Windows Home Directory Encryption? 121
An anonymous reader writes "Home directory encryption has been available on Linux for a while now, and it is definitely a smart, useful feature as it is not usually necessary to encrypt the entire drive, just the private documents and software profiles in the home directory. Windows is getting better about keeping everything that needs to be private in the user's home folder. Is there a similar solution for Windows to securely, and preferably transparently, encrypt the home directory only? (Preferably open source so that the code is available for peer review)."
Simple solution (Score:5, Informative)
(2) Left Click Properties
(3) Left Click "Advanced" near the bottom
(4) Check with you Left Moust button "Encrypt contents to secure data"
(5) Left Click OK, wait until it finishes
The directory would appear green thereafter, indicated it's encrypted and can only be accessed by the owner. Home edition might not have encryption enabled, mind you.
Google for "windows directory encryption" would lead you to the answer anyway.
Truecrypt: Open source, free, works very well. (Score:5, Informative)
Re:Simple solution (Score:2, Informative)
just fyi, you can only decrypt an encrypted Windows directory under the same install of Windows that it was originally encrypted on.
Two suggestions (Score:5, Informative)
1. TrueCrypt
This is a simple but very powerful encryption utility that is also open-source. It performs its magic by either encrypting volumes or by using encrypted file containers (a file which contains encrypted data that can be mounted as a virtual drive). The file container approach is very easy to use but you won't be able to use it to encrypt your _entire_ home directory, only elements of it. Effectively, you'd create one or more encrypted file containers and store everything sensitive in them. You could use full volume encryption by storing your entire user profile on a seperate volume, but this is obviously more difficult to setup, depending on your OS. To do something like the latter properly in something like Vista, you'd probably need to do it at install time through an unattend and state which drive the Users directory should be located on, as changing this once installed is not simple and ill-advised.
2. NTFS EFS (Encrypting File System)
Included with all "professional" (ie. not Home/Starter/etc..) editions of Windows since Windows 2000. Enables file-system level encryption tied into NTFS to encrypt individual files/folders on any NTFS device. This has some significant pros, in that not only is it included as a stock component of the OS, but is extremely easy to setup. Just right click on the folder/file you want to encrypt and do so through the Advanced properties. However, getting into the guts of EFS and fiddling with encryption certificates, ciphers, etc... requires some additional skill and research as there is no simple unified front-end to managing EFS like there is for TrueCrypt.
It's important to note that these two encryption suites are very different in how they work. Whereas TC stores data in file containers (unless you encrypt the entire volume), EFS works at the filesystem level and is completely transparent to userland, enabling transparent encryption of anything on the NTFS volume that is user-related. Note that EFS binds to user accounts. You generally can't use EFS to encrypt data that is outside the scope of a user account (such as system files). You'll need full volume encryption technology for that.Microsoft also has BitLocker for full-volume encryption, but this is Vista only, and for home setups, needlessly complicated and difficult to setup, not to mention the TPM requirements for full functionality.
Other things to note would be the importance of portability. TrueCrypt works across Windows/Unix, whereas EFS is obviously specific to Microsoft. I'm not sure if there's an OSS implementation for reading EFS encrypted data under Unixes, but even if there was, I think you'd be mad to use it. You shouldn't be using EFS if portability between OS's is a concern. Also note that whereas TC will have a seperate password, EFS will use your account password for encrypting your user data. This means that if you lose/forget your account password, you _WILL_ lose your EFS encrypted data, unless you've set up things like recovery certificates. Further, if you use a password reset tool to reset your account password outside of your user account, you _WILL_ lose all your EFS encrypted data. Your account password is the key to your EFS data, and so losing it or changing it improperly can have very nasty consequences.
