Encrypted Folders (EFT built-in, Secure-Data-at-Rest Solution)

EFT Server provides three forms of securing files on disk (data-at-rest encryption):

Each of these methods has benefits and drawbacks. Other alternatives include using third party data at rest encryption, such as the built-in encryption provided by some NAS devices.

OpenPGP is a well-known, dual-key based encryption technology. The primary benefit is the fact that only recipients whose public key was included at the time of encryption will be able to decrypt the file, assuming they own the corresponding private key to their public one. This provides more control over who can access the data, vs. other methods. PGP has two shortcomings: First, it requires that participants create and maintain their key pairs, adding complexity to the process. Second, it is not a streaming encryption technology, as the entire file must be present (written to disk) before encryption (or decryption) can occur. In the context of file transfers, the result is temporary files that cause havoc with automation that consumes files the moment they are received in the target directory. Refer to OpenPGP and EFT for how to use OpenPGP

EFS addresses all of the drawbacks of PGP, eliminating participant key management and providing streaming encryption at the file I/O level; however, it also suffers from two shortcomings: First, some network drive technologies do not support Windows EFS (turning it on in EFT has no effect). Second, standards such as PCI DSS disallow the use of encryption technologies where the keys required for encryption/decryption reside on the systems within PCI scope. It just so happens that Window’s EFS keys do reside on the target system. Refer to Enable EFS Encryption for how to use Windows EFS integration.

EFT built-in encrypted folders provides an alternative to using a best-of-breed 3rd party data-at-rest encryption solution. EFT’s encrypted folders provide streaming encryption (and decryption), enabling transparent, seamless file read/write. The symmetric encryption leverages AES 256 in CTR mode, with the encryption key known only to EFT. Any file touched by EFT’s protocols (either as a server or as a client) are automatically encrypted (or decrypted) on arrival or departure, as appropriate.

EFT built-in Encrypted Folders

Physical folders stored on the disk in EFT's Virtual File System (VFS) can be transparently encrypted during read/write using EFT-managed AES-256 symmetric encryption (CTR mode), which uses a secret key known only to the server. The server will encrypt files as they arrive over supported protocols, and decrypt files when departing over those same protocols. The server, when acting as a client, will also encrypt files that it downloads into an encrypted folder, and decrypt files that it copies or moves to a remote server, including LAN copy.  (See below for instructions for creating the key.)

The following limitations for encrypted folder targets should be noted:

To enable EFT-managed encryption

  1. In the administration interface, connect to EFT and click the Server tab.

  2. On the Server tab, click the Site you want to configure.

  3. In the right pane, click the Security tab.  

  4. In the Data Security area, next to Encrypted folders, click Configure. The Encrypted Folders dialog box appears.

  5. To add folders that contain files you want to encrypt, click Add. The Folder to encrypt dialog box appears.

  6. Type or browse for the file that you want to encrypt, then click OK.

  7. Files uploaded to this folder will be encrypted upon arrival and decrypted upon departure over EFT's supported protocols. EFT will also encrypt files that are downloaded (as client) into an encrypted folder, and decrypt files that are copied or moved to a different location.

    EFT will attempt to decrypt any and all files already present in the folder. (This may take a long time if there are many files in the folder.)

To remove an encrypted folder from the list

  1. Click it in the Encrypted Folders dialog box, then click Remove.

  2. All encrypted files in the folder will be decrypted. (This may take a long time if there are many files in the folder.)

Considerations

To change the encryption key

EFT uses a default encryption key that is hard coded in the software. Using the default, hard-coded key introduces risk. If someone were able to obtain the encrypted files, they could decrypt those using their copy of EFT. Therefore it is recommended you change the key prior to using this feature. Override the default key passcode using the following registry setting.