Windows XP Pro EFS (Encrypted File System), is it now secure?

[Escalader]

Hi All:

A Fellow member here suggested I need to narrow my focus on topics and then get more direct answers. Here is my try at that:

G1) My 1st goal is to minimize the chance of a hacker getting at my DATA, financial records, tax stuff etc and to find out what level of encryption ( if any) I need. DATA only since I can always reinstall vendor software.

G2) Find out if XP Pro EFS can do the job for me, or should I just wait till Vista stablizes. I don't want to pay for xp prop then have to pay again for vista. I believe all I need to do is encrypt data files.

I use a router, HW Firewall, ZA Pro to keep the baddies out, and McAfee SitAdvisor. I use Bitdefender and Spysweeper to find them if they get in. Also run Spybot S&D and Spyware Doctor from time to time.

Escalader

[nadirah]

I'm not quite familiar with the XP Pro EFS since I've never even used it before myself, but it seems quite ok to use and it should be able to protect your critical data. You may consider performing backups in this case. You need to have the NTFS file system for xp pro efs to work, lets assume you are using NTFS here.

Of course there are other freeware encryption programs available that use industry-standard encryption algorithms, for example, axcrypt:
http://axcrypt.axantum.com/
Some nice documentation is available. Of course, this is just a suggestion.

[Escalader]

Thanks:
So many tools so little time...

My research contiues, the October PC World has an review and ranking of 3 tools. DEStlock+3.2.4, Namo Filelock 3.10, T3 Basic Security.
Reviewer points out struggle twixt usability and robustness.

It seems to me that if one goes into encryted files at all usability should not be expected as much as say ease of starting a virus scan, one click and foregt it.

Simplicy doesn't match up well with complexity of purpose!

Let's argue these out!

Escalader

[Devinco]

Quote:

Originally Posted by Escalader

G1) My 1st goal is to minimize the chance of a hacker getting at my DATA, financial records, tax stuff etc and to find out what level of encryption ( if any) I need. DATA only since I can always reinstall vendor software.

Encrypting your data will not stop a hacker from gaining access to it. The purpose of encryption is to stop a burglar or robber who steals the computer or hard drive from getting your data. Encryption may delay hackers and malware getting to your data (they need to install a keylogger to steal your password to the encrypted files), but it will not stop them.

If physical theft is of no concern, encryption may still provide a little benefit against hackers by providing a delay before the bad guys can get the data.
For example, you encrypt your tax stuff which you only access once a year. During the year you get infected and have keyloggers installed, etc.
Since you don't type in the password to the encrypted tax file until tax time, the files are secure until then. This delay may give you enough time to discover the infection and deal with it before your password and tax files are compromised.
But if you access the encrypted data on a daily basis, then encryption does not offer protection against hackers or malware.

Quote:

Originally Posted by Escalader

G2) Find out if XP Pro EFS can do the job for me, or should I just wait till Vista stablizes. I don't want to pay for xp prop then have to pay again for vista. I believe all I need to do is encrypt data files.

Don't know the answer to the thread's question.
If you don't get an answer here, you might try the TrueCrypt forum or the PGP forum. Those are specialized forums that deal only with encryption.
If you want to learn more about encryption try a search in this forum for encryption (Search Titles Only) and read through some of the threads. There is a lot of good info.

Quote:

Originally Posted by Escalader

I use a router, HW Firewall, ZA Pro to keep the baddies out, and McAfee SitAdvisor. I use Bitdefender and Spysweeper to find them if they get in. Also run Spybot S&D and Spyware Doctor from time to time.

Add to that some good security practices (safe hex) and that is what will really protect your data, not encryption. Don't let the bad guys in and the data will be safe.

Quote:

Originally Posted by Escalader

It seems to me that if one goes into encryted files at all usability should not be expected as much as say ease of starting a virus scan, one click and foregt it.

Security vs. Convenience. You want to protect your data from physical theft and so you have to type in a password to access the data yourself.

Quote:

Originally Posted by Escalader

Let's argue these out!

Why not discuss?

[Escalader]

Hi Devinco:

Great response. I had the notion that encrypted data would be hacker proof!

