Securing Data at Rest with Encrypted File Systems

Posted by John V. on Thu, Jun 20, 2013 @ 02:00 PM


In my last post, I shared with you the importance of Securing Data at Rest. One of the most effective ways of securing data, whether at rest or in transit, is through encryption. After reading this article, you’ll learn one way of encrypting data at rest, and that is by using encrypted file systems.

What encrypted file systems are and when they are useful

An encrypted file system solution is one of the easiest ways to protect data-at-rest through encryption. Most of these solutions, like Windows EFS and Mac OS X FileVault, are already included in an operating system’s installation. Therefore, they’re readily available. The encircled icon in the screenshot below is Mac OS X’s FileVault, which is found among other System Preferences tools.



Other encrypted file system software, like TrueCrypt and EncFS have to be downloaded and installed. However, once they’re installed, they’re as easy to use as their built-in counterparts. In most cases, all users need to do is login using their designated username and password and they can gain access to the encrypted files.

Encrypted file system solutions typically provide transparent encryption. This means, end users can go about their normal routine of transferring files back and forth without having to perform extra steps to make sure those data-at-rest files are encrypted. If all you need is a quick and easy encryption solution for data-at-rest, then an encrypted file system software is the best choice.

In the succeeding sections, we’ll take a closer look at two of the most widely used encrypted file systems solutions: Windows EFS and TrueCrypt.


Windows EFS

Microsoft Windows EFS (Encrypting File System) is a built-in component of the NTFS file system, which comes with certain versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, and Windows Server 2008. To use EFS, you simply change the property of a folder and enable encryption.

Once a folder’s encryption mechanism is activated, all the files you create within that folder or move into that folder are automatically encrypted. A user without the right credentials (username and password) who will want to access the files inside that folder will be prompted by a message informing him/her that he/she lacks the necessary access privileges.

Users may be able to distinguish an encrypted file from one that is not by color. By default, Windows displays encrypted files’ file names in green.

Because it is already included in a typical Windows installation, EFS is the quickest way to encrypt your files if you’re already using Windows. There’s nothing to download or install and encrypting a folder can be done with just a few clicks. Unless you really have very sensitive information that requires a very strong encryption solution, EFS should suffice.

Here’s a screenshot showing a Windows folder whose encryption property is being enabled.


windows efs



TrueCrypt is a free, open source tool that supports Microsoft Windows, Mac OS X, and Linux. It can be used to encrypt a set of files within a TrueCrypt container file, the Windows system partition or an external HDD or flash disk.

Once you’ve created a TrueCrypt volume, which is where you place files you want encrypted, you will need to mount it first before you can start creating files inside it. After mounting and entering the required password, these files will then be encrypted/decrypted on-the-fly. Meaning, the files will be automatically decrypted right after they are loaded and encrypted right before they are saved. All encryption/decryption takes place behind the scenes.

Have a look at the screenshot below. The window in the foreground is the TrueCrypt application with a mounted volume. The one in the background is the actual volume, opened and ready to receive files and folders for encryption.



In addition to a password, you can also associate a keyfile to a TrueCrypt volume for enhanced security. Without the keyfile, you won’t be able to access the volume.

For those who need an even greater level of security, TrueCrypt allows the creation of a hidden volume within another TrueCrypt volume. As the name implies, the hidden volume is invisible to people who don’t know it’s there. The two volumes may have different passwords.

This ‘hidden volume’ feature can come in handy if you get forced by an assailant to reveal the credentials of the encapsulating volume. For as long as the assailant is unaware that there’s another volume hidden inside the encapsulating volume, the files inside your hidden volume will remain safe.   



udp file transfer



Increase data security by integrating encrypted file systems with JSCAPE MFT Server

Encrypted file system software are able to provide a convenient way of securing data-at-rest. By simply activating EFS on your Windows server or FileVault on your Mac OSX server, you’ll be making it difficult for anyone who steals your server to gain access to your encrypted files. If you want better flexibility, then you can download and install TrueCrypt or EncFS.

Encrypted file system software have limitations though. For instance, if you want to move some of your encrypted file system-protected files through a network, those files will have to be decrypted first. When that happens, your files will no longer be protected and can be susceptible to network-based attacks. 

To secure your files even as they move through a network, you can use managed file transfer tools like JSCAPE MFT Server. JSCAPE MFT Server supports secure network protocols like SFTP (SSH File Transfer Protocol) and FTPS (FTP-Secure Sockets Layer), which encrypts your data even while it is in transit. By combining encrypted file system software and JSCAPE MFT Server, you can keep your data secure at all times. 

As mentioned, encrypted file system solutions offer the benefit of convenience when you want to encrypt data-at-rest. But there are some people who are not yet comfortable with the level of protection these solutions provide.

You see, in a typical encrypted file system, the only thing that separates an unauthorized user and the data being protected is the username and password. So once those credentials are exposed (e.g. they are written on a post-it stuck to the computer monitor or shared by the unwitting owner to other users - sounds familiar, doesn’t it?), an unauthorized user can easily gain access to the contents of the encrypted folder.



In my next post, I’ll talk about PGP encryption, a relatively more secure method of data-at-rest encryption. PGP uses private keys which you can secure in a safe location separate from the data being protected. Without those keys, the data you encrypt cannot be accessed.

JSCAPE MFT Server already comes with a built-in feature that automatically protects an uploaded file with PGP encryption. More about that in my next post.



Topics: JSCAPE MFT Server, Compliance