Windows 7 - Encrypting File System

I recently had to sell a computer and had to wipe the drives properly before I sold it to ensure that the data wasn't recoverable.

I want to prevent myself having to do this in future and it's my understanding that by encrypting the files I don't want readable, I can keep them safe.

I was looking into the simplest way to do this and noticed that Windows 7 Professional has an inbuilt encryption functionality. (I.e. I can right click on a folder and click encrypt). How foolproof is this encryption?

I understand that if I move something out of that folder or move the folder itself, it is no longer encrypted.

What if my laptop got stolen for instance, would the files be recoverable if they booted into Linux to read the files? Is there any way to hack into the files easily without knowing my Windows password?

Essentially, what I am asking is: what are the vulnerabilities of doing this?
 
I'm not talking about Bitlocker (not included in Windows 7 Professional anyways IIRC), I am talking about Encrypting File System.

Thanks for the reply.

right click on folder/files --> properties --> Advanced button --> "Encrypt contents to secure data" checkbox.
 
The crypto in EFS is solid, it uses top quality algorithms with no known vulnerabilities. The key point however is that it's only securing a subset of your disk. For example, you might have an encrypted file that you edit that leaves metadata scattered over the disk, maybe in the temp directory. So you can't guarantee it isn't leaked to unsecured areas of the disk. Also, when you encrypt a file, it isn't securely erased so forensic disk analysis may turn up the unencrypted originals which isn't great! This can be mitigated depending on how you manage the directory structure though.

If the laptop was stolen then any EFS protected files are safe to the extent of the strength of your Windows password. That is, the encryption keys that EFS uses are both derived from and unlocked by your Windows user password. Also, make sure you back up the EFS certificates!

The best solution, as theheyes says, is going the whole way and securing the full disk with TrueCrypt.
 
Wow, very interesting points you make!

Can you give some examples of what might leave a metadata trace? Also, why should I back up the EFS certificates? Surely if someone got hold of this backup they could access my files?
 
A couple of examples that might leak data across the disk. Working with a Microsoft Office document often creates a hidden temporary file in the same directory containing related info/data to the main document. So let's say you encrypt c:\myEfs and edit c:\secret.doc with msword, you then save and move it to the encrypted folder. Chances are there will be stuff left behind in c:\ at some level. Another example is extracting archives, this commonly makes use of the Windows temporary files directory.

Basically it's common for applications to make use of the Windows temporary files directory, so if you use something like Office, Photoshop etc you don't know that what you did was contained to your encrypted directory or encrypted user profile. Just works out safer to lock up the entire disk.

You should back up your certificate because if that certificate gets lost or corrupted your data is screwed. Maybe your Windows user profile gets corrupted or something, there are numerous examples where people have lost access to EFS volumes because you can't just use a password to decrypt the files like with TrueCrypt.

So for that reason it's advised you make an encrypted backup with a good password of the certs and keep them on USB somewhere just for peace of mind.
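
An added example, not part of any post in this thread: a PowerShell audit for the two concerns raised above (plaintext left outside the EFS folder, and loss of the EFS certificate), using the built-in `cipher` tool. The folder `C:\myEfs` is taken from the post; the 7-day window and the backup file name are assumptions chosen for illustration.

```powershell
# Added example. Paths and the time window are assumptions, adjust to your system.
$Protected = 'C:\myEfs'                 # EFS-encrypted folder from the post above
$Since     = (Get-Date).AddDays(-7)     # how far back to look for temp-file leaks

function Test-Encrypted {
    param([System.IO.FileSystemInfo]$Item)
    # EFS marks every file it protects with the Encrypted attribute.
    return (($Item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# 1. Files that sit inside the protected folder but are NOT encrypted.
$unprotected = Get-ChildItem -LiteralPath $Protected -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and -not (Test-Encrypted $_) }

# 2. Recently written plaintext files in the user's temp directory, where
#    applications and archive extractors commonly drop working copies.
$tempLeaks = Get-ChildItem -LiteralPath $env:TEMP -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        $_.LastWriteTime -gt $Since -and
        -not (Test-Encrypted $_)
    }

"Unencrypted files inside ${Protected}:"
$unprotected | Select-Object FullName, Length, LastWriteTime

"Recent plaintext files under ${env:TEMP} (newest 25):"
$tempLeaks | Sort-Object LastWriteTime -Descending |
    Select-Object -First 25 FullName, Length, LastWriteTime

# 3. Back up the EFS certificate and private key to a .pfx file.
#    cipher prompts for a password to protect the file; store it off the laptop.
cipher /x "$env:USERPROFILE\efs-backup"

# 4. Overwrite unused space on the volume so deleted plaintext originals
#    cannot be recovered. This covers the whole volume and can take hours.
cipher /w:C:\
```

Steps 1 and 2 only list files; nothing is deleted or changed until the two `cipher` commands at the end.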
 
Interesting. Thanks for the advice.

Surely the metadata trace thing would be true of all encryption systems that don't encrypt the whole filesystem....right?

Pretty often the case yer, if you encrypt something outside of a secure system (e.g. full disk) then you have to be very careful what traces could have been left behind of the unencrypted version. Usually it's safe as the encrypted version overwrites the original on disk which is fine. Problems occur when you start moving stuff around and have old copies, meta-data etc.
 
Are these the sort of traces that programs like CCleaner clear?

EDIT: I should say "attempt to clear".
 
CCleaner does remove stuff like that yer, but I don't know if it does a secure delete? So running recovery software may well retrieve stuff if it hasn't been overwritten. If it does then that's fine, but you will never be 100% sure it catches every trace...

The risk of being able to recover something useful might be small but it does exist and it's fully plausible you might find the original unencrypted version of something on the disk.

If you're worried about it then just go with full disk encryption, otherwise use EFS or a TrueCrypt container correctly and carefully and you will probably have nothing to worry about :)
 
TrueCrypt the whole drive. All of these concerns about meta-data and temp files simply become a non-issue if the entire HDD is encrypted.

You will still need to back up your keyfiles, preferably to a secure location, but day to day the only thing to remind you that stuff is encrypted is being asked for your TrueCrypt password when you boot your machine.

Also, if you are particularly paranoid, you can do clever stuff with TrueCrypt like create dummy Windows installs that are a front for your real, hidden, OS.
 
It's not that I'm particularly worried, just trying to get a balance between secure data and performance.

If I encrypt the whole drive it will drain battery life and affect performance. It's just a few files that I want to encrypt (files that already exist and are held in an encrypted zip file). I only ever view them, not edit them.

It wouldn't be the end of the world if someone got the files, but I like to be able to run a pass of CCleaner, then do a freespace wipe and be able to sell the computer rather than wiping the whole drive.

Then I can simply wipe the drive with a quick format before I get rid.
 
With TrueCrypt the performance impact is negligible. I encrypted an entire HDD on an ancient HP laptop last year for a client, and there was no noticeable change in battery life or performance.

As for wiping a drive, why is it such an issue? Just set the wiping software to do its thing and forget about it until it is done. You make it sound like you have to sit there and manually wipe every sector of the HDD using a magnet! :p
 
I was under the impression that it significantly affected performance (as in halved read/write speeds) and obviously affects CPU usage (encrypting/decrypting) and therefore battery life.

Probably just my way of thinking!
 
There is an impact, as extra work is being done, but if it halved the performance of IO operations, I doubt it would be so popular! I saw no such performance decrease on an old crappy laptop. Anything remotely modern should have no issues.

I should probably put TrueCrypt back on my laptop, if just to confirm the performance impact being small. :p
 
Also new Intel (and soon AMD) CPUs include a dedicated instruction set for AES based crypto which makes disk encryption basically seamless and super duper fast :)
 