CryptoFS

Now there is a product that combines the security of a file encryption system with all the convenience of a full disk encryption system. Just enter your password and your selected partition/disk will mount onto your system. This lets you use all the operating system tools to interact with your encrypted files without losing security. Simple to use and, better yet, CryptoFS is platform independent and completely portable. If you get a new computer, simply copy your CFS files to the other system and you’ll be on your way.

CryptoFS (CFS) is a cryptographically secure and portable filesystem designed from the ground up to meet stringent United States Federal standards. CFS is a filesystem that stores file data and structural data in a secure database. The filesystem is presented to the operating system using the operating system's native file sharing capabilities, essentially creating a network inside your computer.

The operating system can mount a CFS filesystem in much the same way as it would mount a filesystem on a LAN, seeing the CFS filesystem as if it were a Common Internet File System (CIFS) share. All operations that the operating system can normally perform on CIFS can be performed on CFS. This mechanism works with almost every operating system currently in existence, including Windows XP, Windows Vista, Apple OSX, Linux, FreeBSD, and Solaris.

CFS has the following features depending on the edition purchased:

Create multiple hidden partitions
With CryptoFS you can create as many partitions/drives as you want. Nobody will be able to tell how many different drives/partitions you have inside the CFS database. This allows you a certain freedom in what you store in CFS. When you enter your password/passphrase, the appropriate CFS partitions mount on your system. (Not available in CFS Light)

Create custom ‘views’
If you have multiple partitions of CFS data, you can choose how they are displayed on your system. As an example, you could have a ‘work’ view that holds accounting, customer files and employee records. While each one could be mounted as a separate drive, you also have the option to mount this data so that each partition appears as a subdirectory under a single drive. This gives you flexibility in how your data is presented. (Not available in CFS Light)

Panic Password
When used with the Advanced Management Console (Enterprise Edition), entering this password triggers an alert on the management console (requires Internet connectivity) that there’s a problem. The password can also trigger a full system wipe, bring up a fake partition, or bring up the requested/specified partition.

Fake Data Output
You can create a partition that contains only unimportant data on the system. If a user is under duress to provide a password to the CFS drive they can provide one that accesses only unimportant information. The fake data is cryptographically indistinguishable from the real data, and an attacker cannot determine whether or not he has been provided access to all the useful data.

eToken Compatible
An eToken is a USB key that can be required to gain access to the entire CryptoFS system or just specified partitions. The eToken can be protected with a PIN, providing secure two-factor authentication.

System Wipe
Wipe all data in every partition with one passphrase. This results in ‘drive’/partition errors designed to mislead someone into believing the data is still there but somehow corrupted. Since the CFS data on the system doesn’t change size, nobody can tell how many partitions there are or what they contain, so you can wipe out the data without fear that this action has been detected.

Removable Storage Media Support
You can create a smaller partition that can be placed on a removable storage system like a thumb drive or a DVDRW/CDRW.

Extensibility:

CFS is part of a product line and has an upgrade pathway. Upgrades to CFS provide additional capabilities such as:

  • Reflections: Secure Backup and Recovery
  • FlashBack: Version History and Rollback
  • ParaDrive: Collaboration, Secure File Sharing

When used together the entire product line allows for interagency file sharing, hidden secure areas, secure backup and restore, version history, journaling and more. Recovery and license management functions make CFS inexpensive to implement and maintain for large customers.

These product lines are available because of the confluence of technology between our filesystem and secure transport tools.

  • Filesystem technology tools include secure backup and restore. Encrypted data is backed up in its encrypted form, so the backups can be stored or handled without risk of data compromise. Another feature in this set is file snapshots. This allows you to see how a file has changed over time or restore a deleted file to a previous version.
  • Transport technology products provide secure file sharing over the Internet. This set also includes features to access your files securely from any Internet-connected computer, even if your computer is behind a NAT or comparable device.

These features all work synergistically together. For example, with Internet file sharing and snapshotting, you can view a file's history along with who changed it and when. With secure transport and backup, you can make a backup securely at a remote location without having to trust that location with your data.

Product Levels

  • Light: Allows one partition to be created and mounted.
  • Power User: Allows you to create multiple partitions and to create an unlimited number of views for your data.
  • Corporate: The Corporate Edition includes CryptoFS Light with the remote management console.
  • Enterprise: The Enterprise Edition includes the remote management console, advanced support and all CryptoFS features.

Corporate and Enterprise Licensing:

CFS uses a licensing model specifically designed to make deployment painless for large enterprises. A bulk license can either be provided with online administration or with administration through a physical token.

In the preferred model, the customer is provided with a management console. The management console generates a 2048-bit RSA public/private key pair and then produces a signed license request, which is submitted. When the license request is accepted, our licensing server generates the appropriate number of master licenses, one for each copy of CFS purchased. Each master license contains a unique identifier and the public key for the management console that will administer these copies.

To issue a license, the management console creates a 2048-bit RSA public/private key pair for this copy. It then creates a secondary license including the unique identifier in the master license, the security policy, and the licensee. The public key is also embedded in the license and the license is signed with the licensee's master key.

The master console can also create the key rings at this time, if desired. It then encrypts the key rings with the license's 2048-bit RSA key and signs them with the master key. Then it combines the two licenses with the encrypted key ring to form the final installation set. The key rings are the symmetric keys actually used to encrypt the data.

CFS, when started up, reads the master license (which contains no security-sensitive information). If the master license contains a sub-licensing key, CFS refuses to proceed unless it finds the corresponding secondary license. The secondary license can contain security policy information. This policy can include requiring that all data be accessible through a recovery key or that all key rings be archived by the master console.

CFS cannot proceed further without decrypting the key ring. The private key required to decrypt the key ring can either be protected by a password or, ideally, stored in a FIPS-compliant security token, a physical device that connects to a computer's USB port.

If directed by the security policy in the secondary license, CFS Light will only use key rings that have been signed by the recovery key. This ensures that only keys archived by the master server are used. The key that signs the key rings does not have to be the same master key that signs the licenses. This permits the recovery private key to be kept where even those who administer the licensing of the software cannot access it. The recovery public key can also be placed in the master license, so even those who license the software cannot bypass or avoid the recovery requirements or access the archived keys.

Encryption Operations:

On startup, CFS finds its master license (issued by the software distributor). If the master license directs it to do so, it locates a secondary license (issued by the licensee's distribution authority). If either the master or secondary license directs it to do so, it locates a signed key ring. If it cannot locate these things, CFS refuses to operate.

The key ring is always stored encrypted. The master and secondary licenses can be stored encrypted if desired. The preferred mechanism is for the key that decrypts the key ring to be stored on a FIPS-approved security token.

The key ring contains 64 128-bit AES keys (assuming 128-bit AES has been selected). When an object needs to be encrypted, one of the 64 keys is arbitrarily selected, and a 128-bit initialization vector and a 128-bit salt are generated by a FIPS-approved random number generator. The salt is appended to the object and the HMAC-SHA1 of the object plus the salt is computed. The object and salt are then encrypted using AES in OFB128 mode. The object identifier, initialization vector, encrypted object and salt, and HMAC are then stored together and form the encrypted object.

File metadata is always stored as encrypted objects. File data is cut into pieces and stored as encrypted objects. This provides a significant benefit: tampering with any metadata or file data is detected, and any data errors (whether intentionally caused or due to hardware or software problems) are detected immediately. Surprisingly, many other supposedly secure encryption products do not make any effort to validate the decrypted data.
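The encrypted-object layout described above, as an added example in Go that is not the product's own code: it follows the page's parameters (a ring of 64 AES-128 keys, 128-bit IV and salt, HMAC-SHA1 over object||salt computed before AES-OFB encryption) and shows the decrypt-side validation that rejects a corrupted or tampered object. Recording the ring-key index with the object and keying the HMAC with the same ring key are assumptions; the page does not specify either.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
)

// Sizes follow the page: a ring of 64 AES-128 keys, 128-bit IV, 128-bit salt.
const ringSize, blockLen = 64, 16
type KeyRing [ringSize][blockLen]byte

// EncObject is what the page says is stored per object: identifier, IV, ciphertext of
// object||salt, and HMAC. KeyIdx is an assumption; the page does not say how the chosen key is recorded.
type EncObject struct {
	ID, KeyIdx      int
	IV, Cipher, MAC []byte
}

// Encrypt picks a ring key, IV and salt from the CSPRNG, MACs plain||salt, then encrypts it
// with AES-128-OFB (MAC-then-encrypt, per the page). Keying the HMAC with the ring key is an assumption.
func Encrypt(ring *KeyRing, id int, plain []byte) (*EncObject, error) {
	buf := make([]byte, 1+2*blockLen) // key selector || IV || salt
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	idx, iv := int(buf[0])%ringSize, buf[1:1+blockLen]
	msg := append(append([]byte{}, plain...), buf[1+blockLen:]...) // plain || salt
	mac := hmac.New(sha1.New, ring[idx][:])
	mac.Write(msg)
	block, _ := aes.NewCipher(ring[idx][:]) // key is always 16 bytes, so this cannot fail
	ct := make([]byte, len(msg))
	cipher.NewOFB(block, iv).XORKeyStream(ct, msg)
	return &EncObject{ID: id, KeyIdx: idx, IV: iv, Cipher: ct, MAC: mac.Sum(nil)}, nil
}

// Decrypt reverses Encrypt and refuses to return data whose HMAC does not verify.
func Decrypt(ring *KeyRing, o *EncObject) ([]byte, error) {
	block, _ := aes.NewCipher(ring[o.KeyIdx][:])
	msg := make([]byte, len(o.Cipher))
	cipher.NewOFB(block, o.IV).XORKeyStream(msg, o.Cipher)
	mac := hmac.New(sha1.New, ring[o.KeyIdx][:])
	mac.Write(msg)
	if len(msg) < blockLen || !hmac.Equal(mac.Sum(nil), o.MAC) {
		return nil, errors.New("cfs: HMAC mismatch, object corrupted or tampered")
	}
	return msg[:len(msg)-blockLen], nil
}
```

Because OFB is a stream mode, flipping one ciphertext byte flips the same plaintext byte; the HMAC over the decrypted object is what turns that silent corruption into a hard error.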

CFS internal storage also protects against metadata loss or corruption. Each data object contains enough redundant information to be put back where it belongs. So even if a significant amount of metadata is lost, any data objects that are recovered can be identified and placed where they belong. This increases storage requirements slightly, but the benefit of recovery even after massive data corruption is significant.

Copyright (c) 1995-2008 Webmaster Inc. All rights reserved.