Encrypt Microsoft OneDrive files with CTE
This document describes how to encrypt files in Microsoft OneDrive with CTE.
Use Cases
- Encrypt Microsoft OneDrive files with CTE for standard policies on a Windows server
Test Environment
-
CTE Agent: 7.4.0
-
CipherTrust Manager: 2.10.0
-
OS: Windows 10 Azure VM (OneDrive is built into Windows 10)
-
OneDrive setup (Host VM/OS) for other Windows platforms:
-
Download the OneDrive Application from Microsoft and install it.
-
Follow the steps in Sync files with OneDrive in Windows to sync the files using OneDrive.
-
Steps
To integrate CTE with Microsoft OneDrive:
Note
Microsoft OneDrive is already configured in the Azure VM environment and can be seen in File Explorer. View files in your OneDrive cloud from OneDrive.live account.
Deploy a CipherTrust Manager in Microsoft Azure
Install and Register the CTE Agent
-
Install CTE Agent on a client system where OneDrive is mounted. Refer to CTE Agent Quick Start Guide for details.
-
Register the CTE Agent with the CipherTrust Manager deployed in Azure.
Encrypt data on a OneDrive folder with CTE
OneDrive Files On-Demand allows you to access all of your files in your OneDrive cloud storage without having to download them and use local storage space. If this is enabled, the files and folders are shown as Reparse Points locally. You can still see all of your files as online-only files in File Explorer, but they do not use local space. When you are connected to the Internet, you can use the files like every other file on your device.
Note
-
Before guarding, enabling, disabling, or unguarding, pause syncing on OneDrive.
-
For the
vmlfs driver, the Files-On-Demand feature of OneDrive must be disabled. For thevmfiltr driver, the Files-On-Demand feature of OneDrive does not need to be disabled.
Use Case 1: Encrypting new data in OneDrive
When creating a GuardPoint for new data, use a Standard Encryption policy to encrypt this data.
| Policy Type | Standard | |
|---|---|---|
| Security Rules | ||
| Line 1 | Effect | Audit, Permit |
| Line 1 | Action | all_ops |
| Process Set | OneDrive | C:\Users\winAdministrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe, C:\Windows\sysWOW64\OneDrive.exe |
| Security Rules | ||
| Line 2 | Effect | Audit, Permit, ApplyKey |
| Line 2 | Action | all_ops |
After you create and guard a folder in OneDrive:
-
Create/copy files that should be encrypted to a backup file. The files, when viewed online are in encrypted form. Same files in VM (locally) – in clear.
-
After disabling the GuardPoint:
-
Files in OneDrive cloud – encrypted
-
Same files in VM (locally) – encrypted
-
-
After enabling the GuardPoint:
-
Files in OneDrive cloud – encrypted
-
Same files in VM (locally) – in clear
-
Use Case 2: Encrypting already existing data in OneDrive
For data that already exists in a OneDrive, you have to:
-
Create the GuardPoint and apply an initial transformation policy.
-
When initial transformation is finished, apply the Production policy.
-
Resume the OneDrive/CTE synchronization.
| Policy Type | Data Transformation: Initial Transformation | |
|---|---|---|
| Security Rules: | ||
| 1 | Effect | ApplyKey,Audit,Permit |
| 1 | Action | Key_op |
| 2 | Effect | Deny, Audit |
| 2 | Action | all_ops |
| Key Selection Rules | Clear_key | |
| Data Transformation rules | key1 |
| Policy Type | Data Transformation: Production | |
|---|---|---|
| Security Rules | ||
| Line 1 | Effect | Audit, Permit |
| Line 1 | Action | all_ops |
| Process Set | OneDrive | C:\Users\winAdministrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe, C:\Windows\sysWOW64\OneDrive.exe |
| Security Rules | ||
| Line 2 | Effect | Audit, Permit, ApplyKey |
| Line 2 | Action | all_ops |
| Key Selection Rules | key1 | |
See the CTE Data Transformation Guide for more information.
