File/Folder Encryption solutions SHOULD be considered for use with sensitive pieces of user data with high confidentiality requirements, such as trade secrets and datasets containing personally identifiable information (PII).
There may be situations where a business needs to encrypt individual pieces of data rather than an entire storage device, as full disk encryption (FDE) does. File encryption encrypts individual files on a storage device and permits decryption only after proper authentication is provided. Folder encryption follows the same concept but applies it to entire folders of data. There are various proprietary and third-party solutions for file/folder encryption. Windows Encrypting File System (EFS) is a Microsoft solution that uses public-key cryptography to encrypt pieces of data on the NTFS filesystem. EFS is intended for basic user data and cannot be used to encrypt compressed files, system files and directories, root directories, and transactions. Linux systems have a number of options to choose from for file/folder encryption, with GnuPG being a popular choice.
A file/folder encryption solution encrypts the chosen files or folders once configured by the user. Subsequently, when a user attempts to access the file or folder, they are required to authenticate with something like a password or smart card. If authentication succeeds, the encryption solution decrypts the data and the user is allowed access. Just as with full disk encryption, businesses should ensure that implementations of file/folder encryption are properly configured and managed, especially the authenticators used in the decryption process. Businesses should also note that file/folder encryption has downsides compared with other strategies. Notably, it does not address residual plaintext that may remain in the system swap file, and it does not protect filenames and metadata, which can themselves provide useful information to threat actors.
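The following is an added example, not code from the original page and not the implementation of EFS, GnuPG or any other product. It shows the two ideas above in working form: a password-authenticated file encryptor (decryption fails unless the password verifies), and a check of what the encrypted file still reveals to anyone who can list the directory. It uses only the Python standard library, so the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag rather than AES; that construction, the file format, the sample filename, contents and password are all assumptions made for this demonstration.

```python
"""Added example (not from the original page, not EFS or GnuPG code): a minimal
password-authenticated file encryptor built only from the Python standard
library, followed by a check of what the encrypted file still reveals.

The cipher is a counter-mode keystream generated with HMAC-SHA256 plus an
encrypt-then-MAC tag. It is used here only because the standard library has no
AES; a real deployment would use a vetted AEAD such as AES-GCM from a crypto
library, or an established tool. Names, file contents and the password are
constructed for this demonstration."""
import hashlib
import hmac
import os
import secrets
import struct
import tempfile

MAGIC = b"FFE1"                                   # constructed format marker
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN    # 36 bytes
OVERHEAD = HEADER_LEN + TAG_LEN                   # 68 bytes added per file

# Constructed sample: the filename itself is sensitive, which is the point.
SAMPLE_NAME = "q3-merger-plan.txt"
SAMPLE_DATA = b"constructed sample: acquisition target, offer price, closing date\n"
PASSWORD = b"correct horse battery staple"


def _derive_keys(password: bytes, salt: bytes):
    """Stretch the password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: PRF(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(src: str, dst: str, password: bytes) -> None:
    """Write header || ciphertext || tag to dst. Fresh salt and nonce per file."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    with open(src, "rb") as f:
        plaintext = f.read()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    with open(dst, "wb") as f:
        f.write(header + ciphertext + tag)


def decrypt_file(src: str, password: bytes) -> bytes:
    """Authenticate first (wrong password or tampering fails here), then decrypt."""
    with open(src, "rb") as f:
        blob = f.read()
    if len(blob) < OVERHEAD or not blob.startswith(MAGIC):
        raise ValueError("not a file produced by encrypt_file")
    header, body, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("authentication failed: wrong password or modified file")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def leaked_metadata(path: str) -> dict:
    """What anyone with read access to the directory learns without the password."""
    st = os.stat(path)
    return {"name": os.path.basename(path), "size": st.st_size, "mtime": int(st.st_mtime)}


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, SAMPLE_NAME)
        enc = plain + ".enc"
        with open(plain, "wb") as f:
            f.write(SAMPLE_DATA)
        encrypt_file(plain, enc, PASSWORD)
        os.remove(plain)  # plaintext copy gone; any copy in swap is outside our control

        roundtrip = decrypt_file(enc, PASSWORD) == SAMPLE_DATA
        try:
            decrypt_file(enc, b"wrong password")
            wrong_rejected = False
        except PermissionError:
            wrong_rejected = True

        leaked = leaked_metadata(enc)
        # The name still says "merger plan", and size minus the fixed overhead
        # gives the exact plaintext length: content is hidden, metadata is not.
        leaked["plaintext_length_inferred"] = leaked["size"] - OVERHEAD
        return {"roundtrip": roundtrip, "wrong_password_rejected": wrong_rejected, "leaked": leaked}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the trade-off the paragraph describes: the content cannot be read or silently modified without the password, but the directory listing still exposes the filename, the plaintext length (to within the constant 68-byte overhead) and the modification time. Tools that care about this rename files to opaque identifiers and pad ciphertext; nothing in this scheme, or in plain file encryption generally, scrubs plaintext that the operating system may already have written to swap.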
