Encryption products are broken down into five major categories: file- or folder-level, volume or partition, media-level, field-level, and communications. They are further defined by their cryptographic key storage mechanism.
File-level encryption protects data on a logical file-by-file basis. File encryption includes on-disk file and folder solutions, as well as password-protected encrypted archival formats -- Pkzip, for example. File encryption allows specific files to be protected, such that less important files don’t waste the additional resources necessary to encrypt and decrypt.
File-level encryption routines are among the most mature, often built on well-tested standard algorithms and protocols such as 3DES (Triple Data Encryption Standard), AES (Advanced Encryption Standard), Diffie-Hellman, Blowfish, and RSA (Rivest-Shamir-Adleman). File encryption is often available at the OS level: Microsoft has EFS (Encrypting File System), and Mac OS uses FileVault. OS-level encryption often has trouble extending to new portable media types or across foreign volume partitions, so application-level file encryption solutions abound. The most popular is produced by PGP, which comes in both open source and commercial versions.
Folder-level encryption products encrypt the contents of entire folders, such as the Windows My Documents directory or the Linux or Mac user’s home directory. Be aware that many seemingly folder-level encryption products don’t encrypt the entire folder as a single object. Instead, they individually encrypt each file within the folder, using a file-specific key, a folder master key, or a combination of both. For instance, Microsoft’s EFS encrypts each file with its own unique symmetric key (even when the entire folder is selected for encryption), and that one key is shared by every user authorized to open the file. Each user’s copy of that shared symmetric file key is then encrypted with the user’s own asymmetric key.
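The EFS-style key hierarchy just described, as an added example in Go. This is not Microsoft's code or EFS's on-disk format; it is a constructed illustration of the structure: one fresh symmetric key per file, that key wrapped once per authorized user under the user's asymmetric key, and a folder "encrypted" simply by calling the per-file routine on each file inside it. The names `User`, `EncryptedFile`, `EncryptFile`, `DecryptFile` and `unwrapFileKey` are assumptions of this example; AES-GCM and RSA-OAEP are used as concrete stand-ins for the symmetric and asymmetric algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// User stands in for one EFS participant and the asymmetric key pair that
// protects that user's copies of file keys (constructed for this example).
type User struct {
	Name string
	Key  *rsa.PrivateKey
}

// EncryptedFile is one protected file: AES-GCM ciphertext plus a wrapped copy
// of the per-file symmetric key for every user allowed to open it.
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // user name -> RSA-OAEP(fileKey)
}

func NewUser(name string) (*User, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &User{Name: name, Key: k}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile draws a fresh 256-bit key for this file only, encrypts the
// contents with it, then wraps that one key separately for each user.
// A folder-level product in the EFS style simply calls this per file.
func EncryptFile(plaintext []byte, users []*User) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, WrappedKeys: map[string][]byte{}}
	ef.Ciphertext = gcm.Seal(nil, nonce, plaintext, nil)
	for _, u := range users {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &u.Key.PublicKey, fileKey, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedKeys[u.Name] = w
	}
	return ef, nil
}

// unwrapFileKey recovers the file key from the caller's own wrapped copy;
// a user with no wrapped copy (or the wrong private key) gets an error.
func unwrapFileKey(ef *EncryptedFile, u *User) ([]byte, error) {
	w, ok := ef.WrappedKeys[u.Name]
	if !ok {
		return nil, fmt.Errorf("no file key wrapped for user %s", u.Name)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, u.Key, w, nil)
}

// DecryptFile unwraps the file key for this user and opens the ciphertext.
func DecryptFile(ef *EncryptedFile, u *User) ([]byte, error) {
	fileKey, err := unwrapFileKey(ef, u)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	alice, _ := NewUser("alice")
	ef, _ := EncryptFile([]byte("constructed sample document"), []*User{alice})
	pt, err := DecryptFile(ef, alice)
	fmt.Printf("alice reads %q (err=%v)\n", pt, err)
}
```

Two properties worth checking in a design like this: every authorized user unwraps the same file key, and two files in the same folder never share one, so revoking a user or losing one file key affects only what it should.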
Although file-level encryption products are among the most popular and mature solutions, they have a major weakness that increasingly makes them less desirable: it is difficult to prevent unprotected data leaks with file-level encryption. For instance, suppose you enable file-level encryption on all files within your personal document folder. Although file-level encryption might protect the specific files indicated, it most likely will not protect any temporary files that an application or the operating system creates when the documents are opened, copied, or transmitted. Unless the user knows and protects every location where the data could be temporarily stored, a disk analysis program can find unprotected file remnants.
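A check for the leak described above, added here as an example and not taken from any product: a small Go scanner that walks the temporary and cache directories you point it at and reports every live file that still contains a known fragment of a document you believed was protected. `FindPlaintextRemnants`, `maxScanBytes` and the marker-string convention are assumptions of this example. It only sees files that still exist; deleted-file remnants in slack space are what a disk analysis tool recovers, and this scan cannot show those.

```go
package main

import (
	"bytes"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// maxScanBytes bounds how much of any single file is read, so a scan of a
// temp or cache tree does not stall on a huge media file (chosen for this example).
const maxScanBytes = 64 << 20

// FindPlaintextRemnants walks each root and returns the path of every regular
// file whose contents contain marker: a cleartext copy of data that was
// supposed to exist only inside an encrypted document. A missing root is an
// error; unreadable entries inside a root are skipped so the scan continues.
// Symlinks are not followed, since WalkDir reports them as non-regular entries.
func FindPlaintextRemnants(roots []string, marker []byte) ([]string, error) {
	if len(marker) == 0 {
		return nil, fmt.Errorf("marker must not be empty")
	}
	var hits []string
	for _, root := range roots {
		err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
			if err != nil {
				if d == nil { // the root itself could not be read
					return err
				}
				return nil
			}
			if !d.Type().IsRegular() {
				return nil
			}
			info, err := d.Info()
			if err != nil || info.Size() > maxScanBytes {
				return nil
			}
			data, err := os.ReadFile(path)
			if err != nil {
				return nil
			}
			if bytes.Contains(data, marker) {
				hits = append(hits, path)
			}
			return nil
		})
		if err != nil {
			return nil, err
		}
	}
	return hits, nil
}

// Usage: go run scan.go "<marker string>" <dir> [<dir>...]
// Typical roots are the system temp directory and the user's cache directory.
func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: scan <marker> <dir>...")
		os.Exit(2)
	}
	hits, err := FindPlaintextRemnants(os.Args[2:], []byte(os.Args[1]))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, h := range hits {
		fmt.Println("unprotected remnant:", h)
	}
}
```

Pick the marker as a distinctive string that appears only in the protected document (a project code name, an account number format) so that a hit is a genuine copy and not a coincidence.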
Several encryption solutions get around the major problem of file-level encryption by encrypting the entire volume or partition on which the file is stored. This can be done at the OS level or with an application. Some volume encryption products work by creating one large logical file that represents the entire encrypted volume; when data is copied to the volume, it is added to that larger encrypted file as a contained element. Other volume encryption products add a custom device driver that hooks into the operating system and inserts an encryption/decryption step into normal file reads and writes. One of the more popular open source volume encryption solutions is TrueCrypt.