
SecretAgent w/ Transparent Encryption (SA/TE)


SA/TE is a plug-in extension that adds transparent encryption capabilities to the SecretAgent 7.x security console. In the context of SecretAgent, transparent encryption means the automatic, on-the-fly, encryption of files according to specified rules and without direct user intervention. SA/TE supports rules that trigger encryption based on:

  • a file’s type (i.e., its file extension)
  • a file’s location
  • the application creating or accessing the file
  • keywords or phrases appearing in the file


SA/TE file encryption rules:
  • specify an access control list (ACL), a list of X.509 “recipient” certificates under which matching files are encrypted
  • are defined by an administrator and, if permitted, by individual users


Benefits

SA/TE:
  • protects sensitive files automatically without user intervention
    - rules defined and centrally managed by an administrator determine which files are protected
  • provides secure file exchange between Windows and Linux
    - files encrypted on either operating system can be decrypted on the other
  • works with network file systems
    - SA/TE properly handles local disks, Windows shares, and CIFS file systems
  • extends SecretAgent
    - SecretAgent can create encrypted SA/TE files as well as decrypt them
  • supports DAS
    - if encryption is performed on behalf of the members of a DAS “Community of Interest” (CoI), decryption must be mediated by a DAS server
  • is compatible with Bagala
    - SA/TE file encryption rule sets may be established and managed by a Bagala administrator and deployed throughout the enterprise

Transparent Encryption (sample scenario)

[Figure: SA/TE encryption diagram]

Transparent Decryption (sample scenario)

[Figure: SA/TE decryption diagram]


Typically, an encrypted file is transparently decrypted for any process owned by an entity on its ACL… but there are exceptions!


The SA/TE package consists of:
  • the FESF file system layer (developed by OSR)
    - mediates between application read/write requests and disk I/O
  • the ISC Security Policy Library (developed by ISC)
    - makes encrypt/decrypt decisions
    - performs all certificate and key management tasks
    - mediates all public and private key operations
  • a Cryptographic Service Provider
    - provides access to private key operations through a PKCS#11 API
    - may be DAS-enabled
  • the Linux Kernel Crypto API
    - performs symmetric encryption/decryption (AES) and hashing

File Format

SA/TE files are constructed in such a way that FESF will immediately recognize them as encrypted and handle them appropriately. Each SA/TE file consists of:
  • a cryptographic header:
    - encryption and message digest algorithm IDs
    - the certificate of each ACL member together with the file’s random AES key (“DEK”) wrapped with the public key in that certificate (“KEK”)
    - a message authentication code (MAC) used for integrity checking of the header
    - a message digest used to verify integrity of the payload
  • AES-encrypted ciphertext
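The container structure described above, as an added example written against Ruby's standard OpenSSL bindings (not SA/TE's or ISC's code): one random DEK encrypts the payload, that DEK is wrapped once per ACL member under the member's public key (the KEK), a MAC covers the header and a digest covers the payload. The byte layout, the algorithm choices (RSA-OAEP wrapping, AES-256-GCM, SHA-256), the string identities standing in for X.509 recipient certificates, and keying the header MAC with the DEK are all assumptions.

```ruby
require 'openssl'

# Added example, not SA/TE code: models the header/payload structure the page describes.
# Byte layout, algorithm choices (RSA-OAEP wrap, AES-256-GCM, SHA-256) and keying the
# header MAC with the DEK are assumptions.
module SateLike
  ALG = 'AES-256-GCM/SHA-256'

  # Header = algorithm IDs + each ACL member's identity (stand-in for their certificate)
  # and the DEK wrapped under that member's public key (the KEK).
  def self.header(alg, wrapped)
    alg.b + wrapped.map { |id, w| id.b + w }.join
  end

  # Constant-time compare for the header MAC.
  def self.same?(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end

  # Encrypt once under a random DEK; wrap that DEK for every ACL member.
  # acl: { 'identity' => OpenSSL::PKey::RSA public key }
  def self.seal(plaintext, acl)
    dek = OpenSSL::Random.random_bytes(32)
    wrapped = acl.transform_values { |pub| pub.public_encrypt(dek, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING) }
    enc = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    enc.key = dek
    iv = enc.random_iv
    ciphertext = enc.update(plaintext) + enc.final
    { alg: ALG, wrapped: wrapped, iv: iv, tag: enc.auth_tag, ciphertext: ciphertext,
      header_mac: OpenSSL::HMAC.digest('SHA256', dek, header(ALG, wrapped)), # header integrity
      digest: OpenSSL::Digest.digest('SHA256', plaintext) }                    # payload integrity
  end

  # What the file system layer does for a process whose owner is on the ACL:
  # unwrap the DEK, verify the header, decrypt, verify the payload digest.
  def self.unseal(c, id, priv)
    w = c[:wrapped][id] or raise 'requester is not on the ACL'
    dek = priv.private_decrypt(w, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    mac = OpenSSL::HMAC.digest('SHA256', dek, header(c[:alg], c[:wrapped]))
    raise 'header MAC mismatch' unless same?(mac, c[:header_mac])
    dec = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    dec.key = dek
    dec.iv = c[:iv]
    dec.auth_tag = c[:tag]
    plaintext = dec.update(c[:ciphertext]) + dec.final
    raise 'payload digest mismatch' unless OpenSSL::Digest.digest('SHA256', plaintext) == c[:digest]
    plaintext
  end
end
```

Because the DEK is wrapped separately for each recipient, adding or removing an ACL member changes only header entries, and a reader whose key is not on the ACL never reaches the ciphertext.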

Ecosystem Requirements

  • A means of establishing and managing rules
    - SA/TE may be used to create and manage encryption rules for an individual user
    - Bagala can centrally manage, deploy, and enforce the use of rules throughout an enterprise
  • A cryptographic service provider
    - stores and provides access to user credentials
    - normally a PKCS#11 HSM or software emulator
    - CSPid or Acala (on Linux)
  • Supports Windows and the following Linux filesystems
    - ext4 (local filesystem)
    - CIFS (remote filesystem)
