This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Newb / LanCrypt : May a process be allowed to write data onto a distant shared folder that is lancrypt protected, but not be able to read it afterward ?

Hi

I have a case brought up by my customer and was wondering if it can be done with LanCrypt. I could not find an answer in online technical documentation.

Let say an application server needs to copy a file during runtime onto a remote folder on a workstation.
The remote folder is hosted on a workstation and have lancrypt installed, and the folder is currently protected with lancrypt.
The application server is hosted on window server and do not have lancrypt installed. The policy of the customer company does not allow lancrypt on window servers.

In this context, is there a way to configure the remote folder to accept a "guest" application server to "drop files" in it, without lancrypt installed on the server ?

I don't think this is not possible with lancrypt but I would like to be sure.

Thank you for attention and help



This thread was automatically locked due to age.
  • If he application server can copy a file to the remote folder depends on Windows rights in that folder, regardless whether SGLC is installed on the server or not. 

    On the workstation running the SGLC Client you could run a script to check for new files, and encrypt them.

    Once encrypted the application server might still be able to retrieve the file, depending on its rights again, then but only in encrypted form.

    “First things first, but not necessarily in that order” – Doctor Who

  • HI,

    Thank you very much for your reply.

    I did not mention it but my application server will be allowed through window's right to write onto the remote folder.

    The script solution sounds a bit wobbly to me. For example, how can I make sure it will not encrypt a file that is being copied (we're talking of files of hundreds of mo) ?

    You confirm there is no native function in LanCrypt that could make encryption happening during the process of writing (and not some times after the writing) ? These files are very sensitive and cannot be left unencrypted even for a few seconds...

    > Once encrypted the application server might still be able to retrieve the file, depending on its rights again, then but only in encrypted form.

    Yes, that's what I would like to achieve if possible. Once copied, the file should not be read from the application server.

  • The native function of LAN Crypt is encrypting even before writing. But that can only be done on a client with LAN Crypt installed. If you would be able to install SGLC Client on your Application Server, and have the application doing the writing under a user context, the encryption would already be done on the Application Server, before the file hits the network cable. And if you could use storage that would seem write-only from the Application Server´s perspective, that also would be an alternative. 

    In SafeGuard LAN Crypt a user has the key or not. If a user has the key, encryption as well as decryption is possible.

    “First things first, but not necessarily in that order” – Doctor Who

  • Hi,

    Thank you for your reply. It's very helpful.

    "you could use storage that would seem write-only from the Application Server´s perspective" : We have ruled out this alternative, as it doesn't seem possible in windows (without using some sort of airlock mecanism that will move dropped files somewhere safe, solution our customer does not want) : 

    http://superuser.com/questions/911242/setting-ntfs-permissions-to-write-but-not-read

    https://technet.microsoft.com/en-us/library/cc783530%28v=ws.10%29.aspx#w2k3tr_randp_how_xgvr

    One last question, what would happen if application server drop a file in a LanCrypt protected remote folder ? Would it fails ? Would it copy the file in "clear" ? In other word, The remote folder has to be excluded from lancrypt protection in order for the application server be able to drop files in it ?

    We are thinking of encrypting the files within the application server with a public key whose private pair is only knew of the remote folder's workstation's user keystore.

  • I seems my previous reply hasn´t been received/¨stored/whatever. So here is the 2nd attempt.

    What would happen to a file, dropped by a server in a certain folder, is dependent of its rights there, and whatever is installed on the server. As far as SGLC is concerned, as long as the client is not installed on the server, it doesn´t interfere 

    Yes a PKI based solution looks like the right fit. I encountered the exact behaviour when encrypting a draft email, but not being able to open it because of issues with the private key. It even sounds a bit like one of our old products, from the era when the mere mentioning of PKI would have everyone else run away. SafeGuard Sign&Crypt anyone?

    It (write only access) is also a feature I will discuss with product management. But don´t get your hopes up.

    “First things first, but not necessarily in that order” – Doctor Who

  • Hello,

    Thank you very much for your time and patience. Your answers have been really helpful !