On-the-fly encryption. On-the-fly encryption without administrative rights. Composition of a typical transparent encryption system

As you know, many disk encryption programs cannot be used on a public computer unless you have administrator rights: to work at all, they must first install a virtual disk driver, and installing a driver requires administrator rights (so in practice it is only possible on your own computer). This becomes a real problem when you need a portable encryption program.

View the contents of an encrypted disk.

Only some disk encryption programs have a portable utility for viewing disk contents, which lets you work with an encrypted disk offline (without assigning a virtual drive letter). But you cannot work with files in it as usual: you can only extract the desired file from the utility window and then open it, and if you change it you then have to import it back into the content viewer. The on-the-fly encryption principle does not apply here. This approach also carries a security risk: you may accidentally leave unencrypted copies of files somewhere, and you cannot work with large files at all.

Rohos has now improved its portable encryption and offers on-the-fly encryption even in “traveller” mode, through Rohos Disk Browser:

  • By double-clicking on a file, it immediately opens in the corresponding application. And you work with it in the usual way.
  • You can open large files (for example, view an encrypted AVI file, listen to music).
  • No “unencrypted” data is left on the guest PC or the unprotected part of the USB flash drive.
  • You can run Portable Applications!

Rohos Mini Drive creates an encrypted partition on any USB flash drive, and you can open it on any computer. You can also open a protected partition on a public PC without administrative rights using Rohos Disk Browser, which opens any Rohos-protected partition (FAT/FAT32/NTFS, read/write), lets you browse it and extract files, and now performs file virtualization for any application.

File virtualization.

The developers have introduced a File Virtualization function that lets you open files from Rohos Disk Browser in the corresponding application without first decrypting them into a temporary folder. Rohos virtualizes the file's availability for the application, so the application works with the encrypted file on the on-the-fly encryption principle. The function is similar to virtual disk technology, but it does not load a disk driver and works on a per-application basis.

How it works:

  1. When you double-click a document in Rohos Disk Browser, the utility looks up the application associated with it.
  2. Rohos then launches that application with its built-in File Virtualization module, passing the name of the virtual file on the command line.
  3. The application opens this file, but all of its read/write requests are routed to Rohos Disk Browser.
  4. Rohos Disk Browser encrypts or decrypts only the requested parts of the file “on the fly” and returns them.
  5. Note that a virtual file cannot be opened in any application other than the one launched by Rohos Disk Browser.

When you double click on the PortableApps\*\EXE file, Rohos virtualizes the entire folder and file structure, and launches the portable application.

But our virtualization technology needs testing and further improvements, so we encourage you to help us.

To test the new feature, update to the latest Rohos Disk Encryption v.1.7 or Rohos Mini Drive v.1.7:

  • Launch Rohos Disk Browser (RBrowser.exe) and open your encrypted disk (*.RDI file).
  • Double click on any file...
  • Or use the Folder Virtualization feature.

We have so far checked many file types: BMP, JPG, PNG, TXT, RTF, DOC, XLS, PPT, ZIP, RAR, MP3 and AVI.

You can also open any other file types and portable EXE files. If you have a file that Rohos Disk Browser was unable to open, please provide the file name, extension, and which application should open it.

Further developments:

  • Folder Virtualization feature for working with documents and portable applications directly from Windows Explorer!
  • Create encrypted partitions directly from the portable utility Rohos Disk Browser.
  • The functions “Change the password for the encrypted partition” and “Check the protected partition for errors.”

TrueCrypt is a software system for creating and using on-the-fly encrypted volumes (data storage devices). On-the-fly encryption means that data is automatically encrypted or decrypted as it is written or read, without any user intervention. Data stored on an encrypted volume cannot be read (decrypted) without the correct password/keyfile or the correct encryption keys. The entire file system is encrypted: folder and file names, file contents, free space, metadata, and so on.

Files can be copied to and from a mounted TrueCrypt volume just as they are copied to and from any normal drive (for example, by drag and drop). Files are automatically decrypted on the fly (in memory) when they are read or copied from an encrypted TrueCrypt volume; conversely, files written or copied to a TrueCrypt volume are encrypted on the fly in memory right before they are written to disk. This does not mean that a whole file has to be held in memory before it can be encrypted or decrypted; TrueCrypt needs no additional memory for this.

For example, suppose an .avi file is stored on a TrueCrypt volume and is therefore entirely encrypted. The user mounts (opens) the volume with the correct password (and/or keyfile). When the user double-clicks the video file's icon, the operating system launches the program associated with that file type, typically a media player. The media player starts loading a small initial part of the video file from the encrypted volume into memory in order to play it; as that part is loaded, TrueCrypt automatically decrypts it in memory. The decrypted part, now held in memory, is played. When it has been played, the media player loads the next small part of the file from the volume into memory and the process repeats. This is on-the-fly encryption/decryption, and it works for all file types, not just video.
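The following Go program is an added example, not TrueCrypt's or Rohos's code, that illustrates the mechanism described both in the Rohos “How it works” list and in the media player walkthrough above: the container is encrypted sector by sector, so a read of the byte range [off, off+n) decrypts only the sectors that range touches, and a write is a read-modify-write of the same few sectors. AES-CTR with a per-sector IV is used here because it is the simplest sector-addressable construction; the names (Volume, ReadAt, WriteAt, SectorSize), the 512-byte sector and the constant key are assumptions of the example, and TrueCrypt itself uses XTS mode for the reasons given in the comments.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// SectorSize is the unit of encryption. A read or write only ever touches
// the sectors that overlap the requested byte range, which is what lets a
// media player stream a multi-gigabyte file without the whole file being
// decrypted first.
const SectorSize = 512

// Volume is an in-memory encrypted container. Only ciphertext lives in
// data; plaintext exists transiently in the slices handed to callers.
type Volume struct {
	block          cipher.Block
	data           []byte // ciphertext, always a multiple of SectorSize
	SectorsTouched int    // sectors encrypted or decrypted so far (demo counter)
}

// NewVolume creates an all-zero volume of size bytes under a 16-, 24- or
// 32-byte AES key. A real product derives the key from the password with a
// slow KDF; this demo takes the key directly.
func NewVolume(key []byte, size int) (*Volume, error) {
	if size <= 0 || size%SectorSize != 0 {
		return nil, fmt.Errorf("size must be a positive multiple of %d", SectorSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	v := &Volume{block: block, data: make([]byte, size)}
	zero := make([]byte, SectorSize)
	for n := 0; n < size/SectorSize; n++ {
		v.encryptSector(n, zero)
	}
	v.SectorsTouched = 0
	return v, nil
}

// stream derives the keystream for one sector: sector number in the high
// 8 bytes of the CTR IV, block counter in the low 8 bytes, so no two
// sectors share keystream. CTR is used only because it is the simplest
// sector-addressable mode; real disk encryption (TrueCrypt, VeraCrypt,
// dm-crypt) uses XTS instead, because CTR reuses keystream when a sector is
// rewritten under the same key and lets an attacker flip plaintext bits
// without detection.
func (v *Volume) stream(sector int) cipher.Stream {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[:8], uint64(sector))
	return cipher.NewCTR(v.block, iv)
}

func (v *Volume) decryptSector(sector int) []byte {
	plain := make([]byte, SectorSize)
	v.stream(sector).XORKeyStream(plain, v.data[sector*SectorSize:(sector+1)*SectorSize])
	v.SectorsTouched++
	return plain
}

func (v *Volume) encryptSector(sector int, plain []byte) {
	v.stream(sector).XORKeyStream(v.data[sector*SectorSize:(sector+1)*SectorSize], plain)
	v.SectorsTouched++
}

// ReadAt returns the plaintext of [off, off+n), decrypting only the sectors
// that range overlaps.
func (v *Volume) ReadAt(off, n int) ([]byte, error) {
	if off < 0 || n < 0 || off+n > len(v.data) {
		return nil, fmt.Errorf("read [%d,%d) outside volume of %d bytes", off, off+n, len(v.data))
	}
	out := make([]byte, 0, n)
	for pos := off; pos < off+n; {
		sector := pos / SectorSize
		plain := v.decryptSector(sector)
		start := pos - sector*SectorSize
		end := SectorSize
		if sector*SectorSize+end > off+n {
			end = off + n - sector*SectorSize
		}
		out = append(out, plain[start:end]...)
		pos = sector*SectorSize + end
	}
	return out, nil
}

// WriteAt stores p at off as a read-modify-write of only the affected
// sectors; the rest of the container is never decrypted.
func (v *Volume) WriteAt(off int, p []byte) error {
	if off < 0 || off+len(p) > len(v.data) {
		return fmt.Errorf("write [%d,%d) outside volume of %d bytes", off, off+len(p), len(v.data))
	}
	for pos := off; pos < off+len(p); {
		sector := pos / SectorSize
		plain := v.decryptSector(sector)
		start := pos - sector*SectorSize
		k := copy(plain[start:], p[pos-off:])
		v.encryptSector(sector, plain)
		pos += k
	}
	return nil
}

// Ciphertext exposes the raw container, e.g. to check that no plaintext leaks.
func (v *Volume) Ciphertext() []byte { return v.data }

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, never hard-code a real one
	v, err := NewVolume(key, 8*SectorSize)
	if err != nil {
		panic(err)
	}
	if err := v.WriteAt(1000, []byte("hello, player")); err != nil {
		panic(err)
	}
	v.SectorsTouched = 0
	got, _ := v.ReadAt(1000, 13)
	fmt.Printf("read %q after decrypting %d of %d sectors\n", got, v.SectorsTouched, len(v.data)/SectorSize)
	fmt.Println("plaintext visible in container:", bytes.Contains(v.Ciphertext(), []byte("hello")))
}
```

The SectorsTouched counter is what makes the point: reading 13 bytes of a 4 KiB container decrypts one sector, a read across a sector boundary decrypts two, and the container itself never contains the plaintext. Replace the CTR stream with XTS (for instance golang.org/x/crypto/xts) before using such a layout for anything real.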



TrueCrypt never writes unencrypted data to disk; it holds it only temporarily in memory. Even while the volume is mounted, the data on it stays encrypted on disk. When you restart Windows or turn off the computer, the volume is dismounted and the files stored on it become inaccessible and remain encrypted. The same happens after an unexpected power outage (without a proper shutdown). To access them again, you must mount the volume with the correct password and/or keyfile. Note, however, that the operating system itself may page decrypted data out to the swap file or hibernation file; see the cautions further down.

Encryption and use of a non-system disk partition

Step 1

Launch TrueCrypt by double-clicking the TrueCrypt.exe file or by clicking the TrueCrypt shortcut from the Start menu.

Step 2:

The main TrueCrypt window should appear. Click Create Volume.

Step 3:

The TrueCrypt Volume Creation Wizard window should appear.

At this step you choose where to create the TrueCrypt volume. A TrueCrypt volume can reside in a file (also called a container), on a disk partition, or on a whole disk device. In this guide we choose the second option and encrypt a USB storage device.

Select the “Encrypt non-system partition/disk” option and click on the “Next” button.

Step 4:

At step 4 we have to choose what our volume type will be. In this case, there are 2 options:

Regular TrueCrypt volume;

TrueCrypt hidden volume;

At this stage, select the “Regular TrueCrypt volume” option. PS: we’ll deal with the “TrueCrypt Hidden Volume” option later (Step 12).

Step 5:

In step 5, we have to select the device that we will encrypt.

Select the desired device (in this case, drive F: is selected).

Now that you have selected the device to encrypt, you can proceed to the next step by clicking on the “Next” button.

Step 6:

At this stage you have to choose one of two options:

  • create an encrypted volume and format it;
  • encrypt the partition in place.

If the device selected in Step 5 holds data you want to keep and encrypt, choose “Encrypt partition in place”. Otherwise (if the device holds nothing important, or nothing at all), choose “Create encrypted volume and format it”; in that case everything stored on the selected device will be lost. After selecting an option, click “Next”.

Step 7:

Step 8:

In the eighth step, you need to make sure once again that you have chosen exactly the device you wanted. Once you are sure that your choice is correct, click the “Next” button.

Step 9:

This is one of the most important steps. Here you must choose a good password for the volume. Read carefully the information in the wizard window about what counts as a good password. Enter the chosen password in the first field, repeat it in the second field and click Next. Note: the “Next” button stays inactive until the passwords in both fields match.

Step 10:

Move your mouse as randomly as you can within the Volume Creation Wizard window for at least 30 seconds; the longer you move it, the better. The mouse movements feed the random pool from which the volume's master key and salt are generated, which significantly increases the cryptographic strength of the keys. Then click “Format”.

Confirm the formatting of the selected partition and wait for the process to finish.

Then read carefully the notice on how to use the volume you created and how to remove encryption from the partition/device.

So, the volume is created. After you click “OK”, TrueCrypt will prompt you to create 1 more volume (“Next” button). If you want to stop the Volume Creation Wizard, click on the “Exit” button.

Step 11:

Now that the volume has been created, you need to know how to use it. Note that if you try to access the encrypted device in the normal way (My Computer – encrypted device), Windows will offer to format it; do not agree, because after formatting the device would be empty and unencrypted. To access the volume, open TrueCrypt, select the encrypted device in the main window (in our example, drive F:), then select a free drive letter (I'll choose Z:) and click “Mount”.

Enter the password that was created in Step 9.

TrueCrypt will now try to mount the partition. If the password is wrong (for example, mistyped), TrueCrypt reports it and you repeat the previous step (re-enter the password and click OK). If the password is correct, the partition is mounted.

We have just successfully mounted our encrypted device as virtual disk Z:

The virtual disk is completely encrypted (including file names, allocation tables, free space, etc.) and behaves like a real disk. You can save (copy, move, etc.) files to this virtual disk, and they will be encrypted on the fly while being written.

If you open a file stored on a TrueCrypt partition, for example, in a media player, the file will be automatically decrypted in RAM (memory) on the fly while reading.

Important: Please note that when you open a file stored on a TrueCrypt partition (or when you write/copy a file from/to a TrueCrypt partition), you will not be asked to enter your password again. You must enter the correct password only when mounting the partition.

You can open the mounted partition, for example, by double-clicking its entry in the list of mounted volumes in the main TrueCrypt window.

You can also find and open the mounted partition, as you usually do for other drives. For example, simply open “My Computer” and double-click on the drive shortcut (in our case, drive Z).

To dismount the volume (do this before unplugging a USB device), select it in the list of mounted volumes in the main TrueCrypt window (Z: in the picture above) and click Dismount.

Removing encryption from the device

If you no longer need the device encrypted, the simplest way is to reformat it. Note that this erases everything on it, so first mount the volume and copy the files you want to keep somewhere else. Then:

  • check that the encrypted device is dismounted;
  • open My Computer;
  • find the encrypted device in the list of disks;
  • right-click it;
  • choose “Format” from the context menu.

Once formatting is complete, the disk is no longer encrypted and can be used as before, but it is empty.

Step 12:

To create a hidden volume, repeat steps 1-3 and in the fourth step, select the “TrueCrypt Hidden Volume” option.

You can read more about what a hidden volume is via the wizard's link “What is a hidden volume?”, but briefly:

  • a hidden volume is created inside an existing regular (outer) volume, in its free space;
  • a hidden volume is mounted in the same way as a regular one, except that when mounting you enter the hidden volume's password instead of the outer volume's; which password you enter determines which of the two volumes is mounted;
  • it should be impossible to prove that a hidden volume exists, since its area is indistinguishable from the random data that fills the outer volume's free space; this gives additional (deniable) protection for the data stored in it.

Step 13:

Step 14:

The Volume Creation Wizard prompts us to choose a method for creating the hidden volume. There are two options:

  • “Normal mode”: the wizard first helps you create a regular volume, after which a hidden volume can be created inside it;
  • “Direct mode”: create a hidden volume inside an already existing regular volume (our choice, since we created a regular volume above).

Step 15:

In this step, we have to enter the password used in the regular (outer) volume. This password was entered in Step 9. After entering the password, click “Next”.

Step 16:

The wizard reports that it has scanned the outer volume's cluster map and shows the maximum possible size of the hidden volume.

Step 17:

Here you can select the encryption algorithm and hash algorithm for the partition. If you are not sure what to choose here, you can use the default settings and click “Next” (for more detailed information, see the chapter Encryption Algorithms and Hash Algorithms).

Step 18:

At this stage, select the size of the hidden volume. Please note the maximum possible size!

Step 19:

This step is similar to step 9, but note: the password for the hidden volume must be different from the password for the outer volume.

Step 20:

Move your mouse as randomly as you can within the Volume Creation Wizard window for at least 30 seconds; the longer you move it, the better, since the movements feed the random pool from which the keys are generated. Then click the “Format” button.

Read carefully the notice on how to use the volume you created and how to remove encryption from the partition/device.

The wizard warns us that as a result of improper use of the outer volume, the hidden one may be damaged. To learn how to protect a hidden volume, see the “Precautions for Hidden Volumes” section.

That's it, the hidden volume is ready. To create another volume, click the “Next” button. To stop the Volume Creation Wizard, click “Exit” (in our case, 2 volumes are enough for us; below we will explain how to work with a hidden volume).

Step 21:

Working with a hidden volume is the same as working with the outer volume. The only difference is that to access the hidden volume you enter the password from Step 19, not the one from Step 9.

Assignment: encrypt

  1. a non-system disk;
  2. part of a disk;
  3. separate files of different formats.

Create virtual images of the encrypted objects and test their operation.

Control questions

1. What does the term “on-the-fly encryption” mean?

2. What are the operating modes of the TrueCrypt program?

3. How to delete an encrypted partition?

4. List the advantages of this software.

Encryption is the process of encoding information in such a way that it cannot be accessed by other people unless they have the necessary key to decode it. Encryption is typically used to protect important documents, but it's also a good way to stop people trying to steal your personal data.

Why use categories? To break the huge variety of encryption programs into simpler, more understandable groups, i.e. to give them structure. This article is limited to utilities for encrypting files and folders.

  1. File and folder encryption utilities, the subject of this article. They work directly on files and folders, unlike utilities that encrypt and store files inside volumes (archives, that is, file containers). They can operate on demand or on the fly.
  2. Virtual disk encryption utilities. These create volumes (encrypted containers/archives) that appear in the file system as virtual drives with their own letter, for example “L:”. Such drives can contain both files and folders, and the file system reads, writes and creates documents on them in real time, in the clear as far as applications are concerned. These utilities work on the fly.
  3. Full-drive encryption utilities, which encrypt entire storage devices: hard drives, disk partitions and USB devices. Some of them can also encrypt the drive the operating system is installed on.
  4. Client-side cloud encryption utilities, a new category. These encrypt files before they are uploaded or synchronised to the cloud, so the files are protected in transit and at rest in the cloud. They use various forms of virtualisation to give the client access to the original data, and all of this happens on the fly.

Cautions

Operating systems are leaky: echoes of your personal data (swap files, temporary files, hibernation files, deleted files, browser artifacts and so on) will most likely remain on whatever computer you use to access the data, and isolating these echoes is not a trivial task. Protecting data on its way into or out of the hard drive is difficult in its own right. For example, when you create an encrypted archive of files, or unpack such an archive, the original files (or copies of the originals from the archive) remain on the hard drive, and they may also remain in temporary storage locations (Temp folders and the like). Removing these originals is therefore not a matter of simply pressing “delete”: a deleted file's contents stay on disk until they are overwritten.

  1. Just because an encryption program “works” does not mean it is secure. New encryption utilities often appear after “someone” reads Applied Cryptography, picks an algorithm and starts coding, perhaps even reusing proven open source code, implements a user interface, checks that it works, and thinks the job is done. It is not: such a program is probably full of fatal bugs. As Bruce Schneier puts it in Security Pitfalls in Cryptography: “Functionality does not equal quality, and no amount of beta testing will ever reveal a security flaw. Too many products are merely buzzword compliant; they use secure cryptography, but they are not secure.”
  2. Using encryption is not sufficient to ensure the security of your data. There are many ways to bypass the protection, so if your data is really sensitive you also need to think about other protective measures. You can use this article as a starting point for further research into the risks of using cryptographic software.

Overview of file and folder encryption programs

TrueCrypt was once the best program in this category. It is still one of the best, but it no longer belongs to this category, since it works with virtual disks.

Most, if not all, of the programs described below expose the user to the non-obvious threat described in the cautions above (plaintext copies of files left behind on disk). TrueCrypt, which works with whole volumes rather than with individual files and folders, does not expose users to this weakness.

Sophos Free Encryption- no longer available.

Related and alternative products:

  • SafeHouse Explorer is a simple, free program that is light enough to be easily used on USB drives. You can also find well-prepared videos and user manuals on their website.
  • Rohos Mini Drive is a portable program that creates a hidden, encrypted partition on a USB drive.
  • FreeOTFE (from the review of virtual disk encryption utilities) is a program for performing disk encryption on the fly. It can be adapted for portable use.
  • FreeOTFE Explorer is a simpler version of FreeOTFE. It does not require administrator rights.
  • Pismo File Mount Audit Package is a file system extension that provides access to special encrypted files (via the Windows Explorer context menu), which in turn provide access to encrypted folders. Applications can write directly into these folders, so no plaintext copies of the original documents are left on your hard drive.
  • 7-Zip is a powerful file archive utility that provides 256-bit AES encryption for *.7z and *.zip formats. However, Pismo is a better solution because it avoids the problem of storing unencrypted versions of files.

Quick selection guide (download programs for encrypting files and folders)

AxCrypt

Integration with the Windows Explorer context menu: AxCrypt makes opening, editing and saving encrypted files as easy as working with unencrypted ones. Use this product if you frequently work with encrypted files.
The installer bundles OpenCandy (which offers additional third-party software). You can avoid it, but then you need to register on the site.
The widespread use of network technologies (LAN, CAN, VPN) lets companies organise fast and convenient exchange of information over any distance. Protecting information in a corporate environment, however, remains a live task that occupies the managers of small, medium and large enterprises in the most varied fields. Moreover, whatever the size of the company, management almost always needs to differentiate employees' access rights to confidential information according to its degree of importance.

In this article we discuss transparent encryption as one of the most common methods of protecting information in a corporate environment, look at the general principles of encryption for multiple users (multiple public key cryptography), and show how to set up transparent encryption of network folders using the CyberSafe Files Encryption program.

What is the advantage of transparent encryption?

Virtual crypto disks or full-disk encryption are well justified on a user's local computer, but in the corporate space transparent encryption is the more appropriate approach, since it lets several users work with classified files at the same time, quickly and conveniently. When files are created and edited, encryption and decryption happen automatically, on the fly. Employees need no skills in cryptography to work with protected documents and do not have to perform any extra steps to encrypt or decrypt secret files.

Classified documents are handled as usual, with standard applications. All the functions for configuring encryption and delimiting access rights can be assigned to one person, for example the system administrator.

Multiple Public Key Cryptography and Digital Envelopes

Transparent encryption works as follows. A randomly generated symmetric session key is used to encrypt the file, and that key is in turn protected with the user's asymmetric public key. When the user opens the file to change it, the transparent encryption driver decrypts the symmetric key with the user's private key and then decrypts the file itself with the symmetric key. We described how transparent encryption works in detail in the previous topic.

But what if there are several users and the classified files are stored not on a local PC but in a folder on a remote server? The encrypted file is the same for everyone, yet each user has their own unique key pair.

This is where so-called digital envelopes come in.

As the figure shows, a digital envelope contains the file encrypted with a randomly generated symmetric key, together with several copies of that symmetric key, each protected with the public key of one user. There are as many copies as there are users allowed to access the protected folder.

The transparent encryption driver then works like this: when a user accesses a file, it checks whether that user's certificate (public key) is in the list of permitted ones. If it is, the copy of the symmetric key that was encrypted with that public key is decrypted with the user's private key. If the user's certificate is not listed, access is denied.
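As an added example (not CyberSafe's code), here is the scheme just described built from Go's standard library: Seal encrypts the file once under a random AES-256-GCM key and wraps that key with RSA-OAEP for each recipient, indexed by a SHA-256 fingerprint of the public key; Open is the driver's check, refusing any private key whose fingerprint is not in the list; Grant and Revoke model the administrator adding and removing users. The Recipient and Envelope types, the names, the constructed sample record and the choice to let any current key holder grant access are assumptions of the example, not CyberSafe's design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrAccessDenied is returned when the opener's certificate is not in the envelope.
var ErrAccessDenied = errors.New("certificate not in the envelope's recipient list")

// Recipient stands in for a user's published certificate; only the public
// key matters here, so no X.509 chain is built (assumption of the example).
type Recipient struct {
	Name string
	Pub  *rsa.PublicKey
}

// NewUserKey generates a user's key pair; it stands in for certificate enrolment.
func NewUserKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// fingerprint identifies a certificate the way a key server would: SHA-256
// over the DER encoding of the public key.
func fingerprint(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // cannot fail for a well-formed RSA key
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Envelope is the digital envelope from the text: one AES-256-GCM ciphertext
// under a random file key, plus one RSA-OAEP-wrapped copy of that key per
// authorised user, indexed by certificate fingerprint.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey map[string][]byte
}

func newGCM(fileKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func (e *Envelope) wrapFor(u Recipient, fileKey []byte) error {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, u.Pub, fileKey, nil)
	if err != nil {
		return err
	}
	e.WrappedKey[fingerprint(u.Pub)] = wrapped
	return nil
}

// Seal encrypts plaintext once and wraps the file key for every listed user.
func Seal(plaintext []byte, users []Recipient) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	e := &Envelope{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKey: make(map[string][]byte),
	}
	for _, u := range users {
		if err := e.wrapFor(u, fileKey); err != nil {
			return nil, err
		}
	}
	return e, nil
}

// unwrap is the driver's access check: look up the caller's certificate and,
// only if it is listed, recover the file key with the caller's private key.
func (e *Envelope) unwrap(priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := e.WrappedKey[fingerprint(&priv.PublicKey)]
	if !ok {
		return nil, ErrAccessDenied
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// Open decrypts the file for one user. GCM also rejects a tampered ciphertext.
func (e *Envelope) Open(priv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := e.unwrap(priv)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

// Grant lets an existing recipient (the administrator in the text) add a
// user: the file key is recovered with the granter's private key and
// re-wrapped for the new public key. Consequently the granter can read the
// file; nobody can grant access to data they cannot open themselves.
func (e *Envelope) Grant(granter *rsa.PrivateKey, u Recipient) error {
	fileKey, err := e.unwrap(granter)
	if err != nil {
		return err
	}
	return e.wrapFor(u, fileKey)
}

// Revoke removes a user's copy of the key. Caveat: the file key itself is
// unchanged, so a user who already extracted it (or copied the file while
// authorised) is not locked out; a real system re-encrypts under a fresh
// key on revocation.
func (e *Envelope) Revoke(pub *rsa.PublicKey) {
	delete(e.WrappedKey, fingerprint(pub))
}

func main() {
	ivanov, _ := NewUserKey()
	petrov, _ := NewUserKey()
	smirnov, _ := NewUserKey()

	// constructed sample record for "DB1", shared with Ivanov and Petrov only
	env, err := Seal([]byte("DB1: constructed confidential record"), []Recipient{
		{Name: "Ivanov", Pub: &ivanov.PublicKey},
		{Name: "Petrov", Pub: &petrov.PublicKey},
	})
	if err != nil {
		panic(err)
	}
	_, err = env.Open(smirnov)
	fmt.Println("Smirnov before grant:", err)
	if err := env.Grant(ivanov, Recipient{Name: "Smirnov", Pub: &smirnov.PublicKey}); err != nil {
		panic(err)
	}
	text, _ := env.Open(smirnov)
	fmt.Printf("Smirnov after grant: %q\n", text)
}
```

Two caveats that the description above glosses over are visible in the code: whoever adds a user must be able to recover the file key, and removing a user's wrapped key does not help against a user who already extracted it, so real revocation means re-encrypting the file under a fresh key.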

Encrypting network folders using CyberSafe

With CyberSafe, the system administrator can configure transparent encryption of a network folder without additional data protection protocols such as IPsec or WebDAV, and can subsequently control which users have access to each encrypted folder.

To set up transparent encryption, every user who is to be allowed access to confidential information must have CyberSafe installed on their computer, must have a personal certificate created, and must have their public key published on the CyberSafe public key server.

The system administrator then creates a new folder on the remote server, adds it to CyberSafe and assigns keys to the users who will be allowed to work with files in that folder. You can of course create as many folders as required and store confidential information of differing importance in them, and the administrator can at any time remove a user from a folder's access list or add a new one.

Let's look at a simple example.

The file server of the ABC enterprise stores three databases with confidential information of differing importance: “for official use only”, Secret and Top Secret. Access must be granted to DB1 for users Ivanov, Petrov and Nikiforov; to DB2 for Petrov and Smirnov; and to DB3 for Smirnov and Ivanov.

To do this, on the file server (which can be any network resource) you create three separate folders, one per database, and assign the certificates (keys) of the corresponding users to those folders.

Of course, this and similar access control problems can also be solved with Windows ACLs. But that method is only effective for delimiting access rights on employees' computers inside the company: by itself it does not protect confidential information if a third party gains access to the file server, so cryptographic protection of the data is simply necessary.

Moreover, all file system security settings can be reset from the command line. Windows has a dedicated tool for this, cacls, which can view permissions on files and folders as well as reset them. In Windows 7 and later the command is called icacls and is used as follows:

  1. Open a command prompt with administrator rights (cmd).
  2. Change to the disk or partition, for example: CD /D D:
  3. To reset all permissions, enter: icacls * /T /Q /C /RESET

It is possible that icacls will not work the first time (resetting an ACL requires that you own the object or have the right to change its permissions). In that case, before step 2 you need to run the following command:
After that, the previously set permissions on the files and folders will be reset.

You could also build a system based on a virtual crypto disk and ACLs (a system of that kind using crypto disks in organisations is described in more detail elsewhere). But such a system is vulnerable too: to give employees constant access to the data on the crypto disk, the administrator has to keep it mounted for the whole working day, which puts the confidential information on it at risk, even without knowledge of its password, if an attacker manages to connect to the server while the disk is mounted.

Network drives with built-in encryption do not solve the problem either, since they only protect data while nobody is working with it: the built-in encryption protects confidential data from compromise only if the disk itself is stolen.

In CyberSafe, files are encrypted and decrypted not on the file server but on the user's side. Confidential files are therefore stored on the server only in encrypted form, which rules out their compromise when an attacker connects directly to the file server. All files on the server in a folder protected by transparent encryption are encrypted and securely protected, while users and applications see them as ordinary files: Notepad, Word, Excel, HTML and so on. Applications read and write these files directly; the fact that they are encrypted is transparent to them.

Users without access can also see these files, but cannot read or modify them. This means that even if the system administrator has no access to the documents in one of the folders, he can still back them up, and all file backups are of course encrypted too.

However, when a user opens one of the files for work on his computer, there is a chance that unwanted applications will gain access to it (if the computer is infected). To prevent this, CyberSafe has, as an additional security measure, a trusted applications system through which the system administrator defines the list of programs allowed to access files from a protected folder. All other applications, not in the trusted list, are denied access. This limits the exposure of confidential information to spyware, rootkits and other malware.

Since all work with encrypted files takes place on the user's side, CyberSafe is not installed on the file server, and in a corporate environment the program can be used to protect information on network storage devices with the NTFS file system, such as Windows Storage Server. All confidential information in such storage is encrypted, and CyberSafe is installed only on the user computers from which the encrypted files are accessed.

This is the advantage of CyberSafe over TrueCrypt and other encryption programs that have to be installed where the files physically reside, so that only a personal computer, not a network drive, can serve as the server. (A TrueCrypt container can in fact be kept on a network share and mounted by a client, but it cannot be mounted for writing by more than one user at a time; simultaneous multi-user access is limited to read-only mounts.) Using network storage in companies and organisations is of course far more convenient and justified than using an ordinary computer.

Thus, with CyberSafe and no additional tools, you can organise effective protection of valuable files, make working with encrypted network folders convenient, and differentiate users' access rights to confidential information.

Each of us stores a fair amount of confidential information on our hard drives. For some it is only passwords for various network services, others keep important documents, and others have been developing an innovative program for several years. In any case the data must be protected from strangers, which in our mobile world is hard to do without encryption systems.

Looking at the list of encryption software for Linux and analysing the popularity and relevance of each, we conclude that there are only four secure and maintained cryptosystems for encrypting hard drives and other storage media on the fly:

WARNING

For security reasons it is better to exclude encrypted partitions from indexing by editing the /etc/updatedb.conf configuration file; otherwise the locate database, which is stored in plaintext, will contain the names of every file on the mounted volume. Files encrypted by EncFS cannot have hard links, because the encryption system binds the data not to the inode but to the file name.
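An added example (not from the original article) of what that edit looks like for mlocate or plocate; the file system list and the paths are assumptions and should be replaced with your own mount points:

```conf
# /etc/updatedb.conf  (example; adjust the paths to your own mount points)
PRUNE_BIND_MOUNTS="yes"
# File system types that are never indexed; fuse.encfs covers EncFS mounts,
# ecryptfs covers eCryptfs mounts.
PRUNEFS="proc sysfs devtmpfs tmpfs nfs nfs4 cifs ecryptfs fuse.encfs fuse.sshfs"
# Mount points of encrypted volumes (e.g. a LUKS/dm-crypt volume at /home/user/Private).
PRUNEPATHS="/tmp /media /mnt /home/user/Private"
```

After changing the file, rebuild the database with updatedb and check with locate that nothing from the volume is listed; the previous database (/var/lib/mlocate/mlocate.db for mlocate) keeps the old names until it is regenerated, so regenerate it rather than waiting for the daily cron job.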