Secure Folders & Security Groups: Overview


Secure Folders


Secure Folders are specially designated storage locations in which Atakama encrypted files are saved. However, non-encrypted files can also be saved within Secure Folders. When Atakama is first installed, two Secure Folders are created: 1)“Atakama/” located at C:\Users\<username>\Atakama, and 2) “Atakama/Personal Files” at C:\Users\<username>. You can create additional Secure Folders via the Secure Folders tab within the Control Center. Every Secure Folder has a corresponding folder locally on the disk where the .kama files are located.


Secure Folder How-to:

Global Identifier

The Global Identifier is a descriptive name for a Secure Folder that is shared by all users. It is a way to identify a location regardless of its path. 


Each Secure Folder is assigned to a Security Group that governs the sharing permissions (i.e., who has access) to the encrypted files saved within the Secure Folder.


Cloud Backups

Using Atakama's CloudSync feature, you can link a Secure Folder to a cloud provider. All the files within the Secure Folder will be backed up to the cloud location. 


Automatic Encryption

Secure Folders can be optionally configured to automatically encrypt files under certain circumstances. For example, if you are running data discovery and classification software (e.g., Microsoft Information Protection) that discovers files and labels them, Atakama reads the labels and automatically encrypts the file the instant it is labeled.


Encryption Workflows

There are two ways to encrypt files:


Right-click to encrypt

Files can be encrypted from the context menu (right-click) by tapping on the "Protect with Atakama" option.


Context menu showing "Protect with Atakama" option 


Dragging files to the Atakama Vault

Dragging a non-encrypted file into a Secure Folder via the Atakama Vault will cause the file to be instantly encrypted.


Access Workflows

There are two ways to access .kama files:

  • Accessing them directly where they are stored, otherwise known as the actual location on disk
  • Accessing them through the Atakama Vault 


Actual location on disk

.kama files can be opened just like any other file wherever the file may be located.

When directly accessing a .kama file, some programs (e.g., Microsoft Word ) may report the file path as within the Atakama Vault. This is expected behavior.


Atakama Vault

Secure Folders are also accessible through the Atakama Vault. Only encrypted files will reside within the Atakama VaultFiles created directly in the Atakama Vault are immediately encrypted by default. Files can also be dragged-and-dropped into the Atakama Vault, but this is not recommended for new files. Files within the Atakama Vault will not show the ".kama" file extension. 


Considerations when accessing files through the Atakama Vault.

  • Files are immediately encrypted by default, so this is the most secure way to create a new encrypted file

  • File icons are visible with their expected file extensions (i.e., .docx, .pdf, .txt, etc.)

  • Accessing files through the Atakama Vault is a workflow change for end users

  • May require file folder reorganization

  • Unencrypted file artifacts could remain when the file is created outside the Atakama Vault (e.g., before being dragged-and-dropped into the Atakama Vault or right-click to encrypt)

Security Groups

Security Groups are the cryptographic mechanism that allows users to access encrypted files (i.e., decrypt files) within Secure FoldersSecurity Groups can be granted access to multiple Secure Folders. Granting an Atakama Profile access to a Secure Folder will also add that user to the Security Group that has access to that Secure Folder


File-level access is the ability to open a file or see the list of files within a folder. File-level access is granted through access control lists (ACLs) or the web interface in the case of cloud providers. Cryptographic access is the ability to decrypt an encrypted file. Although it is possible to have either file-level access or cryptographic access, both are necessary to access Atakama-encrypted files (i.e., decrypt the file).


When a Security Group is granted access to additional Secure Folders, all Atakama Profiles within the Security Group will retain their respective cryptographic access. That is, Atakama Profiles that have cryptographic access to one folder will have cryptographic access to the second folder regardless of their file-level access.

Atakama Permissions and Filesystem Permissions

When provisioning a new Secure Folder, there are two layers that determine a user's access to encrypted files:

  • Their underlying filesystem access control lists (ACLs and NTFS permissions)
    • Every user must have "Modify" or higher level of permission to a secure folder's database folder (.atakamashare.db, located inside the root level of a secure folder) and "Read" or higher level of permission for the secure folder's structure file (.atakama_dir.kama file, located in every folder that contains an encrypted file)
  • Atakama permissions (via Security Groups)

If a user lacks permission in either of those layers, they will be unable to decrypt files. As such, if a user requires access to encrypted files, they need both NTFS and Atakama permission to do so.

How to update Security Group Verifications (relevant when upgrading to Oystercatcher only)

When upgrading to Oystercatcher, you will need to manually update the Security Group verification by clicking the “Update Verification” button in the Secure Folder Configuration window.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.