While Anchor itself does not encrypt data on synced desktop clients, it is both possible and recommended to use drive encryption on agent machines as an additional layer of protection against lost or stolen devices.
(Additional information on Anchor architecture and server/transfer encryption can be found here.)
When choosing your encryption solution, it’s helpful to understand the two basic types of encryption available for user machines – at rest encryption and live encryption.
At rest encryption (Desktop client can sync)
At rest encryption protects the data on the disk before the operating system boots (this is what most vendors call full disk or volume encryption). The volume is unlocked once the key is supplied, either entered manually by the user or released automatically by the TPM when the hardware and boot configuration match what the TPM measured at setup. After that the OS boots, and data is accessible to both the user and applications without any further key entry, because decryption happens transparently below the file system.
Anchor can sync data in this scenario, as data is fully available to the operating system at the software/application level at the time our application is loaded.
Examples of at rest encryption
- BitLocker for Windows – BitLocker can be configured in a number of ways, from fully transparent (TPM-only: the TPM releases the key at boot with no user interaction whatsoever) to requiring a PIN or a USB startup key from the user in order to boot. Once the encryption key is supplied (by whichever method was chosen during BitLocker setup), the OS boots and presents the data as unencrypted, giving the user a transparent experience once the OS is running. Note that in TPM-only mode the volume is already unlocked by the time the Windows sign-in screen appears, so what stands between a thief and the data is the sign-in itself plus the TPM's refusal to release the key to a tampered boot chain; adding a PIN (TPM+PIN) keeps the volume locked until the user is present.
- FileVault for macOS – Much like its Windows counterpart, FileVault protects the data before the operating system is entered. The machine boots to a pre-OS login screen that requires the password of a user account enabled for FileVault. Once authenticated, data is presented as unencrypted within the OS. Running fdesetup status on the machine shows whether FileVault is on.
- Hardware encryption (self-encrypting drives, often sold as hardware FDE) – Some storage drives have built-in hardware that encrypts on the fly at the drive level. Instead of encryption being handled within the operating system using part of the boot partition, the storage device itself provides the encryption, making it OS and software agnostic. Once the key is input during the boot sequence, the OS boots fully unaware that encryption is in use. The caveat is that the implementation lives in the drive firmware and cannot be inspected from the OS, so the protection is only as good as that firmware; software encryption such as BitLocker can be layered on top where that is a concern.
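Before relying on at rest encryption on a Windows agent machine, it is worth checking that it is actually on and how the volume is unlocked. The following is an added example (not Anchor's own tooling) that uses the BitLocker PowerShell module to report every OS and fixed data volume, its protection status, and which protector unlocks it at boot, flagging the TPM-only configuration described above. The function name is our own; the script assumes an elevated session on a Windows edition that ships the BitLocker module.

```powershell
# Added example, not Anchor's own tooling: audit BitLocker on an agent machine.
# Run in an elevated PowerShell session on an edition that includes the
# BitLocker module. Reports whether each OS/fixed data volume is protected and
# which protector unlocks it at boot, flagging the TPM-only (transparent) case.

function Get-AtRestEncryptionReport {
    # Protectors that unlock the volume at boot, as opposed to recovery-only ones.
    $bootProtectors = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey'

    Get-BitLockerVolume |
        Where-Object { [string]$_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            $vol    = $_
            $types  = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
            $unlock = @($types | Where-Object { $_ -in $bootProtectors })

            $verdict =
                if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
                    'NOT PROTECTED: enable BitLocker and wait for encryption to finish'
                } elseif ($unlock.Count -eq 1 -and $unlock[0] -eq 'Tpm') {
                    'TPM-only: unlocks with no user interaction; consider adding a PIN'
                } elseif ([string]$vol.VolumeType -eq 'Data' -and $unlock -contains 'ExternalKey') {
                    'Auto-unlocked by the OS volume; only as strong as the OS volume protector'
                } else {
                    'Pre-boot authentication required'
                }

            [pscustomobject]@{
                Volume     = $vol.MountPoint
                Type       = [string]$vol.VolumeType
                Status     = [string]$vol.VolumeStatus
                Protection = [string]$vol.ProtectionStatus
                Protectors = ($types -join ', ')
                Verdict    = $verdict
            }
        }
}

Get-AtRestEncryptionReport | Format-Table -AutoSize -Wrap
```

A volume that shows a RecoveryPassword protector but no boot protector is not unlocked by BitLocker at all and is reported as not protected; the recovery password only matters once a boot protector is in place, so confirm separately that it has been escrowed somewhere the device itself cannot reach.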
Live encryption (Desktop client is unable to sync)
Live encryption means the data stays encrypted even after the OS has booted, so the OS itself does not have direct access to it. For instance, opening a file requires entering a passkey even though the OS is already loaded.
Another example is software that requires all files to be opened through a separate third-party application. That application supplies the key needed to decrypt the file, but the OS itself has no direct access to the contents.
Anchor is unable to sync data in these cases because it is completely unable to read the encrypted files (just as the OS itself cannot). If files encrypted in this way are placed inside a synced directory, Syncedtool (Anchor's agent) will record them as system exclusions while continuing to sync the other files.
Examples of live encryption:
- VeraCrypt – VeraCrypt keeps data inside an encrypted volume (a container file or a whole partition) that stays opaque until a user mounts it with the volume password or keyfile. Before it is mounted, no account on the machine, including SYSTEM (the account the OS itself runs under), can read the files inside; after the user mounts it, the contents appear as a virtual drive, and they become inaccessible again as soon as the volume is dismounted.
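The practical question for the live encryption case is which files in a folder the agent will actually be able to read. The following is an added example (not Anchor's own code) that probes a folder the way a sync agent would, opening each file for shared read and pulling the first block, and lists the files that fail, so that live-encrypted content is found before the folder is handed to sync. It also reports the Windows Encrypted attribute, which the OS sets on files it encrypts for a single user. The folder path and the function name are assumptions; run it under the account the agent actually uses rather than only as the interactive user, because a file the user can open may still be unreadable to that account.

```powershell
# Added example, not Anchor's own code: find files in a folder that the sync
# account cannot read before enabling sync on it. The folder path is assumed.

function Test-SyncReadability {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force | ForEach-Object {
        $file = $_
        $row = [pscustomobject]@{
            File        = $file.FullName
            # Set by Windows on files it encrypts per user; other accounts get access denied.
            OsEncrypted = ([int]($file.Attributes -band [IO.FileAttributes]::Encrypted)) -ne 0
            Readable    = $false
            Error       = $null
        }
        try {
            # Open for read with sharing, as a sync agent would, and read the
            # first block; this is the step that fails for live-encrypted files.
            $fs = [IO.File]::Open($file.FullName, [IO.FileMode]::Open,
                                  [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
            try {
                $buf = New-Object byte[] 4096
                [void]$fs.Read($buf, 0, $buf.Length)
                $row.Readable = $true
            } finally {
                $fs.Dispose()
            }
        } catch {
            # Unwrap the .NET exception so the real cause (e.g. UnauthorizedAccessException) is shown.
            $row.Error = $_.Exception.GetBaseException().GetType().Name
        }
        $row
    }
}

$probe = @(Test-SyncReadability -Path 'C:\Users\alice\Anchor')   # assumed synced folder
$probe | Where-Object { -not $_.Readable } | Format-Table File, OsEncrypted, Error -AutoSize
'{0} of {1} files readable by this account' -f @($probe | Where-Object Readable).Count, $probe.Count
```

A mounted VeraCrypt volume will show up as fully readable in this probe for the user who mounted it, while the container file it lives in is just one large opaque file; either way the result only describes the account the probe ran under, which is why it should be repeated as the agent's account.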