# Introduction to the DLP Service

The Data Loss Prevention (DLP) service is a system-level solution provided to prevent data disclosure. It provides capabilities for cross-device file access management, encrypted storage, and access authorization. The data owner can grant the permission (read only, edit, or full control) on a confidential file based on account authentication. The confidential file is encrypted and stored in ciphertext. Only the user who has passed the device-cloud authentication using a DLP-capable device can access or modify the file.

DLP is a system solution. You can implement complete DLP capabilities with little or no adaptation.

The DLP solution consists of the following components:

- DLP permission management service

  Implements functions such as creating a sandbox application and exchanging credentials.

- DLP permission manager application

  Sets and verifies permissions and rejects access requests locally. It implements the controlled sharing that users can perceive.

- Cloud module (implemented by developers)

  Sends DLP certificates to the cloud for account-based authentication, generates certificates, and decrypts the DLP files.

## Working Principles

![](figures/dlp-intro.png)

**Generating a DLP File**

1. The file owner adds the accounts that can access the confidential file and sets the permissions for the file through the DLP permission manager application.
2. The DLP permission manager application sends the user permission configuration to the DLP permission management service, which encapsulates the configuration into policy information.
3. The DLP permission management service sends the policy information to the cloud module. The cloud module sends the policy information for device-cloud synergy authentication, checks the policy, and generates and issues the credential.
4. The cloud module sends the credential to the DLP permission management service through the DLP permission manager application.
5. The DLP permission manager application encrypts the file and packages the credential and ciphertext into a DLP file.

**Transferring a DLP File**

6. DLP files can be sent to target users in any way. The ciphertext ensures file confidentiality.

**Opening a DLP File**

7. The authorized user opens the DLP file on the remote device (for example, using the file manager).
8. The DLP permission manager application parses the DLP file, obtains the encrypted credential, and sends it to the DLP permission management service.
9. The DLP permission management service sends the encrypted credential to the cloud module. The cloud module sends the credential to the cloud for identity authentication, credential verification, and policy parsing, and obtains the authorization policy and encryption key.
10. The cloud module sends the permission policy and encryption key to the DLP permission manager application through the DLP permission management service.
11. The DLP permission manager application invokes the DLP permission management service to install a DLP sandbox application for the application and perform access control based on the authorization.
12. The DLP permission manager application uses a link mechanism to map the plaintext and ciphertext. Based on the open-source Filesystem in Userspace (FUSE), the link mechanism creates a virtual link file (which is mapped to the DLP file) and shares the link file with the application. The application can access and edit the plaintext file, and the operations are synchronized to the DLP file in real time.
13. When the DLP permission manager application is ready, it starts the sandbox application and transfers the link file descriptor. The sandbox application starts, and the application process opens the link file.

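The following is an added example, not code from the DLP service or its SDK: a minimal Python model of what a developer-implemented cloud module does in steps 3-4 (check the policy, issue the credential) and steps 9-10 (verify the credential, parse the policy, return the permission and key). The function names, JSON policy layout and account names are hypothetical. It assumes the account passed to `open_credential` has already been authenticated, protects the credential with an HMAC instead of encrypting it, and derives the file key from the credential.

```python
import hashlib
import hmac
import json
import secrets

# Constructed cloud-side secret; a real cloud module would hold it in a KMS or HSM.
CLOUD_SECRET = secrets.token_bytes(32)
PERMISSIONS = ("read_only", "edit", "full_control")


def _prf(label: bytes, data: bytes) -> bytes:
    # Keyed hash with a fixed-length label so MAC and key derivation never collide.
    return hmac.new(CLOUD_SECRET, label + data, hashlib.sha256).digest()


def issue_credential(owner: str, acl: dict) -> tuple:
    """Steps 3-4: check the policy, then issue a credential and the file key."""
    if not acl or any(p not in PERMISSIONS for p in acl.values()):
        raise ValueError("policy rejected: empty ACL or unknown permission")
    policy = {"owner": owner, "acl": acl, "nonce": secrets.token_hex(16)}
    body = json.dumps(policy, sort_keys=True).encode()
    credential = _prf(b"dlp-cred-mac", body) + body  # 32-byte tag, then policy
    return credential, _prf(b"dlp-file-key", credential)


def open_credential(credential: bytes, account: str) -> tuple:
    """Steps 9-10: verify the credential, parse the policy, authorize the account."""
    tag, body = credential[:32], credential[32:]
    if not hmac.compare_digest(tag, _prf(b"dlp-cred-mac", body)):
        raise ValueError("credential failed verification")
    policy = json.loads(body)
    # Assumption: the owner always holds full control over their own file.
    if account == policy["owner"]:
        permission = "full_control"
    else:
        permission = policy["acl"].get(account)
    if permission is None:
        raise PermissionError(f"{account} is not authorized for this file")
    # The key is re-derived in the cloud; it is never stored inside the DLP file.
    return permission, _prf(b"dlp-file-key", credential)


if __name__ == "__main__":
    # Constructed sample accounts.
    cred, key = issue_credential("owner@example.com", {"alice@example.com": "read_only"})
    permission, opened_key = open_credential(cred, "alice@example.com")
    print(permission, opened_key == key)
```

Because the credential travels inside the DLP file over any channel (step 6), the cloud side treats it as untrusted input and verifies it before parsing the policy.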