Endpoint Encryption

  • 1.  An unexpected use for PGP Netshare

    Posted Mar 09, 2011 08:41 AM

    Hi everyone,

    We want to develop a web file sharing system that clients will use to upload reports. The uploaded files will have to stay confidential until used at various company departments. We can ensure on-the-Net confidentiality via SSL up to the moment the reports will be uploaded and saved at the service repository. We would also like to provide confidentiality up to the end user, when the people assigned by the particular company dept. get the report to their system. An obvious way to do it would be to distribute the public keys of each company dept. and have the clients encrypt the reports before uploading them. This however has two disadvantages:

    a. it requires a public key distribution business process and

    b. it would require PGP to be running on the client side, which is something we cannot always assume due to local security policies etc.

    As you probably understand, the issue we try to resolve has to do with the files staying unencrypted at the company file repository once they have been successfully uploaded.

    I would like therefore to propose using PGP NetShare to this end: The upload webserver will save the files at a PGP Netshare and result in the files getting encrypted by default. Then have each company dept. access the Netshare and get the files.

    So my question is: can it be done? Have a webserver use a PGP Netshare as a storage place? I suppose the problem would not be using the storage itself as it behaves exactly as a shared drive. I would however worry about having the webserver use PGP to access it. Is there any way to do this? Could it be done perhaps by PGP command line?

    Any other solution we could use in the same direction?

    Many thanks,

    Georgios



  • 2.  RE: An unexpected use for PGP Netshare

    Posted Mar 09, 2011 09:37 AM

    I don't think this will work for you. I believe that NetShare will only work via a local network, and will not work as desired from web access. Additionally, my understanding is that if files are placed in a NetShare protected folder by people who do not have PGP installed, and/or who are not added as NetShare users of the NetShare protected folder, the added files will not be encrypted.

    If you don't want to use public key encryption (which is the most secure way to do it), an option would be to use PGP Zip files encrypted to a shared passphrase.



  • 3.  RE: An unexpected use for PGP Netshare

    Posted Mar 09, 2011 12:00 PM

    One way to implement this is to have a process detect when files were uploaded (i.e. it watches the destination folder), and then protect them using the PGP NetShare command line tool, and then move them to another location on the server where they can be accessed by clients running PGP NetShare.

    Symantec has partners who have devised workflow solutions using PGP technologies to do this in a more automated fashion (one that immediately comes to mind is Cryptosoft, http://www.cryptosoft.com/).
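
Added example, not part of any post in this thread: a sketch of the watch-folder workflow described in reply 3. The `protect` callable, the directory names and the in-place encryption behaviour are assumptions; the real PGP NetShare command line syntax does not appear on this page, so the external command is passed in by the operator rather than guessed.

```python
import shutil
import subprocess
import tempfile
import time
from pathlib import Path

def is_settled(path, settle_seconds):
    """True once the file has been unmodified for settle_seconds (upload finished)."""
    return time.time() - path.stat().st_mtime >= settle_seconds

def sweep(incoming, protected, protect, settle_seconds=5.0):
    """Protect each finished upload in `incoming`, then move it to `protected`.

    protect(path) is assumed to encrypt the file in place and raise on failure.
    Returns the names of the files that were moved.
    """
    moved = []
    for src in sorted(Path(incoming).iterdir()):
        dst = Path(protected) / src.name
        if not src.is_file() or dst.exists() or not is_settled(src, settle_seconds):
            continue  # still uploading, or would overwrite an earlier report
        try:
            protect(src)
        except Exception as exc:
            # Fail closed: a file that could not be protected is never published.
            print(f"not published, protect failed for {src.name}: {exc}")
            continue
        shutil.move(str(src), str(dst))
        moved.append(src.name)
    return moved

def command_protector(argv_prefix):
    """protect() that runs an external tool as argv_prefix + [path].

    The argv comes from the operator (taken from the tool's user guide);
    no real command-line syntax is assumed here.
    """
    def protect(path):
        subprocess.run([*argv_prefix, str(path)], check=True)
    return protect

if __name__ == "__main__":
    # Constructed demo: a stand-in protector that only tags the file.
    with tempfile.TemporaryDirectory() as tmp:
        inc, out = Path(tmp, "incoming"), Path(tmp, "protected")
        inc.mkdir(); out.mkdir()
        (inc / "report.pdf").write_bytes(b"constructed sample")
        tag = lambda p: p.write_bytes(b"PROTECTED:" + p.read_bytes())
        print(sweep(inc, out, tag, settle_seconds=0))
```

Files stay in plaintext in the incoming folder until a sweep protects them, so this workflow shortens the unencrypted window but does not remove it.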



  • 4.  RE: An unexpected use for PGP Netshare

    Posted Mar 10, 2011 06:59 AM

    Tom, thanks for your answer.

    Actually, we do not want to have the web service users directly "save" to the netshare. That of course would require them to have PGP desktop and would not be possible outside the domain.

    I'm rather researching if the webserver on the receiving end of the SSL connection can use a Netshare as standard storage place. The webserver itself to be a netshare user.

    Many thanks anyway,

    Georgios



  • 5.  RE: An unexpected use for PGP Netshare

    Posted Mar 10, 2011 07:10 AM

    David, thank you for your answer and the pointer to Cryptosoft.

    The solution you propose is halfway there. If the files could be directly uploaded to the Netshare (as I mentioned before, have the web server using the Netshare as a storage place) that would be exactly what we're looking for. We want to avoid any case (even for very short periods) of files existing on our systems unencrypted.

    Anyway, it is interesting to know that there is a Netshare command line tool and I'll take a look at it to see if a solution could be devised around it.

    Could you perhaps point me to any documentation on the PGP Netshare command line tool?

    Many thanks,

    Georgios



  • 6.  RE: An unexpected use for PGP Netshare

    Posted Mar 10, 2011 01:31 PM

    The User's Guide for the PGP NetShare Command Line tool can be found here: PGP NetShare Command Line v10.1.0 User Guide

    Though the PGP NetShare Command Line tool is available to run in "standalone" mode (e.g. for use on servers, where you don't want a copy of PGP Desktop installed), I'm not sure how we license or package it for that use.  I've asked the PM for PGP NetShare to respond to that question.