Building a Zero-Trust File Sharing System with EaseFilter
Author : Micheal Alexander | Published On : 14 Jul 2026
When building secure file-sharing systems for enterprise environments, traditional user-mode encryption often falls short. If a user has the key, they can decrypt the file, copy the contents, and bypass your access controls. To achieve true Digital Rights Management (DRM)—where you can enforce expiration dates, prevent unauthorized copying, and revoke access in real time—you need to operate deeper in the operating system.
Enter the EaseFilter Transparent File Encryption SDK.
The EaseFilter File Control SDK operates as a kernel-mode file system mini-filter driver. It intercepts file I/O requests (like opening, reading, and writing) before they reach the file system. This allows developers to inject on-the-fly AES encryption and enforce strict access policies that user-mode applications cannot bypass. In this post, we will explore how to architect a DRM-based file-sharing solution using EaseFilter.
The Technical Foundation: AES_TAG_CONTROL_DATA
At the heart of EaseFilter's DRM capabilities is a C++ structure known as AES_TAG_CONTROL_DATA. When you define access policies in your user-mode application, the SDK serializes those rules into this blueprint.
This structure is highly flexible. It handles fixed rules—like ExpireTime (evaluated by the kernel directly against the system clock) and AccessFlags (which dictate exact I/O permissions like read-only or block-delete). But where does this structure live once a file is encrypted? EaseFilter offers two architectural models for storing this data.
Architecture Model 1: Internal DRM Data (Decentralized)
In the Internal DRM model, the entire AES_TAG_CONTROL_DATA structure is injected directly into the physical bytes of the file itself, acting as an embedded, encrypted file header.
- The Advantage: Offline authentication. Because the expiration date, allowed users, and access rights travel physically with the file (whether sent via email, Slack, or USB), the user does not need an active internet connection to open it.
- The Limitation: Once the file leaves your network, you lose real-time control. You cannot revoke access instantly; you are strictly at the mercy of the hardcoded ExpireTime embedded in the header.
Architecture Model 2: Server-Side DRM (Centralized)
If you need the ability to click "Revoke" on an admin dashboard and immediately lock out a user halfway across the world, you need a centralized model. In this approach, the driver stores a lightweight Custom Tag—acting simply as a unique identifier, like a FileID. All the heavy lifting, rules, and keys live securely in your central database.
The Real-Time Workflow
- Kernel Interception: A user double-clicks the encrypted file. The EaseFilter driver intercepts the IRP_MJ_CREATE request in the kernel.
- Tag Extraction: The driver reads the encrypted file header and extracts the lightweight custom tag (e.g., FileID).
- User-Mode Callback: The driver triggers an event up to your background agent running on the machine.
- Access Control Decision: Your agent makes a secure API call to your remote server. If revoked, the agent tells the filter driver STATUS_ACCESS_DENIED, blocking the handle creation. If valid, it returns ALLOW alongside the ephemeral AES decryption key.
Dynamic Access Control and Audit Logging
The true power of the Server-Side DRM model lies in its ability to manage permissions and track file usage long after the file has left your corporate network. By centralizing the authentication step, you unlock real-time administrative controls and comprehensive security auditing.
Granting and Revoking Access Dynamically
Because the EaseFilter driver intercepts IRP_MJ_CREATE and queries your central server every single time a user attempts to open an encrypted file, your central database acts as the absolute source of truth.
- Instant Revocation: If an employee leaves the company or a file is shared with an unauthorized party, an administrator can simply toggle the user's status to Revoked in the central database. The very next time that user attempts to open the file, the server returns DENY, and the EaseFilter driver instantly blocks the file handle creation.
- Granular Rights Adjustment: You can dynamically modify the AccessFlags. For example, you can grant a user full read/write access on Monday, and downgrade them to read-only access on Wednesday, without ever needing to replace or touch the physical file on the user's device.
Building an Immutable Audit Trail
In a Zero-Trust architecture, knowing who was denied access is just as important as knowing who was granted access. The Server-Side callback mechanism makes centralized auditing trivial and highly reliable.
By capturing this telemetry, security teams gain immediate visibility into their data perimeter. You can monitor for anomalous behavior—such as a user attempting to open a restricted file multiple times from an unauthorized location, or an unexpected background process trying to ingest encrypted data—enabling rapid incident response and simplified compliance reporting.
Conclusion
Choosing between Internal DRM and Server-Side DRM depends entirely on your use case. If you need highly portable, offline files, embedding the full AES_TAG_CONTROL_DATA directly into the file header is incredibly effective.
However, for true Zero-Trust architecture where real-time revocation and audit logging are non-negotiable, leveraging the EaseFilter File Control SDK and Transparent File Encryption SDK to tie a file to a central server using custom tags (e.EncryptionTag) is the ultimate solution. By pushing access controls down to the kernel level, you guarantee that your data remains secure, no matter where it physically resides or what application attempts to open it.
