This topic contains 11 replies, has 3 voices, and was last updated by Prabhukumar R 4 months, 2 weeks ago.
Just a quickie! I’ve been looking around with regards to file encryption solutions for small networks/workgroups and there is precious little out there! Most larger encryption systems are overly complicated for the smaller business.
I’ve been using AxCrypt for a while and find it very simple to use and share my files with another user successfully (albeit a drawn out affair to share lots of files).
It struck me that with a simple (!!!!) addition, AxCrypt would work well in a workgroup environment if there could be some way to remove the need of the users to know the encryption login password. If this could somehow be preset on install or hidden and remembered by their PC then it would mean it would work well. If the means to manually decrypt was also selectable (removed from the file manager) then it could be a great product as:
- Users would be able to share encrypted files on their network easily without needing any knowledge of passwords.
- If a user copied off a file to take home, it would be useless as they can’t decrypt it (not aware of password)
I know users could still open encrypted files at work and then ‘save as’ to an unencrypted file but this is a start which lots of companies would like I suspect??
I’m afraid you lost me a little bit. What’s the point of encryption if there is no secret key involved somewhere?
AxCrypt almost does what you say, you can share the embedded file key with anyone with an email address, and they can sign in using their own password. But they still need to enter and know that password.
AxCrypt would work well in a workgroup environment if there could be some way to remove the need of the users to know the encryption login password.
Fellow user here!
Maybe I am not understanding you correctly or you might be using the software otherwise than intended. Users shouldn’t “know the encryption login password”.
With AxCrypt every user should have his/her own login. There is no such thing as “the” password, every user has his account (with his own password) and this will successfully decrypt any files shared with them by the owner.
If what you’re doing is sharing “the” password that you use to encrypt the files then you’re doing it wrong according to AxCrypt. Technically there’s nothing to stop you doing this but because there’s no option to have multiple passwords it means that any other files encrypted by yourself can be decrypted by the user using the same password (assuming he has access to them).
The workaround to the scenario I have just suggested would be for you to create a separate account with a different email address and password.
Users would be able to share encrypted files on their network easily without needing any knowledge of passwords.
AxCrypt is designed to work like this assuming you use the ‘share’ function as intended. The only password (not passwords (plural)) the user needs to know is his own because he can only access files shared with him. You should never be sharing your password with him.
If you want transparent encryption then you need to use full disk encryption (like BitLocker) as this will better protect your data if your computers are stolen. In this scenario then you don’t need to use AxCrypt because the data is encrypted at rest. AxCrypt is intended for users sharing files via external email, public cloud or physical media.
Neither AxCrypt or BitLocker can protect you if you’re working on a system and it’s hacked. Therefore it’s pointless to separately encrypt files with AxCrypt unless you intend sharing them externally or it’s extremely sensitive and you want to make sure that if the file was emailed to somebody by mistake that it is unreadable.
This is the correct process for AxCrypt file sharing.
If a user copied off a file to take home, it would be useless as they can’t decrypt it (not aware of password)
No encryption software can help you here. If a user is that way inclined then he can simply:
- take a screenshot
- use his camera phone
- print the data onto paper
- copy and paste the data (it’ll then be unencrypted)
- save the data to a new file (it’ll then be unencrypted)
- remember the information – if possible
You need to find out about Data Loss Protection. If you’re a Windows user then use that link to find out about Microsoft’s DLP product. Encryption software cannot protect your secrets from authorised insiders, think about it.
Very briefly DLP scans your data and prevents screenshots, saving to unencrypted files, printing, copying and pasting but it cannot protection you against somebody photographing their screen or remembering the information. DLP also stops your staff inadvertently emailing/uploading sensitive data types. DLP is not encryption, it’s designed to be used in conjunction with encryption.
thanks for all the replies!
Svante, the key is still used, but this is now unknown to the user (one of X employees)
Franz, thanks for your detailed reply – much appreciated. The reason why i’m assuming all in the workgroup are using the same axcrypt login username/password is for sharing – currently the process for sharing files is unmanageable on a network once more users need access plus someone would have to share the file and select the others – nightmare…
This is something you can easily resolve with the granular permissions of SharePoint or OneDrive for Business. Both are excellent if you’re bought into the Microsoft ecosystem like Office 365. If security is a concern you can manage your own encryption key with Microsoft although this requires storing it on a Thales HSM and you need some knowledge of how this works.
