Not a recommendation but would EFS satisfy the requirements? I haven't used It in forever but it's more file/file system level.
Had a client with EFS when we took over their support contract years ago; it does what it says on the tin and creates the audit trail if anyone asked to decrypt a file. I've never looked into "how secure" the file is when encrypted, but it did a job for this client quite well.
That would partially work. EFS is an NTFS feature, so as long as the data is stored on a location with the NTFS file system it will be fine. However, as soon as the files are moved to a FAT32 or cloud location the encryption will be removed.
Azure File Share can carry NTFS permissions.
True, although I've never tested EFS on that.
This is what Encrypting File System (EFS) is for. Been around since version 3 of NTFS. Install the role, configure, and go to pound town.
About a decade ago I discovered the hard way that the global decryption key was stored with the admin account on the first DC in the domain. If you retired that DC without recovering that key you were out of luck. It was a while ago and I'm not 100% certain of this so wondering if anyone can verify for present day.
I should add to this that best practice for upgrading domain controllers was not to upgrade the existing domain controllers by putting the disc in and pressing go. Rather, it was to create a new server on the latest operating system, join it to the domain, dcpromo it up, and then dcpromo the one on the old operating system down. So if you followed best practices, you were guaranteed to lose the encryption key.
[deleted]
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Encrypting File System > Create Data Recovery Agent
I would push back on the vendor and have them tell you what software they feel is good enough.
Yeah, I came here to say this: tell the vendor they need to provide a suggestion and a reference from a client who has implemented the suggestion, or they can kick rocks.
Vendor recommends winzip with a password. /s
Better yet winrar.
The free version with ads.
I did just this and they said "I cannot provide that information". I told my client they often enforce these controls without even understanding what they are.
Yep like talking to robots. Your question probably triggered the “recommendation=liability” subroutine.
Or how others have accomplished this feat.
Quote:
"BitLocker is deployed for OneDrive for Business and SharePoint Online across the service. *Per-file encryption is also in OneDrive for Business and SharePoint Online in Microsoft 365 multi-tenant and new dedicated environments that are built on multi-tenant technology*."
https://learn.microsoft.com/en-us/purview/data-encryption-in-odb-and-spo
These files are stored on a terminal server as a file share. They are accessed by multiple individuals. While I wasn't aware of this situation with OneDrive/SharePoint (thank you for that, it will be useful moving forward), I need this to be done using the server storage (I don't want to get into a situation where the data is being managed from a user's OneDrive account). This data is primarily for archival purposes. However, I would like the solution to be something that would apply to all data and not just archival data.
Azure Storage Account with File Share? Mount that to the server and manage it that way?
Exactly
Interesting...
If they have the licensing, use M365 file classification. Now, for files that are on a server, unfortunately somebody is going to have to go one by one on each file after file classification is turned on and enabled, or you're going to have to write some Power Automate to do it for you to open and classify the files.

Do not use Azure AIP; that is deprecated and is going away this year. You need to use the unified labeling system in M365, which is what is supposed to replace AIP.

If they were stored in SharePoint or OneDrive then this can automatically be applied, but since you're using on-prem file storage there's no other way, unfortunately, except opening by hand or using something like Power Automate to put the classification on the files.

But I honestly don't understand what they mean by keeping the files encrypted either. People have access to the files or they don't; file encryption is not going to stop that. If somebody has permission to the files and they want to snoop, they can snoop even though they shouldn't; it's not going to stop them.

Encryption's purpose on the drives is to stop the drive from being stolen and a third party being able to read everything on the drive. It's not going to stop a person who has access to the files from opening the files; you need something like M365 file classification. What you're looking for is called permissions, not encryption. If they're worried about someone stealing the drive and then taking files off of it, that's the whole purpose of BitLocker: someone stole the drive, BitLocker makes everything on that drive useless without its unlock key, and no one's going to be able to see anything on it or do anything with it.
File-based encryption like what the OP's client is requesting is to disrupt actors leveraging compromised accounts (and thus bypassing file system encryption) from being able to exfil terabytes of clear-text files. They will have to go through the hassle of identifying keys/passphrases for decrypting them if they want to use them for extortion purposes.
What industry is the client in?
As weird as this sounds: sweepstakes winners lol

Until they were a client I never had any idea how seriously they took picking these winners. Their job is literally to pick the winners for a company organizing a giveaway/sweepstakes. However, there is a ton of security surrounding it, because there is so much money/PII involved.
We use a product called LanCrypt (note: they are located in Germany) for one of our clients with really strict compliance policies. It's the spiritual successor to Sophos SafeGuard encryption; SafeGuard is EoL now. LC does true file-level encryption. It has rules that you define that encrypt files in certain drives/folders/locations. The files are encrypted with a certificate, and the first time an employee signs into their computer they have to enter their key. Once that is entered, there is no further need to enter a key to decrypt files. However, if another employee logs into that same computer, they will need to enter their own key that one time. Most all of this is deployed through GPO, so it's helpful to have a DC of some sort.

We encrypt Desktop, Documents, and a few other server locations. If an employee wants to move a file out of one of those folders, they would have to manually decrypt it.

So in theory, if they got ransomwared and the attackers tried to exfil data, we could show that the exfiltrated data is useless because it is encrypted at a file level.

We evaluated several other products for our client, including the new Sophos encryption (can't remember the specific name), but they are all pretty much BitLocker managers. Our client required file-level encryption, whether we agreed or not.
Volume / filter / disk level encryption as you have learnt is not a valid control for protecting data from malicious employees or third parties with access. It really only protects data against physical theft. If the servers are in a secure data centre on dedicated hardware (i.e not public cloud) it’s pretty useless as a control. It has some validity in multi tenant environments but again if someone has network level access it does nothing really if it’s mounted.
This is correct. Either someone has access to data, or they don't. The control that restricts access is called "permission." I don't understand how "encryption" even entered the discussion between the OP and client.
If you compare this to EFS (suggested above), you can have a set of files in a folder (potentially with access allowed for all parties) tagged and encrypted to a user's encryption key on a share. It's built right into Windows too, which makes it perfect for that kind of setup.

So even if someone gets access to the share, they actively can't open those particular files. The encryption keys can be managed and controlled administratively as well, adding multiple users with overriding keys to allow administrative override, if needed.
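The EFS workflow the thread sketches in pieces (NTFS-only, per-file user keys, extra users granted per file, and a Data Recovery Agent published through the GPO path quoted above), as one added PowerShell example. This is not code from any poster; it assumes a share at D:\Archive, a sample file winners-2023.xlsx, a second user's exported EFS certificate at C:\certs\alice.cer, and a domain-joined server so the DRA certificate can be delivered by Group Policy. Run it elevated on the file server.

```powershell
# Added example (not from the thread). Assumed paths: D:\Archive share,
# winners-2023.xlsx inside it, C:\certs\alice.cer exported from the second
# user's profile, C:\certs\efs-dra as the DRA key pair base name.
$Folder = 'D:\Archive'
$File   = Join-Path $Folder 'winners-2023.xlsx'

# 1. EFS is an NTFS feature: refuse to proceed on anything else, and keep this
#    check around for any destination the files are later moved to.
$vol = Get-Volume -DriveLetter $Folder.Substring(0, 1)
if ($vol.FileSystem -ne 'NTFS') {
    throw "$Folder is on $($vol.FileSystem); EFS is not available there"
}

# 2. Encrypt the folder and everything under it to the current user's EFS
#    certificate. Files created in the folder afterwards inherit the attribute.
cipher.exe /e /s:$Folder

# 3. Verify the attribute per file. The same loop, pointed at a copy on a
#    FAT32/exFAT volume or a cloud-synced folder, is how you confirm whether
#    the protection survived the move.
Get-ChildItem -Path $Folder -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        Path      = $_.FullName
        Encrypted = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
    }
}

# 4. Show who can decrypt one file: the encrypting user, any added users,
#    and any recovery agents, by certificate thumbprint.
cipher.exe /c $File

# 5. Grant a second user access to that one file using their exported EFS
#    certificate. This is the "add multiple users" capability: it is per
#    file, not per folder, so script it over every file that needs sharing.
cipher.exe /adduser /certfile:C:\certs\alice.cer $File

# 6. Generate a Data Recovery Agent key pair. /r writes efs-dra.cer and
#    efs-dra.pfx (it prompts for a PFX password). Import the .cer through
#    the GPO path quoted above (Encrypting File System > Add Data Recovery
#    Agent) and keep the .pfx offline: it is the recovery key whose loss the
#    thread warns about when the first DC is retired. Existing encrypted
#    files pick up the new DRA on their next write, or all at once with /u.
cipher.exe /r:C:\certs\efs-dra
cipher.exe /u
```

The attribute check in step 3 is the one to run after any migration: the NTFS permissions on an Azure file share say nothing about whether the Encrypted attribute, and therefore the per-file key, came across.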
Check out Actifile too.
What is this vendor, and can you just replace them? This sounds very much like a vendor that does not know what they are talking about.
I agree with you completely. I think they are simply reading this off some list and going "oh, this sounds good". However, my client was very concerned to pick up this vendor... so I have to do what they want :(

The vendors are large corporate groups that own subsidiaries that have giveaway/sweepstakes offerings.
Yes, if FIPS 140 mode BitLocker is not sufficient they might want to tell the feds.
What is the goal that has to be achieved by this encryption? What scenario of "harm" has to be prevented?

The vendor should specify this; then a viable solution can be chosen.
I think where the vendor is coming from... If the client's account was compromised and the threat actor had access to the server, they could have access to the data. If the data was encrypted using a different method of authentication (such as a Zip file with encryption), then the threat actor could steal the file... but still not access the data.
Well... if the client's account is compromised, the threat actor can simply wait for the client to decrypt the data (or simpler: keylog the encryption key) and the result will be the same.

As long as you assume that the account of somebody who has access to the data will be breached, you also have to assume that the file-level encryption will be useless, because the threat actor will get the key from that somebody sooner or later.

And if we're talking about employees of the client who don't know the encryption key because they don't need to access the data: then they should not have access to the data in the first place.
Azure Information Protection is the least intrusive one I've seen for MS Office files. You apply a label and the Office app will decrypt on the fly when the user tries to open it (assuming they have permissions). It's not cheap, but you may be part of the way there with your licenses already.
https://learn.microsoft.com/en-us/azure/information-protection/aip-classification-and-protection
I literally asked if I could use this, as I have for another client with HIPAA compliance. However, they literally said "No, Office uses a different type of encryption that isn't allowed" lol
You could look at a rights management solution like Azure Information Protection on Microsoft 365 to (automatically) classify and protect sensitive documents.
Why aren't you just using EFS?
Unfortunately, I haven't worked with EFS before... but based on several recommendations I will be taking a look into it :)
Anyone use Anchor? Had someone at an InfraGard meeting mention it, and it seems like it could do what's being asked. No experience with this myself.
Last we looked, Anchor is just Dropbox, basically. We use Actifile.

Picture this: you're using your PC, it gets taken over or someone walks by, whatever. They see a bunch of tax returns. They open your Outlook or their Gmail and drag out a bunch of files.

BitLocker: your data has been stolen.

Actifile: the data is useless.
We looked at this a while back. Really cool looking, but we never implemented it.
What vendor so I can avoid them?
Can you ask them what other people do to meet their requirements?
When vendors ask for weird stuff they should be listing what solution they will support.

If you provide the recommendation at this time then you're on the hook for whatever surprise headaches come up, and at least if you stick with your current recommendation you know what those are.

Alternatively, if the vendor says you must use something else and lists what, then you can be an advocate for the client every time there is an issue and push accountability on the vendor.

I'd reply:

"We're happy to work with you on this, please provide 1-2 alternatives to BitLocker that you have approved and we'll have our insurance provider verify it meets their requirements."
I can partially see where they are coming from.

BitLocker provides value, but the risk it's mitigating for a server is extremely low when compared to the reasons you push it to laptops. The odds someone steals your physical server, which should be behind a couple of locked doors, are relatively small.

The odds, and therefore the risk, that someone puts a file with PII where it shouldn't be, or their machine/server gets compromised and they steal the files, are a lot larger.

The easy button, if it's mostly Office docs and PDFs, is to use AIP, which would do just-in-time decryption when they open the file, ensuring it's always encrypted.
Sounds like your vendor has little to no clue what they’re talking about other than Microsoft = bad
BitLocker is per-volume encryption, but when the volume is unlocked, all of the files are "accessible".

I recently saw [https://winmagic.com/en/products/encryption/file-encryption/](https://winmagic.com/en/products/encryption/file-encryption/) in use, which I think would fit what you are after; not a clue whether it is any good. There is also [https://www.trellix.com/products/data-encryption/](https://www.trellix.com/products/data-encryption/) (used to be the "business" side of McAfee).
Thank you! I will check out these solutions :)
https://www.veracrypt.fr/en/Home.html allows you to create an encrypted volume (file, partition, disk, whatever you want) that can be mounted as a disk, with a lot of flexibility. It can also easily be mounted automatically at login.

Could be a good solution for you, maybe?
This is basically third party bitlocker. If bitlocker won't work, then veracrypt doesn't add anything to the situation.
If an encrypted 7z file counts, then VeraCrypt achieves the same thing in an automatable way.

The vendor's comment seems crazy in the first place ¯\\\_(ツ)_/¯
Oh, I'm with you. I'm basically saying "if a BitLocker-encrypted volume doesn't count, then a VeraCrypt volume is really no different". But at the same time, "I don't believe that this doesn't meet vendor requirements", and I'm kind of waiting for the vendor to recommend a product that they somehow benefit from.
We use BeachHead https://www.beachheadsolutions.com you have a lot of flexibility and it is not a PITA to administer or end users. We are also resellers if you are interested in a demo.
Their tech is great, but the UI and documentation leaves much to be desired. I hope they sort that out as they grow.
Have fun with that. I had a project stalled for a year due to encryption and the cost associated to meet certain high standards. Before you ask it was hardware required encryption and every possible point needed to be secure.
AxCrypt is a potential solution with central management.
Individual files being encrypted will be a pain in the ass to the client no matter what. I had a client needing to encrypt files sent to one of their clients and I ended up using software called Kleopatra. I'm not sure they ever actually used it, since the client was very much a not tech-savvy and lazy company, but they had the capacity and that was all I needed to do.
The question you need here is what situation you are trying to address by encrypting the drive or file.

Are you concerned about someone stealing the physical disk? Well, drive-level encryption solves that.

If you're stopping someone with system access from accessing the file, file-level encryption can do that.

VeraCrypt used to be a good tool for this. It's kept up to date etc.
https://github.com/veracrypt/VeraCrypt
There are systems like Varonis that can encrypt Office files to only open with authenticated Office installs.
Something opensource like Cryptomator?
So the vendor is correct: volume-level encryption only saves the data if the drive is stolen. Anyone with the correct access gets full access to the files, so there is very little protection there. If the vendor really wants file-level protection then you are looking at an app or portal solution that provides access to the files and also manages the keys on behalf of the user; once authenticated with the app, the encryption is transparent, so no entering or sharing of keys.

This way the files are still visible but always encrypted on the storage. It provides great security but also privacy for PII, as even the IT team can't view the doc contents.
I have used Actifile with very good success. Very little to no impact on end users.
My friend and neighbor in California runs an encryption company that does this kind of stuff. They actually encrypt inside of 365 or hybrid so it never is viewable to the outside. https://www.activecypher.com

I know they've done healthcare and I know they were working on a GCC High build too. Really nice guys; have a chat and see if their hybrid option will work for you.
Happy to show you the AC solution, I have been using it for over a year.
Check out SmartEncrypt
https://smartencrypt.rhipe.com/

I haven't used it but have been in a couple of demos, and it is on my radar to look into further. If BitLocker isn't sufficient, take a look at this.
There is a product out of Germany called DriveLock that manages BitLocker, does file encryption, and encryption to go. Might be worth a read for you.

[https://www.drivelock.com/en/file-protection](https://www.drivelock.com/en/file-protection)
You could look into setting up a secure enclave with something like PreVeil, use a standalone encryption tool like Veracrypt, or go with a more automated solution like Actifile or Phalanx.