Automatic encryption/decryption without the need to type passwords/keys

Posted on 2009-05-14
Last Modified: 2012-08-14
Hello Experts,

I am looking for a way to secure/encrypt files/folders like SQL DB, MySQL DB, code, etc.

My objective is that such files or DBs should be accessible when accessed from the same system,
but if the file or folder is copied to another location, then the file or folder should be encrypted.

These files/folders are on systems which are accessed by multiple users.

I do not want to give the decryption password to such users and would like to use the system's own unique hardware identity to serve as a password. (I would want a recovery password.)

Is there a way to do it? What is the simplest approach to achieve this?



Question by:rakesh99

Expert Comment

by:Dave Howe
ID: 24393603
I am pretty sure that isn't possible. If a file can be read by the local machine, then it can be read by the local machine - therefore, anyone who chooses to copy the files across to another machine can do so.

That said, EFS will allow you to restrict the ability to read given files (for example, the MySQL or MS SQL db files) to a single user or subset of users, which could then be the service login for that service. This should allow you to achieve a situation where the database engine itself can see and manipulate the files, but no other user on the machine (even with administrator rights) can do so.

That would not be secure against a truly determined attacker (it is possible, if difficult, to recover service passwords given suitable hacking tools, and that would give you a gateway straight into the encrypted files, either directly or via EFS hacking tools) but it would prevent a normal user, with no physical access to the server and no special rights, from copying or inspecting the files so protected. It would take a deliberate and detectable attack by a skilled hacker, which could be a high enough bar to prevent data loss in practice.

Author Comment

ID: 24394420
Can't the combination of the concepts of Trusted Computing Platform and BitLocker/TrueCrypt assist here?

Author Comment

ID: 24394709
I am trying to achieve what you mentioned:

1) MySQL DB / SQL DB
"a situation where the database engine itself can see and manipulate the files, but no other user on the machine (even with administrator rights) can do so."

2) PHP code (SugarCRM)
"a situation where the code is secure. SugarCRM should run, but no other user on the machine (even with administrator rights) can copy files in a decrypted form."


Accepted Solution

Dave Howe earned 500 total points
ID: 24398698
Trusted computing is a bit of a misnomer. It guarantees that a third party provider, approved of by the manufacturer of the CPU, can run DRMed content without it being available to the owner of the machine. In context, therefore, it would be required that your machine be of the correct CPU type for TC, that your operating system attest that it hasn't been altered, and for your database engine to also so attest, before a TC compatible engine could obtain a key (from an external source) to unlock access to media. As MS SQL doesn't currently do this, and MySQL could never do this (being open source), it isn't a viable route.

BitLocker and TrueCrypt are examples of "cold device" security - in order to gain access to data, you must authenticate to the software, at which point the data is made available to the operating system. There is no way to make it available only to individual apps - either it is available to all users (subject to NTFS permissions if applicable) or none.

NTFS permissions (aka "Access Control Lists") can restrict access to a file to a given service, or more accurately, service account, but can't prevent a machine admin from "taking ownership" of the file and resetting that ACL.

Only EFS is proof against administrator level users - and even then, if a recovery key is set, there are ways around that for a savvy admin.

Author Comment

ID: 24429037
Hello Dave,

Your feedback is very informative and authoritative.

I can prevent administrator access for users. Please advise, in that case, what options are
available to me and which one I should implement.

Author Closing Comment

ID: 31581523
Dave was good. Though he skipped the last question I asked, he did answer the original question well.

Expert Comment

by:Dave Howe
ID: 24481771
Really, for this sort of scenario, EFS is the easiest solution. The only downside is that the password to the account is hardcoded into the service definition - but that information is not available apart from by administrators, so you should be good to go with an EFS based setup.
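The EFS-based setup Dave describes, as an added example that is not part of this thread or any vendor documentation: run in the service account's own session (EFS keys are per user), with the service stopped, it tightens the NTFS ACL on the data directory, encrypts the directory tree, and then checks the result. The account name `mysqlsvc`, the path `D:\MySQL\data` and the service being MySQL are assumptions.

```powershell
# Added example: protect a database data directory with EFS under the service account.
# Assumptions: local service account 'mysqlsvc', data directory D:\MySQL\data (NTFS volume),
# and the database service is already stopped so no data files are open.
$ServiceAccount = "$env:COMPUTERNAME\mysqlsvc"   # assumed service account
$DataDir        = 'D:\MySQL\data'                  # assumed data directory

# EFS binds the files to the certificate of whoever encrypts them, so refuse to run as anyone
# else; otherwise the engine (running as mysqlsvc) would be locked out of its own files.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $ServiceAccount) { throw "Run this as $ServiceAccount (current user: $me)" }

# 1. NTFS ACL: stop inheriting, drop every existing entry, grant only the service account and
#    SYSTEM. As noted in the thread, an admin can still take ownership and reset this, which
#    is why step 2 (EFS) carries the actual protection.
$acl = Get-Acl -Path $DataDir
$acl.SetAccessRuleProtection($true, $false)      # protect DACL, do not copy inherited ACEs
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
foreach ($id in @($ServiceAccount, 'NT AUTHORITY\SYSTEM')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $DataDir -AclObject $acl

# 2. EFS: encrypt the directory first (so files the engine creates later inherit the
#    attribute), then every subdirectory and existing file. File.Encrypt wraps the Win32
#    EncryptFile call, which accepts both files and directories.
[System.IO.File]::Encrypt($DataDir)
Get-ChildItem -Path $DataDir -Recurse -Directory | ForEach-Object { [System.IO.File]::Encrypt($_.FullName) }
Get-ChildItem -Path $DataDir -Recurse -File      | ForEach-Object { [System.IO.File]::Encrypt($_.FullName) }

# 3. Verify. Anything without the Encrypted attribute is still readable by an admin who
#    resets the ACL, so report it rather than assume success.
$plain = Get-ChildItem -Path $DataDir -Recurse |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
if ($plain) { Write-Warning ("Still unencrypted:`n" + ($plain.FullName -join "`n")) }

# cipher /c lists, per file, which user certificates can decrypt it and any Data Recovery
# Agent. A DRA entry here is the "recovery key" Dave warns a savvy admin can use.
cipher.exe /c "$DataDir\*"
```

After the service is started again it reads the files transparently, while other local accounts (admins included) see only "Access is denied" until they obtain the service account's credentials or a listed recovery agent's key.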
