
Windows Home Directory Encryption?

timothy posted more than 5 years ago | from the we-see-you-anonymous-reader dept.


An anonymous reader writes "Home directory encryption has been available on Linux for a while now, and it is definitely a smart, useful feature as it is not usually necessary to encrypt the entire drive, just the private documents and software profiles in the home directory. Windows is getting better about keeping everything that needs to be private in the user's home folder. Is there a similar solution for Windows to securely, and preferably transparently, encrypt the home directory only? (Preferably open source so that the code is available for peer review)."


Sure, it's been available for years. (5, Funny)

freenix (1294222) | more than 5 years ago | (#27264405)

But it usually comes with an email demanding money for decryption. If you want to keep something private, you should not use Windows.

Re:Sure, it's been available for years. (0)

Anonymous Coward | more than 5 years ago | (#27265235)

#$usltmp(43_ui2Zclq6>MN7`|_I.

Warning: Known sockpuppet/troll (0)

Anonymous Coward | more than 5 years ago | (#27266077)

User [slashdot.org] maintains more than a dozen sockpuppet accounts [slashdot.org] on Slashdot.

Re:Warning: Known sockpuppet/troll (2, Insightful)

Zero__Kelvin (151819) | more than 5 years ago | (#27267407)

Who cares if the person is a known troll? In this case he is merely stating a well known fact.

Twitter troll, mod down (0)

Anonymous Coward | more than 5 years ago | (#27266935)

n/t

Try here... (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27264411)

For all your encryption needs, go here: at cowtax [cowtax.com]

Flamebait? Moderator, SUCK MY NEGRO CHOCOLATE BALL (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27265301)

I have only one ball because Yoda ate the other.
 
  SOMEONE PLEASE EXPLAIN HOW THE PARENT IS FLAMEBAIT. Or at least mod him up and then mod him troll. Gah, this is annoying. Douche.
 
CAPTCHA: incest
 
Wow, shouldn't have come to Kentucky for spring break..

truecrypt (0)

Anonymous Coward | more than 5 years ago | (#27264429)

make a truecrypt image, copy over the userprofile folder and make a junction to it.

Truecrypt: Open source, free, works very well. (4, Informative)

Futurepower(R) (558542) | more than 5 years ago | (#27264477)

Truecrypt [truecrypt.com] can encrypt the entire OS partition.

Re:Truecrypt: Open source, free, works very well. (0)

Anonymous Coward | more than 5 years ago | (#27264849)

That's OK for some countries, the hidden O/S option might be useful (since you'd have to give them the password for the "official" volume unless you don't mind rubberhose attacks).

But it's not a good idea if you are trying to enter other countries. You don't even want them to know you are using crypto.

Because:
1) They might just decide to use that as an excuse to get a free laptop.
2) Your project could be jeopardized.

Now the odds of the authorities reacting in unwanted ways just because they see crypto goes down if millions of people have crypto bundled and active on their O/S whether they know it or not:

See: https://bugs.launchpad.net/ubuntu/+bug/148440 [launchpad.net]

BTW while Windows EFS can be useful I feel it's been designed more as data protection in case your system is stolen. It's not so good in many other scenarios.

Re:Truecrypt: Open source, free, works very well. (0)

Anonymous Coward | more than 5 years ago | (#27265949)

(since you'd have to give them the password for the "official" volume unless you don't mind rubberhose attacks)

Not every country is as barbaric as the US of A, you know?

Re:Truecrypt: Open source, free, works very well. (0)

Anonymous Coward | more than 5 years ago | (#27266431)

Not every country is as barbaric as the US of A, you know?

The U.S. government has killed or caused the death of 11,000,000 people and invaded or bombed 25 countries since the end of the 2nd world war. The U.S. has the highest percentage of its people in prison [wikimedia.org] of any country in the history of the world. The U.S. government just arranged a financial collapse [motherjones.com] and an enormous theft of taxpayer money.

Are you calling that barbaric?

Well, good.

Re:Truecrypt: Open source, free, works very well. (1)

AmiMoJo (196126) | more than 5 years ago | (#27265895)

The parents speak wisely. Using Truecrypt to encrypt your entire HDD is by far the best option.

Think of it this way - do you put locks on all your cupboards, chain the TV, Hi-Fi and sofa to the floor, install multiple safes to keep all your private correspondence in, or you simply lock the front door?

By encrypting everything you don't have to think about what you need to encrypt, if programs are leaking data any other ways (temporary files etc) and you don't have to use any special software beyond typing your password in once at boot time.

Re:Truecrypt: Open source, free, works very well. (0)

Anonymous Coward | more than 5 years ago | (#27265919)

And you get the wonderful performance benefit of having your executables encrypted!! Yay!

TrueCrypt is not noticeably slow. (3, Interesting)

Futurepower(R) (558542) | more than 5 years ago | (#27266345)

I suppose you mean to imply that TrueCrypt makes your computer slower. I suppose that may be true, but I haven't noticed it. TrueCrypt seems to be very, very well designed.

Note that there are TrueCrypt versions for both Windows XP and Vista, Mac OS X, and Linux. All are free and open source.

Because my hotkey script contains a password, I've installed AutoHotkey [autohotkey.com] in an encrypted TrueCrypt container. (A TrueCrypt container is either a file or an entire partition.) So, every time I use a hotkey, the system must get it from an encrypted file and be decrypted. I don't notice any difference in speed between that and when AutoHotkey was installed on an unencrypted OS partition.

I've used TrueCrypt for years and had no problems with it. Most software has numerous shortcomings. The biggest problem I can think of now with TrueCrypt is that the documentation doesn't explain the /q command line option very well. That's very minor, a problem not even in the program itself. (Yes, I suggested a re-write in the TrueCrypt forum, and yes, I offered to do the re-writing myself.)

I haven't yet experimented with encrypting the entire OS partition. I have experimented with encrypting an entire data partition; I didn't notice a speed difference. However, I found that it is better not to encrypt data partitions, it is easier to make an encrypted container on the data partition. That's especially true if the container can be the size of one DVD, 4.7 gigabytes, less the space necessary for the unencrypted TrueCrypt software. Then you can just dismount the container and burn a DVD backup of the container file and the TrueCrypt software.

TrueCrypt has been 100% reliable for me. There has never been a hint of a problem that might cause loss of data.

TrueCrypt developers: TrueCrypt is a wonderful gift to the world. Thanks!

My opinion is that it's necessary that encryption software be open source; I would never run proprietary encryption software because of the possibility that some rogue employee installed a back door. Also, the U.S. government believes it can force U.S. commercial companies to install surveillance functions in both hardware and software; executives and employees who disagree can be put in prison secretly. I suppose that isn't done very often, but like everything a government does in secret, there are unintended consequences. One of the consequences is that in some cases it may be considered unsafe to use U.S. products. It isn't only the U.S. banking system that is out of control.

Also, since I mentioned AutoHotkey, I will say that it is excellent, although the programming language is a bit quirky. My main AutoHotkey script is now 1563 lines; I use it a lot. It is Windows only.

AutoHotkey is great for Hotkeys and also open source and free. If you want to run scripts that interact with a Windows GUI as though someone is moving a mouse and typing at a keyboard, then AutoIt [autoitscript.com] is better. AutoHotkey and AutoIt co-exist perfectly. The two had a common origin.

TrueCrypt encrypted containers can be formatted as NTFS or FAT file systems. I haven't tried other file systems. All the Windows file system utilities work perfectly inside TrueCrypt encrypted containers: Windows Explorer, ChkDsk.exe, FsUtil.exe, Format.com, and Defrag.exe. I've found the free open source JkDefrag [kessels.com] to be a better defragmenter; it works perfectly inside TrueCrypt containers.

Re:TrueCrypt is not noticeably slow. (2, Informative)

Butterspoon (892614) | more than 5 years ago | (#27266449)

TrueCrypt encrypted containers can be formatted as NTFS or FAT file systems. I haven't tried other file systems.

I can add ext3 to the list of filesystems known to work with TrueCrypt, useful for apps such as Nautilus and TightVNC that create files with colons in their name.

Also, although this is slightly off-topic, you can easily store a Linux home directory and mount it in place, i.e. just one big volume in /home/username which you can mount with

$ truecrypt -t volume.tc ~

and the full home directory replaces the previously empty directory.

The OP is asking for something similar on Windows but that's much trickier on NTFS and Windows for a variety of reasons - TrueCrypt still doesn't allow mounting at a junction point, and a directory used for this purpose must be empty, and by the time you've logged in, you've already got a lot of files open (e.g. your registry hive).

Necessary: Encrypt the ENTIRE Windows OS partition (1)

Futurepower(R) (558542) | more than 5 years ago | (#27266627)

"The OP is asking for something similar on Windows but that's much trickier on NTFS and Windows for a variety of reasons..."

Good points.

It is necessary to encrypt the entire Windows OS partition. That's because Windows scatters files everywhere. For example, on one installation of Windows XP with I seem to remember 4 users, I found that temporary files were stored in 47 locations.

That just begins to describe all the scattering. Commercial programs store files in lots of places. There's a lot of stuff stored in the Windows registry files.

Re:Truecrypt: Open source, free, works very well. (0)

Anonymous Coward | more than 5 years ago | (#27266097)

Depends who you want to lock out. If it's other user-accounts on the same computer, encrypting your complete partition will not do any good.
That would be like locking the front-door to keep your house-mates out of your room.

The parents speak wisely not ... (1)

Zero__Kelvin (151819) | more than 5 years ago | (#27267575)

"The parents speak wisely. Using Truecrypt to encrypt your entire HDD is by far the best option."

In Windows most user data is stored under Documents and Settings, but misbehaving applications may put it elsewhere. On Linux all user data is always under /home, which is typically a separate partition either on the same physical media or on another storage medium or media. Therefore, if you want to protect your data rather than the OS itself:

  • In Windows you need to encrypt the whole OS to be sure no private data is exposed
  • With Linux encrypting /home is not only preferred, but makes much more sense

Re:Truecrypt: Open source, free, works very well. (0)

Anonymous Coward | more than 5 years ago | (#27268589)

By encrypting everything you don't have to think about what you need to encrypt,

By thinking once (when you lay out the directories) you don't have to think again later, too. Get /home, swap, and maybe (depends on what you're doing) /var, and -- hey, this all sounds familiar, as though someone else already thought about the issue decades ago.

Anyway, to answer the original question: the best way to do this on Windows, is to do it in Linux and then install Samba.

Re: truecrypt: dangerous license (0)

Anonymous Coward | more than 5 years ago | (#27266423)

Truecrypt has a whacky license (http://www.mail-archive.com/distributions@lists.freedesktop.org/msg00270.html ), so you are better off with FreeOTFE which is dm-crypt compatible though it may not encrypt everything.

It's the same thing with proprietary RAID systems - you barely know the layout of the data on disk, so if your array dies, you have to get one that is equivalent. Nice vendor lock-in, and truecrypt is similar.

The license looks fine to me. (1)

Futurepower(R) (558542) | more than 5 years ago | (#27266513)

What is wrong with the TrueCrypt license [truecrypt.org] ?

Quoting from the section about making your own modifications to TrueCrypt and calling it by a different name: "Note: TrueCrypt and the TrueCrypt logos are trademarks of the TrueCrypt Foundation. The goal is not to monetize the name or the product, but to protect the reputation of TrueCrypt, and to prevent support issues and other kinds of issues that might arise from the existence of similar products with the same or similar name. Even though TrueCrypt and the TrueCrypt logos are trademarks, TrueCrypt is and will remain open-source and free software."

Basically, the license says, "You can do anything you like except 1) engage in fraud using the TrueCrypt name, and 2) make TrueCrypt code non-free."

If there is anything objectionable, I don't see it.

EFS? (2, Funny)

404 Clue Not Found (763556) | more than 5 years ago | (#27264435)

Isn't Windows's own Encrypting File System feature designed to do this very thing?

Re:EFS? (4, Insightful)

zonky (1153039) | more than 5 years ago | (#27264465)

"Preferably Open Source".

Re:EFS? (1, Funny)

Anonymous Coward | more than 5 years ago | (#27264487)

"preferably"

Re:EFS? (2, Funny)

Anonymous Coward | more than 5 years ago | (#27264529)

"Pref"

Re:EFS? (1, Funny)

Anonymous Coward | more than 5 years ago | (#27264889)

"Pre"

Re:EFS? (2, Funny)

Anonymous Coward | more than 5 years ago | (#27265057)

Pie? I like pie!

Re:EFS? (1)

Quantos (1327889) | more than 5 years ago | (#27265243)

mmmmm...

Hair Pie...

Re:EFS? (2, Insightful)

ozphx (1061292) | more than 5 years ago | (#27264521)

Enterprise and government have access to the Windows source to review it. Unless you are suggesting that OP plans to read through it himself?

Re:EFS? (5, Insightful)

zonky (1153039) | more than 5 years ago | (#27264595)

and do those companies and/or governments choose to implement it?

The windows source isn't really available! (0)

Anonymous Coward | more than 5 years ago | (#27266299)

Wrong! The code is non compilable, so even if you have said windows source code, how are you to know that it is the source code of the binaries running on your system.

You don't.

One of the keystones of open source security systems is that you can build your own binaries from the sourcecode that you reviewed.

Re:The windows source isn't really available! (0)

Anonymous Coward | more than 5 years ago | (#27266357)

RTFSummary. OP doesn't give a shit, he wants to install some crap that's probably been reviewed. Most people get binaries and can't be fucked checking an md5sum.

Re:EFS? (2, Insightful)

mysidia (191772) | more than 5 years ago | (#27264545)

If you put it that way, there physically cannot be an open source solution here, because Windows itself is closed-source.

No matter how great the open-source encryption software you can find, on Windows you can't have a home directory, let alone run software to be able to encrypt it, without running closed source software.

The advantage of EFS (Encrypted Filesystem), is it doesn't require any additional software to implement, open source, or otherwise.

Re:EFS? (1)

gzipped_tar (1151931) | more than 5 years ago | (#27264671)

I think on Windows one can have a home directory but I don't know whether you can make it a mount point for a separate partition encrypted transparently (which would ease maintenance). Anyway, I'm not sure... haven't used Windows for quite some time.

Re:EFS? (5, Informative)

mysidia (191772) | more than 5 years ago | (#27264733)

In Windows they call home directories 'user profiles'. Commonly (in a windows domain environment), they live on a server, and automatically get copied to whatever workstation you log into.

Folders in there could be encrypted, however, certain folders in your profile are loaded by the system, and you may be unable to login if they get encrypted.

If you use EFS, your certificates and private keys for actually decrypting/encrypting files, are stored in your profile too.

Downside of EFS: your home directory decryption is linked to your login password, and a digital certificate.

If someone alters your password not through the normal password change process (i.e. an Administrator uses 'reset password'), you lose access to your private keys, and thus your encrypted files.

Because the cert and keys in the keystore are required, if you backup encrypted files to a USB thumbdrive using NTFS, you can't read them on another computer, even if you know the login password you were using when you encrypted them.

*It's too dumb to realize you only want it encrypted while it's in that folder.

Re:EFS? (1)

nitzmahone (164842) | more than 5 years ago | (#27265797)

"If someone alters your password not through the normal password change process (i.e. an Administrator uses 'reset password'), you lose access to your private keys, and thus your encrypted files."

This is only true for local (eg, non-domain) accounts. Domain account passwords can be changed administratively without affecting the keys.

Re:EFS? (1)

itsme1234 (199680) | more than 5 years ago | (#27265861)

I don't know about recent incarnations of Windows but traditionally the file names are stored in clear in EFS; I see this as a huge disadvantage.

The problem with the propagation of the "encrypted" attribute to mostly any NTFS filesystems where you copy files to can't be underestimated. Probably well (security-wise) intended the problem is that users copy files to external drives and are somehow under the impression that having the external drive itself is enough to have access to the info on it. The problem can be from annoying (copy files from computer A, can't read on computer B) to full-scale disaster (make regular backups on external drives, test them in an uninformed fashion by browsing around and opening random files, have hdd crash or windows reinstall - poof all your files are gone, including the ones from the untouched hdd in your safe).

And of course any solution that encrypts a bunch of folders on a windows machine is bound to be incomplete with info leaking everywhere. Even if you are scared to have obvious encryption on your machine I would still recommend truecrypt (system/full) disk encryption. You can customize the password prompt to your liking (or have nothing at all, just looks like system has crashed/locked up), you can install multiple OSes and boot by default in an unencrypted one, you can have the decoy encrypted OS and so on.

Re:EFS? (2, Insightful)

BitZtream (692029) | more than 5 years ago | (#27266797)

You can customize the password prompt to your liking (or have nothing at all, just looks like system has crashed/locked up), you can install multiple OSes and boot by default in an unencrypted one, you can have the decoy encrypted OS and so on.

You know, I see this sort of thing all the time with TrueCrypt and I have to ask ... Short of a few government agencies and a few paranoid dorks, who the hell uses this? It can't be used on a server unless you want a reboot to cause the server to require a human to fix it, so it's really only useful to end users, more specifically laptops. In which case, if your data is THAT important, why the fuck are you carrying it around on a laptop in the first place?

This is just ridiculous. It's great that TrueCrypt does it, but anyone who actually needs it is probably going to use a different, more obscure method, just to make it that much harder to bypass.

I guess maybe its the audiophile cryptographers who need to encrypt their laptops so no one realizes that their $1500 headphones and Monster cables are bullshit and sound the exact same as my $10 pair after you've heard the same sound effect 30k times while playing F.E.A.R. ...

Re:EFS? (1)

itsme1234 (199680) | more than 5 years ago | (#27267741)

Usually a reboot on a server DOES require a human to fix it. But yes, it's not intended for servers because they tend to be pretty well locked up (unless it is your home server and you'll be better off running Linux anyway and in any case it doesn't matter if the server goes down until you go home and can enter the password).
The UK government loses laptops by the thousands, truecrypt would do a lot of good here. The argument that you shouldn't carry the data on the laptop is moot as some users have only one computer. Even if you don't have tons of secret documents you still have some pictures, some IM accounts, maybe some bank info in your browser cache and so on. Are you trying to say that you just don't care if somebody has access to your notebook? Can you give me access to have a look?
Also there's the case when the disk breaks under warranty. I understand you buy another desktop which you keep secured so you don't keep private data on the notebook, but what do you do when the disk on the desktop dies and you still have warranty? Destroy it physically (and take a loss because otherwise you would be entitled to a replacement)? If you have it all encrypted you just send it back without worries about what info your computer has ever seen.
The installation is a breeze, the performance hit and other disadvantages are minimal and the OP obviously wants to bother with encryption. What's the problem then?

Re:EFS? (1)

BitZtream (692029) | more than 5 years ago | (#27266755)

If an administrator changes your password the administrator can still access your files as ActiveDirectory stores a copy of the encryption key for administrator usage in just such cases as you describe.

You can encrypt to a USB thumbdrive and use the data on multiple machines within a domain environment just fine as long as you always are using a login with access to the encryption key, such as the original encryptor or an administrator account.

Personally, as someone who works for a thumb drive manufacturer, I wouldn't worry about encryption on your thumbdrive, it's likely to fail before anyone can do anything useful with it anyway! (J/K of course, we only sell the drives to peddle our encryption software, but thumbdrives are extremely unreliable nonetheless :)

Re:EFS? (1)

mysidia (191772) | more than 5 years ago | (#27267007)

If an administrator changes your password the administrator can still access your files as ActiveDirectory stores a copy of the encryption key for administrator usage in just such cases as you describe.

Most home user machines are standalone XP Home, so there is no backup of the users keys stored in AD, in that case.

That would be a considerable flaw, in that the backup is only available to some users...

Re:EFS? (2, Informative)

plague3106 (71849) | more than 5 years ago | (#27267329)

If someone alters your password not through the normal password change process (i.e. an Administrator uses 'reset password'), you lose access to your private keys, and thus your encrypted files.

You can mitigate this though by backing up your EFS certificate, which is recommended.

http://technet.microsoft.com/en-us/library/cc756891.aspx [microsoft.com]

Re:EFS? (1)

gruhnj (195230) | more than 5 years ago | (#27269169)

The multiple computer problem in a domain is solved by setting up a PKI through certificate services. This combined with a logon script to encrypt the profile directory takes care of those problems. If you are doing EFS on a large scale in a domain you would be crazy not to use a PKI. Another advantage to this is should the certificate get lost you can set recovery keys that an admin can use to decrypt the data.

This can also in a windows domain be used to create bitlocker keys as well which encrypts the entire system.

Re:EFS? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27266277)

"Preferably Open Source".

It's built into the OS, so it's as open source as any other part of Windows. If open source is that important to you then you probably won't be using Windows anyway. Besides, it's pretty clear that the OP didn't know about EFS, and so was thinking about third-party tools. I think the standard in that case might be different.

Re:EFS? (2, Interesting)

Zeinfeld (263942) | more than 5 years ago | (#27266931)

"Preferably Open Source".

This is not a good faith question. Nobody is going to waste their time writing an open source extension to a proprietary operating system that duplicates the functionality of the core O/S. And if they did the result is probably not going to be worth using because nobody with sense is going to use and test it.

What this amounts to is that the slashcrew will post pretty much anything that panders to their biases and so they will post without thinking a question that is clearly designed to provide the answer 'no'.

Same thing happens on the camera forums. For years Canon fanatics used to appear in Nikon forums to ask about full frame sensor cameras. Then Nikon came out with a model that beat the Canon and then some and they started asking about fast prime lenses. Now that Nikon have started releasing a new range of fast primes they are asking about constant aperture f/4 zooms. None of it makes the slightest sense. Very few professional photographers would regard the Canon lenses as superior to Nikon in optical quality and certainly not in range. The Canon super-teles were much better at focus speed at one point because Nikon had their heads up their butts with their insistence on only putting the motor in the camera. But that changed long ago.

This type of question is not helpful unless what you really want to do is to have an argument for the sake of it and fix the terms of debate so you are bound to win.

At this point we have five windows boxes, three macs and a Linux box operating in the house. Of the nine machines the Linux box was by far the hardest to get running because the geniuses at Ubuntu decided to write a 700Mb distribution on a format with a maximum design capacity of 650Mb.

There is plenty of stupidity to go round. If people want to take pot shots, Linux is just as open to stupidity as anything else. When someone makes a similar attack on Linux the response is typically 'but these people are volunteers'.

Windows has this feature built in, end of story.

EFS is NOT included in Windows Home editions. (2, Insightful)

WoTG (610710) | more than 5 years ago | (#27264559)

I use EFS for some folders at work... but at home I cheaped out and got Windows Home edition... or whatever Vista's non-Business edition is called. I use TrueCrypt for the really critical files.

Re:EFS? (1)

zidane2k1 (971794) | more than 5 years ago | (#27264685)

Yeah. It isn't open source, but the OP didn't seem to "require" it. Also, EFS isn't available on XP Home or Vista Home, but if he has the pricier editions then it's no problem.

Re:EFS? (1, Funny)

Anonymous Coward | more than 5 years ago | (#27266237)

Isn't Windows's own Encrypting File System feature designed to do this very thing?

Yes, and it's been around since Windows 2000. It's hard to believe that someone posting on Slashdot (and the Slashdot editors) didn't know about this.

And to cut off any other similar questions, Windows has also included the capability to play music and video files since at least Windows 95.

Re:EFS? (1)

GMFTatsujin (239569) | more than 5 years ago | (#27268637)

How about displaying transparent PNGs? Or properly rendering CSS?

Admittedly, I've been out of the loop for a while. You may have upgraded information.

Re:EFS? (0)

Anonymous Coward | more than 5 years ago | (#27269111)

There is an unresolved issue with EFS interacting with Indexing services, such as MS's new indexing search. When you combine those two with some of the new Anti-Virus application versions it will corrupt the files that are encrypted.

Simple solution (4, Informative)

jsse (254124) | more than 5 years ago | (#27264461)

(1) Right Click the directory
(2) Left Click Properties
(3) Left Click "Advanced" near the bottom
(4) Check with your Left Mouse button "Encrypt contents to secure data"
(5) Left Click OK, wait until it finishes


The directory would appear green thereafter, indicating it's encrypted and can only be accessed by the owner. Home edition might not have encryption enabled, mind you.

Google for "windows directory encryption" would lead you to the answer anyway.
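The same EFS steps as a script, plus the two checks the thread keeps coming back to: which files in the folder are still plaintext after encrypting, which files on a plain-copy backup drive kept the Encrypted attribute (and so are unreadable elsewhere), and backing up the EFS certificate as recommended above. This is an added example, not code from the thread; it assumes a Windows edition with EFS, cipher.exe on PATH, and the folder paths shown are placeholders.

```powershell
# Added example (not from the thread). Assumes Windows Pro/Business with EFS;
# cipher.exe ships with Windows. Paths below are placeholders to adjust.

# 1. Encrypt a folder: the CLI equivalent of the "Encrypt contents" checkbox.
#    /e sets the Encrypted attribute, /s:dir recurses into subfolders.
function Enable-EfsFolder {
    param([Parameter(Mandatory)][string]$Path)
    & cipher.exe /e /s:"$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe /e failed with exit code $LASTEXITCODE" }
}

# 2. Verify: files under the folder that did NOT get the Encrypted attribute.
#    EFS skips some files (system-attributed ones, files open at the time),
#    so this is what is still plaintext after step 1.
function Get-EfsPlaintextFiles {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted) } |
        Select-Object -ExpandProperty FullName
}

# 3. The reverse check for a backup or USB drive: files that kept the
#    Encrypted attribute when copied to NTFS. Without your EFS key they are
#    unreadable on any other machine (the "poof, all your files are gone" case).
function Get-EfsEncryptedFiles {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted) } |
        Select-Object -ExpandProperty FullName
}

# 4. Back up the current user's EFS certificate and private key to a PFX.
#    cipher /x prompts for a password interactively and appends ".pfx".
#    Keep the file off the machine (thumb drive in a safe, as the thread says).
function Backup-EfsCertificate {
    param([Parameter(Mandatory)][string]$PfxPath)
    & cipher.exe /x "$PfxPath"
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe /x failed with exit code $LASTEXITCODE" }
}

# Usage: encrypt Documents, report what is still plaintext, back up the key,
# then audit a plain-copy backup drive before relying on it.
$target = Join-Path $env:USERPROFILE 'Documents'
Enable-EfsFolder -Path $target
$plain = Get-EfsPlaintextFiles -Path $target
if ($plain) { Write-Warning "Still unencrypted under ${target}:`n$($plain -join "`n")" }
Backup-EfsCertificate -PfxPath (Join-Path $env:USERPROFILE 'efs-key-backup')
Get-EfsEncryptedFiles -Path 'E:\backup' |
    ForEach-Object { Write-Warning "Unreadable without your EFS key: $_" }
```

Run the last check against any external drive you copy profile data to; an empty result means the copy is readable on another machine, a non-empty one means you still need the PFX (and its password) to get at those files.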

Re:Simple solution (5, Funny)

BigBuckHunter (722855) | more than 5 years ago | (#27264655)

(1) Right Click the directory (2) Left Click Properties (3) Left Click "Advanced" near the bottom (4) Check with your Left Mouse button "Encrypt contents to secure data" (5) Left Click OK, wait until it finishes

What's next? Are you going to suggest using NTBackup to back files up? Netmeeting to do an H323 conference with the office? Use 'windows' defragmenter? Remote Desktop instead of VNC? Crazy talk I say!

BBH

Re:Simple solution (0, Troll)

Ralish (775196) | more than 5 years ago | (#27265055)

EFS is very powerful in the right hands, the simple encryption checkbox betrays the real power lying just beneath the surface. I do find it amusing when people criticise complex encryption architectures because not everything is exposed in a pretty UI. Would you feel better if there were some nice Aero encryption animations?

NTBackup is absolutely solid as a basic backup solution; I know many people who are very unhappy with Microsoft that it isn't present in Vista and 2008.

NetMeeting is effectively obsolete, it has been superseded by Windows Meeting Space; get with the times.

Windows Defragmenter is rubbish, I'll give you that.

Remote Desktop is an excellent solution for remote desktop of Windows machines and handles more advanced UI features like desktop compositing far better than most alternatives I've used. Why would I bother installing something like VNC when RDP can do everything I and most others need?

I know your post was meant to be ridiculing various Windows features, but it really just reveals your ignorance.

Re:Simple solution (2, Insightful)

Anonymous Coward | more than 5 years ago | (#27265137)

I know your post was meant to be ridiculing various Windows features, but it really just reveals your ignorance.

I thought it was meant to be ridiculing people who choose Windows and then don't know/use the core elements that actually make it worth using....

The RDP that comes with 2008 is really quite neat; you can now administer remote "RDP Apps" that, in my mind, totally replace Citrix and the like. Granular application-level ACLs via RDP -- what's not to like? I wish there was a fully open source alternative that was that powerful. NX/VNC gets close, but the server isn't OSS... meh.

Avoid Windows file encryption. (2, Interesting)

Futurepower(R) (558542) | more than 5 years ago | (#27266657)

Windows file encryption should not be used. It has extreme shortcomings. Many people have lost their data because of Windows file encryption. This information has been verified by several Microsoft technical support people.

Re:Avoid Windows file encryption. (0)

Anonymous Coward | more than 5 years ago | (#27267965)

It has the same shortcoming as any other encryption scheme. If you forget the password or lose the keys you're hosed.

Export the keys [microsoft.com] to a thumbdrive (or two), write down the password and put it all in a safe.

Re:Simple solution (1)

BigBuckHunter (722855) | more than 5 years ago | (#27265183)

I know your post was meant to be ridiculing various Windows features, but it really just reveals your ignorance.

Quite the contrary. My NY style sarcasm sometimes is a little overboard for you interweb folks. It would never occur to me to pay money, download, and install an alternative to any of these packages, with the possible exception of an entirely different OS.

That said.. I wasn't aware that Meeting Space was an H323 and T120 app. It looks more like a WebX competitor and Sharepoint accessory than a Netmeeting replacement.

Windows Defrag is fine for any system. Any further optimization is polishing a turd. EFS and RDP work as advertised. NTBackup will be missed by all.

BBH

Re:Simple solution (1)

Ralish (775196) | more than 5 years ago | (#27265215)

In which case I owe you an apology for my snarky reply ;)

There's so many Slashdot posters/trolls who are completely ignorant of what they are talking about with regards to Microsoft products and technology, that I find it can be very difficult to sift out the ignorant from those select few who know what they are talking about but are talking in jest.

Once again, my apologies for my unwarranted snarky reply!

Re:Simple solution (1)

BigBuckHunter (722855) | more than 5 years ago | (#27268933)

No apology necessary. This is slashdot after all. I will say that there does seem to be a windows paradigm where users feel obligated to purchase, download, and install software for functionality already offered by the default OS. For example:

People wanting to defrag download speedDisk. People wanting to surf the web download firefox. People wanting to burn CDs purchase Nero, and so on and so forth. It's as if they do not even try to use the built-in software any more. It always struck me as odd. My wife installed solitaire from some MSN Gaming site. She says that it's "better than the solitaire already installed". I'm putting her on Ubuntu next week.

BBH

Re:Simple solution (0)

Anonymous Coward | more than 5 years ago | (#27267365)

NY sarcasm is still well below the internet sarcasm standard. Keep trying though, you guys will get there eventually.

Re:Simple solution (1)

fat_mike (71855) | more than 5 years ago | (#27265087)

This is considered brief:

http://www.bacula.org/en/dev-manual/Brief_Tutorial.html [bacula.org]

The sixth result involves rsync.

I've written batch files in the normal Windows shell, using Winzip with 256 bit encryption that take less time than trying to read the documentation for any Linux backup tool.

Nice try with the Net Meeting crap, nobody uses it and you know that.

The defrag tool in Windows isn't written by Microsoft so try again. It actually does a better job than watching my XFS tools kill my MythTV storage directory. Oh, and don't forget that most of the Linux defrag is imaginary. Journals my ass.

Remote Desktop, I add a remote user and I'm done. I don't have to worry about the X server and my X client not liking each other. It just works.

Re:Simple solution (0)

Anonymous Coward | more than 5 years ago | (#27265205)

He was being sarcastic. You're just being silly.

Re:Simple solution (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27266413)

What the fuck is your problem? You fat wanker.

Re:Simple solution (2, Informative)

Anonymous Coward | more than 5 years ago | (#27264695)

just fyi, you can only decrypt an encrypted Windows directory under the same install of Windows that it was originally encrypted on.

Re:Simple solution (4, Informative)

mlts (1038732) | more than 5 years ago | (#27264775)

Vista and Windows Server 2008 prompt you to back up your encryption key. Then, if you do need to reinstall, you import that key into your key store, and you can decrypt the files.

With XP, you have to manually make a data recovery agent key by using cipher /r, then import the created certificate as a data recovery policy.

Re:Simple solution (1)

modestgeek (1449921) | more than 5 years ago | (#27266637)

I know this story is about home encryption, but in a domain environment with PKI implemented, recovery of EFS keys is possible by those au.

Password (3, Informative)

pavon (30274) | more than 5 years ago | (#27264991)

One very important thing to remember if you choose to use Windows built in encryption is that it uses the Windows password to encrypt the keys, and by default that password is stored using an LM hash which is extremely insecure (in addition to the NTLM which is less insecure).

To prevent this, you can either modify a registry [microsoft.com] setting to disable LM Hashes, or you can pick a password 15 characters or longer (since LM is limited to 14, it will be filled in with garbage and NTLM used instead).

Note that this also applies if you use TrueCrypt or some other program, but use the same password as you use for Windows.
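The LM weakness pavon describes, as an added Go example that is not code from this thread: it computes the LM hash the way pre-Vista Windows stored it, showing that the password is uppercased and split into two independently DES-encrypted 7-character halves, and that a 15+ character password leaves only the empty-password sentinel. It assumes ASCII passwords; `lmExposure` is a helper written for this example, not a Windows API.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext LM encrypts under each half of the password.
var lmMagic = []byte("KGS!@#$%")

// lmNoPassword is the LM hash of the empty password. Windows stores the same
// 8-byte value for any half that is empty, and the whole value when the
// password is too long (15+ characters) for an LM hash to exist at all.
const lmNoPassword = "aad3b435b51404eeaad3b435b51404ee"

// desKeyFrom7 spreads 7 bytes over an 8-byte DES key, leaving bit 0 of every
// byte free for the parity bit that DES ignores.
func desKeyFrom7(k []byte) []byte {
	key := make([]byte, 8)
	key[0] = k[0]
	for i := 1; i < 7; i++ {
		key[i] = (k[i-1] << (8 - uint(i))) | (k[i] >> uint(i))
	}
	key[7] = k[6] << 1
	for i := range key {
		key[i] &^= 1 // clear the parity bit position
	}
	return key
}

// lmHash computes the LM hash exactly as pre-Vista Windows stores it for an
// ASCII password: uppercase, NUL-pad to 14 bytes, split into two 7-byte
// halves, and DES-encrypt the constant under each half independently.
func lmHash(password string) string {
	if len(password) > 14 {
		// Windows cannot LM-hash more than 14 characters, so it stores the
		// empty-password sentinel instead; this is why a 15+ character
		// password effectively disables LM for that account.
		return lmNoPassword
	}
	padded := make([]byte, 14)
	copy(padded, strings.ToUpper(password)) // ASCII only in this example
	out := make([]byte, 16)
	for half := 0; half < 2; half++ {
		block, err := des.NewCipher(desKeyFrom7(padded[half*7 : half*7+7]))
		if err != nil {
			panic(err) // the key is always 8 bytes, so this cannot happen
		}
		block.Encrypt(out[half*8:half*8+8], lmMagic)
	}
	return hex.EncodeToString(out)
}

// lmExposure explains, for someone reviewing password policy, how much an LM
// hash left in the SAM would reveal about the password.
func lmExposure(password string) string {
	switch {
	case len(password) > 14:
		return "no LM hash stored; only the NTLM hash represents this password"
	case len(password) <= 7:
		return "second half is the known empty value; a single case-insensitive 7-character half is all that protects the password"
	default:
		return "LM splits the password into two independent, case-insensitive 7-character halves"
	}
}

func main() {
	// Constructed sample passwords for the demonstration.
	for _, pw := range []string{"", "d", "passwor", "password", "PASSWORD", "correct horse battery"} {
		fmt.Printf("%-24q %s\n  %s\n", pw, lmHash(pw), lmExposure(pw))
	}
}
```

Running it shows "password" and "PASSWORD" hashing identically, the first 16 hex digits of "password" matching those of "passwor", and the 21-character password yielding nothing but the sentinel.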

Re:Password (2, Informative)

Ralish (775196) | more than 5 years ago | (#27265075)

It's worth noting this only applies to pre-Vista machines. Vista and newer do support LM hashes, but they must be explicitly enabled manually in the systems security policy.

You raise an excellent point though, checking the password policy strength is a very good idea. You should ideally be mandating the usage of NTLMv2, and forbidding the usage of anything earlier (NTLMv1/LM) in the system security policy. If this is just a home box, not connected to a corporate network, then this should not be a problem.

LM is required for legacy Windows clients (think 9x and pre-win2k in some cases). Samba can handle NTLM, I'm not certain about NTLMv2. Really, it's unlikely anyone these days has a need for LM hashes, unless you require things like file sharing with ancient Windows operating systems. In which case, you have bigger problems :)

Re:Password (1)

cbhacking (979169) | more than 5 years ago | (#27265435)

Up to XP, the insecure hash was used. On Vista and above (probably Server 2003 as well, don't know) it is disabled by default.

Interesting side note: Unless Group Policy was set up to enable this, even an Administrator can not unlock a non-Administrator's encrypted files/folders. The encryption is tied to a hash of the user's password, and while an Admin can force any user (including another Admin) to change their password, doing so will render the encrypted data unrecoverable unless you have the key from some other source.

Re:Password (1)

BitZtream (692029) | more than 5 years ago | (#27266691)

The password is stored that way only if you are in a compatibility mode. By default new ADS systems don't store the password that way. You must enable backwards compatibility with older DOMAIN controllers in order for the lm hash system to be used.

If you're in a 2003 or newer ActiveDirectory, then its not an issue.

Re:Simple solution (1)

massysett (910130) | more than 5 years ago | (#27266477)

Google for "windows directory encryption" would lead you to the answer anyway.

Indeed. It would be nice if this Ask Slashdot feature had truly interesting questions, rather than "I was too lazy to use a search engine" questions.

Re:Simple solution (0)

Anonymous Coward | more than 5 years ago | (#27266721)

If you are not interested in the discussion, please don't comment.

Surprised there isn't a policy for this (1)

TinBromide (921574) | more than 5 years ago | (#27264473)

I know it's possible to make user directories private from within Windows, and I'd be surprised if Microsoft didn't have an existing policy for rolling out EFS (as stated above) to user folders.

If this is a single computer not on a network, why not use TrueCrypt to encrypt the entire drive? I have not noticed ANY slowdown on any relatively modern system running whole drive encryption. It's a simple 45 minute process for less than 100 gig drives.

I'm not familiar with any open source alternative to this, but you shouldn't have to look anywhere beyond the tools available on a windows active directory.

Re:Surprised there isn't a policy for this (1)

TinBromide (921574) | more than 5 years ago | (#27264483)

Hi, Me again, by the way, even though your FILES may live entirely in the documents and settings/username folder, the page file, 4 out of 5 registry hives, and other forensically important data exists outside of the user folder which may be recoverable to a determined attacker with whole drive access.

Three letters (1)

Foolhardy (664051) | more than 5 years ago | (#27264541)

EFS [wikipedia.org] .

Right click on your profile, go to properties, advanced, check the encrypt box. Alternatively, cipher /e /s on your profile dir. 5 seconds of googling surely would have revealed this.

BitLocker (0)

Anonymous Coward | more than 5 years ago | (#27264669)

Vista introduces something where you can encrypt C: using the TPM chip on your motherboard as a key...

Two suggestions (5, Informative)

Ralish (775196) | more than 5 years ago | (#27264731)

I think there are two major/popular ways to do what you want that I'm familiar with. There are of course other options, but I've not used them, and won't comment on them.

1. TrueCrypt
This is a simple but very powerful encryption utility that is also open-source. It performs its magic by either encrypting volumes or by using encrypted file containers (a file which contains encrypted data that can be mounted as a virtual drive). The file container approach is very easy to use but you won't be able to use it to encrypt your _entire_ home directory, only elements of it. Effectively, you'd create one or more encrypted file containers and store everything sensitive in them. You could use full volume encryption by storing your entire user profile on a separate volume, but this is obviously more difficult to set up, depending on your OS. To do something like the latter properly in something like Vista, you'd probably need to do it at install time through an unattend and state which drive the Users directory should be located on, as changing this once installed is not simple and ill-advised.

2. NTFS EFS (Encrypting File System)
Included with all "professional" (i.e. not Home/Starter/etc.) editions of Windows since Windows 2000. Enables file-system level encryption tied into NTFS to encrypt individual files/folders on any NTFS device. This has some significant pros, in that not only is it included as a stock component of the OS, but it is extremely easy to set up. Just right click on the folder/file you want to encrypt and do so through the Advanced properties. However, getting into the guts of EFS and fiddling with encryption certificates, ciphers, etc. requires some additional skill and research as there is no simple unified front-end to managing EFS like there is for TrueCrypt.

It's important to note that these two encryption suites are very different in how they work. Whereas TC stores data in file containers (unless you encrypt the entire volume), EFS works at the filesystem level and is completely transparent to userland, enabling transparent encryption of anything on the NTFS volume that is user-related. Note that EFS binds to user accounts. You generally can't use EFS to encrypt data that is outside the scope of a user account (such as system files). You'll need full volume encryption technology for that. Microsoft also has BitLocker for full-volume encryption, but this is Vista only, and for home setups, needlessly complicated and difficult to set up, not to mention the TPM requirements for full functionality.

Other things to note would be the importance of portability. TrueCrypt works across Windows/Unix, whereas EFS is obviously specific to Microsoft. I'm not sure if there's an OSS implementation for reading EFS encrypted data under Unixes, but even if there was, I think you'd be mad to use it. You shouldn't be using EFS if portability between OS's is a concern. Also note that whereas TC will have a separate password, EFS will use your account password for encrypting your user data. This means that if you lose/forget your account password, you _WILL_ lose your EFS encrypted data, unless you've set up things like recovery certificates. Further, if you use a password reset tool to reset your account password outside of your user account, you _WILL_ lose all your EFS encrypted data. Your account password is the key to your EFS data, and so losing it or changing it improperly can have very nasty consequences.

I can't really recommend either method; you really need to research and have a play with both to decide which you prefer. I will say that if you are going the full-volume encryption route, I'd highly recommend TrueCrypt over BitLocker for home setups. The general trend I've observed from using both is that they are both very powerful tools, and can both easily get the job done when set up properly. However, TrueCrypt is more geared towards home/smaller setups, while EFS/BitLocker can work on anything from an individual box to a centrally managed enterprise network. The difference in audience shows, as configuring EFS/BitLocker tends to be both more complex and less intuitive, but there's a lot of power in them hidden away, and they should not be underestimated. Usually for home/small scale setups I'd recommend TrueCrypt in a flash, but your case is somewhat unique and if you're after purely encrypting home user directories, EFS would be worth investigating as well.

I apologise if this post is a bit of a sprawl, but encryption is a complex area, so summarising even the basics and pros/cons of two encryption suites can be tricky.

Re:Two suggestions (3, Interesting)

cbhacking (979169) | more than 5 years ago | (#27265467)

Very good post, thank you.

A couple small points:
You can actually create a user profile outside of the standard location once your system is installed - no need to do it at install time. There's a single registry key that controls the folder where new accounts go; setting it, then creating a brand new account and logging into it, will put the profile in the new location.

Alternatively, it is possible to change the location of an existing profile if you're determined enough. It's a bitch, though - definitely not recommended. I've found it MUCH easier to install, create a throw-away/backup account at install time, use it to set the location for new accounts to another drive, and then create your *real* account on that drive.

Finally, while BitLocker is definitely complex on Vista, Win7 includes much better UI and more options for key protection. On my beta Win7 tablet, it's literally a matter of right-click on a drive, select "Turn on BitLocker" from the context menu, select protectors I want to use (say, a passphrase plus I need to have a specific USB device attached - no TPM needed, and all user-configurable), and let it do its thing for a little while.

As a side note, Win7 BitLocker can also encrypt removable drives - very handy if you need to move sensitive data in physical media, and it includes a tool allowing you to decrypt them on older versions of Windows.

Windows doesn't have a home directory (1)

Logic Worshiper (1480539) | more than 5 years ago | (#27264791)

and it doesn't integrate open source software. The closest thing to the "home" directory on Windows is Documents and Settings -> User Name.

I don't recommend encrypting your "home" directory on Windows, because Windows tends to self destruct, and the last thing you want is for your data to be lost permanently when that happens. If you have specific files you need to encrypt, try AxCrypt [axantum.com]; make sure you have a portable version of AxCrypt to decrypt the files if needed.

Re:Windows doesn't have a home directory (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27265037)

and it doesn't integrate open source software. The closest thing to the "home" directory on Windows is Documents and Settings -> User Name.

Of course windows has a home directory, and has for at least 15 years. If you look at the environment variables HOMEDRIVE and HOMEPATH, that will tell you exactly where your home directory is located.

I don't recommend encrypting your "home" directory on Windows, because Windows tends to self destruct,

Unlike the ext4 file system [slashdot.org] on linux which automagically loses files?

Properly administered, windows is very stable.

Re:Windows doesn't have a home directory (1)

Ralish (775196) | more than 5 years ago | (#27265117)

Windows does have a home directory, it's the one you correctly indicated. It stores user data and preferences. In this sense, it is identical to Unix home directories.

Windows in my experience only self destructs when the user is either an idiot, or does something incredibly stupid; these often go hand-in-hand. As such, my Windows installation and those I administer never spontaneously combust. Yours on the other hand...

Finally, you can use recovery certificates as others have indicated as a fail safe in the case of a munged Windows installation. This is very similar to TrueCrypt requiring you to backup the TC boot sector.

TrueCrypt + TCGina (5, Informative)

anom (809433) | more than 5 years ago | (#27264863)

Author said he wanted only the home directory (I'm assuming you mean %USERPROFILE%) encrypted. While TrueCrypt can natively encrypt the entire drive, there is an addon available to perform encryption only on your "Documents and Settings\Username" folder. The enhancement is available at http://tcgina.t35.com/ [t35.com]. Of course, TrueCrypt is available at www.truecrypt.org. Even though I use TrueCrypt for the entire drive, I separately use TCGINA so that I can have a portable encrypted container of just my user profile, so that I have a compact way to transport my documents, program settings, etc.

Re:TrueCrypt + TCGina (2, Informative)

Que_Ball (44131) | more than 5 years ago | (#27265641)

Mod this one up.

This is 100% the answer the original post was looking for.

It's open source
It encrypts only the users profile folder
Doesn't require the business, or Vista Ultimate edition of Windows.

And it's not really an ugly hack. The GINA APIs are stable and allow Windows to decrypt the data prior to reading the profile.

Don't (1, Insightful)

penguinboy (35085) | more than 5 years ago | (#27264935)

If you're concerned enough to consider encrypting your home directory, you ought to go all the way and use full disk encryption. There are too many artifacts that can escape your home directory (RAM contents saved to swap file or hibernation file) or are never in your home directory to begin with (system logs, print spool, etc).

It's not a complete solution.. (1)

cheros (223479) | more than 5 years ago | (#27265657)

Better be careful with that. Full disk crypto doesn't work unless you're disciplined enough to properly shut Windows down at the end of the day, which means every time you boot you'll lose the usual 15 minutes before you have a usable system.

File based crypto can be set to disconnect on a more useful set of circumstances..

IMHO you need BOTH for good protection.

Re:It's not a complete solution.. (1)

Butterspoon (892614) | more than 5 years ago | (#27266469)

Full disk crypto will encrypt your hibernation and swap files for you, so you're ok if you hibernate at the end of the day.

Truecrypt (1)

gweihir (88907) | more than 5 years ago | (#27265115)

Put your home directory on a separate partition (a very good idea anyway) and then encrypt that using TrueCrypt. You can also encrypt a less-than-professional single-partition installation; the overhead for encryption is not too bad.

Re:Truecrypt (1)

tummetott (1505019) | more than 5 years ago | (#27265953)

Put your homedirectory on a separate partition (a very good idea anyways)...

Is this possible?

Re:Truecrypt (1)

Butterspoon (892614) | more than 5 years ago | (#27266533)

You can put "c:\Documents and Settings" in another folder name on a different partition but it's tricky for non-corporate users. You need to burn a copy of your installation CD with a custom OEMINFO.INI and partition your drive first.

I went to the trouble of doing this for my current Windows box and it works beautifully. Now I can reinstall the OS (on the C partition) to a clean state by dd'ing a tar.gz of it from a Live CD without clobbering my user data, and at the same time my backups are more focussed as I'm not bothering with C partition (think \windows and \program files), which I would be reinstalling from installers (and dd'ing, as above) in the event of a disaster.

Re:Truecrypt (1)

RKThoadan (89437) | more than 5 years ago | (#27268097)

It's certainly possible to move the whole Documents and Settings folder to a new drive even after the install. I've done it several times and it isn't all that horrible. It is a lot of manually searching and replacing in the registry though.

http://support.microsoft.com/?kbid=236621 [microsoft.com]

freeballer (1)

freeballer (1160851) | more than 5 years ago | (#27265203)

TrueCrypt is not an automated process (that I know of); it sorta works if you have portable apps and config files you can import/export, but you'd have to "mount" it, then prob log in. While I've never had need to use NTFS file encryption, it would be the first (free) option to try. I'm sorta wondering what options will be replied, so gonna watch this topic myself. Oh wells. Geo

CrossCrypt (1)

ace123 (758107) | more than 5 years ago | (#27265617)

I've found that CrossCrypt [scherrer.cc] is a really good solution--entirely open source--that works on any version of NT.

If you do not have a separate partition, CrossCrypt will also allow you to mount a file as a drive. This comes in really handy for mounting ISO images as well.

The only tricky bit is if you want to set your entire user profile directory (including registry) to the mounted partition, because this means that you would need to have to run the encryption before you login--probably requiring an administrator user. In my opinion, not worth it. Doing this correctly would probably require magic with a GINA, Service, Utility Manager script, or HKEY_USERS\.Default\ControlPanel\Desktop\SCRNSAVE.EXE

But if you just want to encrypt individual folders, it is simple to do manually using this. And also much more manageable since you don't need the folder decrypted all the time while you are logged in--you just decrypt it to load a document, and unmount the partition once you are finished.

NTFS supports per directory encryption, native (1)

BitZtream (692029) | more than 5 years ago | (#27266713)

NTFS supports per file or directory encryption using a key stored in the domain controller (or locally for non-domain systems), encrypted with the user's password.

Works very well in a domain/Active Directory environment as the key is also available to domain administrators if data needs to be recovered due to a 'lost' employee.

Just right click on your home directory in Explorer. Select Properties->Advanced, and check the 'Encrypt contents to secure data' checkbox. When you click OK it will begin encrypting all the files and subdirectories. Any new files created will be created encrypted. If you cancel the conversion process, files that it didn't get to will remain unencrypted, but new files will be encrypted. So in short, don't cancel the initial conversion :)

It works, no one has found any glaring holes in it, no real reason to use anything else unless you're using one of the bottom end versions of Windows that don't include it.

why not use windows encryption (1)

AkumaKuruma (879423) | more than 5 years ago | (#27266905)

If you use NTFS, it already supports encryption all the way down to the file level.

PEBKAC (0)

Anonymous Coward | more than 5 years ago | (#27267197)

Windows might be doing better at keeping user data within user directories, but users aren't... Of course, the answer is to not let them have write permissions to those directories, but then janky app developers would have to follow some kind of quality control to make sure their apps run without local Admin permissions.

open source (1)

man_ls (248470) | more than 5 years ago | (#27268777)

TrueCrypt + TCGINA to provide an encrypted user profile. Although, this might not be supported by the newest version, which already offers transparent whole-drive encryption for Windows now.

Easy Solution: TrueCrypt + Redirect My Documents (1)

hviniciusg (1481907) | more than 5 years ago | (#27268995)

You can always use TrueCrypt with its vast list of encryption algorithms; what you do is create an encrypted partition and redirect the My Documents folders to that partition. And voilà. There you have it. Or you can create an encrypted file container and redirect all your documents there. It's open source, it's free and it works.

_NSAKEY (0)

Anonymous Coward | more than 5 years ago | (#27269197)

It does not matter if your solution to encrypt your user directory is Open Source: Much of the underlying operating system is closed-source, a system which you cannot audit and which you cannot find a reason to trust. You should perform a web search on the string "_NSAKEY" to help your understanding of the issues underlying why you should not trust your data storage and encryption to any network-connected installation of any modern Microsoft operating system. If you need reliable security, you should be using an operating system booted from CD image on a non-networked PC and TrueCrypt. You don't know what the OS is phoning home, you don't know what kind of backdoor or weakness the Microsoft encryption engine module is introducing into your data (unless you have the skills of a cryptanalyst or are working for the NSA with a need-to-know and a security clearance) and you also don't know what the hardware is phoning home or squirrelling away in some NVRAM somewhere, waiting for a forensic analyst to recover.

Your requirement that one part of the chain be auditable does not mean that the other, non-auditable portions, are secure.
