  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2675

Encryption on Windows - Pros and Cons

[Image: Windows Folder Encryption]

On this board, I learned that you can encrypt the folders or files on your hard drive. In case my hard drive is stolen by a thief who will try to attach my hard drive to his computer and access files/folders, this will protect my files/folders on my "stolen" hard drive unless the thief knows the username and password that had the permission to access these folders.

I tested that out and it seems to be the case. With that, I have a couple of questions for those who use this method to protect the data on their hard drives.

- Is there any downside or anything that I should be aware of beyond what I saw?

I need to implement this for my customer, who is worried about possible loss of the hard drive and confidential files on the hard drive being exposed to the world (by the thief). Before recommending this method (seems simple but effective) against all other commercial software out there you can buy, I want to be sure.

Thanks.
Asked by: sglee
9 Solutions
 
kdtresh Commented:
If the user forgets the password, they cannot access their files.
If someone else (parent, child, caregiver, lawyer, etc.) needs access at some point and does not have the password, they cannot access the files.

sglee (Author) Commented:
@kdtresh
Have you done this before on single workstation as well as file server?

kdtresh Commented:
Only on laptops/workstations, and we never had any trouble, but the danger of locking yourself out is there. There may be other risks, but those were the ones off the top of my head.
 
sglee (Author) Commented:
So when you do it on laptops and workstations, can you simply click on C drive and check the checkbox so that you don't have to do it on each folder in the C drive?

Hopefully the user would remember his or her username and password used on their own computers just in case they need to access their hard drive attached to another computer.
If they don't, well tough luck.

kdtresh Commented:
More information (including a video on how to turn it on): http://windows.microsoft.com/en-us/windows7/products/features/bitlocker

It will lock down if it detects a potential security problem like a change in BIOS. At that point recovery requires a key.

http://windows.microsoft.com/en-us/windows7/help-protect-your-files-using-bitlocker-drive-encryption

garycase Commented:
As noted above, the #1 disadvantage (and this happens FAR more often than you might think) is that the user forgets the encryption key. You CAN save a key file to an external drive (USB flash drive) ... and if they store that in a secure location, it can be used to regain access to the files if they forget the password; have to reinstall the drive on another system due to corruption or system failure; or if a data recovery service needs it to recover files from a damaged disk.

But in the absence of that key file, the data is NOT recoverable or accessible if they forget.

Basically, think of encryption as a VERY secure safe. If you lose or forget the combination, it's simply not accessible.

sglee (Author) Commented:
I just discovered that Windows BitLocker is only available to Windows 7 Ultimate and Enterprise editions.
All my users use Windows 7 Professional version, so they can't take advantage of it.
It looks like I only have one choice, which is to use the "Encrypt Contents to secure data" option.
Can you limit our conversation based on the above premise?

garycase Commented:
There are several 3rd party choices for encryption as well.
Check out the free TrueCrypt:  http://www.truecrypt.org/

Your user could also, of course, upgrade to Ultimate using the "Anytime Upgrade" option if they'd prefer to use BitLocker.

Note that WHAT you use to do the encryption doesn't change the discussion above => any encrypted data is still effectively in a securely locked safe;  and if you don't have the key, you won't be able to access the data.

sglee (Author) Commented:
@garycase
If I just use the "encryption" that comes with Windows 7 Pro, and if the users remember their username and password, are we accomplishing the same goal of protecting the data from the hard drive when it is stolen and attached to another PC?

kdtresh Commented:
When you encrypt the folder, it creates an encryption certificate that you can (and should) back up. It can be used if there is a problem and you need to recover the data.

http://windows.microsoft.com/en-us/windows7/encrypt-or-decrypt-a-folder-or-file
http://windows.microsoft.com/en-us/windows7/back-up-encrypting-file-system-efs-certificate

And yes, it should prevent unauthorized access if someone steals the drive, but only for whichever folder(s) you decide to encrypt.
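The certificate backup kdtresh describes can be checked and performed from PowerShell. The script below is an added example, not part of the original thread: it looks for the current user's EFS certificate, confirms the private key is present, counts the encrypted files that depend on it, and exports a backup with `cipher /x`. The paths `D:\` and `E:\efs-backup\` are assumptions, and the backup folder must already exist.

```powershell
# Added example, not from the thread. $DataRoot and $BackupBase are assumed paths.
# Run as the user who encrypted the files; written for the PowerShell 2.0 in Windows 7.
$DataRoot   = 'D:\'                           # assumed data location
$BackupBase = "E:\efs-backup\$env:USERNAME"   # assumed removable drive; cipher adds .PFX

# EFS certificates carry the Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4).
$efsOid = '1.3.6.1.4.1.311.10.3.4'
function Get-EfsCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
        }
    }
}

# Files whose NTFS Encrypted attribute is set, i.e. the data that depends on that key.
function Get-EfsFile([string]$Root) {
    Get-ChildItem $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

$certs = @(Get-EfsCertificate)
$files = @(Get-EfsFile $DataRoot)
"{0} EFS-encrypted file(s) under {1}" -f $files.Count, $DataRoot

foreach ($c in $certs) {
    # HasPrivateKey = False means this profile holds only the public half and cannot decrypt.
    "{0}  expires {1:yyyy-MM-dd}  private key present: {2}" -f $c.Thumbprint, $c.NotAfter, $c.HasPrivateKey
}

if ($files.Count -gt 0 -and -not ($certs | Where-Object { $_.HasPrivateKey })) {
    Write-Warning 'Encrypted files exist but no EFS private key is in this profile.'
} elseif ($certs.Count -gt 0) {
    # cipher /x exports the current EFS certificate and private key to a
    # password-protected .PFX; it asks for confirmation and a password interactively.
    cipher /x $BackupBase
}
```

Keep the resulting .PFX and its password away from the machine it protects; a backup stored on the same drive is lost along with it.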
 
sglee (Author) Commented:
Between BitLocker on Win 7 Ultimate and Encryption on Win 7 Pro, which one is better, or is the difference significant enough to choose one over the other?

garycase Commented:
Both are excellent protection => but BitLocker encrypts the entire drive, whereas the basic encryption is folder-by-folder. Far too easy to forget something; or to have multiple keys and forget one (or more) of them.

While I agree that encryption provides useful protection, I have to note that I've seen FAR more data lost by the legitimate owner of the data than I've seen actually protected from theft. I can't over-emphasize the importance of retaining copies of the keys !!

sglee (Author) Commented:
@garycase
"I can't over-emphasize the importance of retaining copies of the keys !!" ---> When I enabled encryption on a folder, it did not ask for any key(s). What keys are you referring to?

sglee (Author) Commented:
I have a question. I am going to choose between two choices - Encryption on Windows 7 Pro or BitLocker on Windows 7 Ultimate - before making my recommendation to my customer.

There are 5 users in the office and they all have Windows 7 Pro OS. The receptionist PC is also being used as File Server. It has two hard drives - Drive C has OS only, Drive D has data files/folders. I set up a share on entire D drive for everyone in the office.

First question: Whether I choose Encryption or BitLocker, does it change as to how users access the files/folders from the D drive on the receptionist PC?
Do those users have to do anything special to access D drive after Encryption or BitLocker is enabled?

2nd question: if the answer is NO to my first question, then the difference is when the D drive/hard drive is stolen and is attached to another PC and someone tries to open this hard drive, BitLocker will require a Key whereas Encryption will require username/password?

Rich Rumble (Security Samurai) Commented:
How did I miss this thread? Have a look at my article: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
Read up on why you'd want to do full disk encryption, and the caveats to using file/folder level encryption. EFS in my opinion should be turned off domain wide, unless you plan to do it right, it's hard to recover, unless you want to pay $1200 to do it. I recover EFS data for people all the time, that 1200 can be recouped in no time.

To your questions: When the OS is running, it looks no different to anyone. When someone steals the HDD and tries to read it they can't. That is all that FDE is giving you, physical theft protection.
-rich

sglee (Author) Commented:
[Images: Flash Drive; BitLocker Status in Control Panel; Bitlocker in Progress; TPM Status on this computer]

I just installed Win7 Ultimate on a several-years-old workstation and turned on BitLocker.
It said this computer did not have TPM. Therefore the system will try to use USB flash drive to store the encryption and decryption key.
When I start BitLocker, I don't see the progress bar moving as seen above.
Does this mean that I can't enable Bitlocker on this computer?

Rich Rumble (Security Samurai) Commented:
You can, you have to have the USB key around when you want to use/access it though.  These steps might help you complete the encryption: http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
Remember when the drive is mounted, it's clear-text to the OS, so the data is only protected when that drive is not mounted. Anyone who has access to that PC, or drive/share can see what you see when it's mounted, unless you have NTFS permissions set to forbid that access.
-rich

sglee (Author) Commented:
[Image: BitLocker Progress Screen]

I followed instructions off the link.
I right clicked on C drive and chose "Turn on Bitlocker", but it goes to the same screen above instead of asking for a secure password.

Rich Rumble (Security Samurai) Commented:
Half-way down are the instructions on how to use it Without TPM :) You have to edit the local gpo (or push one out via AD) using gpedit.msc. If you did that already I'm stumped.
-rich

sglee (Author) Commented:
You were correct.  Half way down, I saw what to do w/o TPM. So I edited GPEDIT.msc and tried to enable, but another problem. It says my disk/hard drive is dynamic. It has to be basic disk according to the error message.
Let me convert it to dynamic disk and post the result.

BTW if I want to protect the file server RAID hard disks, what options are there?
Does Windows 2008 R2 have the same functionality as Windows Ultimate BitLocker?

Rich Rumble (Security Samurai) Commented:
It should. I've not tried BL on a server; typically servers are in locations where theft of the HDDs is less likely, so they don't need FDE, because BL is only protecting drives from physical theft. It's not "encrypted" when the OS is running.
-rich

sglee (Author) Commented:
I successfully tried BitLocker on Windows 7 Ultimate. It is pretty simple and straightforward. All you have to remember is to either Print, store in USB or save onto another HD the unlock key. When I removed the HD from the original PC and moved it to another PC, it was asking for the unlock key during boot process. When I entered it, it started right up.
I think it is far better than encrypting folder by folder and having to deal with permission to other users ... etc.

Thanks for your help.
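The thread's recurring point, that a BitLocker volume is only recoverable if an unlock key was saved, can be verified rather than remembered. The following is an added example, not part of the original thread: it parses the output of `manage-bde -protectors -get` and reports whether a volume has a recovery password in addition to the USB startup key used on a machine without TPM. It assumes the English output layout of `manage-bde`, and the sample input is constructed.

```powershell
# Added example, not from the thread. Assumes the English output layout of
# `manage-bde -protectors -get <drive>`; localized systems print other headings.
function Get-ProtectorType([string[]]$Lines) {
    # A protector heading is an indented "Name:" line directly followed by an "ID: {...}" line.
    $types = @()
    for ($i = 0; $i -lt $Lines.Count - 1; $i++) {
        # Test the ID line first so $Matches holds the heading capture afterwards.
        if ($Lines[$i + 1] -match '^\s+ID:\s*\{' -and $Lines[$i] -match '^\s+(\S.*):\s*$') {
            $types += $Matches[1]
        }
    }
    return ,$types
}

function Test-RecoveryReady([string[]]$Lines) {
    $types = Get-ProtectorType $Lines
    New-Object PSObject -Property @{
        Protectors          = ($types -join ', ')
        # "Numerical Password" is the 48-digit recovery password protector.
        HasRecoveryPassword = ($types -contains 'Numerical Password')
    }
}

# Constructed sample: a no-TPM volume that only has the USB startup key.
$sample = @(
    'Volume C: []',
    'All Key Protectors',
    '',
    '    External Key:',
    '      ID: {00000000-0000-0000-0000-000000000000}',
    '      External Key File Name:',
    '        00000000-0000-0000-0000-000000000000.BEK'
)
Test-RecoveryReady $sample | Format-List   # HasRecoveryPassword : False

# Live use (elevated prompt):
#   Test-RecoveryReady (manage-bde -protectors -get C:)
# If HasRecoveryPassword is False, add one and store the printed value off the machine:
#   manage-bde -protectors -add C: -RecoveryPassword
```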