Best way to encrypt files?

[Yggdrasil]

Hi all, I've got some sensitive information that I don't want to get into the hands of other people; looking online looks like Windows XP has some limited ability to encrypt files and folders, also there are commercial apps to create 'vaults' and whatnot.

What do you guys recommend for protecting your files? I don't want anyone nosy to access them. Examples include:

harddrive gets stole (ya never know)

nosy tech repair dude (not that I'd take my computer to a tech repair dude)

someone sits down at my unlocked computer (i always lock it though)

someone hacks my computer

Thanks in advance!

 

[YeOldeStonecat]

Plenty of free ones out there like TrueCrypt or Comodo
http://www.truecrypt.org/
http://disk-encryption.comodo.com/

 

[Vito_Corleone]

I'm a big fan of truecrypt.

 

[Fint]

For doing a few files, I use a free program named AES Crypt (http://www.aescrypt.com/) which works well.

 

[TechieSooner]

TrueCrypt times a million.
Free, Open Source (since there's tons of folks looking at the code, you know there's no backdoors).

The whole disk encryption in TrueCrypt is awesome. All it does is adds a boatloader to the disk.
Turn on PC, it hits the TC bootloader. You pop in your key, and then it continues booting Windows like normal. Once inside Windows, everything is the same. You literally won't know TrueCrypt is running- it encrypts stuff on the fly. Only time you've got to pop the password in is on bootups.


Edit- and as additional deterrant to people that steal mine, I even have the TrueCrypt bootloader display nothing more than "Boot Error- OS Not Found" on a black screen. 90% of people that steal your laptop would see that, and give up. Only I know to go ahead and type my password at that screen, and hit enter- then it continues booting.

 

[evenglow]

Also http://www.axantum.com/axCrypt if you want to encrypt just files and folders, not whole disk encryption.

 

[TechieSooner]

Also http://www.axantum.com/axCrypt if you want to encrypt just files and folders, not whole disk encryption.

TrueCrypt does just files and folders as well...



It's seriously awesome software. Free and more well known IMO

 

[capnstabn]

I have done deployments for Guardian Edge and Pointsec FDE which are reputable enterprise encryption suites.......and I use TrueCrypt on my mac at home =p. However TrueCrypt has been hacked so don't go storing your government secrets on it.

 

[TechieSooner]

However TrueCrypt has been hacked so don't go storing your government secrets on it.

News to me. Link?

 

[powertower]

I'll throw my vote in also...

TrueCrypt is great.

 

[capnstabn]

News to me. Link?

Google "truecrypt hacked" and there are several articles on it. The encryption itself has not been hacked but there is a bootkit vulnerabilty out there. Using just an encrypted volume for sensitive files would probably be your best bet. Will help performance as well.

 

[TechieSooner]

Google "truecrypt hacked" and there are several articles on it. The encryption itself has not been hacked but there is a bootkit vulnerabilty out there. Using just an encrypted volume for sensitive files would probably be your best bet. Will help performance as well.

It inserts itself into the MBR (Which FWIW requires Administrative or physical access), and intercepts the key entered by the user.
Hardly anything new and hardly a problem with TrueCrypt.

That'd be like saying I hacked my bank's website by being able to capture someone's password with a keylogger

 

[TechieSooner]

I actually went to this "hackers" blog to check out his entry... Have a read through some of the comments people are leaving the moron before you tell someone TrueCrypt has been hacked again:
http://www.peterkleissner.com/?p=11

 

[capnstabn]

I wasn't trying to down TrueCrypt whatsoever....I currently use it on one of my systems. However TrueCrypt does not make you authenticate to the MBR. There are a few more mature and more expensive technologies that do prevent this sort of vulnerability.


Trust TrueCrypt to protect naked pictures of your gf? Yes

Trust TrueCrypt to protect your government secrets? No

 

[TechieSooner]

I wasn't trying to down TrueCrypt whatsoever....I currently use it on one of my systems. However TrueCrypt does not make you authenticate to the MBR. There are a few more mature and more expensive technologies that do to prevent this sort of vulnerability.


Trust TrueCrypt to protect naked pictures of your gf? Yes

Trust TrueCrypt to protect your government secrets? No

1) Outside of Windows, anything can write to the MBR. That's part of the problem with the idiot you mentioned... He doesn't want anything overwriting the MBR. Well, outside of whatever OS you're using: there's no authentication. It's just bits of data, and you can overwrite those from any LiveCD you want to. The data itself stays safe and encrypted.

2) TrueCrypt is acceptable for Top Secret information. The government uses the same encryption for their own use. It'd take 1 Trillion years with the computational power we have today for someone to decrypt my password. That's not good enough?

 

[Valnar]

TrueCrypt is my choice.

