EFS and Disk Image Backup Questions....

Discussion in 'privacy technology' started by Matt Cole, Jul 11, 2016.

  1. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
    Hi

    I am looking into encrypting a few key files and folders on my PC (small one man business).

    BitLocker seemed like overkill and seems to have the potential to seriously complicate my next step, which is to create a disk image in case of total disaster and loss of drives.

    I would be looking to create this image on 2 external hard drives (one off and one on site).

    So I am looking at EFS.

    My questions are to do with PROCESS and also SECURITY.

    PROCESS:

    Do I:

    1. Encrypt the relevant files on my PC disk with EFS.

    2. Copy the disk image - still encrypted - to my external hard drive.

    3. Retrieve the disk image, copy on to new hard drive, and be able to start using the encrypted files as normal (assuming I have my certificate and password)

    OR:

    Have I misunderstood how this works? Perhaps all files on the disk need to be decrypted on the original disk before disk imaging, then re-encrypted on the external hard drive (and on the original disk); then decrypted on the external disk before the disk image is copied to a new hard drive where the relevant files would need to be re-encrypted again?

    I very much hope this makes sense. It is a little tortuous...:)

    SECURITY

    If I have understood correctly, EFS requires a very secure password. Not a problem.

    It also creates a 'certificate' every time you encrypt something. This is a piece of software that you need to be able to read the encrypted files.

    This certificate by default is stored with the encrypted file. You can, as a measure of extra security, back this certificate up (say, to a USB stick), delete it from the original file and at a stroke massively increase the security of your encryption by ensuring that you need both the password and the certificate on the USB stick to access the encrypted files.

    Is this correct?

    So I could in theory remove the certificate from the encrypted files at the point of making the disk image, and pick it up again once the image has been retrieved / copied across to a new disk?

    Presumably, though, with reference to my 'originating' PC hard disk, the certificate needs to remain with the encrypted files on the disk because otherwise the encrypted files become unreadable? Unless I want to plug in my USB certificate to my main PC as part of my daily routine to work on these files every day (as I do)? Or can the encrypted files be 'read' by the 'originating' PC without the certificate.....?

    Again, I really hope that makes sense....

    Apologies for the detail - all help gratefully received!
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Hope I can help, am using both Bitlocker and EFS in a SMB context.

    We had a roundup some time back of various disk encryption options, including EFS and Bitlocker - it might help you to review them and the reference links that are in the thread.

    https://www.wilderssecurity.com/threads/hard-disk-encryption-options.372834/page-3#post-2470793

    I've kind-of got the impression that you're not completely clear about how these facilities might work in the context of security and backup, please forgive me if this isn't the case. Both Bitlocker (in suitable circumstances) and EFS have the merit of being completely transparent to the user, and indeed to the backup process in some instances.

    My personal preference is to only use disk images for "vanilla" backup purposes, for machine or standard build purposes, but not for data backup, which I'd do on a file-basis. The disk images are then done before bitlocker's applied. Of course some of the more advanced backup software is bitlocker aware, but I'm not interested in that.

    I see Bitlocker and EFS as fulfilling somewhat different and complementary functions. Bitlocker's the only way of achieving FDE (in the MS context, obviously there's truecrypt/veracrypt and bestcrypt alternatives), and this is important because file fragments etc could otherwise be exposed. EFS is useful on machines that don't have a TPM, or where Bitlocker's applied, but you don't trust other users of the system. The guide above gives information on what EFS might be applied to.

    EFS is based on a certificate held in the user certificate store - once you're logged in, you get access and you don't need further passwords - so is only as good as your login security. You can make backups of this certificate protected by a password, and this would normally be stored separately from the machine in question (and is also a mechanism for synchronising certificates on different machines so they can read the same encrypted file).

    But EFS doesn't really travel very well, so for data backup, including off-site stuff, I'd use truecrypt/bitlocker encrypted external drives, with the data files not protected by EFS on those.
     
  3. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
    Hello deBoetie, and thanks very much for this, very helpful indeed.

    And, no, you're not wrong about my lack of knowledge or experience in this area!

    There's a lot to digest here so I will go away and do exactly that - but hope to be posting a few follow-up questions before long, hope that's OK.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    You're welcome - and I would also recommend a bit of experimentation and confidence in tackling these things, the water isn't that cold, and once you take the plunge, it's all pretty manageable. Given you have working backups!

    I'd also recommend thinking about password & certificate management, and account authentication, because these have a big impact on the effectiveness and integrity of your system (and so you won't feel you'll get locked out of everything if there's a problem!)

    I've had good experience of using Yubikey in conjunction with Windows Accounts for strengthening authentication.
     
  5. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
    Thanks again.

    Re password management - I use LastPass to generate (and store) passwords. This has 2 step authentication on it. I plan to have a copy of my password there - but slightly 'modified' with a mnemonic so that I can recall it easily but so that it will be nonsense to others. I'll also have a print out copy of this locked away in my office.

    Re Certificate management - I think I was groping towards something like that in my original post. Is there any way I can read up a little on what my options are here? I'm not sure I've totally grasped it. I'm guessing this is a question of a code that I could save safely somewhere (LastPass?) and which I can retrieve in case of disaster so that I can decrypt my encrypted files. So more of a question of not getting locked out rather than my original idea which was one of security (removing a certificate to another place so a third party could not decrypt files even if they had a password...)?

    Re Yubikey - thanks again. I was going to ask about this as I see you mention it in your other post. I use 2 step authentication as a matter of habit now with google, dropbox and lastpass, so being able to add this in sounds good to me. Does it work with EFS?

    I'll stop now - but I am working on more specific questions about EFS - I hope you can bear with me!
     
  6. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
    Right

    I've read the posts on the link you sent, for which many thanks.

    On reflection, I think I'd still like to focus on the EFS side of things....

    To clarify:

    I think I have communicated poorly re my plan.

    I see 2 distinct processes:

    Data backup - to cloud (Carbonite) and 2 external hard drives (one on and one off site)

    Disk Image - to 2 external hard drives (one on and one off site)

    Each serving different purposes (normal data backup vs emergency kitchen-sink-and-all operating system / application / data transplant in case of disaster).

    I'd also like to encrypt some folders on my PC hard drive to keep them private. I would want this encryption to hold good on my external hard drive backups, my cloud backup and my disk image

    I don't have TPM on my machine. Also, as there are only a handful of folders that are sensitive, I thought FDE might be overkill and may lead to some unintended complications. Plus, from the posts on the link you sent me I see:

    1. your mention of EFS being more practical for laptops (I forgot to mention that I will have one of these in circulation, too)

    For some classes of use, and particularly on a laptop, it simply isn't realistic to be popping in a strong password every time you have to reboot, because they are up and down so often.

    and


    2 the post by krustytheclown2 which matches my situation (ie one man business, all support off site so no one else with regular physical access to my machine):

    Encrypting your home folder is going to protect your privacy in the case of the seizure/theft of your computer almost as well as FDE (in that it will shield your personal data not what programs you have installed and such), but it may not protect well against surreptitious modification of your system by somebody with physical access.

    Thus, I thought EFS might be a sensible, less intrusive option.

    Assuming I was using EFS, then....

    Re the Carbonite cloud backup, it seems that the data MUST be unencrypted before it can be backed up to Carbonite and they then give it their own encryption. So I am faced with the choice between NOT encrypting my files on my PC OR encrypting and the decrypting quickly before backup, followed by quickly encrypting again. I've no idea if this is feasible or practical.

    Re the data backup (not the disk image) to the external hard drives, the same question arises for me. Do / should / can I backup the encrypted files and expect normal retrieval, or do I need to decrypt before backup and then re-encrypt? Is this possible / practical?

    Re disk imaging: when you say "The disk images are then done before bitlocker's applied", would the same apply for EFS files? Or could I take an image of the disk, EFS encrypted files and all, and confidently expect trouble-free retrieval down the line if and when I need to copy the disk image to new drives after a disaster? Or do I need to follow the same decrypt - disk image - re-encrypt process?

    Re EFS: when you say "But EFS doesn't really travel very well", can you be more specific? Does this mean that EFS on an external hard drive is not reliable (either unsafe or prone to being unretrievable)?
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    So, with EFS on several machines, you'll need to copy the certificate between them and then install, for your user account. It's best to mark EFS at a folder level, as this then applies encryption to everything in that folder. You may need to be careful to include areas in the LAD, because there can be a huge amount of leakage there, depending on the application. Synchronisation (say between laptop and desktop) can still be a problem, because EFS is not encrypted to network shares.

    The problem comes more in respect of the backups. In a disaster recovery situation, not only will you need to mount your backup, you'll also need to find the separate disk you put the certificate on, and install that first. Not something I'm comfortable with, it's extra complication when you need it least, and I want to be able to recover and mount a backup drive on any system including Linux. So, for that reason, I'd recommend the external HDD backup be protected by FDE - something like Truecrypt/Veracrypt with a long strong password. Just one thing to remember - you can't remember a certificate!

    A related approach can also work for your requirement to backup to Carbonite. I don't fancy decrypting and re-encrypting EFS every time you have to do that. One scheme I do is to have a Truecrypt container on the system, which is automounted using a bat file (which includes the password), the file being protected by EFS - this is transparent to the user. The encrypted container holds your sensitive files, but as far as Carbonite's concerned, it's simply a drive letter with unencrypted files. It would also be possible to copy the container file to the backup in this form.

    For the disk image files, any EFS files will be backed up and usable on restoration, provided you have also backed up the user settings (including the certificate store).
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    PS - I take it your 2 factor on LastPass is using Yubikey? Or do you have something else?
     
  9. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
    Thanks so much again. A lot here!

    What is LAD? (!)

    In summary:
    • EFS would work for the disk image

    But for backups you'd recommend:
    • full FDE for external drives
    • 'selective, containerised' encryption for the Carbonite backup
    Is this right?

    Also - are you saying that the selective encryption approach would ALSO work for the external drive backup?

    And re the .bat file etc - is this something you scripted yourself or is it all part of Truecrypt's standard functionality?
    Isn't Truecrypt discontinued? And Veracrypt is also open source - so may be some stability issues? Would Bitlocker be able to achieve the same thing?

    Re 2 factor and LastPass - I do it through my smartphone / Google Authenticator App.
     
  10. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
    PS when you said

    "EFS doesn't really travel very well"

    did you mean what you later said

    "Synchronisation (say between laptop and desktop) can still be a problem, because EFS is not encrypted to network shares."

    Apologies for all the detail here, and thanks again....
     
  11. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
    Apologies - rushed into my replies without digesting a little more.

    Re the 'container' approach (which I like the sound of):

    Could this work for ALL environments?
    • PC
    • Laptop
    • External HD backup
    • Carbonite backup
    • Disk Image (if I was to create a regular disk image with an encrypted container, would this - as with EFS - be backed up and usable on restoration)?
    If I am using a container in 3 separate drives (PC, laptop, external), does this mean having 3 separate .bat files stored under 3 separate EFS protections (with 3 separate passwords and 3 separate certificates)? Or just one (on the PC, the rest all being copies and controlled by the same .bat file / EFS certificate)?

    And (if I wanted it), could Yubikey / 2 factor be set up on each?
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    EFS doesn't work to network shares unless we're talking WebDAV. That means that laptop-desktop sync (e.g. offline file sync or file-copy-sync tools like GoodSync) won't keep the EFS protection.

    You could of course use a USB stick with EFS files on it instead, and take it between machines, but this is possibly more awkward. One thing you might do, of course, is to use the USB stick as the primary encrypted data drive anyway, with everything else as backups. Up to you.

    I'd certainly want to copy the EFS certificate (minted on one machine) to all the other machine accounts, so you can transfer the files with no further action.

    The container I was referring to is simply a file, and when not in use, can be copied like anything else. It is opened by using "truecrypt" (say, or veracrypt is currently supported), and this results in a new drive letter being created with the contents of the container exposed as a file system. So the container file can have a full directory/file tree under it. The process of opening the container with truecrypt can be automated in a batch file, that's what I was suggesting protecting with EFS, because it contains the password for the container - unless you're willing to enter this on every session.

    EFS can also help protect the flotsam generated by application use, as I indicated (e.g. application temporary and backup files) - these are not necessarily on your protected data area, and, particularly after a crash, may contain the sensitive files in clear. But this is partly why I've gone for FDE anyway, I don't have to worry about closing all those doors, or anything like swap etc. It's not the case, by the way, that you can simply EFS everything in your user folder, some care is needed (best practices are described in the other links).

    Once the Truecrypt drive is opened, any file backup including Carbonite can get access to the files.

    As far as the external backup drives are concerned, I just use the volume encryption (not container level) provided by Truecrypt; then everything on the drive is encrypted, and you mount it with Truecrypt when you need it. Or you can use Bitlocker in the same way, you just need a password to open it then all files are available within it.

    One factor you may have not considered fully is disk disposal. It is MUCH simpler to have HDD fail on you or be disposed of IF you have implemented FDE (like Bitlocker or Veracrypt) from the outset, because there is no prospect for leakage if you've used a decent password (which needs to be strong).

    As far as Yubikey is concerned, that protects the Windows Accounts with 2FA (using one slot with HMAC/SHA1), and therefore the EFS side; and on the other slot, the OTP for Lastpass. Very sweet, I've found, and the HMAC/SHA1 also works on Password Safe and KeePass if you want a local password manager, which I do for some purposes. The current Yubikeys also support U2F (for Google authentication), and smartcard stuff including GPG if you wanted that.

    While we're on this topic, can I also recommend considering virtual machines or sandboxing for browsing etc. What we've discussed so far is how to secure data against local/physical access threats. But if anything, I'm more concerned about remote threats. The current scheme does nothing to help you if the attack has subverted your account and malware is running in it. One way of protecting against that is to have your externally facing applications like browsers and mail run on a virtual machine which has NO access to your sensitive files. It's been many years since I browsed on a "real" machine....
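The scheme deBoetie describes in posts 7 and 12 (an EFS-protected script that holds the container password and mounts a Truecrypt/Veracrypt container at logon, plus a separate backup of the EFS certificate), as an added PowerShell example that is not code from the thread, from VeraCrypt or from Microsoft. The VeraCrypt path, container file, drive letter and certificate-backup location are assumptions.

```powershell
# Added example (not from the thread). Assumed: VeraCrypt at its default path,
# container file C:\Data\private.hc, mount letter P, removable drive E: for keys.
$VeraCrypt   = 'C:\Program Files\VeraCrypt\VeraCrypt.exe'
$Container   = 'C:\Data\private.hc'   # assumed container: a plain file, copies like any other
$MountLetter = 'P'                    # assumed letter that Carbonite / a file backup will see
$CertBackup  = 'E:\keys\efs-backup'   # assumed; cipher appends .pfx and prompts for a password

function Backup-EfsCertificate {
    # One-off: export this user's EFS certificate and private key to the removable
    # drive. Without this .pfx, EFS files cannot be opened after a reinstall or on
    # a second machine; keep it away from the PC, as the thread recommends.
    if (-not (Test-Path "$CertBackup.pfx")) {
        cipher /x "$CertBackup"
    }
}

function Protect-ThisScript {
    # One-off: EFS-encrypt this script because it carries the container password.
    # Other local accounts, and anyone mounting the disk on another system, cannot
    # read it; this account can, which is what makes the logon mount transparent.
    cipher /e "$PSCommandPath" | Out-Null
}

function Mount-PrivateContainer {
    param([Parameter(Mandatory)][string]$Password)
    if (Test-Path "${MountLetter}:\") { return }   # already mounted
    # /v volume file, /l drive letter, /p password, /q quit after the action,
    # /s suppress dialogs. Caveat: /p places the password on the command line,
    # visible in process listings while VeraCrypt starts; drop /p to be prompted.
    & $VeraCrypt /v $Container /l $MountLetter /p $Password /q /s
    $deadline = (Get-Date).AddSeconds(30)
    while (-not (Test-Path "${MountLetter}:\") -and (Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 500
    }
    if (-not (Test-Path "${MountLetter}:\")) { throw "Mount of $Container failed" }
}

function Dismount-PrivateContainer {
    # Close the volume before the container file is copied to a backup drive,
    # so the copy is a consistent, still-encrypted file.
    & $VeraCrypt /d $MountLetter /q /s
}

# Typical use from a scheduled task triggered 'At log on' for this user account:
Backup-EfsCertificate
Protect-ThisScript
Mount-PrivateContainer -Password 'REPLACE-WITH-CONTAINER-PASSWORD'   # placeholder
# Files under P:\ now look like ordinary files to Carbonite or a file-level backup,
# while the container file itself stays encrypted wherever it is copied.
```

The task must run only when the user is logged on, because EFS can decrypt the script only with that user's profile and certificate loaded.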
     
  13. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
    Once again, huge thanks.

    Re the container / encrypted drive folder - am I right in thinking that BitLocker could also handle this?
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    No, Bitlocker is full-disk (volume) encryption only - but has the advantage of then not proliferating drive letters unnecessarily. MS do not have a container-based encryption facility.

    Container encryption is typically achieved via Truecrypt/Veracrypt (which can also do non-GPT system volume encryption) - and there's also the option of using encrypted zips if you prefer. Things like 7-zip or Peazip offer a variety of file encryption formats with compression in a container (with the whole thing protected by a single password), and also, with some types, encrypting the filenames themselves. The disadvantage of this is that the files are not available as a drive.
     
  15. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Yep, VHD is effectively a complete file-system in a file (hence can act as a container). It's the format used for virtual machines. I haven't suggested using it because it's more a developer/technical facility, so is more fiddly to use, not supported (as in this application), and I don't see any advantages (and some disadvantages) over open-source, unless you're developing your own utilities.

    You can use Bitlocker without TPM (one of the links in the previous round-ups explains - obviously you need the right Windows edition), but you will then need a pin + usb stick (and suitable bios/usb port). That may be OK for you, as it's a form of 2FA. I felt it was less useful because if your laptop is stolen, then the usb stick might very well be too. On my laptop that isn't TPM equipped, I use a combination of EFS and Truecrypt containers, and I also have my main confidential data which is offline-synchronised with a TPM-equipped desktop with a file share; the offline files on the portable are automatically encrypted and protected under the user account, and this is also a form of backup. I'd prefer the laptop have TPM though, it makes life much simpler.
     
  17. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
    Thanks yet again.

    I think I am coming to a conclusion on my ideal set up thanks to all your input.

    I may possibly post again in this thread with more questions - but let me know if you think you've given me enough already, I won't take it badly! :)
     
  18. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    You're welcome - I figure it's all part of the quid pro quo since I've learned a heap here, and understanding what other people are doing helps as well. I've found it also helps to keep humble and be open to learning.... whilst recognising from a technology perspective, we wouldn't start from here, but it's all we have!

    Just as a thing of raising attention, if you could reply to the post directly, or reference the other user like this: @Matt Cole, it enables alerts, otherwise stuff might get missed.

    PS - LAD is the Local Application Directory where apps store working files under your user profile - it's a hidden directory. You'll find all-sorts there. Although it's not available to other users normally, it IS open to anyone mounting the disk on another system.
     
  19. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
    @deBoetie - of course - and thanks again.
     
  20. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32

    I know I pretty much signed off just now....but I did want to run one more thing past you. If I was to remove sensitive folders (essentially data files for applications like outlook and sage and possibly a couple of others) from my PC and put them on a USB stick which in turn was encrypted (either as a full drive, in containers or by folder by EFS), can you see these applications being able to work with these data files that are not only encrypted but also on an external drive and not on the 'expected' file directory path?

    Idea is to avoid encryption on my main PC (as it appears to cause headaches with backups), but obviate the risk of hostile third parties physically accessing the PC by removing the USB drives (I'd have 2 alternating ones) and locking them away when not in use.

    Regardless of the 'steam age' approach - can you see this working in principle?
     
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    @Matt Cole - steam age is good. I think this is pretty application dependent really, how much flexibility they allow in terms of file placement. Outlook isn't great on that score, nor with keeping the pst file open, that really is steam-age.

    One thing might be useful for you to consider with the Usb-data stick approach, is to look at portable applications (there are a huge number that work this way now) - that way you can run everything on your usb stick including things like browsers and Word processing, and be sure it stays on the stick. Various schemes can be used to back that up, but given the capacity of these things now, you can "always" take it with you. Outlook won't work that way, but Thunderbird does. No idea what Sage does.

    Personally, I take a usb3 HDD with all my data on it, but bootable with a full Linux distro on it, with Linux encrypted Home Folders. That way I know that what I'm running is clean and protected, because I can use a boot menu selector to boot off it clean. Hope that makes sense.
     
  22. Matt Cole

    Matt Cole Registered Member

    Joined:
    Sep 17, 2015
    Posts:
    32
    @deBoetie

    Thanks - that does make sense!
     