The Auto File Encryption Demo was developed with the EaseFilter Encryption Filter Driver (EEFD) SDK. It demonstrates transparent file encryption: only authorized processes or users can read an encrypted file, while unauthorized processes or users get only its raw cipher text. With the EEFD you can build a secure file sharing solution that distributes encrypted files transparently, embeds digital rights management (DRM) data in them, restricts reading to authorized users or processes, and grants or revokes access to a distributed encrypted file at any time, from anywhere.
How to develop the auto file encryption application
Developing an auto file encryption application is simple with the EEFD SDK. The EEFD provides a comprehensive security solution for building transparent on-access, file-level encryption products: it encrypts newly created files transparently, and authorizes or blocks on-access encryption/decryption under the control of a client-defined policy.
The EEFD SDK provides APIs for different programming languages to develop Windows encryption applications, and ships C++ and C# demo source code that shows how to use the EEFD APIs. Besides C++ and C#, any language that can invoke Win32 native APIs can use the EEFD APIs to develop a security application.
Set up the auto file encryption filter rule
To use the EEFD in your application, the application needs to set up one or more filter rules as the file control policies for the filter driver. An auto file encryption filter rule includes a file filter mask that selects the files you want to encrypt; by default the file filter mask is a folder, and every file in that folder is encrypted. If you only want to encrypt files of a specific type, you can set the file filter mask to that file type, but make sure your application does not write files that fall outside the mask, because those files will not be encrypted. For example, Microsoft Office always generates temporary files without a file extension, so if your file filter mask covers only specific file types, those temporary files will not be encrypted automatically and will be written to disk in clear text.
Setting up the file encryption filter rule is simple with the EEFD API “AddFileFilterRule”: you just need to set the auto encryption folder and enable the encryption feature in the file filter rule, as below:
/// <summary>
/// Add the new filter rule to the filter driver.
/// </summary>
/// <param name="accessFlag">access control rights of the file IO to the files which match the filter mask</param>
/// <param name="filterMask">the filter rule file filter mask, it must be unique.</param>
/// <param name="isResident">if it is true, the filter rule will be added to the registry and the protection is active from boot time.</param>
/// <param name="filterRuleId">the id to identify the filter rule, it will show up in the messageId field of the messageSend structure if the callback is registered</param>
/// <returns>true if the rule was added; on false, call Marshal.GetLastWin32Error() for the error code (SetLastError = true).</returns>
[DllImport("FilterAPI.dll", SetLastError = true)]
public static extern bool AddFileFilterRule(
    uint accessFlag,
    [MarshalAs(UnmanagedType.LPWStr)] string filterMask,
    bool isResident,
    uint filterRuleId);
//the code snippet to encrypt the file with the file filter rule.
FilterControl filterControl = new FilterControl();
//the filter types needed here: file control, transparent encryption and per-process filtering.
FilterAPI.FilterType filterType = FilterAPI.FilterType.CONTROL_FILTER | FilterAPI.FilterType.ENCRYPTION_FILTER | FilterAPI.FilterType.PROCESS_FILTER;
int filterConnectionThreads = 5;
int connectionTimeOut = 30;
string licenseKey = "your license key";
string lastError = string.Empty;
//start the filter driver connection before any rule is added; do not continue if it fails,
//otherwise no rule is installed and the folder is not protected.
if (!filterControl.StartFilter(filterType, filterConnectionThreads, connectionTimeOut, licenseKey, ref lastError))
{
    throw new InvalidOperationException("StartFilter failed: " + lastError);
}
//setup a file filter rule for folder encryptionFolder
FileFilter fileFilter = new FileFilter("c:\\encryptionFolder\\*");
//enable the encryption for the filter rule.
fileFilter.EnableEncryption = true;
//setup the 256-bit encryption key. The bytes below are the published AES-256 test vector key from
//NIST SP 800-38A and are only a placeholder: never ship a hard-coded key, generate your own with
//RandomNumberGenerator and keep it in a key store.
byte[] encryptionKey = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
fileFilter.EncryptionKey = encryptionKey;
//add the encryption file filter rule to the filter control
filterControl.AddFilter(fileFilter);
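As an added example (not the EaseFilter demo's code), the check below shows which files a filter mask covers and therefore which ones a rule would leave unencrypted. It assumes the mask is a plain case-insensitive wildcard pattern ('*' and '?'), which the page does not spell out for the real driver, and the file names are constructed to resemble what an Office save leaves next to the document.

```python
"""Added example: which files does an auto-encryption filter mask cover?

Assumed: the mask is a case-insensitive wildcard pattern ('*' and '?').
The file names are constructed to resemble an Office save (not captured data).
"""
import fnmatch
from typing import List

# Constructed sample of files seen in the folder while Word saves report.docx.
SAMPLE_FILES: List[str] = [
    r"c:\encryptionFolder\report.docx",     # the document itself
    r"c:\encryptionFolder\~$report.docx",   # Office owner/lock file
    r"c:\encryptionFolder\~WRL0005.tmp",    # Office temporary copy
    r"c:\encryptionFolder\0F7A3C9B",        # temporary file without an extension
    r"c:\encryptionFolder\sub\notes.txt",   # file in a sub-folder
]


def mask_covers(mask: str, path: str) -> bool:
    """True when the filter mask matches the path (NTFS paths are case-insensitive)."""
    return fnmatch.fnmatchcase(path.lower(), mask.lower())


def unencrypted_files(mask: str, files: List[str]) -> List[str]:
    """Files the rule would NOT encrypt because the mask does not match them."""
    return [f for f in files if not mask_covers(mask, f)]


if __name__ == "__main__":
    for mask in (r"c:\encryptionFolder\*", r"c:\encryptionFolder\*.docx"):
        missed = unencrypted_files(mask, SAMPLE_FILES)
        print(f"{mask}: {len(missed)} file(s) left in clear text")
        for f in missed:
            print("   ", f)
```

The folder mask covers everything, including the extension-less temporary file; the `*.docx` mask misses three of the five files, which is the pitfall the paragraph above warns about.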
Set up the authorized whitelist processes and unauthorized blacklist processes
With the EEFD SDK you can set up control policies to protect your encrypted files and prevent sensitive files from being read or copied out. With the access control policies you can set up whitelist processes or users, which can read the encrypted files and get their clear text, and blacklist processes or users, which cannot read the encrypted files and get only the raw cipher text. There are two ways to set up the whitelist and blacklist processes or users:
- Default deny: set up the encryption filter rule so that by default no process or user can read the encrypted files, i.e. all of them are in the blacklist. To allow specific processes or users, add them with the encryption access rights. This is the way to implement a zero trust solution.
- Default allow: set up the encryption filter rule so that by default every process or user can read the encrypted files, i.e. all of them are in the whitelist. To block specific processes or users, add them without the encryption access rights.
If you want to upload or distribute your encrypted files outside your organization and want them to stay encrypted, add the processes that upload or distribute the files to the blacklist. For example, add the backup process, Explorer or Outlook to the blacklist; these processes then read only cipher text, so the files stay encrypted after they are copied out or uploaded to the internet.
Secure file sharing with DRM
With DRM data embedded in the encrypted file you can protect and monitor business-critical documents such as intellectual property and product designs wherever they live or travel: across devices, apps, cloud services and on-premises systems, and share them safely inside and outside the organization. By encrypting files with the extra digital rights management data you control the encrypted file through custom DRM: you can expire it, and grant or revoke control of it at any time and from anywhere, even after it has been distributed. EEFD supports hundreds of file types, including Microsoft Office files, Adobe PDF, source code (java, cpp, etc.) and 2D and 3D CAD files (dwg, prt, stp, etc.).
Embed the custom DRM data to the encrypted file
To embed custom DRM data in the encrypted file and encrypt the file with a unique key, set the filter property “EnableEncryptionKeyFromService” to true and register a callback for OnFilterRequestEncryptKey. With this setting, creating a new file invokes the OnFilterRequestEncryptKey callback, in which you can append custom tag data to the newly created encrypted file as a header. You can also supply your own unique encryption key for the new file, so that each file is encrypted with its own key and you manage the keys with your own solution; when the encrypted file is opened later, the same callback is invoked with the stored tag data and must return the matching key.
//enable the encryption key from service, so the callback can append the custom DRM data
fileFilter.EnableEncryptionKeyFromService = true;
//in the callback function OnFilterRequestEncryptKey you can authorize the file access
fileFilter.OnFilterRequestEncryptKey += OnFilterRequestEncryptKey;
public void OnFilterRequestEncryptKey(object sender, EncryptEventArgs e)
{
    e.ReturnStatus = NtStatus.Status.Success;
    if (e.IsNewCreatedFile)
    {
        //if you want to block the new file creation, return the AccessDenied status.
        //e.ReturnStatus = NtStatus.Status.AccessDenied;
        //if you want the file to be created without encryption, return the status below.
        //e.ReturnStatus = NtStatus.Status.FileIsNoEncrypted;
        //for the newly created file you can add your custom tag data to the header of the encrypted file.
        //here we just add the file name as the tag data.
        e.EncryptionTag = UnicodeEncoding.Unicode.GetBytes(e.FileName);
    }
    else
    {
        //this is an open request for an existing encrypted file: the driver requests the encryption key and IV.
        //if you want to block the encrypted file from being opened, return the AccessDenied status.
        //e.ReturnStatus = NtStatus.Status.AccessDenied;
        //if you want to return the raw encrypted data for this encrypted file, return the status below.
        //e.ReturnStatus = NtStatus.Status.FileIsEncrypted;
        //here is the tag data you set when the newly created file requested its key.
        //the header travels with the file and can be altered outside your control, so verify it before trusting it.
        byte[] tagData = e.EncryptionTag;
    }
    //here is the encryption key for the encrypted file, you can set it with your own key.
    //this demo derives the same key from one master password for every file; derive a per-file key
    //(for example from the tag data) if you want a unique key per file.
    e.EncryptionKey = Utils.GetKeyByPassPhrase(GlobalConfig.MasterPassword, 32);
    //if you want to use your own IV for the encrypted file, set the value here,
    //or don't set the IV, then a unique auto-generated IV is assigned to the file.
    //e.IV = Utils.GetIVByPassPhrase(GlobalConfig.MasterPassword);
}
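The callback above hands out one master-derived key for every file. As an added example, not EaseFilter's code, the Python below shows one way to fill the two branches of that callback with a per-file key: the custom tag stored with a new file carries a random salt, the UTF-16LE file name and an HMAC over both; on open, the HMAC is checked before any key is derived, so a tampered or foreign tag gets no key (return AccessDenied in the callback instead). The tag layout, the HKDF-SHA256 derivation and the domain-separation labels are this example's assumptions; only the standard library is used, and the SDK wiring is not reproduced.

```python
"""Added example (not EaseFilter's code): per-file keys for OnFilterRequestEncryptKey.

Design assumed here: the custom tag stored with a new file is
    salt(16 bytes) || UTF-16LE file name || HMAC-SHA256(master_key, salt||name)
and the file key is HKDF-SHA256(master_key, salt, name). On open, the HMAC is
checked before any key is derived, so a tampered or foreign tag gets no key.
"""
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16
MAC_LEN = 32
KEY_LEN = 32  # AES-256


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with SHA-256 (extract, then expand)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _tag_mac(master_key: bytes, body: bytes) -> bytes:
    # Domain-separated so this MAC cannot be confused with other uses of the master key.
    return hmac.new(master_key, b"EEFD-tag-v1|" + body, hashlib.sha256).digest()


def new_file_tag(master_key: bytes, file_name: str, salt: Optional[bytes] = None) -> bytes:
    """Tag to put in e.EncryptionTag when e.IsNewCreatedFile is true."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    body = salt + file_name.encode("utf-16-le")
    return body + _tag_mac(master_key, body)


def file_key_from_tag(master_key: bytes, tag: bytes) -> bytes:
    """Key to put in e.EncryptionKey; raises ValueError if the tag is not one we wrote."""
    if len(tag) < SALT_LEN + MAC_LEN:
        raise ValueError("tag too short")
    body, mac = tag[:-MAC_LEN], tag[-MAC_LEN:]
    if not hmac.compare_digest(mac, _tag_mac(master_key, body)):
        raise ValueError("tag integrity check failed: deny the open")
    salt, name = body[:SALT_LEN], body[SALT_LEN:]
    return hkdf_sha256(master_key, salt, b"EEFD-file-key|" + name, KEY_LEN)


if __name__ == "__main__":
    master = os.urandom(KEY_LEN)                 # in production: from a key store, never hard-coded
    tag = new_file_tag(master, "report.docx")    # new-file branch of the callback
    key_at_create = file_key_from_tag(master, tag)
    key_at_open = file_key_from_tag(master, tag)  # open branch, fed from e.EncryptionTag
    print("keys match:", key_at_create == key_at_open)
```

Because the salt is stored in the tag rather than in the key store, the service only has to keep the master key; revoking one file still requires the callback to refuse the open (for example by checking the file name or a revocation list against the tag) rather than deleting a per-file key.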
Create your own custom DRM data
To embed DRM data in the encrypted file you can use your own custom DRM data, or use the built-in DRM data in the structure format below, which the filter driver evaluates itself:
- You can set an expiry date by enabling the flag “Flags_Enabled_Expire_Time” in AESFlags; the encrypted file can then only be accessed before the expiry date.
- You can set a computer Id by enabling the flag “Flags_Enabled_Check_Computer_Id” in AESFlags; only the computer with the same computer Id can access the encrypted file.
- You can set user name verification by enabling the flag “Flags_Enabled_Check_UserName” in AESFlags; if IncludeUserNames is not empty, only the users in that list can access the encrypted file, and if ExcludeUserNames is not empty, the users in that list cannot access it.
- You can set process name verification by enabling the flag “Flags_Enabled_Check_ProcessName” in AESFlags; if IncludeProcessNames is not empty, only the processes in that list can access the encrypted file, and if ExcludeProcessNames is not empty, the processes in that list cannot access it.
typedef enum _AESFlags
{
    Flags_Enabled_Expire_Time = 0x00000010,
    Flags_Enabled_Check_ProcessName = 0x00000020,
    Flags_Enabled_Check_UserName = 0x00000040,
    Flags_Enabled_Check_AccessFlags = 0x00000080,
    Flags_Enabled_Check_User_Permit = 0x00000100,
    Flags_AES_Key_Was_Embedded = 0x00000200,
    Flags_Request_AccessFlags_From_User = 0x00000400,
    Flags_Request_IV_And_Key_From_User = 0x00000800,
    Flags_Enabled_Check_Computer_Id = 0x00001000,
    Flags_Enabled_Check_User_Password = 0x00002000,
} AESFlags;
typedef struct _AES_TAG_CONTROL_DATA
{
    ULONG VerificationKey;
    ULONG AESFlags;
    LONGLONG CreationTime;
    LONGLONG ExpireTime;
    ULONG AccessFlags;
    ULONG LengthOfIncludeProcessNames;
    ULONG OffsetOfIncludeProcessNames;
    ULONG LengthOfExcludeProcessNames;
    ULONG OffsetOfExcludeProcessNames;
    ULONG LengthOfIncludeUserNames;
    ULONG OffsetOfIncludeUserNames;
    ULONG LengthOfExcludeUserNames;
    ULONG OffsetOfExcludeUserNames;
    ULONG LengthOfAccountName;
    ULONG OffsetOfAccountName;
    ULONG LengthOfComputerId;
    ULONG OffsetOfComputerId;
    ULONG LengthOfUserPassword;
    ULONG OffsetOfUserPassword;
    //the variable-length data is stored here, in this order:
    //IncludeProcessNames;
    //ExcludeProcessNames;
    //IncludeUserNames;
    //ExcludeUserNames;
    //AccountNames;
    //ComputerId;
    //UserPassword;
} AES_TAG_CONTROL_DATA, *PAES_TAG_CONTROL_DATA;
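As an added example, not EaseFilter's own code, the Python below serializes and parses the AES_TAG_CONTROL_DATA header above, bounds-checks every Length/Offset pair before trusting it (the header travels with the file and can be edited by anyone holding it), and evaluates the expiry, computer Id, user and process rules; the process include/exclude logic is the same default-deny versus default-allow decision as the whitelist and blacklist processes described earlier. Everything the page does not state is an assumption of this example: little-endian layout with no padding, offsets relative to the start of the structure, lengths in bytes, UTF-16LE strings with ';' between list entries, Windows FILETIME timestamps, case-insensitive name matching, and a placeholder VerificationKey value.

```python
"""Added example (not EaseFilter's code): build, parse and evaluate AES_TAG_CONTROL_DATA.

Assumed, because the page does not state them: little-endian header with no
padding, Offset* relative to the start of the structure, Length* in bytes,
UTF-16LE strings with ';' between list entries, Windows FILETIME timestamps,
case-insensitive name matching and a placeholder VerificationKey value.
"""
import enum
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


class AESFlags(enum.IntFlag):
    EXPIRE_TIME = 0x10
    CHECK_PROCESS_NAME = 0x20
    CHECK_USER_NAME = 0x40
    CHECK_ACCESS_FLAGS = 0x80
    CHECK_USER_PERMIT = 0x100
    AES_KEY_WAS_EMBEDDED = 0x200
    REQUEST_ACCESS_FLAGS_FROM_USER = 0x400
    REQUEST_IV_AND_KEY_FROM_USER = 0x800
    CHECK_COMPUTER_ID = 0x1000
    CHECK_USER_PASSWORD = 0x2000

# VerificationKey, AESFlags, CreationTime, ExpireTime, AccessFlags, then 7 (Length, Offset) pairs.
_HEADER = struct.Struct("<IIqqI" + "II" * 7)
_FIELDS = ("IncludeProcessNames", "ExcludeProcessNames", "IncludeUserNames",
           "ExcludeUserNames", "AccountName", "ComputerId", "UserPassword")
VERIFICATION_KEY = 0x44464545  # placeholder; the driver's real magic value is not on this page
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_tag(flags: int, expire: datetime, values: Dict[str, List[str]], access_flags: int = 0) -> bytes:
    """Serialise the fixed header followed by the variable-length string area."""
    blobs, lens_offs, offset = [], [], _HEADER.size
    for name in _FIELDS:
        data = ";".join(values.get(name, [])).encode("utf-16-le")
        blobs.append(data)
        lens_offs += [len(data), offset if data else 0]
        offset += len(data)
    header = _HEADER.pack(VERIFICATION_KEY, int(flags), to_filetime(datetime.now(timezone.utc)),
                          to_filetime(expire), access_flags, *lens_offs)
    return header + b"".join(blobs)


def parse_tag(blob: bytes) -> dict:
    """Decode a tag; every Length/Offset is bounds-checked, as a driver must do too."""
    if len(blob) < _HEADER.size:
        raise ValueError("tag shorter than the AES_TAG_CONTROL_DATA header")
    h = _HEADER.unpack_from(blob)
    if h[0] != VERIFICATION_KEY:
        raise ValueError("VerificationKey mismatch")
    tag = {"flags": AESFlags(h[1]), "creation": from_filetime(h[2]),
           "expire": from_filetime(h[3]), "access_flags": h[4]}
    for i, name in enumerate(_FIELDS):
        length, off = h[5 + 2 * i], h[6 + 2 * i]
        if length and (off < _HEADER.size or off + length > len(blob)):
            raise ValueError(f"{name} points outside the tag")
        text = blob[off:off + length].decode("utf-16-le") if length else ""
        tag[name] = [s.lower() for s in text.split(";") if s]
    return tag


def evaluate(tag: dict, process: str, user: str, computer_id: str, now: datetime) -> Tuple[bool, str]:
    """Apply the embedded DRM rules to one open request; returns (allowed, reason)."""
    flags, p, u, c = tag["flags"], process.lower(), user.lower(), computer_id.lower()
    if AESFlags.EXPIRE_TIME in flags and now >= tag["expire"]:
        return False, "expired"
    if AESFlags.CHECK_COMPUTER_ID in flags and tag["ComputerId"] != [c]:
        return False, "wrong computer"
    if AESFlags.CHECK_USER_NAME in flags:
        if tag["IncludeUserNames"] and u not in tag["IncludeUserNames"]:
            return False, "user not in include list"
        if u in tag["ExcludeUserNames"]:
            return False, "user in exclude list"
    if AESFlags.CHECK_PROCESS_NAME in flags:
        if tag["IncludeProcessNames"] and p not in tag["IncludeProcessNames"]:
            return False, "process not in include list"
        if p in tag["ExcludeProcessNames"]:
            return False, "process in exclude list"
    return True, "allowed"


def example_blob() -> bytes:
    """Constructed policy: Word/Excel only, not for guest, one PC, expires 2030-01-01."""
    flags = (AESFlags.EXPIRE_TIME | AESFlags.CHECK_PROCESS_NAME |
             AESFlags.CHECK_USER_NAME | AESFlags.CHECK_COMPUTER_ID)
    return build_tag(flags, datetime(2030, 1, 1, tzinfo=timezone.utc),
                     {"IncludeProcessNames": ["winword.exe", "excel.exe"],
                      "ExcludeUserNames": ["guest"], "ComputerId": ["PC-7F3A"]})


def demo() -> List[Tuple[str, bool, str]]:
    """Constructed open requests run against example_blob() (not captured data)."""
    tag = parse_tag(example_blob())
    t = datetime(2026, 6, 1, tzinfo=timezone.utc)
    requests = [("alice in Word", "WINWORD.EXE", "alice", "pc-7f3a", t),
                ("guest in Word", "winword.exe", "guest", "pc-7f3a", t),
                ("alice uploading via Outlook", "outlook.exe", "alice", "pc-7f3a", t),
                ("alice on another PC", "winword.exe", "alice", "pc-0001", t),
                ("alice after expiry", "winword.exe", "alice", "pc-7f3a", t.replace(year=2031))]
    return [(label, *evaluate(tag, p, u, c, when)) for label, p, u, c, when in requests]
```

The "alice uploading via Outlook" request is denied purely because Outlook is not in IncludeProcessNames, which is the same effect as putting Outlook on the filter rule's blacklist: the file leaves the machine as cipher text. Note that the user and computer checks are only as strong as the identity the driver sees; a local administrator can rename a process or change the computer Id, so these rules raise the bar but do not replace the key-holding service's own authorization.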