Re: Portable hard drive through airport security?



In message <c9lj03puflvsvq2i5bv982t7n69ap7m73q@xxxxxxx> BubbaGump
<BubbaGump@localhost> wrote:

On Tue, 27 Mar 2007 12:56:46 -0600, DevilsPGD
<spam_narf_spam@xxxxxxxxxxxx> wrote:

In message <4607a1b9$0$16398$88260bb3@xxxxxxxxxxxxxxxxx> "RAK"
<raknews@xxxxxxxxx> wrote:

Actually it is almost trivial to open an encrypted Word or Excel file if you
encrypt using the built-in MS system. There are plenty of programs which
will open these files. I once used one to open a file in the office where
someone had forgotten the password, but I forget which one I used.

Three letters: EFS. (Encrypted File System)

With Windows? How do you make sure you export all the key(s) and
other data used for the encryption so that they don't fall into the
wrong hands or get lost if your boot drive is ever corrupted?

How do you make sure you export all the keys? A sticky note on the
drive reminding you to export the keys. Once it's done, it's done, it
only takes a couple minutes.

Exporting the keys isn't tough, and there are a number of options, but I
would simply encrypt the drive, then send the key via a different method
when traveling if the goal is to prevent a physically compromised drive
from being accessed.

For example, if you're traveling between offices, simply transferring
the key via SSL and storing it within the LAN of the destination office
should be sufficient (this is roughly the technique I use when traveling
with confidential data, although I actually leave the key behind and VPN
in to retrieve it the first time, afterward the key is stored on both my
workstation at home and in the office, but not on the laptop physically
traveling with the removable drive)

I'm a bit paranoid about any sort of encryption that's Windows-based, about
how much the encryption is tied to a particular user account or some
other odd values uniquely chosen and hidden away in the registry or on
the boot drive. For instance, services like iTunes, the new Napster,
MovieLink, and CinemaNow do this for their media files.

It's not exactly hidden, the key is stored in the certificate store. You
can easily import it, export it, move it around, create recovery paths,
whatever else suits your fancy.

The upside is that it's completely transparent for day to day use, once
properly configured, and you can encrypt your %temp% directory and any
other places where data may end up unencrypted. The reason I'm not a
fan of PGP-style solutions is that it requires me to save an unencrypted
version of the file first and then encrypt it, which might leave
recoverable traces on the drive. There is also a chance I'll be in a
hurry and forget to encrypt something. It's also simple enough that my
mom can use it (although she doesn't know the technical details
about what she is using, or why it works, just that her data can't be
accessed on any PC other than her regular workstation at work without
calling IT)

How physically secure is EFS anyway?

http://www.elcomsoft.com/aefsdr.html

"With AEFSDR (Advanced EFS Data Recovery), protected files can be
decrypted, even when the system is not bootable so you cannot log on,
or when some encryption keys (private or master) have been tampered
with."

Funny, you can decrypt PGP with a copy of the keys too. In short,
EFS allows recovery agents to decrypt files as well, which helps out
when users don't bother to back up their keys (typical in a large network
environment)

Recovery Agents don't happen by accident, only by explicit administrator
action prior to when the files were initially encrypted and/or when the
original key was lost.

(In other words, if you don't do it in advance, you won't be able to
recover the data after you lose your key)

As I understand it, EFS is essentially considered unbreakable in
practical senses (the whole "heat death of the universe would occur
first" problem), as long as the keys are properly secured, assuming
there are no logic flaws in the implementation.
--
Insert something clever here.
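
Added example, not part of the original post: one way to script the workflow described above (encrypt the folder, export the EFS key to a password-protected PFX, and confirm that the travelling laptop holds no copy of the private key). The paths and function names are hypothetical, and it assumes Windows 8 / Server 2012 or later (PKI module) and an NTFS-formatted drive.

```powershell
# Added example. Paths and function names are placeholders, not from the post.
# Assumes the PKI module (Windows 8 / Server 2012+) and an NTFS volume,
# which EFS requires.
$Folder = 'E:\Confidential'              # hypothetical folder on the portable drive
$OutDir = "$env:USERPROFILE\efs-export"  # hypothetical location for exported keys
$EfsOid = '1.3.6.1.4.1.311.10.3.4'       # Encrypting File System enhanced key usage

function Get-EfsCertificate {
    # EFS certificates in the current user's store that still hold a private key.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid)
    }
}

function Export-EfsKey {
    # Writes one password-protected PFX per EFS certificate; returns the file paths.
    param([string]$Directory, [securestring]$Password)
    New-Item -ItemType Directory -Force -Path $Directory | Out-Null
    foreach ($cert in Get-EfsCertificate) {
        $pfx = Join-Path $Directory ("efs-{0}.pfx" -f $cert.Thumbprint)
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $Password | Out-Null
        $pfx
    }
}

function Test-EfsKeyAbsent {
    # True when none of the given thumbprints has a private key on this machine.
    param([string[]]$Thumbprint)
    $left = Get-EfsCertificate | Where-Object { $Thumbprint -contains $_.Thumbprint }
    -not $left
}

# --- On the workstation that keeps the key ---
# Encrypting first matters: cipher creates the EFS certificate on first use.
cipher /e "/s:$Folder"
$pw = Read-Host -AsSecureString 'Password protecting the exported key'
$exported = Export-EfsKey -Directory $OutDir -Password $pw
$thumbs = $exported | ForEach-Object {
    [IO.Path]::GetFileNameWithoutExtension($_) -replace '^efs-'
}

# --- At the destination office, after moving the PFX over a separate channel ---
# Import-PfxCertificate -FilePath <pfx> -CertStoreLocation Cert:\CurrentUser\My -Password $pw

# --- On the travelling laptop, with $thumbs copied from the workstation ---
if (-not (Test-EfsKeyAbsent -Thumbprint $thumbs)) {
    Write-Warning 'This machine holds the EFS private key for the portable drive.'
}
```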