File Based Encryption Overview
With compliance regimes such as GDPR and CCPA expanding, and data breaches increasing, data security has become a pressing issue.
Most data services use an 'encryption at rest' strategy, which encrypts all data that resides on the storage. The encryption key is most often held by the storage provider, and this key is used to encrypt all data.
From a compliance perspective, relying on this alone is not enough as the industry has seen high profile breaches of cloud services where data protected in this way has been exposed.
Companies should therefore take additional precautions with data, i.e. ensuring it is encrypted independently of the storage provider. File based encryption is one mechanism that can be used to achieve this.
The File Fabric's file based encryption (FBE) service, when activated, stream encrypts data before it resides on the storage (where, if encryption at rest is used by the storage provider, it is additionally encrypted).
You can consider file based encryption to be analogous to a safe that's stored within a bank vault. The vault is the encryption at rest, and even if this is breached, each safe within the vault has its own layer of security that must also be 'cracked' to gain access to the data.
The File Fabric can be used to encrypt either individual files or directories using a key. This can be set at a company tenant level, and therefore be transparent to the end user, or it can be configured so that each file or directory has its own individual encryption key.
The File Fabric uses FIPS certified AES-256 encryption using the Rijndael cipher, with Cipher Block Chaining (CBC) where the block size is 16 bytes. The cipher Rijndael consists of:
- an initial Round Key addition
- a final round.
The chaining variable goes into the “input” and the message block goes into the “Cipher Key”. The likelihood of recovering a file that has been encrypted using our encryption is fairly remote. The most efficient key-recovery attack for Rijndael is exhaustive key search. The expected effort of exhaustive key search depends on the length of the Cipher Key and, for a 16-byte key, is 2^127 applications of Rijndael.
Any AES-256 decryption tool that supports the Rijndael cipher with a 16-byte block size can be used to decrypt files.
The File Fabric also provides free stand-alone desktop Apps (Mac, Windows, Linux) that enable decryption directly from the storage, if the encryption key is known, without having to use the File Fabric.
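The following is an added example, not File Fabric code: it uses the openssl CLI as one such standard AES-256 tool to show CBC encryption and decryption of a stream with a 16-byte block size. The key, IV and sample data are constructed, and passing a raw hex key and IV and using openssl's PKCS#7 padding are assumptions, since this page does not describe how the encryption phrase becomes a key or where the IV is kept.

```shell
#!/bin/sh
# Constructed demo values (not real secrets): a 32-byte AES-256 key and a
# 16-byte IV (one CBC block), hex-encoded. Assumption: raw key and IV are
# known; deriving them from an encryption phrase is outside this example.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
OTHER_KEY=ff0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV=a0a1a2a3a4a5a6a7a8a9aaabacadaeaf

# Stream-encrypt stdin to stdout. openssl buffers 16-byte blocks, XORs each
# with the previous ciphertext block (CBC) and pads the final block (PKCS#7).
cbc_encrypt() { openssl enc -aes-256-cbc -K "$KEY" -iv "$IV"; }

# Decrypt stdin with the hex key in $1. Errors are silenced because a wrong
# key normally fails only at the padding check; CBC has no integrity tag.
cbc_decrypt() { openssl enc -d -aes-256-cbc -K "$1" -iv "$IV" 2>/dev/null; }

# Hex-dump stdin as one continuous lowercase string.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# Size in bytes of the ciphertext produced for plaintext string $1.
ciphertext_size() { printf '%s' "$1" | cbc_encrypt | wc -c | tr -d ' '; }

# Hex of ciphertext block $2 (1-based) for plaintext string $1.
cipher_block() {
  printf '%s' "$1" | cbc_encrypt | hex |
    cut -c "$(( ($2 - 1) * 32 + 1 ))-$(( $2 * 32 ))"
}

# Prints "yes" if decrypting with hex key $2 returns plaintext $1 exactly.
recovers() {
  want=$(printf '%s' "$1" | hex)
  got=$(printf '%s' "$1" | cbc_encrypt | cbc_decrypt "$2" | hex)
  if [ "$got" = "$want" ]; then echo yes; else echo no; fi
}

SAMPLE='constructed sample: payroll.csv'   # 31 bytes of made-up content
SAME='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'     # two identical 16-byte blocks
echo "ciphertext size:  $(ciphertext_size "$SAMPLE") bytes"
echo "right key works:  $(recovers "$SAMPLE" "$KEY")"
echo "other key works:  $(recovers "$SAMPLE" "$OTHER_KEY")"
echo "block 1 of SAME:  $(cipher_block "$SAME" 1)"
echo "block 2 of SAME:  $(cipher_block "$SAME" 2)"
```

The two ciphertext blocks printed for SAME differ even though the plaintext blocks are identical, which is the effect of chaining. Because CBC carries no integrity tag, the tool cannot by itself prove that the key was right or that the ciphertext was not altered.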
Encryption can be set for the whole team by the File Fabric Administrator by setting an encryption policy. This can be set at a global level (all files) or it can be only for nominated folders or files.
If global team encryption is not turned on, the File Fabric Administrator can set the scope to be on a per-user level, in which case the end user is responsible for setting and remembering the encryption key.
(Previously known as Team Encryption)
The File Fabric Administrator of the Org Account can set encryption by logging into the Web and choosing “Organization —> Policies —> Encryption” and choosing the encryption password and scope.
Once this password is set, files for all users of the Primary Cloud are 'encrypted at rest' therein (this is additional to any 'encryption at rest' set by a storage provider).
Note: Existing files are not encrypted; only new file uploads are encrypted.
The password is stored, in an encrypted fashion, in the File Fabric and does not leave the appliance as it is used to encrypt/decrypt files on demand.
The Admin can choose the scope, either:
- All shared team folders
- All Shared team folders plus user files
- Nominated Folders
All shared team folders: Only team folders are encrypted; the users' personal files are not encrypted.
All Shared team folders plus user files: Shared team folders and users' personal files in the personal cloud are encrypted at rest.
Nominated Folders: Only files in nominated folders are encrypted.
For team folders, the encryption is transparent to end users. Authenticated Team users do not need to know the encryption password and files are simply encrypted and decrypted as accessed via File Fabric Apps once they are authenticated and authorised to access the resource.
Team encrypted files that are shared without passwords also do not require the recipient to know the encryption password.
Shared team files that have been encrypted can still additionally be subject to password policies that require the recipient of a shared link to submit a password prior to access. In such cases the encryption is still transparent i.e. nothing has to be done.
Standalone desktop decryption tools are provided in the event users want to download encrypted files direct from remote clouds or data stores.
A user can set his own password to encrypt files uploaded in the web browser (entered when uploading), in the desktop tools, and also using the File Fabric Android App.
In the browser when uploading the user has the option to encrypt the files and enter the encryption phrase. The encrypted file will be listed with a shield icon.
For the Windows and Mac Apps the user can set the encryption phrase in settings or, in the dedicated Windows Explorer, explicitly set the encryption password on upload.
On the File Fabric Android App, files can also be encrypted on upload from the device.
Unlike the account level encryption, the encryption phrase set by personal users is not stored on the server, i.e. the user has to remember the phrase, otherwise they will not be able to gain access to the file, and if they forget it there is no way for the SME service to recover it.
Note also that different phrases can be used for different files.
As an optimization the File Fabric desktop tools provide an option to save a single encryption phrase for ease of use when dealing with files from the desktop.
Encryption Scope Precedence
Team level encryption has priority over personal encryption. When encryption is turned on at the Team level then personal encryption of files will no longer be available to end users in that team domain.
If the team level encryption scope is set to All shared team folders, then the encryption phrase set by the Admin is used for team folders, i.e. the personal encryption phrase is not used for team folders and the option to encrypt is not available to the user for files stored in shared team folders.
If the team level encryption scope is set to All Shared team folders plus user files, then the encryption phrase set by the Admin is used for team folders and the users' personal files. The user's encryption phrase is not used and the option to encrypt is not available to the user.
Note that if files are encrypted through the File Fabric they will only be accessible through the File Fabric. This can often be the intent with sensitive data stored on a remote storage provider, but you should note that if such files are subsequently moved directly on the storage then they will become inaccessible directly and will need to be accessed by using the File Fabric's standalone desktop decryption App, which is available for Mac, Windows or Linux.
If encryption passwords are changed at a team level then prior passwords are still honoured for decrypting purposes.
Throughput, i.e. upload/download, will be slower when using encryption than when working with non-encrypted files. There are two reasons for this:
- CPU usage is higher for encryption / decryption
- Each block is buffered, encrypted and then sent to the storage