Client side encryption in OneDrive, via existing NTFS encryption
NTFS should be extended with an API to access files and folders in encrypted format (it already has an API for the decrypted format, since decryption is automatic and transparent).
Then OneDrive could use the NTFS-encrypted raw format to upload data to the cloud. This would enable client side encryption with very little investment from Microsoft and with huge business advantages:
- support for client side encryption, transparently, on FS level
- support for uploading changes only, since only the changed files are uploaded, i.e. no need for containers just to encrypt files
- very little investment is needed
Encryption should be based at least on the following options:
- simple PIN (no keyfiles)
- password (no keyfiles)
- keyfile + password
- possibly others
We currently support uploading and sync for encrypted files today but appreciate your suggestion on this approach.
This needs to be implemented. This is an incredibly simple fix and will solve ALL the "Let me encrypt my files at rest before uploading to the cloud" requests! Honestly, I can't see how the Dev gave the response he gave. Either he doesn't understand the question, or there's other reasons MS doesn't want us to have our data encrypted at rest WITH OUR OWN KEYS. I'd love to ditch my encrypted VHD file which is clumsy and is worse for me and MS.
I had encrypted the OneDrive folder (which resided in my profile) as Michael did and had the same results. When I synced, the files were not encrypted anymore.
However, when I encrypted my whole profile and then synced OneDrive, the files were encrypted locally.
Sundeep Singh Basra commented
Or something like encrypting the OneDrive cache locally on the drive.
Bram Vlasblom commented
On computers where multiple users log on, the entire OneDrive cache is accessible to local administrators. Please add a Group Policy to enable EFS encryption on the OneDrive cache. We use OneDrive for Business as a replacement for the Offline Files feature. Offline Files has an encryption Group Policy with EFS which we used before. OneDrive for Business should have such a feature for Enterprise computers.
I encrypt my OneDrive folders on my PC using EFS, because it is a shared computer. When OneDrive syncs and copies new files to those folders, the new files are NOT EFS encrypted. I need to go back and manually select the new synced files and encrypt them. This seems like a bug, since copying files to those directories any other way results in them automatically being encrypted. I'm not asking for cloud side encryption, I just want newly synced files to be encrypted locally.
Just a heads up
I know Google Drive is a different animal etc etc.
However, if I try to access synced files in the Google Drive folder under a user's profile (C:\users\test\Google drive) with my local admin account, I CANNOT get access, contrary to OneDrive for Business, where with your admin account you can actually open any folder in another user's profile (including C:\users\test\OneDrive).
So, in two words: if someone steals a Windows machine and gets local admin rights, your OneDrive files will be compromised but not your Google Drive files.
Please ensure that OneDrive encrypts files added into a folder where the folder is encrypted.
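The EFS reports above (files synced into an encrypted folder not inheriting the Encrypted attribute) can be audited locally. This is an added PowerShell check, not code from the thread or from Microsoft; the default root path is an assumption, and cloud-only Files On-Demand placeholders (reparse points) are skipped so the script does not trigger downloads.

```powershell
# Audit a OneDrive folder for files stored without the EFS Encrypted attribute,
# and optionally apply EFS to them with -Fix. Root path is an assumed default.
param(
    [string]$Root = "$env:USERPROFILE\OneDrive",
    [switch]$Fix
)

$encrypted = [System.IO.FileAttributes]::Encrypted
$reparse   = [System.IO.FileAttributes]::ReparsePoint

# Inheritance only applies if the folder itself is EFS-encrypted.
$rootItem = Get-Item -LiteralPath $Root
if (-not ($rootItem.Attributes -band $encrypted)) {
    Write-Warning "$Root is not EFS-encrypted; new files will not inherit encryption."
}

# Local (non-placeholder) files that lack the Encrypted attribute.
$plain = @(Get-ChildItem -LiteralPath $Root -File -Recurse -Force |
    Where-Object {
        -not ($_.Attributes -band $encrypted) -and
        -not ($_.Attributes -band $reparse)
    })

if ($plain.Count -eq 0) {
    Write-Output "All local files under $Root carry the EFS Encrypted attribute."
    return
}

Write-Output "$($plain.Count) file(s) under $Root are stored in plaintext:"
$plain | ForEach-Object { Write-Output "  $($_.FullName)" }

if ($Fix) {
    foreach ($f in $plain) {
        try {
            # FileInfo.Encrypt() applies EFS with the current user's certificate,
            # the same as ticking "Encrypt contents" under Properties > Advanced.
            $f.Encrypt()
            Write-Output "  encrypted: $($f.FullName)"
        } catch {
            Write-Warning "  failed on $($f.FullName): $($_.Exception.Message)"
        }
    }
}
```

Run it as the user who owns the profile, since EFS keys are per user; run without -Fix first to see what the sync client left unencrypted.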
yes nice build in perfect
I would like to see whole disk encryption as a requirement to install the app. When the installer runs it should be able to check the machine to see if the disk is encrypted; if so, allow the install. If the drive is not encrypted, give the user the choice to enable BitLocker and continue the install, or quit the install if they don't want to encrypt. The process should be very transparent to the user.
There should also be an admin page in Office 365 that would let administrators see what devices the user has installed OneDrive for Business on. This page could also display the encryption status of each device. Make it like a policy compliance check, similar to ActiveSync devices. Maybe quarantine devices that don't meet the set policy.
There needs to be more control for OneDrive for Business to be a success. Just letting a user download and install this on their home PC with no way to control the data just won't work.
Would Office Online still be able to edit Office or other files or would it be restricted to the machine it was encrypted on?
Michael Parlette commented
maybe start with the business side of things? impress me guys. Thanks for your time.