A device owner of a storage device has full rights to the contents therein for reading and writing. Often, the device owner wants to grant or deny access rights to other users and/or groups of individuals. File systems, such as the New Technology File System (NTFS) of Windows and some of the Linux file systems, permit the device owner to control access to files by assigning permissions for files.
By using file system technology, the device owner may safeguard files in both internal system storage and in external, portable storage such as USB flash drives (UFDs). However, this technology for safeguarding files may be circumvented in a portable storage device by simply connecting the portable storage device to a host that does not respect the permission rules of the file system. For example, the Linux NTFS driver ignores permission rules. Also, some third-party drivers, such as the open-source ext2ifs, which allows Windows to access ext2 partitions, do not enforce Linux permission rules. (The term “ext2” stands for “second extended file system,” and the term “ext2ifs” references an installable file system (IFS) driver written by Stephan Schreiber, which is a driver implemented for some versions of the Microsoft Windows operating system.) Even connecting the portable storage device to a host running a different Windows domain will allow a local administrator to act as a device owner and consequently to override security measures.
Microsoft developed the Encrypting File System (EFS), which transparently encrypts the data within an NTFS and stores the keys within an Active Directory schema. Such an approach ensures that if permissions are circumvented, the data within the files remains inaccessible. However, while this works well when integrated into Windows, EFS does not work in an independent environment and requires a central authentication mechanism in order to retrieve the keys.
The encryption technique Pretty Good Privacy (PGP) utilizes a transparent file encryption engine that uses shared key-rings. This technique provides a flexible software-based framework for maintenance and enforcement of permissions. However, this permission system is independent of the native operating system user/group permission set and requires additional management and client software, which must be installed on the host to access the data.
Hence, there exists a need for a way to safeguard files from unauthorized access, which works in an independent environment, does not require a central authentication mechanism to retrieve keys, and does not require additional management and client software installed on a host.