File encryption is the process of converting data in a file into a secret code to protect the data. It is a security measure that ensures that only authorized users can access the data in the file. Encryption is used to protect sensitive information such as personal data, financial information, and confidential business data from unauthorized access. File encryption in C# is complex; the EEFD SDK provides a complete modular framework for developers to build file encryption software.
Types of Cryptography: There are two types of cryptography:
- Symmetric Cryptography: It is an encryption system where the sender and receiver of a message use a single common key to encrypt and decrypt messages. Symmetric key systems are faster and simpler, but the sender and receiver have to somehow exchange keys securely. The most popular symmetric-key cryptography system is the Data Encryption Standard (DES).
- Asymmetric Cryptography: Under this system, a pair of keys is used to encrypt and decrypt information. A public key is used for encryption and a private key is used for decryption. The public key and the private key are different. Even if the public key is known by everyone, only the intended receiver can decode the message, because he alone knows the private key.
To encrypt a file with C#, many C# encryption libraries are available. Here is a list of popular crypto libraries from https://github.com/quozd/awesome-dotnet/blob/master/README.md#cryptography:
- BouncyCastle – Together with the .Net System.Security.Cryptography, the reference implementation for cryptographic algorithms on the CLR.
- HashLib – HashLib is a collection of nearly all hash algorithms you’ve ever seen, it supports almost everything and is very easy to use
- libsodium-net – libsodium for .NET – A secure cryptographic library
- Pkcs11Interop – Managed .NET wrapper for unmanaged PKCS#11 libraries that provide access to the cryptographic hardware
- StreamCryptor – Stream encryption & decryption with libsodium and protobuf
- SecurityDriven.Inferno – .NET crypto library. Professionally audited.
- Microsoft CryptoAPI – .NET provides implementations of many standard cryptographic algorithms, and the .NET cryptography model is extensible. Cryptography API: Next Generation (CNG), available since Windows Vista, is a cryptographic API that you can use to create encryption security software for encryption key management, cryptography and data security, and cryptography and network security.
The C# Auto Encryption Code Snippet with EEFD
Although many C# encryption libraries are available, encrypting files in C# is still complex. The EEFD is a mature commercial encryption SDK. It provides a complete modular framework that lets developers, even those without much encryption development experience, build on-access file encryption software within a day.
EaseFilter Encryption Filter Driver (EEFD) is a file system encryption filter driver. It provides a comprehensive security solution for developing transparent on-access file-level encryption products. The EEFD allows you to encrypt newly created files transparently. You can authorize the on-access encryption/decryption under the control of client-defined policy.
The code snippet below demonstrates how to set up a filter rule to encrypt the files in an encryption folder, and how to set up another filter rule to decrypt the encrypted files. Only the authorized processes and users can read the encrypted file; unauthorized processes or users will get the raw encrypted data:
- Set up an auto-encryption folder: all newly created files in this folder are encrypted automatically. An encrypted file is decrypted automatically when users on the whitelist access it. It is not decrypted when users on the blacklist access it; they get the raw encrypted data.
- Set up an auto-encryption folder: all newly created files in this folder are encrypted automatically, and all processes get the raw encrypted data when they read the encrypted files, so you can securely upload or share these files to the cloud.
- Set up an encryption-on-the-go folder: files are not encrypted in this folder; a file is encrypted automatically in memory when a user on the blacklist accesses it. So you can add processes to the blacklist if you want to share the files securely with those processes.
```csharp
using System;
using EaseFilter.FilterControl;

namespace AutoFileEncryption
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "Email us to request a trial key: info@easefilter.com";

            FilterAPI.FilterType filterType = FilterAPI.FilterType.CONTROL_FILTER
                | FilterAPI.FilterType.ENCRYPTION_FILTER | FilterAPI.FilterType.PROCESS_FILTER;
            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            try
            {
                //copy the right Dlls to the current folder.
                Utils.CopyOSPlatformDependentFiles(ref lastError);

                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return;
                }

                //setup a file filter rule for folder encryptFolder
                string encryptFolder = "c:\\encryptFolder\\*";
                FileFilter fileFilter = new FileFilter(encryptFolder);

                //enable the encryption for the filter rule.
                fileFilter.EnableEncryption = true;

                //get the 256-bit encryption key with the passphrase
                //(sample passphrase only; do not hard-code a real passphrase in source)
                string passPhrase = "mypassword";
                fileFilter.EncryptionKey = Utils.GetKeyByPassPhrase(passPhrase, 32);

                //disable the decryption right, read the raw encrypted data for all except the authorized processes or users.
                fileFilter.EnableReadEncryptedData = false;

                //setup the authorized processes to decrypt the encrypted files.
                string authorizedProcessesForEncryptFolder = "notepad.exe;wordpad.exe";
                string[] processNames = authorizedProcessesForEncryptFolder.Split(new char[] { ';' });
                if (processNames.Length > 0)
                {
                    foreach (string processName in processNames)
                    {
                        if (processName.Trim().Length > 0)
                        {
                            //authorize the process with the read encrypted data right.
                            fileFilter.ProcessNameAccessRightList.Add(processName, FilterAPI.ALLOW_MAX_RIGHT_ACCESS);
                        }
                    }
                }

                //setup the authorized users to decrypt the encrypted files.
                string authorizedUsersForEncryptFolder = "domainName\\user1";
                if (!string.IsNullOrEmpty(authorizedUsersForEncryptFolder) && !authorizedUsersForEncryptFolder.Equals("*"))
                {
                    string[] userNames = authorizedUsersForEncryptFolder.Split(new char[] { ';' });
                    if (userNames.Length > 0)
                    {
                        foreach (string userName in userNames)
                        {
                            if (userName.Trim().Length > 0)
                            {
                                //authorize the user with the read encrypted data right.
                                fileFilter.userAccessRightList.Add(userName, FilterAPI.ALLOW_MAX_RIGHT_ACCESS);
                            }
                        }
                    }

                    if (fileFilter.userAccessRightList.Count > 0)
                    {
                        //set black list for all other users except the white list users.
                        uint accessFlag = FilterAPI.ALLOW_MAX_RIGHT_ACCESS & ~(uint)FilterAPI.AccessFlag.ALLOW_READ_ENCRYPTED_FILES;
                        //disable the decryption right, read the raw encrypted data for all except the authorized users.
                        fileFilter.userAccessRightList.Add("*", accessFlag);
                    }
                }

                //add the encryption file filter rule to the filter control
                filterControl.AddFilter(fileFilter);

                //setup a file filter rule for folder decryptFolder
                string decryptFolder = "c:\\decryptFolder\\*";
                FileFilter decryptFileFilter = new FileFilter(decryptFolder);

                //enable the encryption for the filter rule.
                decryptFileFilter.EnableEncryption = true;

                //get the 256-bit encryption key with the passphrase
                decryptFileFilter.EncryptionKey = Utils.GetKeyByPassPhrase(passPhrase, 32);

                //don't encrypt the newly created files in the folder.
                decryptFileFilter.EnableEncryptNewFile = false;

                //disable the decryption right, read the raw encrypted data for all except the authorized processes or users.
                decryptFileFilter.EnableReadEncryptedData = false;

                //setup authorized processes to decrypt the encrypted files.
                string authorizedProcessesForDecryptFolder = "notepad.exe;wordpad.exe";
                processNames = authorizedProcessesForDecryptFolder.Split(new char[] { ';' });
                if (processNames.Length > 0)
                {
                    foreach (string processName in processNames)
                    {
                        if (processName.Trim().Length > 0)
                        {
                            //authorize the process with the read encrypted data right.
                            decryptFileFilter.ProcessNameAccessRightList.Add(processName, FilterAPI.ALLOW_MAX_RIGHT_ACCESS);
                        }
                    }
                }

                filterControl.AddFilter(decryptFileFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                filterControl.StopFilter();
            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }
        }
    }
}
```
File Encryption Example In C# With CNG
The following C# encryption example shows how to encrypt data with CNG by using the advanced encryption standard (AES) symmetric encryption algorithm. As an example of the different implementations available for an algorithm, consider symmetric algorithms. The base for all symmetric algorithms is SymmetricAlgorithm, which is inherited by Aes, TripleDES, and others that are no longer recommended. Aes is inherited by AesCryptoServiceProvider, AesCng, and AesManaged.
```csharp
using System;
using System.IO;
using System.Security.Cryptography;

try
{
    using (FileStream fileStream = new("TestData.txt", FileMode.OpenOrCreate))
    {
        using (Aes aes = Aes.Create())
        {
            // Demonstration key only; never hard-code a real key in source.
            byte[] key =
            {
                0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
                0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16
            };
            aes.Key = key;

            // The randomly generated IV is written, unencrypted, at the start of the file
            // so that it can be read back for decryption.
            byte[] iv = aes.IV;
            fileStream.Write(iv, 0, iv.Length);

            using (CryptoStream cryptoStream = new(
                fileStream,
                aes.CreateEncryptor(),
                CryptoStreamMode.Write))
            {
                // By default, the StreamWriter uses UTF-8 encoding.
                // To change the text encoding, pass the desired encoding as the second parameter.
                // For example, new StreamWriter(cryptoStream, Encoding.Unicode).
                using (StreamWriter encryptWriter = new(cryptoStream))
                {
                    encryptWriter.WriteLine("Hello World!");
                }
            }
        }
    }

    Console.WriteLine("The file was encrypted.");
}
catch (Exception ex)
{
    Console.WriteLine($"The encryption failed. {ex}");
}
```
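The example above hard-codes its key and stores only the IV in the file. As an added example (not code from the original page, Microsoft, or EaseFilter), the following round trip derives a 256-bit key from a passphrase with PBKDF2, writes a random salt and the IV ahead of the ciphertext, and reads both back to decrypt. The `PassphraseFile` class, the file layout, the iteration count, the file name and the sample passphrase are assumptions of this example; it needs .NET 7 or later.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Constructed sample input: the passphrase, text and file name are placeholders.
string path = Path.Combine(Path.GetTempPath(), "TestData.enc");
PassphraseFile.Encrypt(path, "correct horse battery staple", "Hello World!");
Console.WriteLine(PassphraseFile.Decrypt(path, "correct horse battery staple"));

// Hypothetical helper class (assumes .NET 7 or later).
// Assumed file layout: [16-byte salt][16-byte IV][AES-256-CBC ciphertext].
static class PassphraseFile
{
    const int SaltSize = 16, IvSize = 16, KeySize = 32;
    const int Iterations = 600_000; // assumed PBKDF2 work factor; tune for your hardware

    // PBKDF2-HMAC-SHA256 stretches the passphrase into a 256-bit AES key.
    static byte[] DeriveKey(string passphrase, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations, HashAlgorithmName.SHA256, KeySize);

    public static void Encrypt(string path, string passphrase, string text)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize); // fresh salt per file
        using Aes aes = Aes.Create();                           // CBC mode, random IV
        aes.Key = DeriveKey(passphrase, salt);
        using FileStream file = new(path, FileMode.Create);
        file.Write(salt, 0, SaltSize);  // salt and IV are not secret; stored in the clear
        file.Write(aes.IV, 0, IvSize);
        using CryptoStream crypto = new(file, aes.CreateEncryptor(), CryptoStreamMode.Write);
        using StreamWriter writer = new(crypto);
        writer.Write(text);
    }

    public static string Decrypt(string path, string passphrase)
    {
        using FileStream file = new(path, FileMode.Open, FileAccess.Read);
        byte[] salt = new byte[SaltSize], iv = new byte[IvSize];
        file.ReadExactly(salt); // throws EndOfStreamException on a truncated header
        file.ReadExactly(iv);
        using Aes aes = Aes.Create();
        aes.Key = DeriveKey(passphrase, salt);
        aes.IV = iv;
        using CryptoStream crypto = new(file, aes.CreateDecryptor(), CryptoStreamMode.Read);
        using StreamReader reader = new(crypto);
        return reader.ReadToEnd(); // a wrong passphrase normally surfaces as a padding error
    }
}
```

AES-CBC on its own does not detect tampering; where modified ciphertext is a concern, add an HMAC over the file or use `AesGcm`.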