Encryption

[Timendus]

I've been playing with encryption and security stuff a bit, and I now have my mind set on making an encrypted partition on my harddrive. Does anyone have any experience with software or ways to do this?

Ideal would be if it would act like a "firewall" that protects the drive from processes trying to access it, and asks me if I wish to allow a program access and for how long. When a program gets access, the "firewall" fetches and decrypts the data or encrypts and stores the data for the program. Cross platform would be a plus.

[kv83]

This won't be possible in Windows (XP), since all processes run on "user-level", meaning all proceses may decide whether or not they may access data or not...

[Timendus]

That's what I was thinking, but this package seems to be able to do something like that:
http://www.securstar.com/products_drivecryptpp.php

Only problem with this product is that I don't intend to encrypt my entire computer, just one drive, and it's not free or open source. And I don't like to pay for software, nor to have closed source software taking care of my security...

[benryves]

If using NTFS, just right click the folder(s)/file(s) you want to encrypt, go into properties, and tick the encryption box.

See here.

EDIT: Of course, assumes using Windows XP Professional.

[Timendus]

Ah, yes. I do use Windows XP Pro and NTFS, but this is a bit too transparent for me I have only one user on this machine, and no password, so anyone booting the PC can open any file in a so called encrypted folder. It is also not dependant on a key that I supply but on a certificate that is linked to my profile, I guess, and therefore is stored somewhere on the harddrive. In other words; anyone with some knowledge could crack this even if I did require a login password, which I don't want to.

Besides, I don't trust Microsoft with matters of security, and not just because it's closed source

[Arcane WIzard]

http://www.brienposey.com/kb/working_wi ... yption.asp

As always with computer security it is never enough to use a single security measure. Due to the encryption being attribute based I suggest you also use an Access Control List to ensure user and file level access.

ps. I love how those who ask questions about Windows security are the ones that claim it isn't good.

[Timendus]

I love how those who ask questions about Windows security are the ones that claim it isn't good.

If they didn't think it isn't good, they wouldn't be asking questions about alternatives, so I find that remark a bit redundant. And besides, Microsoft has never been good at security in any of it's products, so I don't think there's any claiming involved, just facts.

I'll take a look at those articles a bit later, but thanks in advance

[coelurus]

Ooh, the possibilities of open source OS alternatives...

[Arcane WIzard]

I love how those who ask questions about Windows security are the ones that claim it isn't good.

If they didn't think it isn't good, they wouldn't be asking questions about alternatives, so I find that remark a bit redundant. And besides, Microsoft has never been good at security in any of it's products, so I don't think there's any claiming involved, just facts.

I'm not talking about people asking about alternatives, I'm talking about peple asking how to use Windows' features. If they are asking about how to use Windows then why do they think they know enough to give a technical opinion about it?

Same thing with pretty much everything else in computing. Like people who complain that Java sucks and then ask me what a nullpointer exception is. Or people who say OOP sucks when they don't even know the difference between a class and an object or a class and a function. :'<

I'll take a look at those articles a bit later, but thanks in advance

kek

Ooh, the possibilities of open source OS alternatives...

Indeed, but the possibilities of people looking further than "oh noes feature x isn't enough to lock down the entire spectrum of information security therefor Windows suckslolz" are quite impressive too as they might include actually learning something about the software almost the entire world uses.

There's a reason why security management standards don't just say use linux/bsd/macos/os2/whatever.

[crzyrbl]

So you dont want to spend money on software....what about hardware? I dont know how much they go for, but you could consider getting a usb fingerprint scanner. My laptop has one intergrated in it so they should be pretty wide spread by now. It came with a folder called My Safe, which can only be opened when I swipe my finger.

[Timendus]

God damn power failure, now I have to start over with this reply

@crzyrbl: That's really nice, but I'm not interested in the hardware but in the software that encrypts that folder. If it's just a bit of hardware and an issue of access rights, anyone can just put some LiveCD in your PC, boot it, mount your harddrive and bypass all security.

Ooh, the possibilities of open source OS alternatives...

