Solved

Encryption on Windows - Pros and Cons

Posted on 2013-11-07
Last Modified: 2013-11-15
[Image: Windows Folder Encryption]

On this board, I learned that you can encrypt the folders or files on your hard drive. In case my hard drive is stolen by a thief who will try to attach my hard drive to his computer and access files/folders, this will protect my files/folders on my "stolen" hard drive unless the thief knows the username and password that had the permission to access these folders.

I tested that out and it seems to be the case. With that, I have a couple of questions for those who use this method to protect the data on their hard drives.

- Is there any downside or anything that I should be aware of beyond what I saw?

I need to implement this for my customer, who is worried about possible loss of the hard drive and confidential files on the hard drive being exposed to the world (by the thief). Before recommending this method (seems simple but effective) against all other commercial software out there you can buy, I want to be sure.

Thanks.
0
Question by:sglee
23 Comments
 
LVL 6

Accepted Solution

by:
kdtresh earned 223 total points
ID: 39631484
If the user forgets the password, they cannot access their files.
If someone else (parent, child, caregiver, lawyer, etc.) needs access at some point and does not have the password, they cannot access the files.
0
 

Author Comment

by:sglee
ID: 39631530
@kdtresh
Have you done this before on a single workstation as well as a file server?
0
 
LVL 6

Expert Comment

by:kdtresh
ID: 39631570
Only on laptops/workstations, and we never had any trouble, but the danger of locking yourself out is there. There may be other risks, but those were the ones off the top of my head.
0
 

Author Comment

by:sglee
ID: 39631602
So when you do it on laptops and workstations, can you simply click on C drive and check the checkbox so that you don't have to do it on each folder in the C drive?

Hopefully the user would remember his or her username and password used on their own computers just in case they need to access their hard drive attached to another computer.
If they don't, well tough luck.
0
 
LVL 6

Assisted Solution

by:kdtresh
kdtresh earned 223 total points
ID: 39631701
More information (including a video on how to turn it on): http://windows.microsoft.com/en-us/windows7/products/features/bitlocker

It will lock down if it detects a potential security problem like a change in BIOS. At that point recovery requires a key.

http://windows.microsoft.com/en-us/windows7/help-protect-your-files-using-bitlocker-drive-encryption
0
 
LVL 70

Assisted Solution

by:garycase
garycase earned 167 total points
ID: 39631756
As noted above, the #1 disadvantage (and this happens FAR more often than you might think) is that the user forgets the encryption key.    You CAN save a key file to an external drive (USB flash drive) ... and if they store that in a secure location, it can be used to regain access to the files if they forget the password; have to reinstall the drive on another system due to corruption or system failure;  or if a data recovery service needs it to recover files from a damaged disk.

But in the absence of that key file, the data is NOT recoverable or accessible if they forget.

Basically, think of encryption as a VERY secure safe.    If you lose or forget the combination, it's simply not accessible.
0
 

Author Comment

by:sglee
ID: 39631829
I just discovered that Windows BitLocker is only available to Windows 7 Ultimate and Enterprise editions.
All my users use Windows 7 Professional version, so they can't take advantage of it.
It looks like I only have one choice, which is to use the "Encrypt Contents to secure data" option.
Can you limit our conversation based on the above premise?
0
 
LVL 70

Assisted Solution

by:garycase
garycase earned 167 total points
ID: 39631915
There are several 3rd party choices for encryption as well.
Check out the free TrueCrypt:  http://www.truecrypt.org/

Your user could also, of course, upgrade to Ultimate using the "Anytime Upgrade" option if they'd prefer to use BitLocker.

Note that WHAT you use to do the encryption doesn't change the discussion above => any encrypted data is still effectively in a securely locked safe;  and if you don't have the key, you won't be able to access the data.
0
 

Author Comment

by:sglee
ID: 39632047
@garycase
If I just use the "encryption" that comes with Windows 7 Pro, and if the users remember their username and password, are we accomplishing the same goal of protecting the data from the hard drive when it is stolen and attached to another PC?
0
 
LVL 6

Assisted Solution

by:kdtresh
kdtresh earned 223 total points
ID: 39632072
When you encrypt the folder, it creates an encryption certificate that you can (and should) back up. It can be used if there is a problem and you need to recover the data.

http://windows.microsoft.com/en-us/windows7/encrypt-or-decrypt-a-folder-or-file
http://windows.microsoft.com/en-us/windows7/back-up-encrypting-file-system-efs-certificate

And yes, it should prevent unauthorized access if someone steals the drive, but only for whichever folder(s) you decide to encrypt.
0
 

Author Comment

by:sglee
ID: 39632079
Between BitLocker on Win 7 Ultimate and Encryption on Win 7 Pro, which one is better, or is the difference significant enough to choose one over the other?
0
 
LVL 6

Assisted Solution

by:kdtresh
kdtresh earned 223 total points
ID: 39632092
0
 
LVL 70

Assisted Solution

by:garycase
garycase earned 167 total points
ID: 39632305
Both are excellent protection => but BitLocker encrypts the entire drive, whereas the basic encryption is folder-by-folder.   Far too easy to forget something; or to have multiple keys and forget one (or more) of them.

While I agree that encryption provides useful protection, I have to note that I've seen FAR more data lost by the legitimate owner of the data than I've seen actually protected from theft.     I can't over-emphasize the importance of retaining copies of the keys !!
0
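Added example (not part of any post in this thread): a PowerShell check for the folder-by-folder gap garycase describes and for the EFS certificate kdtresh says to back up. It reports files and folders under an assumed root (`$Root`, defaulting here to the current user's Documents folder) that lack the NTFS Encrypted attribute, then checks whether the current user still holds an EFS certificate with its private key.

```powershell
# Added example, not from the thread. $Root is an assumed location;
# point it at the folder that holds the confidential files.
param([string]$Root = (Join-Path $env:USERPROFILE 'Documents'))

$encFlag = [System.IO.FileAttributes]::Encrypted
$items = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue)

# Files without the NTFS Encrypted attribute are readable on a stolen drive.
$plainFiles = @($items | Where-Object {
    -not $_.PSIsContainer -and -not ($_.Attributes -band $encFlag) })

# Folders without the attribute: new files created in them are NOT encrypted.
$plainDirs = @($items | Where-Object {
    $_.PSIsContainer -and -not ($_.Attributes -band $encFlag) })

"Scanned {0} items under {1}" -f $items.Count, $Root
"Unencrypted files:   {0}" -f $plainFiles.Count
"Unencrypted folders: {0}" -f $plainDirs.Count
$plainFiles | Select-Object -First 25 | ForEach-Object { "  " + $_.FullName }

# EFS certificates of the current user that still have their private key.
$efsOid  = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.Extensions | Where-Object {
        $_ -is $ekuType -and
        ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
    })
})

if ($efsCerts.Count -eq 0) {
    "No EFS certificate with a private key in this profile."
} else {
    foreach ($c in $efsCerts) {
        "EFS cert {0} expires {1:yyyy-MM-dd}" -f $c.Thumbprint, $c.NotAfter
    }
    # cipher /x exports the certificate and private key to a
    # password-protected .pfx; store that file off the machine.
    "Back up the certificate and key with: cipher /x <backup-file-name>"
}
```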
 

Author Comment

by:sglee
ID: 39632343
@garycase
 I can't over-emphasize the importance of retaining copies of the keys !!  ---> When I enabled encryption on a folder, it does not ask for any key(s). What keys are you referring to?
0
 

Author Comment

by:sglee
ID: 39632697
I have a question. I am going to choose between two choices - Encryption on  Windows 7 Pro  or BitLocker on Windows 7 Ultimate - before making my recommendation to my customer.

There are 5 users in the office and they all have Windows 7 Pro OS. The receptionist PC is also being used as File Server. It has two hard drives - Drive C has OS only, Drive D has data files/folders. I set up a share on entire D drive for everyone in the office.

First question: Whether I choose Encryption or BitLocker, does it change as to how users access the files/folders from the D drive on the receptionist PC?
Do those users have to do anything special to access D drive after Encryption or BitLocker is enabled?

2nd question: if the answer is NO to my first question, then the difference is when the D drive/hard drive is stolen and is attached to another PC and someone tries to open this hard drive, BitLocker will require a Key whereas Encryption will require username/password?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 110 total points
ID: 39641605
How did I miss this thread? Have a look at my article: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
Read up on why you'd want to do full disk encryption, and the caveats to using file/folder level encryption. EFS in my opinion should be turned off domain wide, unless you plan to do it right, it's hard to recover, unless you want to pay $1200 to do it. I recover EFS data for people all the time, that 1200 can be recouped in no time.

To your questions: When the OS is running, it looks no different to anyone. When someone steals the HDD and tries to read it they can't. That is all that FDE is giving you, physical theft protection.
-rich
0
 

Author Comment

by:sglee
ID: 39642614
[Images: Flash Drive; BitLocker Status in Control Panel; Bitlocker in Progress; TPM Status on this computer]

I just installed Win7 Ultimate on a several years old workstation and turned on BitLocker.
It said this computer did not have TPM. Therefore the system will try to use USB flash drive to store the encryption and decryption key.
When I start BitLocker, I don't see the progress bar moving as seen above.
Does this mean that I can't enable Bitlocker on this computer?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 110 total points
ID: 39642630
You can, you have to have the USB key around when you want to use/access it though.  These steps might help you complete the encryption: http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
Remember when the drive is mounted, it's clear-text to the OS, so the data is only protected when that drive is not mounted. Anyone who has access to that PC, or drive/share can see what you see when it's mounted, unless you have NTFS permissions set to forbid that access.
-rich
0
 

Author Comment

by:sglee
ID: 39642665
[Image: BitLocker Progress Screen]

I followed instructions off the link.
I right clicked on C drive and chose "Turn on Bitlocker", but it goes to the same screen above instead of asking for a secure password.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39642774
Half-way down are the instructions on how to use it Without TPM :) You have to edit the local gpo (or push one out via AD) using gpedit.msc. If you did that already I'm stumped.
-rich
0
 

Author Comment

by:sglee
ID: 39646930
You were correct.  Half way down, I saw what to do w/o TPM. So I edited GPEDIT.msc and tried to enable, but another problem. It says my disk/hard drive is dynamic. It has to be basic disk according to the error message.
Let me convert it to dynamic disk and post the result.

BTW if I want to protect the file server RAID hard disks, what options are there?
Does Windows 2008 R2 have the same functionality as Windows Ultimate BitLocker?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39647600
It should. I've not tried BL on a server; typically servers are in locations where theft of the HDDs is less likely, so they don't need FDE, because BL is only protecting drives from physical theft. It's not "encrypted" when the OS is running.
-rich
0
 

Author Comment

by:sglee
ID: 39650588
I successfully tried BitLocker on Windows 7 Ultimate. It is pretty simple and straightforward. All you have to remember is to either Print, store in USB or save onto another HD the unlock key. When I removed the HD from the original PC and move it to another PC, it was asking for the unlock key during boot process. When I entered it, it started right up.
I think it is far better than encrypting folder by folder and having to deal with permissions for other users ... etc.

Thanks for your help.
0