If I get it right the best it can do is delay them or make it harder for a crook to get at the data if he stoled the hard drive.

On my use of word "argue", my age showed through there. At university I was taught that the real meaning was to make your case backed by facts and logic.

That is what I meant be to use of the word. Not the common usage like say a family arguement which as you imply achieves nothing.

I just installed RoboForm, so once I get that working my passwords will be safer not guarenteed but safer. My Zone Alarm also allows me to protect these passwords so I am warned before they go out via a trojan keylogger etc

What do you think about this? Is it overkill?

[Devinco]

Quote:

Originally Posted by Escalader

If I get it right the best it can do is delay them

Hi Escalader,

If you allow hackers and malware to become active on your computer that is correct.
This can be prevented if you take basic security precautions.

Quote:

Originally Posted by Escalader

or make it harder for a crook to get at the data if he stoled the hard drive.

If you use a strong password on the encrypted data, and the crook visits just once and steals the hard drive, laptop, or whole computer, then the data is VERY SECURE.
It will be nearly impossible for the crook to get the data without the password.
In this case, the remote attacker(hacker) is able to get the data easier than the local attacker(burglar).

Quote:

Originally Posted by Escalader

On my use of word "argue", my age showed through there. At university I was taught that the real meaning was to make your case backed by facts and logic.

That is what I meant be to use of the word. Not the common usage like say a family arguement which as you imply achieves nothing.

In that case, let's argue this out!

Quote:

Originally Posted by Escalader

I just installed RoboForm, so once I get that working my passwords will be safer not guarenteed but safer. My Zone Alarm also allows me to protect these passwords so I am warned before they go out via a trojan keylogger etc

What do you think about this? Is it overkill?

If you spend a little time to learn how to use the different features of Roboform, you will find it to be very useful.

An outbound firewall can stop trojans from phoning home. Configure it well and password protect the configuration. That is not overkill.

I think though you are referring to the Zone Alarm ID Vault (MyVault, ID Lock).
This particular feature is worthless.
See here:
http://www.wilderssecurity.com/showthread.php?t=141737
and here:
http://forum.zonelabs.org/zonelabs/b...&message.id=27
View the replies.
Malware can and often does make secure encrypted connections rendering this feature useless.

Nadirah made an excellent point regarding backup.
Whether you are just playing with encryption, seriously implementing it, or not using it at all, BACKUP, BACKUP, BACKUP.
Things can sometimes get corrupted, especially when just beginning to try out encryption. You make a mistake not knowing what you are doing and the data is gone.

[Escalader]

Hi:

i posted a challenge question on ZA Pro forum, saying in so many words that my conclusion is that as a new ZA user I'm learning that the feature doesn't do anything to prevent the realease of private data and to "prove" me wrong.

We will see what they say.

Escalader

PS If you are a member there you could see all the vault problems they have

[Escalader]

After many posts and confusion in the ZA user forum, here is my conclusion as of this date Sept 11, 2006. I haven't quoted from members there for obvious reasons. The following words are MINE and mine alone. Could be wrong but I doubt it.

"So, let me summarize what every one is saying here:

No one can get at data stored in MyVault because it is there only as a hash. This is good.
If a clever KL/Troj did get in and was devious enough to pick sending ports that MyVault doesn't (Not 80, or 25) I'm not protected by ZA. This is bad since you guys know this so will the crook, I'm dead here because these guy's aren't that dumb.
My ISP sets up email with port 110 for in and port 587 for out... so MyVault does zip there
My conclusion now is forget this version of MyVault until ALL ports and sending points are checked and all these "won't help with this or that holes" are plugged up tight.

Rely on the ZA Pro program control/component checking functions only.

What I need now is what detail to look for in checking component program properties to ensure security! Does anybody know of a properties check list or rule set I could get from a safe source?

Regards to all"

[Devinco]

It's even worse, because if the malware uses an encrypted connection over the very ports that MyVault watches, it won't see the contents of the connection (your private data) being transmitted. There is no way that ZA could view this without breaking the encryption, which it can't.
Just because this particular feature doesn't work like it should, doesn't mean that ZA is a bad firewall. It is pretty good and easy to use.
I think any firewall that has a similar feature would also have the same limitations.