 

[k1pp3r]

2) TrueCrypt is acceptable for Top Secret information. The government uses the same encryption for their own use. It'd take 1 Trillion years with the computational power we have today for someone to decrypt my password. That's not good enough?

The Gov doesn't use truecrypt, so lets not go there.

For home use, use truecrypt, its nice, its free and it works.

Business use, seek a app with support

 

[capnstabn]

1) Outside of Windows, anything can write to the MBR. That's part of the problem with the idiot you mentioned... He doesn't want anything overwriting the MBR. Well, outside of whatever OS you're using: there's no authentication. It's just bits of data, and you can overwrite those from any LiveCD you want to. The data itself stays safe and encrypted..

2) TrueCrypt is acceptable for Top Secret information. The government uses the same encryption for their own use. It'd take 1 Trillion years with the computational power we have today for someone to decrypt my password. That's not good enough?

1) Absolutely correct. The data exchanged before the OS boots is all clear text. Every single FDE software is potentially vulnerable to janitor style attacks. Just not the pre-canned user friendly stuff like evil maid and stoned. This is partially due to the fact that TrueCrypt is open-source.

2) I said that TrueCrypt was hacked....meaning the application itself was exploited. I never said anyone "cracked" AES-256. AES-256 is still the most commonly used uncrackable algorithm for encrypting volumes/drives.

 

[capnstabn]

The Gov doesn't use truecrypt, so lets not go there.

For home use, use truecrypt, its nice, its free and it works.

Business use, seek a app with support

Preferably support where the end users contact the vendor directly =p

 

[TechieSooner]

The Gov doesn't use truecrypt, so lets not go there.

I didn't say they did. I said they used the "same encryption".
For any kind of business use you want something that's easily deployable. TrueCrypt is good for standalone installs only.

2) I said that TrueCrypt was hacked....meaning the application itself was exploited. I never said anyone "cracked" AES-256. AES-256 is still the most commonly used uncrackable algorithm for encrypting volumes/drives.

And there was nothing hacked about TrueCrypt... That's what you don't understand.
Again- it's similar to a keylogger. Like my previous example, it'd be like me saying I hacked into someone's account by keylogging their account information.

 

[SpaceHonkey]

GnuPG (aka GPG), especially if you need to securely exchange files.

 

[MrWizard6600]

+1 for truecrypt. If your a small business looking to keep some pre-patented stuff safe, truecrypt is your best bet. If you've got the abillity to ask a software firm for a few bucks worth of software (and the bucks to have it reviewed... several times), then yeah, a custom implementation (and cyphers are like searches or sorting guys, AES256 is good but it isnt unanamously the "best", no cypher is. quicksort sometimes beats mergesort, and quicksort can be beat by shell sort or insertion/selection sort.. where was I... right, a custom implementation) might be the best solution.

but what I suspect is the best solution for you is actually just good old winrar. Truecrypt is for the most part a better implementation (read: a heavier implementation, the two blobs of bits that are spat out from truecrypt and encryption enabled rar archive are just as entropic as each other) but needs to be downloaded and the UI is a little clunky.

so yeah, if you've got winrar installed there is an option to scramble after compression (using different cyphers in the pro version IIRC), I'd suggest that for a quick-and-easy implementation.

 

[capnstabn]

And there was nothing hacked about TrueCrypt... That's what you don't understand.
Again- it's similar to a keylogger. Like my previous example, it'd be like me saying I hacked into someone's account by keylogging their account information.

"Computer hacking is broadly defined as intentionally accesses a computer without authorization or exceeds authorized access."

 

[keenan]

"Computer hacking is broadly defined as intentionally accesses a computer without authorization or exceeds authorized access."

The point is that this isn't a TrueCrypt vulnerability, it's just the reality of how computers work. Any software is potentially vulnerable to the same attack, and there's no way to prevent against it that can't be overridden, at least without special hardware. You don't blame the crypto engine when an OS-level rootkit ends up on the box and sends credit card numbers to an attacker; this is the same sort of attack.

 

[capnstabn]

The point is that this isn't a TrueCrypt vulnerability, it's just the reality of how computers work. Any software is potentially vulnerable to the same attack, and there's no way to prevent against it that can't be overridden, at least without special hardware. You don't blame the crypto engine when an OS-level rootkit ends up on the box and sends credit card numbers to an attacker; this is the same sort of attack.

Your example describes a worm not a rootkit. I am sure they were well aware of this type of vulnerability when they put their app on these platforms. Yet publicly stated they disregard janitor attacks as being something they will attempt to address. Believe me I am not arguing with you guys for arguments sake. But the design of these platforms has not changed and probably won't for a long time. However other vendors have put countermeasures in to mitigate these types of risks in their own encryption software. Its much easier to circumvent TrueCrypt than some of its competitors and that is the bottom line. Its a great open-source product but its not the best for that reason. And if the vulnerability effects the value of your product......IT IS YOUR PROBLEM.

