Solved

Protect a Partition - Use Bitlocker or Something Else?

Posted on 2010-08-19
1,071 Views
Last Modified: 2012-05-10
I have a Dell workstation running Windows 7 Ultimate 64-bit. Two disk drives. Drive one has the C: partition and the recovery partition. Drive two has two partitions - the Windows swap file and a partition that holds all my data files (call it F: below).

I would like to secure the data on F:. Actually, there are two folders on F: that have the information I really want to secure. The other folders are optional.

I want protection that is reasonably secure, reliable, and easy to use. I do not need military-quality protection, though.

My questions:

* Would Bitlocker suffice for this? What are the pros and cons of using Bitlocker?

* If I use Bitlocker what should I look out for? (I already know about the Microsoft articles and plan to read them. I'm looking for any practical expert advice you may have.)

* If not Bitlocker, then what?

* Is it practical to protect just those two folders or should I protect the entire F: partition?

* Should I consider protecting C: since Windows and programs such as Office store temp files in various places on C:?

Thanks.
Question by:Pete2009

17 Comments
 
LVL 63

Expert Comment

by:SysExpert
TrueCrypt (open source) is probably a better choice.

I hope this helps!
LVL 63

Expert Comment

by:SysExpert
Free encryption tool
http://www.truecrypt.org/
LVL 63

Expert Comment

by:SysExpert
Depends on what you are worried about?

If someone takes your computer, what are you worried will be revealed?

That will determine what needs to be encrypted.

I hope this helps !
Author Comment

by:Pete2009
The data to be protected are financial records and client data. All are stored on the F: drive within three folders.

What makes TrueCrypt a better solution in your view?
LVL 63

Expert Comment

by:SysExpert
Not proprietary for a start.

If you have issues with BitLocker, you may end up paying $$$ to MS to get it fixed, if at all.

Check the options of both and you can decide for yourself which offers the most flexibility in terms of backup, install, and options.

For financial records I would also consider encrypting the C: drive and any drive that has a pagefile or temp folder.
LVL 70

Expert Comment

by:garycase
BitLocker is fine for your situation -- and indeed it fully encrypts the entire volume, so you don't have to worry about any temporary files or auto-save files that may be on the system drive. TrueCrypt is also a good choice -- it has the advantage that it doesn't require the Ultimate version and isn't proprietary to Microsoft ... but neither of those is of any significance in your case.

Regardless of which you use, be CERTAIN that you have a good backup of the encryption key. While I'm sure you keep good backups of your data (which I presume you'll also keep encrypted), neither the current data nor the backups can be read without the appropriate encryption key(s). Losing the encryption key is FAR worse than losing a password -- for all practical purposes there is simply no way to recover the data without the key.
Author Comment

by:Pete2009
SysExpert - thanks for elaborating.

Garycase - you raise some excellent points and a further question or two that I had not thought of.

Given that the data (F:) is on one disk drive and C: is on a different disk drive, should I encrypt both C: and F:? And should I encrypt the Windows swap partition that is on the disk drive with F:?

I keep two types of backup.

MozyHome offsite backup with my own keyword. Everything that MozyHome backs up is on F:. Will MozyHome still be able to read the files from F: for backup once Bitlocker is enabled?

I also do local backups to an external Western Digital MyBook drive. Those are not encrypted at this point. I suppose I should use Bitlocker to encrypt that MyBook drive partition?

Part of that MyBook drive is a partition where Acronis stores images of C:. I assume I would NOT protect that partition.

A strong second about storing the encryption keys. For Mozy I keep it in writing locally and also in a bank safe deposit box!
Author Comment

by:Pete2009
I just sent Mozy technical support the question about MozyHome compatibility with Bitlocker. I'll share their response.
LVL 70

Expert Comment

by:garycase
Definitely interested in what they say. I was looking at a few Mozy forums when your comment came in, and they apparently have had some issues with encrypted drives in the past ... it's not clear if they've been resolved since (which you should know when they reply).

Re: your question above on the MyBook ==> Yes, I'd use "BitLocker to Go" to encrypt that so your backup is secure. Note that if you're not concerned about physical security when the MyBook is connected to YOUR system, you can set BitLocker to remember the key for that drive when it's connected to that specific computer. That makes it a bit more seamless if this is a drive you connect/disconnect a lot and store physically elsewhere.

Note also that BitLocker requires NTFS formatting ... I believe Western Digital still ships MyBooks with FAT32 formatting -- if so (and you haven't already reformatted yours) you'll need to change it to NTFS. [You can do this without any data loss with Windows' "Convert" utility]
LVL 63

Assisted Solution

by:SysExpert

SysExpert earned 50 total points
I would also suggest looking into how Acronis handles an encrypted C: drive.
Author Comment

by:Pete2009
Well, things are now coming into focus.

Mozy Tech Support initially said that Mozy "didn't work well" with encrypted drives. I pushed back and asked for details including if he could consult with a Level 2 tech. Here is the follow-up response:

I apologize for that last bit of information. I spoke to a Level 2 technician and he corrected me. Mozy can back up Bitlocker drives, because Bitlocker actually does full drive encryption, and when you're logged in to a "bitlocked" drive it's as if it's not even encrypted. So yes, you will be able to back up a "bitlocked" drive.

So, it appears I can use Bitlocker with the F: data partition.

Acronis continues to be unclear although it seems the answer is mostly no. These knowledge base and forum articles seem to suggest that only a sector-by-sector backup would work reliably:
http://kb.acronis.com/content/1734
http://forum.acronis.com/forum/12432
http://forum.acronis.com/forum/4676

At this point my plan is to enable Bitlocker on the F: partition, probably along with the computer's TPM1.2 security. I'll use Bitlocker to Go to secure the MyBook drive partition and use garycase's suggestion about having Bitlocker remember that key. Given the Acronis situation I plan to leave C: unencrypted. My only concern there is temp files so I'll just need to be careful about finding and erasing them.

Regarding the partition with the Windows swap file: SysExpert suggested encrypting it. Garycase - any thoughts?

I welcome your further thoughts.
LVL 3

Assisted Solution

by:Mantvydas

Mantvydas earned 175 total points
I would vote for BitLocker.

Pros. There's nothing more to pay Microsoft: you are already using the Ultimate version of Windows 7, and BitLocker is a feature of it.
It's Microsoft's way to encrypt a disk, so support is in one pair of hands; you don't need to desperately seek community support, where no one is responsible when something bad happens.

Cons. None. See lookout below.

Lookout. You have to be careful with hardware changes or BIOS upgrades of the computer, as after every bigger hardware change (bigger: more than one device) you need to re-enter the BitLocker key upon computer startup. So having your key accessible at any time is necessary (for example someone at home can read it to you over the phone, or you save the key somewhere on the internet (can you do that securely enough?)).

If not BitLocker: open source TrueCrypt, or paid Utimaco SafeGuard Easy.

Protecting. Only a whole partition is possible with BitLocker.

Considering C: Yes, consider that. Because even with TrueCrypt, either you need to enter the unlock key in every Windows session in which you need F:, or, if you don't need the encryption key every session, then the encryption key is somewhere on the disk or in RAM for the system to use. So the bad guy simply launches the system from the unprotected C: drive, by hacking your Windows user password, as it lies on the unprotected C:, and grabs the key from RAM.

Going further, even that is not secure enough with TrueCrypt. Even if you protect the C: drive with TrueCrypt, the key is still somewhere on the hard disk (otherwise the computer wouldn't boot if it weren't there). So a bad guy who knows TrueCrypt can put the TrueCrypted hard disk into another computer and get the encryption key from the hard disk.

It doesn't happen with C: protected and BitLocker. First, because the Windows user password is secured by the encrypted drive. And second, because BitLocker holds the encryption key in the TPM chip on the motherboard of the computer, so even if you connect the hard drive to another computer, you can't access the encryption key, as the key is in the TPM of the original computer.
Author Comment

by:Pete2009
Mantvydas - Thanks. You raise some very valuable points. Regarding primarily your last paragraph - do I need to have C: protected to gain these added protections? Or is it sufficient to enable TPM? I ask since Acronis True Image will not work with encrypted drives so I have to forego that if I use encryption on the C: drive.

Are there any downsides to encrypting the E: partition that has the Windows swap file (and nothing else)?

I assume plugging USB devices (flash drive, camera, headset) in or out of the PC does not cause a need to re-enter the Bitlocker password?
LVL 70

Expert Comment

by:garycase
Plugging/unplugging USB devices does not trigger any requirements from BitLocker unless the USB device is a BitLocker protected drive ... in which case you'll be prompted for the key for that device (unless you've set it to be remembered with that specific drive/computer combo).

BitLocker works fine with the Windows swap file ... so a swap file on its own BitLocker protected partition would be a good way to ensure there are no recoverable "bits" in the swap file. You may have other temporary files you want to put on that partition (e.g. the Windows TEMP folder ... which many programs will use by default for temporary data).
Author Comment

by:Pete2009
Garycase - that's an excellent idea to move the Windows TEMP folder over to the swap file partition so it gets protected along with the swap file.

I guess the primary open aspect is whether as Mantvydas suggested C: needs to be protected for Bitlocker to provide maximum security. The primary downside to this is the incompatibility with Acronis True Image for maintaining an image of the system partition. But it may be a worthwhile security trade-off.
LVL 70

Accepted Solution

by:garycase

garycase earned 275 total points
Personally, I think the risk of an unencrypted C: drive is very small IF you have moved (a) the swap file; (b) the TEMP folder; and (c) your e-mail store (if it's local) off of C: to an encrypted drive. All three of those are simple to do. Most applications keep their data in your designated documents folder ... and any you use that don't are most likely configurable -- so you can easily ensure they also keep their data in an encrypted drive.

I agree, however, that it's much simpler to not have to worry about that -- and simply encrypt everything (C: included). While that may create issues with Acronis, note that Windows 7's built-in Backup utility will easily create a system image ... and it supports BitLocker [not to mention that it's free :-) ]. Aside from "playing" with it to confirm it works (it does ... and quite well) I don't use it, as I have a complex multi-boot system with 8 OS's that I image fairly regularly -- I use an Image Set with Boot-It NG to do those images (but none of these are encrypted).
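A check a defender can run before relying on the plan above, written as an added example for this thread (not code from any of the commenters): it lists the pagefile, the TEMP/TMP folders and the data folders and reports whether each sits on a volume whose BitLocker protection is actually on. The data folder paths are placeholders, and it assumes an elevated PowerShell prompt on a BitLocker-capable Windows edition.

```powershell
# Added example, not from the thread. Lists where plaintext can land (pagefile,
# TEMP/TMP, the data folders) and whether each hosting volume has BitLocker
# protection switched on. Run from an elevated PowerShell prompt; the
# Win32_EncryptableVolume class needs admin rights and a BitLocker-capable edition.

$DataFolders = @('F:\Financial', 'F:\Clients')   # placeholder paths, adjust to taste

# Map drive letter -> ProtectionStatus (0 = off, 1 = on, 2 = unknown)
$status = @{}
Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
              -Class Win32_EncryptableVolume |
    Where-Object { $_.DriveLetter } |
    ForEach-Object { $status[$_.DriveLetter.ToUpper()] = $_.ProtectionStatus }

function Test-ProtectedPath {
    param([string]$Path, [string]$Label)
    # "F:\Clients" -> "F:"; volumes without a BitLocker record come back as unknown
    $drive = ([System.IO.Path]::GetPathRoot($Path)).TrimEnd('\').ToUpper()
    $state = switch ($status[$drive]) {
        1       { 'protected' }
        0       { 'NOT protected' }
        default { 'unknown / no BitLocker record' }
    }
    New-Object PSObject -Property @{ Item = $Label; Path = $Path; Volume = $drive; BitLocker = $state }
}

$checks = @()
# Every configured pagefile (the swap partition discussed above)
Get-WmiObject -Class Win32_PageFileSetting | ForEach-Object {
    $checks += Test-ProtectedPath -Path $_.Name -Label 'pagefile'
}
# Scratch locations that Office and other programs write to by default
$checks += Test-ProtectedPath -Path $env:TEMP -Label 'TEMP'
$checks += Test-ProtectedPath -Path $env:TMP  -Label 'TMP'
# The folders holding the records that actually need protecting
foreach ($f in $DataFolders) { $checks += Test-ProtectedPath -Path $f -Label 'data folder' }

$checks | Format-Table Item, Path, Volume, BitLocker -AutoSize
if ($checks | Where-Object { $_.BitLocker -ne 'protected' }) {
    Write-Warning 'At least one sensitive location sits on a volume without BitLocker protection.'
}
```

Run it again after moving the swap file and TEMP folder, and once more after any BIOS or hardware change, since a volume that has fallen back to recovery mode will no longer report as protected.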
Author Comment

by:Pete2009
Outstanding. I just have to get Windows Backup to start. I clicked the setup link and it just sits there. I digress, though. I'll either figure that out or post a separate question.

This sounds like a great solution. Encrypt C:, E: (swap), F: (data) with Bitlocker.

Encrypt the external hard drive with Bitlocker to Go. Tell Bitlocker to remember the key so I don't have to use it each time. (Physical security for it is not much concern.)

Stop using Acronis True Image. Use Windows Backup to create a system image.

Continue using MozyHome for an encrypted offsite backup of the data.

Garycase - I can't imagine having a multi-boot with 8 OSs. One is bad enough. (smile)

Thank you everyone. You have been so helpful in navigating the options and dependencies to devise a workable solution. I'll go award points. That will be difficult - I wish I had more than 500 available.