Solved

Protect a Partition - Use Bitlocker or Something Else?

Posted on 2010-08-19
Last Modified: 2012-05-10
I have a Dell workstation running Windows 7 Ultimate 64-bit. Two disk drives. Drive one has the C: partition and the recovery partition. Drive two has two partitions - the Windows swap file and a partition that holds all my data files (call it F: below).

I would like to secure the data on F:. Actually, there are two folders on F: that have the information I really want to secure. The other folders are optional.

I want protection that is reasonably secure, reliable, and easy to use. I do not need military-quality protection, though.

My questions:

* Would Bitlocker suffice for this? What are the pros and cons of using Bitlocker?

* If I use Bitlocker what should I look out for? (I already know about the Microsoft articles and plan to read them. I'm looking for any practical expert advice you may have.)

* If not Bitlocker, then what?

* Is it practical to protect just those two folders or should I protect the entire F: partition?

* Should I consider protecting C: since Windows and programs such as Office store temp files in various places on C:?

Thanks.
Question by:Peter Bye
17 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 33475939
Truecrypt Open source is probably a better choice.


I hope this helps !
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 33475947
Free encryption tool
http://www.truecrypt.org/
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 33475985
Depends on what you are worried about?

If someone takes your computer, what are you worried will be revealed?

That will determine what needs to be encrypted.

I hope this helps !
0
 

Author Comment

by:Peter Bye
ID: 33476182
The data to be protected are financial records and client data. All are stored on the F: drive within three folders.

What makes Truecrypt Open a better solution in your view?
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 33476395
Not proprietary for a start.

If you have issues with BitLocker, you may end up paying $$$ to MS to get it fixed, if at all.

Check the options of both and you can decide for yourself, which offers the most flexibility in terms of backup, install, and options.

For financial records I would also consider encrypting the C drive and any drive that has a pagefile or temp folder.
0
 
LVL 70

Expert Comment

by:garycase
ID: 33476475
BitLocker is fine for your situation -- and indeed it fully encrypts the entire volume, so you don't have to worry about any temporary files or auto-save files that may be on the system drive. TrueCrypt is also a good choice -- it has the advantage that it doesn't require the Ultimate version and isn't proprietary to Microsoft ... but neither of those is of any significance in your case.

Regardless of which you use, be CERTAIN that you have a good backup of the encryption key. While I'm sure you keep good backups of your data (which I presume you'll also keep encrypted), neither the current data nor the backups can be read without the appropriate encryption key(s). Losing the encryption key is FAR worse than losing a password -- for all practical purposes there is simply no way to recover the data without the key.
0
 

Author Comment

by:Peter Bye
ID: 33476941
SysExpert - thanks for elaborating.

Garycase - you raise some excellent points and a further question or two that I had not thought of.

Given that the data (F:) is on one disk drive and C: is on a different disk drive, should I encrypt both C: and F:? And should I encrypt the Windows swap partition that is on the disk drive with F:?

I keep two types of backup.

MozyHome offsite backup with my own keyword. Everything that MozyHome backs up is on F:. Will MozyHome still be able to read the files from F: for backup once Bitlocker is enabled?

I also do local backups to an external Western Digital MyBook drive. Those are not encrypted at this point. I suppose I should use Bitlocker to encrypt that MyBook drive partition?

Part of that MyBook drive is a partition where Acronis stores images of C:. I assume I would NOT protect that partition.

A strong second about storing the encryption keys. For Mozy I keep it in writing locally and also in a bank safe deposit box!
0
 

Author Comment

by:Peter Bye
ID: 33477349
I just sent Mozy technical support the question about MozyHome compatibility with Bitlocker. I'll share their response.
0

 
LVL 70

Expert Comment

by:garycase
ID: 33477463
Definitely interested in what they say. I was looking at a few Mozy forums when the comment came in, and they apparently have had some issues with encrypted drives in the past ... it's not clear if they've been resolved since (which you should know when they reply).

Re your question above on the MyBook ==> Yes, I'd use "Bitlocker to Go" to encrypt that so your backup is secure. Note that if you're not concerned about physical security when the MyBook is connected to YOUR system, you can set BitLocker to remember the key for that drive when it's connected to that specific computer. Makes it a bit more seamless if this is a drive you connect/disconnect a lot and store physically elsewhere.

Note also that BitLocker requires NTFS formatting ... I believe Western Digital still ships MyBooks with FAT32 formatting -- if so (and you haven't already reformatted yours) you'll need to change it to NTFS formatting. [You can do this without any data loss with Windows' "Convert" utility.]
0
 
LVL 63

Assisted Solution

by:SysExpert
SysExpert earned 50 total points
ID: 33477524
I would also suggest looking into how Acronis handles encrypted C drive.

0
 

Author Comment

by:Peter Bye
ID: 33478775
Well, things are now coming into focus.

Mozy Tech Support initially said that Mozy "didn't work well" with encrypted drives. I pushed back and asked for details including if he could consult with a Level 2 tech. Here is the follow-up response:

I apologize for that last bit of information. I spoke to a Level 2 technician and he corrected me. Mozy can backup Bitlocker drives. Because Bitlocker actually does full drive encryption and when you're logged in to a "bitlocked" drive it's as if it's not even encrypted. So yes you will be able to back up a "bitlocked" drive.

So, it appears I can use Bitlocker with the F: data partition.

Acronis continues to be unclear although it seems the answer is mostly no. These knowledge base and forum articles seem to suggest that only a sector-by-sector backup would work reliably:
http://kb.acronis.com/content/1734
http://forum.acronis.com/forum/12432
http://forum.acronis.com/forum/4676

At this point my plan is to enable Bitlocker on the F: partition, probably along with the computer's TPM1.2 security. I'll use Bitlocker to Go to secure the MyBook drive partition and use garycase's suggestion about having Bitlocker remember that key. Given the Acronis situation I plan to leave C: unencrypted. My only concern there is temp files so I'll just need to be careful about finding and erasing them.

Regarding the partition with the Windows swap file: SysExpert suggested encrypting it. Garycase - any thoughts?

I welcome your further thoughts.
0
 
LVL 3

Assisted Solution

by:Mantvydas
Mantvydas earned 175 total points
ID: 33479971
I would vote for Bitlocker.

Pros. Because there's nothing more to pay to Microsoft: you are already using the Ultimate version of Windows 7, and Bitlocker is a feature of it.
It's Microsoft's way to encrypt a disk, so support is in one pair of hands - you don't need to desperately seek community support, where no one is responsible, when something bad happens.

Cons. None. See lookout below.

Lookout. You have to be careful with hardware changes or BIOS upgrades of the computer, as after every bigger hardware change (bigger: more than one device) you need to re-enter the Bitlocker key upon computer startup. So having your key accessible at any time is necessary (for example, someone at home can read it to you over the phone, or you save the key somewhere on the internet (can you do that securely enough?)).

If not BitLocker. Open source TrueCrypt. Paid Utimaco Safeguard Easy.

Protecting. Only whole partition is possible with Bitlocker.

Considering C: Yes, consider that. Because even with TrueCrypt, either you need to enter the unlock key in every Windows session in which you need F:, or, if you don't need an encryption key every session, then the encryption key is somewhere on the disk or in RAM for the system to use. So the bad guy simply launches the system from the unprotected C: drive, by hacking your Windows user password, as it lies on the unprotected C:, and grabs the key from RAM.

Going further, even that is not secure enough with TrueCrypt. Even if you protect the C: drive with TrueCrypt, the key is still somewhere on the hard disk (otherwise the computer wouldn't boot). So the bad guy who knows TrueCrypt can put the TrueCrypted hard disk into another computer and get the encryption key from the hard disk.

It doesn't happen with C: protected and Bitlocker. First, because the Windows user password is secured by the encrypted drive. And second, because Bitlocker holds the encryption key in the TPM chip on the motherboard of the computer, so even if you connect the hard drive to another computer, you can't access the encryption key, as the key is in the TPM of the original computer.



0
 

Author Comment

by:Peter Bye
ID: 33480169
Mantvydas - Thanks. You raise some very valuable points. Regarding primarily your last paragraph - do I need to have C: protected to gain these added protections? Or is it sufficient to enable TPM? I ask since Acronis True Image will not work with encrypted drives so I have to forego that if I use encryption on the C: drive.

Are there any downsides to encrypting the E: partition that has the Windows swap file (and nothing else)?

I assume plugging USB devices (flash drive, camera, headset) in or out of the PC does not cause a need to re-enter the Bitlocker password?
0
 
LVL 70

Expert Comment

by:garycase
ID: 33480474
Plugging/unplugging USB devices does not trigger any requirements from BitLocker unless the USB device is a BitLocker protected drive ... in which case you'll be prompted for the key for that device (unless you've set it to be remembered with that specific drive/computer combo).

BitLocker works fine with Windows swap file ... so a swap file on its own BitLocker protected partition would be a good way to ensure there are no recoverable "bits" in the swap file. You may have other temporary files you want to put on that partition (e.g. Windows TEMP file folder ... which many programs will use by default for temporary data).
0
 

Author Comment

by:Peter Bye
ID: 33480778
Garycase - that's an excellent idea to move the Windows TEMP folder over to the swap file partition so it gets protected along with the swap file.

I guess the primary open aspect is whether as Mantvydas suggested C: needs to be protected for Bitlocker to provide maximum security. The primary downside to this is the incompatibility with Acronis True Image for maintaining an image of the system partition. But it may be a worthwhile security trade-off.
0
 
LVL 70

Accepted Solution

by:garycase
garycase earned 275 total points
ID: 33480979
Personally, I think the risk of an unencrypted C: drive is very small IF you have moved (a) the swap file; (b) the TEMP folder; and (c) your e-mail store (if it's local) off of C: to an encrypted drive. All three of those are simple to do. Most applications keep their data in your designated documents folder ... and any you use that don't are most likely configurable -- so you can easily ensure they also keep their data in an encrypted drive.

I agree, however, that it's much simpler to not have to worry about that -- and simply encrypt everything (C: included). While that may create issues with Acronis, note that Windows 7's built-in Backup utility will easily create a system image ... and it supports BitLocker [not to mention that it's free :-) ]. Aside from "playing" with it to confirm it works (it does ... and quite well) I don't use it, as I have a complex multi-boot system with 8 OS's that I image fairly regularly -- I use an Image Set with Boot-It NG to do those images (but none of these are encrypted).
0
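Added example (not part of the thread or of any poster's own tooling): a PowerShell audit of the three locations named in the accepted answer, reporting whether each active page file, each TEMP/TMP folder, and any extra data folder sits on a volume with BitLocker protection turned on. The function names and the `$ExtraPaths` parameter are hypothetical; the `F:\` default is taken from the question and should be replaced with the real mail-store and data paths.

```powershell
# Added example: run from an elevated PowerShell prompt (works on PowerShell 2.0).
param(
    # Hypothetical parameter: extra folders to check (mail store, client data).
    [string[]]$ExtraPaths = @('F:\')
)

function Get-ProtectedDrives {
    # Win32_EncryptableVolume.ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
    $vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                          -Class Win32_EncryptableVolume -ErrorAction Stop
    $map = @{}
    foreach ($v in $vols) {
        # Volumes without a drive letter are skipped.
        if ($v.DriveLetter) { $map[$v.DriveLetter.ToUpper()] = ($v.ProtectionStatus -eq 1) }
    }
    return $map
}

function Get-SensitiveLocations {
    param([string[]]$Extra)
    $items = @()
    # (a) every active page file, e.g. E:\pagefile.sys
    foreach ($pf in @(Get-WmiObject -Class Win32_PageFileUsage)) {
        $items += New-Object PSObject -Property @{ Kind = 'Pagefile'; Path = $pf.Name }
    }
    # (b) TEMP and TMP as configured for the current user and for the machine
    foreach ($scope in 'User', 'Machine') {
        foreach ($name in 'TEMP', 'TMP') {
            $raw = [Environment]::GetEnvironmentVariable($name, $scope)
            if ($raw) {
                $path = [Environment]::ExpandEnvironmentVariables($raw)
                $items += New-Object PSObject -Property @{ Kind = "$name ($scope)"; Path = $path }
            }
        }
    }
    # (c) e-mail store and other data folders supplied by the caller
    foreach ($p in $Extra) {
        $items += New-Object PSObject -Property @{ Kind = 'Extra'; Path = $p }
    }
    return $items
}

$protected = Get-ProtectedDrives
Get-SensitiveLocations -Extra $ExtraPaths | ForEach-Object {
    $drive = [IO.Path]::GetPathRoot($_.Path).TrimEnd('\').ToUpper()
    $ok = $protected.ContainsKey($drive) -and $protected[$drive]
    $state = if ($ok) { 'PROTECTED' } else { 'NOT PROTECTED' }
    '{0,-16} {1,-45} {2}' -f $_.Kind, $_.Path, $state
}
```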
 

Author Comment

by:Peter Bye
ID: 33481403
Outstanding. I just have to get Windows Backup to start. I clicked the setup link and it just sits there. I digress, though. I'll either figure that out or post a separate question.

This sounds like a great solution. Encrypt C:, E: (swap), F: (data) with Bitlocker.

Encrypt the external hard drive with Bitlocker to Go. Tell Bitlocker to remember the key so I don't have to use it each time. (Physical security for it is not much concern.)

Stop using Acronis True Image. Use Windows Backup to create a system image.

Continue using MozyHome for an encrypted offsite backup of the data.

Garycase - I can't imagine having a multi-boot with 8 OSs. One is bad enough. (smile)

Thank you everyone. You have been so helpful in navigating the options and dependencies to devise a workable solution. I'll go award points. That will be difficult - I wish I had more than 500 available.
0
