IBM File and Folder Encryption Version 2.1 This file contains the latest information about the IBM(R) Client Security File and Folder Encryption (FFE) utility. The FFE utility provides a powerful way to protect the files and folders stored on your computer. Before using the FFE utility, it is important to understand the protection capabilities provided by the product and any limitations. Supported software versions to use with this release ==================================================== IBM Client Security Software Release 5.3 or later on TPM systems Usage Notes =========== The FFE utility is fully compatible with the IBM Rescue and Recovery program. When a file is copied from a protected folder into an unprotected folder, the file is automatically decrypted. Likewise, when a file is copied from an unprotected folder into a protected folder, the file is automatically encrypted. Known issues or limitations =========================== - FFE incompatibility with hot-swappable hard drives In certain cases on computers running FFE, hard disk drives that are hot-added (i.e. inserted while Windows is running) might not be properly recognized, and might appear to Windows as being unformatted. To correct this, reboot the computer with the hard drive connected to the computer. To allow for proper use of hot-added hard disk drives, ensure that the file system (i.e. FAT32 or NTFS) on drive C: and the partitions on your hot-added hard disk drive are the same. - File count after right-click encryption When attempting to encrypt multiple files using the right-click encryption function, the operation might fail if any of the files being encrypted are of a prohibited type, such as DLL, VxD, SYS, etc. When the right-click operation fails, the number of files not encrypted displayed in the error window might be incorrect. - Guest users cannot use the File and Folder Encryption or Password Manager utilities The File and Folder Encryption or Password Manager utilities do not permit access to a guest user even though the guest user account is displayed in the Administrator Utility. - The File Not Encrypted count is incorrect The File and Folder Encryption (FFE) utility counts the files that are encrypted. It also counts files that are not encrypted because they have prohibited file extensions. When a file is not encrypted, the FFE utility counts it twice in the summary of Files Not Encrypted. - FFE incompatibility with IBM Rapid Restore(TM) PC and IBM Rapid Restore Ultra 3.0 or earlier IBM Rapid Restore PC and IBM Rapid Restore Ultra are backup and restore applications that protect users from data loss due to an operating-system failure. The Client Security File and Folder Encryption utility is not compatible with either of these applications. These applications are not supported when installed on the same computer. FFE is compatible with IBM Rapid Restore Ultra 4.0 and later. Important: Data loss is likely if files and folders protected by FFE are backed-up up with IBM Rapid Restore PC or IBM Rapid Restore Ultra 3.0 or earlier. - FFE compatibility limitations with Grisoft AVG 6.x and Grisoft AVG 7.x MS Office files in protected folders might not be decrypted correctly when Grisoft AVG anti-virus software is installed. To resolve the issue, disable "Check Macro Viruses" in the AVG Control Center application on AVG version 6.x, and disable "Scan Documents" of the "AVG Resident Shield" in the AVG Control Center application on AVG version 7.x. - Renaming and disabling FFE-encrypted files or folders Do not disable FFE without first decrypting any files or folders that were protected with FFE. If any FFE-encrypted files or folders are renamed after FFE is disabled, the seed data required for unprotecting the files or folders will be lost. - Right-click encryption compatibility In addition to FFE, IBM Client Security Software also provides the ability to protect individual files with the right-click encryption function. Users should not copy files protected by the right-click encryption function into protected folders. If files protected by the right-click encryption function are copied into FFE-protected folders, data loss might occur. Do not perform any right-click encryption operation while protecting or unprotecting with FFE. - Moving encrypted files and folders The IBM FFE utility does not support: - Moving files and folders within protected folders - Moving files or folders between protected and unprotected folders If you attempt to perform either of these unsupported Move operations, an Access Denied message will be displayed by the operating system. This message is normal and simply provides notification that this Move operation is not supported. If you attempt to move an unprotected folder into a protected folder, an empty folder is created in the protected location, but then an Access Denied message is displayed. As an alternative to using a Move operation, do the following: 1. Copy the protected files or folders to the new location. 