(Available in EFT Server Enterprise)
Files stored on the disk in EFT Server's Virtual File System can be transparently encrypted during read/write using Microsoft's Encrypting File System (EFS). Data is encrypted as it is written to disk, and decrypted prior to transmission.
If you turn on this feature, it is recommended that you set up appropriate back-up measures to protect your data. If you need to recover a private key to decrypt data, and that key is lost, you will not be able to recover the data that the key protects. (EFT Server's private key decrypts the client's session. The private key has a .key extension and is part of the public-private key pair.) Streaming repository encryption leverages Microsoft's Encrypting File System (EFS). If you need more information on setting up appropriate back-up procedures, refer to Configuration and Security Best Practices.
Streaming repository encryption is not available for systems running on FAT32 file systems. NTFS is required.
Streaming repository encryption is not available with NT authentication due to limitations of NT authentication. If you require this feature with an NT setup, LDAP authentication is recommended.
PCI DSS requirement 3.4.1 requires that logical access and decryption keys be managed independently for disk-level encryption. If you enable this feature for a PCI DSS-enabled Site, EFT Server prompts you to disable it, or continue with reason.
The PCI DSS requires that if disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts). Decryption keys must not be tied to user accounts. That does not mean EFS cannot be used at all, but rather that it cannot be used as the sole mechanism for repository encryption. For this reason, the Server will only warn, rather than fail, during an audit.
To enable streaming repository encryption
In the Administrator, connect to EFT Server and click the VFS tab.
In the left pane, right-click the parent folder you want to configure, then click Encrypt Contents.
If the folder you selected has subfolders, a confirmation message appears.
Specify whether to Apply changes to this folder only or Apply changes to this folder and all subfolders, then click OK.
The folder and subfolders, if selected, display a red asterisk to indicate that the folder contents are encrypted.
To remove encryption, right-click the encrypted folder and click Encrypt Contents to clear the check box.
If the folder you selected has subfolders, a confirmation message appears. Specify whether to Apply changes to this folder only or Apply changes to this folder and all subfolders, then click OK.
The asterisk is removed from the folder and subfolders, if selected.
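To confirm on disk what the red asterisk shows in the Administrator, the following added PowerShell example (not part of the EFT Server documentation) checks that the volume is NTFS and reports any folders or files under the repository folder that lack the EFS Encrypted attribute. The path `D:\EFTRepository\Usr` is a hypothetical placeholder for the physical folder behind the VFS folder, and a local drive-letter path is assumed.

```powershell
# Added example: audit the physical folder behind an encrypted VFS folder.
# The default path is a hypothetical placeholder; pass your own.
param(
    [string]$RepositoryPath = 'D:\EFTRepository\Usr'
)

$ErrorActionPreference = 'Stop'
$root = Get-Item -LiteralPath $RepositoryPath

# The page states NTFS is required (FAT32 is not supported).
# Assumes a local drive-letter path; DriveInfo does not accept UNC roots.
$rootDrive = [System.IO.Path]::GetPathRoot($root.FullName)
$volume = New-Object System.IO.DriveInfo -ArgumentList $rootDrive
if ($volume.DriveFormat -ne 'NTFS') {
    throw "Volume $($volume.Name) is $($volume.DriveFormat); EFS needs NTFS."
}

$efsFlag = [System.IO.FileAttributes]::Encrypted

# A folder's flag decides whether files created in it later are encrypted,
# so folders and existing files are checked separately.
$folders = @($root) + @(Get-ChildItem -LiteralPath $root.FullName -Recurse -Directory -Force)
$files   = @(Get-ChildItem -LiteralPath $root.FullName -Recurse -File -Force)

$plainFolders = @($folders | Where-Object { -not $_.Attributes.HasFlag($efsFlag) })
$plainFiles   = @($files   | Where-Object { -not $_.Attributes.HasFlag($efsFlag) })

# Summary of what was inspected and what is not EFS-encrypted.
[pscustomobject]@{
    Path                = $root.FullName
    FileSystem          = $volume.DriveFormat
    FoldersChecked      = $folders.Count
    FoldersNotEncrypted = $plainFolders.Count
    FilesChecked        = $files.Count
    FilesNotEncrypted   = $plainFiles.Count
} | Format-List

# List what is still stored in clear text. With "Apply changes to this folder
# only", unencrypted subfolders are expected; review them against intent.
$plainFolders + $plainFiles | Select-Object FullName, Attributes, LastWriteTime
```

Running it again after removing encryption shows whether the attribute was cleared from the folders and files you intended.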