PROTECT Frequently Asked Questions
How do customers collaborate with third parties or external contractors?
GuardWare PROTECT supports secure collaboration without forcing external parties into complex workflows. There are multiple supported options:
External invited users: GuardWare PROTECT allows organisations to securely extend access to external users, such as subcontractors, consultants, or partners, by inviting them via PROTECT Management Console to use GuardWare PROTECT. Once PROTECT is installed, they can open, edit, and work with encrypted files in their normal applications, without changing their workflow. All access remains under the full control of the data owner. For example, when a subcontractor is engaged on a project, access can be granted for the duration of the engagement. When the project ends, the organisation can revoke access and invalidate the encryption keys, immediately preventing further access to the files.
Password-protected ZIP files: Files can be securely shared as a ZIP file outside the GuardWare ecosystem. Users will require a password to access the ZIP file.
What happens if a customer stops using GuardWare PROTECT? Are their files locked in?
GuardWare server never expires. Even if a customer doesn’t want to use GuardWare PROTECT and the license expires, they can still access all previously encrypted files. The only capability that becomes unavailable is encrypting new files. However, customers must maintain an active Microsoft Azure Key Vault subscription, as it is required for managing and accessing encryption keys.
Additionally, if PROTECT is uninstalled from the device, encrypted files cannot be accessed. Any encrypted files must be decrypted before uninstalling PROTECT to ensure continued access.
GuardWare provides several secure mechanisms to decrypt files, including Remote server-based decryption.
If I change the format of a protected file (for example, saving a DWG as a PDF), is the new file still protected?
Yes, GuardWare PROTECT ensures that when a protected file is saved or exported into another format or extension (for example, DWG to PDF), the newly created file is also protected.
Can I upload protected files to websites such as ChatGPT?
Yes, this depends on your settings. Some common approaches include:
Trusted web application: ChatGPT can be added as a trusted web application, allowing it to consume encrypted content securely.
User-initiated decryption: Users can be permitted to remove encryption (with a mandatory reason) before uploading the file to ChatGPT.
GuardWare PROTECT is highly flexible and can be configured to align with your organisation’s policies and risk tolerance.
What file types are supported? DWG and Revit are mentioned, but what about Inventor, ReCap, Navisworks, and others?
GuardWare PROTECT is independent of file type and application. PROTECT can encrypt any file type that is actively in use.
The only limitation is access to the environment itself. For example:
Source code can be encrypted and still compiled while remaining encrypted.
CAD, BIM, and engineering files continue to function normally inside their native applications.
However, we recommend not encrypting executable files, DLLs, and system files, as doing so may affect system stability and application functionality.
Does GuardWare PROTECT support Autodesk Inventor, Revit, and similar engineering tools?
Yes. GuardWare PROTECT is regularly tested with Autodesk Inventor, Revit, and similar CAD and BIM environments. These tools are fully supported, and files continue to function normally within their native applications while remaining protected.
There is concern that GuardWare breaks DWG and RVT files.
The files are not broken; GuardWare PROTECT applies a security layer on top of the file, similar to how SSL encrypts data during network transmission. The key difference is:
SSL encrypts data in transit.
GuardWare encrypts data both in transit and while it is actively being used by the application.
The underlying file format remains unchanged and intact at all times.
What happens if Autodesk changes file formats?
No issue. GuardWare PROTECT works as a format-preserving wrapper. Because it does not alter the internal structure of the file, changes to underlying file formats do not impact the protection mechanism.
Does GuardWare PROTECT work with ACC and Vault?
Yes. GuardWare PROTECT is fully compatible with Autodesk Construction Cloud (ACC) and Autodesk Vault.
Could this be a way for the Government or Defence organisations to safely use cloud platforms such as ACC?
Yes. GuardWare PROTECT provides a strong foundation for enabling secure cloud adoption, including for government and defence use cases. Testing and validation can be carried out to align with specific regulatory and security requirements, but the capability is absolutely there.
How does a file know that it needs to be opened through GuardWare PROTECT?
Each file encrypted by GuardWare PROTECT contains an internal header that identifies it as a protected file. When the file is accessed, this header is automatically detected by PROTECT’s system-level drivers, which operate at the operating system kernel level. These drivers intercept file access requests and transparently apply decryption for authorised users and applications.
As a result, protected files open normally in their native applications, while unauthorised users or systems are prevented from accessing the content. This process is automatic and requires no manual action from the user.
What data does GuardWare PROTECT send back? Is any telemetry data collected?
GuardWare PROTECT does not send customer data outside the organisation’s environment.
All encrypted files, content, and sensitive information remain within the customer’s own infrastructure or approved cloud environment. For security and auditing purposes, PROTECT records operational events such as file encryption and decryption, file access and usage, upload, etc.
This monitoring data is used for visibility, compliance, and incident investigation and is displayed within the PROTECT Management Console. It is not shared externally and remains fully under the customer’s control.
How is a user’s access removed? Do they need to uninstall the GuardWare client?
No, removing access does not require uninstalling the PROTECT client from the user’s device.
Access is managed centrally through encryption keys and security groups. When a user no longer requires access, administrators simply revoke their access to the relevant keys using the PROTECT Management Console. This is typically done by removing the user from the relevant Security Group. Once removed, the user can no longer decrypt or open protected files, even if the PROTECT client remains installed on their device.
This approach allows organisations to instantly and securely revoke access without needing physical access to the user’s machine or relying on the user to take any action.
Is there any master key held by GuardWare that could decrypt customer files? How are encryption keys managed and protected?
No. GuardWare does not hold, control, or have access to any master decryption key. All private keys are stored in the customer’s own Azure Key Vault and remain under the customer’s control at all times.
Each encrypted file contains its own file decryption key. However, this key is itself encrypted using RSA-2048 and securely stored in the customer’s own Azure Key Vault, which is owned and controlled by the customer, not GuardWare. This means that only the customer’s organisation has access to the private keys required to decrypt files.
How does the encryption hierarchy work, and how is customer data protected if GuardWare is compromised?
GuardWare PROTECT uses a layered encryption model designed to prevent unauthorised access, even in extreme scenarios.
Files are encrypted using AES-CBC-ESSIV, a strong, layered encryption algorithm.
The file’s encryption key is embedded in the file in encrypted form.
That embedded key is protected by RSA-2048 and secured in the customer’s Azure Key Vault.
This creates multiple independent security layers. Even if one layer is compromised, the remaining layers would continue to protect the data. As a result, files cannot be decrypted using conventional or classical attack methods.
Does GuardWare have visibility into customer data or portals?
No. GuardWare has no visibility into customer file contents, encryption keys, or private data. All sensitive material remains within the customer’s environment and key management infrastructure.
What happens if a device is lost or stolen?
Because encryption and access checks are enforced per open, an attacker without a valid identity and policy membership cannot read protected files. Administrators can remotely revoke access and, if required, destroy keys to render copied data permanently unusable.
How does GuardWare PROTECT work when the device is not connected to the internet? Is there a grace period?
GuardWare PROTECT supports offline access through a configurable offline key lifespan, which acts as a grace period. Each encrypted file uses its own key, which is securely stored on the local device, allowing users to access encrypted files without a constant internet connection. Administrators can define the default offline key lifespan, which determines how long a user can access encrypted files while offline. As long as the device reconnects to the PROTECT server within this timeframe, access remains uninterrupted.
However, if the device remains offline beyond this period, or if there is a configuration or policy change, the offline key expires, and access is blocked until the device reconnects and refreshes its keys.
Last updated