Hard disk encryption - how to do that?

Status
Not open for further replies.

semar

Active Member
Licensed User
Longtime User
Dear all,
I need a way to automatically encrypt the whole HD when I shut down a Windows 10 notebook, so that even if it is stolen, the data would not be accessible without knowing the password to decrypt the HD.

I've read about the VeraCrypt software, which could do the job, however I don't have any direct experience with it, and that's why I ask here. Another alternative would be Windows BitLocker, which, as far as I have read, is native in Windows 10 Enterprise, Ultimate and Pro, but it needs a special TPM chip, which is however available on Dell, Lenovo and HP laptops.

Basically I need a reliable system that I can trust. There are private and sensitive data and projects that I need to protect in case of theft.

Suggestions, experiences and hints are more than welcome.
 

Cableguy

Expert
Licensed User
Longtime User
I had a manager here in the company I work for who used a "remote server".
It worked inline with TeamViewer but it was hosted as a remote server (like a VPS but with desktop access). So all the "sensitive" data and programs (he could actually use it just like a local desktop computer and install programs and use them) were hosted remotely...
I know it's not what you asked, but it is "another" option, I think.
 

sorex

Expert
Licensed User
Longtime User
I think it's sort of auto enabled in the later Win10 Pro builds.

I noticed it when I wanted to clone a fresh installed Win10 on a NUC or BRIX mini desktop but it was impossible to clone the partition as it was marked special. I had to boot up windows again and disable the bitlocker on that disk/partition first and then disable bitlocker completely.

If you have a home version you can upgrade it to pro without reinstalling. It will just download and enable some Pro specific things in your current install.
 

semar

Active Member
Licensed User
Longtime User
Thank you Cableguy, yes the remote server + VPS is also a viable solution, however it would add some level of complexity. I've proposed it to my customer, but they seem to prefer the classical solution (local laptop). Anyway, thank you very much for your hint :)
 

semar

Active Member
Licensed User
Longtime User
Hi sorex, many thanks for your answer.
The solution with Win10 Pro, which has BitLocker native, is quite promising. I have a question though. I want to clone the entire HD to another HD in case of a data disaster, so that my customer can swap the laptop HD for the cloned one and flawlessly continue to work with it, as if nothing had happened. Obviously, the cloned HD should be encrypted like the original. In other words, the cloned HD should be exactly the same as the source one.
Is that possible without disabling BitLocker? It is important that the cloned HD is also encrypted like the original one.

Regards,
Sergio
 

Cableguy

Expert
Licensed User
Longtime User
I guess that, "possible", yes, but Windows systems are very hardware dependent, and a simple HDD change would not be so "flawless"; almost certainly your customer would not be ready to "continue to work" without first getting the system software in tune with the hardware... I guess even if it were the exact same model...
 

semar

Active Member
Licensed User
Longtime User
@Cableguy,
yes, you're definitely right! Now I'm confused.
I would like to offer my customer a solution that protects the data from theft and/or hardware failure.
If I can't clone an encrypted HD - and flawlessly reuse it - I should look for other solutions.

If the whole laptop is stolen, I need at least an encrypted backup of the data, in order to install it into a new laptop.
I must dig into the BitLocker features; the problem is that my Win7 is not BitLocker compatible. So I could try only on a brand new laptop with, for example, Win10 Pro.
The question: can BitLocker create an encrypted backup of some data - I mean, not the entire HD? Can BitLocker "import" encrypted data and decrypt it, providing the right password/key?

:confused:
 

Cableguy

Expert
Licensed User
Longtime User
I didn't say you couldn't use it, I just pointed out that, if you aim at doing it on the system HDD, then it will present some challenges.
You can choose to partition the HDD and then encrypt the secondary partition.
This will not, however, protect you in case of a stolen/lost laptop. To protect against unrightful access to the laptop I would suggest biometric protection.
 

semar

Active Member
Licensed User
Longtime User
Are there HDs with biometric protection? As far as I know, there's only protection to gain access to the laptop/HD, but the data can be read once you extract the HD from the laptop.. (now I'm even more confused: :confused::confused: )
 

sorex

Expert
Licensed User
Longtime User
Sorry for the late response (new year, you know), but as I wrote, it doesn't seem straightforward to copy a BitLocker-locked partition.

I tried it with Acronis and it refused to copy unless I removed the encryption.

My guess is that it also encrypts the file allocation tables.

There are also programs that can encrypt files and add a specific extension to the files encrypted by them, but I doubt it's a good solution for source-related tasks.
It's more for Office-like files.
 

semar

Active Member
Licensed User
Longtime User
No problem sorex, thanks for your answer :)

I guess the way to go is, using for example Windows native BitLocker or VeraCrypt:
- encrypt the whole partition where the O.S. resides. The data - and the database - are in this way encrypted as well, since the customer has only one partition.
- regularly encrypt the database and other sensitive data, and store it as a backup on an external device. Alternatively, save the relevant data and database on a USB pen drive and encrypt it.

This way, if the customer loses the laptop, no one will be able to retrieve the data without knowing the password. We can then provide the customer with a brand new laptop, install the software and restore the data from the encrypted USB pen drive.

What do you think about this solution?
 
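The plan above, carried out with the BitLocker cmdlets that ship with Windows 10 Pro. This is an added example, not code from the thread: it turns on BitLocker for the OS volume (recovery password first, TPM protector second, so the drive is never protected by the TPM alone), writes the recovery password to an offline location, and then encrypts a USB pen drive with a password for the off-device backup. The drive letters C:, E: and the output path D:\ are assumptions; run it from an elevated PowerShell.

```powershell
# Added example (not from the thread). Assumed: OS volume C:, backup pen drive E:,
# an offline location D:\ for the recovery-password printout, elevated PowerShell.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$OsDrive     = 'C:'
$BackupDrive = 'E:'
$RecoveryOut = 'D:\bitlocker-recovery-C.txt'   # never on the drive it protects

# Refuse to continue without a usable TPM; otherwise BitLocker would need a
# startup key on USB or a pre-boot password instead of a TPM protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady))."
}

$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'Off') {
    # 1. Start encryption with a recovery password protector ...
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
                     -RecoveryPasswordProtector | Out-Null
    # 2. ... then bind the volume key to the TPM so boot is transparent.
    #    A firmware change or board swap invalidates this one; the recovery
    #    password from step 1 is the way back in.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmProtector | Out-Null
}

# Save the 48-digit recovery password (with its protector ID) off the machine.
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
@("Volume: $OsDrive", "Protector ID: $($rp.KeyProtectorId)",
  "Recovery password: $($rp.RecoveryPassword)") | Set-Content -Path $RecoveryOut

# BitLocker To Go for the backup pen drive: a password protector, used-space-only
# so a fresh stick encrypts in seconds. Use -EncryptionMethod Aes256 instead of
# XtsAes256 if the stick must also open on Windows 7/8.1 (XTS is Windows 10 only).
$pw = Read-Host -Prompt "Password for backup drive $BackupDrive" -AsSecureString
Enable-BitLocker -MountPoint $BackupDrive -EncryptionMethod XtsAes256 `
                 -UsedSpaceOnly -PasswordProtector -Password $pw | Out-Null

# Copy the database and project files here, then lock the stick before removal.
Lock-BitLocker -MountPoint $BackupDrive -ForceDismount

Get-BitLockerVolume | Format-Table MountPoint, VolumeStatus, ProtectionStatus,
                                   EncryptionPercentage -AutoSize
```

ProtectionStatus reports On only once every protector is in place; EncryptionPercentage shows the background encryption of the OS volume, which keeps running across reboots. Whatever restores the backup on the new laptop only needs the pen-drive password (Unlock-BitLocker -MountPoint E: -Password), not anything tied to the old hardware.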

Cableguy

Expert
Licensed User
Longtime User
I would go with using the "external" bio-protected HDD as the main secondary drive, using it for ALL non-OS related files. This way the data gets automatically encrypted, and the best part is, you don't need to remember the password.
 

hibrid0

Active Member
Licensed User
Longtime User
I use BitLocker and it's really nice, you just activate it and copy the decryption key.
And everything is transparent: if anyone tries to extract your hard drive they need the decryption key; if you change any hardware it asks for the decryption key; if anyone tries to change the Windows user with a bootable USB they can't, or need the decryption key. If the PC crashes or your operating system dies, you connect the drive to another PC and recover your data with your decryption key.

On speed, I see it is really nice, I don't see any overload on the CPU for this task.

I think all corporate laptops or PCs have a TPM.
 
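The recovery scenario in the post above (disk from a dead laptop attached to another Windows 10 PC), as an added example that is not from the post. The TPM protector on such a disk is tied to the old motherboard and cannot unlock it here, so the volume is unlocked with the 48-digit recovery password; the script matches the printed protector ID against the volume first, copies the data out, and locks the volume again. The drive letter F:, the source path and the restore path are assumptions; run from an elevated PowerShell.

```powershell
# Added example (not from the post). Assumed: the old laptop's disk shows up as
# F: on the recovery PC, the data lives under F:\Users\customer, restore goes to
# D:\restore. Elevated PowerShell required.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Mount   = 'F:'
$Source  = "$Mount\Users\customer"
$Restore = 'D:\restore'

$vol = Get-BitLockerVolume -MountPoint $Mount
"{0}: status={1} lock={2} protectors={3}" -f $Mount, $vol.VolumeStatus, $vol.LockStatus,
    (($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ',')

if ($vol.LockStatus -eq 'Locked') {
    # Show the recovery-password protector IDs on the volume so the operator can
    # pick the matching printout before typing 48 digits.
    'Recovery password protectors on this volume:'
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { "  ID $($_.KeyProtectorId)" }

    $raw = Read-Host -Prompt 'Recovery password (48 digits, dashes optional)'
    # Normalise to the xxxxxx-xxxxxx-... form the cmdlet expects.
    $digits = $raw -replace '[^0-9]', ''
    if ($digits.Length -ne 48) { throw "Expected 48 digits, got $($digits.Length)." }
    $rp = $digits -replace '(\d{6})(?=\d)', '$1-'

    Unlock-BitLocker -MountPoint $Mount -RecoveryPassword $rp | Out-Null
}

# Copy the profile out. robocopy exit codes below 8 mean success (1 = files copied),
# so check the code explicitly instead of relying on $ErrorActionPreference.
robocopy $Source $Restore /E /COPY:DAT /R:1 /W:1 /NFL /NDL
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Lock the volume again so the disk is not left readable on the recovery PC.
Lock-BitLocker -MountPoint $Mount -ForceDismount
```

Unlocking this way does not change the volume's protectors: if the disk is then put into a new laptop, Windows will ask for the recovery password at every boot until a TPM protector for the new machine is added (Add-BitLockerKeyProtector -TpmProtector after clearing the old one).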

Diceman

Active Member
Licensed User
One nice feature with MS Bit Locker is Microsoft automatically provides the private keys to the government authorities when you register Windows. This means they won't be bugging you to gain access to your data with needless warrants. They have been doing this since the 1990's and it works really well.
 

Max Koopman

Member
Licensed User
Longtime User
Sorry to burst your bubble, but that's complete nonsense about your keys being sent to Microsoft. You should not try and scare people with this type of bad information.
BitLocker was introduced with Windows Vista in 2006. So 16 years after your claim.
 

Diceman

Active Member
Licensed User
My bubble is still intact. I've been around this subject when most programmers were still a twinkle in their father's eye. :cool:

Your Bitlocker keys are indeed sent to Microsoft if you bought a new computer with Windows already installed on it. And we all know Microsoft would never give your recovery keys to anyone else without a valid warrant. <cough><cough> To correct this oversight, you need to re-encrypt your drive and specify the new key be stored locally on a thumb drive or printed.
RECENTLY BOUGHT A WINDOWS COMPUTER? MICROSOFT PROBABLY HAS YOUR ENCRYPTION KEY
https://theintercept.com/2015/12/28...r-microsoft-probably-has-your-encryption-key/


Even the former privacy officer at Microsoft doesn't trust Microsoft with customers' data.
"Yet you might be wise to recall that Caspar Bowden, the man formerly in charge of Microsoft's privacy policy for 40 countries, claims he no longer trusts Microsoft or its software; he added that Microsoft's corporate strategy is to grind down your privacy expectations and that the company's transparency policies are nothing more than "corporate propaganda." "
https://www.csoonline.com/article/2...-alleged-backdoors-in-microsoft-products.html

Former Microsoft Engineer Working on Windows BitLocker Confirms Government Asks Microsoft for Back Doors
http://techrights.org/2014/07/31/microsoft-back-doors-admission/

Report: NSA paid RSA to make flawed crypto algorithm the default
https://arstechnica.com/information...-to-make-flawed-crypto-algorithm-the-default/

If you need to encrypt the entire boot drive, Bitlocker (and BestCrypt) are the only alternatives.

If you only want to encrypt a folder, then there are many alternatives. Here is a list, and many are no longer supported by the developer.
https://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
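Rotating the recovery password so that the only copy is a local printout, as an added example (not from the post or the linked articles). It generates a new recovery password protector, saves it off the protected drive, and only then removes every older recovery password protector, so the volume is never left with the TPM as its sole protector; a final check confirms exactly the new one remains. The OS volume C: and the output path D:\ are assumptions; run from an elevated PowerShell.

```powershell
# Added example (not from the post). Assumed: OS volume C: already encrypted with
# BitLocker, an offline location D:\ for the new printout, elevated PowerShell.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Mount = 'C:'
$Out   = 'D:\bitlocker-recovery-C.txt'   # never on the drive it protects

$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.ProtectionStatus -ne 'On') { throw "BitLocker protection is not On for $Mount." }

# Every recovery password currently on the volume, including the one created at setup.
$old   = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$oldIds = @($old | ForEach-Object KeyProtectorId)

# Add the replacement first; the volume must keep a non-TPM way in at all times.
$after = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
$new   = $after.KeyProtector |
         Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                        $_.KeyProtectorId -notin $oldIds }

@("Volume: $Mount", "Protector ID: $($new.KeyProtectorId)",
  "Recovery password: $($new.RecoveryPassword)") | Set-Content -Path $Out

# Now retire the old recovery passwords. Any copy of them held elsewhere
# (an account, a printout, an image of the disk) can no longer unlock the volume.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Verify: exactly one recovery password protector, and it is the new one.
$final = @((Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($final.Count -ne 1 -or $final[0].KeyProtectorId -ne $new.KeyProtectorId) {
    throw 'Rotation did not leave exactly the new recovery password on the volume.'
}
"Recovery password rotated; new protector $($new.KeyProtectorId) saved to $Out."
```

The TPM protector and the data encryption key are untouched by this, so the drive does not re-encrypt; only the recovery password that can unwrap that key changes. Keep the printout somewhere the laptop does not travel, and test it once (Unlock-BitLocker on the volume from a recovery environment) before relying on it.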
 