File Encryption Solution Framework (FESF)
Facilitates the development of transparent, on-access, file-based encryption for the Windows environment.
Update 22 September: FREE FESF Evaluation Edition now available for limited, non-commercial use (permits customization). Contact firstname.lastname@example.org to learn more.
The OSR File Encryption Solution Framework (FESF) allows Clients to incorporate transparent on-access, per-file encryption into their products. While adding on-access encryption sounds like something that should be pretty simple to accomplish, it turns out to be something that’s exceptionally complicated. Creating a solution that performs well is even more difficult. Here at OSR we have been designing, developing and supporting file encryption “toolkits” and our clients’ successful implementations based on them for more than 20 years.
One of the main goals of FESF is to handle most of the necessary complexity, including the actual encryption operations, in kernel mode. This allows Clients that license FESF to build customized file encryption products with no kernel-mode programming. Let’s restate that for emphasis: FESF licensees can develop a per-file encryption solution – with all the stability, performance and security required by such solutions – entirely in user-mode.
- Start With Best in Class Code — FESF provides all the infrastructure needed to demonstrate a working dynamic per-file encryption/decryption product. Starting with this code, your team adds the customization (such as unique user interface, encryption policy, and key management) that differentiates your product and provides your unique added value.
- Customization Almost Exclusively in User Mode — Virtually all the customization your team will need to perform can be done in user-mode, using C or C++. Of course, OSR is ready to help if your product requires extensive customization including changes to kernel-mode code.
- Encrypt Files Anywhere — Your policy can include encryption anywhere: On your local drive, on a server onsite or in the cloud, on a USB or other removable media device – wherever you like – and it just works.
- Performance — An encryption solution has to be secure and it has to be reliable, that’s a given. And while customers are willing to accept some overhead for encryption operations, performance is certainly among the top issues with which per file encryption solutions struggle. That’s why engineering team members expended a great deal of effort designing performance into FESF from the beginning. From the new on-disk structure, to a streamlined interface model to the way we’ve implemented the file system filtering: Performance was a number one goal.
- Efficiency — Encrypted files remain small, even including encryption header and key information.
- Interoperability — Everyone runs an anti-virus solution on their computer. Users expect an encryption solution to “play well” with whatever other software they have running on their machines. FESF was designed using the Isolation Filter approach, based on the “same stack” file system filter model OSR pioneered back in the mid-90s and that is now (finally) officially endorsed by Microsoft. The result: Dramatically increased interoperability with all types of other file system filters.
- Multi-Platform Support. This is a vital part of building products these days: customers want to share data between their devices, be it PC, Mac, iPhone, Android device or even Windows tablet or phone.
- One-time License Fee – NO Royalties. In addition to the broad terms of licensure, FESF can be licensed for a one-time fee, and you may ship your product to end users anywhere in the world without royalties.
FESF User-Mode Components
- FESF Policy Service. The FESF Policy Service is the interface between FESF and the Client’s components that determine policy. The FESF Policy Service receives requests from the FESF Kernel Mode Components, converts them to the expected format, and passes them to the Client-developed Policy DLL.
- FESF Policy DLL. The Policy DLL is the primary interface point between FESF and the Client’s product implementation. OSR includes a sample Policy DLL that Clients can use as the basis for their own implementation, including making decisions on policy and key management.
- FESF DS Service. The FESF Data Storage Service provides services to Client-developed utilities. These services include determining if a file is encrypted, checking the true size on disk of an encrypted file, updating the header, etc.
- Other Applications/Utilities. These are modules that may be designed and implemented as part of the client-specific end-user product.
FESF Kernel Components
The FESF Kernel Mode Components are responsible for intercepting file operations (such as CreateFile, ReadFile, and WriteFile) on supported file systems, implementing Client-specified policies, managing provision of the correct “view” (encrypted/decrypted or raw) of a given file’s data based on the Client-specified policy, and also for performing the actual encryption/decryption operations via Microsoft’s CNG kernel-mode library. The kernel components comprise a series of file system mini-filters and their associated libraries.
The FESF provides the following features:
- Transparent on-access encryption of newly created files and transparent on-access encryption/decryption of FESF encrypted files, all under the control of Client-defined policy.
- Same stack “Isolation”. FESF uses an in-line isolation filter to control the cache and manage clear and encrypted views of data.
- Client policy determination (that is, deciding which files get encrypted and which accesses to encrypted files receive raw access or transparent encryption/decryption access) in user-mode using Client-provided components. These components include a Policy DLL, written in C/C++, plus any other combination of services, applications and utilities which may be written in any language supported by Windows that can communicate with the Policy DLL.
- Easy to understand samples that can be used by Client as a starting point to develop a complete Client Product.
- FIPS compliant encryption. The FESF utilizes the US FIPS 140-2 compliant Microsoft CNG libraries, customizable by the Client for implementing encryption and key storage providers.
- Cross-platform support. FESF provides an example utility for decrypting files on a Linux-based OS.
- 32-bit (x86) and 64-bit (X64) architectures of Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008R2, Windows Server 2012, and Windows Server 2012R2.
Licensure of FESF includes one (1) year of technical support, including questions, bug support, and access to framework maintenance updates. Licensees will also have options to secure major updates (functional enhancements) and OS upgrades as well.
- Source code for all user-mode components including the user-mode FESF Service.
- Documentation, headers, and library files necessary for Client to interface with OSR-supplied FESF user-mode components.
- Object code for all other FESF components (source licenses to KM components by special arrangement).
- All code is written in C/C++ with binaries built using the Windows Driver Kit and Microsoft’s Visual Studio.
- FESF “Developer” Kit (coming soon)
- Other architecture and API documentation available; please contact the OSR Sales Team for more details.
Some FESF licensees may wish to customize core components of FESF to meet their product needs. In addition to providing options for licensure of FESF kernel components, OSR can be engaged to provide turnkey custom development services to modify FESF components to client specifications.
To aid in the evaluation of FESF features as specific to our clients’ solution requirements, OSR offers the free FESF Evaluation Edition. This edition provides the full suite of FESF components and source code to the user-mode FESF Solution Sample (and project files), which can be customized by licensees under an limited, non-commercial license arranged with the OSR sales team. As opposed to a simple demonstrable eval, this edition will allow licensees engage in actual development of their solution without having to commit to a full FESF license up front. This Evaluation Edition license also includes an option for limited, external distribution for the purposes of demonstration (e.g., to prospective investors or end-customers).
Contact the OSR Sales Team for more details.