Security Basics mailing list archives

Re: dual password for file/folder encryption


From: "Kevin Tunison" <ktunison () gmail com>
Date: Tue, 16 Dec 2008 10:43:16 +0000

On Mon, Dec 15, 2008 at 3:23 PM, Tariq Khan <Tariq.Khan () tvu ac uk> wrote:

Hi all

I am looking for encryption software. Here's the story (bear with me),
we roll out laptops and desktops for staff members and we would like by
default to have a folder which is encrypted and anything dropped (saved)
into that folder is automatically encrypted. Now, the idea is that we
set the master password on the folder (which should filter down to the
files), so when the users "put and pull" from the folder they are asked
for a password which they can set themselves. You may be wondering
"why", well in case of an employee leaving "under a cloud" or has not
informed us of the password for their files and folders within the
default encryption folder we can get to the folder and any files within
it with our master password. Apart from the fact that a lot of our staff
are forever forgetting their passwords.

I have tried some software but they do not have the option for a master
password which can override user set passwords.

I hope all that made sense. I would really appreciate any help.

Thank you


Tariq Khan

Information Security Analyst
Corporate Systems Group
Thames Valley University

Learning and Information Services




This will really depend on the level of encryption and the Operating
System environment in which you are operating.  From the Microsoft
perspective, the EFS (Encrypted Files System) can achieve this in an
Active Directory environment.  But beware here, because EFS has flaws
which render it useless in some environments (i.e. while the files are
opened over a network, or sitting in the paging file).  With Active
Directory you would set up a recovery agent (by default this would be
the built-in domain admin account) who is able to recover files
encrypted by domain users.  This would not recover files encrypted by
local machines, and it would require cached logins for mobile workers
(which can be a security vulnerability also).

Not many people serious about encryption/security rely on an EFS setup
unless there is no budget.  But, it is there, and it does provide
some level of encryption.

That said, have a look at Bestcrypt Corporate.  This product should
help you achieve your requirement.

All the underlying functions with encryption at the moment rely on
certificates/signatures.  It is quite important to understand the
fundamentals of how this setup works before purchasing into a
product.  Try not to think of the data security in terms of passwords,
but certificates that apply encryption.

Warm Regards,

KevinT MCSA
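
The layout discussed in this thread (a user-chosen password plus an administrator override), sketched as an added example that is not from either poster or from any product named above: one random file key is wrapped into two independent slots, so either credential unlocks the same data. All function names are hypothetical, and passwords are used for both slots to match the original question; EFS wraps the file key to the user's and the recovery agent's public keys instead.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # PBKDF2 work factor, an assumed value for this example

def _slot_keys(password: str, salt: bytes):
    """Derive a per-slot pad and MAC key from one password."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return pad, mac_key

def wrap_key(file_key: bytes, password: str) -> dict:
    """Build one key slot: the 32-byte file key wrapped under one password."""
    salt = os.urandom(16)  # fresh salt per slot, so a pad is never reused
    pad, mac_key = _slot_keys(password, salt)
    # XOR with the derived pad is a stdlib stand-in for AES key wrap / RSA-OAEP
    wrapped = bytes(a ^ b for a, b in zip(file_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_key(slot: dict, password: str):
    """Return the file key, or None if the password does not open this slot."""
    pad, mac_key = _slot_keys(password, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))

def new_folder_header(user_password: str, master_password: str):
    """One random file key, stored twice: a user slot and a recovery slot."""
    file_key = os.urandom(32)
    header = {"user": wrap_key(file_key, user_password),
              "recovery": wrap_key(file_key, master_password)}
    return file_key, header

def change_user_password(header: dict, old: str, new: str) -> bool:
    """User re-wraps the same file key; the recovery slot is untouched."""
    file_key = unwrap_key(header["user"], old)
    if file_key is None:
        return False
    header["user"] = wrap_key(file_key, new)
    return True

def recover_and_reset(header: dict, master_password: str, new_user_password: str) -> bool:
    """Admin opens the recovery slot and issues a new user slot."""
    file_key = unwrap_key(header["recovery"], master_password)
    if file_key is None:
        return False
    header["user"] = wrap_key(file_key, new_user_password)
    return True
```

Because the bulk data is encrypted only under the file key, a password change or an administrator reset rewrites a small slot and never re-encrypts the folder contents.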

