Windows Encryption Software
Hey guys:
This is most definitely OT so please contact me off list. (don't want to annoy anyone)
I come to you all because of all your wisdom. =)
I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files on the harddrive.
I know windows has bitlocker, but I don't know if that is available for Win2003? And it always seems like 3rd party apps seem to do a better job than what Microsoft gives you.
Encryption needs to be done on the fly so if at anytime the harddrive is stolen, there's no way to read the data...
Thoughts??
Brandon
Truecrypt
John Menerick
On 12/9/2010 4:24 PM, Brandon Kim wrote:
> Hey guys:
> This is most definitely OT so please contact me off list. (don't want to annoy anyone)
> I come to you all because of all your wisdom. =)
> I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files on the harddrive.
> I know windows has bitlocker, but I don't know if that is available for Win2003? And it always seems like 3rd party apps seem to do a better job than what Microsoft gives you.
> Encryption needs to be done on the fly so if at anytime the harddrive is stolen, there's no way to read the data...
> Thoughts??
> Brandon
NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service.
Wow, sounds like TrueCrypt it is.....not a single other app was suggested!!! Thank you gentlemen!
> Date: Thu, 9 Dec 2010 16:27:05 -0800
> From: jmenerick@netsuite.com
> To: nanog@nanog.org
> Subject: Re: Windows Encryption Software
> Truecrypt
> John Menerick
> On 12/9/2010 4:24 PM, Brandon Kim wrote:
> > Hey guys:
> > This is most definitely OT so please contact me off list. (don't want to annoy anyone)
> > I come to you all because of all your wisdom. =)
> > I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files on the harddrive.
> > I know windows has bitlocker, but I don't know if that is available for Win2003? And it always seems like 3rd party apps seem to do a better job than what Microsoft gives you.
> > Encryption needs to be done on the fly so if at anytime the harddrive is stolen, there's no way to read the data...
> > Thoughts??
> > Brandon
On Thu, Dec 9, 2010 at 7:24 PM, Brandon Kim <brandon.kim@brandontek.com> wrote:
> I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files on the harddrive.
Save yourself some grief and buy a self-encrypting disk (SED) instead. OS transparent so you won't have the endemic problems with oops it no longer boots and I can't just boot a live cd and access my business critical data.
-Bill
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
I've been using these and they work great as long as you are using BIOS boot; they don't work, without additional software, with the Mac EFI boot.
Johno
On Dec 9, 2010, at 20:20, William Herrin <bill@herrin.us> wrote:
> On Thu, Dec 9, 2010 at 7:24 PM, Brandon Kim <brandon.kim@brandontek.com> wrote:
> > I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files on the harddrive.
> Save yourself some grief and buy a self-encrypting disk (SED) instead. OS transparent so you won't have the endemic problems with oops it no longer boots and I can't just boot a live cd and access my business critical data.
> -Bill
> --
> William D. Herrin ................ herrin@dirtside.com bill@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
On 12/9/2010 8:20 PM, William Herrin wrote:
> On Thu, Dec 9, 2010 at 7:24 PM, Brandon Kim <brandon.kim@brandontek.com> wrote:
> > I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files on the harddrive.
> Save yourself some grief and buy a self-encrypting disk (SED) instead. OS transparent so you won't have the endemic problems with oops it no longer boots and I can't just boot a live cd and access my business critical data.
> -Bill
+1 - You mentioned Windows 2003 - with truecrypt, you need to type in the password to boot the computer. For desktops and laptops, that's fine, but if your DC loses power or something, you don't want to be the one to have to go around and type in the password for all those servers...
Ben
Brandon Kim <brandon.kim@brandontek.com> typed on 2010-12-09T19:24-0500:
> Hey guys:
> [snip]
> I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files on the harddrive.
We are using Sophos. It's encryption for business with a central key server, etc.
Jan
* Brandon Kim:
> I know windows has bitlocker, but I don't know if that is available for Win2003?
I believe EFS is available in Windows XP and Windows 2003 Server, too. Software-based solutions have the advantage that they are somewhat more testable and reviewable. If it's all in the disk, you can't really be sure that the data is encrypted with a static key, and the passphrase is used for access control only. The latter approach seems to be somewhat common with encrypting storage devices, unfortunately.
On 12/10/2010 8:21 AM, Florian Weimer wrote:
> I believe EFS is available in Windows XP and Windows 2003 Server, too.
> Software-based solutions have the advantage that they are somewhat more testable and reviewable. If it's all in the disk, you can't really be sure that the data is encrypted with a static key, and the passphrase is used for access control only. The latter approach seems to be somewhat common with encrypting storage devices, unfortunately.
After some research, I find that recovery of EFS (available for Win 2000/2003/XP/Vista/7) encrypted files in the case of disaster can be problematic. It has to do with keys, file ownerships, etc., etc., etc. Plan for disaster and know how to recover before you encrypt with EFS.
--Curtis
> After some research, I find that recovery of EFS (available for Win 2000/2003/XP/Vista/7) encrypted files in the case of disaster can be problematic. It has to do with keys, file ownerships, etc., etc., etc. Plan for disaster and know how to recover before you encrypt with EFS.
This is an interesting point .. it depends on what the "disaster" is that you plan for.
In many cases, the "disaster" is the seizure or loss of the device, in which case it's appropriate NOT to have any method of key recovery. In a corporate context, it's debatable if key escrow and multikey methods mitigate the risk or compound it.
Regards,
Michael Holstein
Cleveland State University
On 12/10/2010 9:33 AM, Michael Holstein wrote:
> > After some research, I find that recovery of EFS (available for Win 2000/2003/XP/Vista/7) encrypted files in the case of disaster can be problematic. It has to do with keys, file ownerships, etc., etc., etc. Plan for disaster and know how to recover before you encrypt with EFS.
> This is an interesting point .. it depends on what the "disaster" is that you plan for.
> In many cases, the "disaster" is the seizure or loss of the device, in which case it's appropriate NOT to have any method of key recovery. In a corporate context, it's debatable if key escrow and multikey methods mitigate the risk or compound it.
Good point, but I'm thinking in terms of failure of the machine that physically houses the files. You and I both know that you're not going to be able to replace server hardware with identical hardware and even if you do, the Windows SID will change. Restoring the system state is going to be a useless exercise. Therefore you will need the keys to decrypt/re-encrypt the files on a new device after you restore from backup. If the disk is lost or stolen, then hell no, I don't want the thief to be able to restore the data. All of this is moot if you're running in a virtual environment and you have good snapshots/backups of your VM.
--Curtis
On Fri, Dec 10, 2010 at 8:21 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
> Software-based solutions have the advantage that they are somewhat more testable and reviewable. If it's all in the disk, you can't really be sure that the data is encrypted with a static key, and the passphrase is used for access control only. The latter approach seems to be somewhat common with encrypting storage devices, unfortunately.
It's not just common; it's the official standard. The API doesn't let you set the key or read the bare data. It lets you input a password to unlock both drive and encryption key and it lets you tell the drive to generate a new encryption key ("cryptographic erase"). So yes, you have to trust that the manufacturer is doing what they claim.
This caused me some concern when I first got it, but at the end of the day I'm not trying to protect my files from someone with the resources to reconfigure hard drives in a way that allows them to go after the raw data without entering the password. I'm trying to protect them from the casual roadside thief.
-Bill
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
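The distinction Florian Weimer and William Herrin discuss above, between a media key wrapped under a password-derived key and a media key that the password merely gates, as a toy model (an added example, not code from the thread or from any drive's firmware). The storage layout, the function names and the SHA-256 keystream standing in for AES are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 keystream) to stay stdlib-only; real drives use AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def provision(password: str, wrap: bool) -> dict:
    """Return the drive's stored key material (hypothetical layout)."""
    salt = secrets.token_bytes(16)
    kek = derive_kek(password, salt)
    mek = secrets.token_bytes(32)  # media encryption key, generated by the drive
    return {
        "salt": salt,
        "verifier": hashlib.sha256(b"verify" + kek).digest(),
        # wrap=True: the MEK is stored only encrypted under the password-derived KEK.
        # wrap=False: the MEK is stored as-is; the password only gates access.
        "mek_field": xor_stream(kek, mek) if wrap else mek,
        "wrapped": wrap,
    }

def unlock(store: dict, password: str):
    """Firmware path: check the password, then hand back the MEK (or None)."""
    kek = derive_kek(password, store["salt"])
    check = hashlib.sha256(b"verify" + kek).digest()
    if not hmac.compare_digest(check, store["verifier"]):
        return None
    return xor_stream(kek, store["mek_field"]) if store["wrapped"] else store["mek_field"]

def mek_without_password(store: dict):
    """What the stored material alone yields when the firmware check is not in the path."""
    return None if store["wrapped"] else store["mek_field"]

def cryptographic_erase(store: dict, new_password: str) -> dict:
    """Generate a fresh MEK; data written under the old MEK becomes unreadable."""
    return provision(new_password, store["wrapped"])
```

From the outside both designs behave identically through `unlock`, which is why the thread concludes that the manufacturer has to be trusted on which one is implemented.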
http://xkcd.com/538/
On Fri, Dec 10, 2010 at 9:58 AM, William Herrin <bill@herrin.us> wrote:
> On Fri, Dec 10, 2010 at 8:21 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
> > Software-based solutions have the advantage that they are somewhat more testable and reviewable. If it's all in the disk, you can't really be sure that the data is encrypted with a static key, and the passphrase is used for access control only. The latter approach seems to be somewhat common with encrypting storage devices, unfortunately.
> It's not just common; it's the official standard. The API doesn't let you set the key or read the bare data. It lets you input a password to unlock both drive and encryption key and it lets you tell the drive to generate a new encryption key ("cryptographic erase"). So yes, you have to trust that the manufacturer is doing what they claim.
> This caused me some concern when I first got it, but at the end of the day I'm not trying to protect my files from someone with the resources to reconfigure hard drives in a way that allows them to go after the raw data without entering the password. I'm trying to protect them from the casual roadside thief.
> -Bill
> --
> William D. Herrin ................ herrin@dirtside.com bill@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
On Fri, Dec 10, 2010 at 12:24 AM, Brandon Kim <brandon.kim@brandontek.com> wrote:
> I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files on the harddrive.
> I know windows has bitlocker, but I don't know if that is available for Win2003? And it always seems like 3rd party apps seem to do a better job than what Microsoft gives you.
+1 Truecrypt
It's a very good solution, which lacks some of the complications of using BitLocker that others here have described, but is arguably just as secure in terms of cipher usage, and is very well written.
Please note that you do *not* have to use Truecrypt in whole-disk-encryption mode (the comment "*with Truecrypt, you need to type in the password to boot the computer*" is not necessarily true - it depends how you set it up). TC has a second usage mode in which you use it to create an encrypted container (in a conventional file or a dedicated disk partition) which appears as a Windows drive when "mounted" (by the TC driver software). I'd bet that far more people use it in this mode than those who use it for WDE ... many folks use it to keep data on memory sticks (and other portable storage media) safe.
Icing on the cake: TC also has Mac and Linux versions, and the container files are portable between all 3 environments.
Cheers
Nick
participants (12)
- Ben Carleton
- Brandon Kim
- Chad Dailey
- Curtis Maurand
- Florian Weimer
- Jan-Philipp Warmers
- John Menerick
- John Orthoefer
- Michael Holstein
- Nick Boyce
- Suresh Ramasubramanian
- William Herrin