Encrypt File With Header

How do you encrypt a file with a custom header?

With the EaseFilter Encryption Filter Driver SDK you can add your own data to a header that is embedded in the encrypted file. By embedding digital rights management (DRM) data in that header you can protect, track and control your encrypted files wherever they go: because the filter driver asks your service for the key each time a file is opened, you can grant or revoke a user's access at any time, even after the file has been shared.

The EaseFilter File System Encryption Filter Driver SDK is a security toolkit for building transparent file-level encryption products: files are encrypted and decrypted on the fly. It uses Rijndael, the algorithm the National Institute of Standards and Technology (NIST) selected as the Advanced Encryption Standard (AES), with 128-, 192- or 256-bit keys.

To enable transparent file encryption, include ENABLE_FILE_ENCRYPTION_RULE in the filter rule's access flag, for example “ALLOW_MAX_RIGHT_ACCESS|ENABLE_FILE_ENCRYPTION_RULE”. To encrypt files with custom header data, also set the “REQUEST_ENCRYPT_KEY_IV_AND_TAGDATA_FROM_SERVICE” flag in the rule's BooleanConfig.

When a new file is created in the managed folder, your service receives a request with the command “FILTER_REQUEST_ENCRYPTION_IV_AND_KEY_AND_TAGDATA”. In this callback you return the key and IV for the file and, if you want one, your custom header (tag) data; the driver embeds the tag data in the header of the newly created encrypted file.

When an existing encrypted file is opened, your service receives a request with the command “FILTER_REQUEST_ENCRYPTION_IV_AND_KEY” together with the tag data that was embedded when the file was created (messageSend->DataBuffer, messageSend->DataBufferLength bytes). You must return the same IV and key that were used when the file was created; returning STATUS_ACCESS_DENIED instead blocks the open. The tag data is simply whatever bytes the header holds, so validate it before you base an access decision on it.

// Inside the filter callback: messageSend is the request from the driver and
// messageReply the buffer returned to it. testkey (BYTE[32]) and testiv (BYTE[16])
// are the sample's fixed test values; useFixedTestIv is a sample-only switch
// that must be FALSE in a production build.
if (FILTER_REQUEST_ENCRYPTION_IV_AND_KEY == messageSend->FilterCommand
    || FILTER_REQUEST_ENCRYPTION_IV_AND_KEY_AND_TAGDATA == messageSend->FilterCommand)
{
    // This is an encryption filter rule with the boolean config
    // "REQUEST_ENCRYPT_KEY_IV_AND_TAGDATA_FROM_SERVICE" enabled: the filter driver
    // is requesting the IV and key to open or create the encrypted file.

    // To refuse the process access to the encrypted file, reply with:
    // messageReply->ReturnStatus = STATUS_ACCESS_DENIED;
    // messageReply->FilterStatus = FILTER_COMPLETE_PRE_OPERATION;

    if (FILTER_REQUEST_ENCRYPTION_IV_AND_KEY_AND_TAGDATA == messageSend->FilterCommand)
    {
        // A newly created file is requesting its encryption key and IV. The custom
        // tag data set below is written into the header of the encrypted file.

        // To block the file creation, return STATUS_ACCESS_DENIED:
        // messageReply->FilterStatus = FILTER_COMPLETE_PRE_OPERATION;
        // messageReply->ReturnStatus = STATUS_ACCESS_DENIED;

        // To leave this new file unencrypted, return STATUS_FILE_NOT_ENCRYPTED:
        // messageReply->ReturnStatus = STATUS_FILE_NOT_ENCRYPTED;

        // To encrypt the new file, return STATUS_SUCCESS together with the key and IV.
        messageReply->ReturnStatus = STATUS_SUCCESS;

        // The tag data must fit in the header: keep it under AES_MAX_TAG_DATA_SIZE,
        // and always set TagDataLength so a stale value is never reported.
        if (AES_MAX_TAG_DATA_SIZE > messageSend->FileNameLength)
        {
            // For test purposes the file name is used as the tag data; a real
            // service would embed its own rights-management record here.
            messageReply->ReplyData.AESData.Data.TagDataLength = messageSend->FileNameLength;
            memcpy(messageReply->ReplyData.AESData.Data.TagData, messageSend->FileName, messageSend->FileNameLength);
        }
        else
        {
            messageReply->ReplyData.AESData.Data.TagDataLength = 0;
        }

        wprintf(L"New created file :%ws is requesting encryption key, iv and tag data, return status:%0x\n",
            messageSend->FileName, messageReply->ReturnStatus);
    }
    else // FILTER_REQUEST_ENCRYPTION_IV_AND_KEY
    {
        // An existing encrypted file is being opened and needs its key. Cache the
        // key and tag data locally, because this request is sent very often.

        // The tag data that was embedded in the encryption header arrives in
        // messageSend->DataBuffer, messageSend->DataBufferLength bytes long. It is
        // whatever the header holds, so validate it before acting on it.

        // To block the open, return STATUS_ACCESS_DENIED:
        // messageReply->FilterStatus = FILTER_COMPLETE_PRE_OPERATION;
        // messageReply->ReturnStatus = STATUS_ACCESS_DENIED;

        // To hand out the raw encrypted bytes instead (backup software and other
        // applications that need the ciphertext), return STATUS_FILE_ENCRYPTED:
        // messageReply->ReturnStatus = STATUS_FILE_ENCRYPTED;

        // To decrypt the file, return STATUS_SUCCESS together with the key and IV.
        messageReply->ReturnStatus = STATUS_SUCCESS;

        // No tag data is returned on open; keep the length defined for SizeOfData below.
        messageReply->ReplyData.AESData.Data.TagDataLength = 0;

        // The tag data is not guaranteed to be NUL-terminated, so bound the print by
        // DataBufferLength instead of trusting %ws to find a terminator.
        wprintf(L"Encrypted file :%ws is requesting encryption key and iv,\nThe embedded tag data:%.*ws, return status:%0x\n",
            messageSend->FileName,
            (int)(messageSend->DataBufferLength / sizeof(WCHAR)), (const WCHAR *)messageSend->DataBuffer,
            messageReply->ReturnStatus);
    }

    messageReply->ReplyData.AESData.Data.AccessFlag = ALLOW_MAX_RIGHT_ACCESS;

    // IV: with IVLength set to 0 the driver assigns each file a unique, automatically
    // generated IV, which is the right choice in production. Only a test build should
    // reuse the fixed testiv across files. Do not test sizeof(testiv) here: if testiv
    // is a pointer, sizeof yields the pointer size, never 16.
    if (useFixedTestIv)
    {
        messageReply->ReplyData.AESData.Data.IVLength = 16;
        memcpy(messageReply->ReplyData.AESData.Data.IV, testiv, 16);
    }
    else
    {
        messageReply->ReplyData.AESData.Data.IVLength = 0;
    }

    // Key: 32 bytes selects AES-256. Replace the fixed testkey with a key from your key
    // management service; for an existing file it must be the same key that was returned
    // when the file was created.
    messageReply->ReplyData.AESData.Data.EncryptionKeyLength = 32;
    memcpy(messageReply->ReplyData.AESData.Data.EncryptionKey, testkey, 32);

    // Total reply size: the fixed part plus the appended tag data.
    messageReply->ReplyData.AESData.SizeOfData = sizeof(messageReply->ReplyData.AESData.Data) + messageReply->ReplyData.AESData.Data.TagDataLength;
}
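The sample above uses the file name as tag data and a fixed test key. The following is an added example, not EaseFilter SDK code or the vendor's sample, of what a service would put in the header and check on open to get the grant-and-revoke behaviour described at the top of the page. It assumes a hypothetical fixed-format tag (magic, version, a 16-byte file id and a creation time), a service-side key table keyed by that file id, and EXAMPLE_MAX_TAG_DATA_SIZE as a stand-in for the SDK's AES_MAX_TAG_DATA_SIZE. The point it makes: because the driver hands the header bytes back unauthenticated, the header should carry only an opaque lookup key, and expiry and revocation should live in the service's own table. On the create callback drm_tag_encode fills TagData/TagDataLength; on the open callback drm_authorize_open takes DataBuffer/DataBufferLength and yields the status to return.

```c
/* Added example, not EaseFilter SDK code: a fixed-format DRM tag for the encryption
 * header and the service-side check run when the driver hands the tag back on open.
 * EXAMPLE_MAX_TAG_DATA_SIZE is an assumed stand-in for the SDK's AES_MAX_TAG_DATA_SIZE. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXAMPLE_MAX_TAG_DATA_SIZE 256   /* assumed; use AES_MAX_TAG_DATA_SIZE with the SDK */
#define DRM_TAG_MAGIC    0x31474154u    /* "TAG1" */
#define DRM_TAG_VERSION  1u
#define DRM_TAG_WIRE_LEN 32             /* magic 4 + version 4 + file id 16 + created 8 */

/* The header carries only an opaque file id plus bookkeeping. Expiry and revocation live
 * in the service: the header comes back from the driver unauthenticated, and anyone
 * holding the raw file could edit it. */
struct drm_tag { uint8_t file_id[16]; uint64_t created_unix; };
struct key_record {            /* service-side record; revoking edits this, not the file */
    uint8_t  file_id[16];
    uint8_t  key[32];          /* AES-256 key; from a KMS/DPAPI in production, never a literal */
    uint64_t expires_unix;     /* 0 = no expiry */
    int      revoked;
};
enum drm_decision { DRM_ALLOW = 0, DRM_DENY = 1, DRM_BAD_HEADER = 2 };

/* Explicit little-endian packing, so the on-disk header does not depend on struct layout. */
static void put_le(uint8_t *p, uint64_t v, int n) { for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint64_t get_le(const uint8_t *p, int n) { uint64_t v = 0; for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i]; return v; }

/* Create callback: serialize into the reply's TagData buffer; returns the value for
 * TagDataLength, or 0 if the tag does not fit. */
size_t drm_tag_encode(const struct drm_tag *t, uint8_t *out, size_t cap)
{
    if (cap < DRM_TAG_WIRE_LEN || DRM_TAG_WIRE_LEN > EXAMPLE_MAX_TAG_DATA_SIZE) return 0;
    put_le(out, DRM_TAG_MAGIC, 4);
    put_le(out + 4, DRM_TAG_VERSION, 4);
    memcpy(out + 8, t->file_id, 16);
    put_le(out + 24, t->created_unix, 8);
    return DRM_TAG_WIRE_LEN;
}

/* Open callback: parse DataBuffer/DataBufferLength as untrusted input. */
int drm_tag_decode(const uint8_t *buf, size_t len, struct drm_tag *out)
{
    if (buf == NULL || len != DRM_TAG_WIRE_LEN) return 0;
    if (get_le(buf, 4) != DRM_TAG_MAGIC || get_le(buf + 4, 4) != DRM_TAG_VERSION) return 0;
    memcpy(out->file_id, buf + 8, 16);
    out->created_unix = get_le(buf + 24, 8);
    return 1;
}

/* Reply for FILTER_REQUEST_ENCRYPTION_IV_AND_KEY: DRM_ALLOW -> STATUS_SUCCESS with key_out
 * filled; DRM_DENY and DRM_BAD_HEADER -> STATUS_ACCESS_DENIED (the latter means the header
 * is not one this service wrote). */
enum drm_decision drm_authorize_open(const uint8_t *tagbuf, size_t taglen, uint64_t now,
                                     const struct key_record *db, size_t ndb, uint8_t key_out[32])
{
    struct drm_tag t;
    if (!drm_tag_decode(tagbuf, taglen, &t)) return DRM_BAD_HEADER;
    for (size_t i = 0; i < ndb; i++) {
        if (memcmp(db[i].file_id, t.file_id, 16) != 0) continue;
        if (db[i].revoked) return DRM_DENY;
        if (db[i].expires_unix != 0 && now >= db[i].expires_unix) return DRM_DENY;
        memcpy(key_out, db[i].key, 32);
        return DRM_ALLOW;
    }
    return DRM_DENY;               /* unknown id: no key, so the file stays ciphertext */
}

/* ---- constructed sample data for a stand-alone run ---- */
#define EXAMPLE_NOW 1700000000ull
static struct key_record g_db[3];
static int g_db_ready; static uint8_t g_last_key[32];

static void example_db_init(void)
{
    if (g_db_ready) return;
    for (int i = 0; i < 3; i++) {
        memset(g_db[i].file_id, 0x10 + i, 16);  /* constructed ids and keys */
        memset(g_db[i].key, 0xA0 + i, 32);
    }
    g_db[1].revoked = 1;                        /* owner revoked file 1 after sharing it */
    g_db[2].expires_unix = EXAMPLE_NOW - 1;     /* file 2's lease has already ended */
    g_db_ready = 1;
}

/* Round trip for g_db[idx]: build the tag the create callback would embed, then present it
 * as the open callback would see it. truncate_by > 0 models a damaged or hand-edited header. */
enum drm_decision example_round_trip(size_t idx, size_t truncate_by)
{
    uint8_t tag[EXAMPLE_MAX_TAG_DATA_SIZE];
    struct drm_tag t = { {0}, EXAMPLE_NOW - 3600 };
    example_db_init();
    memcpy(t.file_id, g_db[idx].file_id, 16);
    size_t len = drm_tag_encode(&t, tag, sizeof tag);
    if (len == 0 || truncate_by > len) return DRM_BAD_HEADER;
    return drm_authorize_open(tag, len - truncate_by, EXAMPLE_NOW, g_db, 3, g_last_key);
}

/* 1 if the key released by the last example_round_trip is g_db[idx]'s. */
int example_last_key_is(size_t idx) { example_db_init(); return memcmp(g_last_key, g_db[idx].key, 32) == 0; }

int main(void)
{   /* prints: file 0: 0, revoked: 1, expired: 1, header cut: 2 */
    printf("file 0: %d, revoked: %d, expired: %d, header cut: %d\n", example_round_trip(0, 0),
           example_round_trip(1, 0), example_round_trip(2, 0), example_round_trip(0, 1));
    return 0;
}
```

Revoking a shared file is then a change to the service's key_record, not to any copy of the file: every open goes back through drm_authorize_open, and once the record is marked revoked or has expired the service stops releasing the key. Rejecting anything that is not exactly DRM_TAG_WIRE_LEN bytes with the expected magic and version means a truncated or hand-edited header is refused rather than interpreted.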