Data Storage Operating Systems Privacy Security Software Windows

Windows Home Directory Encryption? 121

An anonymous reader writes "Home directory encryption has been available on Linux for a while now, and it is definitely a smart, useful feature as it is not usually necessary to encrypt the entire drive, just the private documents and software profiles in the home directory. Windows is getting better about keeping everything that needs to be private in the user's home folder. Is there a similar solution for Windows to securely, and preferably transparently, encrypt the home directory only? (Preferably open source so that the code is available for peer review)."
  • Re:Two suggestions (Score:4, Interesting)

    by cbhacking ( 979169 ) on Friday March 20, 2009 @02:29AM (#27265467) Homepage Journal

    Very good post, thank you.

    A couple small points:
    You can actually create a user profile outside of the standard location once your system is installed - no need to do it at install time. There's a single registry key that controls the folder where new accounts go; setting it, then creating a brand new account and logging into it, will put the profile in the new location.

    Alternatively, it is possible to change the location of an existing profile if you're determined enough. It's a bitch, though - definitely not recommended. I've found it MUCH easier to install, create a throw-away/backup account at install time, use it to set the location for new accounts to another drive, and then create your *real* account on that drive.

    Finally, while BitLocker is definitely complex on Vista, Win7 includes much better UI and more options for key protection. On my beta Win7 tablet, it's literally a matter of right-click on a drive, select "Turn on BitLocker" from the context menu, select protectors I want to use (say, a passphrase plus I need to have a specific USB device attached - no TPM needed, and all user-configurable), and let it do its thing for a little while.

    As a side note, Win7 BitLocker can also encrypt removable drives - very handy if you need to move sensitive data in physical media, and it includes a tool allowing you to decrypt them on older versions of Windows.
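
A check that ties the profile location and BitLocker status from the comment above together (an added example, not part of the original post). The comment does not name the registry key; this assumes it is the `ProfilesDirectory` value under `ProfileList`, and it assumes an elevated prompt with the `Get-BitLockerVolume` cmdlet available (Windows 8 / Server 2012 and later).

```powershell
# Added example: list where user profiles live and whether each volume
# is BitLocker-protected. Run from an elevated PowerShell prompt.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# ProfilesDirectory is the folder new accounts are created under
# (assumed to be the key the comment refers to; default %SystemDrive%\Users).
$newProfileRoot = (Get-ItemProperty -Path $profileList).ProfilesDirectory

# Each SID subkey records the actual path of an existing profile.
$paths = @($newProfileRoot)
$paths += Get-ChildItem -Path $profileList | ForEach-Object {
    (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
}

$report = foreach ($p in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
    $expanded = [Environment]::ExpandEnvironmentVariables($p)
    $mount    = [System.IO.Path]::GetPathRoot($expanded).TrimEnd('\')   # e.g. "D:"

    # Returns nothing for network paths or volumes BitLocker does not know about.
    $vol = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Path         = $expanded
        Volume       = $mount
        Protection   = if ($vol) { "$($vol.ProtectionStatus)" } else { 'Unknown' }
        VolumeStatus = if ($vol) { "$($vol.VolumeStatus)" } else { 'Unknown' }
        Protectors   = if ($vol) { $vol.KeyProtector.KeyProtectorType -join ', ' } else { '' }
    }
}

$report | Format-Table -AutoSize

# Flag every profile path that is not on a volume with protection turned on.
$report | Where-Object { $_.Protection -ne 'On' } | ForEach-Object {
    Write-Warning "$($_.Path) is on $($_.Volume), BitLocker protection: $($_.Protection)"
}
```

A profile moved to a second drive only benefits from BitLocker if that drive is itself encrypted, which is what the warning lines surface.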

  • by Futurepower(R) ( 558542 ) on Friday March 20, 2009 @06:53AM (#27266345) Homepage
    I suppose you mean to imply that TrueCrypt makes your computer slower. I suppose that may be true, but I haven't noticed it. TrueCrypt seems to be very, very well designed.

    Note that there are TrueCrypt versions for both Windows XP and Vista, Mac OS X, and Linux. All are free and open source.

    Because my hotkey script contains a password, I've installed AutoHotkey [autohotkey.com] in an encrypted TrueCrypt container. (A TrueCrypt container is either a file or an entire partition.) So, every time I use a hotkey, the system must get it from an encrypted file and be decrypted. I don't notice any difference in speed between that and when AutoHotkey was installed on an unencrypted OS partition.

    I've used TrueCrypt for years and had no problems with it. Most software has numerous shortcomings. The biggest problem I can think of now with TrueCrypt is that the documentation doesn't explain the /q command line option very well. That's very minor, a problem not even in the program itself. (Yes, I suggested a re-write in the TrueCrypt forum, and yes, I offered to do the re-writing myself.)

    I haven't yet experimented with encrypting the entire OS partition. I have experimented with encrypting an entire data partition; I didn't notice a speed difference. However, I found that it is better not to encrypt data partitions; it is easier to make an encrypted container on the data partition. That's especially true if the container can be the size of one DVD, 4.7 gigabytes, less the space necessary for the unencrypted TrueCrypt software. Then you can just dismount the container and burn a DVD backup of the container file and the TrueCrypt software.

    TrueCrypt has been 100% reliable for me. There has never been a hint of a problem that might cause loss of data.

    TrueCrypt developers: TrueCrypt is a wonderful gift to the world. Thanks!

    My opinion is that it's necessary that encryption software be open source; I would never run proprietary encryption software because of the possibility that some rogue employee installed a back door. Also, the U.S. government believes it can force U.S. commercial companies to install surveillance functions in both hardware and software; executives and employees who disagree can be put in prison secretly. I suppose that isn't done very often, but like everything a government does in secret, there are unintended consequences. One of the consequences is that in some cases it may be considered unsafe to use U.S. products. It isn't only the U.S. banking system that is out of control.

    Also, since I mentioned AutoHotkey, I will say that it is excellent, although the programming language is a bit quirky. My main AutoHotkey script is now 1563 lines; I use it a lot. It is Windows only.

    AutoHotkey is great for Hotkeys and also open source and free. If you want to run scripts that interact with a Windows GUI as though someone is moving a mouse and typing at a keyboard, then AutoIt [autoitscript.com] is better. AutoHotkey and AutoIt co-exist perfectly. The two had a common origin.

    TrueCrypt encrypted containers can be formatted as NTFS or FAT file systems. I haven't tried other file systems. All the Windows file system utilities work perfectly inside TrueCrypt encrypted containers: Windows Explorer, ChkDsk.exe, FsUtil.exe, Format.com, and Defrag.exe. I've found the free open source JkDefrag [kessels.com] to be a better defragmenter; it works perfectly inside TrueCrypt containers.
  • by Futurepower(R) ( 558542 ) on Friday March 20, 2009 @08:05AM (#27266657) Homepage
    Windows file encryption should not be used. It has extreme shortcomings. Many people have lost their data because of Windows file encryption. This information has been verified by several Microsoft technical support people.
  • Re:EFS? (Score:3, Interesting)

    by Zeinfeld ( 263942 ) on Friday March 20, 2009 @08:47AM (#27266931) Homepage
    "Preferably Open Source".

    This is not a good faith question. Nobody is going to waste their time writing an open source extension to a proprietary operating system that duplicates the functionality of the core O/S. And if they did the result is probably not going to be worth using because nobody with sense is going to use and test it.

    What this amounts to is that the slashcrew will post pretty much anything that panders to their biases and so they will post without thinking a question that is clearly designed to provide the answer 'no'.

    Same thing happens on the camera forums. For years Canon fanatics used to appear in Nikon forums to ask about full frame sensor cameras. Then Nikon came out with a model that beat the Canon and then some and they started asking about fast prime lenses. Now that Nikon have started releasing a new range of fast primes they are asking about constant aperture f/4 zooms. None of it makes the slightest sense. Very few professional photographers would regard the Canon lenses as superior to Nikon in optical quality and certainly not in range. The Canon super-teles were much better at focus speed at one point because Nikon had their heads up their butts with their insistence on only putting the motor in the camera. But that changed long ago.

    This type of question is not helpful unless what you really want to do is to have an argument for the sake of it and fix the terms of debate so you are bound to win.

    At this point we have five Windows boxes, three Macs and a Linux box operating in the house. Of the nine machines the Linux box was by far the hardest to get running because the geniuses at Ubuntu decided to write a 700Mb distribution on a format with a maximum design capacity of 650Mb.

    There is plenty of stupidity to go round. If people want to take pot shots, Linux is just as open to stupidity as anything else. When someone makes a similar attack on Linux the response is typically 'but these people are volunteers'.

    Windows has this feature built in, end of story.
