Reputation: 63
I have been tasked to research encryption on our web servers for clients' files that we receive. We are running an IIS7 environment and, when files are transferred from our clients via HTTPS, we would like to store these to disk in an encrypted fashion. I am a network engineer and the software developers have pushed this on me to find an Operating System implementation. I have looked at BitLocker and EFS, but I don't see why or how I would need this in place since we are not concerned with someone stealing physical drives from our secured data center. Would this not be easier on the software end within IIS7?
Upvotes: 1
Views: 1521
Reputation: 46060
The choice is quite wide:
Upvotes: 0
Reputation: 11569
.Net has some great APIs for encrypting files. You could use AES-256 (referred to as Rijndael in .Net C#) to encrypt all files before you store them on disk. Then encrypt the AES key using RSA keys from a machine certificate (X509Certificate2 in C#). Store the encrypted AES key (and initialization vector if using CBC) with the encrypted file.
When you need to decrypt the file, use the private key from the machine certificate to decrypt the AES key, then use that AES key to decrypt the rest of the file.
Upvotes: 0
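The envelope scheme described in the answer above, as an added example that is not the answerer's code: a fresh AES-256 key per file, wrapped with the certificate's RSA public key and stored next to the ciphertext. It swaps CBC for AES-GCM so that a modified file fails to decrypt. Assumptions: .NET 8, a throwaway self-signed certificate standing in for the machine certificate, and a blob layout constructed for this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
static class EnvelopeDemo
{
    // Constructed layout: [int32 wrappedKeyLen][wrappedKey][12-byte nonce][16-byte tag][ciphertext]
    public static byte[] Encrypt(byte[] plaintext, X509Certificate2 cert)
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);    // fresh AES-256 key per file
        byte[] nonce = RandomNumberGenerator.GetBytes(12);  // GCM nonce, never reused with a key
        byte[] tag = new byte[16], ciphertext = new byte[plaintext.Length];
        using (var aes = new AesGcm(key, 16))
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
        using RSA pub = cert.GetRSAPublicKey() ?? throw new InvalidOperationException("no RSA key");
        byte[] wrapped = pub.Encrypt(key, RSAEncryptionPadding.OaepSHA256);
        CryptographicOperations.ZeroMemory(key);            // only the wrapped key is kept
        using var ms = new MemoryStream();
        using var w = new BinaryWriter(ms);
        w.Write(wrapped.Length); w.Write(wrapped); w.Write(nonce); w.Write(tag); w.Write(ciphertext);
        w.Flush();
        return ms.ToArray();
    }
    public static byte[] Decrypt(byte[] blob, X509Certificate2 cert)
    {
        using var ms = new MemoryStream(blob);
        using var r = new BinaryReader(ms);
        byte[] wrapped = r.ReadBytes(r.ReadInt32());
        byte[] nonce = r.ReadBytes(12), tag = r.ReadBytes(16);
        byte[] ciphertext = r.ReadBytes((int)(ms.Length - ms.Position));
        using RSA priv = cert.GetRSAPrivateKey() ?? throw new InvalidOperationException("no private key");
        byte[] key = priv.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
        byte[] plaintext = new byte[ciphertext.Length];
        using (var aes = new AesGcm(key, 16))
            aes.Decrypt(nonce, ciphertext, tag, plaintext);  // throws if the blob was altered
        CryptographicOperations.ZeroMemory(key);
        return plaintext;
    }
    static void Main()
    {
        // Stand-in for the machine certificate (normally loaded from the LocalMachine store).
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=constructed-demo", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        byte[] blob = Encrypt(Encoding.UTF8.GetBytes("constructed client file contents"), cert);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(blob, cert)));
        blob[^1] ^= 0x01;                                    // simulate on-disk modification
        try { Decrypt(blob, cert); } catch (CryptographicException) { Console.WriteLine("tamper detected"); }
    }
}
```

The protection is only as strong as the access control on the certificate's private key: any process on the server that can use that key can decrypt every stored file.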
Reputation: 2085
HTTPS will encrypt the data from point to point. Once it arrives on the server (and you are storing it) it is unencrypted.
To further encrypt the data you have a couple of options: either encrypt the whole drive (BitLocker/EFS-style) or encrypt the individual files, in which case (imho) the easiest solution would be to simply store the files in a database and use either the database's built-in, or your programming language API's, encryption of choice to encrypt and decrypt the files on storage and retrieval.
Downside to encrypting the whole drive is that you will lose performance on a production server, usually a bad thing.
Upvotes: 1