Slashdot Mirror
Windows Home Directory Encryption?
An anonymous reader writes "Home directory encryption has been available on Linux for a while now, and it is definitely a smart, useful feature as it is not usually necessary to encrypt the entire drive, just the private documents and software profiles in the home directory. Windows is getting better about keeping everything that needs to be private in the user's home folder. Is there a similar solution for Windows to securely, and preferably transparently, encrypt the home directory only? (Preferably open source so that the code is available for peer review)."
But it usually comes with an email demanding money for decryption. If you want to keep something private, you should not use Windows.
Comment removed based on user account deletion
(1) Right Click the directory
(2) Left Click Properties
(3) Left Click "Advanced" near the bottom
(4) Check with you Left Moust button "Encrypt contents to secure data"
(5) Left Click OK, wait until it finishes
The directory would appear green thereafter, indicated it's encrypted and can only be accessed by the owner. Home edition might not have encryption enabled, mind you.
Google for "windows directory encryption" would lead you to the answer anyway.
"Preferably Open Source".
Truecrypt can encrypt the entire OS partition.
Enterprise and government have access to the Windows source to review it. Unless you are suggesting that OP plans to read through it himself?
3laws: No freebies, no backsies, GTFO.
"Pref"
If you put it that way, there physically cannot be an open source solution here, because Windows itself is closed-source.
No matter how great open-source encryption software you can find,
On Windows, you can't have a home directory, let-alone run software to be able to encrypt it, without running closed source software.
The advantage of EFS (Encrypted Filesystem), is it doesn't require any additional software to implement, open source, or otherwise.
I use EFS for some folders at work... but at home I cheaped out and got Windows Home edition... or whatever Vista's non-Business edition is called. I use TrueCrypt for the really critical files.
and do those companies and/or governments choose to implement it?
I think there are two major/popular ways to do what you want that I'm familiar with. There are of course other options, but I've not used them, and won't comment on them.
1. TrueCrypt
This is a simple but very powerful encryption utility that is also open-source. It performs its magic by either encrypting volumes or by using encrypted file containers (a file which contains encrypted data that can be mounted as a virtual drive). The file container approach is very easy to use but you won't be able to use it to encrypt your _entire_ home directory, only elements of it. Effectively, you'd create one or more encrypted file containers and store everything sensitive in them. You could use full volume encryption by storing your entire user profile on a seperate volume, but this is obviously more difficult to setup, depending on your OS. To do something like the latter properly in something like Vista, you'd probably need to do it at install time through an unattend and state which drive the Users directory should be located on, as changing this once installed is not simple and ill-advised.
2. NTFS EFS (Encrypting File System)
Included with all "professional" (ie. not Home/Starter/etc..) editions of Windows since Windows 2000. Enables file-system level encryption tied into NTFS to encrypt individual files/folders on any NTFS device. This has some significant pros, in that not only is it included as a stock component of the OS, but is extremely easy to setup. Just right click on the folder/file you want to encrypt and do so through the Advanced properties. However, getting into the guts of EFS and fiddling with encryption certificates, ciphers, etc... requires some additional skill and research as there is no simple unified front-end to managing EFS like there is for TrueCrypt.
It's important to note that these two encryption suites are very different in how they work. Whereas TC stores data in file containers (unless you encrypt the entire volume), EFS works at the filesystem level and is completely transparent to userland, enabling transparent encryption of anything on the NTFS volume that is user-related. Note that EFS binds to user accounts. You generally can't use EFS to encrypt data that is outside the scope of a user account (such as system files). You'll need full volume encryption technology for that.Microsoft also has BitLocker for full-volume encryption, but this is Vista only, and for home setups, needlessly complicated and difficult to setup, not to mention the TPM requirements for full functionality.
Other things to note would be the importance of portability. TrueCrypt works across Windows/Unix, whereas EFS is obviously specific to Microsoft. I'm not sure if there's an OSS implementation for reading EFS encrypted data under Unixes, but even if there was, I think you'd be mad to use it. You shouldn't be using EFS if portability between OS's is a concern. Also note that whereas TC will have a seperate password, EFS will use your account password for encrypting your user data. This means that if you lose/forget your account password, you _WILL_ lose your EFS encrypted data, unless you've set up things like recovery certificates. Further, if you use a password reset tool to reset your account password outside of your user account, you _WILL_ lose all your EFS encrypted data. Your account password is the key to your EFS data, and so losing it or changing it improperly can have very nasty consequences.
