• Better data and boot security for Windows PCs


    TOP STORY

    Better data and boot security for Windows PCs

    By Fred Langa

    Fundamental changes in PCs, including UEFI, BIOS, and Secure Boot, can interfere with classic security techniques such as whole-disk encryption. But a simple, free, two-step process provides extremely reliable data and system-boot security for all Windows versions, on virtually all PC hardware.


    The full text of this column is posted at windowssecrets.com/top-story/better-data-and-boot-security-for-windows-pcs (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    • #1453031

      The use of the bios password does not protect you from someone who gets access to your computer (stolen laptop) and is willing to remove the hard drive. The contents of the drive would be visible. Given that this is true, why even bother with this step? What protection is it providing? I have been reverting Win 8 back to Win 7 and using TrueCrypt to encrypt the entire drive, instead.

    • #1453045

      Having used TrueCrypt on an XP system I was reluctant to ‘give up without a fight’ in getting it to cooperate on my new Win 8.1 system. And guess what? It works like a champ… as long as one sticks with ONLY encrypting non-system volumes or partitions. I use both. Encrypted volumes are used mainly for removable media (USB sticks) and whole partitions can be encrypted on any hard drive. The 7zip method is OK, I guess, but it seems to be a bit labyrinthine when compared to having TrueCrypt automatically mount (after entering the password, of course) all encrypted volumes and partitions at boot time.
      The instructions provided with the TrueCrypt app are perfectly adequate in setting up either scenario.

      • #1453048

        As Jon says, taking a hard disk out of a laptop would lose its protection. I assume that booting from Linux (either a dual boot or from a memory stick) will have the same effect.

        Eliminate spare time: start programming PowerShell

      • #1453049

        I don’t get it. The article talks about encryption to keep data secure. Fred goes on to talk about the use of 7-ZIP to encrypt your files and folders. But, if I read it correctly, 7-ZIP only creates encrypted .7z files and leaves the original files intact and unsecure!! What’s the point? I don’t want to create a ZIP-like file of my files and folders, I want to encrypt my files and folders so if someone steals my hard drive, the data is secure.

        Maybe someone can explain how creating a .7z file secures my original data?

        • #1453102

          Greetings!

          Fred did then go on to say: “Your next step is to test the archive to make sure that encryption and compression worked properly. If it did — and that’s almost always the case — you can then delete the original files, so that only the encrypted archive remains.”

          • #1453261

            Greetings!

            Fred did then go on to say: “Your next step is to test the archive to make sure that encryption and compression worked properly. If it did — and that’s almost always the case — you can then delete the original files, so that only the encrypted archive remains.”

            So I’m supposed to work with .7z files instead of actual files? The 7-ZIP method is fine if ARCHIVING is your goal, but to encrypt files and folders that you use day-to-day with 7-ZIP is ridiculous. Not to mention that deleting the original files, as was stated, is not secure because the original files could be recovered easily unless you use a secure delete utility.

            TrueCrypt is the best as it is transparent to the user and allows one to work as normal.

        • #1453103

          Greetings!

          ” (For complete security, be sure to empty the Windows trash.)” Unless sector data is overwritten, can’t it be recovered? Does “emptying the trash” overwrite the data?

          • #1453139

            Greetings!

            ” (For complete security, be sure to empty the Windows trash.)” Unless sector data is overwritten, can’t it be recovered? Does “emptying the trash” overwrite the data?

            Windows does not by default overwrite data when deleting files and folders, including emptying the trash. CCleaner will do the job if set properly, for Trash. Eraser (Description) will do the job for everything else. If you’re encrypting, you need to make sure you aren’t leaving recoverable traces behind. Fred must know this, but he failed to mention it in the article.

            -- rc primak

    • #1453046

      I tried using 7Zip to encrypt a folder. This it did and it opens with the password. However, if I try to edit a file, even a 232kb one, it seems to be unencrypting the whole archive and takes a long time (I cancelled before it finished it was taking so long). Is this normal behaviour? It wouldn’t seem so in Fred’s email.

      Eliminate spare time: start programming PowerShell

    • #1453121

      If I were to install 7Zip and encrypt some files would those files, which are also in Dropbox, have a conflict when I access them from my phone/tablet? I had these same files password protected and when I tried to open them from Dropbox on my phone and/or tablet Dropbox couldn’t handle it. I had to remove the passwords in order to open them from phone and tablet.

      • #1453124

        This is the first time I have found Fred to write something that is way off in a long time. To go from describing TrueCrypt as one of the most popular FOSS programs in use, to noting that it does not work for whole-disk encryption of boot volumes with Windows 8, to abandoning it entirely and switching to recommending 7-zip is just ridiculous.

        TrueCrypt works fine with Windows 7, the most popular version of Windows at the moment. It also works fine with Windows 8 except for the whole-disk encryption of the boot volume. So just back off from that and separate your major storage from the boot volume and your major storage in a separate volume. Problem solved.

        7-zip does NOT replace the functionality in TrueCrypt. It is a poor substitute. 7-zip works exceedingly well for what it does, however. Both are recommended.

    • #1453128

      I was also confused about the focus on 7-zip and no mention of how Truecrypt seems to be working just fine in most other ways on Windows 8.1 and UEFI. But it is also alarming that there haven’t been any newer versions of Truecrypt for a couple years. I know they already ask for donations, but perhaps they would be well-served in using the model of charging some small fee for Truecrypt to funnel into development. I’m concerned that Truecrypt is going to freeze where it is and perhaps not work at all on the next version of Windows. It is working fine for me on Win 8.1, but all I have ever done is encrypt folders. I would agree that there is cause for worry on Truecrypt’s future, but using something like 7-zip just isn’t the answer. If that is the best ongoing answer for affordable encryption, that is indeed cause for concern.

    • #1453165

      Sometimes it’s best to avoid going overboard with security stuff. I advise all my clients to avoid encryption and compression like syphilis for their home machines and ask if they really think that they need to encrypt or even compress their drives. Just because you can take advantage of advanced features like this, it’s not always wise to do so.

      Overhead issues aside, the problem with either one becomes painfully obvious when they get whacked with a virus or have a disk error or a disk failure. You can’t clone the drive, you can’t fix it, and you can’t make it a secondary drive and copy their files to another drive. In short, you’re screwed.

      Trust me. When this happens, you WILL reevaluate your reasoning.

    • #1453185

      Whilst I agree that for most home users you can certainly go overboard with encryption, there are several flaws with the file and folder encryption strategy. A key one is that even though your files may be encrypted (assuming you’ve remembered to encrypt all the important ones), as soon as you start working on them, content will find its way, unencrypted, into temporary files, print spooling files and the swap and hyber files. If I were advising anyone professional, e.g. an accountant, I’d have to warn them of the severe legal and regulatory consequences if they couldn’t guarantee that ALL their client personal data was encrypted. One of the many lessons of Heartbleed is how easy it is to scan random data for anything sensitive. And the Unix strings command has been able to do that for decades.

      As for boot security, I wouldn’t trust it against anything more than an opportunist attack. Truecrypt has been criticised as not having been subject (until recently) to independent audit, but at least it’s open source (though even that is a 2-edged sword as it means the bad guys and intelligence community can comb it for exploitable flaws). But we know nothing about the implementation of BIOS or hard disk password locking, either in terms of the quality of design or implementation, or whether the manufacturers have built in secret back doors for their own purposes, as has recently become evident that domestic router manufacturers have.

      But a big advantage of full disk encryption is that it’s fit-and-forget. No password manager needed and no messing with a password every time you want to open a file in a different folder. Very little opportunity to make mistakes.
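
      The plaintext-leak concern raised in the post above (temporary, spool, swap and hibernation files) can be checked on your own machine by planting a unique marker in a test document and scanning copies of those files for it. The following is an added example, not part of the original post: a minimal `strings`-style scan in Python, where the marker `ACME-LEDGER-2014` and the sample bytes are constructed for illustration.

```python
import re

# Printable ASCII runs, and the same characters stored as UTF-16LE, the
# encoding Windows applications commonly use for text in memory and temp files.
ASCII_RUN = rb"[\x20-\x7e]{%d,}"
UTF16_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"


def extract_strings(data: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for each printable run, like `strings`."""
    for m in re.finditer(ASCII_RUN % min_len, data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(UTF16_RUN % min_len, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_leaks(data: bytes, markers):
    """Return [(marker, byte_offset, encoding)] for markers found in plaintext."""
    hits = []
    for offset, enc, text in extract_strings(data):
        width = 2 if enc == "utf-16le" else 1   # bytes per character
        for marker in markers:
            pos = text.lower().find(marker.lower())
            if pos != -1:
                hits.append((marker, offset + pos * width, enc))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample standing in for a chunk of a temp or swap file:
# binary filler, one ASCII remnant, more filler, one UTF-16LE remnant.
SAMPLE = (
    bytes(range(0, 32)) * 2
    + b"Invoice for client ACME-LEDGER-2014 total 1200"
    + b"\x00\xff\x01\xfe" * 4
    + "Tax ID draft: ACME-LEDGER-2014".encode("utf-16le")
    + b"\x00\x9c\x81\x03"
)

if __name__ == "__main__":
    for marker, offset, enc in find_leaks(SAMPLE, ["ACME-LEDGER-2014"]):
        print(f"{marker!r} found at byte {offset} ({enc})")
```

      A scan that only looks for ASCII misses the second remnant, which is why the UTF-16LE pattern is included.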

      • #1453541

        Whilst I agree that for most home users you can certainly go overboard with encryption, there are several flaws with the file and folder encryption strategy. A key one is that even though your files may be encrypted (assuming you’ve remembered to encrypt all the important ones), as soon as you start working on them, content will find its way, unencrypted, into temporary files, print spooling files and the swap and hyber files. If I were advising anyone professional, e.g. an accountant, I’d have to warn them of the severe legal and regulatory consequences if they couldn’t guarantee that ALL their client personal data was encrypted. One of the many lessons of Heartbleed is how easy it is to scan random data for anything sensitive. And the Unix strings command has been able to do that for decades.

        CCleaner can overwrite the majority of these temporary locations once the session is over, or during a session if you are really concerned. UNIX strings is not as powerful at extracting secured data as it once was.

        As for another post by someone else (bobdog) about not being able to easily clone or recover a drive with encrypted Folders, this is not true. Only Full Drive Encryption (FDE) makes cloning and recovery difficult, if Image Backup or cloning as backup before a disaster is your method of protection. You should have unencrypted current versions backed up locally on a drive which is kept away from the computer when not being used for backup operations, in any event. Probably a second copy, offsite.

        -- rc primak

        • #1453542

          only Whole Drive Encryption makes cloning and recovery difficult, .


          Would that not depend on whether hardware or software based FDE were to be used??

          ๐Ÿป

          Just because you don't know where you are going doesn't mean any road will get you there.
          • #1453662


            Would that not depend on whether hardware or software based FDE were to be used??

            Quite likely. I am not so technically educated as to know.

            -- rc primak

    • #1453193

      I’d agree with BobDog. I would consider it a bad idea, even in a business setting, to encrypt the entire drive. As Fred notes, many of the system files are pointless to encrypt and you introduce a major layer of potential problems.

      At one point, I used TrueCrypt to encrypt several key folders on my system. Then one day, it hiccuped and those files were toast. They’re typically the LAST files you want to lose. I’ve not touched TrueCrypt since. I do use 7-Zip and have found it quite reliable but am more inclined to use the even more standard Zip format for maximum accessibility. I do use encryption for the web and portable media. But I also back up that stuff.

      Your best security is access control. I don’t find reducing my own access anywhere near as productive. You really have to be careful about getting carried away with security that increases the potential for problems.

    • #1453280

      I keep all of my documents in DropBox and I don’t think that the 7z method works well in this case. My archive is over 15GB, and it changes if I alter anything, so the entire archive would be written to DropBox every time I make any document changes or add anything. Very inefficient.

    • #1454685

      I don’t know if this applies to all motherboards, but if physical access to a computer is available, it’s easy to defeat pre-boot security passwords on my Intel desktop motherboard by opening the computer case, changing the BIOS configuration jumper, and clearing the existing passwords. This led me to understand that the little metal tab with the hole in it on the back of my computer case was for a small padlock to prevent opening the case – at least for those without a hacksaw.