Well, I'm only running Windows on this machine currently (it's fairly new) but I intend to make it dual boot with Kubuntu or something, so it would be nice to be able to access my encrypted data from both OSs. In other words; tell me more

Blahblahblah

Go vent your frustrations elsewhere Arcane, I'm not in the mood for that. And I think we all know perfectly well that a) I know what I'm talking about b) Microsoft has a history of crappy security and c) I'm not asking how to use a Windows feature, I'm asking for an alternative that is more robust.

[coelurus]

I understand some people are tired of Windows-bashing. The thing is, Windows vanilla _is_ inferior to some others when it comes to security. It's also hard to draw the lines where an OS ends and 3rd party software starts (esp. for OS OSs).

Timendus, encryption is a funny thing. You said you had one account which everybody could access. This means, you have to either decode your encrypted data by providing a key by hand, by a USB-mem stick or similar (storing the key on the PC? ). This means short, perhaps easily guessed keys or that you really have to look out for where the key goes in mem. As there's just one user account, people could get hold of the information on the USB mem when you plug it in, or even after you've plugged it out...
I'm overdoing it now, but remember why you need the security

There's a lot of documentation on disk encryption in Linux, generally it's about setting up a loop-back device for a disk and encrypt via that. I have no idea how to do that in Windows though.
For simple Windows-Linux compatible encryption, a search turned up this: http://www.truecrypt.org/ . I leave the verification phase to you...

[Arcane WIzard]

If it's just a bit of hardware and an issue of access rights, anyone can just put some LiveCD in your PC, boot it, mount your harddrive and bypass all security.

If the OS on the livecd even supports NTFS then it should be affected by it's permissions too. It could also be done by replacing encrypted files decrypted when using the key thing, then it isn't about permissions but ability to encrypt/decrypt. But that depends on hwo the software/driver for the key thing works.

Ooh, the possibilities of open source OS alternatives...

Well, I'm only running Windows on this machine currently (it's fairly new) but I intend to make it dual boot with Kubuntu or something, so it would be nice to be able to access my encrypted data from both OSs. In other words; tell me more

BSD is supposed to be the most secure by default from what I hear. Most if not all Linux distros are not secure when you install them.

Blahblahblah

Go vent your frustrations elsewhere Arcane, I'm not in the mood for that. And I think we all know perfectly well that a) I know what I'm talking about b) Microsoft has a history of crappy security and c) I'm not asking how to use a Windows feature, I'm asking for an alternative that is more robust.[/quote]I don't care if you're not in the mood. I don't care if you call me frustrated either. a) I think you posts speak for themselves b) complaining Windows users have a history of being fullfledged idiots c) you seemed insterested in ntfs encrypt, that's what I responded to. ntfs encrypt is in fact a windows feature.

-- Lets just restrain ourselves a little please --

[Timendus]

Timendus, encryption is a funny thing. You said you had one account which everybody could access. This means, you have to either decode your encrypted data by providing a key by hand, by a USB-mem stick or similar (storing the key on the PC? ). This means short, perhaps easily guessed keys or that you really have to look out for where the key goes in mem. As there's just one user account, people could get hold of the information on the USB mem when you plug it in, or even after you've plugged it out...

Hmm, yes they could. But they'd probably have to get some software on my PC without me knowing to do that. It would require preperation. But even someone experienced in encryption couldn't read my data if you'd put him behind my freshly rebooted PC without any preperation. And I guess that's already worth a lot

I'm overdoing it now, but remember why you need the security

Good question, I'm not sure myself yet

For simple Windows-Linux compatible encryption, a search turned up this: http://www.truecrypt.org/

I'll look into that too.

that depends on hwo the software/driver for the key thing works.

Yup, that was pretty much my point. It's more the software than the hardware that makes it secure, even though it may feel really secure to use your fingerprint as a key.

[crzyrbl]

but its intergrated, not like they're gonna rip out the fingerprint reader and use a cd. You need a fingerprint to even log on so how are they even gonna execute anything anyways...but you say others use your computer and you want EVERYTHING safe and unaccessable to others without hardware? That sounds pretty much impossible. Even if you have a decent password, you can easily get one of those stealthed usb sticks that read the keys. If you have something like a usb flash drive, or crypto stick, just keep it in your pockets and you'll never have to worry about it.

EDIT:oh yeah....bios....