Full Disk Encryption

Mark.87

Sorry if its been done before but I have a quick question about full disk encryption!

I am looking into doing a full disk encryption (say with Windows BitLocker) on a few laptops in work. Will this affect shared cloud based files (on say SkyDrive, SharePoint, DropBox, etc.), i.e. if I am on an encrypted computer and I do up a new Excel spreadsheet and save it to a shared folder on SkyDrive will another person from a different computer be able to read it or will the file be encrypted.

Thanks in advance!

goldenhoarde

Mark.87 wrote: »

Sorry if its been done before but I have a quick question about full disk encryption!

I am looking into doing a full disk encryption (say with Windows BitLocker) on a few laptops in work. Will this affect shared cloud based files (on say SkyDrive, SharePoint, DropBox, etc.), i.e. if I am on an encrypted computer and I do up a new Excel spreadsheet and save it to a shared folder on SkyDrive will another person from a different computer be able to read it or will the file be encrypted.

Thanks in advance!

Its just the copy on the machine that is encrypted on the hard drive. The whole disk is encrypted to stop someone just plugging the HD into another machineand reading your files. The version you upload will not be encrypted so others will be able to view it if you give access

Mark.87

goldenhoarde wrote: »

Its just the copy on the machine that is encrypted on the hard drive. The whole disk is encrypted to stop someone just plugging the HD into another machineand reading your files. The version you upload will not be encrypted so others will be able to view it if you give access

Thanks for the clarification.

Macumazan

Mark.87 wrote: »

Thanks for the clarification.

Hi buddy,

Congrats on taking your security seriously to encrypt your HDD. I would recommend Truecrypt over Bitlocker to encrypt your system as it's more beloved amongst security types, presumably because it's open source.

If you want to keep data in your existing cloud safe, you can use Boxcryptor, which will allow you to encrypt your files in place in the cloud and it's compatible with most popular services like Dropbox.

Personally I have used SpiderOak and Wuala to store my files in the cloud as these are seamlessly encrypted on your device and stored in the cloud, so there's no way to decrypt the info you upload - at least in theory, both these services use proprietary software to do this, so you have to trust they're telling the truth.

If you don't fancy either of these options and have used Truecrypt to secure your system, you can use the software to create a secure encrypted container for your files which you can upload to Dropbox and store any sensitive files in there - you won't have to reupload the container each time as Dropbox simply detects changes within it and uploads these instead.

Best of luck staying safe and if you need any help, do send me a PM.

Mark.87

Macumazan wrote: »

Hi buddy,

Congrats on taking your security seriously to encrypt your HDD. I would recommend Truecrypt over Bitlocker to encrypt your system as it's more beloved amongst security types, presumably because it's open source.

If you want to keep data in your existing cloud safe, you can use Boxcryptor, which will allow you to encrypt your files in place in the cloud and it's compatible with most popular services like Dropbox.

Personally I have used SpiderOak and Wuala to store my files in the cloud as these are seamlessly encrypted on your device and stored in the cloud, so there's no way to decrypt the info you upload - at least in theory, both these services use proprietary software to do this, so you have to trust they're telling the truth.

If you don't fancy either of these options and have used Truecrypt to secure your system, you can use the software to create a secure encrypted container for your files which you can upload to Dropbox and store any sensitive files in there - you won't have to reupload the container each time as Dropbox simply detects changes within it and uploads these instead

Best of luck staying safe and if you need any help, do send me a PM.

I currently use Truecrypt on my personal laptop and on an external hard drive (I think its why they asked me to look into doing the work computers for them). The reason I said Bitlocker is that it is already installed on the computers and after talking to the boss, the advantage of having a master key in case anyone forgets / looses theirs was an advantage in our office.

I have read about Boxcryptor in some other forums and it seems to be the best for cloud encryption at the moment. I have no experience of SpiderOak or Wuala but will defiantly look into them now.

