21.9 Encryption Parameter Settings
In the Encryption Parameter Settings interface, you can configure the disaster recovery time and whether to hide encryption marks on encrypted documents in File Explorer for the entire network, specific groups, or specific clients.
All encryption parameter settings must be saved to take effect.
| Icon Button | Description |
|---|---|
| | Modify the encryption parameter settings of selected computers or users |
| | Delete the encryption parameter settings of selected computers or users |
| | Export policy file, import policy file, or copy the current policy to other clients |
Note:
- Unless otherwise specified, all encryption parameter settings apply only to Windows clients and do not take effect for Linux or Mac clients.
Emergency Settings
Disaster Recovery Time
Disaster recovery time is set for emergencies. If a client with a configured disaster recovery time cannot connect to the server due to network or server failures, and no long-term offline authorization policy is in place, the client can enter backup mode within the disaster recovery time and perform encryption and decryption operations according to its online permissions.
Note:
- This setting also applies to Mac and Linux clients.
Allow Copying Small Amounts of Text
For authorized software with clipboard restrictions, content cannot be copied to non-authorized software. However, for business needs, a small portion of text may need to be copied from such documents. In this case, you can enable Allow Copying Small Amounts of Text.
Enter the number of characters allowed for copying. For example, entering 5 allows copying up to 5 characters.
Display Settings
Hide Encryption Marks
On clients with Hide Encryption Marks enabled, encrypted documents no longer show the small lock icon. Users cannot visually distinguish between encrypted and non-encrypted documents.
Hide Encryption Client Interface
On clients with Hide Encryption Client Interface enabled, the encryption system icon in the system tray (bottom-right corner) is hidden. Users cannot access functions through the encryption icon menu.
Note:
- This setting also applies to Mac clients.
Security Password Settings
Require Security Password
On clients with Require Security Password enabled, the security password cannot be empty and must be set.
Password Must Meet Complexity Requirements
On clients with Password Must Meet Complexity Requirements enabled, the security password must satisfy all of the following:
- 1. At least six characters in length.
- 2. Include characters from at least three of the following four categories:
  - Uppercase letters (A-Z)
  - Lowercase letters (a-z)
  - Digits (0-9)
  - Non-alphabetic characters (e.g., !, $, #, %)
- 3. Password strength must be medium or higher.
Security Password Input Settings
Administrators can restrict how clients enter security passwords. The settings are as follows:
| Setting | Description |
|---|---|
| Allow Client to Set | Default option. Clients can configure security password input settings at their discretion. |
| Require Password for Every Operation | When selected, the client's security password input setting is set to Require Password for Every Operation and cannot be changed. |
| Enter Once After Logging Into Secure Object | When selected, the client's security password input setting is set to Enter Once After Logging Into Secure Object and cannot be changed. |
| No Password Required for Login Operations | When selected, the client's security password input setting is set to No Password Required for Login Operations and cannot be changed. |
Password Error Attempt Verification
When enabled, the client validates the number of incorrect security password entries for operations requiring a password.
| Setting | Description |
|---|---|
| Within Time Limit | Specify a time period in minutes. Default is 20 minutes. 0 means no time limit. |
| Max Incorrect Attempts | The number of incorrect password entries allowed. Default is 5. |
| Password Lock Duration | After reaching the maximum incorrect attempts, the security password input is disabled for the specified duration. Default is 10 minutes; 0 means no lock. |
| Password Lock Alert | When the maximum incorrect attempts are reached, the console generates an alert. Alert level is lowest; enabled by default. |
After configuration, if the number of incorrect password attempts reaches the specified limit within the set time, the password input field will be locked for the specified duration.
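The following model shows how the four settings above interact, including the two zero values. It is an added example, not the product's code; the class name, the minute-based clock, and the choices that a correct entry or a lockout clears the counter are assumptions.

```python
class PasswordLockout:
    """Model of the attempt counter; times are minutes on any monotonic clock."""

    def __init__(self, within_min=20, max_wrong=5, lock_min=10):
        self.within_min = within_min    # Within Time Limit (0 = no time limit)
        self.max_wrong = max_wrong      # Max Incorrect Attempts
        self.lock_min = lock_min        # Password Lock Duration (0 = no lock)
        self.failures = []              # times of wrong entries still counted
        self.locked_until = None
        self.alerts = 0                 # Password Lock Alert events raised

    def attempt(self, now, correct):
        """Return 'locked', 'ok', 'wrong' or 'lockout' for one password entry."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"             # input disabled, entry is not evaluated
        self.locked_until = None
        if correct:
            self.failures.clear()       # assumption: success resets the counter
            return "ok"
        if self.within_min:             # with 0, failures never age out
            self.failures = [t for t in self.failures
                             if now - t < self.within_min]
        self.failures.append(now)
        if len(self.failures) < self.max_wrong:
            return "wrong"
        self.failures.clear()           # assumption: counting restarts afterwards
        self.alerts += 1
        if self.lock_min:               # with 0, only the alert remains
            self.locked_until = now + self.lock_min
        return "lockout"


if __name__ == "__main__":
    policy = PasswordLockout()          # defaults: 20 min, 5 attempts, 10 min
    print([policy.attempt(t, False) for t in range(5)], policy.attempt(5, True))
```

With Password Lock Duration set to 0 the model never disables input, so the console alert is the only remaining signal of repeated failures.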
Maximum Password Usage Period
Administrators can specify the number of days a security password is valid. For example, if set to 30 days, the password can be used normally for 30 days from the time it is set. After 30 days, the client will be prompted that the password has expired and must be changed. If the client already has a security password when configured from the console, the period starts from the time the console setting is applied.
Encrypted Document Thumbnail Settings
Configure whether encrypted documents display thumbnails and previews in File Explorer.

| Setting | Description |
|---|---|
| Show Thumbnails | Enable or disable display of encrypted document thumbnails. |
| File Types to Show | Select the types of encrypted documents for which thumbnails are displayed. |
| File Types to Exclude | Select the types of encrypted documents for which thumbnails are not displayed. |
| Show Previews | Enable or disable display of encrypted document preview images. |
| File Types to Show | Select the types of encrypted documents for which previews are displayed. |
| File Types to Exclude | Select the types of encrypted documents for which previews are not displayed. |
Note:
- By default, encrypted files still display thumbnails and previews for the following image formats: JPG, JPEG, JPE, BMP, GIF, PNG, TIF, and TIFF.
Email Whitelist
Clients with an email whitelist automatically decrypt encrypted attachments into regular files when sending specified emails. Currently, only SMTP emails without SSL are supported.
Click the icon at the end of the Email Whitelist cell to configure email address rules, attachment file names, and whether to back up decrypted attachments.

| Setting | Description |
|---|---|
| Email Address Rules | Configure whitelist email address rules; multiple rules can be set. |
| Attachment File Name | Control specific attachment names. You can specify included or excluded file names. Supports wildcards and multiple entries separated by "," or ";". |
| Backup Decrypted Attachments | If enabled, displays Yes; otherwise, No. |
| Backup Range | Set the size limit for backing up encrypted attachments. Default is 0-100,000 KB; attachments exceeding this range will not be backed up. |
Email Address Rules
Click the icon at the end of the Email Whitelist cell, then click the icon again to add email address rules. Each rule has the following settings:

Rule Name: Set the name of the email rule.

Mode: Select the mode: Decrypt Attachments or Do Not Decrypt Attachments. Default is Decrypt Attachments.
- Decrypt Attachments: Encrypted attachments in emails matching this rule will be decrypted.
- Do Not Decrypt Attachments: Encrypted attachments in emails matching this rule will not be decrypted.

Recipient Email: Set the recipient email addresses, including To, CC, and BCC fields. You can specify included and excluded emails, with excluded emails taking priority over included ones. Emails in the exclusion list do not match this rule and will continue to the next policy.
Supports direct email input or selecting email categories for control:
- Click the icon to add email addresses. You can enter a full email address (e.g., [email protected]) or use wildcards for a range of addresses (e.g., *@126.com). Separate multiple entries with commas. After setting, click the icon to modify.
- Click the icon to add an email category.

Allow Recipients Outside the Exclusion List to Decrypt: Control decryption for recipients outside the exclusion list.
For emails with multiple recipients:
- 1. If none of the recipients are within the inclusion list, their attachments will not be decrypted.
- 2. If at least one recipient is within the inclusion list (and not in the exclusion list):
  - Recipients in the inclusion list: attachments will be decrypted.
  - Recipients in the exclusion list: attachments will not be decrypted.
  - Recipients neither in the inclusion nor exclusion list: if this option is checked, their attachments will be decrypted; if unchecked, their attachments will not be decrypted.

Sender Email: Set the sender email addresses. You can specify included and excluded emails, with excluded emails taking priority over included ones. Emails in the exclusion list do not match this rule and will continue to the next policy.
Supports direct email input or selecting email categories for control:
- Click the icon to add email addresses. You can enter a full email address (e.g., [email protected]) or use wildcards for a range of addresses (e.g., *@126.com). Separate multiple entries with commas. After setting, click the icon to modify.
- Click the icon to add an email category.

Multiple email address rules can be set, and the order of the rules can be adjusted using the ordering icons.
Email Address Rule Matching Principle
Rules are matched from top to bottom. Once an email matches a valid rule, subsequent rules are not evaluated. If no rules match, the email's encrypted attachments will not be decrypted.
Email Whitelist Rule Example 1
Company Scenario:
- 1. The company has established a Document Control Department (DCD), which acts as the plaintext gateway. For emails sent to external networks, after internal approval, the DCD sends them using external email accounts.
- 2. All external emails use the domain @outerdept.com.
Requirement:
When the DCD sends emails externally, encrypted attachments must be decrypted, but only if the email CCs the DCD supervisor ([email protected]).
To meet the above requirement, configure an email whitelist rule as follows:
Mode: Decrypt Attachments
Recipient Email: Include [email protected]; Exclude none; check Allow Recipients Outside Exclusion List to Decrypt
Sender Email: Include *@outerdept.com; Exclude none
Email Whitelist Rule Example 2
Company Scenario:
- 1. Internal work uses the company's internal email system. Employee communications and workflow files are all exchanged via internal emails.
- 2. All internal emails use the domain @innerdept.com.
Requirement:
For internal employee emails, only emails sent to specific leaders ([email protected], [email protected]) should have attachments decrypted. All other emails should not decrypt attachments.
To meet the above requirement, configure an email whitelist rule as follows:
Mode: Decrypt Attachments
Recipient Email: Include [email protected], [email protected]; Exclude none; do not check Allow Recipients Outside Exclusion List to Decrypt
Sender Email: Include *@innerdept.com; Exclude none
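The matching principle and the two example rules can be checked against sample mail with a small model. This is an added example, not the product's code: the class and function names and the example.com/example.org addresses are constructed placeholders, and it assumes an excluded recipient is simply left undecrypted rather than passed on to a later rule.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


def hit(addr, patterns):
    """True if addr matches any wildcard pattern (case-insensitive)."""
    return any(fnmatchcase(addr.lower(), p.lower()) for p in patterns)


@dataclass
class Rule:
    name: str
    decrypt: bool                  # Mode: True = Decrypt Attachments
    rcpt_include: list
    sender_include: list
    rcpt_exclude: list = field(default_factory=list)
    sender_exclude: list = field(default_factory=list)
    allow_outside: bool = False    # Allow Recipients Outside the Exclusion List to Decrypt

    def matches(self, sender, recipients):
        # Exclusions take priority over inclusions, for sender and recipients.
        if hit(sender, self.sender_exclude) or not hit(sender, self.sender_include):
            return False
        return any(hit(r, self.rcpt_include) and not hit(r, self.rcpt_exclude)
                   for r in recipients)

    def decide(self, rcpt):
        # Assumption: an excluded recipient is simply not decrypted for.
        if not self.decrypt or hit(rcpt, self.rcpt_exclude):
            return False
        return hit(rcpt, self.rcpt_include) or self.allow_outside


def evaluate(rules, sender, recipients):
    """Map each To/CC/BCC recipient to True (decrypt) or False; first match wins."""
    for rule in rules:             # top to bottom
        if rule.matches(sender, recipients):
            return {r: rule.decide(r) for r in recipients}
    return {r: False for r in recipients}   # no rule matched: nothing is decrypted


# Constructed placeholder addresses (the page's own addresses are not reproduced).
SUPERVISOR = "supervisor@example.com"
EXAMPLE_1 = Rule("DCD outbound", True, [SUPERVISOR], ["*@outerdept.com"],
                 allow_outside=True)
EXAMPLE_2 = Rule("Leaders only", True,
                 ["leader1@example.com", "leader2@example.com"], ["*@innerdept.com"])

if __name__ == "__main__":
    mail = ("dcd@outerdept.com", ["client@example.org", SUPERVISOR])
    print(evaluate([EXAMPLE_1, EXAMPLE_2], *mail))
```

In the first rule the checkbox extends decryption to every To, CC and BCC recipient once the supervisor is copied, so the sender restriction is what bounds the rule's reach.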
Log Policy
By default, clients record all encrypted document operation logs. In some cases, not all logs need to be recorded. A log policy can control which encrypted document operations are logged.
| Setting | Description |
|---|---|
| Record Logs | Enabled by default. Uncheck to stop logging. Only when checked can operation types and file ranges be configured. |
| Operation Types to Log | Default is to log all operation types. Can be customized as needed. |
| File Range to Log: Included Files | Files within this range will have their encrypted operations logged. Enter file names or paths, supports wildcards (e.g., *.doc, c:\*). |
| File Range to Log: Excluded Files | Files within this range will not have their encrypted operations logged. Enter file names or paths, supports wildcards (e.g., *.doc, c:\*). |
Note:
- This setting also applies to Mac and Linux clients.
Extended Features
Encrypt New Files
The Encrypt New Files feature automatically encrypts newly created or modified files in specified directories. After encryption, files are assigned the security attributes: Public Security Area – Normal level.
| Setting | Description |
|---|---|
| Encrypt New Files | Enable or disable the Encrypt New Files feature. |
| Exclusion Range | Specify directories and file types that will not be automatically encrypted. Multiple entries are supported. By default, all files in local hard drive directories are included. |
| Encryption Range | Specify directories and file types that will be automatically encrypted. Multiple entries are supported. By default, all files in local hard drive directories are included. |
Currently supports local drives and network drives. Directories must be valid client local disk paths and support wildcards * and the general path {sd}. For example: {sd}users\*\Documents. {sd} represents the system drive root (e.g., C:\) and must be lowercase. Folder names follow {sd} directly, without an additional \.
File types support the wildcards "*" and "?".
If a Document Backup Server is deployed, clients with the Encrypt Document Auto Backup Task enabled will automatically back up files encrypted via the Encrypt New Files policy.
Encrypting Authorized Software – Decrypt Only
Administrators can configure authorized software to only decrypt files, without re-encrypting them.

| Setting | Description |
|---|---|
| Process | Specify the process name of the authorized software. Supports wildcards. Multiple processes are separated by commas (,). |
| File | Add filter files to apply settings. Supports full paths and extensions (e.g., E:\work\*.dat). Wildcards and general paths are supported. Multiple entries are separated by commas (,). |
Note:
- 1. Only applies to files modified during the use of authorized processes. It does not apply to files encrypted manually, via Encrypt New Files, or through full-disk scan encryption.
- 2. Files set as "Do Not Encrypt" in this setting take precedence over files in the authorized software library.
Watermark Settings for External Documents
External Document Window and Print Watermarks
Clients can configure external documents to display watermark information when opened or printed. This includes custom text, the creator of the external document, and the reader of the external document. Watermarks appear in the visible window when opening the document or on printed external files.
| Setting | Description |
|---|---|
| Enable Policy | Enable or disable the external document window and print watermark policy. Detailed settings require this option to be checked. |
| Watermark Type | Select the watermark type for the policy: Window Watermark, Print Watermark, or Both. Default is Both. |
| Text Content | Specify the text for the watermark. |
| Font | Set the font type for the watermark text. |
| Custom Text Size | Set the font size for the watermark text. Default is 48. |
| Creator & Reader Info Size | The font size for creator and reader info is automatically adjusted based on the custom text size. Default is 28. |
| Color | Set the font color of the watermark text. |
| Transparency | Set the transparency of the watermark text. Default is 80%. |
| Creator Info | Select which creator information to display in the watermark: computer name, IP address, username, creation time. |
| Reader Info | Select which reader information to display in the watermark: computer name, IP address, username, reading time. |
External Document Floating Window Title
Enables a floating window when an external document is opened, with customizable title text. The window can be freely moved within the file viewing area.
| Setting | Description |
|---|---|
| External Document Floating Window Title | Enable or disable the floating window title for external documents. |
| Text Content | Set the text displayed in the floating window title. |
| Font Color | Set the font color of the floating window title. |
| Background Color | Set the background color of the floating window title area. |
| Show Close Button | If checked, a close button appears on the floating window, allowing the user to manually close it; if unchecked, the window cannot be manually closed until the external document is closed. |
| Show Process Type Icon | If checked, the floating window displays the external document's process type icon; if unchecked, it does not display. |
| Show Permissions | If checked, moving the mouse over the floating window shows the current permissions of the external document; if unchecked, permissions are not displayed. |
External Document Border
You can set external documents generated by the client to display a border when opened, helping users distinguish between regular files and external files. Both the border color and size can be configured.
| Setting | Description |
|---|---|
| External Document Border | Set whether to enable the external document border. |
| Border Color | Set the border color. |
| Border Size | Set the border size (1–10); higher values make the border thicker. |
External Document Network Settings
By default, external documents are blocked from accessing the network. If certain external documents require network access to function properly, administrators can allow specific processes to access designated networks.
| Setting | Description |
|---|---|
| Allow External Document Network | Enable or disable the policy that permits network access for external documents. |
| Allowed Network | Specify the process and its permitted network(s). Multiple policies can be set, each containing a process name and a set of network addresses. Network addresses must be in the format IP or IP:Port. Multiple IPs are separated by commas (,); IP ranges and port ranges are not supported. Example: If the process is set to CATIA.exe and the allowed network is 192.168.7.230:8090, CATIA.exe will be allowed to access 192.168.7.230:8090 when viewing external documents. |
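Because ranges are not accepted, it helps to validate an Allowed Network value before entering it in the console. The checker below is an added example, not part of the product; the function names are hypothetical, and it assumes IPv4 addresses, case-insensitive process names, and that an entry without a port permits any port on that address.

```python
import ipaddress


def parse_allowed_network(value):
    """Parse comma-separated 'IP' or 'IP:Port' entries.

    Returns a list of (ip, port) tuples, with port None when omitted.
    Raises ValueError for ranges, CIDR blocks, host names and bad ports.
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        host, sep, port_text = item.partition(":")
        try:
            ip = ipaddress.IPv4Address(host)   # rejects ranges, CIDR, names
        except ValueError:
            raise ValueError(f"not a single IPv4 address: {item!r}") from None
        port = None
        if sep:
            if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
                raise ValueError(f"not a single port: {item!r}")
            port = int(port_text)
        entries.append((str(ip), port))
    return entries


def is_allowed(policies, process, ip, port):
    """policies maps a process name to its parsed entries."""
    for name, entries in policies.items():
        if name.lower() == process.lower():    # assumption: names ignore case
            return any(e_ip == ip and e_port in (None, port)
                       for e_ip, e_port in entries)
    return False    # default: external documents have no network access


if __name__ == "__main__":
    # The process and address come from the example in the table above.
    policies = {"CATIA.exe": parse_allowed_network("192.168.7.230:8090")}
    print(is_allowed(policies, "CATIA.exe", "192.168.7.230", 8090))
```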
Document Upload Request Settings
Enable Settings
Turn on document upload request settings. When enabled, documents that meet the criteria will be uploaded to the request document storage server.
| Setting | Description |
|---|---|
| Enable Settings | Enable or disable uploading request documents to the document storage server. |
| Document Storage Server Address | Enter the address of the document storage server (HTTPS protocol only; use the corresponding HTTPS port). |
| Include Files | Files within this scope will be uploaded to the storage server. Select from predefined file types or manually enter using the button; wildcards are supported (e.g., *.doc, C:\*, D:\test\*.txt). |
| Exclude Files | Files within this scope will not be uploaded to the storage server. Select from predefined file types or manually enter using the button; wildcards are supported (e.g., *.doc, C:\*, D:\test\*.txt). |
| File Size | Set the file size range for uploads. Custom values are allowed, limited to 0–2,000,000 KB. |
Note:
- Supports the following requests: decryption requests, external document requests, and document attribute change requests.