File Encryption on Windows Box
The goal I am seeking is to make my data unrecoverable by a third party even if my computer is stolen and the hard disk falls into the wrong hands. I have found two solutions; both are transparent to normal user operations once set up. Both protect data only while it is locked away (the machine off, or the TrueCrypt volume dismounted): a thief who takes the machine while you are logged in with the data open takes the data with it.
Windows (XP Professional and 2003) File Encryption (EFS)
Follow these steps to enable Windows File Encryption (the Encrypting File System, EFS) on a standalone machine:
- If you already have a file encryption certificate (exported as a .pfx file, so that it contains both the private and the public key), import it with the Certificates console: run "certmgr.msc", right-click "Personal->Certificates" and choose "All Tasks->Import". Otherwise, Windows generates a self-signed certificate for you the first time you encrypt a file. In either case, export the certificate with its private key afterwards and keep that copy off the machine: if the profile or the key store is lost, the exported key is the only way back into your files.
- Make sure a file encryption recovery agent is set up; a standalone Windows XP machine has none by default. The command "cipher /r:filename" creates one, writing a .cer file with the certificate (public key) and a .pfx file with the private key. Run "gpedit.msc", go to "Computer Configuration->Windows Settings->Security Settings->Public Key Policies->Encrypting File System" and add the .cer file as a data recovery agent. Only the public key needs to be on the computer. Keep the recovery agent's private key (the .pfx, or an export of it if you imported the certificate into a store and then deleted it from there) off the machine and in a very safe place, because this key can decrypt all your encrypted files.
- Use SysKey to stop Windows from storing the system (startup) key on the computer: run "syskey" and choose "Password Startup". By default this key is generated automatically and kept in the registry, so anyone holding the disk can extract it and with it the logon password hashes in the SAM. Be clear about what this buys you: the DPAPI master key that protects your EFS private key is encrypted with a key derived from your logon password itself, not with the system key, so a thief with the disk can still guess your logon password offline against that master key file. The startup password keeps the stored hashes out of reach; only a long logon password keeps the private key out of reach.
- Encrypt at least everything under "Documents and Settings\<Your User Name>". Apply encryption to the folders rather than to individual files, so that files created in them later are encrypted too. Two caveats. First, if you install new applications afterwards, some installers use "Local Settings\Temp" and you may get an "Access Denied" error, because the installer runs under an account that has no key for your encrypted temp files; you can either disable encryption for that directory (not recommended) or run the installer from the Admin account (assuming you are not using the Admin account and the Admin account does not use file encryption). Second, EFS makes a plaintext backup copy while encrypting a file and deletes it afterwards, so plaintext of files that existed before you turned encryption on can remain in unallocated space; run "cipher /w:" with any folder on the volume once after encrypting to overwrite the free space. The page file and the hibernation file are outside EFS as well.
- The final effect is that every encrypted file carries its own random file encryption key, wrapped under two public keys (yours and the recovery agent's), so either corresponding private key can open it.
Internally, whenever a file is encrypted, a random symmetric file encryption key (FEK) is generated and used to encrypt the file's contents; on Windows XP SP1 and later and on Windows Server 2003 the default algorithm is 256-bit AES (Windows 2000 and XP without a service pack use DESX instead). The FEK itself is encrypted under your public key and under the public key of every recovery agent (1024-bit RSA for the certificates XP generates) and stored in a metadata field of the file, one entry per key. The effect is that anyone who has either your private key or a recovery agent's private key can decrypt your file. The private keys are protected by the Windows Data Protection API (DPAPI): each is encrypted with a random per-user master key, and that master key is encrypted with a key derived from the hash of the user's logon password. Windows never stores the logon password itself, only a one-way hash, and that hash is in turn encrypted with the SysKey system key. By default the system key is generated automatically and stored on the hard disk; to increase security, I recommend using SysKey to make Windows ask for a startup password every time it boots, so the key is derived from that password rather than read from disk. Keep in mind, though, that the master key can be attacked directly by guessing the logon password, so the whole chain is no stronger than that password.
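The envelope scheme just described, as an added example that is not part of the original post and not Microsoft's code: a fresh random FEK per file, wrapped once for the user and once for the recovery agent, so that either private key alone opens the file while an unrelated key opens nothing. AES-256-GCM for the file contents, RSA-OAEP for the wrapping, the holder labels "user"/"agent"/"thief", the constructed document text and the 1024-bit key size are this example's own choices; EFS has the same hybrid structure but its own modes and looks holders up by certificate thumbprint.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// encryptedFile models what EFS keeps for one file: the ciphertext plus the file
// encryption key (FEK) wrapped once per key holder (EFS's Data Decryption Field for
// the owner, one Data Recovery Field per agent). String labels are this example's assumption.
type encryptedFile struct {
	nonce      []byte
	ciphertext []byte
	wrappedFEK map[string][]byte
}

// must turns errors that cannot occur for valid input (AES with a 32-byte key,
// GCM over AES, reads from the OS random source) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// fileCipher builds AES-256-GCM for a FEK (GCM is this example's mode, not EFS's).
func fileCipher(fek []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(fek))))
}

// encryptFile draws a fresh random FEK, encrypts the content with it and wraps
// the FEK (RSA-OAEP here) under every public key handed in.
func encryptFile(plaintext []byte, holders map[string]*rsa.PublicKey) (*encryptedFile, error) {
	fek := make([]byte, 32) // 256-bit key, new for every file
	must(rand.Read(fek))
	gcm := fileCipher(fek)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	ef := &encryptedFile{nonce: nonce, ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		wrappedFEK: make(map[string][]byte, len(holders))}
	for name, pub := range holders {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.wrappedFEK[name] = w
	}
	for i := range fek { // the plaintext FEK must not outlive this call
		fek[i] = 0
	}
	return ef, nil
}

// decryptFile unwraps the holder's copy of the FEK with the given private key and
// decrypts the content; a missing entry or a non-matching key yields an error.
func decryptFile(ef *encryptedFile, holder string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := ef.wrappedFEK[holder]
	if !ok {
		return nil, fmt.Errorf("no wrapped FEK for holder %q", holder)
	}
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping FEK for %q: private key does not match", holder)
	}
	return fileCipher(fek).Open(nil, ef.nonce, ef.ciphertext, nil)
}

// roundTrip generates a user key, a recovery-agent key and an unrelated key,
// encrypts a constructed document for the first two and reports who can read it.
func roundTrip() (map[string]bool, error) {
	keys := map[string]*rsa.PrivateKey{}
	for _, name := range []string{"user", "agent", "thief"} {
		k, err := rsa.GenerateKey(rand.Reader, 1024) // XP-era EFS key size; Vista+ uses 2048
		if err != nil {
			return nil, err
		}
		keys[name] = k
	}
	doc := []byte("constructed sample: the numbers nobody else should see")
	ef, err := encryptFile(doc, map[string]*rsa.PublicKey{"user": &keys["user"].PublicKey, "agent": &keys["agent"].PublicKey})
	if err != nil {
		return nil, err
	}
	results := map[string]bool{}
	for _, name := range []string{"user", "agent"} { // each holder opens its own entry
		pt, err := decryptFile(ef, name, keys[name])
		results[name] = err == nil && bytes.Equal(pt, doc)
	}
	pt, err := decryptFile(ef, "user", keys["thief"]) // stolen disk, wrong private key
	results["thief"] = err == nil && bytes.Equal(pt, doc)
	return results, nil
}

func main() { fmt.Println(roundTrip()) } // map[agent:true thief:false user:true] <nil>
```

What the example deliberately leaves out is the DPAPI layer: here the private keys live only in memory, whereas on the real machine the user's private key sits on disk wrapped by a password-derived master key, which is exactly why the logon password, not the RSA key size, is the weakest link of the chain.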
TrueCrypt
TrueCrypt is open source software. It is very stable. It can be downloaded from the TrueCrypt website. Compared to Windows File Encryption, the differences are:
- You have to mount a TrueCrypt volume before you can use it, and it protects nothing while mounted: dismount it before leaving the machine unattended.
- TrueCrypt does not store the password/passphrase, or anything derived from it, on your computer; the volume key is derived from the passphrase each time you mount. There is also no recovery agent: lose the passphrase and the data is gone.
- TrueCrypt lets you choose from a variety of encryption algorithms with different key lengths, while Windows File Encryption uses 1024-bit RSA and 256-bit AES (at least, this is true for Windows XP SP1 and SP2).