I can't really recommend either method, you really need to research and have a play with both to decide which you prefer. I will say that if you are going the full-volume encryption route, I'd highly recommend TrueCrypt over BitLocker for home setups. The general trend I've observed from using both is that they both are very powerful tools, and can both easily get the job done when setup properly. However, TrueCrypt is more geared towards home/smaller setups, while EFS/BitLocker can work on anything from an individual box to a centrally managed enterprise network. T
In Windows they call home directories 'user profiles'. Commonly (in a windows domain environment), they live on a server, and automatically get copied to whatever workstation you log into.
Folders in there could be encrypted, however, certain folders in your profile are loaded by the system, and you may be unable to login if they get encrypted.
If you use EFS, your certificates and private keys for actually decrypting/encrypting files, are stored in your profile too.
Downside of EFS: your home directory decryption is linked to your login password, and a digital certificate.
If someone alters your password not through the normal password change process (i.e. an Administrator uses 'reset password'), you lose access to your private keys, and thus your encrypted files.
Because the cert and keys in the keystore are required, if you backup encrypted files to a USB thumbdrive using NTFS, you can't read them on another computer, even if you know the login password you were using when you encrypted them.
*It's too dumb to realize you only want it encrypted while it's in that folder.
Author said he wanted only the home directory (I'm assuming you mean %USERPROFILE%) encrypted. While TrueCrypt can natively encrypt the entire drive, there is an addon available to perform only encryption on your "Documents and Settings\Username" folder. The enhancement is available at http://tcgina.t35.com/ Of course, truecrypt is available at www.truecrypt.org Even though I use truecrypt for the entire drive, I separately use TCGINA so that I can have a portable encrypted container of just my user profile, so that I have a compact way to transport my documents, program settings, etc.
One very important thing to remember if you choose to use Windows built in encryption is that it uses the Windows password to encrypt the keys, and by default that password is stored using an LM hash which is extremely insecure (in addition to the NTLM which is less insecure).
To prevent this, you can either modify a registry setting to disable LM Hashes, or you can pick a password 15 characters or longer (since LM is limited to 14, it will be filled in with garbage and NTLM used instead).
Note that this also applies if you use TrueCrypt or some other program, but use the same password as you use for Windows.
Pie? I like pie!
I suppose you mean to imply that TrueCrypt makes your computer slower. I suppose that may be true, but I haven't noticed it. TrueCrypt seems to be very, very well designed.
/q command line
option very well. That's very minor, a problem not even in the program itself.
(Yes, I suggested a re-write in the TrueCrypt forum, and yes, I offered to do
the re-writing myself.)
Note that there are TrueCrypt versions for both Windows XP and Vista, Mac OS X, and Linux. All are free and open source.
Because my hotkey script contains a password, I've installed AutoHotkey in an encrypted TrueCrypt container. (A TrueCrypt container is either a file or an entire partition.) So, every time I use a hotkey, the system must get it from an encrypted file and be decrypted. I don't notice any difference in speed between that and when AutoHotkey was installed on an unencrypted OS partition.
I've used TrueCrypt for years and had no problems with it. Most software has numerous shortcomings. The biggest problem I can think of now with TrueCrypt is that the documentation doesn't explain the
I haven't yet experimented with encrypting the entire OS partition. I have experimented with encrypting an entire data partition; I didn't notice a speed difference. However, I found that it is better not to encrypt data partitions, it is easier to make an encrypted container on the data partition. That's especially true if the container can be the size of one DVD, 4.7 gigabytes, less the space necessary for the unencrypted TrueCrypt software. Then you can just dismount the container and burn a DVD backup of the container file and the TrueCrypt software.
TrueCrypt has been 100% reliable for me. There has never been a hint of a problem that might cause loss of data.
TrueCrypt developers: TrueCrypt is a wonderful gift to the world. Thanks!
