5

We have recently received a few client contracts where all client files must be encrypted at all times. The challenge we are having is sharing encrypted files and simultaneous access on network shares.

There are thousands of files which need to remain encrypted and accessed by different users and services. Microsoft's encryption hasn't worked very well for us under Windows XP and assigning multiple certificates to a file so multiple people may access them is cumbersome and error-prone.

We are currently using PGP NetShare on our clients folders but are running into issues when multiple people access a file (e.g. Microsoft Access) or viewing thousands of files in a folder (the list keeps refreshing returning your view to the top, Windows Explorer).

We are contacting PGP about these issues, but I thought it a good time to find out what has worked in the wild; what solutions others have come up with to deal with selective file encryption on network shares.

Our basic need to is to restrict file access to only those who are allowed to access the files for a given client. This restriction will be directory based, so there are not files that are encrypted and not-encrypted in the same directory. The files are stored on Windows Server 2008 storage server access via Windows shares. In a best case scenario we would be able to allow a service (using network credentials/user) to access and decrypt the files on a share. Something not possible with PGP NetShare (they can be access, but not decrypted).

Brettski
  • 942
  • 3
  • 20
  • 31
  • Wait...Are you encrypting them to prevent theft if a drive is stolen or removed, or encrypting so Bob and Alice can both access \\server\share\* and have two documents in that share such that Alice can read one, and Bob can access the other? – Bart Silverstrim Oct 14 '10 at 17:04
  • In a perfect world Bob and Alice who have access to the share should both be able to decrypt the files. But, for any reason someone does gain access to the files they are still unreadable since they are encrypted. The encryption access would be the same for all users who should have access. There is no configuration in the same folder where Alice decrypts file A only and Bob decrypts file B only. – Brettski Oct 14 '10 at 18:06
  • Seven years down the road, do you found any solution, @Brettski? I'm looking at this problem as well now. – tkokasih Mar 17 '17 at 21:18
  • 1
    No @tkokasih, we never did find a good solution for this. – Brettski Apr 01 '17 at 01:47

2 Answers2

2

Do the files need to be encrypted, or do you need to keep unauthorized people out? These are two distinct requirements.

I'd consider using a system level encryption on the files, on the Server 2008 computer, BitLocker might work well. Then use IPSec for encrypting LAN traffic. And just use normal access controls for authorization.

Chris S
  • 77,945
  • 11
  • 124
  • 216
  • Does system level encryption work will in Windows 2008? In Windows Server 2003, we had nothing but trouble allowing more than one person decrypt a file. – Brettski Oct 14 '10 at 18:09
  • 1
    Plus I don't know of any way to allow a group of people to decrypt a file just by placing it in a directory. If I copy a file to an encrypted folder, I have encrypted the file and I am the only one who can decrypt it. So now I need to add all these other people so they may also decrypt the file (and re-encrypt it, etc). Then I copy 9,000 file to the directory... – Brettski Oct 14 '10 at 18:12
  • 1
    I mentioned that BitLocker usually works well; it's transparent to all authorized users. Sounds like you aren't very familiar with encryption and file security; perhaps you should consider hiring a consultant who is. – Chris S Oct 15 '10 at 00:16
  • Bitlocker is whole disk encryption, we are only encrypting some directories. Perhaps the solution may be to encrypt the entire volume, though at 1.5T I am not sure we want to do that. No I am no expert at network file encryption, though I have wrestled for some time with EFS under Windows 2003. I am not against hiring a consultant, but it seems nobody has a good solution for encrypting directories on a shared network resource. – Brettski Oct 21 '10 at 19:12
  • Also, I have not experienced or read where the ability to decrypt a file follows the ACL for that file with Microsoft Encryption solutions. In other words, just because you have access to a share doesn't necessarily mean you can decrypt the file. With EFS and a folder marked for encryption, only the person who places a file in that folder may decrypt it, unless other users added to that file, there are no configurations at the folder level. – Brettski Oct 21 '10 at 19:17
  • BitLocker does encrypt the whole volume, but there's very few disadvantages to that. The size of the volume doesn't really factor (except the initial time to encrypt). Encrypting just certain directories isn't nearly as easy as it sounds. It is easy however to encrypt all network traffic to that server. After doing that, setting appropriate authorization to the direction will effectively limit access to authorized persons across an encrypted medium, and the files will be encrypted on disk. – Chris S Oct 21 '10 at 19:22
  • I'd add 802.1x into the mix to prevent unauthorized devices from accessing the network. – Tom O'Connor Apr 24 '13 at 22:11
1

EFS is the way to go: http://wikipedia.org/wiki/Encrypting_File_System

You can allow several users the access to the encrypted files (ie. Windows will encrypt/decrypt the files on the fly for them)

Works very well on Win7 / Windows 2008.

FrankJK
  • 306
  • 1
  • 3
  • 60% of our computer-base is Windows XP. When copying files into a folder, how can multiple users be automatically configured to be able to decrypt them? – Brettski Oct 14 '10 at 19:12