Encryption / Decryption Beginner Questions

I have never done encryption or decryption, so I decided to jump in and try to build something similar to FolderLock. The following questions are mostly about design issues, but some coding issues are mixed in.

http://www.newsoftwares.net/folderlock/

Despite this, I was in the initial stages and had some preliminary questions.

  • When you encrypt a folder, you really encrypt all the files inside the folder, not the folder itself, since the folder cannot be encrypted. Is that right?

  • In addition, I wrote my encryption / decryption code, but I want to include a password in it. My plan is that when a user selects a folder / file for encryption, they set a password that will be associated with the key needed to decrypt the folder / file. Good idea or bad idea? Anyone have a better suggestion? I am debating having one password for the program itself, which also unlocks any encrypted file / folder ...

  • How do I change a folder in Windows 7 (which I encrypted) to request a password when I open it, and not just open and show all encrypted files?

  • Finally, when you encrypt the file (with the way my code is written now), you get the source file that you encrypted and the encrypted version of that file. I'm sure I know the answer to this question, but do I delete the original version and leave the encrypted version? What if, for some reason, the decryption fails and I don’t have a backup of my file? Should I back up files?

Thanks for any help! I tried to search on the above questions, but it seems that most of the people who do this are at a much higher level than me, so I did not find many useful answers.

EDIT: let me explain that although I am trying to create something similar to FolderLock, this is ONLY for my education. I am not trying to create a commercially viable application, just doing something fun and learning at the same time.

+7
3 answers

How you encrypt files and folders is not a one-answer question. You can encrypt files at about three different levels when we talk about the Windows environment:

  • Hard disk encryption: in this case, you are encrypting the full hard drive, which means that the drive as a whole is encrypted. BitLocker is an example of this. In this case, you encrypt everything except the master boot record. Each byte that is written to the hard drive is encrypted, including the operating system.

  • Filter driver or file system encryption: You can write your own filter driver or file system driver to encrypt and decrypt files selectively and transparently as they are written to disk. Most business encryption solutions offer this functionality. Microsoft has its own solution in the form of Encrypting File System. The advantage of this is that it is much better integrated with the OS; encrypted files and folders look like regular files to all other applications. TrueCrypt is another program that performs this type of encryption, and it is open source, so you can take a look at it.

  • Application Level Encryption: You can also encrypt files at, as I would like to call it, the application level. You cannot reach this level if you do not use your own filter. This means that you encrypt the file, similar to how you compress it with, say, WinZip. The encrypted file is displayed to other applications as a file of a different format, rather than the original format. In fact, this is not much different from file compression with WinZip / WinRAR, except that instead of compressing it you encrypt it. If you compress a folder using WinZip, it will still be compressed into a single file. The same goes for encryption if you do it at this level. You can write shell extensions for Windows Explorer that will make it “look like a folder”, but essentially it will still be a single file, and you cannot “save as ..” to this folder from another application. You will probably also need a graphical interface to view the folder if you double-click this file.

I assume that you want to write an application that will perform encryption at the application level. In this case, you should be aware of the limitations of this approach, as I mentioned above.

Regarding your questions:

  • You can encrypt the folder in the container, think about WinZip / WinRar again, or you can encrypt each file in the folder individually into a separate file.

  • To use a password / key, my recommendation is to have a random key to encrypt the actual data. Then you encrypt this key with separate keys derived from one or more passwords. This will allow you to have multiple passwords for the file. As for the algorithm, I recommend AES-128, as it is a well-established and very fast algorithm. To use AES, you need to create a key and IV that have a specific length (128 bits each for AES-128). The best way to create these keys is to use Rfc2898DeriveBytes with the actual password that the user enters. Do not forget about the HMAC, which you should use to verify that the actual decryption of the file is correct. You can use the HMAC only to verify that the random key has been decrypted correctly, which means that you do not need to run the HMAC over the whole content.

  • To do this, you will need to write a shell extension, but this will only take you so far. For example, you cannot save a file from Word into your encrypted folder, as this will actually be a container for encrypted files.

  • I would advise you to leave it to the user to back up the files. Any deleted files should also be cleaned safely, since simply deleting them is not enough to remove all traces of a file from the file system.

+3
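
The key handling described in the answer above (a random data key, wrapped once per password with a key from Rfc2898DeriveBytes, and an HMAC that rejects a wrong password before decryption) can be sketched as follows. This is an added example, not code from the original answer; the class name, blob layout, iteration count and sample passwords are assumptions, and it needs .NET Core 2.1 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class KeySlots   // hypothetical name; the blob layout below is constructed for this example
{
    static byte[] RandomBytes(int n) { var b = new byte[n]; RandomNumberGenerator.Fill(b); return b; }
    // PBKDF2 over the password yields an AES-128 wrapping key plus a separate HMAC key.
    static void Derive(string pw, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        using (var kdf = new Rfc2898DeriveBytes(pw, salt, 100000, HashAlgorithmName.SHA256))
        { encKey = kdf.GetBytes(16); macKey = kdf.GetBytes(32); }   // 100000 is an assumed work factor
    }
    // Output: salt(16) | IV(16) | AES-CBC(dataKey) | HMAC-SHA256 over everything before it.
    public static byte[] Wrap(byte[] dataKey, string pw)
    {
        byte[] salt = RandomBytes(16), iv = RandomBytes(16);
        Derive(pw, salt, out var encKey, out var macKey);
        using (var aes = Aes.Create())                   // CBC with PKCS7 padding is the default
        using (var enc = aes.CreateEncryptor(encKey, iv))
        using (var hmac = new HMACSHA256(macKey))
        {
            var body = salt.Concat(iv).Concat(enc.TransformFinalBlock(dataKey, 0, dataKey.Length)).ToArray();
            return body.Concat(hmac.ComputeHash(body)).ToArray();
        }
    }
    public static byte[] Unwrap(byte[] blob, string pw)
    {
        if (blob.Length < 80) return null;               // too short to hold salt, IV, one block and tag
        var body = blob.Take(blob.Length - 32).ToArray();
        byte[] salt = body.Take(16).ToArray(), iv = body.Skip(16).Take(16).ToArray();
        Derive(pw, salt, out var encKey, out var macKey);
        using (var hmac = new HMACSHA256(macKey))
            if (!CryptographicOperations.FixedTimeEquals(hmac.ComputeHash(body), blob.Skip(body.Length).ToArray()))
                return null;                             // wrong password or modified blob
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(encKey, iv))
            return dec.TransformFinalBlock(body, 32, body.Length - 32);
    }
    static void Main()
    {
        var dataKey = RandomBytes(16);                   // random key that encrypts the file data
        var slotA = Wrap(dataKey, "first password");     // constructed sample passwords,
        var slotB = Wrap(dataKey, "second password");    // one wrapped copy of the key per password
        Console.WriteLine(Unwrap(slotA, "first password").SequenceEqual(dataKey));
        Console.WriteLine(Unwrap(slotB, "second password").SequenceEqual(dataKey));
        Console.WriteLine(Unwrap(slotA, "wrong guess") == null);
    }
}
```

Changing one password only means rewriting that password's wrapped copy of the data key; the encrypted file contents stay untouched.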
  • A folder is just a collection of files. As for your application, it may just encrypt the contents of the folder.
  • You must use a password to obtain a key. In .NET, you can do this with Rfc2898DeriveBytes. This means that you do not even store the key. The password is the key. Never hold the key yourself if it can be avoided. Thus, the only option for the attacker is brute force; reverse engineering will not bring anything useful.
  • You may have to write a shell extension for this. This is a completely different subject. (I hope you will be comfortable working with COM Interop / PInvoke).
  • It depends on how much “checking” you want. You could, for example, calculate the SHA-256 hash of the source file; encrypt it; then decrypt it; hash the decrypted file; and make sure the hashes match. The trick will be to do it all as an atomic operation. You can also save the SHA-256 in an unencrypted file (even after deleting the unencrypted content) so that when you subsequently decrypt it, you can verify that it was done correctly. In this case, you use the hash as a checksum.
+1
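
The round-trip check from the last point of the answer above (hash the source, encrypt, decrypt again, compare hashes, and only then remove the original) could look like this. It is an added example, not code from the original answer; the class name, the IV-prefixed file layout and the sample file are assumptions, it needs .NET Core 2.1 or later, and it does not make the sequence atomic.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;

static class VerifyBeforeDelete   // hypothetical name; file layout is IV(16) | AES-CBC ciphertext
{
    static byte[] Hash(Stream s) { using (var sha = SHA256.Create()) return sha.ComputeHash(s); }

    // Encrypts src into dst, decrypts dst again, and deletes src only when the
    // SHA-256 of the round trip equals the SHA-256 taken from src beforehand.
    public static bool EncryptAndVerify(string src, string dst, byte[] key)
    {
        byte[] before, after, iv = new byte[16];
        using (var input = File.OpenRead(src)) before = Hash(input);
        using (var aes = Aes.Create())                   // aes.IV is a fresh random IV
        {
            aes.Key = key;
            using (var output = File.Create(dst))
            {
                output.Write(aes.IV, 0, 16);
                using (var enc = aes.CreateEncryptor())
                using (var cs = new CryptoStream(output, enc, CryptoStreamMode.Write))
                using (var input = File.OpenRead(src)) input.CopyTo(cs);
            }
            using (var input = File.OpenRead(dst))
            {
                input.Read(iv, 0, 16);
                using (var dec = aes.CreateDecryptor(key, iv))
                using (var cs = new CryptoStream(input, dec, CryptoStreamMode.Read))
                    after = Hash(cs);
            }
        }
        if (!before.SequenceEqual(after)) { File.Delete(dst); return false; }   // keep the original
        File.Delete(src);   // plain delete only; secure wiping is a separate step
        return true;
    }

    static void Main()
    {
        string src = Path.GetTempFileName(), dst = src + ".enc";
        File.WriteAllText(src, "constructed sample contents");
        var key = new byte[16];
        RandomNumberGenerator.Fill(key);
        Console.WriteLine(EncryptAndVerify(src, dst, key));
        Console.WriteLine(File.Exists(src));
        File.Delete(dst);
    }
}
```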
  • Yes and no. The file system has an encryption flag and can be applied to a folder. This is important because the new file created in this folder will be automatically encrypted. However, the folder itself is not encrypted.

  • I don’t quite understand ... If it works like TrueCrypt, then this is a good idea.

  • What password? In any case, if this is your encryption method, you should delve into the APIs and Windows Shell objects, and I'm not quite sure that such an extension is possible with .NET (I think I read somewhere that this is not so, or actually it would fail for some reason I forgot).

  • I don’t understand why the decryption failed. Obviously, everything can fail, including the hard drive, but then every file can fail, and you cannot protect it.

-2