Windows Home Directory Encryption?
An anonymous reader writes "Home directory encryption has been available on Linux for a while now, and it is definitely a smart, useful feature as it is not usually necessary to encrypt the entire drive, just the private documents and software profiles in the home directory. Windows is getting better about keeping everything that needs to be private in the user's home folder. Is there a similar solution for Windows to securely, and preferably transparently, encrypt the home directory only? (Preferably open source so that the code is available for peer review)."
Very good post, thank you.
A couple small points:
You can actually create a user profile outside of the standard location once your system is installed - no need to do it at install time. There's a single registry key that controls the folder where new accounts go; setting it, then creating a brand new account and logging into it, will put the profile in the new location.
Alternatively, it is possible to change the location of an existing profile if you're determined enough. It's a bitch, though - definitely not recommended. I've found it MUCH easier to install, create a throw-away/backup account at install time, use it to set the location for new accounts to another drive, and then create your *real* account on that drive.
Finally, while BitLocker is definitely complex on Vista, Win7 includes much better UI and more options for key protection. On my beta Win7 tablet, it's literally a matter of right-click on a drive, select "Turn on BitLocker" from the context menu, select protectors I want to use (say, a passphrase plus I need to have a specific USB device attached - no TPM needed, and all user-configurable), and let it do its thing for a little while.
As a side note, Win7 BitLocker can also encrypt removable drives - very handy if you need to move sensitive data in physical media, and it includes a tool allowing you to decrypt them on older versions of Windows.
There's no place I could be, since I've found Serenity...
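For the procedure the comment above describes (point new profiles at a separate drive, then turn BitLocker on for that drive), here is an added PowerShell check, not code from the poster, that confirms the volume which will receive new profiles is actually the one BitLocker fully protects. It assumes the "single registry key" is the ProfilesDirectory value under ProfileList and that manage-bde.exe prints its usual English field names.

```powershell
# Added example, not from the post. Reports whether the volume that will
# receive NEW user profiles is BitLocker-protected. Assumption: the "single
# registry key" is the ProfilesDirectory value under ProfileList (default
# "%SystemDrive%\Users"). Run from an elevated prompt.

function Get-NewProfileRoot {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $raw = (Get-ItemProperty -Path $key -Name ProfilesDirectory).ProfilesDirectory
    # The value is REG_EXPAND_SZ; expand %SystemDrive% etc. explicitly.
    [Environment]::ExpandEnvironmentVariables($raw)
}

function Get-BitLockerState {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'D:'
    # manage-bde.exe ships with Vista/Win7; parse its "Field: Value" lines
    # (field names assumed to be the English ones shown here).
    $lines = & manage-bde.exe -status $DriveLetter 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed for $DriveLetter`: $lines" }
    $state = @{}
    foreach ($line in $lines) {
        if ("$line" -match '^\s*(Conversion Status|Percentage Encrypted|Protection Status|Lock Status):\s+(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

function Test-ProfileVolumeProtected {
    $root  = Get-NewProfileRoot
    $drive = ([System.IO.Path]::GetPathRoot($root)).TrimEnd('\')   # 'D:\' -> 'D:'
    $bl    = Get-BitLockerState -DriveLetter $drive
    # "Protection On" alone is not enough while conversion is still running.
    $ok    = ($bl.'Protection Status' -eq 'Protection On') -and
             ($bl.'Conversion Status' -eq 'Fully Encrypted')
    [pscustomobject]@{
        ProfilesDirectory = $root
        Volume            = $drive
        ConversionStatus  = $bl.'Conversion Status'
        ProtectionStatus  = $bl.'Protection Status'
        Protected         = $ok
    }
}

$result = Test-ProfileVolumeProtected
$result | Format-List
if (-not $result.Protected) {
    Write-Warning "New profiles land on $($result.Volume), which BitLocker is not fully protecting."
}
```

Existing profiles that were created before the key was changed still live at the old location, so run the same check against the system drive if any of those accounts are still in use.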
I suppose you mean to imply that TrueCrypt makes your computer slower. I suppose that may be true, but I haven't noticed it. TrueCrypt seems to be very, very well designed.
Note that there are TrueCrypt versions for both Windows XP and Vista, Mac OS X, and Linux. All are free and open source.
Because my hotkey script contains a password, I've installed AutoHotkey in an encrypted TrueCrypt container. (A TrueCrypt container is either a file or an entire partition.) So, every time I use a hotkey, the system must get it from an encrypted file and be decrypted. I don't notice any difference in speed between that and when AutoHotkey was installed on an unencrypted OS partition.
I've used TrueCrypt for years and had no problems with it. Most software has numerous shortcomings. The biggest problem I can think of now with TrueCrypt is that the documentation doesn't explain the /q command line option very well. That's very minor, a problem not even in the program itself.
(Yes, I suggested a re-write in the TrueCrypt forum, and yes, I offered to do the re-writing myself.)
I haven't yet experimented with encrypting the entire OS partition. I have experimented with encrypting an entire data partition; I didn't notice a speed difference. However, I found that it is better not to encrypt data partitions; it is easier to make an encrypted container on the data partition. That's especially true if the container can be the size of one DVD, 4.7 gigabytes, less the space necessary for the unencrypted TrueCrypt software. Then you can just dismount the container and burn a DVD backup of the container file and the TrueCrypt software.
TrueCrypt has been 100% reliable for me. There has never been a hint of a problem that might cause loss of data.
TrueCrypt developers: TrueCrypt is a wonderful gift to the world. Thanks!
My opinion is that it's necessary that encryption software be open source; I would never run proprietary encryption software because of the possibility that some rogue employee installed a back door. Also, the U.S. government believes it can force U.S. commercial companies to install surveillance functions in both hardware and software; executives and employees who disagree can be put in prison secretly. I suppose that isn't done very often, but like everything a government does in secret, there are unintended consequences. One of the consequences is that in some cases it may be considered unsafe to use U.S. products. It isn't only the U.S. banking system that is out of control.
Also, since I mentioned AutoHotkey, I will say that it is excellent, although the programming language is a bit quirky. My main AutoHotkey script is now 1563 lines; I use it a lot. It is Windows only.
AutoHotkey is great for Hotkeys and also open source and free. If you want to run scripts that interact with a Windows GUI as though someone is moving a mouse and typing at a keyboard, then AutoIt is better. AutoHotkey and AutoIt co-exist perfectly. The two had a common origin.
TrueCrypt encrypted containers can be formatted as NTFS or FAT file systems. I haven't tried other file systems. All the Windows file system utilities work perfectly inside TrueCrypt encrypted containers: Windows Explorer, ChkDsk.exe, FsUtil.exe, Format.com, and Defrag.exe. I've found the free open source JkDefrag to be a better defragmenter; it works perfectly inside TrueCrypt containers.