Solved

Best file encryption for network shares.

Posted on 2003-11-26
1,278 Views
Last Modified: 2010-05-18
What is the best file encryption package available to have multiple users encrypt/decrypt on a network share?

Encrypted volumes are OK, software based preferred.  We need a simple, robust package that protects our data from physical theft and intruders and which doesn't stop us from sharing data.
Question by:ICCP
18 Comments
 
LVL 9

Expert Comment

by:TooKoolKris
0
 

Author Comment

by:ICCP
Thanks for that.

However, I've got a list of URLs as long as my arm.  The problem is figuring out what is best.

I've tried the MS offering, based on the advice of some supposed experts, and it wouldn't work.  I.e., to encrypt, a file had to be decryptable by only one user.  They've sorted this out in Win2003, but it's too recent for our taste.

The expert I'm looking for will have installed file encryption offerings of various flavours in a large variety of locations and will recommend the best based on extensive experience.
0
 
LVL 1

Expert Comment

by:Skytzo

Can I make sure of something first?  Are you looking for a VPN rather than general encryption?

More specifically, are you looking to simply secure the network traffic between your systems, or are you looking to do on-the-fly encryption of data on the discs themselves?  Or both?

If it is as simple as a VPN, there are inexpensive hardware devices that can do the job for you, though if you are looking for disc encryption as well, then you are probably looking for software.

Which one are you looking for?
0
 
LVL 51

Expert Comment

by:ahoffmann
> .. figuring out what is best.
Nobody can tell you; you need to find out yourself.

> .. robust package that protects our data from physical theft ..
Impossible, except when no one has physical access.

If there are several people who need to share access, each needs to know the secret.
If you only have one secret, and need to distribute it to more than one person, you have more than one weak system.

To get closer to what you want, you need something like a PKI, where each person can have their own secret, and each secret can be invalidated (revoked) independently.

I'd suggest PGPDisk, which can use a PKI.
0
 

Author Comment

by:ICCP
Thanks for those thoughts guys.

Skytzo - disk encryption only.  Not VPN.  No traffic encryption.

The theory is that system intruders who manage to crack the ACLs will then have to crack the encryption and also - if the server is lifted and carted away, the data will still be protected by encryption.  (Keys need to be stored separately from the data.)

ahoffmann - I understand that we'll need to test in our environment.  What I'm trying to do is test the best - avoid testing some of the snake oil products available out there and avoid products that experienced experts have found to be wanting.  A question - at how many sites have you personally set up PGPDisk with PKI?
0
 
LVL 4

Expert Comment

by:ferg-o

PGP to 7.1 always had trouble with file locking on shared encrypted files - if this has been fixed at v.8 then I would recommend it highly because of the excellent features for management like trust levels, the ability to customise, admin and enforce client settings and Additional Decryption Keys.

(me=former PGP implementation consultant)

I have literally just started looking at v.8 so if I see any issues with PGPDisk I will post here.

If you do go for another solution I would be very interested to hear which one...
0
 
LVL 51

Expert Comment

by:ahoffmann
> .. how many sites have you personally set up PGPDisk with PKI?
none, 'cause my personal opinion is that it is a useless attempt, producing more problems than it resolves (not 'cause of PGP, but 'cause of the nature of the problem).

Do you have a PKI running?
If not, start with it first, 'cause it's the backbone of what I suggested. And it's no fun, not easy, not trivial, not click&type, not for non-gurus, etc. etc.. It's something secure ..
See ferg-o's comment.
Sounds like I'm out of the running for solutions, but I'm listening ..
0
 
LVL 4

Expert Comment

by:ferg-o

You may also want to have a look at this:

http://www.keydrive2.com/pages/620683/index.htm

We partner with these guys - they use a USB token to look after authentication for the encrypted information. Very simple to use - one thing that is a problem with PKI is that you have to store your private key somewhere. By default in PGP it is stored on your hard drive. In that case if one of your staff loses their laptop someone could brute force their key. We are getting into NSA-level technology here but there *is* a risk. With a token you have a PIN for the key - the key stores the complex passwords or certificates.
0
 
LVL 1

Expert Comment

by:Skytzo

The last comment reminded me of the Abit secure drive system.  It is a board that sits between your IDE bus and the IDE cable and encrypts all data on the disc.  It uses a USB token to store the key.  Remove the key, and the drive is locked.

http://www.abit-usa.com/products/multimedia/secureide/

Check it out.  As a hardware solution it is faster than disk encryption and probably just as if not more secure due to the entire disc being encrypted.
0
 
LVL 51

Expert Comment

by:ahoffmann
> .. is that you have to store your private key somehwere.
That's the culprit for any attempt (at least as long as you don't type in the key completely every time it is requested, useless ..)
Also keep in mind that a USB token is as weak as most keys on hard disk; it's just as safe as the pass phrase to protect it.
And worse, it's simple to get physical access to it, much simpler than unplugging a hard disk ;-)
Also keep in mind that most OSes have no protection on USB, nor is the USB protocol secure. It's rather simple to write drivers for USB which act as a sniffer on all connected USB devices (sorry, don't have a link handy for this, but experienced people know how to find it ;-)
0
 
LVL 1

Expert Comment

by:Skytzo

Sorta like a key logger that records any keys input to a keyboard, or the device, I forget the name, that can capture your screen image from 200 yards away outside your building.

lol..  I think we are in the realm of spy vs spy now.  I think the item above is used to unlock your disk prior to any OS level or device drivers being loaded.
0
 

Author Comment

by:ICCP
This is very tricky.  Thanks to all for thoughts.

ferg-o - sounds like you have a good depth of experience with PGP.  Have you ever implemented any of the other products?  I'm trying to get a feel for any comparison that might be implied.

I can imagine problems with file locking.  Network shares seem a problem for a number of products - probably that hardware encryption system included.  We're focussing on software, but if anyone has robust reasons why hardware is "best", would love to hear.

The KeyDrive looks useful with its combo authentication - private key on USB token, PIN also.  A little similar to the RSA one-time password generators.  Presumably they hash the two to get the real key.  So even if someone gets hold of a USB token, there's another factor for further protection and the real key is never stored anywhere (sounds like).  Unfortunately they don't have an office in Australia.  That can't affect the awarding of points in the end though.  I'm just looking for "best".

Key loggers and monitoring devices on hardware are not off the scope of concern, but are way down the list - to be addressed at a later date.  Network intruders and hardware theft are primary concerns for now.

Does anyone know how Eracom compares with PGPDisk as a candidate for "best"?
0
 
LVL 4

Accepted Solution

by:ferg-o (earned 100 total points)

I have messed about with Calyx - the glue holding that suite together is a bit thin but it has a lot of potential. It also wasn't really integrated with tokens for a few of the encryption aspects. I haven't seen Eracom.

In terms of clients using PGP (I am under non-disclosure for most) effectively you are looking at defense organisations, investment banks etc. While PGP was owned by NAI there were several problems related to building too many features into the products - the VPN/Firewall component was particularly troublesome with some onboard NIC cards (just small manufacturers like Compaq and IBM) but that has now been scrapped.

Some of the key PGP people from NAI formed PGP Corporation which owns it now. They have stripped it back to do what it does really well - disk and mail encryption. I have been running the latest version for the last couple of days and it has caused me no issues - the whole time I was at NAI I used 7.1, just the mail and disk components with no problems.

I have put all my client folders into an encrypted disk on the server and have been running that fine - even over VPN. Also we are now looking at Version 8.0.3 - that makes it a very mature product. It integrates with Aladdin and Rainbow tokens among others. I highly recommend the use of tokens for private key storage.

If you use PGP Admin (if you are to deploy I suggest you buy some services - it is a complex PKI, should you wish to have additional decryption keys or use trusted/meta introducers to decentralise/simplify/automate management then you will need to plan your PKI architecture carefully prior to implementation) then you have a wide variety of enterprise manageability options that have been built into the product as clients have requested them over the years. PGP will work with x.509 certs but you will lose some functionality over using PGP keys (sorta like big certs with more info on them...) The advantage of this is for use in mail encryption - it is easier to use x.509 with other applications.

So my point is in my opinion you cannot go wrong with PGP as long as you use it for what it is designed for and that the design and implementation is thoroughly planned. In my experience it is the best product of its kind on the market for reasons discussed above.

I would be interested to hear about the Eracom stuff if anyone has seen it - from the site it looks interesting..

0
 

Author Comment

by:ICCP
Thanks very much ferg-o

You're in the front running.

Anyone with comments on Eracom or any other packages?

Comparisons between products based on field-experience will be well-received.
0
 

Author Comment

by:ICCP
ahoffmann - I'm interested in your thought that the nature of the problem means that more difficulties are introduced than solved by using disk encryption.

What sort of problems can be expected?
0
 
LVL 51

Expert Comment

by:ahoffmann
Repeating one of my first sentences:
> If you only have one secret, and need to distribute it to more than one person, you have more than one weak system.
Means that everyone having the key can compromise your data. One key gets stolen, somehow, sometimes, somewhere. That's Murphy's law.
Or imagine that there is one user which does not encrypt with a (shared) key everyone else knows ..

What happens if you have a huge amount of data (some gigs), and you need to change the encryption key ('cause of various reasons)?
It will take a long time to convert all encryptions, besides the double space you need.

ferg-o, I've no experience with PGPDisk on shared media. Where is the driver located? Hopefully on each client trying to use the share.
ICCP, keep in mind that you need to distribute the same software, probably same version, to each client. Some clients then can't participate 'cause there is no driver available.

Just a few of "more" problems (but not saying that it is impossible ;-)
0
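The two objections in this comment (one secret handed to everyone, and a key change meaning everything is re-encrypted) are what per-user key wrapping addresses; the Go example below is added here and is not from the thread, from PGP or from any other product named in it. The data is sealed once under a random data key, and only that key is wrapped separately under each user's own key with AES-GCM, so one user is revoked by deleting their wrapped copy; user names and key bytes are constructed sample values.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Seal/Open: AES-GCM, random nonce prepended; a wrapped key is just a sealed 32-byte message.
func Seal(key, msg []byte) []byte {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // demo only: keys must be 16, 24 or 32 bytes
	}
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, msg, nil)
}

func Open(key, blob []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil || len(blob) < 12 { // 12 = standard GCM nonce size
		return nil, errors.New("bad key size, or blob missing or too short")
	}
	g, _ := cipher.NewGCM(b)
	return g.Open(nil, blob[:12], blob[12:], nil) // wrong key or tampering: error
}

// NewShare seals plain under one fresh random data key (DEK) and returns that blob
// plus the DEK wrapped under each user's own key (KEK). Nobody is handed a shared
// secret; delete(keys, user) revokes one user, and only a new DEK means re-encrypting.
func NewShare(plain []byte, keks map[string][]byte) ([]byte, map[string][]byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	keys := map[string][]byte{}
	for user, kek := range keks {
		keys[user] = Seal(kek, dek)
	}
	return Seal(dek, plain), keys
}

// Read unwraps the DEK with the caller's own KEK, then decrypts the data with it.
func Read(data, wrapped, kek []byte) ([]byte, error) {
	dek, err := Open(kek, wrapped)
	if err != nil {
		return nil, err
	}
	return Open(dek, data)
}
```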
 
LVL 4

Expert Comment

by:ferg-o

Yep - to the server it is just another file. The individual clients run the PGPDisk software and have the PGPKeys component which looks after unlocking the encrypted file. You can choose to mount it as a directory under an NTFS architecture or make it a drive...
0
 

Author Comment

by:ICCP
Thanks to all.

ferg-o got the points for depth of field experience with disk encryption.

I'm missing the magic guru who's set up disk encryption in 20 flavours at 500 sites, but am appreciative of the help offered here.  The guru may be a myth.

I suspect a full answer to "best disk encryption" would take a heavy-going comparative review.  However, we're hearing PGP from many directions.  We're reading the signs and checking it out.
0
