
Windows Encryption Question

groovin

Senior member
i was wondering... suppose i have a laptop running winXP that has a folder full of sensitive files. i want to encrypt that sucker so that whenever i access it for the first time during a login session, i am prompted for a password. after that password is given, i gain access to all the encrypted files until i either log off or restart the comp.

i'm looking at PGPdisk and cryptainer, both allow you to create an encrypted file which is then mapped as a removable drive into which you can place your files. Both of which ask you for a password when the drive is mounted. Downsides are, with PGP, i have to manually click through the program to ask it to mount the encrypted 'drive' and on cryptainer, it doesn't seem to load on boot up (but this might be a problem with my settings, still looking into it.)

i am aware of EFS because of the informative sticky, but AFAIK, EFS is transparent encryption which means that if the user's login is compromised, the key and encrypted info is as well. Since there are so many simple tools out there to take apart a user's password, i thought this wouldn't work.

I need something that's semi transparent... takes little user action, prompts for a password only once per session and starts up at boot.

of course i realize this setup would be far from perfect... there are many things that can compromise this (keyloggers, mem readers, looking at the HD to recover cached files, etc).

any product suggestions?

thanks
 
If you're in a domain setting, EFS isn't bad. The weaknesses in EFS are around the configuration:
1. Having the data recovery keys on the same PC as the encrypted data (as in standalone mode). In a domain, the Domain\Administrator account is the recovery agent, and it's stored (by default) on the first DC in your domain.
2. The user's password. Weak password is the downfall. Again, the domain config helps mitigate this, by:
A. Strong password requirements
B. LONG password requirements (MS recommendation is to use pass-phrases (15-20 character minimum))
C. The user account is not stored in the local SAM db, merely cached, so one couldn't use L0phtcrack on it.
D. Forced password change, and don't allow them (users) to repeat passwords!

There is a way (under XP) to install a certificate with "Strong Protection"...so you're password prompted every time you go to use it. I haven't tried this...so I don't know how often you'd be prompted for the encryption password.

Another product you could look at is: SafeBoot. (full disk encryption)
 