Thanks for the tips

Nika Bolokov

Be careful if its got Windows 8. I wrecked a laptop trying to do a full disk encryption a few months ago. Not sure if the encryption software has been updated since then.

Mark.87

Nika Bolokov wrote: »

Be careful if its got Windows 8. I wrecked a laptop trying to do a full disk encryption a few months ago. Not sure if the encryption software has been updated since then.

Ye it is W8. Can you give me a bit more info on what happened / any feedback from Microsoft? My plan is to wait until 8.1 is fully released to update all the computers and do the encryption.

Nika Bolokov

Basically encryption went OK but the laptop would not reboot. Had made a disk too, still no luck. I read various pieces on the net and it seemed to be kind of split as to whether it would work, the software site at the time did not say it supported Windows 8 so its my own fault for giving it a go.

The partitions in Windows 8 are apparently different to other versions and a lot of Win 8 systems will come as UEFI-based computers on GPT disks so thats where the problems lies given the nature of a lot of the popular encryption software thats free.

Just using Axcrypt to encrypt individual files and folders especially before upload to any cloud and find that still works wonderfully. Great free piece of software but not for full disk encryption.

Gotham

Furthermore I'd like to point out that there is a lot of misinformation about encrypting Dropbox with Trucrypt. The short answer: Dont do it.

When you create a trucrypt partition as a file it has a long key and a short key, the short key is the password you need to remember to unlock the file, the long key however is only created during the creation of the partition.
Everytime you add a file to the partition, the signature of the partition changes and Dropbox uploads it.
If someone had access to enough of these encrypted versions, they could deduce the long encryption key by examining how the file changed.
Dropbox actually facilitates this by giving you a "history" option, so you could retrieve all the previous versions and break the encryption by examining them.

Dropbox and Truecrypt do not mix well, despite what tutorials online will have you believe.

I've never used Boxcryptor but I would be wary that it's just a simple convenience wrapper and the real security concerns have not been considered.

Nika Bolokov

Gotham wrote: »

Furthermore I'd like to point out that there is a lot of misinformation about encrypting Dropbox with Trucrypt. The short answer: Dont do it.

When you create a trucrypt partition as a file it has a long key and a short key, the short key is the password you need to remember to unlock the file, the long key however is only created during the creation of the partition.
Everytime you add a file to the partition, the signature of the partition changes and Dropbox uploads it.
If someone had access to enough of these encrypted versions, they could deduce the long encryption key by examining how the file changed.
Dropbox actually facilitates this by giving you a "history" option, so you could retrieve all the previous versions and break the encryption by examining them.

Dropbox and Truecrypt do not mix well, despite what tutorials online will have you believe.

I've never used Boxcryptor but I would be wary that it's just a simple convenience wrapper and the real security concerns have not been considered.

Anyone else using Axcrypt for this ? Any problems identified ?

Gotham

Nika Bolokov wrote: »

Anyone else using Axcrypt from this ? Any problems identified ?

I've never heard of Axcrpt but upon inspection it doesn't seem to do anything "special".
Truecrypt is different because it creates a container file for other files to go inside, that container file + Dropbox do not go well together.
If Axcrypt encrypts files individually, it shouldn't be a problem when combined with dropbox.

LoLth

Gotham wrote: »

Furthermore I'd like to point out that there is a lot of misinformation about encrypting Dropbox with Trucrypt. The short answer: Dont do it.

When you create a trucrypt partition as a file it has a long key and a short key, the short key is the password you need to remember to unlock the file, the long key however is only created during the creation of the partition.
Everytime you add a file to the partition, the signature of the partition changes and Dropbox uploads it.
If someone had access to enough of these encrypted versions, they could deduce the long encryption key by examining how the file changed.
Dropbox actually facilitates this by giving you a "history" option, so you could retrieve all the previous versions and break the encryption by examining them.

Dropbox and Truecrypt do not mix well, despite what tutorials online will have you believe.

