Hey guys:
This is most definitely OT so please contact me off list. (don't want to annoy anyone)
I come to you all because of all your wisdom. =)
I want to know if there's software out there that will encrypt files on Win2k3, WinXP and Win7, so that if someone
decides to steal the computer and plug the hard drive into a USB external case, they won't be able to read the files
on the hard drive.
I know Windows has BitLocker, but I don't know if that is available for Win2003? And it always seems like 3rd-party
apps do a better job than what Microsoft gives you.
Encryption needs to be done on the fly, so if at any time the hard drive is stolen, there's no way to read the data...
Thoughts??
Brandon
Wow, sounds like TrueCrypt it is... not a single other app was suggested!!!
Thank you gentlemen!
Save yourself some grief and buy a self-encrypting disk (SED) instead.
It's OS-transparent, so you won't have the endemic "oops, it no
longer boots and I can't just boot a live CD and access my
business-critical data" problems.
-Bill
There's also PGP WDE (Whole Disk Encryption)
Brandon Kim <brandon.kim@brandontek.com> wrote on 2010-12-09T19:24-0500:
Hey guys:
[snip]
I want to know if there's software out there that will encrypt files on Win2k3, WinXP and Win7, so that if someone
decides to steal the computer and plug the hard drive into a USB external case, they won't be able to read the files
on the hard drive.
We are using Sophos. It's encryption for business, with a central key server etc.
Jan
I've been using these and they work great as long as you are using BIOS boot; they don't work, without additional software, with the Mac EFI boot.
Johno
* Brandon Kim:
I know windows has bitlocker, but I don't know if that is available
for Win2003?
I believe EFS is available in Windows XP and Windows 2003 Server, too.
Software-based solutions have the advantage that they are somewhat
more testable and reviewable. If it's all in the disk, you can't
really be sure that the data is encrypted with a static key, and the
passphrase is used for access control only. The latter approach seems
to be somewhat common with encrypting storage devices, unfortunately.
After some research, I find that recovery of EFS (available for Win 2000/2003/XP/Vista/7) encrypted files in the case of disaster can be problematic. It has to do with keys, file ownerships, etc., etc., etc. Plan for disaster and know how to recover before you encrypt with EFS.
--Curtis
After some research, I find that recovery of EFS (available for Win
2000/2003/XP/Vista/7) encrypted files in the case of disaster can be
problematic. It has to do with keys, file ownerships, etc., etc.,
etc. Plan for disaster and know how to recover before you encrypt
with EFS.
This is an interesting point .. it depends on what the "disaster" is
that you plan for.
In many cases, the "disaster" is the seizure or loss of the device, in
which case it's appropriate NOT to have any method of key recovery. In a
corporate context, it's debatable if key escrow and multikey methods
mitigate the risk or compound it.
Regards,
Michael Holstein
Cleveland State University
Good point, but I'm thinking in terms of failure of the machine that physically houses the files. You and I both know that you're not going to be able to replace server hardware with identical hardware and even if you do, the Windows SID will change. Restoring the system state is going to be a useless exercise. Therefore you will need the keys to decrypt/re-encrypt the files on a new device after you restore from backup. If the disk is lost or stolen, then hell no, I don't want the thief to be able to restore the data.
All of this is moot if you're running in a virtual environment and you have good snapshots/backups of your VM.
--Curtis
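One way to act on "know how to recover before you encrypt with EFS", as an added example that is not from the thread: it assumes the cipher.exe shipped with Windows Vista/7 (the /x and /c switches are not on XP/2003), the paths are placeholders, and designating the recovery agent in local security policy or Group Policy is a separate step not shown here.

```batch
@echo off
REM Added example, not from the thread. Assumes Vista/7 cipher.exe; paths are placeholders.

REM 1. Generate a recovery agent certificate and private key
REM    (writes C:\EfsKeys\EfsRecovery.cer and .pfx). Import the .cer as a
REM    Data Recovery Agent via secpol.msc or GPO BEFORE encrypting anything,
REM    then move the .pfx off the machine so a dead server does not take it along.
cipher /r:C:\EfsKeys\EfsRecovery

REM 2. Back up the current user's own EFS certificate and private key to a
REM    password-protected PFX; this is what you restore on the replacement box.
cipher /x:C:\EfsKeys\UserEfsBackup

REM 3. Encrypt the data directory and every file beneath it.
cipher /e /s:D:\BusinessData

REM 4. Re-stamp all encrypted files on local drives with the current user and
REM    recovery agent keys, so files encrypted before step 1 are also covered.
cipher /u

REM 5. Verify: show which certificates (user and recovery agent) can decrypt a file.
cipher /c D:\BusinessData\ledger.xlsx
```

If step 5 lists only the user certificate, the recovery agent was not in effect when the file was encrypted and a restore onto new hardware will depend solely on the backup from step 2.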
It's not just common; it's the official standard. The API doesn't let
you set the key or read the bare data. It lets you input a password
to unlock both drive and encryption key and it lets you tell the
drive to generate a new encryption key ("cryptographic erase"). So
yes, you have to trust that the manufacturer is doing what they claim.
This caused me some concern when I first got it, but at the end of the
day I'm not trying to protect my files from someone with the resources
to reconfigure hard drives in a way that allows them to go after the
raw data without entering the password. I'm trying to protect them
from the casual roadside thief.
-Bill
+1 - You mentioned Windows 2003 - with TrueCrypt, you need to type in
the password to boot the computer. For desktops and laptops, that's
fine, but if your DC loses power or something, you don't want to be the
one to have to go around and type in the password for all those servers...
Ben
+1 Truecrypt
It's a very good solution, which lacks some of the complications of using
BitLocker that others here have described, but is arguably just as secure in
terms of cipher usage, and is very well written.
Please note that you do *not* have to use Truecrypt in whole-disk-encryption
mode (the comment "*with Truecrypt, you need to type in the password to boot
the computer*" is not necessarily true - it depends how you set it up). TC
has a second usage mode in which you use it to create an encrypted container
(in a conventional file or a dedicated disk partition) which appears as a
Windows drive when "mounted" (by the TC driver software). I'd bet that far
more people use it in this mode than those who use it for WDE ... many folks
use it to keep data on memory sticks (and other portable storage media)
safe.
Icing on the cake: TC also has Mac and Linux versions, and the container
files are portable between all 3 environments.
Cheers
Nick