Ways to encrypt sensitive data in Windows

Topic

New Reply

	ON SECURITY Ways to encrypt sensitive data in Windows
	By Lincoln Spector We all have something to hide. No, not those embarrassing party photos; I’m talking about sensitive documents such as medical records, financial statements, work files, and so forth. (Okay, and maybe those embarrassing photos, too.) Encryption is the best way to protect important data from those who might do us harm. Here’s a rundown of encryption options.

---

The full text of this column is posted at windowssecrets.com/on-security/ways-to-encrypt-sensitive-data-in-windows/ (paid content, opens in a new window/tab).

Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.[/td]

[/tr][/tbl]

Reply | Quote

Replies

The file encryption tool I use every day in my work is the U. S. Air Force’s Encryption Wizard. A Google search for USAF Encryption Wizard will turn it up. Not being a U. S. Armed Forces employee or contractor, I use the Public version. I encrypt my work-product, reports in either WordPerfect or .docx format, before uploading them to OneDrive.

The actual encryption for the Public (non-U. S. Forces members or contractors) version is done in java. The encryption strength allowed varies. Worldwide one can use 128-bit; in some countries, including where I live, Canada, policy .JAR files are available to put into java to allow AES 256 bit encryption.

Pros: it can be integrated into Windows, so that a right-click on a file and ‘Send To’ has as an option the Encryption Wizard.
Cons: It supports public key encryption but I haven’t really gone into its implementation. Since it uses Java, it is unavailable for all practical purposes on iOS, Android and Chrome OS devices such as my Chromebox.
If you use the AES256 option (assuming that you live in a country that allows this), you have to replace the Java policy .JAR files with the unlimited policy .JAR files, whenever there is a major upgrade to java.

WARNING! If you have integrated the USAF Encryption Wizard into Windows, don’t try to upgrade manually! Uninstall or rather disconnect the program from Windows in the old version of USAF Encryption Wizard, download the new version of the Encryption Wizard and re-integrate into Windows in the new version of the Encryption Wizard.

Although I haven’t done this, the USAF Encryption Wizard should work fine in Mac OS X and in various flavors of Linux.

The program is mature, well-designed and easy to use.

Reply | Quote

The program is mature, well-designed and easy to use.

Unless you are in a non-256bit encryption country. And it is possible that the public version has a back door built-in. I’ll stick with an open source implementation where we can verify the security.

cheers, Paul

p.s. Recent SSDs have hardware encryption built-in and you can enable it using a variety of methods.
https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
http://www.anandtech.com/show/6891/hardware-accelerated-bitlocker-encryption-microsoft-windows-8-edrive-investigated-with-crucial-m500

Reply | Quote

….The actual encryption for the Public (non-U. S. Forces members or contractors) version is done in java. .. .JAR files are available to put into java to allow AES 256 bit encryption….

Thanks for the heads up to an alternative encryption app but running an insecure app (Java) to encrypt would not work for me.

Reply | Quote

Darn fine review of encryption. I did not realize 7-zip had not been updated in five years!

I encrypt my entire hard drives/SSDs with Truecrypt and never had an issue. But I will give the practice some thought now. I would be worried that Windows was keeping caches of what I had loaded throughout a session between boots, that might be available if I kept the OS in an unencrypted partition.

Reply | Quote

Hi, Thanks for an interesting article.
Another interesting encryption solution for the cloud (DropBox, OneDrive or others) is Viivo (free for personal use, paid for commercial use). I’ve been using this for a little while and really like it. Basically it creates a watch drive on your PC, outside of the cloud, that’s unencrypted (you can convert folders under this to encrypted folders if needed with Windows Pro) and anything you put in this folder gets encrypted to your cloud drive for backup and access on other machines (which also need Viivo to decrypt). So your stuff in the cloud is secure. I have it on two PCs and it syncs happily via DropBox in my case between the PCs. I just have to remember to file my sensitive personal stuff in Viivo’s watch container rather than directly in DropBox.
The “old” favourite WinZip also creates encrypted Zip files too if you want. But it’s not free.
Also, I’d like to know more about “encrypted” hard drives and SSDs etc., such as the OPAL drives sold with many laptops these days. How do I know what stuff is encrypted on these or even if the encryption is actually working? I’ve never been able to find out and the only search results I got back were enterprise-level software, way too pricey and difficult for personal use. I asked Lenovo one time about it and they weren’t able to shed any light on it either. In case the PC goes bung, I’d like to know if I can transfer the drive to another and use the encryption key (which I don’t know where to find) to do data recovery. Or is it tied to the PC’s TPM somehow? There’s zero information on how to ensure OPAL drives are actually encrypting their contents. It would remove the need for other software solutions if I could have this assurance.
For Bitlocker whole disk encryption of the boot drive at least (as I’ve done on my Win 8.1 Pro Lenovo Yoga 3), if you don’t have a TPM (trusted platform module) in your PC (just like I don’t have), you have to change the PC settings to allow Bitlocker to work in passphrase-only mode. It’s not obvious how to do this and I have to web-search it each time (dare I say “google it” or “bing it”?).
Paul

Reply | Quote

How do I know what stuff is encrypted on these or even if the encryption is actually working?

Take the drive out of the machine and put it in another, or in an external caddy.
Bitlocker will use the SSD’s built-it encryption rather than do it in software.

cheers, Paul

Reply | Quote

Yes, but no longer updated Truecrypt. Sooner or later you will have to switch to something else.

Reply | Quote

An interesting discussion of Full Disk Encryption in hardware with lots of links.
http://arstechnica.com/civis/viewtopic.php?f=11&t=1243475

cheers, Paul

Reply | Quote

I’m seeking for replacement on TrueCrypt. My choice – is Cybersafe TopSecret. Program shortcomings – its price and lack of support of the containers TrueCrypt. But it not a problem. Need to mount the old container in TrueCrypt, create new container in cybersafe, and simlpy copy from the old container in new container. But thus the program allows not to crypt disks and to work with cryptocontainers. The functionality is better, than in TrueCrypt. It is possible to crypt mail, supports of transparent crypting, crypting of separate files, etc. See http://cybersafesoft.com/products/topsecret/

Reply | Quote