I've never used Boxcryptor but I would be wary that it's just a simple convenience wrapper and the real security concerns have not been considered.

curiosity here....

if truecrypt encrypts the volume using a block cypher (with the block size equal to the block size of the disk blocks - thats an overuse of the word block... I'm sorry!). then even if the attacker could see that a block had changed, how could they deduce the initial encryption key (the long key generated at encryption time) unless they
A: know exactly what the contents of the block is now, and was before it was changed (assuming no padding is used so a 4byte block unencrypted is a 4 byte block encrypted)

or

B: know the unencrypted contents of the block preceeding the changed block (truecrypt uses AES? , so the encryption of the previous block is used to seed the encryption of the next block).

I'm not saying you're wrong, I'm just wondering how it could be done as I'm not aware of any software that uses anything other than brute force that could do it and I'd be interested in learning.

possible protection against this:

empty dropbox folder.
fill it with random goodness (using dd or something similar)
encrypt as a volume using truecrypt
delete the contents of the volume
copy in the data you want to keep encrypted.

that way, at no time is there an unencrypted signature of your files stored in dropbox history.

Dropbox volume markers / headers could give it away if the entire dropbox folder was encrypted but would storing an encrypted volume within dropbox not circumvent that?

a problem I would see with that would be, synching. the entire volume would be synchronised every time as dropbox has no way to determine individual file changes (unless dropbox synchronises based on changed blocks, in which case a change to 1 block would cause 2 blocks - n and n+1 - to change and they would be synchronised).

RangeR

Mark.87 wrote: »

I currently use Truecrypt on my personal laptop and on an external hard drive (I think its why they asked me to look into doing the work computers for them). The reason I said Bitlocker is that it is already installed on the computers and after talking to the boss, the advantage of having a master key in case anyone forgets / looses theirs was an advantage in our office.

TrueCrypt does this too, by default.

Comparing Bitlocker and TrueCrypt here

I don't see benefits of Bitlocker over TrueCrypt. Bitlocker, if I'm not mistaken requires either TPM or a USB Key. TrueCrypt requires only a password.

Bitlocker
TPM - Steal the machine and you have all the data.
USB Key - "Borrow" the USB Key and you have all the data.

TrueCrypt
Password - You have to force the password out of the user, in order to gain access to the machine. Even if it's very forceful coercion, TrueCrypt allows for two passwords. One for a dummy partition and one for the real data.

RangeR

Actually, another pro for TC is that it's open source.

What this means, in this case, is that many, many, many people have picked through the code and have found no back doors. If the last month has thought us anything, it's that Microsoft [and other large techs] can't be trusted not to have backdoors to Gov/Agencies.

I wouldn't use Bitlocker.

Gotham

LoLth wrote: »

I'm not aware of any software that uses anything other than brute force that could do it and I'd be interested in learning.

There is no public software to do this, it has to be manually written - I will search for the research document concluding this.
My information is based on a paper that a professor told me about casually, but I've never got to read yet, so let me try to dig that one out.
Here is some generic info though that is relevant: http://security.stackexchange.com/questions/10987/are-backups-of-truecrypt-volumes-with-different-pass-phrases-a-security-risk

The only protection against it is to create a new volume anytime you change the data inside it.
The "signature" i was referring to is just the hash of the file, dropbox checks for the hash before uploading. - You mention this at the end of your post.

timmywex

bedlam wrote: »

You can not centrally manage TrueCrypt, it's great if you have a few devices to protect, good luck when you have hundreds.



Proof please? Truecrypt is woefully unaudited and only now are there movements to try and get independent audits performed. (See "reasonable paranoia")

...Open source, where people assume that others have reviewed the code so they won't bother...

Given a choice between truecrypt and nearly any other software produced by a company for the same task - Id be going with TrueCrypt.

Mark.87

RangeR wrote: »

TrueCrypt does this too, by default.

I wasn’t aware that it could. In fact the vary article you linked too states that Bitlocker “supports multiple authentication options” whereas TrueCrypt “doesn't offer any way to recover your encrypted partition if you lose your passphrase”

If someone could clarify this for me as it will certainty impact the decision!

