January 9th, 2020 05:00

Decryption Question

Hi All,

I was handed the task of administering the DDP environment a few years back at my current job. A question for the community:

1. If I decrypt a laptop (running the DDP client version 8.3) does this process decrypt the files for all the user profiles on the laptop or just for the currently logged in user?

Thanks,

Tim

January 14th, 2020 08:00

@TB73 

I'm going to assume you are using the DDP file folder based encryption (FFE) solution (aka policy-based encryption). DDP also has a full disk encryption, self-encrypting drive, encryption external media, and BitLocker solution. FFE is the most popular choice, hence my assumption.

In FFE, we can use three types of encryption keys:

  • System Data Encryption (SDE)
  • Common Encryption
  • User Encryption 

95% of environments use some combination of SDE with Common.

During the default decryption/uninstall option, as long as you enter an authorized DDP admin, it will decrypt all data using the encryption keys associated with the machine name.

If you just turn policy (via Admin console) to off and you use User Encryption, then each user will perform the decryption when they log in. Otherwise the decryption will occur once an authorized user logs into the system for SDE/Common. 

Let me know if you need further clarification.

-Brian

L4 Dell Data Security | #IWork4Dell

January 16th, 2020 06:00

Hi Brian,

Great information - thanks.

Here is what I have set at the Enterprise level within the DDP console. Let me know what my options are here:

Under the Windows Encryption Policy Category:

Fixed Storage:

SDE Encryption Enabled = False

General Settings:

Encryption Enabled = True

Application Data Encryption Key = Common

User Data Encryption Key = User

Regards,

Tim

January 21st, 2020 10:00

Tim,

My apologies about the wait. My profile is undergoing some revisions, which made it inaccessible for a bit.

It looks like you are using Common/User based encryption keys only. In that case, the specific user would need to log in to decrypt user encrypted data (which typically is only documents).

Let me know if you have any further questions. 

-Brian

L4 | Dell Data Security #IWork4Dell
