yballan (United States of America) asked:
Encryption of folder and data

Dear Experts,

I am requested to encrypt a folder on our file server, and have started looking into different methods.  My concern is, if files are copied from encrypted folder onto external storage devices, is the encryption no longer protecting the file?
btan:

If you are referring to EFS on Windows, do note it is just another local file system MS product. When you connect via a network share, the server will generate a profile and, depending on your settings, get a certificate. If you are going to mandate a smart card for EFS, it does not work as desired.
E.g. with the group policy below, activating encryption for a file residing on a network share generates an error message such as "This operation requires an interactive window station".
> Computer configuration / Windows settings / Security settings / Public Key Policies EFS: "Require a smart card for EFS = ENABLED"

In short, when you encrypt on a server, the EFS protected file is first decrypted, then sent in clear plaintext over the network, and then re-encrypted on the destination server. One way around this is to connect to the server using WebDAV. Then the file is encrypted locally and will use your smart card. Otherwise consider using 7zip or WinZip to password protect the file, so that it is independent and remains encrypted until the password unlocks it and it is extracted...
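As an added example (not from this thread), the following PowerShell audits the point raised above and in the original question: it reports which files in a folder actually carry the EFS attribute, and classifies a copy destination by whether it can keep that attribute at all. The folder and drive paths are placeholders; the functions assume a Windows host with EFS available.

```powershell
# Added example, not from the thread. Assumes a Windows host with EFS; the folder and
# drive paths passed in are placeholders chosen by the operator.

# Report, for every file under $Path, whether it carries the EFS "Encrypted" attribute.
function Get-EfsStatus {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Encrypted = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
        }
    }
}

# Classify a copy destination: only NTFS can store the EFS attribute; a UNC path means
# the remote server decides; anything else (FAT32/exFAT thumb drives) receives plaintext.
function Test-EfsDestination {
    param([Parameter(Mandatory)][string]$Destination)
    $root = [IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Destination).ProviderPath)
    if ($root -like '\\*') {
        return [pscustomobject]@{
            Root       = $root
            FileSystem = 'UNC'
            KeepsEfs   = $false
            Note       = 'Remote share: data leaves this host decrypted unless the channel (IPsec, SMB encryption, WebDAV over HTTPS) protects it'
        }
    }
    $fs   = (New-Object System.IO.DriveInfo $root).DriveFormat
    $note = if ($fs -eq 'NTFS') { 'EFS attribute can be preserved on copy' }
            else { 'Non-NTFS volume: any copy written here is plaintext' }
    [pscustomobject]@{
        Root       = $root
        FileSystem = $fs
        KeepsEfs   = ($fs -eq 'NTFS')
        Note       = $note
    }
}

# Usage (placeholder paths):
# Get-EfsStatus -Path 'D:\ClientData' | Where-Object { -not $_.Encrypted }  # files lacking EFS
# Test-EfsDestination -Destination 'E:\'                                   # e.g. a FAT32 thumb drive
```

Run the first call before enabling EFS to find files that were never encrypted, and the second before any bulk copy to external media; a destination reporting KeepsEfs = False is exactly the case where the asker's protection is lost.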
McKnife:

Hi yballan.

Tell us, why would you need to do this?
I am experienced with encryption matters and I see no valid reason for using folder encryption if the contents are accessed only via network. You should use NTFS permissions together with full disk encryption at the server.
yballan (asker):

Dear btan,
Thank you for your quick response, after reading your reply, I am starting to believe that I do not have enough knowledge about the encryption, and will be reading on these materials to understand better.
Dear McKnife,
Thank you for your quick response.  Here is what is happening.  One of our clients requested that their information be encrypted, so we wanted to put an encrypted folder on the file server for multiple workers to access.  We also need to make sure that if someone copies these files onto external storage, or emails them as an attachment, they cannot be deciphered.
yballan (asker):

Thank you Experts, for valuable information.  I will bring up all possible solutions suggested by you to my supervisor to go forward.
btan:

Not to bog you down with material, but this can help as a starter - there is a security section if you really want to jump straight into it: https://msdn.microsoft.com/en-us/library/ms995356.aspx

I see it as using Windows itself for native encryption support (subject to OS type):
Disk encryption - BitLocker (has TPM and USB keyfile)
File/folder encryption - EFS
Removable medium encryption - BitLocker To Go or EFS (NTFS formatted drive)
Second factor authentication - Smartcard or token (default smartcard crypto service provider, CSP), Biometric Framework (BioAPI)
Network encryption (point to point) - VPN/IPsec
Online drive encryption - OneDrive (SSL channel), Azure Cloud (multi-factor auth), Azure Virtual Network (VPN/IPsec)...

Regardless, for external storage media one thing to note going forward is the Fast IDentity Online (FIDO) Alliance support, whose objective is to transition away from passwords to a stronger form of identity. This also forms the basis of the FIDO U2F Security Key, which serves as a Fast Identity Online Universal Second Factor (FIDO U2F) authenticator - supposed to be a FIDO Ready™ U2F compliant physical USB second factor device that offers a simpler, stronger alternative to today's six digit one-time passcodes (OTP)...

Too many areas to cover, and probably for your case the aim is to ensure minimally that data is encrypted everywhere it is stored, in transit and in use (if possible). An encrypted thumbdrive with authentication is one worthy investment besides EFS only... there is IronKey to mention as a candidate...