Encrypting files stored on a local drive protects them from being read should an attacker exfiltrate them from the network environment or a user’s device. Data encrypted at rest is an important component in cybersecurity, data protection, and compliance. If an attacker compromises a system and steals files, the attacker would be unable to read the encrypted files since they’re stored in an unreadable format without the encryption key.
What Is File-level Encryption?
With file-level encryption, also known as file-based encryption or filesystem-level encryption, individual files and folders stored on a local device or network storage may be encrypted without needing to encrypt the entire storage medium itself. Encrypted files look like a long string of random characters, but the key used to encrypt files will translate the characters to the file’s original state. Administrators can specify files and data that must be encrypted, so it’s possible that a user workstation has some files in an unencrypted state. Usually, files with sensitive corporate data, intellectual property, trade secrets, or customer information are encrypted.
A hospital network environment is a good example of a file-level encryption use case. Hospitals store patient data, including personally identifiable information (PII), payment information, and sensitive electronic health records. Any healthcare organization in the US—including hospitals—is bound by HIPAA (Health Insurance Portability and Accountability Act) regulations. HIPAA requires healthcare providers to encrypt electronic protected healthcare information (ePHI). Using file-level encryption, hospitals would stay compliant with local regulations and avoid disclosing sensitive data to a third party after a compromise.
>> Pure Storage offers a simple and secure way to store healthcare data without compromising on efficiency. Read on to learn more.
How Does File-level Encryption Work?
The processes involved in file-level encryption are invisible to the user on the workstation or local device. A user must be authenticated into the environment to decrypt files, and the system automatically encrypts files when they’re stored on the local storage drive. For every file access request, the system intercepts the request and ensures that the user is authenticated into the environment before decrypting it.
To encrypt and decrypt a file, the user must have access to a key. To preserve performance, most file-level encryption services use the Advanced Encryption Standard (AES), which is a symmetric algorithm. A symmetric algorithm uses the same key to encrypt and decrypt data. Since the key can be used to decrypt files, it’s often kept in a secure location on the system and encrypted by a private key only available to the administrator.
File-level Encryption Technologies and Services
Both Microsoft and Apple have their own form of file-level encryption embedded in their operating systems. The Microsoft Windows operating system includes BitLocker. Users can enable or disable BitLocker on their local devices, and administrators on a Windows network can force file-level encryption using global policies.
Apple includes FileVault on its Mac operating system. All files are encrypted on the local storage device, so data cannot be stolen after the theft of a Mac laptop. Only users with credentials on the local laptop can access encrypted files.
A third option for file-level encryption is the open source software VeraCrypt. It’s a free third-party file encryption application for Windows, Linux, and macOS. It’s a third-party option if you do not want to use the popular encryption tools available in major operating systems, but it may be more difficult to manage than embedded operating system software if you do not have experience with file-level encryption.
In the data center, the security of at-rest encryption can be taken to the next level. Pure Storage® FlashArray™ deploys industry-leading AES-256 standard for data-at-rest encryption. FlashArray encrypts data with the use of three dependent layers of internal keys: an array key, an SSD key, and a data encryption key. The array key is generated with a random secret and then distributed across multiple SSDs, ensuring half of the array drives, plus two more, are required to recreate the current access keys.
Pros and Cons of File-level Encryption
Corporations and data centers use file-level encryption to preserve sensitive data even after a compromise. After a hacker or malware gains access to an environment, the network is scanned for any sensitive data. The data is usually sent to an attacker-controlled server where it’s used for extortion or sold on darknet markets.
When files are encrypted, exfiltrated files are unreadable and can’t be sold or used for nefarious purposes. Only users with the encryption key can decrypt files, and users are given access to files automatically when they authenticate into the environment and are given authorization. Administrators can control access to files using group policies or specific permissions on the local device. Some compliance regulations including HIPAA require file-level encryption, so implementing encryption tools keeps organizations compliant.
Administrators must keep the system maintained because losing encryption keys results in the loss of files. Encryption keys should only be available to authorized people. Should a third party have access to keys, any stolen files could be decrypted. Some complexity is added to the environment using file-level encryption, but a good application makes it convenient for administrators and invisible to users.
Alternatives to File-level Encryption
File-level encryption is separate from full-disk encryption (FDE), where the latter encrypts the entire file system and all data on the drive. Administrators can choose files for encryption with file-level encryption, but full-disk encryption is often seen as a more secure environment. Government entities often use FDE to better protect the local file system and sensitive data.
Application-level encryption is another option for administrators managing critical software such as database engines. Most major database engines have application-level encryption embedded into their features. An application-level encryption feature encrypts a subset of data such as specific fields in database tables containing highly sensitive information. As an example, Microsoft SQL Server has application-level encryption in its enterprise version.
Conclusion
For extended data protection and compliance, data centers and businesses provisioning services in the cloud should consider using file-level encryption. Files stolen after a compromise are unusable to the attacker, so businesses can better secure their sensitive information even after a data breach. Software used in file encryption runs in the background of a server or user device, so it does not interfere with productivity or other daily operations.
