Abstract: Confidentiality is one of the goals of information security, which is to prevent information from being accessed by unauthorized entities during the course of its storage and distribution. In the enterprise network terminals, they were not allowed to leak sensitive information outside the enterprise application environment for the reason of confidentiality. While in the reality, these information can be leaked outside in the following ways, 1) with floppy disk, USB disk and so on, 2) first printed with printers, and then taken away, and 3) with all kinds of network devices. But unfortunately, there is not a reasonable solution, which can maintain the availability of the system while protecting the confidentiality of sensitive information. In view of this reality, an intranet information disclosure defendable security model based on crypt-isolation is proposed, in which the process's behavior is monitored, and its security level is adjusted dynamically. When a high level process wants to write information to a media that is liable to leak the information outside, the system will encrypt the information automatically. As a result, the user's behavior is controlled, and no sensitive information can be leaked, intentionally or unintentionally. Furthermore, in order to achieve crypt-isolation, a new key management solution is presented. Combined with the existing symmetric encryption algorithms, this key management solution can provide “one person encryption and specified people decryption” ability, which is very worthy.