 

[keenan]

Your example describes a worm not a rootkit.

Huh? A worm just describes anything that self-replicates. This is totally orthogonal to the definition of a rootkit.

The point is that this attack is not a weakness of TrueCrypt itself, but an attack vector that disk encryption alone cannot protect against since the MBR cannot be encrypted or positively verified without secure storage for key material. All disk encryption techniques are vulnerable to the same basic attack.

However other vendors have put countermeasures in to mitigate these types of risks in their own encryption software. Its much easier to circumvent TrueCrypt than some of its competitors and that is the bottom line. Its a great open-source product but its not the best for that reason. And if the vulnerability effects the value of your product......IT IS YOUR PROBLEM.

The only way to mitigate this risk is to use a TPM to authenticate the MBR. Anything else is just giving you a false sense of security. That's the point the TC developers are making, and I happen to agree with them. There's no point in building security through obscurity into the system, it adds nothing of value. Especially in an open-source product.

If you want security against so-called janitor attacks, buy a TPM or hardware key. Software won't help you. Though even so, if your physical security is broken, you're pretty much screwed no matter what you do.

 

[TechieSooner]

"Computer hacking is broadly defined as intentionally accesses a computer without authorization or exceeds authorized access."

Like keenan explained: I'm not arguing with the term "hacking" here... I'm arguing that TRUECRYPT wasn't hacked.

I seriously don't know how else to explain this. I've even given you an analogy that a junior higher could understand.

Your example describes a worm not a rootkit. I am sure they were well aware of this type of vulnerability when they put their app on these platforms.

Here's another example. Same technology and logic as your TrueCrypt "hack"...
I can access any file on a Windows volume by changing the bootloader and booting into another piece of software (read: another OS). It totally bypasses the Windows authentication, so Windows must be broken!!!!

Those of us that know a little bit about OSes understand that when Windows isn't running: it cannot do anything to secure itself. When the hard drive is booted up with another OS: it can read the bits on that hard drive thus bypassing Windows authentication. Because again: Windows isn't running to secure it.

This is also exactly why encryption is needed in the first place.

However other vendors have put countermeasures in to mitigate these types of risks in their own encryption software.

Here's the second thing you don't understand: "other vendors" have stopped the attack from within Windows just using psuedo security. Think akin to Norton protecting your IE homepage from changing. It theoretically stops it, but we all know there's ways to get around it. To note, that attack can still be bypassed. Again if you're running as Admin- you're screwed regardless. If you're running outside Windows: there's no security controls in place and anything can write to the hard disk.


I don't know how many times I've got to say it, but TrueCrypt hasn't been hacked. The guy that published this "hack" is an idiot. It's a sensationalist article designed to sway people exactly like you into a ruckuss over nothing.
The people that write TrueCrypt know what they're doing. The guy was just too stupid to understand exactly what I'm telling you: that this will be a problem with ANY encryption software.

The only solution, again, is hardware encryption. And TrueCrypt isn't a hardware encryption package.

 

[prochobo]

Why can't we just agree not use TrueCrypt's FDE option and get along ?

 

[TechieSooner]

Why can't we just agree not use TrueCrypt's FDE option and get along ?

Cuz there's nothing wrong with it.

 

[prochobo]

Cuz there's nothing wrong with it.

I meant, why don't we just use the secure volumes instead? Obviously you guys are arguing over the "vulnerability" that can be exploited only in an FDE environment. Take that away, and hey, there's something we all can agree on: TrueCrypt's secure volumes are, well, secure.

 

[TechieSooner]

I meant, why don't we just use the secure volumes instead? Obviously you guys are arguing over the "vulnerability" that can be exploited only in an FDE environment. Take that away, and hey, there's something we all can agree on: TrueCrypt's secure volumes are, well, secure.

FDE encryption encrypts EVERYTHING. No need of having to drag or drop or create volumes in one particular place. You know that everything is encrypted. This includes your program files, Windows files, and anything else that might have traces of personal data.

 

[djBon2112]

Truecrypt.

 

[Neb]

If you want security against so-called janitor attacks, buy a TPM or hardware key. Software won't help you. Though even so, if your physical security is broken, you're pretty much screwed no matter what you do.

After reading up on the "hack" I think this sums up my opinion. If by some odd chance you're unlucky enough to get a MBR rootkit installed onto your systems you have worse issues to worry about

 

[Yggdrasil]

Thanks everyone for the comments. Trying out TrueCrypt now as we speak, but I'm getting a tad hungry so I'm gonna go hack at this apple...

 

[akapaulk]

Windows XP is old.

Upgrade to Windows 7 and use Bit Locker :- )