  1. #1
    5 Star Lounger
    Join Date
    Jan 2011
    Location
    Seattle, WA
    Posts
    1,070
    Thanks
    42
    Thanked 132 Times in 86 Posts

    Better data and boot security for Windows PCs





    By Fred Langa

    Fundamental changes in PCs, including UEFI, BIOS, and Secure Boot, can interfere with classic security techniques such as whole-disk encryption. But a simple, free, two-step process provides extremely reliable data and system-boot security for all Windows versions, on virtually all PC hardware.

    The full text of this column is posted at windowssecrets.com/top-story/better-data-and-boot-security-for-windows-pcs (paid content).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2
    New Lounger
    Join Date
    Dec 2009
    Location
    vermont, usa
    Posts
    24
    Thanks
    0
    Thanked 0 Times in 0 Posts
    The use of the BIOS password does not protect you from someone who gets access to your computer (stolen laptop) and is willing to remove the hard drive. The contents of the drive would be visible. Given that this is true, why even bother with this step? What protection is it providing? I have been reverting Win 8 back to Win 7 and using TrueCrypt to encrypt the entire drive, instead.

  3. #3
    New Lounger
    Join Date
    Nov 2012
    Posts
    9
    Thanks
    0
    Thanked 7 Times in 2 Posts
    Having used TrueCrypt on an XP system I was reluctant to 'give up without a fight' in getting it to cooperate on my new Win 8.1 system. And guess what? It works like a champ... as long as one sticks with ONLY encrypting non-system volumes or partitions. I use both. Encrypted volumes are used mainly for removable media (USB sticks) and whole partitions can be encrypted on any hard drive. The 7zip method is OK, I guess, but it seems to be a bit labyrinthine when compared to having TrueCrypt automatically mount (after entering the password, of course) all encrypted volumes and partitions at boot time.
    The instructions provided with the TrueCrypt app are perfectly adequate in setting up either scenario.

  4. #4
    WS Lounge VIP access-mdb's Avatar
    Join Date
    Dec 2009
    Location
    Oxfordshire, UK
    Posts
    1,725
    Thanks
    147
    Thanked 156 Times in 149 Posts
    I tried using 7Zip to encrypt a folder. This it did and it opens with the password. However, if I try to edit a file, even a 232kb one, it seems to be unencrypting the whole archive and takes a long time (I cancelled before it finished, it was taking so long). Is this normal behaviour? It wouldn't seem so in Fred's email.

  5. #5
    WS Lounge VIP access-mdb's Avatar
    Join Date
    Dec 2009
    Location
    Oxfordshire, UK
    Posts
    1,725
    Thanks
    147
    Thanked 156 Times in 149 Posts
    As Jon says, taking a hard disk out of a laptop would lose its protection. I assume that booting from Linux (either a dual boot or from a memory stick) will have the same effect.

  6. #6
    New Lounger
    Join Date
    May 2014
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I don't get it. The article talks about encryption to keep data secure. Fred goes on to talk about the use of 7-ZIP to encrypt your files and folders. But, if I read it correctly, 7-ZIP only creates encrypted .7z files and leaves the original files intact and unsecure!! What's the point? I don't want to create a ZIP-like file of my files and folders, I want to encrypt my files and folders so if someone steals my hard drive, the data is secure.

    Maybe someone can explain how creating a .7z file secures my original data?

  7. #7
    New Lounger
    Join Date
    Dec 2009
    Location
    Shelter Island, NY, USA
    Posts
    11
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Greetings!

    Fred did then go on to say: "Your next step is to test the archive to make sure that encryption and compression worked properly. If it did — and that's almost always the case — you can then delete the original files, so that only the encrypted archive remains."

  8. #8
    New Lounger
    Join Date
    Dec 2009
    Location
    Shelter Island, NY, USA
    Posts
    11
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Greetings!

    " (For complete security, be sure to empty the Windows trash.)" Unless sector data is overwritten, can't it be recovered? Does "emptying the trash" overwrite the data?

  9. #9
    New Lounger
    Join Date
    May 2014
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    If I were to install 7Zip and encrypt some files would those files, which are also in Dropbox, have a conflict when I access them from my phone/tablet? I had these same files password protected and when I tried to open them from Dropbox on my phone and/or tablet Dropbox couldn't handle it. I had to remove the passwords in order to open them from phone and tablet.

  10. #10
    New Lounger
    Join Date
    Dec 2009
    Location
    Massachusetts
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    This is the first time I have found Fred to write something that is way off in a long time. To go from describing TrueCrypt as one of the most popular FOSS programs in use, to noting that it does not work for whole-disk encryption of boot volumes with Windows 8, to abandoning it entirely and switching to recommending 7-zip is just ridiculous.

    TrueCrypt works fine with Windows 7, the most popular version of Windows at the moment. It also works fine with Windows 8 except for the whole-disk encryption of the boot volume. So just back off from that and separate your major storage from the boot volume and your major storage in a separate volume. Problem solved.

    7-zip does NOT replace the functionality in TrueCrypt. It is a poor substitute. 7-zip works exceedingly well for what it does, however. Both are recommended.

  11. #11
    Lounger
    Join Date
    Dec 2009
    Location
    Grand Rapids MI USA
    Posts
    49
    Thanks
    4
    Thanked 1 Time in 1 Post
    I was also confused about the focus on 7-zip and no mention of how Truecrypt seems to be working just fine in most other ways on Windows 8.1 and UEFI. But it is also alarming that there haven't been any newer versions of Truecrypt for a couple years. I know they already ask for donations, but perhaps they would be well-served in using the model of charging some small fee for Truecrypt to funnel into development. I'm concerned that Truecrypt is going to freeze where it is and perhaps not work at all on the next version of Windows. It is working fine for me on Win 8.1, but all I have ever done is encrypt folders. I would agree that there is cause for worry on Truecrypt's future, but using something like 7-zip just isn't the answer. If that is the best ongoing answer for affordable encryption, that is indeed cause for concern.

  12. #12
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Quote (originally posted by DirtySox):
    Greetings!

    " (For complete security, be sure to empty the Windows trash.)" Unless sector data is overwritten, can't it be recovered? Does "emptying the trash" overwrite the data?

    Windows does not by default overwrite data when deleting files and folders, including emptying the trash. CCleaner will do the job if set properly, for Trash. Eraser will do the job for everything else. If you're encrypting, you need to make sure you aren't leaving recoverable traces behind. Fred must know this, but he failed to mention it in the article.
    -- Bob Primak --

  13. #13
    2 Star Lounger bobdog's Avatar
    Join Date
    Jan 2001
    Posts
    108
    Thanks
    3
    Thanked 5 Times in 4 Posts
    Sometimes it's best to avoid going overboard with security stuff. I advise all my clients to avoid encryption and compression like syphilis for their home machines and ask if they really think that they need to encrypt or even compress their drives. Just because you can take advantage of advanced features like this, it's not always wise to do so.

    Overhead issues aside, the problem with either one becomes painfully obvious when they get whacked with a virus or have a disk error or a disk failure. You can't clone the drive, you can't fix it, and you can't make it a secondary drive and copy their files to another drive. In short, you're screwed.

    Trust me. When this happens, you WILL reevaluate your reasoning.
    Last edited by bobdog; 2014-05-15 at 13:41.

  14. #14
    New Lounger
    Join Date
    Feb 2004
    Location
    Hertfordshire, England
    Posts
    22
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Whilst I agree that for most home users you can certainly go overboard with encryption, there are several flaws with the file and folder encryption strategy. A key one is that even though your files may be encrypted (assuming you've remembered to encrypt all the important ones), as soon as you start working on them, content will find its way, unencrypted, into temporary files, print spooling files and the swap and hiber files. If I were advising anyone professional, e.g. an accountant, I'd have to warn them of the severe legal and regulatory consequences if they couldn't guarantee that ALL their client personal data was encrypted. One of the many lessons of Heartbleed is how easy it is to scan random data for anything sensitive. And the Unix strings command has been able to do that for decades.

    As for boot security, I wouldn't trust it against anything more than an opportunist attack. Truecrypt has been criticised as not having been subject (until recently) to independent audit, but at least it's open source (though even that is a 2-edged sword as it means the bad guys and intelligence community can comb it for exploitable flaws). But we know nothing about the implementation of BIOS or hard disk password locking, either in terms of the quality of design or implementation, or whether the manufacturers have built in secret back doors for their own purposes, as it has recently become evident that domestic router manufacturers have.

    But a big advantage of full disk encryption is that it's fit-and-forget. No password manager needed and no messing with a password every time you want to open a file in a different folder. Very little opportunity to make mistakes.
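
Added example (not part of any post in this thread): a minimal Python equivalent of the strings scan mentioned in post #14, for checking whether a marker from an encrypted document still sits in readable form in temp or spool files. It also matches UTF-16LE text, which goes beyond the post; the marker, file names and sample bytes are constructed for illustration.

```python
import os
import re
import tempfile

MIN_LEN = 6  # shortest run of printable characters worth reporting
# Printable ASCII runs, as single bytes and as UTF-16LE (common on Windows).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def printable_strings(data):
    """Yield printable runs found in raw bytes, like the Unix strings tool."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def find_plaintext_leaks(root, markers):
    """Return {path: [markers]} for files under root holding a marker in readable form."""
    leaks = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()  # whole-file read: meant for temp/spool dirs
            except OSError:
                continue  # locked or unreadable file: skip it
            text = "\n".join(printable_strings(data))
            hits = sorted(m for m in markers if m in text)
            if hits:
                leaks[path] = hits
    return leaks


def demo():
    """Constructed sample: two leaked working copies and one opaque archive."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "~WRL0001.tmp": b"\x00\x17" + "ACME-CLIENT-4471 tax".encode("utf-16-le"),
            "spool.spl": b"\x1b%-12345X" + b"ACME-CLIENT-4471" + b"\x0c\x00",
            "clients.7z": b"7z\xbc\xaf\x27\x1c" + bytes(range(128, 256)),
        }
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        found = find_plaintext_leaks(root, ["ACME-CLIENT-4471"])
        return sorted(os.path.basename(p) for p in found)
```
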

  15. #15
    3 Star Lounger
    Join Date
    Dec 2009
    Location
    Courtenay, BC
    Posts
    244
    Thanks
    9
    Thanked 16 Times in 15 Posts
    I'd agree with BobDog. I would consider it a bad idea, even in a business setting, to encrypt the entire drive. As Fred notes, many of the system files are pointless to encrypt and you introduce a major layer of potential problems.

    At one point, I used TrueCrypt to encrypt several key folders on my system. Then one day, it hiccuped and those files were toast. They're typically the LAST files you want to lose. I've not touched TrueCrypt since. I do use 7-Zip and have found it quite reliable but am more inclined to use the even more standard Zip format for maximum accessibility. I do use encryption for the web and portable media. But I also back up that stuff.

    Your best security is access control. I don't find reducing my own access anywhere near as productive. You really have to be careful about getting carried away with security that increases the potential for problems.
