Advantages and Disadvantages of File System Filter Driver Encryption Products

Source: Internet
Author: User

File system filter driver encryption products, as the name suggests, perform transparent encryption and decryption in a file system filter driver: when an application program opens a file for read/write operations, the driver decrypts and encrypts the data. The file system filter driver sits above the disk driver. In practice these products mainly take the form of the popular transparent encryption and decryption document security products.

Advantages of file system filter driver encryption:
1. Compared with traditional encryption tools (such as encrypted file cabinets), the encryption and decryption process is transparent. The benefits include:
1) The document is automatically encrypted from the moment it is first created. This prevents the author from intentionally or unintentionally leaving plaintext behind while writing the document, and prevents later handlers from intentionally or unintentionally leaving plaintext behind after decryption. Encryption is mandatory.
2) The encryption and decryption process is transparent to users, so users do not need to learn how to encrypt and decrypt files.
2. Compared with full-disk encryption, file system filter driver encryption products usually perform transparent encryption and decryption only for file operations of specific processes or specific file types. For undesired file operations, for example manually copying a file to a USB disk, sending it as an email attachment, copying it remotely through file sharing, or copying it after hackers break into the system, only the ciphertext is obtained.
3. Compared with full-disk encryption, a file system filter driver encryption product can in principle support multiple users.

Disadvantages of file system filter driver encryption:
1. Because of the file system filter driver, the file content obtained by a valid application is plaintext. To prevent this plaintext from "slipping away" in various ways, it is necessary to block the various channels that may output plaintext. These channels fall into two categories according to whether programming is needed:
1) No programming needed: using the existing functions of the application or of the operating system, such as copying content, drag-and-drop copying, printing, sending mail, third-party software plug-ins, screen recording, and so on.
2) Programming needed: memory reading, API hooking, window messages, custom plug-ins, and so on.
In general, there are many such channels. Products block them to a greater or lesser extent, and it is difficult to be foolproof.
2. Compared with traditional encryption tools (such as encrypted file cabinets), file system filter driver encryption products transparently encrypt and decrypt specific types of files, rather than deciding based on whether a file is confidential. If the number of confidential files is small and the number of non-confidential files is large, a large number of non-confidential files will be encrypted, causing a great management burden. If decryption requires approval, and the approval requests cover a small number of confidential files and a large number of non-confidential files, this management burden will easily lead to security vulnerabilities.
3. File system filter driver encryption products generally rely on the operating system's identity authentication mechanism. Users who pass operating system authentication get transparent encryption and decryption. Therefore, a vulnerability in the operating system's identity authentication becomes a vulnerability of the file system filter driver encryption product (as we all know, Windows identity authentication is easily broken through).
For example, in the case of a lost laptop, the file system filter driver encryption product provides better protection against attempts to steal data on the hard disk from another system (such as attaching the protected hard disk to another machine or booting from the optical drive), but thieves can use any number of methods to crack the user password or set it to blank and access the system directly. Then all of that user's ciphertext will be transparently decrypted.
4. Similar to item 3, operating system vulnerabilities in other areas may also cause fatal damage to file system filter driver encryption products.
For example, when a hacker breaks into the system, copying the files directly yields only ciphertext. However, once the hacker controls the system's permissions and remotely opens a file locally on the attacked host, the ciphertext is transparently decrypted. If the hacker records the screen on that host, the plaintext can be transferred out.
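
The following model is an added example, not code from any product or from the original article. It reduces the filter's decision to the three inputs the article names (OS-authenticated session, process identity, file type) to show both advantage 2 and disadvantages 3 and 4. The policy values, the sample path, and the toy cipher are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass

# Assumed policy for this model (hypothetical values, not from any product).
PROTECTED_EXTENSIONS = (".docx", ".dwg")
AUTHORIZED_PROCESSES = {"winword.exe"}

def toy_xor(data: bytes, key: bytes) -> bytes:
    """Toy SHA-256 counter keystream XOR; stands in for the product's real cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Request:
    process: str             # image name of the process issuing the I/O
    path: str
    os_authenticated: bool   # True when the I/O comes through a logged-on OS session

class FilterModel:
    """User-space model of the filter's decision; the dict plays the disk."""
    def __init__(self, key: bytes):
        self.key = key
        self.disk = {}

    def transparent(self, req: Request) -> bool:
        # The only inputs are OS session, process identity and file type.
        return (req.os_authenticated
                and req.process.lower() in AUTHORIZED_PROCESSES
                and req.path.lower().endswith(PROTECTED_EXTENSIONS))

    def write(self, req: Request, data: bytes) -> None:
        self.disk[req.path] = toy_xor(data, self.key) if self.transparent(req) else data

    def read(self, req: Request) -> bytes:
        raw = self.disk[req.path]
        return toy_xor(raw, self.key) if self.transparent(req) else raw

def demo() -> dict:
    f = FilterModel(b"constructed-demo-key")
    path = r"C:\work\plan.docx"  # constructed sample path
    f.write(Request("winword.exe", path, True), b"confidential plan")
    return {
        "on_disk": f.disk[path],                                      # ciphertext
        "file_copy": f.read(Request("explorer.exe", path, True)),     # ciphertext
        "offline_disk": f.read(Request("winword.exe", path, False)),  # ciphertext
        "logged_on_session": f.read(Request("winword.exe", path, True)),  # plaintext
    }
```

Nothing in `transparent()` identifies the person behind the session, which is why the strength of operating system logon and the integrity of the authorized process bound the protection the product can give.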
 
Note:
1. The above analysis is based on the basic principles of file system filter driver encryption products and is not aimed at any specific product.
2. Some disclosed vulnerabilities, such as process identification vulnerabilities, are not listed here because they are product implementation vulnerabilities.

 
