This article provides suggested best practices for Symantec File Share Encryption (Formerly PGP NetShare).

For information on other topics for File Share Encryption, see the following articles:

153211 - Symantec PGP File Share Encryption FAQ

180791 - Symantec File Share Encryption Group Key FAQ's.

180789 - How do I create a new Group with a File Share Encryption Group Key on Symantec Encryption Management Server?

155582 - Adding a Group Key to an Existing Group on the Symantec Encryption Management Server

161242 - Encrypting network file shares to Group Keys with Symantec File Share Encryption

These best practices can help overcome issues with folders that fail to encrypt, become corrupted, or take long periods of time to finish re-encrypting.

Scenario 1 of 14: Re-encryption when files are unencrypted

File Share Encryption will always encrypt the files when copied to the folder where protected files reside as long as file creation to these shares is done on a machine that has File Share Encryption installed.  If there are others who copy/create files in these protected folders and do not have File Share Encryption stored, then you will need to re-encrypt these manually.  You can go through a regular re-encryption routine. 

Alternatively, a Feature Request to have these folders automatically encrypted has been logged.  If you would like this automatic Re-encryption functionality, please log a support ticket and we can add you to the list:

ISFR-1908

Scenario 2 of 14: Exclusions Add all the Symantec Encryption program binaries as discussed in the following article:

Scenario 2 of 14: Exclusions Add all the Symantec Encryption program binaries as discussed in the following article:

Scenario 2 of 14: Exclusions Add all the Symantec Encryption program binaries as discussed in the following article: 

200696 - Symantec Encryption Services - Add Symantec Encryption programs to safe list or exclusions in security software

Scenario 3 of 14: Group Keys

Use a File Share Encryption Group Key, which makes managing File Share folders much faster, as it will no longer have to modify all of the metadata for the encrypted files when adding or removing users to a group.

In a PGP Encryption Server managed environment, the use of Group Keys allow you to protect shared files and folders to easily add or remove group members.
All of this can be done without affecting the File Encryption metadata associated with the protected files and folders, which is great for convenience.

Scenario 4 of 14: Filesystem Integrity

Scenario 4 of 14: Filesystem Integrity

Scenario 4 of 14: Filesystem Integrity

Before encrypting, make sure the file system is scanned and defragmented on the system hosting the encrypted folder.

Scenario 5 of 14:  Use a UNC Path instead of Mapped Drive Letter

There have been some unusual, but rare circumstances where File Share Encryption has had some issues running "pgpnetshare.exe" commands citing an error:

"Meta-data initialization failed [-650]."

In these situations, we have found that using a UNC path will sometimes have better results.   

When running the commands, try using \\UNC-PATH-Root\UNC-PATH-SHARE context to see if this helps with a more consistent experience.  
(EPG-26796)

The Group key functionality began with version 3.2.0 of the PGP Server and continue on with all versions of PGP Encryption Server.

Scenario 6 of 14:  Where to run File Share Encryption operations?

Run the File Share encryption process from a computer other than the one used to store the encrypted folder.

Scenario 7 of 14: Avoid third-party application interference

Try to limit the programs running on the computer doing the encryption or the one hosting the files during the encryption process (e.g., backups, virus scans).

Scenario 8 of 14: Sufficient System Requirements

Ensure adequate resources on the server/computer hosting the Symantec File Share. As it may be an intensive process for a computer's CPU, Memory, and hard disk.

Scenario 9 of 14:  NTFS File Permissions

Make sure that the folder permissions are set correctly to allow editing by group members and also to inherit permissions from the parent folder.

Scenario 10 of 14:  Allow Files to be Modified for Encryption

Make sure that the files to be encrypted are not in use (it may be best to wait until after normal business hours before encrypting).

Scenario 11 of 14: Folder Structures for Re-encryption and User Access Lists with PGP Keys

If you have a Root folder directory that has been encrypted to a specific list of keys, all the subfolders will be encrypted using the same keys. 
If you have a need to have subfolders encrypted to a different set of keys, such as different Group Keys, it is recommended to move these subfolders out of the root and be designated as their own root directories. 
This is so that if there are any re-encryption routines that run, access does not get blocked as a re-encryption event can update the subfolders ACLs to match that of the root. 
For this reason, it's best to organize the root directories in advance so that the proper keys can be used so re-encryption routines will not cause loss of access.

Scenario 12 of 14:  Excel Shared Workbooks (Contact Support if you would like this feature)

Scenario 12 of 14:  Excel Shared Workbooks (Contact Support if you would like this feature)

Scenario 12 of 14:  Excel Shared Workbooks (Contact Support if you would like this feature)

Using some of the shared features of Microsoft Office products may not work, so avoid using these features if you can.  For example, Shared Workbooks for Excel Spreadsheets is not tested or supported:

150173 - File Share Encryption does not support the Excel Shared Workbook feature

Scenario 13 of 14:  Legacy Filter Driver VS Minifilter Driver

File Share Encryption offers a very unique way to automatically, and seamlessly encrypt files and make them easily accessible by authorized users.  
When an authorized user has the key needed to authenticate, the file is automatically opened and does not behave any differently.

This makes it very easy for end users to be able to work on documents without the inconvenience of having to re-encrypt each time the file is modified.  

In order to do this, File Share Encryption uses a "Filter Driver" to encrypt/authenticate data in real time. 

Anything that is encrypted/authenticated goes through this filter driver to allow this seamless access.  

Using Legacy Filter Drivers are still supported by Microsoft, although the recommendation is to move to using a "minifilter" driver due to better system stability (not related to security). 

Symantec Engineering and Security conducts regular security reviews on all aspects of the software and the Legacy Filter Driver used to encrypt data continues to be secure.  

All encryption algorithms being used by File Share Encryption are also the highest available.  

Although Symantec Encryption solutions have plans to move to a minifilter driver in a future release, using the filter driver in its current design is both secure and sanctioned to encrypt data.  
IMSFR-934

Scenario 14 of 14:  Decrypting shares

It is never recommended to decrypt shares to fix user access as this not only takes time, but also leaves data in a sensitive state.

Instead, it is recommended to to create a new share and encrypt that share to the new users needed, and then simply copy the data over.
You can then share the new location that has encrypted all the shares to the proper user list. 

EPG-24297

For information on other topics for File Share Encryption, see the following articles:

153211 - Symantec PGP File Share Encryption FAQ

180791 - Symantec File Share Encryption Group Key FAQ's.

180789 - How do I create a new Group with a File Share Encryption Group Key on Symantec Encryption Management Server?

155582 - Adding a Group Key to an Existing Group on the Symantec Encryption Management Server

161242 - Encrypting network file shares to Group Keys with Symantec File Share Encryption