Issue
- Access to encrypted storage based on the user context in ESET Endpoint Encryption
- Access based on sessions
- Access based on users
Solution
Access based on sessions
When a user enters their ESET Endpoint Encryption Key-File password it enables access to encrypted containers. The containers are encrypted using keys available to the user, for example, Virtual Disks and Encrypted Removable Media.
If another user logs in to Windows simultaneously as the original user, they will have limited access to the same containers.
- User will be denied access to removable media
- User will have read-only access to virtual disks
Access based on users
After certain software is launched from within a user's session, the software may elevate itself when run under the System user account. If this happens, then encryption keys will not be available to that software's process and access will be denied to the containers.
- Another user is attempting to access the encrypted data across the network
- The user has elevated software by using the Run as administrator option and is being denied access to the encrypted containers from the software
- Software is running under a different user context within the user's session for example, backup software that runs under the System user account, possibly as a Windows Service
This does not apply to Full Disk Encryption of system disks. If you intend to use backup software with an encrypted system disk, ensure restoration has been tested using the solution before deploying to a live environment.
In most instances, a file-style sync backup of data from full disk encrypted systems would be the best for scheduled backups. Backups performed at a file-level are more likely to run as the user instead of the system. Users will also have access to encrypted storage should it be required.
Use the command line tool to mount a virtual disk globally so all system users can access its contents.