RangeR wrote: »

Bitlocker, if I'm not mistaken requires either TPM or a USB Key. TrueCrypt requires only a password.

It was my understanding that Bitlocker supports TPM, USB and PIN or passphrase. Perhaps someone could clarify this also.

RangeR wrote: »

Actually, another pro for TC is that it's open source.

What this means, in this case, is that many, many, many people have picked through the code and have found no back doors. If the last month has thought us anything, it's that Microsoft [and other large techs] can't be trusted not to have backdoors to Gov/Agencies.

I wouldn't use Bitlocker.

Just to be clear, I am aware of the advantages of TrueCrypt and the fact that it is open source. I use the software on all my personal machines. Like bedlam said and from what I read elsewhere TrueCrypt is great on a single machine but is not a suitable enterprise level option.

Whereas I am encrypting more and more these days to keep my data from governments and agencies (or at least make them work to get it ) this does not concern my boss. His worries and request for full disk encryption are purely based on the potential for a machine to be lost or stolen hence giving access to company documents and more importantly personal details on staff, partners and clients.

bedlam wrote: »

You can not centrally manage TrueCrypt.

This was my understanding as well. Functionally to centrally manage / have master password is a must have. We are not encrypting people’s personal files, it is company data and as such the company must always be able to access it. Without this functionally what happens if an employee leave on bad terms and we don’t know their encryption key...

If I am wrong and TrueCrypt does support this / similar functions I would appreciate clarification. Likewise if anyone has any other good solutions other than the ones mentioned.

timmywex wrote: »

Given a choice between truecrypt and nearly any other software produced by a company for the same task - Id be going with TrueCrypt.

Again personally I would probably agree with you but I ruled it out as it doesn’t (or at least I don’t think it does) support any functionally required for enterprise.

Mark.87

On a side note that I just thought of while writing the reply to bedlam – is there any way / does anyone have any ideas on how to secure data to prevent employees taking files, databases, etc. with them if they leave the company on “bad” terms?

Obviously the system at present gives different level of file privileges to different people, etc. so please no comments like don’t give them access to it in the first place.

Screaming Monkey

Mark.87 wrote: »

On a side note that I just thought of while writing the reply to bedlam – is there any way / does anyone have any ideas on how to secure data to prevent employees taking files, databases, etc. with them if they leave the company on “bad” terms?

Obviously the system at present gives different level of file privileges to different people, etc. so please no comments like don’t give them access to it in the first place.

a technical solution is not really the answer, just look at Snowden and his NSA friends, with all their technical resources and still the data got out.
seen this lots of times over the years, the only thing slightly effective is having terms/conditions in the employee contract, employee acceptable usage policy and an "employee" termination procedure.

Then if things go bad, sue the **** out of them.

i remember one time a company tried to get an employee after he handed in his notice to sign an employee contract saying he wouldn't copy data or work for a competitor, it ended badly.

SM

RangeR

Mark.87 wrote: »

I wasn’t aware that it could. In fact the vary article you linked too states that Bitlocker “supports multiple authentication options” whereas TrueCrypt “doesn't offer any way to recover your encrypted partition if you lose your passphrase”

If someone could clarify this for me as it will certainty impact the decision

Fair enough on the centrally managed. TrueCrypt can't compete with a single Admin Password.

I apologise. I always thought the TrueCrypt Rescue Disk was in case of lost password etc. It turns out it isn't. It just allows repairing of the bootloader etc. However, having the Rescue CD resets the TC password to it's original one, if the end user subsequently changed it.

However, it still leaves the possibility of getting back. The Administrator should always have the original passwords of each machine.

syklops

Screaming Monkey wrote: »

a technical solution is not really the answer, just look at Snowden and his NSA friends, with all their technical resources and still the data got out.
seen this lots of times over the years, the only thing slightly effective is having terms/conditions in the employee contract, employee acceptable usage policy and an "employee" termination procedure.

