On-the-fly disk encryption: how to protect confidential information. Transparent encryption of network folders in the corporate space

  • CyberSoft company blog
    The widespread use of network technologies (LAN, CAN, VPN) allows companies to organize fast and convenient exchange of information over various distances. However, protecting information in a corporate environment is a task that remains relevant to this day and worries the minds of managers of small, medium and large enterprises in a wide variety of fields of activity. In addition, no matter the size of the company, management almost always needs to differentiate employee access rights to confidential information based on the degree of its importance.

    In this article we will talk about transparent encryption as one of the most common methods of protecting information in a corporate environment, look at the general principles of encryption for multiple users (multiple public key cryptography), and also talk about how to set up transparent encryption of network folders using the CyberSafe Files Encryption program.

    What is the advantage of transparent encryption?

    The use of virtual cryptodisks or the full-disk encryption function is quite justified on the user's local computer, but in the corporate space a more appropriate approach is to use transparent encryption, since this feature provides fast and convenient work with classified files for several users simultaneously. When creating and editing files, the processes of encryption and decryption occur automatically, on the fly. To work with protected documents, company employees do not need to have any skills in the field of cryptography; they do not have to perform any additional actions in order to decrypt or encrypt secret files.

    Working with classified documents occurs as usual using standard system applications. All functions for setting up encryption and delineating access rights can be assigned to one person, for example a system administrator.

    Multiple Public Key Cryptography and Digital Envelopes

    Transparent encryption works as follows. A randomly generated symmetric session key is used to encrypt the file, and this key is in turn protected using the user's public asymmetric key. If a user accesses a file to make some changes to it, the transparent encryption driver decrypts the symmetric key using the user's private key and then decrypts the file itself using the symmetric key. We described in detail how transparent encryption works in the previous topic.

    But what if there are several users and classified files are stored not on the local PC, but in a folder on a remote server? After all, the encrypted file is the same, but each user has their own unique key pair.

    In this case, so-called digital envelopes are used.

    As you can see from the figure, the digital envelope contains a file encrypted using a randomly generated symmetric key, as well as several copies of this symmetric key, each protected using one user's public asymmetric key. There will be as many copies as there are users allowed to access the protected folder.

    The transparent encryption driver works according to the following scheme: when a user accesses a file, the driver checks whether the user's certificate (public key) is in the allowed list. If it is, the copy of the symmetric key that was encrypted using this user's public key is decrypted using the user's private key. If the user's certificate is not in the list, access will be denied.

    Encrypting network folders using CyberSafe

    Using CyberSafe, the system administrator will be able to configure transparent encryption of a network folder without using additional data protection protocols, such as IPSec or WebDAV, and subsequently control user access to a particular encrypted folder.

    To set up transparent encryption, each user who is going to be allowed access to confidential information must have CyberSafe installed on their computer, a personal certificate must be created, and the public key must be published on the CyberSafe public key server.

    Next, the system administrator on the remote server creates a new folder, adds it to CyberSafe and assigns keys to those users who will be able to work with files in this folder in the future. Of course, you can create as many folders as required and store confidential information of varying degrees of importance in them, and the system administrator can at any time remove a user from those who have access to the folder, or add a new one.

    Let's look at a simple example:

    The file server of the ABC enterprise stores 3 databases with confidential information of varying degrees of importance - DSP, Secret and Top Secret. It is required to provide access to: DB1 for users Ivanov, Petrov, Nikiforov, DB2 for Petrov and Smirnov, DB3 for Smirnov and Ivanov.

    To do this, on the file server, which can be any network resource, you will need to create three separate folders, one for each database, and assign certificates (keys) of the corresponding users to these folders:
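
    The digital envelope and the driver's allowed-list check described above, applied to the three folders of the ABC example; this is an added Go illustration, not CyberSafe's code or file format. AES-256-GCM, RSA-OAEP, the Envelope layout and all function names are assumptions, and the key pairs and file contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AccessMatrix is the article's ABC enterprise example: folder -> allowed users.
var AccessMatrix = map[string][]string{
	"DB1": {"Ivanov", "Petrov", "Nikiforov"},
	"DB2": {"Petrov", "Smirnov"},
	"DB3": {"Smirnov", "Ivanov"},
}

var ErrDenied = errors.New("access denied: no wrapped key for this user")

// Envelope (assumed layout): one ciphertext plus one wrapped file key per user.
type Envelope struct {
	Nonce, Ciphertext []byte
	Wrapped           map[string][]byte // user -> RSA-OAEP(file key)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts data once with a fresh AES-256 key and wraps it per recipient.
func Seal(data []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // file key, then a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Wrapped: map[string][]byte{}}
	env.Ciphertext = gcm.Seal(nil, nonce, data, nil)
	for name, pub := range recipients {
		env.Wrapped[name], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
	}
	return env, nil
}

// Open mirrors the driver's check; the private key, not the name, grants access.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.Wrapped[name]
	if !ok {
		return nil, ErrDenied
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Setup makes a throwaway key pair per user and seals one sample file per folder.
func Setup() (keys map[string]*rsa.PrivateKey, folders map[string]*Envelope, err error) {
	keys, folders = map[string]*rsa.PrivateKey{}, map[string]*Envelope{}
	for folder, users := range AccessMatrix {
		pubs := map[string]*rsa.PublicKey{}
		for _, u := range users {
			if keys[u] == nil {
				if keys[u], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
					return nil, nil, err
				}
			}
			pubs[u] = &keys[u].PublicKey
		}
		sample := []byte(folder + " records (constructed sample)")
		if folders[folder], err = Seal(sample, pubs); err != nil {
			return nil, nil, err
		}
	}
	return keys, folders, nil
}

func main() {
	keys, folders, err := Setup()
	if err == nil {
		_, err = Open(folders["DB2"], "Ivanov", keys["Ivanov"]) // Ivanov is not on DB2
	}
	fmt.Println("Ivanov opening DB2:", err)
}
```

    A listed name presented with someone else's private key fails at the unwrap step, so the list only selects which wrapped copy to try while the key pair is what actually gates access.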

    Of course, this or another similar problem of differentiating access rights can be solved using Windows ACLs. But this method is effective only for delineating access rights on employee computers within the company. By itself, it does not protect confidential information if a third party connects to the file server, so the use of cryptography to protect data is simply necessary.

    In addition, all file system security settings can be reset using the command line. In Windows, there is a special tool for this - "cacls", which can be used to view permissions on files and folders, as well as to reset them. In Windows 7, this command is called "icacls" and is executed as follows:

    1. In the command line with administrator rights, enter: cmd
    2. Go to the disk or partition, for example: CD /D D:
    3. To reset all permissions, enter: icacls * /T /Q /C /RESET

    It is possible that icacls will not work the first time. Then before step 2 you need to run the following command:

    After this, previously set permissions on files and folders will be reset.

    You can create a system based on a virtual cryptodisk and ACL (more details about such a system when using crypto disks in organizations are written.). However, such a system is also vulnerable: to ensure constant employee access to the data on the cryptodisk, the administrator will need to keep it connected (mounted) throughout the entire working day, which jeopardizes confidential information on the cryptodisk even without knowing the password to it, if an attacker is able to connect to the server while the disk is mounted.

    Network drives with built-in encryption also do not solve the problem, since they only protect data when no one is working with it. That is, the built-in encryption function can protect confidential data from compromise only if the disk itself is stolen.

    In CyberSafe, file encryption/decryption is carried out not on the file server, but on the user side. Therefore, confidential files are stored on the server only in encrypted form, which eliminates the possibility of them being compromised when an attacker connects directly to the file server. All files on the server, stored in a folder protected with transparent encryption, are encrypted and securely protected. At the same time, users and applications see them as regular files: Notepad, Word, Excel, HTML, etc. Applications can read and write these files directly; the fact that they are encrypted is transparent to them.

    Users without access can also see these files, but they cannot read or modify them. This means that if the system administrator does not have access to documents in any of the folders, he can still back them up. Of course, all file backups are also encrypted.

    However, when the user opens any of the files for work on his computer, there is a possibility that unwanted applications will gain access to it (if, of course, the computer is infected). To prevent this, CyberSafe has an additional security measure, thanks to which the system administrator can define a list of programs that can access files from a protected folder. All other applications that are not included in the trusted list will not have access. This way we will limit access to confidential information for spyware, rootkits and other malware.

    Since all work with encrypted files is carried out on the user's side, CyberSafe is not installed on the file server, and when working in a corporate space the program can be used to protect information on network storage devices with the NTFS file system, such as Windows Storage Server. All confidential information is encrypted in such a storage, and CyberSafe is installed only on user computers from which they access encrypted files.

    This is the advantage of CyberSafe over TrueCrypt and other encryption programs that require installation in the place where files are physically stored, which means that only a personal computer, but not a network drive, can be used as a server. Of course, the use of network storage in companies and organizations is much more convenient and justified than using a regular computer.

    Thus, with the help of CyberSafe, without any additional tools, you can organize effective protection of valuable files, ensure convenient work with encrypted network folders, and also differentiate user access rights to confidential information.

    02/04/2016, Thu, 11:49, Moscow time, Text: Pavel Pritula

    Transparent disk encryption systems are a high-tech, knowledge-intensive product, the development and support of which is within the capabilities of a very limited number of companies. But they perform their main function – reducing the risk of leakage of confidential information – well.

    As noted in “How to Manage the Risk of Leakage of Critical Data,” businesses are forced to constantly reduce the risk of leakage of confidential information. The simplest and relatively inexpensive way is to use transparent encryption systems. The main advantage of transparent encryption is that the user is not required to participate in any processes; they all take place in the background, "on the fly".

    A lot depends on setting the requirements for the system

    At first glance, transparent encryption systems on the market have a lot in common: after all, they all solve the same problem. But business always has its own specific requirements. Below is a list of the most relevant ones.

    Requirements for transparent encryption systems

    No. | Requirement | Description
    1 | Encryption strength | The strength of the protection must be such that secrecy is not violated even if the attacker becomes aware of the encryption method
    2 | Reliability of encryption algorithms | The encryption algorithm used must not have weak points that cryptanalysts could use
    3 | Secure use of keys | The encryption key must be inaccessible to an attacker. Failure to comply with the principles of safe use of encryption keys may jeopardize the security of information, even if the system implements the strongest cryptographic algorithms
    4 | "Transparency" of encryption | Encryption should occur as transparently as possible for the user - he does not notice the process of encrypting and decrypting data during operation
    5 | Error tolerance | The system must be as resistant as possible to random errors and incorrect user actions
    6 | Multi-factor authentication | Verification of user rights to access protected data should be implemented using multi-factor authentication tools
    7 | Additional functionality for working in emergency situations | In emergency situations, when an attempt at physical access or an attempt to seize server equipment becomes known, the ability to urgently terminate access to data becomes an extremely useful protection tool
    8 | Protection from insiders | All system users, including system administrators and technical staff, must have access to the physical file system solely within the scope of their authority as specified in the company’s information security policies

    The first two points, regarding the reliability and strength of encryption algorithms, require cryptography service providers to meet regulatory requirements for their products. In the Russian Federation, this is the use of GOST 28147-89 with a key length of 256 bits in solutions from crypto providers licensed by the FSB of Russia.

    How to protect yourself from the system administrator?

    Attackers interested in private data may also be inside the company. A serious threat from which cryptography cannot save is posed by technical specialists and system administrators of the company. But at the same time, due to their duties, they are obliged to monitor the performance of systems that ensure security on each computer.

    In the current difficult economic situation, a number of employees, including system administrators, have a desire to copy corporate information for sale on the black market or as an additional advantage over competing applicants when applying for a new job. This strains the relationship between management and company staff.

    This means that the selected transparent encryption system must simply have mechanisms that implement a set of requirements for protection from the system administrator, which has found its place in the list of requirements for the solution.

    Virtual file system is an important security component

    So what is the underlying mechanism behind best-in-class transparent encryption systems that can achieve many of the requirements presented above? In practice, it is expressed by a simple formula: the file is available to the owner of the information in decrypted form, and for everyone else - only in encrypted form without access to the keys. Experts call this functionality “access concurrency.”

    “But if the user’s computer has Windows installed, which has practically become a corporate standard in the Russian Federation, then achieving “simultaneous access” is not an easy task. This is due to the Windows coherence effect: a file in it can have its copies, in addition to the file system, in the memory manager or cache. Therefore, we have to solve the problem of “simultaneous existence” of files,” says Ilya Shchavinsky, business development manager at Aladdin R.D. And the problem is solved in an original way through the joint work of a “virtual file system” (VFS) and a file system filter driver, the operation diagram of which is given below.

    Virtual file system


    Source: “Aladdin R.D.”, 2016

    As can be seen from the diagram, the cache manager “believes” that it is working with two different files. For this purpose, VFS creates an additional pair of file descriptor structures. A special file system driver constantly updates the encrypted file on the real file system after its unencrypted copy in VFS is changed. Thus, the data on the disk is always encrypted.

    To limit access to files, the file system driver loads the encryption keys into RAM when protected resources are accessed. The key information itself is protected by the key pair of the user's certificate and stored in crypto storage.

    As a result, the authorized user sees one file system, a virtual one with decrypted files, while unauthorized users will at the same time see the physical (real) file system, where the names and contents of the files are encrypted.

    System administrators and other technical specialists who do not have the ability to obtain decrypted encryption keys will work with a real, securely encrypted file system. At the same time, they retain the opportunity to correctly perform their official duties, for example, create backup copies of encrypted information without violating the confidentiality of the information itself. This fulfills the important requirement of protecting information from insiders.

    Without multi-factor authentication, risks cannot be reduced

    For multi-factor authentication of users to boot the operating system and to access encrypted data, a token or smart card is usually used - a device on which the user’s public key certificate and the corresponding private key are stored.

    A centralized system for managing and storing encryption keys protects against the loss of these keys - they are located on a secure server and are transferred to the user only as needed. The company also controls employee access to their data and can deny it at any time. In addition, it is possible to monitor access events to protected data, as well as enable encryption mode for all data sent to flash drives, etc.

    Composition of a typical transparent encryption system




    To encrypt physical disks and create virtual encrypted disks. However, such encryption is not always convenient.
    Firstly, it is not always possible to encrypt the entire physical disk. Secondly, if you use virtual disks, the container files typically take up hundreds of megabytes of disk space and are very easy for an attacker to detect. Yes, there is data, but human laziness wins. Thirdly, the encrypted folder can constantly grow, and the size of the crypto disk is limited by the size specified when it was created.
    Everyone wants to work with files conveniently while keeping them reliably protected. Such a compromise exists: transparent file encryption, in which files are encrypted and decrypted “on the fly” while you work with them. The files remain encrypted, and you work with them as if they were regular files. For example, if you encrypted the C:\Documents folder and placed your documents in it, then when you open a document from this folder, Word or Excel starts without even suspecting that the document is encrypted. You work with encrypted files as with ordinary ones, without thinking at all about encryption, mounting, virtual disks, etc.
    In addition to ease of use, transparent encryption has another significant advantage. As a rule, virtual encrypted disks store a large number of files. To work with even one of them, you need to connect the entire crypto disk. As a result, all other files become vulnerable. Of course, you can create many small crypto disks and assign each a separate password, but this is not very convenient.
    In the case of transparent encryption, you can create as many encrypted folders as you need and place different groups of files in each of them: documents, private photos, etc. In this case, only those files that are accessed are decrypted, and not all files on the crypto disk at once.

    Advantages and Disadvantages of EFS

    Windows (starting with Windows 2000, except for Home editions) includes an encrypted file system, EFS (Encrypting File System).
    EFS is designed to prevent one user from accessing another user's (encrypted) files. Why was it necessary to create EFS if NTFS supports access rights? Although NTFS is a fairly secure file system, over time various utilities appeared (one of the first was NTFSDOS, which allowed you to read files located on an NTFS partition from a DOS environment) that ignore NTFS access rights. Additional protection was needed, and EFS was supposed to be that protection.
    Essentially, EFS is an add-on to NTFS. EFS is convenient because it is included in Windows and you do not need any additional software to encrypt files: everything you need is already in Windows. To start encrypting files, you don’t need to take any preliminary steps, because the first time a file is encrypted, an encryption certificate and private key are automatically generated for the user.
    Another advantage of EFS is that when you move a file from an encrypted folder to any other, it remains encrypted, and when you copy a file to an encrypted folder, it is automatically encrypted. There is no need to perform any additional steps.
    This approach, of course, is very convenient, and the user seems to have only one benefit from EFS. But that's not true. On the one hand, under unfavorable circumstances, the user may lose access to encrypted files altogether. This may happen in the following cases:
    1. Hardware problems, for example, the motherboard has failed, the bootloader is corrupted, or system files are damaged due to a hard drive failure (bad sectors). In the end, you can connect the HDD to another computer to copy files from it, but if they are encrypted with EFS, you will not succeed.
    2. The system has been reinstalled. Windows can be reinstalled for a variety of reasons. In this case, access to the encrypted data will, of course, be lost.
    3. User profile deleted. Even if you create a user with the same name, he will be assigned a different ID, and the data will still not be decryptable.
    4. The system administrator or the user himself reset the password. After this, access to EFS data will also be lost.
    5. Incorrect user transfer to another domain. If a user's transfer is not done correctly, they will not be able to access their encrypted files.

    When users (especially beginners) start using EFS, few people think about it. But, on the other hand, there is special software (and it will be demonstrated later) that allows you to access the data even if the system has been reinstalled and some keys have been lost. And I don’t even know whether this fact can be considered an advantage or disadvantage - this software allows you to restore access to data, but at the same time it can be used by an attacker to gain unauthorized access to encrypted files.
    It would seem that data encrypted using EFS is very secure. After all, files on disk are encrypted using the FEK (File Encryption Key), which is stored in the file attributes. The FEK itself is encrypted with the master key, which, in turn, is encrypted with the keys of system users who have access to this file. User keys are encrypted with the password hashes of these users, and the password hashes are also encrypted with SYSKEY.
    It would seem that such an encryption chain should provide reliable data protection, but it all simply comes down to a login and password. Once the user resets the password or reinstalls the system, it will no longer be possible to gain access to the encrypted data.
    The EFS developers played it safe and implemented recovery agents (EFS Recovery Agent), that is, users who can decrypt data encrypted by other users. However, using the EFS RA concept is not very convenient and even difficult, especially for novice users. As a result, these very novice users know how to encrypt files using EFS, but do not know what to do in an emergency situation. It's good that there is special software that can help in this situation, but the same software can also be used for unauthorized access to data, as already noted.
    Disadvantages of EFS also include the inability to provide network encryption (if you need it, you must use other data encryption protocols, such as IPSec) and the lack of support for other file systems. If you copy an encrypted file to a file system that does not support encryption, such as FAT/FAT32, the file will be decrypted and can be viewed by anyone. There is nothing surprising in this: EFS is just an add-on over NTFS.
    It turns out that EFS does more harm than good. But, in order not to be unfounded, I will give an example of using the Advanced EFS Data Recovery program to gain access to encrypted data. The scenario will be very simple: first I will log in as a different user and try to access an encrypted file that another user has encrypted. Then I will simulate a real situation where the certificate of the user who encrypted the file was deleted (this could happen, for example, when Windows is reinstalled). As you will see, the program will cope with this situation without any particular problems.

    Using Advanced EFS Data Recovery to Decrypt EFS Encrypted Files

    Let's see how you can decrypt files encrypted with EFS. The first step is to enable encryption for one of the folders. For the demonstration, I specifically created an EFS-Crypted folder. To enable EFS encryption for a folder, you simply need to enable the corresponding attribute in its properties (Fig. 1).

    Fig. 1. Enable encryption for a folder

    The names of the encrypted folder and of all files placed in it (which are encrypted automatically) are displayed in green in Explorer. As shown in Fig. 2, I added the text file config.txt to the encrypted folder; we will try to view its contents by logging in as a different user. For the test, another user with administrator rights was created (the Advanced EFS Data Recovery (AEFSDR) program from ElcomSoft needs such rights), see Fig. 3.


    Fig. 2. Contents of the encrypted folder


    Fig. 3. New user created

    Naturally, if you log in as a different user and try to read the config.txt file, nothing will work (Fig. 4).


    Fig. 4. Access denied

    But it doesn’t matter: let’s launch the Advanced EFS Data Recovery program and go straight to Expert mode (you can, of course, use the wizard that opens upon first launch (Fig. 5), but I like the expert mode better).


    Fig. 5. Wizard when launching Advanced EFS Data Recovery


    Fig. 6. Advanced EFS Data Recovery expert mode

    So, go to the Encrypted files tab and press the Scan for encrypted files button. Fig. 6 already shows the scan result: our only encrypted file, C:\EFS-Crypted\config.txt, was found. Select it and click the Decrypt button. The program will prompt you to select the directory in which you want to decrypt the files (Fig. 7).


    Fig. 7. Select the directory where the files will be decrypted

    Since I have a trial version of the program, you need to press Continue to proceed (Fig. 8). Decrypted files are placed in the AEFS_<drive_name>_DECRYPTED subfolder (Fig. 9). Please note that our config.txt file is no longer highlighted in green and we can view its contents (Fig. 10).


    Fig. 8. Click the Continue button


    Fig. 9. Decrypted files


    Fig. 10. Contents of the config.txt file

    Now let’s complicate the task for Advanced EFS Data Recovery: we will delete the personal certificate. Log in as the user who created the encrypted folder, launch the mmc console, and select the menu command File, Add or Remove Snap-in. Next, select the Certificates snap-in and press the Add button (Fig. 11). In the window that appears, select My user account (Fig. 12).


    Fig. 11. Adding a snap-in


    Fig. 12. Certificate Manager snap-in

    Next, click the OK button and in the window that appears, go to Certificates, Personal, Certificates. You will see the certificates created for the current user (Fig. 13). In my case the user is called test. Right-click his certificate and select the Delete command to remove the certificate. You will see a warning that it will no longer be possible to decrypt data encrypted using this certificate. Well, we'll check that out soon.


    Fig. 13. Personal certificates


    Fig. 14. Warning when deleting a certificate

    1. Close the snap-in and try accessing the encrypted file. You will not succeed, even though you encrypted this file yourself. After all, the certificate has been deleted.
    2. Change the user and run the Advanced EFS Data Recovery program. Try decrypting the file as shown earlier. First, the program will report that the certificate was not found. Therefore, you need to go to the EFS related files tab and press the Scan for keys button. After some time, the program will tell you that it has found the keys, but probably not all of them (Fig. 15). The program recommends that you scan for keys again, this time with the Scan by sectors option enabled (Fig. 16), but I did not do this and immediately went to the Encrypted files tab. The program successfully found and decrypted the file. Fig. 17 shows that I have already saved the decrypted file to my desktop.


    Fig. 15. Search for keys


    Fig. 16. Scan window


    Fig. 17. The file is decrypted again

    To the shame of EFS or to the credit of Advanced EFS Data Recovery, in both cases the file was decrypted. At the same time, as you can see, I did not need any special knowledge or skills. All you need to do is launch a program that will do all the work for you. You can read about how the program works on the developers’ website (http://www.elcomsoft.ru/); we will not discuss in detail the principle of its operation in this article, since AEFSDR is not the subject of the article.
    To be fair, it must be said that specialists can configure the system so that Advanced EFS Data Recovery will be powerless. However, we have considered the most typical use of EFS for the vast majority of users.

    Transparent encryption system implemented in CyberSafe Top Secret

    Let's look at how transparent encryption is implemented in CyberSafe. For transparent encryption, the Alfa Transparent File Encryptor driver (http://www.alfasp.com/products.html) is used, which encrypts files using the AES-256 algorithm or the GOST 28147-89 algorithm (when using Crypto-Pro).
    The encryption rule (file mask, allowed/prohibited processes, etc.), as well as the encryption key, is sent to the driver. The encryption key itself is stored in the folder's ADS (Alternate Data Streams, eb.by/Z598) and is encrypted using OpenSSL (RSA algorithm) or GOST R 34.10-2001; certificates are used for this.
    The logic is as follows: when you add a folder, CyberSafe creates a key for the driver and encrypts it with the selected public certificates (they must be previously created or imported into CyberSafe). When any user tries to access the folder, CyberSafe opens the folder's ADS and reads the encrypted key. If this user has the private key of a certificate (he may have one or more of his own certificates) that was used to encrypt the key, he can open this folder and read the files. It should be noted that the driver decrypts only what is needed, and not all files, when access to a file is granted. For example, if the user opens a large Word document, then only the part that is currently loaded into the editor is decrypted, and the rest is loaded as necessary. If the file is small, then it is completely decrypted, but the remaining files remain encrypted.
    If the folder is a shared network folder, then the files in it remain encrypted; the client driver decrypts only the file or part of the file in memory, although this is also true for a local folder. When editing a file, the driver encrypts changes in memory and writes them to the file. In other words, even when a folder is enabled (we'll show you what that is later), the data on the disk always remains encrypted.
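
    The key-wrapping logic described above, as an added Node.js example that is not CyberSafe's or the driver's own code: one AES-256 folder key is wrapped once per authorized public key, and only the holder of a matching private key can recover it and read the files. RSA-OAEP, AES-256-GCM, the in-memory `header` standing in for the contents of the folder's ADS, and all function and user names are assumptions.

```javascript
// Added illustration, not CyberSafe code: one folder key, wrapped once per
// authorized certificate, with file data encrypted on the client.
const crypto = require('node:crypto');

// Assumed wrapping parameters (the article only says "RSA").
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Constructed stand-in for a user certificate and its private key.
function makeUser(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Create the AES-256 folder key and wrap it for every selected recipient.
// `header` models the encrypted key material kept in the folder's ADS.
function protectFolder(recipients) {
  const folderKey = crypto.randomBytes(32);
  const header = recipients.map((u) =>
    crypto.publicEncrypt({ key: u.publicKey, ...OAEP }, folderKey));
  return { folderKey, header };
}

// Try each wrapped copy with the caller's private key; null means no access.
function openFolder(header, user) {
  for (const blob of header) {
    try {
      const key = crypto.privateDecrypt({ key: user.privateKey, ...OAEP }, blob);
      if (key.length === 32) return key;
    } catch (err) {
      // OAEP unwrapping fails for a key pair that was not a recipient.
    }
  }
  return null;
}

// Client-side file encryption. AES-256-GCM is an assumed mode.
function encryptFile(folderKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', folderKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decryptFile(folderKey, file) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', folderKey, file.iv);
  decipher.setAuthTag(file.tag);
  return Buffer.concat([decipher.update(file.ct), decipher.final()]);
}

// Constructed scenario: two authorized users and a server administrator
// who can copy the stored objects but holds no recipient key.
function demo() {
  const [alice, bob, admin] = ['alice', 'bob', 'admin'].map(makeUser);
  const { folderKey, header } = protectFolder([alice, bob]);
  const stored = encryptFile(folderKey, Buffer.from('report.txt: constructed sample'));
  // The administrator's backup is a plain copy of what the server holds.
  const backup = { header: header.map((b) => Buffer.from(b)), file: { ...stored } };
  const read = (user, hdr, file) => {
    const key = openFolder(hdr, user);
    return key ? decryptFile(key, file).toString() : null;
  };
  return {
    alice: read(alice, header, stored),
    bobFromBackup: read(bob, backup.header, backup.file),
    admin: read(admin, header, stored),
    plaintextOnServer: stored.ct.includes('constructed'),
  };
}

console.log(demo());
```

    The administrator's copy restores cleanly for an authorized user but is unreadable to the administrator, which is the backup property the article describes.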

    Using CyberSafe Top Secret to Transparently Encrypt Files and Folders

    It's time to consider the practical use of the CyberSafe Top Secret program. To encrypt a folder, go to the Transparent encryption section of the program (File encryption tab), see Fig. 18. Then drag the folders you want to encrypt from Explorer to the program's work area. You can also use the Ext. folder button. I added one folder, C:\CS-Crypted.


    Fig. 18. CyberSafe Top Secret program

    Click the Apply button. In the window that appears (Fig. 19), click the Yes button or Yes to all (if you are trying to encrypt several folders at a time). Next, you will see a window for selecting certificates, the keys of which will be used for transparent encryption of the folder (Fig. 20). As a rule, certificates are created immediately after installing the program. If you haven't done this yet, you'll have to return to the Private keys section and press the Create button.


    Fig. 19. Click Yes


    Fig. 20. Selecting certificates for transparent encryption

    The next question from the program is whether you need to set an administrator key for this folder (Fig. 21). Without an administrator key, you will not be able to make changes to the folder, so click the button Yes.


    Fig. 21. Click Yes again

    After this, you will return to the main program window. Before you start working with an encrypted folder, you need to select it and click the Turn on button. The program will ask for the password of the certificate (Fig. 22) specified to encrypt this folder. After this, working with an encrypted folder will not differ from working with a regular folder. In the CyberSafe window, the folder will be marked as open, and a lock icon will appear to the left of the folder icon (Fig. 23).


    Fig. 22. Enter the certificate password


    Fig. 23. Encrypted folder connected

    In Explorer, neither the encrypted folder nor the encrypted files are marked in any way. Outwardly, they look the same as other folders and files (unlike EFS, where the names of encrypted files/folders are highlighted in green), see Fig. 24.


    Fig. 24. CS-Crypted encrypted folder in Explorer

    It should be noted that you can encrypt a network folder in the same way. In this case, the CyberSafe program needs to be installed only on the users’ computers, and not on the file server. All encryption is carried out on the client, and already encrypted files are transferred to the server. This decision is more than justified. Firstly, already encrypted data is transmitted over the network. Secondly, even if the server administrator wants to access the files, he will not be able to do anything, since only users whose certificates were specified during encryption can decrypt the files. But the administrator, if necessary, can back up encrypted files.
    When the encrypted folder is no longer needed, you need to go to the CyberSafe program, select the folder and click the Switch off button. This solution may not seem as convenient to you as EFS, since you need to press the on/off buttons. But this is only at first glance. Firstly, the user has a clear understanding that the folder is encrypted and he will not forget about this fact when he reinstalls Windows. Secondly, with EFS, if you need to be away from your computer, you need to log out, because while you're away, anyone can walk up to your computer and access your files. All he will have to do is copy your files to a device that does not support encryption, such as a FAT32 flash drive. Then he will be able to view the files outside of your computer. With CyberSafe, everything is a little more convenient. Yes, you need to perform an additional action (“turn off” the folder), after which all encrypted files become inaccessible. But on the other hand, you will not need to re-launch all programs and open all documents (including unencrypted ones), as you would after logging in again.
    However, each product has its own characteristics. CyberSafe is no exception. Let's imagine that you encrypted the C:\CS-Crypted folder and placed the report.txt file there. When the folder is disabled, of course, you will not be able to read the file. When the folder is enabled, you can access the file and, accordingly, copy it to any other, unencrypted folder. But after copying the file to an unencrypted folder, it continues to live its own life. On the one hand, it is not as convenient as in the case of EFS; on the other hand, knowing this feature of the program, the user will be more disciplined and will store his secret files only in encrypted folders.

    Performance

    Now let's try to find out which is faster: EFS or CyberSafe Top Secret. All tests are carried out on a real machine, with no virtual machines. The laptop configuration is as follows - Intel 1000M (1.8 GHz)/4 GB RAM/WD WD5000LPVT (500 GB, SATA-300, 5400 RPM, 8 MB buffer/Windows 7 64-bit). The machine is not very powerful, but it is what it is.
    The test will be extremely simple. We will copy files into each folder and see how long the copying takes. The following simple scenario will help us figure out which transparent encryption tool is faster:

    @echo off
    echo "Copying 5580 files to EFS-Crypted"
    echo %time%
    robocopy c:\Joomla c:\EFS-Crypted /E > log1
    echo %time%
    echo "Copying 5580 files to CS-Crypted"
    echo %time%
    robocopy c:\Joomla c:\CS-Crypted /E > log2
    echo %time%

    It doesn't take a programming guru to figure out what this script does. It's no secret that we often work with relatively small files ranging in size from several tens to several hundred kilobytes. This script copies Joomla! 3.3.6, which contains 5580 of these small files, first to an EFS-encrypted folder and then to a CyberSoft-encrypted folder. Let's see who will be the winner.
    The robocopy command is used to copy files recursively, including empty directories (the /E option), and its output is deliberately redirected to a text file (if desired, you can view what was copied and what was not) so as not to clutter the script output.
    The results of the second test are shown in Fig. 25. As you can see, EFS completed this task in 74 seconds, and CyberSoft in just 32 seconds. Considering that in most cases users work with many small files, CyberSafe will be more than twice as fast as EFS.


    Fig. 25. Test results

    Benefits of CyberSafe Transparent Encryption

    Now let's summarize a little. The advantages of CyberSafe transparent encryption include the following facts:
    1. When you turn off a folder, files can be copied encrypted anywhere, which allows you to organize cloud encryption.
    2. The CyberSafe program driver allows you to work over a network, which makes it possible to organize.
    3. To decrypt a folder, you not only need to know the password, you must have the appropriate certificates. When using Crypto-Pro, the key can be transferred to the token.
    4. The CyberSafe application supports the AES-NI instruction set, which has a positive effect on program performance (as proven by the tests above).
    5. You can protect yourself from unauthorized access to your private keys using two-factor authentication.
    6. Support for trusted applications
    The last two advantages deserve special attention. To protect yourself from access to the user's private keys, you can protect the CyberSafe program itself. To do this, run the Tools, Settings command (Fig. 26). In the Settings window, on the Authentication tab, you can enable either password authentication or two-factor authentication. For details on how to do this, see the CyberSafe manual on page 119.


    Fig. 26. Protecting the CyberSafe program itself

    On the Allowed. applications tab, you can define trusted applications that are allowed to work with encrypted files. By default, all applications are trusted. But for greater security, you can specify the applications that are allowed to work with encrypted files. In Fig. 27, I specified MS Word and MS Excel as trusted applications. If any other program tries to access the encrypted folder, it will be denied access. You can find additional information in the article “Transparently encrypt files on your local computer using CyberSafe Files Encryption” (http://site/company/cybersafe/blog/210458/).