Upgrading Media Encryption R73.x Devices and Keys
This version includes a wizard that lets you export Media Encryption devices from the R73.x database and import them into an R80.30 Endpoint Security Management Server. When upgrading from Media Encryption R73 to the current version:
- We recommend that you add the UUID of the R73 server to the trusted list.
- You can access devices that were encrypted on the R73 Media Encryption server automatically, if you export the devices and keys from the R73 database and import them into the Endpoint Security Management Server.
Important - Encryption keys associated with Active Directory users that were not added to the Media Encryption (Protector) server manually or through group synchronization will not be migrated.
Media Encryption (Protector) Encryption Keys and Devices are stored in the MS-SQL database. The Protector Server connects to MS-SQL through named pipes. To migrate Media Encryption keys and devices, you must configure MS-SQL to accept requests over TCP connections. You must also create a login profile that has the permissions required to access the Disknet database.
- If the Protector Server is installed with default settings, use the instructions here.
- If MS-SQL is installed on an external machine, or MS-SQL management tools are installed, consult with your DBA, and skip to the Running Migration Tools section.
To configure the MS-SQL server to accept requests over TCP connections:
- In the regedit tool, find the "SuperSocketNetLib" key.
The path to this key can be different according to the platform and installed tools.
- Right-click the "SuperSocketNetLib" entry and export it for backup.
- Create a reg file to customize the server:
If the path to the SuperSocketNetLib entry is the same in the Media Encryption (Protector) server and in this article:
- Copy this registry fragment to a separate file.
- Save it with the "reg" extension, and run it.
If the path is different, edit the new reg file so that it fits the path on the machine.
Windows Registry Editor Version 5.00

; LoginMode 2 = mixed mode (SQL Server and Windows authentication)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer]
"LoginMode"=dword:00000002

; ProtocolList is a REG_MULTI_SZ that decodes to "tcp", "np" (TCP/IP and named pipes)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib]
"ProtocolList"=hex(7):74,00,63,00,70,00,00,00,6e,00,70,00,00,00,00,00
"TcpPort"="1433"

; Enable the TCP listener on the fixed port 1433
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp]
"TcpHideFlag"=dword:00000000
"TcpDynamicPorts"=""
"TcpPort"="1433"
"Enabled"=dword:00000001
- When the registry edit is done, open the regedit utility.
- Make sure that the "reg" script ran successfully and that the values in the registry were changed according to the script.
- Restart the "MSSQLSERVER" process.
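The registry check in the steps above can be scripted. The following PowerShell is an added example, not part of the original guide or of Check Point tooling; it assumes the registry path printed in this article and compares each value that the reg fragment sets with what is in the live registry.

```powershell
# Added example: compare the live registry with the values the .reg fragment sets.
# $Base is the path used in this article; adjust it if SuperSocketNetLib lives
# elsewhere on your server (the article notes the path can differ).
$Base = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer'
$Net  = "$Base\SuperSocketNetLib"

$Expected = @(
    @{ Key = $Base;      Name = 'LoginMode';       Value = 2 }              # mixed-mode authentication
    @{ Key = $Net;       Name = 'ProtocolList';    Value = @('tcp', 'np') } # REG_MULTI_SZ
    @{ Key = $Net;       Name = 'TcpPort';         Value = '1433' }
    @{ Key = "$Net\Tcp"; Name = 'TcpHideFlag';     Value = 0 }
    @{ Key = "$Net\Tcp"; Name = 'TcpDynamicPorts'; Value = '' }
    @{ Key = "$Net\Tcp"; Name = 'TcpPort';         Value = '1433' }
    @{ Key = "$Net\Tcp"; Name = 'Enabled';         Value = 1 }
)

$mismatches = 0
foreach ($e in $Expected) {
    # A missing key or value returns nothing instead of throwing.
    $item = Get-ItemProperty -LiteralPath $e.Key -Name $e.Name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $state = 'MISSING'
        $shown = '<not present>'
    }
    else {
        # Join so multi-string arrays, DWORDs and strings compare the same way.
        $shown = @($item.($e.Name)) -join ','
        $want  = @($e.Value) -join ','
        $state = if ($shown -eq $want) { 'OK' } else { 'MISMATCH' }
    }

    if ($state -ne 'OK') { $mismatches++ }
    '{0,-9} {1}\{2} = {3}' -f $state, $e.Key, $e.Name, $shown
}

if ($mismatches) {
    Write-Warning "$mismatches value(s) differ from the .reg fragment; re-check the key path before restarting MSSQLSERVER."
}
```

Run it from an elevated PowerShell prompt on the Media Encryption (Protector) server after importing the reg file.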
To add a new login profile to the MS-SQL server:
- Run the osql tool from the command line:
osql -E
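- Run these commands in the osql command line. They create an SQL login named ep with the password ep, give it access to the Disknet database, and add it to the sysadmin server role: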
EXEC sp_addlogin 'ep','ep'
GO
EXEC sp_grantdbaccess 'ep', 'Disknet'
GO
EXEC sp_addsrvrolemember 'ep', 'sysadmin'
GO
To run the Migration Wizard:
- Make sure that Media Encryption & Port Protection and the Endpoint Security server are up and running.
- Make sure that Directory Scanner finished a full scan of the Active Directory.
This is required to complete the key migration successfully.
- Open the SmartEndpoint console.
- Click menu > .
- Enter the details of the Media Encryption R73 Database: IP address or server name, Database Username, Database Password, Database Name.
- Click .
- Select or or both.
- Click .
See the import results. When import is done, users can access the media from computers with Endpoint Security client installed.
Users must access the media at least once to enable Remote Help Key Recovery.
More details can be found in the deviceMigrtor.log file, which is located in the same folder as the SmartEndpoint.exe executable. To go to this folder, right-click the icon and select > .
Converting File Encryption Devices to Media Encryption
You can easily convert storage devices that were encrypted with Pointsec File Encryption R73 and earlier to Media Encryption E80.xx and higher. When you insert a device encrypted with Pointsec File Encryption into an endpoint computer running this version, you are prompted to upgrade the device.
To convert a File Encryption device to Media Encryption:
- Insert the device into a computer that has an Endpoint Security client with Media Encryption & Port Protection active.
- This message shows:
- Click .
- If necessary, enter the in the window that opens. These must be the credentials originally used to encrypt the storage device. They can be:
- A corporate user name and password assigned by the administrator
- A personal user name and password defined for this storage device
If the device was originally encrypted with a corporate password and Media Encryption & Port Protection can find the password on the computer, this window does not open.
- Enter and re-enter a new password for the device.
- Click .
- Optionally, edit the Media Encryption settings.
- Click .
- When the encryption is complete, click .