What you are looking for is a guide to securely configure ZoneAlarm and set up a custom rule set (expert rules).

I don't know if there is a good guide specifically for ZA, but...
Here's a good starter: Firewall Questions for beginners

[Escalader]

Thanks, good advice. I have a hardware firewall in front of my router for all compters. And on my PC I have ZA Pro, spysweeper, Bitdefender.

So far so good.

[Markoni]

Hello:

I'm having a problem with EFS. I inadvertently encrypted a directory under Windows 2000. I backed up the 'Documents and Settings' folders (but did not export any keys) before reformatting the hard drive, and was left with quite a number of encryption keys in various locations. I've now switched to XP, and am unable to decrypt the encrypted files (which are still on another drive - I've not been able to move them). Advanced EFS Recovery doesn't do the trick, and I've tried moving the old key files to the XP locations where I presume they should be, but again without success. Is there any way around this problem?

Many thanks for any advice.

[ErikAlbert]

Quote:

Originally Posted by Escalader

Hi Devinco:
Great response. I had the notion that encrypted data would be hacker proof!

That was mistake too. I also assumed that encrypted files protected me against theft by malwares or hackers.
My philosophy was : "As long the thiefs can't read my personal files, I don't care if my files are stolen." but that isn't true.
Encryption protects you against PHYSICAL theft. I was lucky that Devinco corrected my mistake. Thanks again.

[stapp]

I don't really know a lot about this subject. Is this what anyone is talking about?

http://support.microsoft.com/default.aspx/kb/315672

[ErikAlbert]

Quote:

Originally Posted by stapp

I don't really know a lot about this subject. Is this what anyone is talking about?

http://support.microsoft.com/default.aspx/kb/315672

I think they are talking about this :
1. Right click on any folder, like "My Music"
2. Click on "Properties"
3. Click on the tab "General"
4. Click on the button "Advanced"
5. Mark the option "Encrypt contents to secure data" (= EFS)
6. Click "OK" on the rest.

The folder "My Music" is now green and encrypted.

To undo the encryption, repeat the same procedure but UNmark the option in point 5.
Quite simple.

[stapp]

Interesting! So does the windows cipher.exe encrypt and decrypt more or less the same way?

[ErikAlbert]

Quote:

Originally Posted by stapp

Interesting! So does the windows cipher.exe encrypt and decrypt more or less the same way?

Not sure about that, but other members will give you an answer.
I dropped the idea of encryption, it doesn't protect me against what I WANT and my secrets aren't big enough to protect them against physical theft.
I just wanted to pester the thiefs (malwares + hackers) with an encrypted shopping list of my wife.
Since then I'm not interested in encryption anymore.

PS.: I think that freeware TrueCrypt is alot better than EFS.

[Devinco]

Quote:

Originally Posted by Markoni

Hello:

I'm having a problem with EFS. I inadvertently encrypted a directory under Windows 2000. I backed up the 'Documents and Settings' folders (but did not export any keys) before reformatting the hard drive, and was left with quite a number of encryption keys in various locations. I've now switched to XP, and am unable to decrypt the encrypted files (which are still on another drive - I've not been able to move them). Advanced EFS Recovery doesn't do the trick, and I've tried moving the old key files to the XP locations where I presume they should be, but again without success. Is there any way around this problem?

Many thanks for any advice.

Welcome to Wilders Markoni.
While I don't have the solution for you, I think you are looking for a DRA (data recovery agent).
There is some limited info on EFS recovery here:
http://www.microsoft.com/technet/pro.../dataprot.mspx
http://www.microsoft.com/technet/pro...y/cryptfs.mspx

Unless someone knowledgeable if EFS recovery comes along, you might find some answers by asking here:
http://forums.truecrypt.org/
http://forums.pgpsupport.com/

[Devinco]

Quote:

Originally Posted by stapp

I don't really know a lot about this subject. Is this what anyone is talking about?

http://support.microsoft.com/default.aspx/kb/315672

Hi Stapp,

It's close. Cipher.exe is a key component of Windows EFS, it is the encrypting engine. The article you linked to is about using cipher.exe to securely wipe/shred (overwrite with random data) already deleted data. That is like what the Eraser program does when you tell it to Erase the unused space on a drive or when you tell it to erase the recycle bin.

