[dba-Tech] Windows 2000/XP native folder/file encryption

jwcolby jwcolby at colbyconsulting.com
Mon Jun 7 07:18:33 CDT 2004


I bought SecurStar and it seems to work well.  

John W. Colby 
www.ColbyConsulting.com

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Stuart McLachlan
Sent: Monday, June 07, 2004 8:11 AM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Windows 2000/XP native folder/file encryption


On 7 Jun 2004 at 13:36, Gustav Brock wrote:

> Hi all
> 
> How secure is this? Or to put it in other words: how likely is it that 
> someone picking up a lost laptop can not gain access to the content of 
> your encrypted files?
> 

Doubtful security - see below.


> We have a client requesting this level of security but our experience 
> with Windows 2000/XP native encryption is nil and we don't want to 
> "sell" the client false security.
> 

A better bet for securing data is to use the freeware TrueCrypt.
Get it while you can from http://www.freewebs.com/thinker2004/
There's currently a dispute going on over the technology between TrueCrypt
and SecurStar, who bought Scramdisk and E4M and turned them into DriveCrypt,
so www.truecrypt.org is currently down.

or the commercial PGPDisk (freeware if you pick up a version of PGP prior to
v6.5)

Either of these will create a *very* secure partition or virtual drive on
the laptop. Just use that drive to store all data. If you don't have the
passphrase to open the virtual drive, not only can't you access the data,
you can't even tell that there is any data to be recovered.

As for EFS:

From http://www.markusjansson.net/exp.html

There is very little reason to use EFS on Win2k standalone installation
since it does not offer real protection in Windows2k. It is possible to
reset the administrator's passphrase (even with Syskey enabled and stored in
floppy) and log in as admin. This can be done by simply booting the computer
in other operating system and deleting the SAM file and manipulating the
registry so that Windows does not want to have Syskey during startup. If
Syskey is not present, resetting the administrator's passphrase is much
easier. Administrator can do many things and is the default recovery agent
of EFS. In any case, once you have logged in as admin, you can decrypt all
data encrypted with EFS in that computer.

In theory, it *is* possible in standalone Windows 2000 to have secure EFS,
but it is very, very, very complicated to achieve. In theory, by exporting
the administrator's recovery certificate or designating some other recovery
agent AND implementing Syskey to passphrase or floppy, it *might* be
possible to prevent anyone from reading EFS encrypted files. It is always
possible to log in as administrator, but if the administrator does not have
the recovery keys, he can't decrypt EFS files... And since the Syskey
*prevents* tampering with the other accounts, it is in *theory* safe (if
hacker deletes SAM file, then other accounts lose their vital piece of
information and can't be used and therefore they can't get access to private
key). But in practise...well...who really knows? I STRONGLY recommend not to
use EFS in Windows 2000 unless the computer is a part of domain and the
settings/security policies are good and the actual computer where the
certificates are stored is in safe place so nobody can get a physical access
to it and Syskey for each computer is stored in passphrase or in floppy
format. Use PGPdisk instead and you don't have to worry about these kinds of
issues with Windows 2000!

 
-- 
Lexacorp Ltd
http://www.lexacorp.com.pg
Information Technology Consultancy, Software Development,System Support.


