Encryption On the Go

Encryption On the Go gives you a simple way to build a Windows application that encrypts a file before it leaves your computer. Encryption On the Go is implemented with the EaseFilter Encryption Filter Driver SDK, a transparent file system encryption filter driver.

A transparent file system encryption filter driver integrates encryption and decryption into the read and write I/O path at the file system level. Because no extra I/O is needed, this improves encryption performance dramatically, and with file-system-level auto encryption, encrypting and decrypting files is completely transparent to the users.

How to implement the encryption on the go solution?

  1. Set up the auto-encryption folder: every newly created file in this folder is encrypted automatically. The files stay encrypted when a blacklisted process reads them. You set up the blacklist by disabling the decryption feature for those processes, for example “explorer”, “outlook” and browser applications, so the files remain encrypted when these processes send them out of your computer. Because the rule is keyed by process name and every process not on the list receives the decrypted data, keep the blacklist complete for every application that can move files off the machine. On the receiver’s computer, set up a decryption folder and drop the encrypted files into it; the files remain encrypted on disk and can be decrypted only by the authorized processes or users. In this mode the encrypted file carries an embedded header, so you can tell whether a file is encrypted.
    // Set up a file filter rule for the folder c:\encryptedFolder.
    // masterKey and filterControl are provided by the host application, as in the demo project.
    FileFilter fileFilter = new FileFilter("c:\\encryptedFolder\\*");

    // Enable encryption for this filter rule: new files created under the folder are encrypted automatically.
    fileFilter.EnableEncryption = true;

    // Derive the 256-bit (32-byte) encryption key from the master key.
    fileFilter.EncryptionKey = Utils.GetKeyByPassPhrase(masterKey, 32);

    // Blacklist processes: clear ALLOW_READ_ENCRYPTED_FILES so these processes receive the raw encrypted
    // data (e.g. backup software, explorer.exe). Every process not listed here keeps maximum rights and reads plaintext.
    uint accessFlag = FilterAPI.ALLOW_MAX_RIGHT_ACCESS & ~(uint)FilterAPI.AccessFlag.ALLOW_READ_ENCRYPTED_FILES;
    fileFilter.ProcessNameAccessRightList.Add("explorer.exe", accessFlag);
    fileFilter.ProcessNameAccessRightList.Add("backup.exe", accessFlag);

    filterControl.AddFilter(fileFilter);

    // Push the configuration to the filter driver and check the result.
    string lastError = string.Empty;
    if (!filterControl.SendConfigSettingsToFilter(ref lastError))
    {
        MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
        MessageBox.Show("SendConfigSettingsToFilter failed." + lastError, "SendConfigSettingsToFilter", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return;
    }

  2. Set up an encryption on the go folder: files in this folder are not encrypted and remain in clear text on disk. They are encrypted only when a blacklisted process, for example “explorer”, “outlook” or a browser application, reads them to send them out. On the receiver’s computer, set up a decryption folder and drop the encrypted files into it; the files remain encrypted on disk. In this mode there is no embedded header in the encrypted file, so you cannot tell from the file itself whether it is encrypted; every file in the drop folder is always treated as encrypted, so only encrypted files should be placed there.

To configure this, set up the encryption filter rule and clear the “ALLOW_ENCRYPT_NEW_FILE” flag so that the filter driver does not encrypt newly created files. The filter driver then encrypts the data on the fly when a blacklisted process reads a file, provided the “DISABLE_ENCRYPT_DATA_ON_READ” flag is cleared for that process. Here is the code snippet.

Please refer to the C# “AutoFileCryptTool” demo project for more detail.

    // Blacklisted processes for encryption on the go: they keep maximum access rights, except that
    // data is encrypted as they read it and new files they create are not encrypted.
    // blackProcessList is a ';'-separated list of process names (e.g. "explorer.exe;outlook.exe"), as in the demo project.
    string blackListProcessRights = "";
    string[] blacklist = blackProcessList.Split(new char[] { ';' });
    foreach (string processName in blacklist)
    {
        if (processName.Trim().Length > 0)
        {
            // Clear DISABLE_ENCRYPT_DATA_ON_READ (encrypt on read) and ALLOW_ENCRYPT_NEW_FILE (do not encrypt new files).
            uint accessFlag = FilterAPI.ALLOW_MAX_RIGHT_ACCESS
                & (uint)(~FilterAPI.AccessFlag.DISABLE_ENCRYPT_DATA_ON_READ)
                & (uint)(~FilterAPI.AccessFlag.ALLOW_ENCRYPT_NEW_FILE);
            // Entries use the "process!rights" format, separated by ';'.
            blackListProcessRights += ";" + processName.Trim() + "!" + accessFlag.ToString();
        }
    }

    // Encryption-on-read rule for the folder: files stay clear on disk, new files are not encrypted,
    // and each file is encrypted with the same key but a unique IV.
    FileFilterRule EncryptOnReadFilterRule = new FileFilterRule();
    EncryptOnReadFilterRule.Type = (int)FilterRuleType.EncryptionOnRead;
    EncryptOnReadFilterRule.IncludeFileFilterMask = folderName + "\\*";
    EncryptOnReadFilterRule.EncryptionPassPhrase = GlobalConfig.MasterPassword;
    EncryptOnReadFilterRule.AccessFlag = (uint)FilterAPI.ALLOW_MAX_RIGHT_ACCESS | (uint)FilterAPI.AccessFlag.ENABLE_FILE_ENCRYPTION_RULE;
    EncryptOnReadFilterRule.AccessFlag &= (uint)(~FilterAPI.AccessFlag.ALLOW_ENCRYPT_NEW_FILE); // do not encrypt newly created files
    EncryptOnReadFilterRule.EncryptMethod = (int)FilterAPI.EncryptionMethod.ENCRYPT_FILE_WITH_SAME_KEY_AND_UNIQUE_IV;
    EncryptOnReadFilterRule.ProcessNameRights = blackListProcessRights;
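The two modes above differ in whether the encrypted file carries a header, and therefore in whether a reader can tell plaintext from ciphertext, and both derive a 256-bit key from the master passphrase and encrypt every file with that same key but a unique IV. The following Python model is an added example written for this page to make those three points concrete; it is not EaseFilter SDK code and does not reproduce the SDK's on-disk format. The header marker, the salt, the PBKDF2 key derivation (standing in for Utils.GetKeyByPassPhrase) and the HMAC-SHA256 counter-mode keystream (standing in for the driver's cipher) are all assumptions of the example, and the file contents and passphrase are constructed.

```python
import hashlib
import hmac
import os

# Assumptions of this example (not the SDK's format): a 4-byte marker for the
# header-carrying mode, a fixed salt, a 256-bit key and a 16-byte IV.
MAGIC = b"EOTG"
SALT = b"constructed-salt"
KEY_LEN = 32
IV_LEN = 16


def key_from_passphrase(passphrase: str, salt: bytes = SALT, length: int = KEY_LEN) -> bytes:
    """Stand-in for Utils.GetKeyByPassPhrase(masterKey, 32): stretch the master
    passphrase with PBKDF2-HMAC-SHA256 into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=length)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from an HMAC-SHA256 PRF: block i = HMAC(key, iv || i).
    Stand-in for the driver's cipher; reusing the key is safe only while the IV is unique."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + block.to_bytes(8, "big"), "sha256").digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Mode 1: auto-encryption folder. Each file gets a fresh IV and a header, so a
# reader can recognise an encrypted file before trying to decrypt it.
def encrypt_with_header(key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(IV_LEN)
    return MAGIC + iv + xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def is_encrypted(blob: bytes) -> bool:
    return blob.startswith(MAGIC) and len(blob) >= len(MAGIC) + IV_LEN


def decrypt_with_header(key: bytes, blob: bytes) -> bytes:
    if not is_encrypted(blob):
        raise ValueError("no encryption header: refusing to decrypt")
    iv = blob[len(MAGIC):len(MAGIC) + IV_LEN]
    body = blob[len(MAGIC) + IV_LEN:]
    return xor_bytes(body, keystream(key, iv, len(body)))


# Mode 2: encryption on the go. The ciphertext carries no header, so the
# receiver's drop folder must treat every file as encrypted. How the per-file
# IV reaches the receiver is outside this example; here it is passed explicitly.
def encrypt_headerless(key: bytes, iv: bytes, data: bytes) -> bytes:
    return xor_bytes(data, keystream(key, iv, len(data)))


def drop_folder_read(key: bytes, iv: bytes, blob: bytes) -> bytes:
    """Always decrypts: a clear-text file dropped here comes back as garbage."""
    return encrypt_headerless(key, iv, blob)


def iv_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Why the rule uses a unique IV per file: with the same key and the same IV,
    c1 XOR c2 equals p1 XOR p2, leaking plaintext relations without the key."""
    c1 = encrypt_headerless(key, iv, p1)
    c2 = encrypt_headerless(key, iv, p2)
    return xor_bytes(c1, c2)


def demo() -> dict:
    key = key_from_passphrase("correct horse battery staple")  # constructed master passphrase
    secret = b"Q3 forecast: revenue +12%, headcount -5%"       # constructed file content
    other = b"Q3 forecast: revenue  -3%, headcount +1%"        # constructed second file

    sealed = encrypt_with_header(key, secret)
    clear_file_in_drop_folder = drop_folder_read(key, bytes(IV_LEN), secret)
    leak = iv_reuse_leak(key, bytes(IV_LEN), secret, other)
    return {
        "key_bits": len(key) * 8,
        "header_detected": is_encrypted(sealed),
        "plain_detected": is_encrypted(secret),
        "round_trip": decrypt_with_header(key, sealed) == secret,
        "headerless_garbage": clear_file_in_drop_folder != secret,
        "iv_reuse_leaks_xor": leak == xor_bytes(secret, other),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The example deliberately stops at confidentiality: like any unauthenticated stream mode, it does not detect tampering, and decrypting with the wrong passphrase silently yields garbage rather than an error, so a production format would add an authentication tag. Those properties of the SDK's own format are not described on this page.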