File Encryption Solution Framework (FESF) for Windows
Facilitates the development of transparent, on-access, file-based encryption for the Windows environment.
Update 2 September 2017: FESF is learning to speak Linux! Development of a native kernel-mode implementation of FESF for Linux is underway. See more details here. Contact email@example.com to learn more about how you can become a member of the FESF for Linux Early Access Program.
The OSR File Encryption Solution Framework (FESF) allows Clients to incorporate transparent on-access, per-file encryption into their products. While adding on-access encryption sounds like something that should be pretty simple to accomplish, it turns out to be something that’s exceptionally complicated. Creating a solution that performs well is even more difficult. Here at OSR we have been designing, developing and supporting file encryption “toolkits” and our clients’ successful implementations based on them for more than 20 years.
What kinds of products will FESF help you build? To name just a few:
- File and document security, management, and tracking for security and compliance
- Data loss prevention
- Document and file authentication
One of the main goals of FESF is to handle most of the necessary complexity, including the actual encryption operations, in kernel mode. This allows Clients that license FESF to build customized file encryption products with no kernel-mode programming. Let’s restate that for emphasis: FESF licensees can develop a per-file encryption solution – with all the stability, performance and security required by such solutions – entirely in user-mode. We’ve already done the kernel-mode programming for you.
- Start With Best in Class Code — FESF provides all the infrastructure needed to demonstrate a working dynamic per-file encryption/decryption product. Starting with this code, your team adds the customization (such as unique user interface, encryption policy, and key management) that differentiates your product and provides your unique added value.
- Customization Entirely in User Mode — All the customization your team will need to perform can be done in user-mode, using the language of your choice. Of course, OSR is ready to help if your product requires extensive customization including changes to kernel-mode code.
- Encrypt Files Anywhere — Your policy can include encryption anywhere: On your local drive, on a server onsite or in the cloud, on a USB or other removable media device – wherever you like – and it just works.
- Flexible, Dynamic, Policy Determination — Your code is called whenever a new file is created or an existing encrypted file is opened. Your policy determines whether that particular open instance should result in raw or transparent encrypt/decrypt access. Your policy decision can be based on any number of factors including the file path or name being accessed, the accessing user’s credentials, and/or the accessing application. Policy can also be dictated by environmental factors such as time of day, the system on which the file resides, or whether the file is being remotely or locally accessed.
- Performance — An encryption solution has to be secure and it has to be reliable, that’s a given. And while customers are willing to accept some overhead for encryption operations, performance is certainly among the top issues with which per file encryption solutions struggle. That’s why engineering team members expended a great deal of effort designing performance into FESF from the beginning. From the on-disk structure, to a streamlined interface model to the way we’ve implemented the file system filtering: Performance was a number one goal.
- Efficiency — Encrypted files remain small, even including encryption header and key information.
- Interoperability — Everyone runs an anti-virus solution on their computer. Users expect an encryption solution to “play well” with whatever other software they have running on their machines. FESF was designed using the Isolation Filter approach, based on the “same stack” file system filter model OSR pioneered back in the mid-90s and that is officially endorsed by Microsoft. The result: Dramatically increased interoperability with all types of other file system filters.
- Multi-Platform Support. This is a vital part of building products these days: customers want to share data between their devices, regardless of the OS. A full-featured version of FESF is available on Windows. Code libraries that support encrypting or decrypting individual file on Linux-based systems is included. A native kernel-mode Linux implementation of FESF, including support for dynamic policy determination in user-mode, will be available in 2018.
- Have an Existing Product or On-Disk Structure? Need Compatibility? If you’re updating an existing product, and want to maintain backwards compatibility, you can beyond the basic FESF product with our FESF Providers Kit. This kit includes kernel-mode source code and documentation, that will allow you to build and customize your encryption solution, right down to the details of the on-disk structure.
- One-time License Fee – NO Royalties. In addition to the broad terms of licensure, FESF can be licensed for a one-time fee, and you may ship your product to end users anywhere in the world without royalties.
FESF for Windows product architecture:
FESF for Windows User-Mode Components
- FESF Policy Service. The FESF Policy Service is the interface between FESF and the Client’s components that determine policy. The FESF Policy Service receives requests from the FESF Kernel Mode Components, converts them to the expected format, and passes them to the Client-developed Policy DLL.
