Hi there - does anyone know if the encryption on odrive meets compliance for the new GDPR legislation in Europe? We are planning on keeping data of employees and clients in an encrypted folder.
I know that its password protected - but once you enter the password you’re never asked for it again - so if someone gets onto my computer they will have access to all these sensitive files.
Does this mean it will not meet GDPR requirements?
Interested in someones thoughts here.
I am not familiar enough with the GDPR guidelines to say for sure. I looked into a bit, but the information I found on Encryption didn’t cover this type of vector, but I also may not be looking in the right place. If you have specific documentation sections to look at let me know.
Keep in mind that an attacker would not only need to access your computer, but they would need to login as your user on that computer. This is because the passphrase is kept in an encrypted container that is user-specific and requires the user to have a valid, logged-in session to make use of.
I actually wrote a post going into some of our Encryption details here: Encryption questions: Key storage, decryption process, and others
Keep in mind that we are working on our next version of Encryption, so we are taking a look at things in this area. For example, the ability to set expiration on the storage of the passphrase, and introducing the idea of “locking” files/folders, which would require additional measure to open.