Erik is right about how to turn on EFS for a folder or file.
By doing that, cipher.exe is being used by Windows.

Markoni is having a problem migrating his EFS encrypted data from Windows 2000 to Windows XP. In order to do this, I think you need to export the keys first. So I think Markoni is out of luck, but I'm not sure.
That is another reason why I don't like EFS, you have to keep track of the matching keys, not just the encrypted file.

[stapp]

Thanks for the informative reply Devinco, lets hope Markoni get a solution for his problem.

[Escalader]

After all the other security I've put in, I've now narrowed my encryption needs down to just my own finincial records.

I process banking data with Quicken 2006, can they work with encryption?
I process tax data with Quicken Tax, can they work with encryption?
I process financial planning data with Excel 2003, can they work with encryption?

In other words specific files. I don't want to have to remember /learn about protecting keys so.... what software is easiest and proven. I don't care if it is free or not just easy,proven, bug free without 500 posts about problems!

That's not asking for much is it?

[Devinco]

Quote:

Originally Posted by Escalader

I process banking data with Quicken 2006, can they work with encryption?

Yes

Quote:

Originally Posted by Escalader

I process tax data with Quicken Tax, can they work with encryption?

Yes

Quote:

Originally Posted by Escalader

I process financial planning data with Excel 2003, can they work with encryption?

Yes

Quote:

Originally Posted by Escalader

That's not asking for much is it?

Not at all.
TrueCrypt or AxCrypt will serve your purpose very well.

[Escalader]

Hey Devinco:

Finally got back to this reponse here, thanks....

"TrueCrypt or AxCrypt will serve your purpose very well"

Given these 2 which one is simplest for my purposes in your view?

Least number of bugs? Strongest mathematics .

Do I have to "keep track of the matching keys, not just the encrypted file? "

Your celtic friend

Escalader

[iceni60]

hi, here's a video tutorial for truecrypt by irongeek, he's well known for his great tutorials

http://www.irongeek.com/i.php?page=videos/truecrypt1

BTW it's worth right-clicking the tutorial and saving it rather then wasting his bandwidth by watching/downloading several times!

[Devinco]

Quote:

Originally Posted by Escalader

Hey Devinco:

Finally got back to this reponse here, thanks....

"TrueCrypt or AxCrypt will serve your purpose very well"

Given these 2 which one is simplest for my purposes in your view?

Least number of bugs? Strongest mathematics .

Do I have to "keep track of the matching keys, not just the encrypted file? "

Your celtic friend

Escalader

I think AxCrypt will be easier to setup and use for this task.
Both of them are mature, stable, and reliable programs.
AxCrypt is better for individual files.
TrueCrypt is better for lots of files, folders, and partitions.
I have not encountered any bugs in the time that I have used them.
They are both open source, which is important for encryption programs to allow peer review.
They will both guard your data securely from physical theft, if you use a strong enough password.
TrueCrypt does have more algorithms and features, but most people end up using AES anyway because it is fast, reliable, and secure.
Both AxCrypt and TrueCrypt use AES (Advanced Encryption Standard).
Which has the strongest mathematics? I couldn't say. But if I knew my important data would be physically stolen tomorrow and there was no way I could prevent it, I would trust either AxCrypt or TrueCrypt to keep the data from being read by the thieves.

No you don't need to keep track of matching keys with either of them.
You just encrypt the file, give it a password, and that's it.
You can move the file, back it up while it is still encrypted so your backup will be encrypted too, all you need to remember is the password. If you forget the password, then you won't be able to get the data.
AxCrypt can even make an encrypted executable version of the encrypted file that can travel with you to another computer so you don't have to install AxCrypt there to access the file.

Remember to keep unencrypted backup copies of the data for a while until you are familiar with the whole encryption, decryption, and backup process.

[Devinco]

Nice tutorial, thanks iceni60.
Much to learn at that site too!