2. Delete the original files or folders by using the Shift+Del key combination. - Deleting encrypted files and folders To ensure that no sensitive files or folders are left unencrypted in the Recycle Bin, you should use the Shift+Del key combination to delete protected files and folders. The Shift+Del key sequence performs an unconditional delete operation and does not attempt to put deleted files in the Recycle Bin. - Microsoft Encrypted File System (EFS) compatibility IBM File and Folder Encryption (FFE) and the Microsoft Encrypted File System (EFS) provide similar but different file encryption functions. Unexpected results might occur if EFS-protected files are copied into FFE-protected folders. Do not use both solutions on the same system. - Changing directories with a command prompt When using a command prompt, you might experience problems changing the active directory to a protected subfolder. It is best to use Microsoft(R) Windows(R) Explorer to access protected folders and subfolders. - Abbreviated file names The Client Security File and Folder Encryption utility does not support applications that are dependent on short file names, for example when the long file name longfilename.txt gets abbreviated to the short file name of longfi~1.txt. - Path name length limitations When you attempt to protect a folder using the IBM FFE utility or attempt to copy a file or folder from an unprotected folder to a protected folder, you might receive a One or more path names are too long message from the FFE utility. If you receive this message, you have one or more files or folders that have a path that exceeds the maximum character-length allowed. To correct the problem, either rearrange the folder structure to shorten its depth or shorten some folder or file names. You might encounter this problem even if your displayed path name is shorter than the operating system-specific character limitation. That is because each file and folder that is protected by FFE has eight characters appended to its file or folder name, beginning at the protected folder and extending onward in the protected path. These characters are not visible in normal operation, but these characters count toward the maximum path length. For this reason, it is best to keep all protected folders as close to the root as possible. - Protecting or unprotecting folders using Microsoft Explorer When a folder is protected or unprotected using Microsoft Explorer, the folder might temporarily disappear from the display. During this process, all protected files and folders are temporarily locked. To display the folder, refresh Explorer. If you try to access a protected file or folder while protecting or unprotecting a file or folder, an Access Denied message will be displayed. - Drive letter protection You can use the IBM FFE utility to encrypt or decrypt files and folders on the C drive only. The IBM FFE utility does not support encryption on any other hard-disk partition or physical drive. - Running applications from a protected folder The IBM FFE utility does not support running applications from a protected folder. For example, if you have an executable named PROGRAM.EXE, you cannot run that application from a protected folder. - Problems protecting a folder If you attempt to protect a folder and receive a message stating that The folder cannot be protected. One or more files may be in use, log off and then log onto FFE. If this does not solve the problem, verify the following: - Verify that none of the files contained in the folder are currently in use. - Verify that none of the files contained in the folder include a file name that use the abbreviated short format. Files with names longer than the xxxxxxxx.xxx format that require abbreviation, such as adminis~r.exe cannot be protected. If you attempt to protect a folder containing such a file, a warning message will be displayed. To protect the folder, the file name must be changed. - Verify that all of the files contained in the folder have file names of the same language. FFE does not support file names of multiple DBCS languages. If you attempt to protect a folder containing files with file names in more than one DBCS language, a warning message is displayed. Before you can protect the folder, all file names must be in the primary language of the operating system. - If Windows Explorer is displaying one or more subfolders of a folder that you are attempting to protect, verify that the folder you are attempting to protect is highlighted and active, not any of the subfolders. - Passphrase requested when the security chip is disabled CSS might request a passphrase after the security chip has been disabled. Click Cancel to proceed. - Uninstalling the IBM FFE utility Before you uninstall the IBM FFE utility, make sure you complete the following tasks: - Use the IBM FFE utility to decrypt any files or folders that are currently protected. Failure to do so might result in the inability to uninstall FFE. - Do not uninstall CSS before FFE. If CSS is uninstalled prior to FFE, data in any protected folders will be lost.