Kaspersky Endpoint Security 12 for Windows

Starting encryption of removable drives

25 April 2024

ID 123503

You can use a policy to decrypt a removable drive. A policy with defined settings for removable drive encryption is generated for a specific administration group. Therefore, the result of data decryption on removable drives depends on the computer to which the removable drive is connected.

Kaspersky Endpoint Security supports encryption of files in FAT32 and NTFS file systems. If a removable drive with an unsupported file system is connected to the computer, the encryption task for this removable drive ends with an error and Kaspersky Endpoint Security assigns the read-only status to the removable drive.

Before encrypting files on a removable drive, make sure it is formatted and there are no hidden partitions (such as an EFI system partition). If the drive contains unformatted or hidden partitions, file encryption may fail with an error.

To encrypt removable drives:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select Policies.
  3. Select the necessary policy and double-click to open the policy properties.
  4. In the policy window, select Data EncryptionEncryption of removable drives.
  5. In the Encryption mode drop-down list, select the default action that you want Kaspersky Endpoint Security to perform on removable drives:
    • Encrypt entire removable drive (FDE). Kaspersky Endpoint Security encrypts the contents of a removable drive sector by sector. As a result, the application encrypts not only the files stored on the removable drive but also its file systems, including the file names and folder structures on the removable drive.
    • Encrypt all files (FLE). Kaspersky Endpoint Security encrypts all files that are stored on removable drives. The application does not encrypt the file systems of removable drives, including the names of files and folder structures.
    • Encrypt new files only (FLE). Kaspersky Endpoint Security encrypts only those files that have been added to removable drives or that were stored on removable drives and have been modified after the Kaspersky Security Center policy was last applied.

    Kaspersky Endpoint Security does not encrypt a removable drive that is already encrypted.

  6. If you want to use portable mode for encryption of removable drives, select the Portable mode check box.

    Portable mode is a mode of file encryption (FLE) on removable drives that provides the ability to access data outside of a corporate network. Portable mode also lets you work with encrypted data on computers that do not have Kaspersky Endpoint Security installed.

  7. If you want to encrypt a new removable drive, it is recommended to select the Encrypt used disk space only check box. If the check box is cleared, Kaspersky Endpoint Security will encrypt all files, including the residual fragments of deleted or modified files.
  8. If you want to configure encryption for individual removable drives, define encryption rules.
  9. If you want to use full disk encryption of removable drives in offline mode, select the Allow encryption of removable drives in offline mode check box.

    Offline encryption mode refers to encryption of removable drives (FDE) when there is no connection to Kaspersky Security Center. During encryption, Kaspersky Endpoint Security saves the master key only on the user's computer. Kaspersky Endpoint Security will send the master key to Kaspersky Security Center during the next synchronization.

    If the computer on which the master key is saved is corrupted and data is not sent to Kaspersky Security Center, it is not possible to obtain access to the removable drive.

    If the Allow encryption of removable drives in offline mode check box is cleared and there is no connection to Kaspersky Security Center, removable drive encryption is not possible.

  10. Save your changes.

After the policy is applied, when the user connects a removable drive or if a removable drive is already connected, Kaspersky Endpoint Security prompts the user for confirmation to perform the encryption operation (see the figure below).

The application lets you perform the following actions:

  • If the user confirms the encryption request, Kaspersky Endpoint Security encrypts the data.
  • If the user declines the encryption request, Kaspersky Endpoint Security leaves the data unchanged and assigns read-only access for this removable drive.
  • If the user does not respond to the encryption request, Kaspersky Endpoint Security leaves the data unchanged and assigns read-only access for this removable drive. The application prompts for confirmation again when subsequently applying a policy or the next time this removable drive is connected.

If the user initiates safe removal of a removable drive during data encryption, Kaspersky Endpoint Security interrupts the data encryption process and allows removal of the removable drive before the encryption process has finished. Data encryption will be continued the next time the removable drive is connected to this computer.

If encryption of a removable drive failed, view the Data Encryption report in the Kaspersky Endpoint Security interface. Access to files may be blocked by another application. In this case, try unplugging the removable drive from the computer and connecting it again.

Notification about a connected drive with file encryption enabled. The user can encrypt files or refuse.

Removable drive encryption request

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.