alanccw

Looking For Disk Encryption System

Hi,

I am looking for a disk encryption system that can:

1. Encrypt all files on all computers in our company.
2. Inside our company, use transparent encryption as described in https://en.wikipedia.org/wiki/Disk_encryption so that all files can be copied or moved as if they were not encrypted.
3. When copying or moving the files outside our company, the files stay encrypted. This is to prevent any employees from copying confidential data outside our company.

I have studied MS Encrypted File System and BitLocker, but both seem unable to support the third feature. Therefore, I wonder whether there are other tools that can support all three.

Thanks
McKnife

Hi.

Please go into detail:
->what is your scenario, what are you protecting against, that would still be possible if all involved media was bitlocked?
Those two points are on opposite sides of the encryption spectrum.

If you opt for something that is transparent, it will only end up encrypted again if it is saved on an encrypted storage.
alanccw

ASKER

My purpose is to prevent employees in our company from copying confidential files outside our company, while making sure the files can be shared inside our company smoothly.

ASKER

I have just clarified my question. Thank you very much.
BitLocker protects the files at rest; AD RMS protects files from leaving the organization.
You can try RMS, agreed. Be aware that it won't make your life easier; a lot of administrative work will come your way if you still want to share files with externals like customers. As for an easy solution that covers files on drives and removable media, BitLocker used the way I outline in my article is one. Of course that does not cover uploads and mails. See https://www.experts-exchange.com/articles/25879/A-new-aspect-to-securing-USB-data-SID-protectors.html
To do (3), you need at minimum a file and folder encryption (FFE) solution rather than FDE. Here is one solution worth a look. It comes with more, but at minimum you can look at its FFE feature, which lets you customise the paths of users' commonly used folders, including those on portable storage devices, to be encrypted by default. It is transparent to the user. Of course the standard Windows system files will be excluded, as will anything else you choose to configure.
https://www.secureage.com/products/securedata/
When did you add the third point?

ASKER

Hi,

Point 3 is the most important one, to prevent data theft from employees. Point 2(sharing data within company) can be sacrificed as long as the data on the local computer are all encrypted.

I have tried EFS and VeraCrypt (a fork of TrueCrypt), but both will decrypt files when sending them to others via email.

ADRMS seems complex. Is there an easy way to implement what I need?

Thanks
If the file container is mounted, decryption happens on the fly, so any files are as if in plaintext. You can dismount the container when it is not needed.

Password protection using 7z or a WinZip equivalent may be an option, though it needs to be triggered manually.
"ADRMS seems complex. Is there an easy way to implement what I need?" - definitely not.

ASKER

I have just studied AD RMS. Based on https://en.wikipedia.org/wiki/Active_Directory_Rights_Management_Services and the Test Lab Guide https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134037(v%3dws.11), it seems that AD RMS can only protect specific types of files, such as Office documents. For other file types, such as plain text files and C++ files (.cpp & .h), AD RMS cannot protect them. Is there a way to enable AD RMS to protect all kinds of files? Or at least encrypt all kinds of files so that if they are copied out of the company intranet, they are kept encrypted and cannot be read?
Did you read about pfiles? It seems AD RMS can encrypt any type of file, but "natively" only supports some file types like Office. 3rd party vendors might have tools to extend that: https://cloudblogs.microsoft.com/enterprisemobility/2012/04/28/ad-rms-supported-files/

ASKER

Hi, McKnife,

Thank you very much for your information. However, the information in https://cloudblogs.microsoft.com/enterprisemobility/2012/04/28/ad-rms-supported-files/ seems outdated. For example, it said "Liquid Machines extends AD RMS protection to over 400 different file types including PDF and CAD files.", but its website http://www.liquidmachines.com/rms cannot be visited any more. By googling "Liquid Machines", I found that the company has been acquired by Check Point Software Technologies (https://www.checkpoint.com/). However, browsing its website, I cannot find any product related to AD RMS any more.

Moreover, it said "Secure Islands offers a developmental framework they can use to supply AD RMS file protection to any file format within three to four weeks.", but Secure Islands has been acquired by Microsoft and its website also cannot be visited.

It seems that the only solution to support a specific file format with AD RMS is to use its own SDK.

ASKER

Hi, McKnife,

Thank you very much for your information. I plan to configure a Windows server with the Active Right Management service to see if it works for my case, but the configuration is a bit complex. And it seems that "Azure Active Directory" uses a similar rights management service. Therefore, I have signed up for a free account on Azure and want to give it a try. However, after viewing the introduction video of Azure Active Directory, I find it does not mention any file protection feature at all. Does "Azure Active Directory" have such a feature? Thanks
Oh, that is beyond my knowledge as I have zero Azure AD experience, sorry.
I think you are talking about Azure Rights Management which requires Azure Active Directory.

Azure Rights Management (and Azure AD) is easy to set up.

ASKER

Hi, Shaun

I found an article at https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-user-guide . I think this is the portal for file protection.

ASKER

I think this article https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-file-types describes how to make all supported files protected by default.
Yes, the pfiles that use encapsulation, I was mentioning that.

ASKER

Hi,

I tried to sign up for Azure Pay-As-You-Go and then followed the instructions in https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-customizations to sign in to the Azure portal. In "All resources", I found "Azure Information Protection" and clicked it, but I got the following error:

Access denied

You do not have access

Looks like you don't have access to this content. To get access, please contact the owner.

Then I see a message box in the top-right corner:

We could not find a license for your tenant to use Azure Information Protection. To open the Azure Information Protection admin portal, you must have Azure Information Protection Premium P1 (included within Enterprise Mobility and Security E3) or Azure Information Protection Premium P2 (included within Enterprise Mobility and Security E5). Or, an Office 365 subscription that includes Azure Rights Management.

I tried subscribing to the Office 365 free trial and then tried again, but I still get the same error. How can I solve the problem?
Ask Microsoft support.