# Key4C Secure Folder for Windows Service

<figure><img src="/files/Pw7HZWsco4jn8DPotxFJ" alt=""><figcaption></figcaption></figure>

**Key4C Secure Folder for Windows Service** \
is a file system encryption solution designed for Windows server environments.\
It securely receives file system encryption keys through a certificate-based secure channel, and performs encryption and decryption directly on the agent. The encryption keys are protected and managed using HSM (Hardware Security Module) keys, ensuring strong security and minimizing the risk of key exposure.\
Even in the event of a ransomware attack, your data remains protected. This solution is also well-suited for meeting compliance requirements related to data encryption regulations.

<mark style="color:blue;">**With Key4C Secure Folder for Windows Service, you can safeguard your server data with confidence and ease.**</mark>

## 1. Service Overview

<figure><img src="/files/ug1elvMCSMx6H6OoJLhK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/X6qJ1iuiGvB55ggfVdU8" alt=""><figcaption></figcaption></figure>

**Is your file system data, the core of corporate asset security, truly protected?**\
When server and backup data are stored in plaintext, the risk of data leakage increases significantly.

* Server data stored in plaintext → **corporate information is directly exposed in case of a breach**
* Internal administrators or employees may abuse privileges to copy or exfiltrate data \
  → **highly vulnerable to insider threats**
* Backup servers without encryption → **data breach damage multiplies, leading to secondary and even tertiary exposure.**

{% hint style="danger" %}
If a server or backup server is compromised, the stored data is exposed as-is, resulting in the immediate leakage of personal information and corporate secrets. \
With the **Secure Folder** service applied, even if server data is exfiltrated, it cannot be decrypted - effectively neutralizing the leakage itself.
{% endhint %}

## 2. Service Introduction

<figure><img src="/files/GQfv5rw73FANk2rI0iJK" alt=""><figcaption></figcaption></figure>

{% stepper %}
{% step %}
<mark style="color:blue;">**Easy deployment**</mark>**&#x20;optimized for cloud**

Our cloud-based SaaS model reduces the burden of security updates and maintenance, enabling fast and easy deployment.
{% endstep %}

{% step %}
**Easy Key Management&#x20;**<mark style="color:blue;">**GUI**</mark>**&#x20;· Secure Channel for&#x20;**<mark style="color:blue;">**DEK Delivery**</mark>

Easily perform complex key management through a web console. Ensure a secure communication channel between the Agent and Key4C service with certificates safely issued by the HSM.
{% endstep %}

{% step %}
<mark style="color:blue;">**Protect Encryption Keys**</mark>**&#x20;with HSM-Based Keys**

The DEK generated for file system encryption is securely encrypted with an HSM-generated KEK. DEKs are delivered securely only upon authenticated requests.
{% endstep %}

{% step %}
<mark style="color:blue;">**Certified**</mark>**&#x20;for GDPR, HIPAA, PCI DSS, CCPA and more**

When enterprises in regulated sectors use file systems, they must comply with strict requirements for encryption key management, key separation and storage, certification, and verification. Robust standards for encryption and key management must be met.
{% endstep %}
{% endstepper %}

<figure><img src="/files/EQdgseCj0vmr51SpPHL5" alt=""><figcaption></figcaption></figure>

**Compliance with high-level international regulations such as GDPR, HIPAA, and PCI DSS is ensured.**

{% hint style="success" %}
GDPR : General Data Protection Regulation

HIPAA : Health Insurance Portability and Accountability Act

PCI DSS : Payment Card Industry Data Security Standard

CCPA : California Consumer Privacy Act
{% endhint %}

## 3. Service Implementation: Before & After

Recent ransomware has evolved to steal data and threaten to disclose or sell it, making data exfiltration itself a corporate risk even if recovery is possible.

### 3-1. <mark style="color:red;">Before</mark> implementation

* File system data stored in plaintext → <mark style="color:red;">immediate data leakage in case of breach</mark>
* Backup servers not encrypted → <mark style="color:red;">secondary damage expands</mark>
* Lack of encryption key management system \
  → <mark style="color:red;">non-compliance and difficulty obtaining certifications</mark>
* Insider privilege abuse → <mark style="color:red;">administrators or employees can copy/exfiltrate all data</mark>
* No user-level control → <mark style="color:red;">expansion of insider threats</mark>
* Insider privilege abuse → <mark style="color:red;">unauthorized copying and exfiltration</mark>

### 3-2. <mark style="color:blue;">After</mark> implementation

* Secure file system encryption → <mark style="color:blue;">exfiltrated data cannot be decrypted</mark>
* Encryption applied to both servers and backups → <mark style="color:blue;">prevents double exfiltration and disclosure threats</mark>
* Encryption and key management capabilities → <mark style="color:blue;">enhanced compliance and certification readiness</mark>
* Certificate-based secure communication channel → <mark style="color:blue;">safe transmission of encryption keys (DEK)</mark>
* Attackers cannot obtain plaintext → <mark style="color:blue;">leakage and extortion threats neutralized</mark>
* User-specific encryption key issuance and management → <mark style="color:blue;">minimizes insider threats</mark>

***

## 4. Feature

### 4-1. Secure Key Generation

Easy and fast key generation and management through a web-based GUI

<figure><img src="/files/QN5u9KinDYVgcfv73QAq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/GbVAbrQgm02HncnggwnN" alt=""><figcaption></figcaption></figure>

**Multiple DEK Issuance and User Assignment**

* Independent file system encryption keys can be issued and managed for each user or department.
* A one-to-one mapping structure without a master key enables a more secure key management system.
* Each DEK is protected by a dedicated HSM-based KEK, ensuring that the compromise of one key does not affect the entire system.

**KEK for Strengthening DEK Security**

* KEKs are generated and stored within the HSM, fundamentally preventing external leakage.
* They comply with domestic and international certification requirements such as ISMS-P and CSAP, making it easier to obtain security certifications.
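
The one-to-one DEK/KEK structure described above can be illustrated with a short sketch. This is an added example, not Key4C code: it assumes AES-256-GCM as the wrapping algorithm and software-generated keys standing in for HSM-held KEKs, and the `KEK` type, its methods and the key IDs are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KEK struct{ aead cipher.AEAD } // software stand-in for one HSM-held KEK (assumption)

// NewKEK generates a fresh AES-256 key; the page's KEKs are created inside the HSM.
func NewKEK() (*KEK, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &KEK{aead}, err
}

// Wrap encrypts a DEK under this KEK and binds keyID as associated data.
func (k *KEK) Wrap(dek []byte, keyID string) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, dek, []byte(keyID)), nil
}

// Unwrap fails for a different KEK, a different keyID, or a modified blob.
func (k *KEK) Unwrap(wrapped []byte, keyID string) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(wrapped) < n {
		return nil, fmt.Errorf("wrapped DEK for %q too short", keyID)
	}
	return k.aead.Open(nil, wrapped[:n], wrapped[n:], []byte(keyID))
}

func main() {
	kekA, _ := NewKEK()
	kekB, _ := NewKEK()
	wrapped, _ := kekA.Wrap(make([]byte, 32), "user-a") // constructed all-zero DEK, demo only
	_, err := kekB.Unwrap(wrapped, "user-a")
	fmt.Println("other user's KEK rejected:", err != nil)
}
```

Because each wrapped DEK authenticates only under its own KEK and key ID, a wrapped blob copied from storage is useless without that specific KEK.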

### 4-2. Secure Folder Agent

The Client User (Manager) sends a key creation completion email to the end user, providing guidance on downloading and using the Secure Folder Agent. Below is the **Secure Folder Agent** screen.

<figure><img src="/files/hFzmQewkxIe0ayGUFFQ2" alt=""><figcaption></figcaption></figure>

* In Secure Folder Access, click the **\[Connect]** button and enter the PIN to access the folder.
* By clicking the **\[Manage Access]** button and entering the PIN, you can configure the list of files that are accessible within the folder.

***

### 4-3. Secure Use of DEKs

Secure Communication and Key Delivery with Simple Agent Integration

<figure><img src="/files/kl1WlzwORb1vKiRtGvZI" alt=""><figcaption></figcaption></figure>

**Certificate-Based Secure Communication**

* Users perform a simple integration using the information provided by the administrator and establish a secure communication channel.
* Based on a certificate issued by the HSM, mutual authentication between the Agent and Key4C is performed, and a secure channel is automatically established.
* Users send a request with the ID of the encryption key they want to use, and receive the file system encryption key (DEK) through the secure channel. During this process, the key is never exposed externally.
* File system encryption and decryption operations are performed directly within the Agent in the customer's infrastructure.
* Users continue to read and write files through their applications as usual, but the file system always stores the data in encrypted form.
* Even if encrypted data is stolen from a server or backup server, it cannot be decrypted without the file system encryption key (DEK).

***

## 5. Service Workflow Diagram

<figure><img src="/files/8kq4y5NQrrsaQ8KPnybk" alt=""><figcaption></figcaption></figure>


