
Community Newsletter: Q&A: Encrypting and password protecting files and folders on my PC

by Lee Koo (ADMIN) Moderator - 9/7/07 10:42 AM
Post 61 of 75

Relatively so...

by John.Wilkinson Moderator - 9/3/07 4:37 PM In reply to: Is Winzip secure? by beliche

Assuming you are referring to 256-bit AES encryption, you can, for the most part, rest assured that your data is protected. There have been a few successful attacks on AES, but it remains one of the most popular encryption algorithms and is approved by the NSA for the storage of top secret information.

John

Post 62 of 75

E-mail Encrypting

by thomasconsidine - 9/7/07 9:38 AM In reply to: Relatively so... by John.Wilkinson Moderator

Gentlemen,
My problem is the state of Nevada Identity Theft law will require encryption of all electronic transmissions with the exception of faxes.

How can small businesses comply with the law without paying high prices for software?
And if not what software is out there to assist?

Additionally, the Nevada Identity Theft law considers e-mail addresses as sensitive information if they contain:
First & last name, first initial and last name, basically anything which identifies a person.

What's your recommendation for compliance?

Post 63 of 75

Encrypting files and folders

by Vince.Rosati - 9/7/07 1:00 PM In reply to: E-mail Encrypting by thomasconsidine

Several have said that to use the Microsoft EFS encryption, just right-click, select PROPERTIES, then ADVANCED.

If I do that on a folder on my C:\ drive, everything works as stated. However, if I try it on a folder that is on a memory stick, I do not see the ADVANCED tab. I see only READ ONLY, HIDDEN, and ARCHIVE.

What's up?

Vince

Post 64 of 75

It must be NTFS-formatted...

by John.Wilkinson Moderator - 9/7/07 4:36 PM In reply to: Encrypting files and folders by Vince.Rosati

EFS will work on any internal or external drive, including flash drives and memory cards, as long as the drive is NTFS-formatted, for only it is supportive of the encryption. Since most flash drives come formatted as FAT32 you'll need to copy your files off and then reformat it to work.

Also, remember that any files encrypted will only be accessible while you are logged into your account on your computer/network. They will not be usable should you need to access them from a public computer or another Windows account. It's also wise to back up your EFS key, just in case something goes awry with your account.

John
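
The NTFS requirement and the key backup mentioned in the reply above, as an added PowerShell example that is not part of the original post. `Get-EfsStatus` is a hypothetical helper name; `cipher.exe` with its `/u /n` and `/x` switches is the standard Windows tool, and the backup file name is an assumption.

```powershell
# Added example: report, for each path, whether its volume can hold EFS files
# (NTFS only, per the reply above) and whether the item is already encrypted.
function Get-EfsStatus {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $item  = Get-Item -LiteralPath $p -Force -ErrorAction Stop
        # Local drive letters only; UNC paths are outside this sketch.
        $root  = [System.IO.Path]::GetPathRoot($item.FullName)
        $drive = New-Object System.IO.DriveInfo $root
        [pscustomobject]@{
            Path       = $item.FullName
            FileSystem = $drive.DriveFormat          # e.g. NTFS, FAT32
            DriveType  = $drive.DriveType            # Fixed, Removable, ...
            EfsCapable = ($drive.DriveFormat -eq 'NTFS')
            Encrypted  = [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)
        }
    }
}

# Paths that exist on any Windows profile; add a flash-drive folder to compare.
Get-EfsStatus -Path $env:USERPROFILE, $env:TEMP | Format-Table -AutoSize

# List every EFS-encrypted file on local drives without touching the keys
# (/n is only valid together with /u).
cipher /u /n

# Back up the current user's EFS certificate and private key to a
# password-protected .PFX file. Interactive: asks for confirmation and a password.
cipher /x "$env:USERPROFILE\efs-backup"
```

Store the resulting .PFX and its password away from the computer whose files it protects.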

Post 65 of 75

It must be NTS Formatted

by Vince.Rosati - 9/8/07 6:20 AM In reply to: It must be NTFS-formatted... by John.Wilkinson Moderator

John,

Thanks for the reply. It is important that you mentioned that the EFS-encrypted files could only be seen on the computer that made them. I was going to use the stick to transport files between computers at different locations.

I guess I'll use TrueCrypt?

Thanks again,

Vince

Post 66 of 75

That'll work, but...

by John.Wilkinson Moderator - 9/8/07 2:38 PM In reply to: It must be NTS Formatted by Vince.Rosati

TrueCrypt will work, but make sure that you either have it installed on each computer you plan on using or enable the "traveller mode" option to make it portable.

Good luck.
John


P.S. You can use EFS across multiple computers, but it would require backing up your key and applying it to each computer you plan on using. Not only is it a hassle but if it's ever a public computer you use it's possible for a future user to get your key after you're done and have full access to any files on any computer secured by that key. Thus, it's fine if you have several computers you use, each with your own username/password, but generally not an option if you need to quickly access your files using a friend's or other public computer.

Post 67 of 75

That'll work but ... (Encrypting Folders)

by Vince.Rosati - 9/9/07 9:04 AM In reply to: That'll work, but... by John.Wilkinson Moderator

John,

I must be getting old! I thought that I already responded, thanking you for your latest info about EFS. I am going to (try to) use it for my own computers (Home and work).

Thanks so much for your time and expertise.

Vince

Post 68 of 75

About EFS and its shortcomings!! By: Pankaj Singh

by pankajsingh_iiita - 9/15/07 3:39 PM In reply to: It must be NTS Formatted by Vince.Rosati

Answer:


Security features such as logon authentication or file permissions protect network resources from unauthorized access. However, anyone with physical access to a computer such as a stolen laptop can install a new operating system on that computer and bypass the existing operating system’s security. In this way, sensitive data can be exposed. Encrypting sensitive files by means of EFS adds another layer of security. When files are encrypted, their data is protected even if an attacker has full access to the computer’s data storage.

Only authorized users and designated data recovery agents can decrypt encrypted files. Other system accounts that have permissions for a file—even the Take Ownership permission—cannot open the file without authorization. Even the administrator account cannot open the file if that account is not designated as a data recovery agent. If an unauthorized user tries to open an encrypted file, access is denied.



Benefits of EFS

EFS allows users to store confidential information about a computer when people who have physical access to your computer could otherwise compromise that information, intentionally or unintentionally. EFS is especially useful for securing sensitive data on portable computers or on computers shared by several users. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of access control lists (ACLs). In a shared system, an attacker can gain access by starting up a different operating system. An attacker can also steal a computer, remove the hard drives, place the drives in another system, and gain access to the stored files. Files encrypted by EFS, however, appear as unintelligible characters when the attacker does not have the decryption key.

Because EFS is tightly integrated with NTFS, file encryption and decryption are transparent. When users open a file, it is decrypted by EFS as data is read from disk. When they save the file, EFS encrypts the data as it is written to disk. Authorized users might not even realize that the files are encrypted because they can work with the files as they normally do.




How EFS Works
The following steps explain how EFS works.
1. EFS uses a public-private key pair and a per-file encryption key to encrypt and decrypt data. When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data. The FEK is encrypted with the user’s public key, and the encrypted FEK is then stored with the file.
2. Files can be marked for encryption in a variety of ways. The user can set the encryption attribute for a file by using Advanced Properties for the file in My Computer, storing the file in a file folder set for encryption, or by using the Cipher.exe command-line utility. EFS can also be configured so that users can encrypt or decrypt a file from the shortcut menu accessed by right-clicking the file.
3. To decrypt files, the user opens the file, removes the encryption attribute, or decrypts the file by using the cipher command. EFS decrypts the FEK by using the user’s private key, and then decrypts the data by using the FEK.

Because EFS needs most of the OS to be loaded before it can work, it suffers a chicken-and-egg problem: it can't encrypt core operating system files, including the pagefile, because the system needs to be able to decrypt those files in order to use EFS.


Enabling Encrypt/Decrypt on the Windows Explorer Menu:

Some organizations may find it easier to enable EFS by placing "Encrypt" and "Decrypt" on the Microsoft Windows Explorer context menu when a file is right-clicked with the mouse. To enable this feature, under the following registry hive path, create a DWORD value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
DWORD Name: EncryptionContextMenu
Value: 1
Note This registry value must be created and does not exist by default.
Windows Server 2003 enables the Encryption Details button to also be added to the Explorer menu by creating a registry file (*.reg) with the following information and running the registry batch file for each user:
[HKEY_CLASSES_ROOT\*\Shell\Encrypt To User...\Command]
@="rundll32 efsadu.dll,AddUserToObject %1"

With Vista, we can use EFS to encrypt the pagefile

In Vista only the OS drive will be encryptable with BitLocker. If we have separate data volumes, they'll still need to use EFS, but the encryption can be complete.

The Encrypting File System (EFS) has always been one of Windows XP's more popular features, but it did have its shortcomings. The Windows XP version was somewhat difficult to manage, and we could experience data loss if we accidentally lost the keys. In Windows Vista, Microsoft completely redesigned EFS to make it a little bit easier to use.


Recommendation:

Cypherix's Cryptainer, It is 128 bit encryption. We can download the program, and then just follow the steps. We make a folder, give it a password and then move the files we want encrypted into it. It is fast, easy and I do not see the average hacker being able to hack 128 bit encryption. If someone physically accesses your computer and they open up cryptainer they will need the user password to get into the files and/or folders that are in it.

For your specific question I'd recommend TrueCrypt, which is an open-source project (check Sourceforge). With Truecrypt you can set up a file on a drive (or even the whole drive) which is encrypted. You then mount that file as if it were a physical drive (with a letter or in a folder redirection), and your software doesn't have to know that the files they are reading/writing are encrypted.
Keys for Truecrypt can be either passwords, file(s) on the machine or a combination of both. For example, you could have a set of files on a USB drive, which MUST be in the PC AND have a password to enter, if you need that level of security.


Kruptos 2 - Kruptos 2 is an easy to use Encryption/Wipe/Self Extraction utility:

Kruptos 2 is a very easy to use and powerful 128 bit file encryption utility that allows you to secure any sensitive files stored on your PC or portable storage device. Kruptos 2 includes a powerful file shredding utility, and the ability to generate self decrypting files. Kruptos 2 currently works with the following versions of Microsoft Windows (2000/XP/2003 Server) and with all known file types. Features and benefits quick to download, simple to install and very easy to use. Based on public domain encryption algorithm. The algorithm has not been modified in any way. Absolutely no back doors, hidden keys or any other method of decoding encrypted data without the correct key. So if you lose your password, you lose your data. Ideal for secure transportation of files on portable storage devices, such as portable hard drives, USB storage keys.
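
The key hierarchy from the "How EFS Works" steps in the post above, as an added PowerShell model that is not part of the original post and is not Microsoft's EFS code. It shows why the owner and a data recovery agent can open a file while an administrator without a wrapped key cannot. All function and variable names are hypothetical, and .NET AES-CBC and RSA-OAEP stand in for whatever algorithms EFS itself uses.

```powershell
# Added model of the EFS scheme: one random file encryption key (FEK) per file,
# wrapped separately with each authorized public key and stored with the data.
$oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1

function Protect-WithFek {
    param([string]$Text, [hashtable]$Recipients)   # name -> RSA key object
    $aes = [System.Security.Cryptography.Aes]::Create()   # fresh random FEK and IV
    try {
        $plain   = [System.Text.Encoding]::UTF8.GetBytes($Text)
        $data    = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
        $wrapped = @{}
        foreach ($name in $Recipients.Keys) {
            # Only the public half is needed to wrap the FEK.
            $wrapped[$name] = $Recipients[$name].Encrypt($aes.Key, $oaep)
        }
        [pscustomobject]@{ IV = $aes.IV; Data = $data; WrappedFek = $wrapped }
    } finally { $aes.Dispose() }
}

function Unprotect-WithFek {
    param($Blob, [string]$Name, $PrivateKey)
    if (-not $Blob.WrappedFek.ContainsKey($Name)) {
        throw "no wrapped FEK stored for '$Name': access denied"
    }
    # Private key unwraps the FEK; the FEK then decrypts the file data.
    $fek = $PrivateKey.Decrypt($Blob.WrappedFek[$Name], $oaep)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $fek
        $aes.IV  = $Blob.IV
        $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob.Data, 0, $Blob.Data.Length)
        [System.Text.Encoding]::UTF8.GetString($plain)
    } finally { $aes.Dispose() }
}

# Three constructed identities: file owner, recovery agent, and an
# administrator who is NOT a designated recovery agent.
$user  = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$dra   = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$admin = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048

# Constructed sample content, encrypted for the owner and the recovery agent.
$blob = Protect-WithFek -Text 'constructed sample: payroll Q3' `
                        -Recipients @{ user = $user; dra = $dra }

Unprotect-WithFek $blob 'user' $user     # owner reads the file
Unprotect-WithFek $blob 'dra'  $dra      # recovery agent reads the same file

# The administrator has no wrapped FEK, so there is nothing to decrypt with.
try { Unprotect-WithFek $blob 'admin' $admin }
catch { "admin: $($_.Exception.Message)" }

# A different private key cannot unwrap the owner's copy of the FEK either.
# This is the data-loss case when the owner's key is gone and was never backed up.
try { $admin.Decrypt($blob.WrappedFek['user'], $oaep) | Out-Null }
catch { 'wrong private key: FEK cannot be unwrapped' }
```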

Post 69 of 75

More legislation requiring encryption

by BenjaminWright - 2/14/08 3:42 PM In reply to: E-mail Encrypting by thomasconsidine

The Nevada legislation requires encryption of data in motion. Legislation pending in Michigan and Washington would require encryption of data at rest. http://hack-igations.blogspot.com/2008/02/encryption-legislation-goes-overboard.html

Post 70 of 75

Encrypting and password protecting files and folders on my

by pankajsingh_iiita - 9/15/07 4:02 PM In reply to: Encrypting and password protecting files and folders on my PC by Lee Koo (ADMIN) Moderator

Answer:


Security features such as logon authentication or file permissions protect network resources from unauthorized access. However, anyone with physical access to a computer such as a stolen laptop can install a new operating system on that computer and bypass the existing operating system’s security. In this way, sensitive data can be exposed. Encrypting sensitive files by means of EFS adds another layer of security. When files are encrypted, their data is protected even if an attacker has full access to the computer’s data storage.

Only authorized users and designated data recovery agents can decrypt encrypted files. Other system accounts that have permissions for a file—even the Take Ownership permission—cannot open the file without authorization. Even the administrator account cannot open the file if that account is not designated as a data recovery agent. If an unauthorized user tries to open an encrypted file, access is denied.



Benefits of EFS

EFS allows users to store confidential information about a computer when people who have physical access to your computer could otherwise compromise that information, intentionally or unintentionally. EFS is especially useful for securing sensitive data on portable computers or on computers shared by several users. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of access control lists (ACLs). In a shared system, an attacker can gain access by starting up a different operating system. An attacker can also steal a computer, remove the hard drives, place the drives in another system, and gain access to the stored files. Files encrypted by EFS, however, appear as unintelligible characters when the attacker does not have the decryption key.

Because EFS is tightly integrated with NTFS, file encryption and decryption are transparent. When users open a file, it is decrypted by EFS as data is read from disk. When they save the file, EFS encrypts the data as it is written to disk. Authorized users might not even realize that the files are encrypted because they can work with the files as they normally do.




How EFS Works:

The following steps explain how EFS works.

1. EFS uses a public-private key pair and a per-file encryption key to encrypt and decrypt data. When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data. The FEK is encrypted with the user’s public key, and the encrypted FEK is then stored with the file.

2. Files can be marked for encryption in a variety of ways. The user can set the encryption attribute for a file by using Advanced Properties for the file in My Computer, storing the file in a file folder set for encryption, or by using the Cipher.exe command-line utility. EFS can also be configured so that users can encrypt or decrypt a file from the shortcut menu accessed by right-clicking the file.

3. To decrypt files, the user opens the file, removes the encryption attribute, or decrypts the file by using the cipher command. EFS decrypts the FEK by using the user’s private key, and then decrypts the data by using the FEK.

Because EFS needs most of the OS to be loaded before it can work, it suffers a chicken-and-egg problem: it can't encrypt core operating system files, including the pagefile, because the system needs to be able to decrypt those files in order to use EFS.


Enabling Encrypt/Decrypt on the Windows Explorer Menu:

Some organizations may find it easier to enable EFS by placing "Encrypt" and "Decrypt" on the Microsoft Windows Explorer context menu when a file is right-clicked with the mouse. To enable this feature, under the following registry hive path, create a DWORD value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
DWORD Name: EncryptionContextMenu Value: 1

Note This registry value must be created and does not exist by default.

Windows Server 2003 enables the Encryption Details button to also be added to the Explorer menu by creating a registry file (*.reg) with the following information and running the registry batch file for each user:
[HKEY_CLASSES_ROOT\*\Shell\Encrypt To User...\Command]
@="rundll32 efsadu.dll,AddUserToObject %1"

With Vista, we can use EFS to encrypt the pagefile

In Vista only the OS drive will be encryptable with BitLocker. If we have separate data volumes, they'll still need to use EFS, but the encryption can be complete.

The Encrypting File System (EFS) has always been one of Windows XP's more popular features, but it did have its shortcomings. The Windows XP version was somewhat difficult to manage, and we could experience data loss if we accidentally lost the keys. In Windows Vista, Microsoft completely redesigned EFS to make it a little bit easier to use.


Recommendation:

Cypherix's Cryptainer, It is 128 bit encryption. We can download the program, and then just follow the steps. We make a folder, give it a password and then move the files we want encrypted into it. It is fast, easy and I do not see the average hacker being able to hack 128 bit encryption. If someone physically accesses your computer and they open up cryptainer they will need the user password to get into the files and/or folders that are in it.

For your specific question I'd recommend TrueCrypt, which is an open-source project (check Sourceforge). With Truecrypt you can set up a file on a drive (or even the whole drive) which is encrypted. You then mount that file as if it were a physical drive (with a letter or in a folder redirection), and your software doesn't have to know that the files they are reading/writing are encrypted.
Keys for Truecrypt can be either passwords, file(s) on the machine or a combination of both. For example, you could have a set of files on a USB drive, which MUST be in the PC AND have a password to enter, if you need that level of security.


Kruptos 2 - Kruptos 2 is an easy to use Encryption/Wipe/Self Extraction utility:

Kruptos 2 is a very easy to use and powerful 128 bit file encryption utility that allows you to secure any sensitive files stored on your PC or portable storage device. Kruptos 2 includes a powerful file shredding utility, and the ability to generate self decrypting files. Kruptos 2 currently works with the following versions of Microsoft Windows (2000/XP/2003 Server) and with all known file types. Features and benefits quick to download, simple to install and very easy to use. Based on public domain encryption algorithm. The algorithm has not been modified in any way. Absolutely no back doors, hidden keys or any other method of decoding encrypted data without the correct key. So if you lose your password, you lose your data. Ideal for secure transportation of files on portable storage devices, such as portable hard drives, USB storage keys.


For Details: Mailto :: pannkaj.login@gmail.com

Post 71 of 75

What about the security offered on flash drives?

by Fred07 - 9/15/07 6:33 PM In reply to: Encrypting and password protecting files and folders on my by pankajsingh_iiita

This is a fascinating discussion!

I'm not on a network but am online. I disable the connection when I'm not at the computer and only two of us use it but I decided I would remove the files I need secured to a flash drive & unplug it and put it in a safe place. Awkward as this is it provides me with the security I feel I need for financial sites; securities, banks and also websites etc. that are password protected.

I purchased a Memorex Rotodrive which came with a security program "Secure TD" which leads me to the next question... how safe is this program? It looks impressive; the directory does not show at all until I call up the exec file and "log in" with my password. Any files I store in the directory are "protected".

How well is the protection on the flash drive?

Post 72 of 75

How about other software?

by Dan Waldo - 11/24/07 6:03 AM In reply to: Encrypting and password protecting files and folders on my PC by Lee Koo (ADMIN) Moderator

This thread is very helpful, folks. Sounds like Cryptainer and TrueCrypt are popular products.

I need to use encryption that is FIPS 140-2 compliant. The Cryptainer people tell me they are compliant but don't have a formal certification. I'm not sure about TrueCrypt.

I was also looking at PGP products, which are certified to be compliant. Does anybody have experience with the PGP Desktop software?

Post 73 of 75

PGP

by cdwatters - 11/27/07 11:38 AM In reply to: How about other software? by Dan Waldo

I've used PGP and Truecrypt, and while there are overlaps in functionality, PGP brings more to the table, but PGP was designed with a lot more corporate use in mind, where TrueCrypt is really for the individual's encryption needs.

PGP offers file-level encryption, integration with email, self-decrypting archives, management keys and split keys. PGP also ships with a file secure delete, and other goodies.

Truecrypt does volume and virtual disk level encryption, but does it very quickly and easily.

If you have compliance regs, go with the commercial package.

Post 74 of 75

Re: encrypted files

by Kees Bakker Moderator - 1/29/08 2:34 AM In reply to: PGP by cdwatters

Assuming you encrypted the files using EFS, you can recover the contents if you followed the recommendation in http://support.microsoft.com/kb/223316 to make a backup copy of your certificate.

If you choose not to follow it, you've got some problems you can't solve yourself. You'll need a professional unencrypting company then. See www.lostpassword.com for example.

Kees

Post 75 of 75

Encrypted Files Cannot be opened due to Corrupted OS

by levihao - 1/29/08 1:25 AM In reply to: Encrypting and password protecting files and folders on my PC by Lee Koo (ADMIN) Moderator

Please help. I have encrypted and put passwords on my Microsoft Office Excel files using Windows "Save as - General Options" route. Last week my computer got infected by several viruses - Trojan Horses, etc. and corrupted my entire OS. My OS is Windows XP Pro. I have backed up my files with an 80 Gig Maxtor portable hard disk but I found out (to my horror) that I can not open anymore all the files I have put passwords into. I can not even save it anymore to another disk as the message "Can not access file. File could be encrypted" always comes out.

Is there any way that I can 'retrieve' or re open the files? Or should I consider all files with passwords "doomed"?

Thank you very much in advance for any help I can get. Best Regards to all.

Levi
