GuardianEdge Removable Storage Encryption

The encryption of mobile devices has been recommended to management for a while now.   After it came up again in a recent HIPPA audit, money became available in FY11.

As an administrator of GuardianEdge Hard Disk encryption (GEHD), it was natural to consider them for encrypting USB devices. 

GuardianEdge Removable Storage Encryption requires the GuardianEdge Framework.   Existing GEHD installs will need to be upgraded.   Just as the version of Framework and Hard Disk Encryption must match, so the Removable Storage Encryption version must be a supported version.

The software MSI is created in the GuardianEdge Manager with an initial configuration.   As with GEHD configuration changes are done through group policy.  Removable Storage Encryption has the following configuration options

Access Rights:
– Do not allow access to files on removable storage devices
– Allow read-only access to files on removable storage devices
– Allow read-write access to files on removable storage devices

– Encrypt all files written to or access on removable storage devices
– Encrypt new files written to removable storage devices
– Encrypt to CD/DVD only
– Do no encrypt files on removable storage devices

Exemptions are allowed for multimedia files so you don’t automatically encrypt your mp3s.

In our case we had been looking to initially make the encryption an available tool for users rather than mandatory.   Yes, it is a lot less secure.   It’s also easier to implement.   This product doesn’t have any way to do that.  

When files are encrypted to a USB Drive, depending on which options the administrator has enabled, users can use passwords or certificates to encrypt files.   The password uses the password policy configured in the GuardianEdge Framework.    A recipient of that USB without GuardianEdge software would use the Access utility which is saved to the USB automatically.   They can make changes to the files and save them in an encrypted format back to the external device.    The access utility is for Mac and Windows only.  

The administrator can create groups  so that user within that group do not have to have a password or certificate to access the files.   This would seem to require a new group policy for each access group.   This quickly looks like groups would only be used when you don’t care about insider attacks and prefer to preserve usability internally.

The administrator can also create a recovery certificate so that all files encrypted to removable storage are recoverable in case of lost or forgotten credentials.   This is similar to the EFS recovery certificate.   GuardianEdge provides some weak instructions for those with a Microsoft CA, for others the only advice is “create a certificate with the “Key Encipherment” usage.   If you created all users in the same group, then this recovery “master” certificate is redundant.

For times when you want to mail encrypted files and don’t care about changes needing to be returned securely you can create a self-extracting executable.    This is also protected by password or certificate.  

When you have both Hard Disk Encryption and Removable Storage Encryption installed, a systray icon is visible.   This icon allows access to the User console and the encrypted CD/DVD burner.   Both of these items are available on the start menu.   I fail to see my this systray icon is required and cannot be removed.

I’m at an early stage of this deployment.   Any time you’re making it harder for users to do something they aren’t going to be happy.   Unfortunately there are times when the systems need to be locked down and access removed.   When regulations dictate the protection of data, we need to protect data both in transit and as it is stored on disk.


  1. after GuardianEdge encryption USB keyboard and mouse are not working…

    we dont have provision for ps2 PORT keyboard and mouse on the montherboard…

    is there any other option to login with usb keyboard..

    Thanks advance..


    • You need to be reviewing release notes for known issues for your particular computer model and then contacting support.

      I haven’t seen issues with usb keyboards in the preboot environment for a very long time.

  2. I have a problem with getting BSOD using Guardian Edge 9.4.1 on a USB drive on Windows XP. When I try to copy large number of files to the USB drive, Guardian Edge crashes the system. On the other hand if I compress the files into one zip file, it appears that no matter how big the resulting file, there is than no problem copying it to the USB drive. I’ve asked our sys admins and there response is essentialy to bad, live with it. Has any one had a similar problem and know of a way to make Guardian edge behave? The Sys admins tell me it just keeps grabbing more memory until it crashes the OS. Is there anyway to limit the amount of system resource guardian Edge grabs. We should be migrating to Windows 7 in next few months. Has anyone heard of this being a windows 7 problem also?

Comments are closed.