I am not expert on these things (encryption), but I have done some reading and found some issues with Encrypted File System I don’t like. I may not describe the issues correctly, so this is just my opinion more than anything.
1. In Windows 2000, don’t even bother. It can be bypassed with their recovery agent or administrator. So if you lose your laptop, the data can be accessed.
2. In XP, it is better and more secure. I think there is no data recovery agent, but I think a local administrator account on a non-domain install of XP will still have the private keys.
3. The private keys are on that hard drive!
4. You still see all the files. The file names are all viewable, and that may be a security risk for some companies. It’s better than nothing, but I don’t like that too much.
5. You can’t encrypt the whole system. Or a whole partition for that matter. You must encrypt a folder, and at that, only the files in that folder are encrypted.
6. Here’s the one I like least… with EFS, when you open a file, it is decrypted to a tmp file. This file is deleted once you finish with it, but as you know, files are not “wiped” from the drive when they delete, they just remove the pointer to it. So unless data is overwritten in that place of the drive, that data is accessible to anyone. If you had a spreadsheet with SSN’s or credit card numbers, and you just happen to lose your system to someone who knows what to do with it, you got a big problem!!
7. There’s more, I just can’t think of them.
Anyway, after doing some reading… I found that Bitlocker in Vista will be a very nice solution. But you have to buy Enterprise or Ultimate versions of Vista to get it. Bitlocker can encrypt the entire OS partition. Now that is nice! That is exaclty what we wanted! And if you set it up correctly, using a key or PIN at boot, it will make an extremely secure setup. One drawback, you can only encrypt the partition the OS is on, not other partitions. You’ll need to use normal EFS for them.
That’s nice, but I have Vista Business. And I don’t want to spend more money right now. Plus, on my main system and pretty much all my clients, they have 2000 and XP. Guess what I found to get me by? TrueCrypt. www.truecrypt.org. Nice product!! And it’s open-source and free!!!!
With TrueCrypt, you can password protect an entire partition with AES 256-bit encryption. You can use multiple ciphers and even key based access using a USB drive. (Bitlocker can do the USB drive thing too!) It’s a tiny program running in the systray. And in my case, I am just running a password authentication and 256bit AES on a separate partition, so my performance is pretty good too, though not as fast without encryption. Now, with XP I will be making redirections to My Documents to that private drive, and saving all my “work-in-progress” there. That, to me, operates reasonably, and pretty darn secure. I could do more to secure it, like use a key file on my usb key drive. Then you cannot get into any of my private data without the key drive inserted! But I need to test that first.
TrueCrypt can also create a virtual drive from a file.ï¿½ That might be handy, but performance is just a little slower that way.ï¿½ It cannot encrypt your OS partition though, which is a drag, but at least I can encrypt a separate partition and you cannot see the file system structure.ï¿½ It has a lot of neat features. Definitely worth trying if you want lock down things.