Per-File Encryption is a security architecture where every individual file is encrypted with a unique, dedicated cryptographic key, rather than using a single key for an entire disk, folder, or database.

Traditional At-Rest Encryption (BitLocker, FileVault) protects data only while the device is powered off or the volume is unmounted; once a user logs in, every process that can read the file gets plaintext. Per-File Encryption instead stays with the data wherever it travels. Whether a file is sitting in a sanctioned cloud, moving through Shadow SaaS, or sitting on a contractor’s unmanaged laptop, it remains ciphertext, unreadable to anyone who cannot pass the identity and permission check that releases that exact file's key.

How Does Per-File Encryption Work?

In a Per-File Encryption model, the security is "Identity-Bound" and decentralized. Here is the typical workflow:

  1. Unique Key Generation: Every time a file is created or modified, a unique Data Encryption Key (DEK) is generated for that file. No two files share a DEK, and a re-encrypted file gets a fresh one.
  2. Encryption At The Edge: The file is encrypted with a FIPS-approved authenticated cipher (for example AES-256-GCM) from a FIPS 140-validated module, before it leaves the user's device or the application.
  3. Persistent Protection: The ciphertext travels with a header that holds the DEK wrapped (encrypted) under a key the key service controls, together with the policy metadata bound to it. The only way to open the file is to pass a real-time Context-Aware Access check that unwraps that DEK; without that key release there is no plaintext, no matter who holds the bytes.
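The three steps above, as an added example that is not Theodosian's code or the page's own: a per-file DEK, AES-256-GCM at the edge, and a header carrying the DEK wrapped under a key-encryption key (KEK) that only a stand-in key service holds. The header layout, the policy fields, the `KeyService` API and the principal names are assumptions made for this example; AES-GCM comes from the `cryptography` package, which the example assumes is installed. The policy metadata is used as the authenticated additional data (AAD) for both the wrapped DEK and the content, so an attacker who can edit the header cannot add themselves to the policy without the unwrap failing. The same block also shows why one file's key opens nothing else and how revoking a principal at the key service stops future opens without touching the files, points the sections below return to.

```python
# Added example (not Theodosian's code): per-file envelope encryption with an
# identity-bound key release. Header layout, policy fields and the KeyService
# API are hypothetical; AES-256-GCM comes from the `cryptography` package.
import json
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN, TAG_LEN = 12, 16


@dataclass
class Header:
    """Travels with the ciphertext: the policy plus this file's wrapped DEK."""
    file_id: str
    allowed_to: list[str]     # principals permitted to unwrap the DEK
    wrapped_dek: bytes = b""  # AES-GCM(KEK, DEK, aad=policy_bytes(header))


def policy_bytes(h: Header) -> bytes:
    """Canonical policy encoding, used as AAD for both the wrapped DEK and the
    content, so an edited or re-paired policy makes the unwrap fail."""
    policy = {"file_id": h.file_id, "allowed_to": h.allowed_to}
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM; output is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def open_sealed(key: bytes, sealed: bytes, aad: bytes) -> bytes:
    """Inverse of seal; raises InvalidTag if key, ciphertext or AAD is wrong."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        raise InvalidTag("ciphertext too short")
    return AESGCM(key).decrypt(sealed[:NONCE_LEN], sealed[NONCE_LEN:], aad)


class KeyService:
    """Stand-in for the identity-bound key-release service: holds the KEK,
    decides every unwrap request and records each decision (the audit trail)."""

    def __init__(self) -> None:
        self._kek = AESGCM.generate_key(bit_length=256)
        self.revoked: set[str] = set()
        self.audit: list[str] = []

    def wrap(self, header: Header) -> tuple[bytes, bytes]:
        """Like a KMS 'generate data key' call: a fresh DEK for this one file,
        returned to the edge for encryption and wrapped under the KEK."""
        dek = AESGCM.generate_key(bit_length=256)
        return dek, seal(self._kek, dek, policy_bytes(header))

    def unwrap(self, principal: str, header: Header) -> bytes:
        """The access check behind every open: revocation, policy membership,
        then the KEK unwrap, which fails if the policy changed after wrapping."""
        if principal in self.revoked:
            reason = "revoked"
        elif principal not in header.allowed_to:
            reason = "not in policy"
        else:
            try:
                dek = open_sealed(self._kek, header.wrapped_dek, policy_bytes(header))
            except InvalidTag:
                reason = "policy does not match wrapped key"
            else:
                self._record(principal, header, "ALLOW")
                return dek
        self._record(principal, header, "DENY " + reason)
        raise PermissionError(reason)

    def _record(self, principal: str, header: Header, decision: str) -> None:
        self.audit.append(f"file={header.file_id} principal={principal} {decision}")


def encrypt_file(ks: KeyService, file_id: str, allowed_to: list[str],
                 plaintext: bytes) -> tuple[Header, bytes]:
    """Runs at the edge, before the file leaves the device or application."""
    header = Header(file_id, list(allowed_to))
    dek, header.wrapped_dek = ks.wrap(header)
    return header, seal(dek, plaintext, policy_bytes(header))


def decrypt_file(ks: KeyService, principal: str, header: Header, ct: bytes) -> bytes:
    """The only path to plaintext: no key release, no plaintext."""
    return open_sealed(ks.unwrap(principal, header), ct, policy_bytes(header))


if __name__ == "__main__":
    ks = KeyService()
    hdr, ct = encrypt_file(ks, "drawing-001.pdf", ["alice", "bob"], b"constructed sample")
    print(decrypt_file(ks, "bob", hdr, ct))
    ks.revoked.add("bob")
    try:
        decrypt_file(ks, "bob", hdr, ct)
    except PermissionError as e:
        print("bob after revocation:", e)
    print(*ks.audit, sep="\n")
```

Two design choices matter more than the cipher. First, the edge never holds the KEK: it receives a DEK once, encrypts, and keeps only the wrapped copy in the header, so a dump of storage yields ciphertext plus keys that only the service can unwrap. Second, every denial is recorded with its reason; in a real deployment the unwrap request would also carry device, location and session context for the Context-Aware Access check, and the audit line would be the per-file record that the compliance section below relies on.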

Why Is Per-File Encryption Superior to Full-Disk Encryption?

For a CISO, Per-File Encryption addresses the "Blast Radius" problem that traditional encryption leaves open: once a volume is mounted, full-disk encryption protects nothing, and one compromised host or account can read everything it has filesystem access to.

  • Containing A Compromised Store: If an attacker compromises a server or storage bucket, they get ciphertext, not files they can browse. Because every file has a different key, recovering one file's key does not unlock the next; each file needs its own key release, and each request is a logged decision the key service can refuse. The caveat is that per-file keys do not help if the attacker compromises the key service itself or an authorized user's live session, so those are the components to protect hardest.
  • Securing Data In Transit: Full-disk encryption decrypts on read, so what leaves the disk for the network is plaintext, protected only by whatever transport security the channel happens to have. With per-file encryption the bytes are already ciphertext before they hit the network, so a misconfigured proxy, a downgraded connection, or a Man-in-the-Middle (MitM) yields only ciphertext. TLS is still required for the channel; the file layer is defence in depth beneath it.
  • Safe Harbor In The Cloud: When the keys are held outside the provider, the cloud provider (AWS, Google, or any other) stores and replicates ciphertext and never sees the plaintext. This allows you to store sensitive CUI or PHI in the public cloud while key custody, and therefore control of the data, stays with you. The condition matters: if the provider also manages the keys, it can read the data, and this benefit disappears.
  • Combating Shadow IT: If an employee uploads a file to an unauthorized Shadow AI tool, the tool receives ciphertext. It cannot read or train on the content because it does not hold the file's key. The limit is that this protects the file as an object; it cannot stop an authorized user from opening the file legitimately and pasting the plaintext into the tool, which remains a DLP and awareness problem.

Key Benefits of Per-File Encryption for Compliance

Per-file encryption gives a direct answer to the "Accountability" and "Integrity" requirements of modern regulations, because every access becomes an individually logged key-release decision:

  1. Granular Audit Trails: Because every open requires a key release, the key service records each one: which file, which identity, from which device and location, and whether it was allowed or denied. That is a per-document audit trail rather than a per-volume or per-share one, and denials are recorded as well as successes.
  2. Instant Revocation: When an employee is terminated, revoking their identity at the key service stops every future key release for them, without touching the files, re-encrypting anything, or affecting other users. Revocation cannot recall plaintext already decrypted or cached on a device, so pair it with short key-release lifetimes and client-side key purging.
  3. CMMC & ITAR Readiness: Per-file encryption keeps ITAR technical data unreadable to users who can reach the storage folder but are not authorized for the file, because the folder ACL no longer decides who can read the content; the file's own key policy does. An over-broad share or an ACL mistake therefore does not turn into an accidental "export" to an unauthorized person.

FAQs: Per-File Encryption

Does per-file encryption slow down user performance?

With AES-NI on modern processors, the bulk encryption itself is effectively free: AES-GCM runs at gigabytes per second per core, faster than any disk or network the file will cross. The cost a user can notice is the key-release round trip to the key service on each open, typically tens of milliseconds, plus whatever the policy check needs. How that round trip is handled (caching a released key for the session, and defining what happens when the key service is unreachable) is where per-file products differ, not in the cipher.

How does Theodosian deliver industry leading per-file encryption?

Theodosian takes per-file encryption to the "Atomic Level."

  • Zero-Knowledge Architecture: We never see your keys or your data.
  • Invisible UX: We automate the key management lifecycle, so employees don't have to manage passwords or "vaults"; the file just works for authorized users.
  • Dynamic Geofencing: We link Context-Aware Access to every file. If a file is opened from a restricted region, Theodosian refuses to release that file's key, so the attempt fails before any plaintext exists on the device.

Additional Resources:

Data Governance Doesn't End When the File Leaves: The Case for Persistent File-Level Governance

File-Centric Zero Trust: Why Security Has to Live in the File, Not the Network

Per-File Encryption vs. Disk Encryption vs. DLP: Which One Actually Protects CUI When It Leaves Your Environment?