SecretAgent/TE: Automatic, On-The-Fly Encryption

SecretAgent/TE 1.9.4

File encryption applications often require the user to manually select sensitive files, click encrypt, select or enter a list of recipients (an ACL), and then click save. This process, which requires the user to be conscious of each encryption step, is error-prone and can disrupt the user’s normal workflow.

SecretAgent/TE protects sensitive files transparently using preconfigured rules. With SA/TE, encryption just happens, without relying on user interaction.

Rule-Based Encryption

SecretAgent/TE supports rules that trigger encryption based on:

  • a file’s type (i.e., its file extension)
  • a file’s location
  • the application creating or accessing the file
  • keywords or phrases appearing in the file

Each rule specifies the ACL to be applied to its matching files. Sets of rules may be established and managed centrally by one or more administrators and, if permitted, locally by individual users.

Use Cases for SecretAgent/TE

Safeguarding Data at Rest
Secures sensitive files with strong encryption, on desktops, laptops, network attached storage, and backup media

Protecting Data in Use
Protects sensitive data in storage even while the files are in use: plaintext is provided in memory and on demand to authorized applications and is never written to disk

Defending against Advanced Persistent Threats, Viruses, and Malware
Prevents unauthorized users and processes from accessing plaintext and exfiltrating data

Enabling Secure Collaboration
Turns existing workflows into a secure collaborative environment

Achieving Compliance
Helps meet data privacy compliance regulations such as HIPAA, PCI, and GDPR


  • Supports ‘in-place’ editing of encrypted documents
  • Works with all applications and file systems
  • Supports secure file exchange between all supported operating systems
  • May be easily deployed and centrally managed
  • Appropriate for organizations of any size, scaling up to millions of users
  • Uses NIST CMVP-validated FIPS 140-2 cryptography and proven security standards, including ANSI X.509 and IETF PKIX, TLS, and S/MIME

Technical Specifications

  • Bulk Encryption: 128/192/256-bit AES-CBC (FIPS 197)
  • Key Exchange: RSA (up to 16384-bit keys; FIPS 186-4; ANSI X9.31), ECDH (233/283/409/571-bit NIST curves in char. 2, 256/384/521-bit NIST curves in char. p; NIST SP800-56A; ANSI X9.63; IEEE 1363)
  • Message Authentication: SHA-1 (FIPS 180-4; ANSI X9.30), SHA-2 (FIPS 180-4)
  • DRBG: NIST SP800-90A HMAC_DRBG SHA-256 (256-bit)
  • Hardware Support: Supported APIs include PKCS#11, Microsoft CAPI; Microsoft Supported Tokens: DOD CAC, PIV, other smart cards, USB tokens, hardware security modules and biometric devices

System Requirements

  • Windows 7, 8, 8.1, 10, or above (x64)
  • CentOS 7.4 (Linux Kernel 3.10.0-957) or above (x64)