
Best encryption for PC?

Not all my clients have a TPM chip. What are some alternatives for encrypting files or drives for PC-based installations?
supportoranges
Asked:
 
Dave Howe, Software and Hardware Engineer, Commented:
TrueCrypt is free (and offers both whole disk and mount-as-needed file encryption). You can also use BitLocker with a removable (USB) device for the key storage.

For file encryption, you can use a variety of tools (7-Zip, for example, does good archive encryption, but obviously you need to unarchive the files before you can use them).
 
supportoranges, Author, Commented:
Thank you!

The TrueCrypt folks seem to be pulling out - see their website.

For BitLocker with a USB key I still require a TPM chip, right?

I will look into 7-Zip. Is that preferred over WinZip?
 
McKnife Commented:
The decision whether to use a TPM or not is a tough one.
What some people don't realize: without a TPM, your users having a key to the drive can manipulate their own hard drives! They could, for example, make themselves administrators by mounting their drives to another machine and doing an offline attack. They cannot do this with a TPM.
 
Eirman, Chief Operations Manager, Commented:
TrueCrypt is as good as it ever was when development & support ceased.
You can get the last version and documentation here.
It was never compromised.

However, my personal favourite encryption programs for corporate and personal use are made by Jetico.
 
Dave Howe, Software and Hardware Engineer, Commented:
TC7.1a is still fine - the audit project has hired NCC to complete phase 2, and there are plenty of groups happy to continue development. See https://www.grc.com/misc/truecrypt/truecrypt.htm for example ;)
 
Natty Greg, In Theory (IT), Commented:
TrueCrypt and 7-Zip over WinZip any day
 
Dave Howe, Software and Hardware Engineer, Commented:
WinZip is commercial software, and comes with support (at a price of course) - the WinZip encryption is every bit as good as 7z - in fact, you can get 7z to do WinZip encryption by selecting "AES-256" in Zip archive mode. Conversely though, 7z is free, and its crypto is every bit as good as WinZip :)

If you were going to go commercial, you would be better served looking at WinRAR - its crypto is also good, and its ability to create self-healing archives can be a useful defense against data loss (see also though the "par" protocol, which allows you to add redundancy to arbitrary collections of files by calculating RAID 6 style parity blocks).

Regarding TC security, it would also be advised to keep an eye on This Site which tracks the status of the auditing effort :)
 
McKnife Commented:
I tried to point out that one should go for TPM if you don't fully trust your employees (and who does ;) for security reasons.
So if your devices don't have a TPM (laptops usually will have one), you could arm your systems with one. Some mainboards let you place a TPM chip on an empty socket. Those can be very, very cheap, depending on the make, 10-50 USD.

So again, I would really recommend using the TPMs whenever possible.
 
Eirman, Chief Operations Manager, Commented:
In your case, I don't recommend encryption programs intended for individual files/folders such as WinZip, WinRAR, 7-Zip etc. (These are very useful if you want to encrypt individual file(s) before emailing.)

In your case, I really think you should opt for Volume Encryption.
As the whole disk is encrypted, everything is automatically encrypted and there is no repeated entry of passwords.
Because the password is only entered once, you can make it long, which is important for effective security.
After that, the regular user can forget about security ... it's all automatic.

TrueCrypt and BestCrypt were mentioned above as good examples of Volume Encryption.
Others are also listed in the Wikipedia article.
 
supportoranges, Author, Commented:
Everyone was helpful, thank you!
 
Eirman, Chief Operations Manager, Commented:
A final comment, supportoranges ...

WinZip, WinRAR, 7-Zip etc. are not encryption programs!

They are primarily compression/decompression programs with encryption features.
 
supportoranges, Author, Commented:
Thank you for the clarity on that!
 
Dave Howe, Software and Hardware Engineer, Commented:
That is one of those complex questions, Eirman. They are a program that can do encryption, and do it well (a lot of commercial encryption programs were shown to do it very poorly indeed). Most file encryption programs *also* compress, as that makes it just a little harder to determine what the original file was, or even its size.

Some courts have also taken a very very negative view to dedicated encryption programs, claiming that that makes the offence charged an aggravated instance, as obviously you are trying to hide it if you are encrypting (hopefully, as more people encrypt to avoid liability on loss of media, or the NSA having a good look, that attitude will change a bit).
 
Eirman, Chief Operations Manager, Commented:
Good points Dave,
At least in Ireland I am (more or less) beyond the long arm of the NSA and its UK equivalent.
 
Dave Howe, Software and Hardware Engineer, Commented:
Sadly, the US believe they have a remit to hack any other country - and being in Ireland, GCHQ believe they are permitted to do so too. But we would be getting all political going into that, and it doesn't help the OP.

Bottom line really is though, are WinZip or 7z good examples of encryption software, or bad? Both do a good job (as does WinRAR) although the downside of course is that you need to create unencrypted copies of the files before you can access them (as opposed to something that integrates to the file system and can use the files "on the fly" as though they were unencrypted).

I think everyone should have TrueCrypt and 7z (or the portable equivalents) in their toolkits, use *at least* TLS for internet and email, and know how to use (again, at least) S/MIME - because it's in nobody else's interests to promote your privacy, only yours.
 
McKnife Commented:
Dave, please try to work on documents in a 7z archive - it works without decrypting them, changes are saved. This is not possible with all compression software, of course.
 
Dave Howe, Software and Hardware Engineer, Commented:
@McKnife - I recall looking at that a few years ago, and found that 7z in fact extracts a copy of the file in the Windows temp dir, then opens that copy. It's possible that has changed of course...