How Secure Is Windows Encryption?
Hi Fred. In your newsletter, James spoke about a workaround he found while having problems dealing with a restore and the use of the "make files private" function. As I use an NTFS partition, I have chosen to encrypt the 'My Documents' folder for my standard login on Win2K (Properties/Advanced/Encrypt contents to secure data). The plan was that even if my PC ended up being stolen, no one would be able to read that portion of my disk. I 'double encrypt' the more sensitive stuff using blowfish encryption software and a blowfish encryption password safe. However, your comments about the ability to work around most Windows system security tools has me concerned. I know that even when I'm logged in as an administrator I can't read any of the contents of this folder. Just how secure is the encryption offered by Windows users who are taking advantage of this option?
The documents in your encrypted folders are
potentially secure, given your use of both Windows' Encrypting File System and
Blowfish for your most sensitive data. These are highly effective encryption
algorithms and, if used properly as part of a comprehensive security system,
should lock out just about any potential cracker.
A common mistake, however, is that many users embrace secure encryption but
don't take other precautions. The files may be secure, but the data in them may
not be. Let me explain by analogy.
Someone calls your office and gives your assistant a secret password. She writes
it down and hands you the paper. You store that piece of paper in your physical
safe. Is the password secure? That depends. Was someone in the room with the
caller on the other end of the phone? Was someone listening to your assistant?
Was the password dented into the next sheet of paper on the tablet and, if so,
where is that sheet? Can you trust the caller to keep the password secret? Can
you trust your assistant? Does anyone else have access to the combination of the
safe? The piece of paper may be secure, but the password may not be.
File encryption is like that. The encrypted files usually don't start out
encrypted. Were they in a Word document that was saved? If so, that data was
written to a temp file. Was the original file copied or backed up? If the copy
was deleted, it's possible that it can be "recovered" from your hard disk. Was
the data e-mailed to you? Found on a web site? Can your password be hacked or
guessed?
The best approach is to combine encryption with good password management and
security tools that tie up all the loose ends created when your data is making
its way to its encrypted state.
I use a program called Privacy Eraser Pro (
http://www.privacyeraser.com/ ), but
there are many others. PEP erases temp files, document histories and other
"histories," empties Recycle Bin and ties up other security loose ends. It also
has a feature that takes all the so-called "empty space"--- which is loaded with
fully intact data you have "deleted"--- and wipes it clean with either all
"ones," all "zeros" or randomly chosen "ones" and "zeros." You can choose
Department of Defense standards (three passes), NSA (seven passes) or Peter
Gutmann (35 passes). Privacy Eraser Pro costs $39.95.
It's also a good idea to encrypt entire folders (as you are doing), rather than
just individual files. The reason is that as you use files stored in encrypted
folders, any temp files generated in those folders during use will also be encrypted. Export
certificates and private keys to a USB drive, and keep it hidden somewhere when
the computer is not in use.
And whatever tools you use, make sure you're using
strong passwords. See "How to Build Better Passwords"
http://www.informationweek.com/showArticle.jhtml?articleID=164303537 and the
other info here: http://tinyurl.com/m8cr2
And, if you're really serious about protecting your data, these tips just scratch the surface. For Microsoft's Encrypting File System, there are plenty of good ideas and best practices you may want to review on the Microsoft Web site ( http://tinyurl.com/o4shu ) that will help you use Microsoft tools to protect and secure your files.
Digg
Del.icio.us
Reddit
StumbleUpon
Other
Permalink
