Today, data leakage is one of the main data security problems for most enterprises. Many technologies address information security. Intrusion detection, firewalls and private networks are the traditional methods. But these methods struggle to prevent data leakage because they are designed to deal with network and malicious code attacks.
EaseFilter File System Encryption Filter Driver provides reliable protection against data leakage by using transparent file encryption technology. Encryption and decryption are executed in the file system filter driver and are completely transparent to users. By leveraging this transparent approach, your organization can implement encryption without having to make changes to your applications, infrastructure, or business practices.
A file system filter driver intercepts requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. File system filtering services are available through the filter manager in Windows. The Filter Manager provides a framework for developing File Systems and File System Filter Drivers without having to manage all the complexities of file I/O. The Filter Manager simplifies the development of third-party filter drivers and solves many of the problems with the existing legacy filter driver model, such as the ability to control load order through an assigned altitude. A filter driver developed to the Filter Manager model is called a minifilter. Every minifilter driver has an assigned altitude, which is a unique identifier that determines where the minifilter is loaded relative to other minifilters in the I/O stack. Altitudes are allocated and managed by Microsoft.
Encryption is the process in which data (plaintext) is translated into something that appears to be random and meaningless (ciphertext). Decryption is the process in which the ciphertext is converted back to plaintext. A cryptographic algorithm, or cipher, is a mathematical function used in the encryption and decryption process. A cryptographic algorithm works in combination with a key (a number, word, or phrase) to encrypt and decrypt data. To encrypt, the algorithm mathematically combines the information to be protected with a supplied key. The result of this combination is the encrypted data. To decrypt, the algorithm performs a calculation combining the encrypted data with a supplied key. The result of this combination is the decrypted data.
EaseFilter Encryption Filter Driver uses the Rijndael algorithm with a 256-bit key, a high-security algorithm created by Joan Daemen and Vincent Rijmen (Belgium). Rijndael is the new Advanced Encryption Standard (AES) chosen by the National Institute of Standards and Technology (NIST). At present, there is no way to break any of these algorithms other than trying all possible keys. If one billion computers were each searching one billion keys per second, it would take over 10*10^24 years to recover information encrypted with a 168-bit algorithm (the age of the universe is 10*10^9 years).
Transparent file encryption (TFE) performs real-time I/O encryption and decryption of file data on any block, in units of 16 bytes. The encryption uses a 256-bit symmetric key to encrypt or decrypt the data with the AES encryption algorithm. TFE protects data "at rest", meaning the data and files. Policies can be applied by user, process and file type. This allows only authorized users and processes to access the encrypted files; unauthorized users and processes can’t access them.
The EaseFilter encryption filter driver includes a kernel mode filter driver and user mode encryption and decryption APIs. The EaseFilter driver includes the Access Control component, the Isolation Layer component and the encryption engine. The EaseFilter APIs are the component that communicates between the client application and the filter driver. The filter APIs expose interfaces through which the client application can easily monitor or control the filter driver.
Encryption Policies – with the filter rule settings, you can create multiple encryption policies, based on file type, folder or file name, process and user name, to control which files are encrypted and which processes and users have permission to decrypt the files.
You need to assign an encryption key to every encryption filter rule; the filter driver uses it to encrypt or decrypt the files. The key can be 16 bytes, 24 bytes or 32 bytes. When you create a new file that matches an encryption filter rule, the filter driver encrypts the file and always generates a unique 16-byte IV for the newly created file, so you don’t need to worry about IV reuse.
Transparent File Encryption – Integrating the encryption file system filter driver into the Windows file system enables data-at-rest file encryption; users are unaware of the encryption and decryption processes taking place.
Transparent file encryption does not affect the original data and programs; it delivers data encryption, privileged user access control and security intelligence without any modification of existing applications.
Encryption Performance – With on-access file encryption, no extra I/O operations are needed. The filter driver encrypts the block data in the same write I/O and decrypts the block data in the same read I/O, which avoids burdening the system with extra I/O operations.
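Added example (not EaseFilter code, and not from the original page): how a rule key of 16, 24 or 32 bytes plus a per-file 16-byte IV can serve a single read or write by transforming only the requested byte range. It assumes AES in CTR mode, which the page does not specify; `NewFileIV`, `counterAt` and `CryptAt` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// NewFileIV returns a fresh random 16-byte IV; call once per newly created file.
func NewFileIV() ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	_, err := rand.Read(iv)
	return iv, err
}

// counterAt returns IV + blockIndex, treating the IV as a 128-bit big-endian counter.
func counterAt(iv []byte, blockIndex uint64) []byte {
	ctr := append([]byte(nil), iv...)
	lo := binary.BigEndian.Uint64(ctr[8:])
	binary.BigEndian.PutUint64(ctr[8:], lo+blockIndex)
	if lo+blockIndex < lo { // carry into the high 64 bits
		binary.BigEndian.PutUint64(ctr[:8], binary.BigEndian.Uint64(ctr[:8])+1)
	}
	return ctr
}

// CryptAt (AES-CTR, an assumed mode) encrypts or decrypts only the bytes at file offset off.
func CryptAt(key, iv, data []byte, off uint64) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil || len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("need 16/24/32-byte key and 16-byte IV (cipher error: %v)", err)
	}
	stream := cipher.NewCTR(block, counterAt(iv, off/aes.BlockSize))
	skip := make([]byte, off%aes.BlockSize) // keystream before an unaligned offset
	stream.XORKeyStream(skip, skip)
	out := make([]byte, len(data))
	stream.XORKeyStream(out, data)
	return out, nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key, never use in production
	iv, _ := NewFileIV()
	enc, _ := CryptAt(key, iv, []byte("constructed sample file content"), 0)
	part, _ := CryptAt(key, iv, enc[12:18], 12) // decrypt only bytes 12..17
	fmt.Printf("%q\n", part)
}
```

In CTR mode the same key and IV always produce the same keystream, so the per-file IV is what keeps two files under one rule key from sharing keystream.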
You can also encrypt or decrypt files with the APIs “AESEncryptFile” and “AESDecryptFile”. With the encryption API you can set your own encryption key and IV. The IV is optional; if it is null, a unique IV of 16 bytes of ASCII characters is assigned. The encryption API also lets you choose whether to add the IV tag. If you add the IV tag, the encrypted file can be recognized by the filter driver; make sure the encryption key you use with the encryption API is the same as the one in the encryption filter rule for the filter driver. If you don’t set the IV tag, the file is encrypted but carries no identification marking it as encrypted, so it can’t be decrypted by the filter driver; it can only be decrypted by the “AESDecryptFile” API.
Isolation Layer – The EaseFilter Isolation Layer Filter Driver creates two views of the accessed data. One is the encrypted view from local storage, so your data is always encrypted on the local disk; the other is the decrypted view presented to the authorized user. For every file open, the filter driver creates a unique memory cache, so users or processes with different permissions won't see the same view of the data.
You can access the encrypted files only when the encryption filter driver is running. The filter driver decrypts the data in memory during the read request and encrypts the data during the write request, so the data in memory is always clear data and the data on disk is always encrypted. When the encryption filter driver is turned off, the encrypted file can’t be accessed: an application that opens the encrypted file gets a “the file can’t be accessed by the system” error, so no one can read the encrypted files without the encryption filter driver enabled.
To develop file systems and file system filter drivers, use the Windows Driver Kit (WDK), which is provided by Microsoft. Even with the resources available in the WDK, developing file systems is certainly a challenge. To simplify your development and to provide you with a robust and well-tested file system filter driver that works with all versions and patch releases of the Windows operating systems supported by Microsoft, EaseFilter Inc. offers the file system filter driver SDK, which provides a complete, modular environment for building active file system filters in your application. With the EaseFilter file system filter driver SDK, you can develop your own filter driver application with C++/C# or other languages.
EaseFilter File System Mini Filter Driver SDK is a mature commercial product. It provides a complete modular framework that lets developers, even those without driver development experience, build a filter driver within a day. The SDK includes modules covering everything from code design to product installation, with all the basic features you need to build a filter driver:
1. The communication module.
It demonstrates how to set up the communication channel between the filter driver and your user mode application, and how to send and receive messages between them.
2. The debug and trace module.
You can print or trace debug messages with the WPP trace module, and you can also use the system event log to log information from the filter driver.
3. The configuration module.
This module shows how to manage the configuration settings for the filter driver, including the managed folders.
4. The file context module.
This module demonstrates how to trace every file I/O request, with the user information, process information and file information.
5. The I/O request packet handler module.
This is the most important module. The SDK demonstrates how to intercept I/O requests and modify the I/O data, which means you can easily build your own custom filter driver based on the SDK.
EaseFilter Inc. is a company that specializes in Windows file system filter driver development. It can architect, implement and test file system filter drivers for a wide range of functionality. It can also offer several levels of assistance to meet your specific needs: provide a consulting service for your existing file system filter driver; customize the SDK to meet your requirements; create your own filter driver with the SDK source code.
For more information please go to the website: www.easefilter.com
You can download the demo binary and example projects here: