Peter Bye

asked on

Protect a Partition - Use Bitlocker or Something Else?

I have a Dell workstation running Windows 7 Ultimate 64-bit. Two disk drives. Drive one has the C: partition and the recovery partition. Drive two has two partitions - the Windows swap file and a partition that holds all my data files (call it F: below).

I would like to secure the data on F:. Actually, there are two folders on F: that have the information I really want to secure. The other folders are optional.

I want protection that is reasonably secure, reliable, and easy to use. I do not need military-quality protection, though.

My questions:

* Would Bitlocker suffice for this? What are the pros and cons of using Bitlocker?

* If I use Bitlocker what should I look out for? (I already know about the Microsoft articles and plan to read them. I'm looking for any practical expert advice you may have.)

* If not Bitlocker, then what?

* Is it practical to protect just those two folders or should I protect the entire F: partition?

* Should I consider protecting C: since Windows and programs such as Office store temp files in various places on C:?

Thanks.
SysExpert

Truecrypt Open source is probably a better choice.


I hope this helps !
Free encryption tool
http://www.truecrypt.org/
Depends on what you are worried about ?

If someone takes your computer, what are you worried will be revealed ?

That will determine what needs to be encrypted.

I hope this helps !
Peter Bye

ASKER

The data to be protected are financial records and client data. All are stored on the F: drive within three folders.

What makes Truecrypt Open a better solution in your view?
Not proprietary for a start.

If you have issues with BitLocker, you may end up paying $$$ to MS to get it fixed, if at all.

Check the options of both and you can decide for yourself, which offers the most flexibility in terms of backup, install, and options.

For financial records I would also consider encrypting the C drive and any drive that has a pagefile or temp folder.
BitLocker is fine for your situation -- and indeed it fully encrypts the entire volume, so you don't have to worry about any temporary files or auto-save files that may be on the system drive. TrueCrypt is also a good choice -- it has the advantage that it doesn't require the Ultimate version and isn't proprietary to Microsoft ... but neither of those is of any significance in your case.

Regardless of which you use, be CERTAIN that you have a good backup of the encryption key. While I'm sure you keep good backups of your data (which I presume you'll also keep encrypted), neither the current data nor the backups can be read without the appropriate encryption key(s). Losing the encryption key is FAR worse than losing a password -- for all practical purposes there is simply no way to recover the data without the key.
SysExpert - thanks for elaborating.

Garycase - you raise some excellent points and a further question or two that I had not thought of.

Given that the data (F:) is on one disk drive and C: is on a different disk drive, should I encrypt both C: and F:? And should I encrypt the Windows swap partition that is on the disk drive with F:?

I keep two types of backup.

MozyHome offsite backup with my own keyword. Everything that MozyHome backs up is on F:. Will MozyHome still be able to read the files from F: for backup once Bitlocker is enabled?

I also do local backups to an external Western Digital MyBook drive. Those are not encrypted at this point. I suppose I should use Bitlocker to encrypt that MyBook drive partition?

Part of that MyBook drive is a partition where Acronis stores images of C:. I assume I would NOT protect that partition.

A strong second about storing the encryption keys. For Mozy I keep it in writing locally and also in a bank safe deposit box!
I just sent Mozy technical support the question about MozyHome compatibility with Bitlocker. I'll share their response.
Definitely interested in what they say. I was looking at a few Mozy forums when comment came in, and they apparently have had some issues with encrypted drives in the past ... it's not clear if they've been resolved since (which you should know when they reply).

r.e. your question above on the MyBook ==> Yes, I'd use "Bitlocker to Go" to encrypt that so your backup is secure. Note that if you're not concerned about physical security when the MyBook is connected to YOUR system, you can set BitLocker to remember the key for that drive when it's connected to that specific computer. Makes it a bit more seamless if this is a drive you connect/disconnect a lot and store physically elsewhere.

Note also that BitLocker requires NTFS formatting ... I believe Western Digital still ships MyBooks with FAT32 formatting -- if so (and you haven't already reformatted yours) you'll need to change it to NTFS formatting. [You can do this without any data loss with Windows' "Convert" utility]
SOLUTION (SysExpert): This solution is only available to members of Experts Exchange.
Well, things are now coming into focus.

Mozy Tech Support initially said that Mozy "didn't work well" with encrypted drives. I pushed back and asked for details including if he could consult with a Level 2 tech. Here is the follow-up response:

I apologize for that last bit of information. I spoke to a Level 2 technician and he corrected me. Mozy can backup Bitlocker drives. Because Bitlocker actually does full drive encryption and when you're logged in to a "bitlocked" drive it's as if it's not even encrypted. So yes you will be able to back up a "bitlocked" drive.

So, it appears I can use Bitlocker with the F: data partition.

Acronis continues to be unclear although it seems the answer is mostly no. These knowledge base and forum articles seem to suggest that only a sector-by-sector backup would work reliably:
http://kb.acronis.com/content/1734
http://forum.acronis.com/forum/12432
http://forum.acronis.com/forum/4676

At this point my plan is to enable Bitlocker on the F: partition, probably along with the computer's TPM1.2 security. I'll use Bitlocker to Go to secure the MyBook drive partition and use garycase's suggestion about having Bitlocker remember that key. Given the Acronis situation I plan to leave C: unencrypted. My only concern there is temp files so I'll just need to be careful about finding and erasing them.

Regarding the partition with the Windows swap file: SysExpert suggested encrypting it. Garycase - any thoughts?

I welcome your further thoughts.
SOLUTION: This solution is only available to members of Experts Exchange.
Mantvydas - Thanks. You raise some very valuable points. Regarding primarily your last paragraph - do I need to have C: protected to gain these added protections? Or is it sufficient to enable TPM? I ask since Acronis True Image will not work with encrypted drives so I have to forego that if I use encryption on the C: drive.

Are there any downsides to encrypting the E: partition that has the Windows swap file (and nothing else)?

I assume plugging USB devices (flash drive, camera, headset) in or out of the PC does not cause a need to re-enter the Bitlocker password?
Plugging/unplugging USB devices does not trigger any requirements from BitLocker unless the USB device is a BitLocker protected drive ... in which case you'll be prompted for the key for that device (unless you've set it to be remembered with that specific drive/computer combo).

BitLocker works fine with Windows swap file ... so a swap file on its own BitLocker protected partition would be a good way to ensure there are no recoverable "bits" in the swap file. You may have other temporary files you want to put on that partition (e.g. Windows TEMP file folder ... which many programs will use by default for temporary data).
Garycase - that's an excellent idea to move the Windows TEMP folder over to the swap file partition so it gets protected along with the swap file.

I guess the primary open aspect is whether as Mantvydas suggested C: needs to be protected for Bitlocker to provide maximum security. The primary downside to this is the incompatibility with Acronis True Image for maintaining an image of the system partition. But it may be a worthwhile security trade-off.
ASKER CERTIFIED SOLUTION: This solution is only available to members of Experts Exchange.
Outstanding. I just have to get Windows Backup to start. I clicked the setup link and it just sits there. I digress, though. I'll either figure that out or post a separate question.

This sounds like a great solution. Encrypt C:, E: (swap), F: (data) with Bitlocker.

Encrypt the external hard drive with Bitlocker to Go. Tell Bitlocker to remember the key so I don't have to use it each time. (Physical security for it is not much concern.)

Stop using Acronis True Image. Use Windows Backup to create a system image.

Continue using MozyHome for an encrypted offsite backup of the data.

Garycase - I can't imagine having a multi-boot with 8 OSs. One is bad enough. (smile)

Thank you everyone. You have been so helpful in navigating the options and dependencies to devise a workable solution. I'll go award points. That will be difficult - I wish I had more than 500 available.
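
Added example, not part of the thread and not posted by any participant: a batch script that audits the plan above by checking that each volume reports BitLocker protection on and has a recovery password protector, then records the protectors to removable media for the offline key backup stressed earlier. C:, E: and F: are the thread's drive letters; G: for the MyBook, the output path argument, and English-language `manage-bde` output are assumptions.

```bat
@echo off
rem Added example, not from the thread. Run from an elevated Command Prompt
rem once encryption has finished and all volumes are unlocked.
rem C:, E:, F: are the thread's volumes; G: is an assumed letter for the MyBook.
rem %1 = output file on removable media kept OFF the encrypted drives.
rem String matches assume English-language manage-bde output.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<path-on-removable-media^>
    exit /b 1
)
set "OUT=%~1"
set "VOLUMES=C: E: F: G:"
set FAILED=0

echo BitLocker protector record for %COMPUTERNAME%, %DATE% > "%OUT%"

for %%V in (%VOLUMES%) do (
    rem 1. The volume must report protection on, not merely encrypted.
    manage-bde -status %%V | findstr /C:"Protection On" >nul
    if errorlevel 1 (
        echo [FAIL] %%V protection is not on
        set FAILED=1
    ) else (
        echo [ OK ] %%V protection on
    )
    rem 2. It must carry a recovery password protector.
    manage-bde -protectors -get %%V | findstr /C:"Numerical Password" >nul
    if errorlevel 1 (
        echo [FAIL] %%V has no recovery password protector
        set FAILED=1
    ) else (
        echo [ OK ] %%V recovery password present
        rem 3. Record the protectors so a key backup exists off the drive.
        echo ==== %%V ==== >> "%OUT%"
        manage-bde -protectors -get %%V >> "%OUT%"
    )
)

if %FAILED%==1 (
    echo One or more volumes need attention; see the FAIL lines.
    exit /b 1
)
echo All volumes protected. Print "%OUT%" and store it offline.
exit /b 0
```

The output file contains the recovery passwords in clear text, so it belongs on media stored away from the computer, not on C:, E:, F: or the backup drive itself.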