RE: [NTSysADM] File share encryption

[Michael B. Smith]

I’m pretty sure that starting with Windows Server 2012 R2, you can get 
claims-based decryption.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Nathan Shelby
Sent: Wednesday, January 25, 2017 6:07 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] File share encryption

Well there's an inbox solution for this in Windows, it will take some serious 
design and additional CAL purchases as well as custom development for Linux 
client usage however 2 of the three requirements are simple solves for Linux 
based clients (at rest, in transit) transparent decryption gets a bit harder. A 
quick bit of research seems to indicate you could right a java app using the 
rms 4.1 or later SDK to write a wrapper for your linux/mac clients to access 
Windows Rights Management enabled documents.
Encrypted at rest -- Bitlocker / Windows Rights Management
Encrypted in transit -- SMB 3.0
Decryption on access limited to groups transparently -- Windows Rights 
Management


Nathan Shelby
ntshe...@gmail.com<mailto:ntshe...@gmail.com>
425-205-9047

On Wed, Jan 25, 2017 at 2:22 PM, Richard Stovall 
<rich...@gmail.com<mailto:rich...@gmail.com>> wrote:
Two things I can think of.

- The shares might not live on Windows servers (could be addressed by limiting 
to Windows servers).

- The files need to remain encrypted if they are copied off to other devices.  
Decryption should only be doable by approved parties in appropriate AD groups.  
(Forgot to mention that this morning.  Sorry.)



On Wed, Jan 25, 2017 at 5:09 PM, Michael B. Smith 
<mich...@smithcons.com<mailto:mich...@smithcons.com>> wrote:
What’s wrong with BitLocker?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Richard Stovall
Sent: Wednesday, January 25, 2017 10:15 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] File share encryption

How are folks encrypting files on shares?  I need to have files on some shares 
encrypted with transparent decryption when authorized users access the files.

Looking at Symantec/PGP file share encryption, but it is way overkill for what 
I'm trying to do.

Ideally, the shares should be able to be Windows or Samba (Linux).  Worst case, 
Windows only.

Any suggestions?

Thanks,
RS