Setting up shared access to an encrypted disk

Rohos Disk Encryption allows you to set up shared access to an encrypted disk for different uses:

  1. Shared access for all users on a single computer, for example on Windows Terminal Services.
    In this case, users do not need to know the password for the disk, and they do not need to launch Rohos Disk. They do not know where the disk’s file container is located, and they cannot delete it. Entering the password for accessing the disk is the responsibility of the Administrator or Rohos disk owner.
  2. Access for select users working with a single Windows computer.
    In this case, each user will know the password for the disk. Each user will enter the password for accessing the disk independently of the others whenever necessary.
  3. Shared access using a shared folder on the network.
    In this case, the Rohos disk drive letter, opened for shared access on the local network, will act as a file server. The Administrator or Rohos disk owner will enter the password for activating the Rohos disk once each day. The Administrator or owner will also assign network access rights to users and will be responsible for making backups and shutting down access to the disk.


Shared access for all users on a single computer

In the Rohos Disk options, you must enable the option Enable shared disk drive (local and network).

After this is done, when the Rohos disk is activated by one user, the drive letter for this disk will immediately become visible to all users when they open Explorer.

When the read-only option is enabled, no user, including the disk owner, will be able to make any changes to the contents of the Rohos disk.

You can set different rights to read or write to individual folders within the disk itself. Some users will have full control, while other users will have read-only access, and still others will be prevented from viewing the contents of the secret Rohos disk.

Advantages of this method:

  1. The password for the disk is kept by one user, the disk owner.
  2. There is a possibility of restricting access to certain users.
  3. The disk itself can be located somewhere accessible only to its owner, which reduces the risk of it being copied or deleted by a third party.
  4. Users do not need to know the password to the secret disk, as the drive letter for the connected disk will be readily visible in Windows Explorer.
  5. This solution is also suitable for Terminal Server. A work folder with especially important and confidential files and applications can be converted to a Rohos disk by using “Encrypt folder”. This will make data protection transparent for all Remote Desktop users.

Features of this method:

When other users open Rohos Disk, the drive letter will be visible among the other disks. If one user accidentally deactivates the disk, it will be deactivated for all users. To stop this from happening, you can prevent ordinary users from launching Rohos Disk on the server by protecting it with a password.

In addition, you need to untick the box Show Rohos Icon near the clock so that users are not able to manage the disk using the icon next to the clock.

Providing access to certain users working with a single Windows computer

To set up this method of shared access:
1. You must turn on the option Enable shared Disk drive. In this case, the disk’s drive letter will be visible only to the session or account which supplied the password for activating this encrypted disk.

2. The file container must be placed on a shared-access folder and different access rights should be assigned to it for different users in order to prevent this file from being copied or deleted without authorization. Some users can thus open the file for reading and writing, while other users will only be able to read from the file. Still other users will not be able to see it at all.

3. It is necessary to create a shortcut to activate this disk and to copy it onto the Desktop for selected users.
To do this, in the main window choose Rohos Disk Encryption > Disk > Tools > Create disk shortcut. Then, you will find the shortcut on your desktop.

4. Provide the Rohos disk password to all users or create access key devices for them such as SafeNet Ikey, ruToken, eToken or other PKCS#11-compatible solutions.
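
The access rights from step 2 can also be applied and checked from PowerShell. This is an added example, not part of the Rohos documentation; the container path, the owner account and the two groups are constructed placeholders.

```powershell
# Added example. Path, account and group names are constructed placeholders.
$Container = 'D:\Shared\container.rdi'   # placeholder: Rohos disk container file
$Grants = [ordered]@{
    'CORP\diskowner'  = 'FullControl'    # hypothetical disk owner
    'CORP\Finance-RW' = 'Read, Write'    # may open the container for reading and writing
    'CORP\Finance-RO' = 'Read'           # may only read from the container
}

$acl = Get-Acl -LiteralPath $Container

# Block inheritance from the shared folder; $false discards the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Remove explicit entries left over from earlier configuration.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Add one Allow entry per principal. 'Read, Write' deliberately omits Delete.
foreach ($identity in $Grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, $Grants[$identity], 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Container -AclObject $acl

# Verify: every remaining entry must belong to a listed principal.
$current = (Get-Acl -LiteralPath $Container).Access
$unexpected = $current |
    Where-Object { $Grants.Keys -notcontains $_.IdentityReference.Value }
if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, AccessControlType
    throw "Unexpected principals still have access to $Container"
}
$current | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Users who appear in none of the entries cannot open the container at all. The "Delete subfolders and files" right on the parent folder also allows deleting the container, so review the folder's permissions as well.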

Advantages of this method:

  1. The disk owner doesn’t have to activate the Rohos disk every time.
  2. There is no need to protect the Rohos Disk management console with a password.
  3. If one user closes the disk, this will not disturb the work of other users.
  4. The disk’s drive letter is not shown in other sessions. This is useful, for example, when the system’s administrators are not trustworthy: they will not be able to gain access to the secret disk. In the event that a key device is used to access the disk, it will not be possible for others to intercept the password.

Shared access using a shared folder on the network


The entire Rohos encrypted disk or particular folders on it can be opened for shared access in the network. Choose the disk in My Computer and enter its settings by using the context menu.

Limiting access to this disk for different categories of network users can be done here by using the Permissions command.

Now connect the Rohos disk network folder on the workstations on the network.
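
The same sharing and connection steps can be scripted. This is an added example, not part of the Rohos documentation; the drive letter, share name, server name and groups are constructed placeholders. Access over the network is the more restrictive of these share permissions and the NTFS rights set on folders inside the disk.

```powershell
# Added example. Drive letter, share, server and group names are constructed placeholders.
$Drive     = 'R:\'               # assumed drive letter of the activated Rohos disk
$ShareName = 'RohosDocs'         # hypothetical share name
$Server    = 'FILESRV01'         # hypothetical name of the computer hosting the disk
$Editors   = 'CORP\Finance-RW'   # hypothetical group with change access
$Readers   = 'CORP\Finance-RO'   # hypothetical group with read access

function Publish-RohosShare {
    # Run elevated on the computer where the Rohos disk is activated.
    if (-not (Test-Path -LiteralPath $Drive)) {
        throw "Drive $Drive not found; activate the Rohos disk first."
    }
    # Naming the groups explicitly avoids the default 'Everyone: Read' entry.
    New-SmbShare -Name $ShareName -Path $Drive `
        -ChangeAccess $Editors -ReadAccess $Readers `
        -FolderEnumerationMode AccessBased | Out-Null

    # Review the result and refuse to continue if a broad principal has access.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $open = Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.AccountName }
    if ($open) {
        throw "Share $ShareName is open to: $($open.AccountName -join ', ')"
    }
    Get-SmbShareAccess -Name $ShareName
}

function Connect-RohosShare {
    # Run on each workstation, as a user who belongs to one of the groups above.
    New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$Server\$ShareName" -Persistent $true
}
```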

Advantages of this method for providing access:

  • The encrypted disk can be located on the computer as well as on a connected USB storage device.
  • You can set things up so that when a USB storage device is disconnected, the encrypted disk will be automatically disabled, the network folder will disappear, and access to it will immediately be stopped.
  • You can configure a hardware security module (HSM) for accessing a secret disk, using for example a USB token such as ruToken, iKey, or eToken. You can then entrust the key token to a responsible employee for enabling the disk. When the token is removed from the PC, the disk will be automatically disabled as well.
  • You can activate the secret disk when necessary by entering a password or automatically when connecting a USB key token.
  • Network users do not necessarily need to know the password for the disk in order to begin working with it, and all data will be reliably protected on the file server.

While one network user is working with one file or directory, another user can work with a different file or directory. Users perceive the disk as an ordinary shared-access resource. However, you just need to log out of the system, and access to the disk will be stopped automatically.