Google offer a similar, slightly less secure, service with G Suite (formerly Google Apps). Again, it depends what your level of vendor lock-in is at the moment.
If true zero-knowledge encryption is what you’re after then Tresorit offer a service (not cheap) which has seamless sharing and granular permissions. It’s very popular in Europe amongst regulated companies but they’re a cloud-based provider. They incorporate Microsoft’s Digital Rights Management platform to control access to sensitive content and it’s a case of allocating files to different users whilst keeping everything encrypted at all times. Each user needs an account so there’s quite a bit of expense.
What you’re after Rob is a very commercial service. If you’ve got a big team then AxCrypt may be difficult because of the ‘Share Files’ feature. The benefit of AxCrypt is that it’s cheap and geared towards small companies. Bigger companies are better served by the vendors above but there comes a cost which may or may not be affordable for you.
As I said earlier – you don’t actually need file-level encryption providing your hard drives are fully encrypted. You only need file-level encryption when sharing the files externally.
I think keeping AxCrypt as a solution to encrypt files that are uploaded to the cloud, mailed on disks etc. is the best option for you – based on what you’ve said – and then using something like SharePoint locally to keep your files secure.
Maybe you haven’t looked into the key sharing feature + secure folder with AxCrypt. It sounds like the right thing for your scenario.
Each user has his/her own password that (s)he sets individually. Users of a particular folder on a network drive for example, designates it as a ‘Secured Folder’ in AxCrypt, and then sets the users that all files in that folder should be openable by. That’s it. Existing files will be set to include the recipients, and new files will automatically also have the same recipients.
The normal workflow once you’ve set up the secured folder and the default recipients for that folder is trivial. No nightmare!
(Currently an inconvenience is that the configuration of the recipients is kept local in each users computer, and thus each user who creates new files do need to set up the same list of recipients. We’ll improve this in the future.).
thanks Svante, that does sound much more manageable – I shall investigate!!!
I’m not sure on the key sharing side of things, do you have a doc about how they are used? especially the export/import of keys?
There is no need to worry about key import / export. It’s all done automatically by AxCrypt via our key distribution server. All you need to do and know is the recipient(s) email-addresses (only used to identify the recipient account, not to actually email any data).
The key sharing function embeds the shared key into the file. The file must thus first be key shared with the recipient, then sent or file shared. Please note that AxCrypt does not share or send the actual file. To see a quick instructional video explaining how to use key sharing, please view https://www.youtube.com/watch?v=9z3KOZD-Yks .
Please check out our video tutorials at https://www.youtube.com/channel/UCoSoXBjq6iCG5232fHoWStA and our other documentation at https://forum.axcrypt.net/documentation/get-started/ to get started with AxCrypt.
thanks. so, if I have 5 users with a shared network drive which is designated as encrypted, would each of the 5 users have to have a paid account, or would just the one that initiates the share within AxCrypt?
“if I have 5 users with a shared network drive which is designated as encrypted, would each of the 5 users have to have a paid account, or would just the one that initiates the share within AxCrypt?”
It depends on your scenario.
You need the Premium plan for two things in this context.
1) Designate a folder as “Secured”, which means that it is is monitored for changes, and you can set a default set of recipients for new files in the folder. So, when new files are discovered in the folder you can encrypt them with that set of recipients with a single click.
2) To add recipients to specific files, outside of “Secured Folders”. This can be done for ad-hoc specific files, but might be less important for your use-case.
A user does not need to be on the Premium plan in order to open, work with, and save a file that has been key shared. If a file that has say for example 5 recipients for the key share is edited and saved by a non-Premium user, that same set of 5 recipients can still open and work with the file.
So, if you have one user who “owns” the folder, adds files and determines who shold be able to read and update files, only that user needs Premium.
Premium is needed in order to designated folders as secured, and to add/remove recipients for secured folders and discrete files. To work with such files, the Free plan is sufficient.
can axcrypt integrate with DLP solution? Like forcepoint?
No, Currently, the AxCrypt app don’t support for third party integration.
AxCrypt app encrypt file(s) with the .axx extension. AxCrypt encrypted files have their own file structure and AxCrypt app only can interpret and open those file(s). That’s the way AxCrypt was designed. Other than .axx extension files, can’t be opened by the AxCrypt app. No other application(s) can open the AxCrypt encrypted files.