Auto File DRM Encryption Tool





Auto File DRM Encryption Tool was developed with the EaseFilter Encryption Filter Driver (EEFD) SDK. The tool encrypts files transparently at the file system level and lets you embed digital rights management (DRM) data in the encrypted files. It protects sensitive files end to end: encrypted files always stay encrypted on disk, only authorized processes or users can read an encrypted file, and unauthorized processes or users get only the raw cipher text. The tool also lets you share files securely: you can keep your own custom DRM data on your central server, grant or revoke file access at any time and from anywhere, and know who read an encrypted file and when.


How to Use DRM Encryption Tool


1. Test transparent file encryption locally


Set up an auto-encryption folder: every file newly created in this folder is encrypted automatically, and new writes to the encrypted files are encrypted automatically as well. If you only want to encrypt specific file types, set up the filter rule in the code with a file filter mask. Note that a file renamed (moved) into the encryption folder is not encrypted automatically.

Decrypt the file with authorization: you can set up the authorized processes or users who can read the encrypted files; unauthorized users or processes get the raw cipher text. If you want to copy or transfer the encrypted files out of your computer and keep them encrypted, set up the copying programs as unauthorized processes, for example the Windows Explorer process if you copy the encrypted file in Windows Explorer, or the Outlook process if you attach the encrypted file to an email.

2. Test DRM file encryption


To enable DRM, attach tag data to the encrypted file. The EEFD has built-in DRM support: the DRM data carries access policies that include the file expiration date and the authorized processes, users or computers. You can also add your own custom tag data to the encrypted file and associate it with your own DRM data on your server; when the encrypted file is opened, the tool requests authorization from your server using the tag data.

3. Test the encrypted file secure sharing


To test encrypted file sharing, set up a decryption folder on another computer, copy the encrypted file to this folder, and set up the authorized processes or users who can read the encrypted file there.

EaseFilter Encryption Filter Driver (EEFD)


EEFD is a file-level encryption filter driver for the file system. It intercepts the I/O requests targeted at a file system. By intercepting a request before it reaches its intended target file system, the filter driver can encrypt or decrypt the data buffer provided by the original target of the request; encryption and decryption happen only in memory, so encrypted files always stay encrypted on disk. Even though there are many encryption libraries on the market, developing a reliable transparent on-access file encryption product is still very complex. EEFD is a mature commercial product that provides a complete modular framework with which developers, even without driver development experience, can build on-access file encryption software within a day.


How to develop the auto file DRM encryption tool


Developing the auto file DRM encryption tool is simple with the EEFD SDK. The EEFD provides a comprehensive security solution for developing transparent on-access file-level encryption products: it encrypts newly created files transparently, and it authorizes or blocks on-access encryption/decryption under the control of a client-defined policy.

The EEFD SDK provides an API for different programming languages to develop Windows encryption applications, and it ships C++/C# demo source code that demonstrates how to use the EEFD APIs. Besides C++ and C#, any language that can invoke the Win32 native APIs can use the EEFD APIs to develop a security application.

Setup the auto file encryption filter rule


To use the EEFD in your application, the application needs to set up one or more filter rules as the file control policies for the filter driver. An auto file encryption filter rule includes a file filter mask that selects the files you want to encrypt; by default the file filter mask is a folder, so all files in that folder are encrypted. If you only want to encrypt files of specific types, set the file filter mask to those file types, but make sure that your application does not generate files outside the mask, because those would not be encrypted. For example, Microsoft Office always generates temporary files without a file extension, so if your file filter mask is restricted to specific file types, these temporary files will not be encrypted automatically.

Setting up the file encryption filter rule is simple with the EEFD API “AddFileFilterRule“: you just need to set the auto-encryption folder and enable the encryption feature in the file filter rule, as below:
 
/// Add the new filter rule to the filter driver.
[DllImport("FilterAPI.dll", SetLastError = true)]
public static extern bool AddFileFilterRule(
    uint accessFlag,
    [MarshalAs(UnmanagedType.LPWStr)] string filterMask,
    bool isResident,
    uint filterRuleId);

// The code snippet to encrypt files with a file filter rule.

FilterControl filterControl = new FilterControl();
FilterAPI.FilterType filterType = FilterAPI.FilterType.CONTROL_FILTER | FilterAPI.FilterType.ENCRYPTION_FILTER | FilterAPI.FilterType.PROCESS_FILTER;
int filterConnectionThreads = 5;
int connectionTimeOut = 30;
string licenseKey = "your license key";
string lastError = string.Empty;
filterControl.StartFilter(filterType, filterConnectionThreads, connectionTimeOut, licenseKey, ref lastError);

// Set up a file filter rule for the folder c:\encryptionFolder.
// A verbatim string (@"...") is required: in a normal C# string "\e" and "\*" are invalid escapes.
FileFilter fileFilter = new FileFilter(@"c:\encryptionFolder\*");

// Enable encryption for the filter rule.
fileFilter.EnableEncryption = true;

// Set up the 256-bit encryption key; put your own key here.
// The value below is the published NIST SP 800-38A AES-256 test-vector key, so it is a sample only, not a secret.
byte[] encryptionKey = {
    0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
    0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
};
fileFilter.EncryptionKey = encryptionKey;

// Add the encryption file filter rule to the filter control.
filterControl.AddFilter(fileFilter);

Setup the authorized whitelist processes and unauthorized blacklist processes


With the EEFD SDK you can set up control policies to protect your encrypted files and prevent your sensitive files from being read or copied out. With the access control policies you can set up the whitelisted processes or users who can read the encrypted files; they get the clear text. You can set up the blacklisted processes or users who cannot read the encrypted files; they get the raw cipher text. There are two options for setting up the whitelisted and blacklisted processes or users.

  1. Set up the encryption filter rule so that, by default, no process or user can read the encrypted files: everyone is on the blacklist. To allow specific processes or users, add them with the encryption access rights. This is the way to implement a zero-trust solution.

  2. Set up the encryption filter rule so that, by default, every process or user can read the encrypted files: everyone is on the whitelist. To block specific processes or users, add them without the encryption access rights.


If you want to upload or distribute your encrypted files outside your organization and keep them encrypted, add the processes that will upload or distribute the encrypted files to the blacklist. For example, add the backup process, Explorer or Outlook to the blacklist; these processes then keep the encrypted file encrypted after it is copied out or uploaded to the internet.

Secure file sharing with DRM

With DRM embedded in the encrypted file, you can protect and monitor your business-critical documents, such as intellectual property and product designs, wherever they live or travel: across devices, apps, cloud services and on-premises. Share information safely inside and outside the organization. By encrypting files with the extra digital rights management data, you can control the encrypted file with custom DRM: expire the encrypted file, and grant or revoke control of the encrypted files anywhere and at any time, even after they have been distributed. EEFD supports hundreds of file types, including Microsoft Office files, Adobe PDF, source code (java, cpp, etc.) and 2D and 3D CAD files (dwg, prt, stp, etc.).

Embed the custom DRM data to the encrypted file


To embed custom DRM data in the encrypted file and encrypt the file with a unique key, set the filter property “EnableEncryptionKeyFromService” to true and set up the callback function for OnFilterRequestEncryptKey. With this setting, a new file creation invokes the callback OnFilterRequestEncryptKey, in which you can append custom tag data to the newly created encrypted file as a header. You can also set your own unique custom encryption key for the new file, so each file is encrypted with its own key and you manage the keys with your own solution.
 
// Enable the encryption key from service; this also lets you append custom DRM data.
fileFilter.EnableEncryptionKeyFromService = true;
// In the callback OnFilterRequestEncryptKey you can authorize the file access.
fileFilter.OnFilterRequestEncryptKey += OnFilterRequestEncryptKey;

public void OnFilterRequestEncryptKey(object sender, EncryptEventArgs e)
{
    e.ReturnStatus = NtStatus.Status.Success;

    if (e.IsNewCreatedFile)
    {
        // To block the new file creation, return the AccessDenied status.
        //e.ReturnStatus = NtStatus.Status.AccessDenied;

        // To let the file be created without encryption, return the status below.
        //e.ReturnStatus = NtStatus.Status.FileIsNoEncrypted;

        // For a newly created file you can add your custom tag data to the header of the encrypted file.
        // Here we just add the file name as the tag data (requires "using System.Text;").
        e.EncryptionTag = Encoding.Unicode.GetBytes(e.FileName);
    }
    else
    {
        // This is an open request for an encrypted file: it requests the encryption key and IV.

        // To block the encrypted file from being opened, return the AccessDenied status.
        //e.ReturnStatus = NtStatus.Status.AccessDenied;

        // To return the raw encrypted data for this encrypted file, return the status below.
        //e.ReturnStatus = NtStatus.Status.FileIsEncrypted;

        // This is the tag data that was set when the newly created file requested its key.
        byte[] tagData = e.EncryptionTag;
    }

    // This is the encryption key for the encrypted file; you can set it with your own key.
    e.EncryptionKey = Utils.GetKeyByPassPhrase(GlobalConfig.MasterPassword, 32);

    // To use your own IV for the encrypted file, set the value here; otherwise leave it unset
    // and a unique auto-generated IV will be assigned to the file.
    //e.IV = Utils.GetIVByPassPhrase(GlobalConfig.MasterPassword);
}

Create your own custom DRM data


To embed DRM data in the encrypted file, you can use your own custom DRM data, or you can use our built-in DRM data, which the filter driver supports with the structure format below:

  1. Set the expiry date with the flag “Flags_Enabled_Expire_Time” enabled in AESFlags; the encrypted file can then only be accessed before the expiry date.

  2. Set the computer Id with the flag “Flags_Enabled_Check_Computer_Id” enabled in AESFlags; only the computer with the same computer Id can access the encrypted file.

  3. Set user name verification with the flag “Flags_Enabled_Check_UserName” enabled in AESFlags: if IncludeUserNames is not empty, only the users in that list can access the encrypted file; if ExcludeUserNames is not empty, none of the users in that list can access it.

  4. Set process name verification with the flag “Flags_Enabled_Check_ProcessName” enabled in AESFlags: if IncludeProcessNames is not empty, only the processes in that list can access the encrypted file; if ExcludeProcessNames is not empty, none of the processes in that list can access it.


 
typedef enum _AESFlags
{
    Flags_Enabled_Expire_Time = 0x00000010,
    Flags_Enabled_Check_ProcessName = 0x00000020,
    Flags_Enabled_Check_UserName = 0x00000040,
    Flags_Enabled_Check_AccessFlags = 0x00000080,
    Flags_Enabled_Check_User_Permit = 0x00000100,
    Flags_AES_Key_Was_Embedded = 0x00000200,
    Flags_Request_AccessFlags_From_User = 0x00000400,
    Flags_Request_IV_And_Key_From_User = 0x00000800,
    Flags_Enabled_Check_Computer_Id = 0x00001000,
    Flags_Enabled_Check_User_Password = 0x00002000,
} AESFlags;

typedef struct _AES_TAG_CONTROL_DATA
{
    ULONG VerificationKey;
    ULONG AESFlags;
    LONGLONG CreationTime;
    LONGLONG ExpireTime;
    ULONG AccessFlags;
    ULONG LengthOfIncludeProcessNames;
    ULONG OffsetOfIncludeProcessNames;
    ULONG LengthOfExcludeProcessNames;
    ULONG OffsetOfExcludeProcessNames;
    ULONG LengthOfIncludeUserNames;
    ULONG OffsetOfIncludeUserNames;
    ULONG LengthOfExcludeUserNames;
    ULONG OffsetOfExcludeUserNames;
    ULONG LengthOfAccountName;
    ULONG OffsetOfAccountName;
    ULONG LengthOfComputerId;
    ULONG OffsetOfComputerId;
    ULONG LengthOfUserPassword;
    ULONG OffsetOfUserPassword;

    // The variable-length data is stored here, at the offsets given above:
    // IncludeProcessNames;
    // ExcludeProcessNames;
    // IncludeUserNames;
    // ExcludeUserNames;
    // AccountNames;
    // ComputerId;
    // UserPassword;

} AES_TAG_CONTROL_DATA, *PAES_TAG_CONTROL_DATA;
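As an added example (not code from this page or from EaseFilter), the built-in DRM structure above, together with the include/exclude process semantics described in the whitelist/blacklist section, carried through in C: build_tag serialises an AES_TAG_CONTROL_DATA blob with an expiry time and an allowed-process list, and check_access evaluates it the way the flags describe. The string encoding of the lists, the offset base, the unit of the time fields and the Windows type widths are assumptions, because the page does not specify them.

```c
#include <stdint.h>
#include <string.h>
typedef uint32_t ULONG; typedef int64_t LONGLONG;   /* Windows widths assumed: 32-bit ULONG, 64-bit LONGLONG */
enum { Flags_Enabled_Expire_Time = 0x10, Flags_Enabled_Check_ProcessName = 0x20 }; /* subset of AESFlags */
typedef struct {   /* fixed part of AES_TAG_CONTROL_DATA; the variable-length lists follow it in the same blob */
    ULONG VerificationKey, AESFlags;
    LONGLONG CreationTime, ExpireTime;
    ULONG AccessFlags;
    ULONG LengthOfIncludeProcessNames, OffsetOfIncludeProcessNames, LengthOfExcludeProcessNames, OffsetOfExcludeProcessNames;
    ULONG LengthOfIncludeUserNames, OffsetOfIncludeUserNames, LengthOfExcludeUserNames, OffsetOfExcludeUserNames;
    ULONG LengthOfAccountName, OffsetOfAccountName, LengthOfComputerId, OffsetOfComputerId;
    ULONG LengthOfUserPassword, OffsetOfUserPassword;
} AES_TAG_CONTROL_DATA;

/* Build a tag that expires at 'expire' and is readable only by the listed processes; returns bytes used.
   Assumption (not stated on the page): a list is a run of NUL-terminated strings; offsets count from the structure start. */
size_t build_tag(unsigned char *buf, LONGLONG now, LONGLONG expire, const char *const *procs, int nprocs) {
    AES_TAG_CONTROL_DATA h = {0};
    size_t used = sizeof h;                                /* the list starts right after the fixed header */
    h.AESFlags = Flags_Enabled_Expire_Time | Flags_Enabled_Check_ProcessName;
    h.CreationTime = now; h.ExpireTime = expire;
    h.OffsetOfIncludeProcessNames = (ULONG)used;
    for (int i = 0; i < nprocs; i++) { size_t l = strlen(procs[i]) + 1; memcpy(buf + used, procs[i], l); used += l; }
    h.LengthOfIncludeProcessNames = (ULONG)(used - sizeof h);
    memcpy(buf, &h, sizeof h);                             /* header written last, once length and offset are known */
    return used;
}

/* True if 'name' is one of the strings in the list stored at (off, len) of the tag. */
static int in_list(const unsigned char *tag, ULONG off, ULONG len, const char *name) {
    for (ULONG i = 0; i < len; i += (ULONG)strlen((const char *)tag + off + i) + 1)
        if (strcmp((const char *)tag + off + i, name) == 0) return 1;
    return 0;
}

/* Evaluate the built-in policy for an open request by 'process' at time 'now': 1 = grant, 0 = deny. */
int check_access(const unsigned char *tag, LONGLONG now, const char *process) {
    AES_TAG_CONTROL_DATA h;
    memcpy(&h, tag, sizeof h);                             /* copy out; the blob need not be aligned */
    if ((h.AESFlags & Flags_Enabled_Expire_Time) && now >= h.ExpireTime) return 0;
    if (h.AESFlags & Flags_Enabled_Check_ProcessName) {
        if (in_list(tag, h.OffsetOfExcludeProcessNames, h.LengthOfExcludeProcessNames, process)) return 0;
        if (h.LengthOfIncludeProcessNames && !in_list(tag, h.OffsetOfIncludeProcessNames, h.LengthOfIncludeProcessNames, process)) return 0;
    }
    return 1;
}
int sample_decision(LONGLONG now, const char *process) {   /* constructed sample: two readers, expiry at tick 2000 */
    const char *const procs[] = { "winword.exe", "notepad.exe" };
    unsigned char tag[256];
    build_tag(tag, 1000, 2000, procs, 2);
    return check_access(tag, now, process);
}
```

The driver, not your code, enforces the policy at open time; a builder and checker like this is useful for unit-testing the tag bytes you return from OnFilterRequestEncryptKey before they are embedded in files.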



