Encryption Minifilter and network file systems

Hi,

I’m trying to develop a minifilter that encrypts files. I have it working for local file systems; however, it often fails for Lanmanredirector. For local file systems I was using the technique of encrypting only non-cached/paging I/O IRPs.

For a network FS I often run into a situation where no such IRPs are posted during a write operation. Instead, just an IRP with IRP_MJ_WRITE and the IRP_DEFER_IO_COMPLETION flag comes in, and that’s it. Is there any technique to handle network FS write requests properly? Thanks!

A similar question (unanswered) is here:
http://www.osronline.com/showThread.cfm?link=103786

Because oplocks…

Redirector may not be allowed to cache write data due to the oplock state of
the file. In this case, it will take the incoming cached write and send it
over the network. Because the write bypasses the file system cache on the
client, you will not see a subsequent paging I/O for the modified region.

Redirector does not expose the oplock state of the file, thus there is no
way to know if a given write will be cached on the client or sent to the
server. There are only two ways out of this that I know of:

  1. Do the encrypt/decrypt on the server side

  2. Implement an Isolation filter. In this case you have your own caching
    layer and know that anything sent to the FSD needs to be encrypted.

-scott
OSR
@OSRDrivers

Thanks for the detailed response, Scott. Regarding the isolation filter, I just read the OSR article about it. I’m wondering whether that technique is safe and whether there’s any open source sample available to better understand what’s involved. Thanks!

What do you mean by “safe”? We use it for our File Encryption Solution
Framework and, while it has LOTS of complexity it solves a lot of problems.

I don’t think there are any freely available samples.

You basically need to implement a file system within your file system
filter. This includes all of the interactions with the Cc and Mm.

To give you an order of magnitude in terms of complexity, we estimate that
we’re approaching 10 engineering years into our Isolation Framework. It’s a
significant product and business decision to go down this path, but it’s
doable.

-scott
OSR
@OSRDrivers

I got it, thanks for the information!