Upgrading Media Encryption R73.x Devices and Keys

This version includes a wizard that lets you export Media Encryption devices from the R73.x database and import them into an R80.30 Endpoint Security Management Server. When upgrading from Media Encryption R73 to the current version:

• We recommend that you add the UUID of the R73 server to the trusted list.
• You can access devices that were encrypted on the R73 Media Encryption server automatically, if you export the devices and keys from the R73 database and import them in to the Endpoint Security Management Server.

  Important - Encryption keys associated with Active Directory users that were not added to the Media Encryption (Protector) server manually or through group synchronization, will not be migrated.

Media Encryption (Protector) Encryption Keys and Devices are stored in the MS-SQL database. The Protector Server connects to MS-SQL through named pipelines. To migrate Media Encryption keys and devices, you must configure MS-SQL to accept requests over TCP connections. You must create a login profile that has the permissions required to access the Disknet database.

• If the Protector Server is installed with default settings, use the instructions here.
• If the MS-SQL is installed on an external machine, or MS-SQL management tools are installed, consult with your DBA, and skip to the Running Migration Tools section.

To configure the MS-SQL server to accept requests over TCP connections:

1. In the regedit tool, find the "SuperSocketNetLib" key.

   The path to this key can be different according to the platform and installed tools.

2. Right-click the "SuperSocketNetLib" entry and export it for backup.
3. Create a reg file to customize the server:

   If the path to the SuperSocketNetLib entry is the same in the Media Encryption (Protector) server and in this article:

   1. Copy this registry fragment to a separate file.
   2. Save it with the "reg" extension, and run it.

   If the path is different, edit the new reg file so that it fits the path on the machine.

   Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer] "LoginMode"=dword:00000002 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib] "ProtocolList"=hex(7):74,00,63,00,70,00,00,00,6e,00,70,00,00,00,00,00 "TcpPort"="1433" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp] "TcpHideFlag"=dword:00000000 "TcpDynamicPorts"="" "TcpPort"="1433" "Enabled"=dword:00000001

4. When the registry edit is done, open the regedit utility.
5. Make sure that the "reg" script ran successfully and that the values in the registry were changed according to the script.
6. Restart the "MSSQLSERVER" process.

To add a new login profile to the MS-SQL server:

1. Run the osql tool from the command line: osql -E
2. Run these commands in the osql command line:

   EXEC sp_addlogin 'ep','ep' GO EXEC sp_grantdbaccess 'ep', 'Disknet' GO EXEC sp_addsrvrolemember 'ep', 'sysadmin' GO

To run the Migration Wizard:

1. Make sure that Media Encryption & Port Protection and the Endpoint Security server are up and running.
2. Make sure that Directory Scanner finished a full scan of the Active Directory.

   Important! This is required to complete the key migration successfully.

3. Open the SmartEndpoint console.
4. Click Tools menu > Devices and Keys Migration Tool.
5. Enter the details of the Media Encryption R73 Database: IP address or server name, Database Username, Database Password, Database Name.
6. Click Next.
7. Select Import Devices or Import Keys or both.
8. Click Next.

   See the import results. When import is done, users can access the media from computers with Endpoint Security client installed.

   Important! Users must access the media at least once to enable Remote Help Key Recovery.

More details can be found in deviceMigrtor.log file, which is located in the same folder as the SmartEndpoint.exe executable. To go to this folder, right-click the SmartEndpoint icon and select Properties > Open File Location.

Converting File Encryption Devices to Media Encryption

You can easily convert storage devices that were encrypted with Pointsec File Encryption R73 and earlier to Media Encryption E80.xx and higher. When you insert a device encrypted with Pointsec File Encryption into an endpoint computer running this version, you are prompted to upgrade the device.

To convert a File Encryption device to Media Encryption:

1. Insert the device into a computer that has an Endpoint Security client with Media Encryption & Port Protection active.
2. This message shows:

   To access the device, you need to convert it to Media Encryption format.

3. Click OK.
4. If necessary, enter the File Encryption credentials of the device in the window that opens. These must be the credentials originally to encrypt the storage device. They can be:
   • A corporate user name and password assigned by the administrator
   • A personal user name and password defined for this storage device

   If the device was originally encrypted with a corporate password and Media Encryption & Port Protection can find the password on the computer, this window does not open.

5. Enter and re-enter a new password for the device.
6. Click Continue.
7. Optionally, edit the Media Encryption settings.
8. Click Encrypt.
9. When the encryption is complete, click Finish.