Science Forum Index » Cryptography Forum » semi-OT: disk encryption for Windows XP?
Paul Rubin (Guest)
Posted: Fri Dec 26, 2003 9:19 pm
A friend of mine wants to buy a laptop (any new one probably runs XP,
sigh) and needs a disk encryption program for it. PGPDisk apparently
uses a normal file as a container for a virtual disk, so for example
the swap area is unencrypted.
Any idea how big a vulnerability that is in practice? Anyone know an
alternative? Someone on alt.sys.pgp suggested BestCrypt but I wonder
if there are other opinions here about it. I used to know of some
other programs but I don't think they work under XP. I don't use
Windows myself so I don't pay careful attention to this stuff, though.
Thanks.
nemo outis (Guest)
Posted: Fri Dec 26, 2003 10:46 pm
In article <7xisk36lyo.fsf@ruckus.brouhaha.com>, Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote:
Quote: A friend of mine wants to buy a laptop (any new one probably runs XP,
sigh) and needs a disk encryption program for it. PGPDisk apparently
uses a normal file as a container for a virtual disk, so for example
the swap area is unencrypted.
Any idea how big a vulnerability that is in practice? Anyone know an
alternative? Someone on alt.sys.pgp suggested BestCrypt but I wonder
if there are other opinions here about it. I used to know of some
other programs but I don't think they work under XP. I don't use
Windows myself so I don't pay careful attention to this stuff, though.
Thanks.
You want an OTFE (on-the-fly encryption) program. Such a program
never decrypts to disk - only to memory. The HD need never
contain plaintext - encrypted data on the HD is dynamically
encrypted/decrypted from/to RAM.
There are two forms of OTFE programs, with two variants of the
first form. It sounds like you want the second form.
The first form is a container file which can store a large number
of encrypted files. The two variants are a true container file
in an existing partition, or a full encrypted separate partition.
Both variants of the first form appear as virtual drives.
The second form (the one it sounds like you want) encrypts the
*entire* hard disk including all partitions. (Actually there is
a small unencrypted bootup stub, typically on the MBR, which
remains unencrypted - the paranoid can check its hash, reload
from known-good media, etc.). The beauty of this is that *all*
software and data, including the Windows OS, is encrypted, thus
obviating (most) worries about "leaks" (e.g., swap file,
index.dat, registry, etc.) and making the placing of software
keyloggers, trojan horses, etc. nearly impossible (unless the
user unwittingly installs them from, say, the internet).
Examples of the first form, container OTFE, are PGP, Bestcrypt
(www.jetico.com), Drivecrypt by securstar (www.drivecrypt.com),
and Vdisk by ControlBreak (www.safeboot.com).
Examples of the second form - OTFE encryption of the entire HD -
are: Drivecrypt plus pack (www.securstar.com or
www.drivecrypt.com - $150), Safeboot Solo (www.safeboot.com -
$50), compusec (www.ce-infosys.com.sg - $0), Utimaco's Safeguard
Easy (www.utimaco.com - $?), and Winmagic (www.winmagic.com -
$?). There are some variations in features (token support,
algorithms, etc.) but all supply the core function (entire OTFE
HD encryption) very well.
For entire full HD encryption I have tried Drivecrypt Plus Pack
(legal copy), Safeboot Solo (legal copy), and Safeguard Easy
(bootleg copy). All worked very well, but I personally slightly
prefer Safeboot Solo because of its simplicity and bombproof
robustness. I have not tried compusec (but it's free!) or
Winmagic. Several of these have trial versions available for
download. All use one or more strong proven algorithms (AES,
etc.)
There are a number of subtle issues with these programs re
encrypted backups (with Ghost, Acronis, etc.) but encrypted
backups can be done (despite the disclaimers by the
manufacturers).
Regards,
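The post above notes that full-disk OTFE leaves a small unencrypted boot stub in the MBR and that the cautious user can check its hash. The following added example (not from the original thread or any of the products named) shows one way to do that: it fingerprints only the 446-byte code area of sector 0, skipping the partition table and disk signature that legitimate tools rewrite, and compares against a stored baseline. It assumes the stub fits in sector 0; products whose loader spills into later sectors need those sectors covered too. The sample MBR, baseline and the name `make_sample_mbr` are constructed here for illustration.

```python
import hashlib
import hmac

SECTOR = 512        # the MBR is the first 512-byte sector of the disk
CODE_AREA = 446     # bytes 0..445 hold boot code; 446..509 the partition table

def make_sample_mbr(code: bytes) -> bytes:
    """Constructed stand-in for a boot stub: code padded to 510 bytes plus the
    0x55AA boot signature. Not a real loader, just test input."""
    assert len(code) <= CODE_AREA, "stub must leave room for the partition table"
    return code.ljust(510, b"\x00") + b"\x55\xaa"

def has_boot_signature(sector: bytes) -> bool:
    """A valid MBR is exactly one sector and ends in 0x55 0xAA."""
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xaa"

def stub_fingerprint(sector: bytes) -> str:
    """SHA-256 over the code area only. The partition table and disk
    signature are excluded because partitioning tools rewrite them
    without touching the loader."""
    return hashlib.sha256(sector[:CODE_AREA]).hexdigest()

def verify_stub(sector: bytes, known_good_hex: str) -> bool:
    """True only if the sector is well-formed and its code area matches the
    baseline recorded when the stub was known to be clean."""
    if not has_boot_signature(sector):
        return False
    return hmac.compare_digest(stub_fingerprint(sector), known_good_hex)

def read_sector0(path: str) -> bytes:
    """Read sector 0 from a raw device or disk image. On Windows the path
    would be a physical-drive device name opened from an elevated prompt;
    on Unix-likes a block device or an image file."""
    with open(path, "rb") as f:
        return f.read(SECTOR)

if __name__ == "__main__":
    # Record a baseline from a known-good stub, then detect a one-byte change.
    good = make_sample_mbr(b"\xeb\x3c\x90" + b"CONSTRUCTED-STUB")
    baseline = stub_fingerprint(good)        # store this on trusted media
    tampered = bytearray(good)
    tampered[0x10] ^= 0xFF                   # one flipped byte in the code area
    print("clean:", verify_stub(good, baseline))
    print("tampered:", verify_stub(bytes(tampered), baseline))
```

Run the baseline step once from known-good media and keep the hash off the machine; re-check before typing the pre-boot passphrase.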
John E. Hadstate (Guest)
Posted: Sat Dec 27, 2003 11:04 am
"Paul Rubin" <http://phr.cx@NOSPAM.invalid> wrote in message
news:7xisk36lyo.fsf@ruckus.brouhaha.com...
Quote: A friend of mine wants to buy a laptop (any new one probably runs XP,
sigh) and needs a disk encryption program for it. PGPDisk apparently
uses a normal file as a container for a virtual disk, so for example
the swap area is unencrypted.
Any idea how big a vulnerability that is in practice?
A new issue is beginning to surface with Windows XP/2003: the concept of
trusted source for executables. I don't fully understand all the ins and
outs yet, but I can show you where I stumbled over it.
If I move some of my development projects to a network drive, then attempt
to debug them, things like Services will refuse to load. The executables
have to be on a hard drive that Windows recognizes as "local" as a
prerequisite to being accepted for loading.
In your case this is potentially a problem. If virtual drives are not
"local", you will have to copy some executables to the local hard drive in
order to run them (or just install them on the local hard drive and leave
them there). To my way of thinking, this represents a designed-in security
problem.
<soapbox>
I make a living by, among other things, writing software for Microsoft
O/Ses. I am not a Linux fan, but at this point it should be clear to
everyone that Microsoft has lost touch with reality. Almost everyone with
capable hardware would be better off using Linux and Star Office than with
Windows XP. The only people excepted would be those who actually rely on
and use the programmability of their Office tools or those whose hardware is
not supported by Linux.
</soapbox>
Paul Rubin (Guest)
Posted: Sat Dec 27, 2003 4:54 pm
"John E. Hadstate" <jh113355@hotmail.com> writes:
Quote: If I move some of my development projects to a network drive, then attempt
to debug them, things like Services will refuse to load. The executables
have to be on a hard drive that Windows recognizes as "local" as a
prerequisite to being accepted for loading.
Are you sure that's not a matter of unchecking a box in some dialog
somewhere, or maybe even just a bug?
Quote: I make a living by, among other things, writing software for
Microsoft O/Ses. I am not a Linux fan, but at this point it should
be clear to everyone that Microsoft has lost touch with reality.
Almost everyone with capable hardware would be better off using
Linux and Star Office than with Windows XP. The only people
excepted would be those who actually rely on and use the
programmability of their Office tools or those whose hardware is not
supported by Linux.
Yeah, I think this person needs to run a specific Windows app for
biostatistics or something like that. Otherwise I'd have probably
recommended an Apple Powerbook. I'm afraid to suggest Linux because I
don't want to spend the rest of my life doing free tech support for
anyone. That's part of the reason I stay away from Windows fairly
carefully and make sure I don't know very much about it, so I don't
have to answer too many tech questions from friends and relatives. ;-)
Do you really think people should use Star Office instead of Open
Office?
Thanks.