**This is an old revision of the document!**

File Encryption

Encryption Overview

One of the issues that becomes apparent with more users choosing to work from mobile phones and tablets is the issue of security. Sometimes these devices can end up in the wrong hands and when that happens it is reasonable to take precautions about how can open and gain access to files you have stored in the Cloud.

The secondary security concern can be with Cloud the Providers themselves. Users often want to protect certain files on the actual Cloud where they reside, and to that end they can want to use encryption independent of the Cloud Provider.

This particular use case can be solved by using the Cloud encryption service that SME provides. Encryption works when users upload files from SME web or desktop access clients, to any of the 40+ Cloud Storage and Saas Providers that SME supports. Users connect over SSL and assign files a private key phrase to file that are uploaded.

This key phrase is not stored anywhere on the SME service, and files are encrypted as they stream through the SME service to the remote Cloud Provider.

Encryption Algorithm

The File Fabric uses FIPS certified AES-256 encryption using the Rijndael cipher, with Cipher Block Chaining (CBC) where the block size is 16 bytes. The cipher Rijndael consists of:

  • an initial Round Key addition
  • Nr-1Rounds
  • a final round.

The chaining variable goes into the “input” and the message block goes into the “Cipher Key. The likelihood of recovering a file that has been encrypted using our encryption is fairly remote. The most efficient key-recovery attack for Rijndael is exhaustive key search. The expected effort of exhaustive key search depends on the length of the Cipher Key and for a 16-byte key, 2127 applications of Rijndael;

Any AES-256 decryption tool that supports the Rijndael cipher with 16 byte blocksizes can be used to un-encrypt files.

SME provides free stand-alone desktop Apps (Mac, Windows, Linux) to also enable un-encryption, available from the SME Cloud Tools section of the website.

Encryption Scope

Encryption can be set at an Org (Team) or on a Personal level.

Team Encryption

The Cloud Admin of the Team Account can set by logging in to the Web and choosing “Main menu —> Policies —> Encryption” and choosing the encryption password and scope.

Once this password is set then Cloud Files for all users of the Primary Cloud are 'encrypted at rest’ therein.

Note: Existing files are not encrypted only new file uploads are encrypted.


The password is stored, in an encrypted fashion, in the SME appliance and does not leave the appliance as it is used to encrypt/decrypt files on demand.


The Admin can choose the scope, either:

  • All shared team folders
  • All Shared team folders plus user files

Share Team Folders: Only team folders are encrypted the users personal files are not encrypted

All Shared Team folders plus user files: Shared Team folders and users personal files in the personal cloud are encrypted at rest


For team folders, the encryption is transparent to end users. Team users do not need to know the encryption password and files are simply encrypted and decrypted as accessed via SME Apps.

Team encrypted files that are shared without passwords also do not require the recipient to know the encryption password.

Shared team files that have been encrypted can still additionally be subject to password policies that require the recipient of a shared link to submit a password prior to access. In such cases the encryption is still transparent i.e. nothing has to be done.


Standalone desktop decryption tools are provided in the event users want to download encrypted files direct from remote clouds or data stores.

Personal Encryption

Uploading

A user can set his own password to encrypt files uploaded in the web browser (entered when uploading), in the desktop tools, and also using the SME Android App.


In the browser when uploading the user has the option to encrypt the files and enter the encryption phrase.


For windows and mac tools the user can set the encryption phrase in settings or in the dedicated windows explorer explicitly set the encryption password on upload.


On the SME Android App files uploaded can also be encrypted on upload from the device


Unlike the account level encryption the encryption phrase set by personal users is not stored on the server ie. the user has to remember the phrase otherwise they will not be able to gain access to the file and if they forget it there is no way for the SME service to recover it.

Note: also that different phrases can be used for different files.


As an optimization the SME desktop tools provide an option to save a single encryption phrase for ease of use when dealing with files from the desktop.

Encryption Scope Precedence

Team level encryption has priority over personal encryption. When encryption is turned on at the Team level then personal encryption of files will no longer be available to end users in that team domain.

If team level encryption scope for All shared team folders is set then the encryption phrase set by the Admin is used for team folders ie. the personal encryption phrase is not used for team folders and the option to encrypt is not available to the user for files stored in shared team folders

If team level encryption scope is set as All Shared team folders plus user files then the encryption phrase set by the admin is used for team folders and the users personal files. The users encryption phrase is not used and the option to encrypt is not available to the user.

Password Change

If encryption passwords are changed at a team level then prior passwords are still honoured for decrypting purposes.

Performance

Throughput i.e upload/download when using encryption will be slower than working with non encrypted files. There are 2 reasons for this:

  • CPU usage is higher for encryption / decryption
  • Each block is buffered, encrypted and then sent to the storage