Re: secure file handling
Date: 27 Jul 2005 12:35:32 -0000 To: firstname.lastname@example.org('binary' encoding is not supported, stored as-is) Hi Alejandro,
As every technical response goes, the answer is "It depends".
If you're looking for entry-level protection, built-in file system level encryption can work. Easily identifiable problems are 1) OS-level encryption typically is only as secure as the user account that has access to decrypt it, and 2) OS-level encryption can cause loss of access to your data if you have a system crash and can't regenerate the key that originally encrypted them, and 3) OS-level encryption is typically not portable or scalable, i.e. hard to have encrypted grid computing or shared access.
If you're looking for secure file handling for a larger environment, you might want to consider some 3rd party products like those from NeoScale and Decru, that use AES 256-bit encryption.
If you're looking for decent security at a reasonable price, maybe look at GPG or PGP.
Probably the most solid solution I've seen has been the Decru DataFort accompanied with their DCS client software. (no, I don't work for them or own any shares.) Their devices are tamper-resistant, where physical access causes the systems not to load the keys any more. Some of their devices are equipped with a "panic button" where pressing this physical button deletes the encryption keys, making the data practically irretrievable. Plus, with their DCS client software you can enforce policies to the client, ensuring only known software is running on them, and even control which processes can access certain files, not just which users.
That's the "Mack Daddy" solution, but most any encryption software will provide you with the two features you've asked for - confidentiality (no one without the encryption key can 'recover' your files), and data integrity (no one without the private encryption key can change the content of a file without there being evidence/corruption). Data integrity can be achieved without encryption by 'signing' the files. For example, something as simple as an MD5 checksum can be used to guarantee the files have not been modified.
Hope this helps,
Dave Boone, CISSP