Skip to content

A Guide to Modern File-Level Encryption

What is file-level encryption?

File-level encryption has long been a common technique to protect file confidentiality and sensitive data at rest. It ensures that selected information is unreadable to unauthorized viewers, regardless of where it’s stored. In contrast to full-disk encryption, where entire partitions or disks are protected, file-level encryption (FLE) protects data in specific files, folders, or storage locations. It also protects the metadata of those files or locations.

One of the main benefits of FLE is that it allows for the separation of duties between data owners and infrastructure administrators. It’s often used to ensure that system administrators (e.g., server admins) cannot view data without need-to-know access. FLE is also used within cloud deployments to ensure that cloud administrators or unauthorized users within the cloud environment are not able to access data.

That said, file-level encryption also has its drawbacks. Because it usually involves installing agents, it can present challenges for companies who want to take advantages of newer software architectures without lots of endpoint management. It can also slow down operations considerably.

But not all file-level encryption is created the same. Below, we’ll explain how there are actually several different types of file-level encryption, and how newer agentless solutions can provide strong data resilience features that have been lacking in traditional agent-based approaches.

What are the main types of file-level encryption?

Agent-based file-level encryption

Agent-based FLE is provided via the installation of an agent or application on a server or client system, tying the user transparently into the system. The agent may be tied to certain folders or files to protect certain data, or it may display itself as a local disk/partition to the user. Either way, the agent itself will control access control to the files it protects.

While agents used to be the most common way to implement file encryption, agent-based data encryption software presents certain challenges. Agents are resource-intensive to manage, and installing and configuring them can be a barrier for companies. Additionally, modern tools like network storage, cloud storage, Platform as a Service (PaaS) solutions, and containers were not designed for agents to be installed on them. That means that newer software-defined infrastructures are not always compatible with agent-based FLE.

Lastly, agents usually introduce a performance drawback. It’s quite common that the tradeoff for stronger security is reduced performance, but agent-based FLE regularly introduces a performance drawback between 5% and 20%, and in some cases up to 30% or 40%.

Abstraction-layer-based file-level encryption

As data sources and storage types increase in diversity, more and more data is produced by applications and automated services that do not involve any human interaction. Many services are also leveraging network as well as cloud storage to store data at rest. Abstraction-layer-based FLE solutions provide an easy way to introduce data security and file protection transparently to this kind of data workflow.

As the name suggests, abstraction layers are services that sit between the application or server and the final file storage location to introduce robust file encryption. The abstraction layer makes installing, maintaining, and configuring agents irrelevant, and data on the end device can be consumed just as it would be from regular network or cloud storage.

Abstraction layers use modern cryptographic solutions to achieve a high level of throughput. Since the cryptographic operation is offloaded from the end device, there’s no competition for CPU power in operations. Modern abstraction-layer-based technologies use cryptographic permutations to achieve minimal or no performance drawback. In some cases, they even improve performance in data flows.

API-based file-level encryption

As our industry moves more and more toward infrastructure as a code (IaC), dynamic deployments, and automation, file-level encryption increasingly needs to serve applications that do not leverage servers or endpoints. API-based file-level encryption is one way to do so.

API-based FLE is a service within an organization’s infrastructure that allows applications to call it for any kind of file protection — from data confidentiality to integrity and availability of important files. By calling a file-level encryption service over API, application developers, infrastructure providers, and data owners/custodians can seamlessly tie data security into their workflows.

Just like abstraction-layer-based FLE, API-based FLE needs to ensure a high throughput of API calls and data to achieve minimal to no performance drawback. APIs can also be very sensitive to latency within data flows, so API-based FLE needs to ensure low latency and fast throughput. Much like with abstraction-layer-based FLE, modern cryptographic solutions are used to achieve low latency and high performance for API-based FLE.

Modern file-level encryption solutions

FLE has come a long way from just encrypting files. Because of the constant growth of files (not to mention the diversity of our consumption of files and storage in our organizations), file-level encryption had to adjust over time. Modern FLE solutions still fulfill the basic promise of encryption — protecting the confidentiality of files — but they can also ensure data integrity and availability as well. This means that, with the right file encryption software, data protection can go much further than preventing the exposure of sensitive data.

ShardSecure offers a modern solution that fits the bill. Our technology provides strong, agentless data confidentiality — but it also ensures robust data resilience with high availability, multiple data integrity checks, and self-healing data. Easy to integrate and transparent to users, ShardSecure’s solution is enabling companies to keep their sensitive data safe while embracing the flexibility and cost savings of the cloud.


Just as the amount of data — and the ways we use and process that data — has ballooned in recent years, so too have the different types of file-level encryption. Modern solutions like ShardSecure’s do not have the performance drawback that legacy file-level encryption does, and they enable organizations to easily implement transparent file-level encryption.

To learn more about ShardSecure and modern file-level encryption, visit our resources page here.