
EFS and multiple users question

Status
Not open for further replies.

summoner

Technical User
Sep 28, 2002
105
US
I have a database program that resides in a directory shared off a win2k cluster. Our clients have recently put forth a requirement that data residing in our database must be encrypted.

Our firm is thinking of using encrypting file system (EFS) to encrypt the entire directory where the database program resides. One catch: Nearly every user in our company must access this directory and I have heard/read that EFS only works for one user encrypting his/her own files.

Is it possible to encrypt a directory and then have multiple users accessing the encrypted directory?
 
I don't believe so, but that doesn't sound like a very good solution to begin with.

Typically, when you encrypt data it is to keep it away from prying eyes while the data is transmitted. If you need to store encrypted data then you're usually concerned about internal security or compromised servers. If you store an entire database file in an encrypted directory, then anyone who has access to any part of the database in its decrypted form would be able to access any other part of the database in its decrypted form. And since most of your users will need to access the files, as well as presumably some system accounts, encrypting the directory (if it were possible for a group of users) wouldn't offer you any more security than password protecting the database.

If I were the client and discovered that I had actually paid for such an "encryption" solution, I'd be pretty upset.
 
I'm not exactly thrilled about encrypting our files on our own LAN either. With all of our other security, NTFS rights, etc etc... now we have to encrypt files on our own servers. Makes no sense if you ask me.

Anyway... I was reading how EFS is only for one user... and future versions of EFS can work with multiple users. We have Windows 2000 file servers... does this enhanced version of EFS come with Windows 2003?
 
"Our clients have recently put forth a requirement that data residing in our database must be encrypted."

Do your clients know what encryption really is? If they want security, there are other options. Anyway, does "Enhancements to the Distributed File System (DFS) and Encrypting File System (EFS) allow for powerful, flexible file sharing and storage." help? From "File sharing and EFS". It looks like it's already available on XP. Good luck.

Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin feel free to join the Tek-Tips in Chicago, Illinois Forum.

TTinChicago
Johnson Computers
 
If you make all the users recovery agents they would be able to read the encrypted data. That's a mess though, and this is a terrible idea. You do not want to do this.

Does management realize that the data is sent over the network in the clear anyway? EFS is file system encryption, and offers no protection when you access the files over a network.

IPSec connections to the server holding the data would be a better way to go. Require that all connections to the server be over IPSec, otherwise the client can't connect.
 
GlenJohnson:
I am not happy with this either. You give a financial account manager a subscription to PC Mag, he picks up some new buzzwords and the end result is what I'm dealing with here. Sorry but the files to be encrypted reside on a win2k cluster volume and not XP. I can encrypt the files, but they are only available to the user who clicks the encrypt button. Everyone else is locked out.

I've checked out Windows 2003 and the EFS included lets multiple users encrypt and decrypt the same files. Unfortunately, from a business standpoint, upgrading our 2000 cluster to 2003 is not a viable option at this time.

mlichstein:
I am interested in your idea of making all the users recovery agents. While I agree that IPSec connections to the server are a better idea than encryption in our case, the client has specifically put in writing, encryption.

I would be interested in hearing any additional comments on making all the users recovery agents. As messy as it could seem, this could turn out to be the best solution. If we are not compliant with the requirements by the deadline, the client drops us. Anyway thanks for all the helpful answers...back to studying EFS for me.
 
The client has specifically said encryption? IPSec is encryption. And it is far better encryption than file level encryption because as I said, EFS data is sent over the network in the clear.
 
It must be a form of file-level encryption. If we can swing IPSec encryption, then it will be a relief for me. But until I can get that clearance, file encryption is the way.
 
"Unfortunately, from a business standpoint, upgrading our 2000 cluster to 2003 is not a viable option at this time."

Just tell the client and the manager that if they want encryption, they have two choices: using EFS on Windows 2003, which will cost x amount of dollars, or using IPSec, as mlichstein suggested, which is just as good (if not better) and won't cost a penny. You come out looking like a computer guru and financial wiz. Good luck.

Glen A. Johnson
 