Go Premium for a chance to win a PS4. Enter to Win


Automatic encryption decryption without need to type passwords /keys

Posted on 2009-05-14
Medium Priority
Last Modified: 2012-08-14
Hello Experts,

I am looking for a way to secure/ encrypt  files / folders like SQL db, My Sql db, Codes etc.

My objective is that such files or db should be accessible if accessed from same system
but if the file or folder is copied to other location, then the file or folder should be encrypted.

This files/ folders are on systems which are accessed by multiple users.

I do not want to give decryption password to such users and would like to use the system's own unique hardware identity to serve as a password. ( I would want a recovery password )

Is there a way to do it ? What is the simplest approach to achieve this ?



Question by:rakesh99
  • 4
  • 3
LVL 33

Expert Comment

by:Dave Howe
ID: 24393603
I am pretty sure that isn't possible. If a file can be read by the local machine, then it can be read by the local machine - therefore, anyone who chooses to copy the files across to another machine can do so.

That said, EFS will allow you restrict the ability to read given files (for example, the MySQL or MS SQL db files) to a single user or subset of users, which could then be the service login for that service. This should allow you to achieve a situation where the database engine itself can see and manipulate the files, but no other user on the machine (even with administrator rights) can do so.

That would not be secure against a truly determined attacker (it is possible, if difficult, to recover service passwords given suitable hacking tools, and that would give you a gateway straight into the encrypted files, either directly or via EFS hacking tools) but it would prevent a normal user, with no physical access to the server and no special rights, from copying or inspecting the files so protected. It would take a deliberate and detectable attack by a skilled hacker, which could be a high enough bar to prevent data loss in practice.

Author Comment

ID: 24394420
Can the combination of concepts of Trusted Computing Platform , Bitlocker / Truecrypt can't assist here ?

Author Comment

ID: 24394709
I am trying to achieve what you mentioned :

1)  My Sql Db / Sql Db
"a situation where the database engine itself can see and manipulate the files, but no other user on the machine (even with administrator rights) can do so."

2) Php Codes ( Sugar CRM)
"a situation where the "code" is secure. Sugar Crm Should run , but no other user on the machine (even with administrator rights) can copy files in an decrypted form."

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

LVL 33

Accepted Solution

Dave Howe earned 2000 total points
ID: 24398698
Trusted computing is a bit of a misnomer. it guarantees that a third party provider, approved of by the manufacturer of the cpu, can run DRMed content without it being available to the owner of the machine. in context therefore, it would be required that your machine be of the correct cpu type for TC, that your operating system attest that it hasn't been altered, and for your database engine to also so attest, before a TC compatible engine could obtain a key (from an external source) to unlock access to media. As MS SQL doesn't currently do this, and MySQL could never do this (being open source) it isn't a viable route.

Bitlocker and Truecrypt are examples of "cold device" security - in order to gain access to data, you must authenticate to the software, at which point the data is made available to the operating system. There is no way to make it available only to individual apps - either it is available to all users (subject to ntfs permissions if applicable) or none.

NTFS permissions (aka "Access Control Lists") can restrict access to a file to a given service, or more accurately, service account, but can't prevent a machine admin from "taking ownership" of the file and resetting that ACL.

Only EFS is proof against administrator level users - and even then, if a recovery key is set, there are ways around that for a savvy admin.

Author Comment

ID: 24429037
Hello Dave,

Your feedback is very informative and authoritative.

I can prevent Administrator Access to users. Pls advise in such case what options are
available to me and which one I should implement.

Author Closing Comment

ID: 31581523
Dave was good. Though he skipped the last question asked by me , but he did answered the original question well.
LVL 33

Expert Comment

by:Dave Howe
ID: 24481771
Really, for this sort of scenario, EFS is the easiest solution. only downside is that the password to the account is hardcoded into the service def - but that information is not available apart from by administrators, so you should be good to go with an EFS based setup.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question