Encryption solution like this exist?

Chris Largent

I've been researching the many, MANY encryption solutions on the market
(both open source and commercial). Unfortunately, I haven't found one
that satisfies a feature set that is apparently just in my head. Please let
me know if there is a product that works in the following way (or if you see
any conceptual flaws in my thinking):

- The solution would run as a driver or service that would load during
boot-up.
- The solution would allow the user to define one to many logical
collections of files/folders. These logical collections could span physical
drives. For example, a user could create a logical collection called
"Images", and then assign an image directory located on her C: drive *and*
another image directory located on her D: drive to this "Images" collection.
The user might even add some individual files residing elsewhere in the file
system to this "Images" collection. (I'm not so concerned with removable
media or inter-system portability...but a solution that could also address
these issues would be fine!)
- The solution would dynamically encrypt and decrypt files that are included
in the collection. Please read on because I'm *not* attempting to describe
the many products out there that provide "virtual disk encryption".
- The very first time any file in a particular collection is accessed, the
solution would prompt the user for the collection's
password/passphrase/private key. This would unlock the container for THE
REST OF THE SESSION. Subsequent access to *any* file assigned to the
particular logical container would be allowed (i.e., transparent decryption
and re-encryption if the file was modified).
- The solution would provide an icon in the Windows XP system tray that
would allow the user to manually re-lock containers (all or individually).
Subsequent access to a file assigned to a particular logical container would
result in the password/passphrase/private key prompt again (for that
particular container).
- If the user does not manually re-lock a container, it will be
automatically locked when the user logs out or the computer is rebooted or
shut down.
- Of course, like many of the products on the market, the solution would
allow the user to select encryption and hash algorithms, possibly even on a
per-container basis.

Why? Why not just use one of the many "virtual disk encryption" products,
like TrueCrypt?

I've recently become very interested in the online backup market. Just like
most users, I'm concerned about the security of my files, and I would
ideally like to upload only encrypted versions of my files. Yes, most of
the online backup service providers have a client-side application that
encrypts *before* uploading, and while I do trust my service provider, I
still like to maintain a healthy amount of paranoia.

The virtual disk encryption approach does not bode well from an online
backup perspective. A *huge* encrypted file (representing the virtual disk
or volume) results in dismal transfer performance, even when byte-level
delta processing is performed by the online backup software.

Windows' native EFS doesn't address this particular opportunity either. To
my knowledge, there is no *easy* way for a user to "turn off" their access
to their encrypted files during a Windows session (i.e., so the user is
shown the encrypted data instead of the unencrypted data).

Lastly, using a traditional encryption/decryption product--one that cannot
work dynamically as I described above--would be too tedious and time
consuming.
 
Steven L Umbach

I would suggest you post in the Microsoft.public.security.crypto newsgroup
also. --- Steve
 
Chris Largent

As Mr. Umbach suggested, I subsequently posted this inquiry to the
'microsoft.public.security.crypto' newsgroup. There have been a few bites
over there, so if you are interested, please post to that thread.

Chris
 