My opinion is that it's necessary that encryption software be open source; I would never run proprietary encryption software because of the possibility that some rogue employee installed a back door. Also, the U.S. government believes it can force U.S. commercial companies to install surveillance functions in both hardware and software; executives and employees who disagree can be put in prison secretly. I suppose that isn't done very often, but like everything a government does in secret, there are unintended consequences. One of the consequences is that in some cases it may be considered unsafe to use U.S. products. It isn't only the U.S. banking system that is out of control.
Also, since I mentioned AutoHotkey, I will say that it is excellent, although the programming language is a bit quirky. My main AutoHotkey script is now 1563 lines; I use it a lot. It is Windows only.
AutoHotkey is great for Hotkeys and also open source and free. If you want to run scripts that interact with a Windows GUI as though someone is moving a mouse and typing at a keyboard, then AutoIt is better. AutoHotkey and AutoIt co-exist perfectly. The two had a common origin.
TrueCrypt encrypted containers can be formatted as NTFS or FAT file systems. I haven't tried other file systems. All the Windows file system utilities work perfectly inside TrueCrypt encrypted containers: Windows Explorer, ChkDsk.exe, FsUtil.exe, Format.com, and Defrag.exe. I've found the free open source JkDefrag to be a better defragmenter; it works perfectly inside TrueCrypt containers.
Windows file encryption should not be used. It has extreme shortcomings. Many people have lost their data because of Windows file encryption. This information has been verified by several Microsoft technical support people.
You know, I see this sort of thing all the time with TruCrypt and I have to ask ... Short of a few government agencies and a few paranoid dorks, who the hell uses this? It can't be used on a server unless you want a reboot to cause the server to require a human to fix it, so its really only useful to end users, more specifically laptops. In which case, if your data is THAT important, why the fuck are you carrying it around on a laptop in the first place?
This is just ridiculous. Its great the TrueCrypt does it, but anyone who actually needs it is probably going to use a different more obscure method, just to make it that much harder to bypass.
I guess maybe its the audiophile cryptographers who need to encrypt their laptops so no one realizes that their $1500 headphones and Monster cables are bullshit and sound the exact same as my $10 pair after you've heard the same sound effect 30k times while playing F.E.A.R. ...
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
This is not a good faith question. Nobody is going to waste their time writing an open source extension to a proprietary operating system that duplicates the functionality of the core O/S. And if they did the result is probably not going to be worth using because nobody with sense is going to use and test it.
What this amounts to is that the slashcrew will post pretty much anything that panders to their biases and so they will post without thinking a question that is clearly designed to provide the answer 'no'.
Same thing happens on the camera forums. For years Canon fanatics used to appear in Nikon forums to ask about full frame sensor cameras. Then Nikon came out with a model that beat the Canon and then some and they started asking about fast prime lenses. Now that Nikon have started releasing a new range of fast primes they are asking about constant aperture f/4 zooms. None of it makes the slightest sense. Very few professional photographers would regard the Canon lenses as superior to Nikon in optical quality and certainly not in range. The Canon super-teles were much better at focus speed at one point because Nikon had their heads up their butts with their insistence on only putting the motor in the camera. But that changed long ago.
This type of question is not helpful unless what you really want to do is to have an argument for the sake of it and fix the terms of debate so you are bound to win.
At this point we have five windows boxes, three macs and a Linux box operating in the house. Of the nine machines the Linux box was by far the hardest to get running because the geniuses at Ubuntu decided to write a 700Mb distribution on a format with a maximum design capacity of 650Mb.
There is plenty of stupidity to go round. If people want to take pot shots, Linux is just as open to stupidity as anything else. When someone makes a similar attack on Linux the response is typically 'but these people are volunteers'.
Windows has this feature built in, end of story.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
If someone alters your password not through the normal password change process (i.e. an Administrator uses 'reset password'), you lose access to your private keys, and thus your encrypted files.
You can mitigate this though by backing up your EFS certificate, which is recommended.
http://technet.microsoft.com/en-us/library/cc756891.aspx
Who cares if the person is a known troll? In this case he is merely stating a well known fact.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun