Transparent File Encryption - A File System Encryption SDK

EaseFilter Encryption Filter Driver SDK

EaseFilter File System Encryption Filter Driver SDK provides a comprehensive security solution for developing transparent file-level encryption products. It encrypts files on the fly and allows only authorized users or processes to access the encrypted files. The supported cipher is Rijndael, the algorithm chosen by the National Institute of Standards and Technology (NIST) as the Advanced Encryption Standard (AES), with key lengths of 128, 192 and 256 bits.

EaseFilter File System Mini Filter Driver SDK is a mature commercial product. It provides a complete modular framework that lets developers, even those without driver development experience, build a filter driver within a day. The SDK covers everything from code design to product installation and includes all the basic features you need to build a filter driver.

The encryption software you can develop with EaseFilter File Encryption SDK

  1. Data encryption at rest. Encryption at rest prevents an attacker from accessing the unencrypted data by ensuring the data is encrypted when on disk.
  2. Data protection. Document and file encryption is a very important step in data protection: only authorized users or processes can read the encrypted data; others get the raw encrypted data.
  3. Data loss prevention. To prevent a data breach, your data is encrypted all the time; even if the data is lost and turns up in an unauthorized place, it is protected against unauthorized access.
  4. Secure file sharing with DRM. Encrypt your files with digital rights management data embedded in the encrypted header to protect, track and control your encrypted files anywhere, anytime. You can grant or revoke access for any user at any time, even after the files have been shared.

EaseFilter Encrypting File System

EaseFilter File System Encryption Driver is an encrypting file system: file-system-level, file-based encryption. A transparent encryption filter driver integrates encryption and decryption into the read and write I/O path at the file system level; because no extra I/O is needed, encryption performance improves dramatically. With automatic file-system-level encryption, you can encrypt your folders and files to keep sensitive data from being exposed or stolen.

EaseFilter encrypting file system is an alternative to Microsoft EFS. It has more features and is more flexible than Microsoft EFS: it supports both user-based and process-based encryption, it can encrypt every file with a unique encryption key, and it can embed custom tag data into the encrypted file.

Military-grade Advanced Encryption Standard (AES) algorithm. The encryption engine uses the Advanced Encryption Standard (AES) algorithm, a symmetric block cipher chosen by the U.S. government, using keys sized at 128, 192 and 256 bits.

Block level decryption. EaseFilter File System Encryption SDK decrypts encrypted files in real time at a block granularity of 16 bytes. To read some blocks of a large encrypted file, it does not need to decrypt the whole file, only the requested blocks, which improves read performance.
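
The block-level decryption described above, as an added example that is not EaseFilter code: it decrypts a 100-byte range from the middle of an encrypted buffer without touching the rest. The page does not say which AES mode the SDK uses on disk; CTR mode, the 8-byte nonce layout, and the names BlockRangeDemo, KeystreamBlock and Crypt are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
// Added illustration, not EaseFilter code. CTR mode is an assumption here:
// the page does not state which AES mode the SDK uses on disk.
static class BlockRangeDemo
{
    const int BlockSize = 16; // AES block size in bytes
    // Keystream block n = AES-ECB(key, nonce[8] || big-endian n[8]).
    static byte[] KeystreamBlock(ICryptoTransform ecb, byte[] nonce, long n)
    {
        var counter = new byte[BlockSize];
        Buffer.BlockCopy(nonce, 0, counter, 0, 8);
        for (int i = 0; i < 8; i++) counter[15 - i] = (byte)(n >> (8 * i));
        var ks = new byte[BlockSize];
        ecb.TransformBlock(counter, 0, BlockSize, ks, 0);
        return ks;
    }

    // Encrypts or decrypts (same XOR) bytes located at fileOffset in the file.
    public static byte[] Crypt(byte[] key, byte[] nonce, byte[] data, long fileOffset)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key; aes.Mode = CipherMode.ECB; aes.Padding = PaddingMode.None;
            using (var ecb = aes.CreateEncryptor())
            {
                var output = new byte[data.Length];
                byte[] ks = null; long loaded = -1;
                for (int i = 0; i < data.Length; i++)
                {
                    long pos = fileOffset + i, block = pos / BlockSize;
                    // Only the 16-byte blocks covering the requested range are computed.
                    if (block != loaded) { ks = KeystreamBlock(ecb, nonce, block); loaded = block; }
                    output[i] = (byte)(data[i] ^ ks[pos % BlockSize]);
                }
                return output;
            }
        }
    }
    static void Main()
    {
        var key = new byte[32]; var nonce = new byte[8]; var plain = new byte[4096];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(key); rng.GetBytes(nonce); rng.GetBytes(plain); }
        byte[] file = Crypt(key, nonce, plain, 0);          // constructed "encrypted file"
        byte[] slice = file.Skip(1000).Take(100).ToArray(); // read 100 bytes at offset 1000
        byte[] clear = Crypt(key, nonce, slice, 1000);      // decrypt only that range
        Console.WriteLine(clear.SequenceEqual(plain.Skip(1000).Take(100)));
    }
}
```

CTR gives random access but no integrity protection, and a nonce must never repeat under the same key, so a design along these lines needs a per-file nonce and a separate tamper check.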

AES-NI Support. EaseFilter File Encryption Engine uses the US FIPS 140-2 compliant Microsoft CNG libraries and can support AES-NI (Intel Advanced Encryption Standard New Instructions). At the algorithm level, AES-NI provides a significant speedup of AES. For non-parallel modes of AES operation (CBC encrypt), AES-NI can provide a 2-3 fold gain in performance over a completely software encryption. For parallel modes of AES operation (CBC decrypt, CTR), AES-NI can provide a 10x improvement over a completely software encryption.

Process Based File Encryption

Create a unique view for every process or user. Per-process decryption is the most complicated part of on-the-fly encryption development. In the Windows file system, when a file is opened, a cache view is created in memory and shared by all processes or users that subsequently open the file. So when an authorized process opens an encrypted file, the clear data is kept in the system memory cache; if an unauthorized process then opens the same file, it sees the clear data from the cache instead of the raw encrypted data. How can the clear data be kept from unauthorized processes that go through the shared cache view in memory? EaseFilter File Encryption engine uses isolation filter driver technology to bypass the system cache manager and create a unique cache view for every process or user, so the clear data is not shared between different processes or users.

The Isolation Mini Filter Driver

EaseFilter File Encryption SDK is implemented with an Isolation Mini Filter Driver. An Isolation Mini Filter Driver is a Windows file system minifilter driver that separates the view(s) of a file's data from the actual underlying data of that same file. A typical isolation filter driver can create two views of the data: one is the encrypted data from local storage, so your data is always encrypted on the local disk; the other is decrypted for the authorized user. For every file open, the filter driver creates a unique memory cache, so different users or processes do not see the same view of the data if they have different permissions for the same file. When the process or user is authorized to access the encrypted file, the filter driver decrypts the data in memory during the read request, so the authorized process gets the clear data back; otherwise it gets the raw encrypted data. When the encryption filter driver is turned off, applications always get the raw encrypted data.

The well-designed EaseFilter Isolation Minifilter can present both views, the decrypted view of the file's contents and the encrypted view, to different applications reading the file simultaneously. It can automatically decrypt data from an encrypted document when it is accessed by an authorized application such as Microsoft Word. However, when the same encrypted document is accessed by an unauthorized application, for example a backup application, the Isolation Minifilter can provide the raw, encrypted contents of the file.

A C# File Encryption Example

Using EaseFilter File Encryption SDK through its APIs is simple. Below is a simple C# automatic file encryption example built with EaseFilter File Encryption SDK. You can set up an encryption folder on computer A and configure the authorized processes and users that can read the encrypted files, and set up a decryption folder on computer B. You can then copy an encrypted file from computer A to the decryption folder on computer B and authorize the processes that can read the encrypted files in the decryption folder.

Auto file encryption

The following example creates one filter rule to encrypt the files in an encryption folder and another filter rule to decrypt the encrypted files. Only the authorized processes and users can read the encrypted files; other processes or users get the raw encrypted data. You can implement the following features:

  1. Set up an auto-encryption folder: all newly created files in this folder are encrypted automatically. An encrypted file is decrypted automatically when users on the whitelist access it; users on the blacklist get the raw encrypted data.
  2. Set up an auto-encryption folder in which all newly created files are encrypted automatically and all processes get the raw encrypted data when they read the encrypted files, so you can securely upload or share these files to the cloud.
  3. Set up an encryption-on-the-go folder: files are not encrypted in this folder, but a file is encrypted automatically in memory when a user on the blacklist accesses it. So you can add processes to the blacklist if you want to share the files securely with those processes.
  
using System;
using EaseFilter.FilterControl;

namespace AutoFileEncryption
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "Email us to request a trial key: info@easefilter.com";

            FilterAPI.FilterType filterType = FilterAPI.FilterType.CONTROL_FILTER
                | FilterAPI.FilterType.ENCRYPTION_FILTER | FilterAPI.FilterType.PROCESS_FILTER;
            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            try
            {
                //copy the right Dlls to the current folder.
                Utils.CopyOSPlatformDependentFiles(ref lastError);

                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return;
                }
                        
                //setup a file filter rule for folder encryptFolder
                string encryptFolder = "c:\\encryptFolder\\*";
                FileFilter fileFilter = new FileFilter(encryptFolder);

                //enable the encryption for the filter rule.
                fileFilter.EnableEncryption = true;

                //get the 256-bit encryption key from the passphrase.
                //the literal below is a sample value; do not hard-code a real passphrase in source.
                string passPhrase = "mypassword";
                fileFilter.EncryptionKey = Utils.GetKeyByPassPhrase(passPhrase, 32);

                //disable the decryption right: everyone except the authorized processes or users reads the raw encrypted data.
                fileFilter.EnableReadEncryptedData = false;

                //setup the authorized processes to decrypt the encrypted files.
                string authorizedProcessesForEncryptFolder = "notepad.exe;wordpad.exe";

                string[] processNames = authorizedProcessesForEncryptFolder.Split(new char[] { ';' });
                if (processNames.Length > 0)
                {
                    foreach (string processName in processNames)
                    {
                        if (processName.Trim().Length > 0)
                        {
                            //authorize the process with the right to read (decrypt) the encrypted data.
                            fileFilter.ProcessNameAccessRightList.Add(processName, FilterAPI.ALLOW_MAX_RIGHT_ACCESS);
                        }
                    }
                }

                //setup the authorized users to decrypt the encrypted files.
                string authorizedUsersForEncryptFolder = "domainName\\user1";

                if (!string.IsNullOrEmpty(authorizedUsersForEncryptFolder) && !authorizedUsersForEncryptFolder.Equals("*"))
                {
                    string[] userNames = authorizedUsersForEncryptFolder.Split(new char[] { ';' });
                    if (userNames.Length > 0)
                    {
                        foreach (string userName in userNames)
                        {
                            if (userName.Trim().Length > 0)
                            {
                                //authorize the user with the right to read (decrypt) the encrypted data.
                                fileFilter.userAccessRightList.Add(userName, FilterAPI.ALLOW_MAX_RIGHT_ACCESS);
                            }
                        }
                    }

                    if (fileFilter.userAccessRightList.Count > 0)
                    {
                        //set black list for all other users except the white list users.
                        uint accessFlag = FilterAPI.ALLOW_MAX_RIGHT_ACCESS & ~(uint)FilterAPI.AccessFlag.ALLOW_READ_ENCRYPTED_FILES;
                        //disable the decryption right, read the raw encrypted data for all except the authorized users.
                        fileFilter.userAccessRightList.Add("*", accessFlag);
                    }
                }

                //add the encryption file filter rule to the filter control
                filterControl.AddFilter(fileFilter);

                //setup a file filter rule for folder decryptFolder
                string decryptFolder = "c:\\decryptFolder\\*";                
                FileFilter decryptFileFilter = new FileFilter(decryptFolder);

                //enable the encryption for the filter rule.
                decryptFileFilter.EnableEncryption = true;

                //get the same 256-bit encryption key from the passphrase
                decryptFileFilter.EncryptionKey = Utils.GetKeyByPassPhrase(passPhrase, 32);

                //don't encrypt the new created file in the folder.
                decryptFileFilter.EnableEncryptNewFile = false;

                //disable the decryption right: everyone except the authorized processes or users reads the raw encrypted data.
                decryptFileFilter.EnableReadEncryptedData = false;

                //setup authorized processes to decrypt the encrypted files.
                string authorizedProcessesForDecryptFolder = "notepad.exe;wordpad.exe";

                processNames = authorizedProcessesForDecryptFolder.Split(new char[] { ';' });
                if (processNames.Length > 0)
                {
                    foreach (string processName in processNames)
                    {
                        if (processName.Trim().Length > 0)
                        {
                            //authorize the process with the right to read (decrypt) the encrypted data.
                            decryptFileFilter.ProcessNameAccessRightList.Add(processName, FilterAPI.ALLOW_MAX_RIGHT_ACCESS);
                        }
                    }
                }

                filterControl.AddFilter(decryptFileFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                filterControl.StopFilter();

            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }

        }

    }
}