Automatic encryption/decryption without need to type passwords/keys

Posted on 2009-05-14
Last Modified: 2012-08-14
Hello Experts,

I am looking for a way to secure/encrypt files/folders like SQL db, MySQL db, codes etc.

My objective is that such files or db should be accessible if accessed from the same system, but if the file or folder is copied to another location, then the file or folder should be encrypted.

These files/folders are on systems which are accessed by multiple users.

I do not want to give the decryption password to such users and would like to use the system's own unique hardware identity to serve as a password. (I would want a recovery password.)

Is there a way to do it? What is the simplest approach to achieve this?



Question by:rakesh99
LVL 33

Expert Comment

by:Dave Howe
ID: 24393603
I am pretty sure that isn't possible. If a file can be read by the local machine, then it can be read by the local machine - therefore, anyone who chooses to copy the files across to another machine can do so.

That said, EFS will allow you to restrict the ability to read given files (for example, the MySQL or MS SQL db files) to a single user or subset of users, which could then be the service login for that service. This should allow you to achieve a situation where the database engine itself can see and manipulate the files, but no other user on the machine (even with administrator rights) can do so.

That would not be secure against a truly determined attacker (it is possible, if difficult, to recover service passwords given suitable hacking tools, and that would give you a gateway straight into the encrypted files, either directly or via EFS hacking tools) but it would prevent a normal user, with no physical access to the server and no special rights, from copying or inspecting the files so protected. It would take a deliberate and detectable attack by a skilled hacker, which could be a high enough bar to prevent data loss in practice.

Author Comment

ID: 24394420
Can't the combination of the concepts of Trusted Computing Platform, Bitlocker/Truecrypt assist here?

Author Comment

ID: 24394709
I am trying to achieve what you mentioned:

1) MySQL DB / SQL DB
"a situation where the database engine itself can see and manipulate the files, but no other user on the machine (even with administrator rights) can do so."

2) PHP codes (Sugar CRM)
"a situation where the "code" is secure. Sugar CRM should run, but no other user on the machine (even with administrator rights) can copy files in a decrypted form."

LVL 33

Accepted Solution

Dave Howe earned 500 total points
ID: 24398698
Trusted computing is a bit of a misnomer. It guarantees that a third party provider, approved of by the manufacturer of the CPU, can run DRMed content without it being available to the owner of the machine. In context therefore, it would be required that your machine be of the correct CPU type for TC, that your operating system attest that it hasn't been altered, and for your database engine to also so attest, before a TC compatible engine could obtain a key (from an external source) to unlock access to media. As MS SQL doesn't currently do this, and MySQL could never do this (being open source), it isn't a viable route.

Bitlocker and Truecrypt are examples of "cold device" security - in order to gain access to data, you must authenticate to the software, at which point the data is made available to the operating system. There is no way to make it available only to individual apps - either it is available to all users (subject to NTFS permissions if applicable) or none.

NTFS permissions (aka "Access Control Lists") can restrict access to a file to a given service, or more accurately, service account, but can't prevent a machine admin from "taking ownership" of the file and resetting that ACL.

Only EFS is proof against administrator level users - and even then, if a recovery key is set, there are ways around that for a savvy admin.

Author Comment

ID: 24429037
Hello Dave,

Your feedback is very informative and authoritative.

I can prevent Administrator access to users. Please advise in such a case what options are available to me and which one I should implement.

Author Closing Comment

ID: 31581523
Dave was good. Though he skipped the last question asked by me, he did answer the original question well.
LVL 33

Expert Comment

by:Dave Howe
ID: 24481771
Really, for this sort of scenario, EFS is the easiest solution. The only downside is that the password to the account is hardcoded into the service def - but that information is not available apart from by administrators, so you should be good to go with an EFS based setup.
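
An audit of the EFS/NTFS arrangement discussed in this thread, added here as an example and not part of any participant's post. It reports data files that are not EFS-encrypted, are not owned by the service account, or grant access to other accounts, then lists who can decrypt them, including any recovery certificates. The path `D:\MySQLData` and the account `DBHOST\svc_mysql` are assumed placeholders.

```powershell
# Added example, not from the thread. $DataDir and $ServiceAccount are
# assumed placeholder values; set them to the real data directory and the
# account the database service logs on as.
param(
    [string]$DataDir        = 'D:\MySQLData',
    [string]$ServiceAccount = 'DBHOST\svc_mysql'
)

function Test-EfsProtectedFile {
    param(
        [System.IO.FileInfo]$File,
        [string]$Account
    )

    $acl = Get-Acl -LiteralPath $File.FullName

    # Every identity other than the service account that holds an Allow entry.
    $others = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -ne $Account } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        File           = $File.FullName
        # The Encrypted attribute is set on files protected by EFS.
        Encrypted      = [bool]($File.Attributes -band [System.IO.FileAttributes]::Encrypted)
        Owner          = $acl.Owner
        OtherAllowAces = $others -join '; '
    }
}

$report = Get-ChildItem -LiteralPath $DataDir -File -Recurse |
    ForEach-Object { Test-EfsProtectedFile -File $_ -Account $ServiceAccount }

# Show only files that deviate from "encrypted, owned by and readable only by
# the service account". An owner change can indicate the take-ownership path
# described in the accepted answer.
$report |
    Where-Object { -not $_.Encrypted -or $_.Owner -ne $ServiceAccount -or $_.OtherAllowAces } |
    Format-Table -AutoSize

# cipher /c prints, per file, the users who can decrypt it and any recovery
# certificates, which is the recovery-key exposure mentioned in the thread.
cipher /c /s:$DataDir
```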