Then if things go bad, sue the **** out of them.

i remember one time a company tried to get an employee after he handed in his notice to sign an employee contract saying he wouldn't copy data or work for a competitor, it ended badly.

SM

Thats kind of a horse has bolted solution. Sue them after they have leaked sensitive information.

Screaming Monkey, its not the future disgruntled employee which you need to worry about, its all your employees. Make it hard for all of them to get raw access to information, and log all other access.

On the Snowden affair, the NSA is just like any other public service department, big and inefficient. If they had spent a little more time and money on their internal IT systems and policies then Edward Snowdens task would have been a lot more difficult. Saying "if the NSA can't secure their data, then whats the point in trying", is just foolhardy.

I used to work in a place that had an access database with all its customer records. Sometimes if there were to many people accessing it, and you needed to use it, the work around was to copy the database on to your local machine and access it locally. The customer database with names, addresses, GPS co-ordinates and credit card information, now in My Documents. Crazy.

I do Pen Testing and regularly a client comes to us because they are concerned about the configuration of their perimeter firewall. Regularly spending 10 minutes on their premises we can see their perimeter firewall is the least of their problems.

Edit: I absolutely agree with having a termination policy though.

Mark.87

RangeR wrote: »

However, having the Rescue CD resets the TC password to it's original one, if the end user subsequently changed it.

That’s interesting, I never knew the Rescue CD could do that. I will test it out this weekend. Thanks RangeR


I have to agree with you syklops. Clauses, etc. in a contract do form part of it but they are not the entire solution. We too have databases with customer records and files on all our staff. There is nothing too juicy but as it’s not my information I would consider all the data to be sensitive.

Firewalls and risks from outside were covered by an IT company but I would love to suggest some “common sense” methods to improve security from within. I’m all ears if anybody has any suggestions.

syklops

Mark.87 wrote: »

I have to agree with you syklops. Clauses, etc. in a contract do form part of it but they are not the entire solution. We too have databases with customer records and files on all our staff. There is nothing too juicy but as it’s not my information I would consider all the data to be sensitive.

Firewalls and risks from outside were covered by an IT company but I would love to suggest some “common sense” methods to improve security from within. I’m all ears if anybody has any suggestions.

I can't suggest too much common sense things because I don't know what you do or do not have in place already. Feel free to PM me with some details if you want.

timmywex

Mark.87 wrote: »

On a side note that I just thought of while writing the reply to bedlam – is there any way / does anyone have any ideas on how to secure data to prevent employees taking files, databases, etc. with them if they leave the company on “bad” terms?

Obviously the system at present gives different level of file privileges to different people, etc. so please no comments like don’t give them access to it in the first place.

Have a look into data loss prevention (DLP) systems.

LoLth

Microsoft Server (stop the booing!) series has some nice features like data auditing and data security levels. You can flag data as not being printable, downloadable to a hard drive or external drive other than the server, email-able etc.

thing is:
1. you need to be pretty much fully MS-Active Directory integrated. you cant protect something not on an AD controlled fileshare
2. you have to flag the data. A bit like email flagging for archive/keep/junk , users are never going to do it, or they will and they'll do it half arsed. Think of the trouble getting people to archive their email now....multiply that by 10.
3. you cant protect against the cameraphone

Capt'n Midnight

LoLth wrote: »

Microsoft Server (stop the booing!) series has some nice features like data auditing and data security levels.

way more options than most Linux setups.



Here's a good one for most windows users , on the command line

set devmgr_show_nonpresent_devices=1
start devmgmt.msc

when device manager pops up - View, Show Hidden Devices

now go into disk drives

It'll list all the USB keys you've ever used, and if you go into properties - details you lots of interesting info like the first install date too - handy if you've shared data on a key to someone else.


Windows can be very good at Auditing.


Also why I keep telling people you can't clean up all the private info from a windows install

LoLth

nice trick. I knew how to do that through the registry keys, didnt know it was that straightforward through a gui interface.

I'll be adding that to my toolbox now