- FESF Policy DLL. The Policy DLL is the primary interface point between FESF and the Client’s product implementation. OSR includes a sample Policy DLL that Clients can use as the basis for their own implementation, including making decisions on policy and key management.
- FESF DS Service. The FESF Data Storage Service provides services to Client-developed utilities. These services include determining if a file is encrypted, checking the true size on disk of an encrypted file, updating the header, etc.
- Other Applications/Utilities. These are modules that may be designed and implemented as part of the client-specific end-user product.
FESF for Windows Kernel Components
The FESF Kernel Mode Components are responsible for intercepting file operations (such as CreateFile, ReadFile, and WriteFile) on supported file systems, implementing Client-specified policies, managing provision of the correct “view” (encrypted/decrypted or raw) of a given file’s data based on the Client-specified policy, and also for performing the actual encryption/decryption operations via Microsoft’s CNG kernel-mode library. The kernel components comprise a series of file system mini-filters and their associated libraries.
FESF for Windows provides the following features:
- Transparent on-access encryption of newly created files and transparent on-access encryption/decryption of FESF encrypted files, all under the control of Client-defined policy.
- Same stack “Isolation”. FESF uses an in-line isolation filter to control the cache and manage clear and encrypted views of data.
- Client policy determination (that is, deciding which files get encrypted and which accesses to encrypted files receive raw access or transparent encryption/decryption access) in user-mode using Client-provided components. These components include a Policy DLL, written in C/C++, plus any other combination of services, applications and utilities which may be written in any language supported by Windows that can communicate with the Policy DLL.
- Easy to understand samples that can be used by Client as a starting point to develop a complete Client Product.
- FIPS compliant encryption. The FESF utilizes the US FIPS 140-2 compliant Microsoft CNG libraries, customizable by the Client for implementing encryption and key storage providers.
- Cross-platform support. FESF for Windows libraries for encrypting and decrypting individual files on any Linux-based OS. In addition, a native version of FESF for Linux will be available in 2018.
FESF for Windows OS Support
- 32-bit (x86) and 64-bit (X64) architectures of Windows 7 and later; Windows Server 2008R2 and later.
- ARM support is not currently available, but we’re willing to discuss your use case.
Licensure of FESF includes one (1) year of technical support, including questions, bug support, and access to framework maintenance updates. Licensees will also have options to secure major updates (functional enhancements) and OS upgrades as well.
- Source code for all user-mode components including the user-mode FESF Service.
- Documentation, headers, and library files necessary for Client to interface with OSR-supplied FESF user-mode components.
- Object code for all other FESF components (source licenses to KM components by special arrangement).
- All code is written in C/C++ with binaries built using the Windows Driver Kit and Microsoft’s Visual Studio.
- FESF “Evaluation Edition” allows you to work with and test FESF, even prototype your product, at no cost in limited non-production environments.
- Other architecture and API documentation available; please contact the OSR Sales Team for more details.
Some FESF licensees may wish to customize core components of FESF to meet their product needs. In addition to providing options for licensure of FESF kernel components, OSR can be engaged to provide turnkey custom development services to modify FESF components to client specifications.
To help you evaluate the features of FESF for Windows within your own solution, OSR offers the free FESF for Windows Evaluation Edition. This edition provides the full suite of FESF for Windows components and source code to the user-mode FESF for Windows Solution Sample (and project files), which can be customized by licensees under an limited, non-commercial license arranged with the OSR sales team.
As opposed to a simple demonstrable evaluation, this edition will allow you to undertake actual development of your solution without having to commit to a full FESF for Windows license up front. This Evaluation Edition license also includes an option for limited, external distribution for the purposes of demonstration (e.g., to prospective investors or end-customers).
Contact the OSR Sales Team for more details.
OSR is building a native kernel-mode implementation of FESF for Linux that will be released during 2018.
FESF for Linux is a ground-up implementation that will provide compatibility for encrypted files and will feature the same robustness and flexibility as the Windows implementation.
More information on FESF for Linux can be found here.