Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Automatic encryption decryption without need to type passwords /keys

Posted on 2009-05-14
7
Medium Priority
?
750 Views
Last Modified: 2012-08-14
Hello Experts,

I am looking for a way to secure/ encrypt  files / folders like SQL db, My Sql db, Codes etc.

My objective is that such files or db should be accessible if accessed from same system
but if the file or folder is copied to other location, then the file or folder should be encrypted.

This files/ folders are on systems which are accessed by multiple users.

I do not want to give decryption password to such users and would like to use the system's own unique hardware identity to serve as a password. ( I would want a recovery password )

Is there a way to do it ? What is the simplest approach to achieve this ?


Regards

Rakesh




0
Comment
Question by:rakesh99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24393603
I am pretty sure that isn't possible. If a file can be read by the local machine, then it can be read by the local machine - therefore, anyone who chooses to copy the files across to another machine can do so.

That said, EFS will allow you restrict the ability to read given files (for example, the MySQL or MS SQL db files) to a single user or subset of users, which could then be the service login for that service. This should allow you to achieve a situation where the database engine itself can see and manipulate the files, but no other user on the machine (even with administrator rights) can do so.

That would not be secure against a truly determined attacker (it is possible, if difficult, to recover service passwords given suitable hacking tools, and that would give you a gateway straight into the encrypted files, either directly or via EFS hacking tools) but it would prevent a normal user, with no physical access to the server and no special rights, from copying or inspecting the files so protected. It would take a deliberate and detectable attack by a skilled hacker, which could be a high enough bar to prevent data loss in practice.
0
 

Author Comment

by:rakesh99
ID: 24394420
Can the combination of concepts of Trusted Computing Platform , Bitlocker / Truecrypt can't assist here ?
0
 

Author Comment

by:rakesh99
ID: 24394709
I am trying to achieve what you mentioned :

1)  My Sql Db / Sql Db
"a situation where the database engine itself can see and manipulate the files, but no other user on the machine (even with administrator rights) can do so."

2) Php Codes ( Sugar CRM)
"a situation where the "code" is secure. Sugar Crm Should run , but no other user on the machine (even with administrator rights) can copy files in an decrypted form."


0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 33

Accepted Solution

by:
Dave Howe earned 2000 total points
ID: 24398698
Trusted computing is a bit of a misnomer. it guarantees that a third party provider, approved of by the manufacturer of the cpu, can run DRMed content without it being available to the owner of the machine. in context therefore, it would be required that your machine be of the correct cpu type for TC, that your operating system attest that it hasn't been altered, and for your database engine to also so attest, before a TC compatible engine could obtain a key (from an external source) to unlock access to media. As MS SQL doesn't currently do this, and MySQL could never do this (being open source) it isn't a viable route.

Bitlocker and Truecrypt are examples of "cold device" security - in order to gain access to data, you must authenticate to the software, at which point the data is made available to the operating system. There is no way to make it available only to individual apps - either it is available to all users (subject to ntfs permissions if applicable) or none.

NTFS permissions (aka "Access Control Lists") can restrict access to a file to a given service, or more accurately, service account, but can't prevent a machine admin from "taking ownership" of the file and resetting that ACL.

Only EFS is proof against administrator level users - and even then, if a recovery key is set, there are ways around that for a savvy admin.
0
 

Author Comment

by:rakesh99
ID: 24429037
Hello Dave,

Your feedback is very informative and authoritative.

I can prevent Administrator Access to users. Pls advise in such case what options are
available to me and which one I should implement.
0
 

Author Closing Comment

by:rakesh99
ID: 31581523
Dave was good. Though he skipped the last question asked by me , but he did answered the original question well.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24481771
Really, for this sort of scenario, EFS is the easiest solution. only downside is that the password to the account is hardcoded into the service def - but that information is not available apart from by administrators, so you should be good to go with an EFS based setup.
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Healthcare providers, insurance companies and other covered entities trust eFax Corporate to transmit their most sensitive documents. eFax Corporate can help your organization implement a HIPAA compliant cloud faxing solution.
The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question