Encrypting files in a windows environment

Ehmn, the 'industry standard' for client-side (laptop/desktop) and server-side (network share) workgroup file encryption in a Microsoft SMB environment is -- you're not going to like this -- don't do it. Seriously, very very few people do this, for many good reasons.

OK, you said "requirement", so the next best solution is Microsoft Encrypting File System together with Active Directory for management.

The good properties of EFS are:

  • The encryption is almost completely transparent to end users. EFS files are used just as plain un-encrypted files are; decryption permissions are inherited from the logged on Windows user account.

  • Pretty good performance: EFS is integrated with NTFS and decently fast.

  • Advanced management capabilities. Via Active Directory you can create multiple layers of admin accounts for unlocking files in an emergency; handle team / group / department permissions, etc.

Bad sides:

  • If you ever lose all keys, then you're in deep deep trouble.

  • Setting up a good, robust & safe EFS infrastructure for a company is a lot of work, and requires very careful risk assessment. You might start by reading this overview, and read the "Recovery" section twice.

  • A few applications, mostly client-server style apps which run on a desktop PC but use user credentials other than the logged in user, will fail to run. Or worse yet, run, but silently fail.

  • A few applications may have strange bugs. For example, with EFS my Google Chrome browser is frequently complaining about an unclean shutdown and loses its settings. Without EFS I do not have this issue.

  • EFS can be counter-intuitive. For example, the default behavior is that if you copy an EFS file to an unencrypted destination via common icon drag'n'drop, then the file is transparently decrypted. But if you do the exact same via some command line tools, then the file remains encrypted. This has tricked more than one file backup, and caused data loss.

You can't set multiple users to decrypt a file without explicitly adding their cert to the file through Windows Explorer (from what we have discovered).

The solution is Active Directory & Group Policies. Active Directory can be daunting. No offense intended, but if this is new to you, then maybe you should find an experienced Microsoft sysadmin to lend a hand with the design.

Regarding Truecrypt: Personally, I would never use Truecrypt for this. I love Truecrypt, and use it every day on my own PCs. But at heart it is a single-computer solution, with no group management / multi-PC deployment tools / multi-layered key management capabilities. It's not the right tool for workgroups / companies, other than perhaps full-disk laptop hard disk encryption (and even there, Bitkeeper is stronger on management capabilities).
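The backup pitfall described above (a copy made with one tool lands decrypted, a copy made with another stays encrypted and is unreadable without the keys) is easy to catch before it causes a loss. The following PowerShell is an added example, not code from any of the answers: it walks a source tree and its backup copy and reports every file whose NTFS Encrypted attribute differs between the two. The paths are placeholders.

```powershell
# Added example: compare the EFS (Encrypted attribute) state of a source tree
# and its backup copy. Placeholder paths; run as a user who can read both trees.
function Compare-EfsState {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $enc     = [System.IO.FileAttributes]::Encrypted
    $srcRoot = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')

    Get-ChildItem -LiteralPath $srcRoot -Recurse -File | ForEach-Object {
        $rel    = $_.FullName.Substring($srcRoot.Length + 1)
        $dst    = Join-Path $Destination $rel
        $srcEnc = ($_.Attributes -band $enc) -eq $enc

        if (-not (Test-Path -LiteralPath $dst)) {
            $dstEnc = $null
            $status = 'MissingInDestination'
        } else {
            $dstEnc = ((Get-Item -LiteralPath $dst).Attributes -band $enc) -eq $enc
            $status = if ($srcEnc -eq $dstEnc) { 'OK' }
                      # Source was encrypted, copy is plaintext: confidentiality leak.
                      elseif ($srcEnc) { 'DecryptedCopy' }
                      # Copy is encrypted although source was not: only readable with keys.
                      else { 'EncryptedCopy' }
        }

        [pscustomobject]@{
            File            = $rel
            SourceEncrypted = $srcEnc
            DestEncrypted   = $dstEnc
            Status          = $status
        }
    } | Where-Object { $_.Status -ne 'OK' }
}

# Usage (placeholder paths): list only the files that need attention.
Compare-EfsState -Source 'D:\Data' -Destination '\\backupserver\backups\Data' |
    Format-Table -AutoSize

# For a single file, the built-in cipher tool lists the certificates that can
# decrypt it, i.e. who could recover it if the owner's key is lost:
#   cipher.exe /c 'D:\Data\report.docx'
```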


TrueCrypt does offer the option of providing network shares:

Sharing over Network

If there is a need to access a single TrueCrypt volume simultaneously from multiple operating systems, there are two options:

  1. A TrueCrypt volume is mounted only on a single computer (for example, on a server) and only the content of the mounted TrueCrypt volume (i.e., the file system within the TrueCrypt volume) is shared over a network. Users on other computers or systems will not mount the volume (it is already mounted on the server).

    Advantages: All users can write data to the TrueCrypt volume. The shared volume may be both file-hosted and partition/device-hosted.

    Disadvantage: Data sent over the network will not be encrypted. However, it is still possible to encrypt them using e.g. SSL, TLS, VPN, or other technologies.

    Remarks: Note that, when you restart the system, the network share will be automatically restored only if the volume is a system favorite volume or an encrypted system partition/drive (for more information on how to configure a volume as a system favorite volume, see the chapter System Favorite Volumes).

  2. A dismounted TrueCrypt file container is stored on a single computer (for example, on a server). This encrypted file is shared over a network. Users on other computers or systems will locally mount the shared file. Thus, the volume will be mounted simultaneously under multiple operating systems.

    Advantage: Data sent over the network will be encrypted (however, it is still recommended to encrypt them using e.g. SSL, TLS, VPN, or other appropriate technologies to make traffic analysis more difficult and to preserve the integrity of the data).

    Disadvantages: The shared volume may be only file-hosted (not partition/device-hosted). The volume must be mounted in read-only mode under each of the systems (see the section Mount Options for information on how to mount a volume in read-only mode). Note that this requirement applies to unencrypted volumes too. One of the reasons is, for example, the fact that data read from a conventional file system under one OS while the file system is being modified by another OS might be inconsistent (which could result in data corruption).

Although used widely there is still an amount of stigma associated with the use of TrueCrypt in the enterprise, mainly based on the anonymity of the developers (which some may see as a good thing!), see this write-up:

Truecrypt’s source code has never been the subject of a thorough review, nor is there any reason to rely on the credentials of the developers, since they remain anonymous.

So part of the question would have to be, can I deploy this within my organisation rather than does it do what we need.

Hope this helps.


The only one I have experience with is CREDANT. It should be able to provide all the services that you need. It is not open source, which seems not to be a problem from how your question reads.

I know that CheckPoint (the sec appliance company) has a product that has been called Pointsec. I'm not too familiar with it, but it's also something to investigate.

On a side note, TrueCrypt is by no means an enterprise grade tool. It lacks basic administration options. I am not saying that TrueCrypt is not a good tool, I use it at home all the time, but it's not built to serve even a small business.

If CREDANT or CheckPoint doesn't have what you're looking for, use them as a place to start your research. Also, please let us know what you came up with, I'm interested if there are any more applicable options on the market.

Another idea is to contact any current security appliance vendor you have (assuming that you like their products). Talk to your Palo Alto people, CheckPoint people, Cisco people, Juniper people, etc... and see what they have to say.