How Secure Is Windows Encryption?

Hi Fred. In your newsletter, James spoke about a workaround he found while having problems dealing with a restore and the use of the "make files private" function. As I use an NTFS partition, I have chosen to encrypt the ‘My Documents’ folder for my standard login on Win2K (Properties/Advanced/Encrypt contents to secure data). The plan was that even if my PC ended up being stolen, no one would be able to read that portion of my disk. I ‘double encrypt’ the more sensitive stuff using blowfish encryption software and a blowfish encryption password safe. However, your comments about the ability to work around most Windows system security tools has me concerned. I know that even when I’m logged in as an administrator I can’t read any of the contents of this folder. Just how secure is the encryption offered by Windows users who are taking advantage of this option?

The documents in your encrypted folders are potentially secure, given your use of both Windows’ Encrypting File System and Blowfish for your most sensitive data. These are highly effective encryption algorithms and, if used properly as part of a comprehensive security system, should lock out just about any potential cracker.

A common mistake, however, is that many users embrace secure encryption but don’t take other precautions. The files may be secure, but the data in them may not be. Let me explain by analogy.

Someone calls your office and gives your assistant a secret password. She writes it down and hands you the paper. You store that piece of paper in your physical safe. Is the password secure? That depends. Was someone in the room with the caller on the other end of the phone? Was someone listening to your assistant? Was the password dented into the next sheet of paper on the tablet and, if so, where is that sheet? Can you trust the caller to keep the password secret? Can you trust your assistant? Does anyone else have access to the combination of the safe? The piece of paper may be secure, but the password may not be.

File encryption is like that. The encrypted files usually don’t start out encrypted. Were they in a Word document that was saved? If so, that data was written to a temp file. Was the original file copied or backed up? If the copy was deleted, it’s possible that it can be "recovered" from your hard disk. Was the data e-mailed to you? Found on a web site? Can your password be hacked or guessed?

The best approach is to combine encryption with good password management and security tools that tie up all the loose ends created when your data is making its way to its encrypted state.

I use a program called Privacy Eraser Pro ( ), but there are many others. PEP erases temp files, document histories and other "histories," empties the Recycle Bin and ties up other security loose ends. It also has a feature that takes all the so-called "empty space" — which is loaded with fully intact data you have "deleted" — and wipes it clean with either all "ones," all "zeros" or randomly chosen "ones" and "zeros." You can choose Department of Defense standards (three passes), NSA (seven passes) or Peter Gutmann (35 passes). Privacy Eraser Pro costs $39.95.

It’s also a good idea to encrypt entire folders (as you are doing), rather than just individual files. The reason is that as you use files stored in encrypted folders, any temp files generated in those folders during use will also be encrypted. Export your EFS certificate and private key to a USB drive (without them, the encrypted files cannot be recovered if your user profile is lost or rebuilt), and keep it hidden somewhere when the computer is not in use.
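One way to check for the loose ends described above on a current Windows machine, as an added example that is not part of the column: it audits an EFS folder for files that are not actually encrypted, looks for editor scratch files that landed outside it, wipes free space with the built-in cipher.exe, and backs up the EFS key. It assumes PowerShell 3 or later; $Root and $TempDirs are placeholder paths.

```powershell
# Added example, not from the original column. Assumes PowerShell 3+ on NTFS.
param(
    [string]$Root       = "$env:USERPROFILE\Documents",   # placeholder: the folder you encrypted
    [string[]]$TempDirs = @($env:TEMP)                    # placeholder: where scratch files land
)

function Test-EfsEncrypted {
    param([System.IO.FileSystemInfo]$Item)
    # EFS-protected files and folders carry the NTFS "Encrypted" attribute bit.
    return (($Item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# 1. Anything inside the "encrypted" tree that lacks the attribute is a cleartext
#    loose end (for example, written there by a tool that bypassed inheritance).
$cleartext = Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { -not (Test-EfsEncrypted $_) }

# 2. Editors write scratch and backup copies (~$name.docx, *.tmp, *.wbk, *.asd, *.bak).
#    When those land outside the encrypted folder, EFS never covers them.
$patterns = '~$*', '*.tmp', '*.wbk', '*.asd', '*.bak'
$leaks = foreach ($dir in $TempDirs) {
    foreach ($p in $patterns) {
        Get-ChildItem -LiteralPath $dir -Filter $p -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { -not (Test-EfsEncrypted $_) }
    }
}

"{0} unencrypted file(s) inside {1}:" -f @($cleartext).Count, $Root
$cleartext | Select-Object -ExpandProperty FullName
"{0} unencrypted scratch file(s) outside the encrypted folder:" -f @($leaks).Count
$leaks | Select-Object -ExpandProperty FullName

# 3. After deleting leftovers, overwrite the volume's free space so "deleted" data
#    cannot be recovered. cipher /w makes three passes (zeros, 0xFF, random) and
#    can take a long time on a large disk.
cipher.exe /w:$Root

# 4. Back up the EFS certificate and private key to a .pfx (cipher prompts for a
#    password). Move the file to removable media; don't leave it on this volume.
cipher.exe /x "$env:USERPROFILE\efs-backup"
```

Run the script as the user who owns the encrypted folder, since only that account's key can read the files and only that account's certificate is exported.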

And whatever tools you use, make sure you’re using strong passwords. See "How to Build Better Passwords" and the other info here:

And, if you’re really serious about protecting your data, these tips just scratch the surface. For Microsoft’s Encrypting File System, there are plenty of good ideas and best practices you may want to review on the Microsoft Web site ( ) that will help you use Microsoft tools to protect and secure your files.

Fred Langa

About Fred Langa

Fred Langa is senior editor. His LangaList Newsletter merged with Windows Secrets on Nov. 16, 2006. Prior to that, Fred was editor of Byte Magazine (1987 to 1991) and editorial director of CMP Media (1991 to 1996), overseeing Windows Magazine and others.