I can't really recommend either method, you really need to research and have a play with both to decide which you prefer. I will say that if you are going the full-volume encryption route, I'd highly recommend TrueCrypt over BitLocker for home setups. The general trend I've observed from using both is that they both are very powerful tools, and can both easily get the job done when setup properly. However, TrueCrypt is more geared towards home/smaller setups, while EFS/BitLocker can work on anything from an individual box to a centrally managed enterprise network. T
Re:EFS? (Score:5, Informative)
In Windows they call home directories 'user profiles'. Commonly (in a windows domain environment), they live on a server, and automatically get copied to whatever workstation you log into.
Folders in there could be encrypted, however, certain folders in your profile are loaded by the system, and you may be unable to login if they get encrypted.
If you use EFS, your certificates and private keys for actually decrypting/encrypting files, are stored in your profile too.
Downside of EFS: your home directory decryption is linked to your login password, and a digital certificate.
If someone alters your password not through the normal password change process (i.e. an Administrator uses 'reset password'), you lose access to your private keys, and thus your encrypted files.
Because the cert and keys in the keystore are required, if you backup encrypted files to a USB thumbdrive using NTFS, you can't read them on another computer, even if you know the login password you were using when you encrypted them.
*It's too dumb to realize you only want it encrypted while it's in that folder.
Re:Simple solution (Score:5, Informative)
Vista and Windows Server 2008 prompt you to back up your encryption key. Then, if you do need to reinstall, you import that key into your key store, and you can decrypt the files.
With XP, you have to manually make a data recovery agent key by using cipher /r, then import the created certificate as a data recovery policy.
TrueCrypt + TCGina (Score:5, Informative)
Password (Score:4, Informative)
One very important thing to remember if you choose to use Windows built in encryption is that it uses the Windows password to encrypt the keys, and by default that password is stored using an LM hash which is extremely insecure (in addition to the NTLM which is less insecure).
To prevent this, you can either modify a registry [microsoft.com] setting to disable LM Hashes, or you can pick a password 15 characters or longer (since LM is limited to 14, it will be filled in with garbage and NTLM used instead).
Note that this also applies if you use TrueCrypt or some other program, but use the same password as you use for Windows.
Re:Password (Score:3, Informative)
You raise an excellent point though, checking the password policy strength is a very good idea. You should ideally be mandating the usage of NTLMv2, and forbidding the usage of anything earlier (NTLMv1/LM) in the system security policy. If this is just a home box, not connected to a corporate network, then this should not be a problem.
LM is required for legacy Windows clients (think 9x and pre-win2k in some cases). Samba can handle NTLM, I'm not certain about NTLMv2. Really, it's unlikely anyone these days has a need for LM hashes, unless you require things like file sharing with ancient Windows operating systems. In which case, you have bigger problems
Re:TrueCrypt + TCGina (Score:3, Informative)
Mod this one up.
This is 100% the answer the original post was looking for.
It's open source
It encrypts only the users profile folder
Doesn't require the business, or Vista Ultimate edition of Windows.
And It's not really an ugly hack. the GINA api's are stable and allow Windows to decrypt the data prior to reading the profile.
Re:TrueCrypt is not noticeably slow. (Score:2, Informative)
TrueCrypt encrypted containers can be formatted as NTFS or FAT file systems. I haven't tried other file systems.
I can add ext3 to the list of filesystems known to work with TrueCrypt, useful for apps such as Nautilus and TightVNC that create files with colons in their name.
Also, although this is slightly off-topic, you can easily store a Linux home directory and mount it in place, i.e. just one big volume in /home/username which you can mount with
$ truecrypt -t volume.tc ~
and the full home directory replaces the previously empty directory.
The OP is asking for something similar on Windows but that's much trickier on NTFS and Windows for a variety of reasons - TrueCrypt still doesn't allow mounting at a junction point, and a directory used for this purpose must be empty, and by the time you've logged in, you've already got a lot of files open (e.g. your registry hive).
Re:EFS? (Score:2, Informative)
If someone alters your password not through the normal password change process (i.e. an Administrator uses 'reset password'), you lose access to your private keys, and thus your encrypted files.
You can mitigate this though by backing up your EFS certificate, which is recommended.
http://technet.microsoft.com/en-us/library/cc756891.aspx [microsoft.com]