
Cyber Security

Process-Controlled File Encryption

TL;DR

Yes, several file-encryption tools allow access only to whitelisted processes. This significantly boosts cyber security by preventing malware or unauthorised software from decrypting your sensitive data even if it bypasses other protections. We’ll cover options like VeraCrypt with application-specific passwords and explore approaches using Linux’s eCryptfs combined with AppArmor.

Solution Guide

  1. Understand the Concept: Process-controlled encryption means files are only decrypted when a specific, approved program tries to access them. If any other process attempts decryption, it’s blocked. This is stronger than simple password protection because even knowing the password isn’t enough; you need permission from the system.
  2. VeraCrypt with Application-Specific Passwords (Windows/macOS/Linux): VeraCrypt is a popular open-source disk encryption tool. While not *directly* process whitelisting, it offers a similar level of control using application-specific passwords.
    • Create a VeraCrypt volume as usual.
    • When mounting the volume, use the ‘Mount Options’ and enable ‘Use application-specific password’.
    • For each program you want to access the volume, create a unique password within VeraCrypt specifically for that application. This means if an attacker gets the main volume password, they *still* need individual app passwords.
  3. eCryptfs with AppArmor (Linux): This is a more robust but complex solution ideal for Linux systems.
    • Install eCryptfs: Most distributions include it. If not:
      sudo apt install ecryptfs-utils
    • Encrypt your home directory (or a specific folder): This is the typical use case.
      ecryptfs-setup-private

      Follow the on-screen prompts. This creates encrypted directories and manages keys.

    • Install AppArmor:
      sudo apt install apparmor apparmor-utils
    • Create an AppArmor profile for allowed applications: This is the core of process whitelisting. You’ll need to define which programs can access the encrypted directory.
      • Find the full path of the application you want to allow (e.g., /usr/bin/firefox).
      • Create or edit an AppArmor profile for that application in /etc/apparmor.d/. For example, create a file named /etc/apparmor.d/firefox_ecryptfs.
    • Example AppArmor Profile (firefox_ecryptfs): This allows Firefox to access the encrypted home directory:
      # Standard includes (the include targets were missing from the page; these are the usual ones).
      #include <tunables/global>

      # 'mediate' is not a recognised profile flag, so only attach_disconnected is kept.
      profile firefox_ecryptfs /usr/bin/firefox flags=(attach_disconnected)
      {
        #include <abstractions/base>
        # Blanket rule: grants every file path, so the two path rules below add
        # nothing until this line is removed or narrowed.
        file,
        # Privileged capability; ordinary browsing does not need it.
        capability net_admin,
        network inet tcp,
        network inet udp,
        # ~/.Private is the eCryptfs lower (ciphertext) directory; the decrypted
        # view appears at the mount point (~/Private with ecryptfs-setup-private)
        # and needs its own rule if that path differs. '**' recurses into subdirectories.
        @{HOME}/.Private/** rw,
        /tmp/* rw,
      }

      Important: @{HOME} is defined by tunables/global; if you do not include it, replace @{HOME} with the actual path to your home directory.

    • Load the AppArmor profile:
      sudo apparmor_parser -r /etc/apparmor.d/firefox_ecryptfs
    • Test: Try accessing the encrypted files with Firefox (should work). Try accessing them with another program (should be denied).
  4. Commercial Solutions: Several commercial disk encryption products offer process whitelisting features. These often come with easier-to-use interfaces and support.
    • FolderLock: Offers application control to restrict access to encrypted folders.
    • DeviceLock: Provides comprehensive endpoint data protection, including process-based encryption controls.
  5. Important Considerations:
    • Complexity: eCryptfs/AppArmor is complex and requires careful configuration. Mistakes can lock you out of your files.
    • Maintenance: AppArmor profiles need updating when applications are upgraded.
    • Performance: Encryption always has a performance impact, and process whitelisting adds further overhead on top of it.
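The AppArmor profile in step 3 and its "Test" bullet are easier to get right if you review the rules before loading them. The checker below is an added example, not code from the page or from the AppArmor project: it parses a small subset of profile syntax, evaluates whether a given path and permission would be granted to the confined program (deny rules win, `*` stays inside one path component, `**` crosses directories, `owner` rules apply only to files the process's user owns) and reports the mistakes that defeat the whitelist intent, such as a blanket `file,` rule or `complain` mode. It assumes eCryptfs was set up with `ecryptfs-setup-private`, so the decrypted view is at `@{HOME}/Private` and the ciphertext lower directory at `@{HOME}/.Private`; the sample profiles and the `/home/alice` value are constructed for the example. Keep in mind what a profile can and cannot do: it confines the program it is attached to, so it controls what Firefox may read, but a program running with no profile is unconfined and is not restricted by this file at all.

```python
"""Pre-load sanity check of an AppArmor profile against a whitelisting intent.

Added example, not code from the page. It models a subset of AppArmor syntax:
path rules ("/p/** rw,"), "owner" and "deny" prefixes, the blanket "file,"
rule, @{VAR} tunables and profile flags. It does not read #include'd
abstractions or model exec transitions, so its verdict is a static review of
the rules you wrote, not proof of what the kernel will enforce.
"""
import re

# Path rule: [deny] [owner] <glob> <perms>
RULE_RE = re.compile(r"^(?:(deny)\s+)?(?:(owner)\s+)?((?:@\{\w+\})?/\S+)\s+([rwxmklaPUCpuci]+)$")
# Profile header: [profile NAME] [/attach/path] [flags=(...)] [{]
HEADER_RE = re.compile(r"^(?:profile\s+(\S+)\s+)?(/\S+)?\s*(?:flags=\(([^)]*)\))?\s*\{?$")
BLANKET_PERMS = "rwxmlk"   # roughly what a bare "file," rule grants


def glob_to_regex(glob):
    """AppArmor globbing: '*' stays inside one path component, '**' crosses '/'."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        else:
            out.append({"*": "[^/]*", "?": "[^/]"}.get(glob[i], re.escape(glob[i])))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_profile(text, variables):
    """Parse one profile; `variables` expands @{HOME}-style tunables."""
    prof = {"name": None, "attach": None, "flags": set(), "blanket_file": False, "rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("{", "}"):
            continue                                    # blanks, comments, #include, braces
        line = line.split("#")[0].rstrip().rstrip(",")  # drop trailing comment and comma
        if line.startswith("profile ") or line.endswith("{"):
            m = HEADER_RE.match(line)
            if m:
                prof["name"], prof["attach"] = m.group(1), m.group(2)
                prof["flags"] = {f.strip() for f in (m.group(3) or "").split(",") if f.strip()}
                continue
        if line == "file":
            prof["blanket_file"] = True
            continue
        m = RULE_RE.match(line)
        if m:                                           # network/capability rules are ignored
            glob = re.sub(r"@\{(\w+)\}", lambda v: variables.get(v.group(1), v.group(0)), m.group(3))
            prof["rules"].append({"deny": bool(m.group(1)), "owner": bool(m.group(2)),
                                  "glob": glob, "perms": m.group(4), "regex": glob_to_regex(glob)})
    return prof


def check_access(prof, path, perms, is_owner=True):
    """True iff every permission in `perms` is granted for `path`; deny rules win."""
    for p in perms:
        hits = [r for r in prof["rules"]
                if p in r["perms"] and r["regex"].match(path) and (is_owner or not r["owner"])]
        if any(r["deny"] for r in hits):
            return False
        blanket = prof["blanket_file"] and p in BLANKET_PERMS
        if not (blanket or any(not r["deny"] for r in hits)):
            return False
    return True


def lint(prof, mount_point):
    """Findings that defeat the whitelist intent for the decrypted view at `mount_point`."""
    findings = []
    if "complain" in prof["flags"]:
        findings.append("complain mode: violations are only logged, never blocked")
    if prof["blanket_file"]:
        findings.append("blanket 'file,' rule grants every path; the directory rules add nothing")
    if not check_access(prof, mount_point.rstrip("/") + "/probe.txt", "rw"):
        findings.append(f"no allow rule grants rw under {mount_point}; the app cannot use the decrypted files")
    if prof["attach"] is None:
        findings.append("no attachment path: the profile is never applied automatically")
    return findings


# Constructed sample profiles (not the page's text). STRICT_PROFILE is the shape
# this checker approves; LOOSE_PROFILE carries two common mistakes.
STRICT_PROFILE = """
#include <tunables/global>
profile firefox_ecryptfs /usr/bin/firefox flags=(attach_disconnected) {
  #include <abstractions/base>
  network inet tcp,
  owner @{HOME}/Private/** rw,        # decrypted eCryptfs view (mount point)
  deny  @{HOME}/.Private/** rwklmx,   # ciphertext lower directory: the app has no business there
  /tmp/* rw,
}
"""
LOOSE_PROFILE = """
profile firefox_ecryptfs /usr/bin/firefox flags=(attach_disconnected,complain) {
  #include <abstractions/base>
  file,
  @{HOME}/.Private/** rw,
}
"""
VARS = {"HOME": "/home/alice"}   # constructed; tunables/global derives this from the real user

if __name__ == "__main__":
    for label, text in (("strict", STRICT_PROFILE), ("loose", LOOSE_PROFILE)):
        prof = parse_profile(text, VARS)
        print(label, "findings:", lint(prof, "/home/alice/Private") or "none")
```

Run it before `apparmor_parser -r`: a clean result on the strict profile and two findings on the loose one show the difference between a profile that merely lets Firefox work and one that actually limits what it may touch. The real test in step 3 still applies afterwards, because the kernel's matching (abstractions included) is what counts.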