
Taking Charge of Your Own Data Security: A Review of Encryption Tools for the Windows PC

John Kemp
Senior Security Engineer
kemp@ns.uoregon.edu

In recent months a number of high-profile data security breaches have made headlines. Most recently, in May 2006, the U.S. Department of Veterans Affairs reported the theft of a laptop containing the records of more than 26 million veterans, and Texas Guaranteed Student Loan Corporation lost equipment containing the names and Social Security numbers of 1.3 million borrowers. In May 2005, a credit card processing company, CardSystems Solutions, revealed that up to 40 million credit card numbers had been exposed in a network security breach. And in January 2005, George Mason University disclosed that a campus ID card server had been compromised by a network break-in, possibly affecting as many as 32,000 people. Such incidents have raised awareness of the importance of data security.

What can you do to protect yourself? If you have sensitive information stored on your personal computer, you should consider using file encryption. If a desktop or laptop is stolen but the critical data on it has been encrypted under a key that only you can unlock, it is much less likely that the data will be exposed. Similarly, if a computer connected to the Internet suffers a network break-in, encrypted data is less likely to become the source of more serious problems. Keep in mind what encryption does not do: it protects data at rest, and only as well as the passphrase or key that guards it. While a file is decrypted for editing, its contents are available to any program running on the machine, including malware, so encryption complements patching, antivirus software, and firewalls rather than replacing them. Below is a description of some of the more popular tools that can be used to perform file and folder encryption on Windows systems.

File Encryption Utilities

1. Axantum AxCrypt
http://axcrypt.axantum.com/

AxCrypt is a free file encryption utility for Windows that integrates very well with the Windows environment. Upon installation, the utility adds an AxCrypt entry to the Windows Explorer right-click menu that allows you to encrypt or decrypt files. Encrypted files are saved with a .axx extension and are encrypted with AES. The key is derived either from a passphrase, which can be up to 22 characters in length, or from a randomly generated key file.

AxCrypt has some features that make it very easy to use. When a file is decrypted, the program automatically launches the application associated with the file type. When that application is closed, the utility automatically re-encrypts the edited file, so you don't have to remember to encrypt the file after you're done editing. The program can also be configured to cache the passphrase in memory, so that you don't have to type it repeatedly when opening and closing the file for repeated edits. These features can be enabled or disabled from the right-click menu. When a folder is selected, the program encrypts or decrypts all of the files within it. The program also includes support for self-extracting .exe files. Two of these conveniences deserve a caution. A passphrase cached in memory is available to anyone who sits down at the unlocked machine and to any malicious software running on it, so cache it only for a working session on a machine you control and clear it before you walk away. Self-extracting .exe files are handy for recipients who do not have AxCrypt, but they ask the recipient to run an executable received from outside, which is exactly what users are taught not to do and what mail gateways commonly block; where you can, send the .axx file and a link to the program instead.

Fig. 1: The AxCrypt dialog box.

2. CP Lab's File Encryption XP
http://www.cp-lab.com/filecrypt/

CP Lab offers some fairly easy-to-use encryption products. One of these is "File Encryption XP," a straightforward program that allows you to encrypt and decrypt files or folders. The program adds "Encrypt," "Decrypt," and "Wipe" entries to the Windows Explorer right-click menu. It uses the Blowfish algorithm for encryption, and encrypted files are identified by a .fex extension. You may also use this program to create standalone, password-protected self-extracting files.

It should be noted that the operation of File Encryption XP is as simple as it can be. Encrypting a file creates the .fex file, and decrypting it writes the original plaintext file back to disk. Users must remember to re-encrypt the file when they are finished editing, and should use the Wipe option on the plaintext copy rather than simply deleting it, since a file deleted in the normal way can often be recovered from the disk. The program costs between $10 and $25, depending on the number of licenses purchased.
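Both AxCrypt and File Encryption XP do the same basic job: turn a passphrase into a key and produce a file that cannot be read without it. The following is an added example written for this article, not code from either product and not their file format; it shows the parts any such tool needs (a fresh per-file salt, a deliberately slow key derivation, separate encryption and integrity keys, and an authentication tag checked before any plaintext is released) and demonstrates that a wrong passphrase and a modified file are both rejected. The container layout and MAGIC value are invented here, and because the Python standard library has no AES, HMAC-SHA256 run in counter mode stands in for the AES cipher a real tool would use.

```python
"""Password-based authenticated file container (added example; hypothetical
format, not AxCrypt or File Encryption XP)."""
import hashlib
import hmac
import os
import struct

MAGIC = b"EXFILE01"       # hypothetical container signature
PBKDF2_ROUNDS = 100_000   # slows down offline passphrase guessing
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def derive_keys(passphrase, salt):
    """Derive independent encryption and MAC keys from one passphrase."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 PBKDF2_ROUNDS, dklen=64)
    return master[:32], master[32:]


def keystream_xor(key, nonce, data):
    """XOR data with HMAC-SHA256(key, nonce || block counter) blocks.
    This is a PRF in counter mode, standing in for AES-CTR."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", offset // 32),
                         hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_bytes(passphrase, plaintext):
    """Return MAGIC || salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    header = MAGIC + salt + nonce
    body = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def decrypt_bytes(passphrase, container):
    """Return the plaintext; raise ValueError on a wrong passphrase or any
    modification of the container. The tag is verified before decrypting."""
    if len(container) < HEADER_LEN + TAG_LEN or not container.startswith(MAGIC):
        raise ValueError("not a container produced by this example")
    salt = container[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = container[len(MAGIC) + SALT_LEN:HEADER_LEN]
    body, tag = container[HEADER_LEN:-TAG_LEN], container[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, container[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or file has been modified")
    return keystream_xor(enc_key, nonce, body)


def passphrase_unlocks(passphrase, container):
    """True if the passphrase opens the container, False otherwise."""
    try:
        decrypt_bytes(passphrase, container)
        return True
    except ValueError:
        return False


def rejects_tampering(passphrase, container):
    """Flip one ciphertext byte and confirm decryption refuses the result."""
    damaged = bytearray(container)
    damaged[HEADER_LEN] ^= 0x01
    return not passphrase_unlocks(passphrase, bytes(damaged))


def encrypt_file(passphrase, src_path, dst_path=None):
    """Encrypt src_path into dst_path (default: src_path + '.enc')."""
    dst_path = dst_path or src_path + ".enc"
    with open(src_path, "rb") as f:
        container = encrypt_bytes(passphrase, f.read())
    with open(dst_path, "wb") as f:
        f.write(container)
    return dst_path


def decrypt_file(passphrase, src_path, dst_path):
    """Decrypt src_path into dst_path; raises ValueError rather than writing
    garbage when the passphrase is wrong or the file was altered."""
    with open(src_path, "rb") as f:
        plaintext = decrypt_bytes(passphrase, f.read())
    with open(dst_path, "wb") as f:
        f.write(plaintext)
    return dst_path
```

The order of operations in decrypt_bytes is the point: the tag covers the header and the ciphertext and is checked with a constant-time comparison before a single byte is decrypted, which is what makes a wrong passphrase indistinguishable from a corrupted file and prevents an attacker from quietly altering the contents. Note also what the example shares with the reviewed tools: the decrypted file written by decrypt_file is ordinary plaintext on disk, and it is up to the user (or an auto-re-encrypt feature like AxCrypt's) to get rid of it.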

3. PKWare PKZip9 for Windows
http://www.pkware.com/

PKWare offers a number of products built around its popular zip file compression format. PKZip9 adds encryption features to the basic archiver. The program adds a PKZip entry to the Windows Explorer right-click menu. In the Security section of the PKZip options, you can select either an older or a newer style of encryption. The older password-based PKZip encryption is chosen by selecting "Traditional: Password." This format, which nearly every zip tool can produce and read, is not secure: it can be broken with known-plaintext attacks and its passwords can be guessed very quickly offline, so treat it as casual access control rather than protection for sensitive data. Newer types of encryption are chosen by selecting "Strong: Password," which enables the AES or 3DES options. PKZip also supports the use of certificates for authentication and for digital signatures.
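The choice between "Traditional" and "Strong" is recorded inside the archive, so you can check which one a zip file you have been sent actually uses before relying on it. The following added example, written for this article and not PKWARE's code, parses a zip central directory and reports the encryption claimed for each entry, distinguishing Traditional (ZipCrypto) encryption, PKWARE's strong-encryption format and the separate WinZip AES scheme that other tools produce. The field layouts are those of PKWARE's APPNOTE; the sample archive it builds is constructed for the example and holds dummy bytes rather than real ciphertext, since only the headers matter here.

```python
"""Report which encryption each entry of a zip archive claims to use
(added example, not PKWARE code; sample archive constructed inline)."""
import struct

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0: entry is encrypted
FLAG_STRONG = 0x0040           # bit 6: PKWARE strong encryption
METHOD_WINZIP_AES = 99         # WinZip AE-x marks AES entries with method 99
EXTRA_PKWARE_STRONG = 0x0017   # extra field carrying the PKWARE algorithm id
EXTRA_WINZIP_AES = 0x9901      # extra field carrying the WinZip AES strength
PKWARE_ALG = {0x6601: "DES", 0x6603: "3DES-168", 0x6609: "3DES-112",
              0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256",
              0x6720: "Blowfish", 0x6721: "Twofish", 0x6801: "RC4"}


def parse_extra(extra):
    """Split an extra field into {header_id: data}."""
    fields, pos = {}, 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        fields[hid] = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
    return fields


def classify_entry(flags, method, extra):
    """Describe an entry's encryption from its central-directory fields."""
    fields = parse_extra(extra)
    if not flags & FLAG_ENCRYPTED:
        return "not encrypted"
    if method == METHOD_WINZIP_AES and EXTRA_WINZIP_AES in fields:
        # data layout: vendor version(2), 'AE'(2), strength(1), real method(2)
        strength = fields[EXTRA_WINZIP_AES][4]
        return "WinZip AES-%s" % {1: 128, 2: 192, 3: 256}.get(strength, "?")
    if flags & FLAG_STRONG:
        # data layout: format(2), AlgID(2), bit length(2), flags(2), ...
        field = fields.get(EXTRA_PKWARE_STRONG)
        if field is None or len(field) < 4:
            return "PKWARE strong encryption: algorithm not recorded"
        alg_id = struct.unpack_from("<H", field, 2)[0]
        return "PKWARE strong encryption: " + PKWARE_ALG.get(alg_id, hex(alg_id))
    return "Traditional PKWARE (ZipCrypto): weak, known-plaintext attacks"


def inspect_zip(data):
    """Return [(name, description)] for every central-directory entry."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, count, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    results, pos = [], cd_offset
    for _ in range(count):
        if struct.unpack_from("<I", data, pos)[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        (_, _, flags, method, _, _, _, _, _, nlen, xlen, clen,
         _, _, _, _) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        results.append((name, classify_entry(flags, method, extra)))
        pos += 46 + nlen + xlen + clen
    return results


def build_zip(entries):
    """Assemble a minimal archive from (name, flags, method, extra, payload)
    tuples. Payloads are stored as given; no compression or encryption."""
    local, central = b"", b""
    for name, flags, method, extra, payload in entries:
        nameb, offset = name.encode("cp437"), len(local)
        sizes = (0, len(payload), len(payload))   # crc32, compressed, original
        local += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, method, 0, 0,
                             *sizes, len(nameb), len(extra)) + nameb + extra + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags,
                               method, 0, 0, *sizes, len(nameb), len(extra), 0,
                               0, 0, 0, offset) + nameb + extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def sample_archive():
    """Constructed sample: one entry of each kind discussed in the review."""
    aes256 = struct.pack("<HHH2sBH", EXTRA_WINZIP_AES, 7, 2, b"AE", 3, 8)
    pk_aes128 = struct.pack("<HHHHHH", EXTRA_PKWARE_STRONG, 8, 2, 0x660E, 128, 1)
    return build_zip([
        ("readme.txt", 0, 8, b"", b"hello"),
        ("payroll.xls", FLAG_ENCRYPTED, 8, b"", b"\x00" * 14),
        ("payroll2.xls", FLAG_ENCRYPTED | FLAG_STRONG, 8, pk_aes128, b"\x00" * 8),
        ("taxes.pdf", FLAG_ENCRYPTED, METHOD_WINZIP_AES, aes256, b"\x00" * 8),
    ])


if __name__ == "__main__":
    for name, what in inspect_zip(sample_archive()):
        print("%-14s %s" % (name, what))
```

Run against a real archive by reading its bytes and passing them to inspect_zip. The report says what the headers claim, which is what any zip tool will act on; it does not prove the data was encrypted well, so an entry flagged Traditional should be re-sent with strong encryption rather than argued about.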

As you might expect, PKZip has the look and feel of a compression utility. File operations take the form of "adding to an archive" or "extracting from an archive." For those users who are working with large files and frequently require compression as part of their work process, it can be useful to have both encryption and compression available within the same program.

PKWare has a number of products that build upon the foundation provided by its original compression product. A PKZip command-line add-on can be purchased for automating batch processing. SecureZIP, a companion product, adds email features such as the ability to specify multiple recipients when encrypting to certificates. The PKZip program itself costs between $9 and $29, depending on the number of licenses purchased.

4. GNU Privacy Guard
http://www.gnupg.org/
http://www.gpg4win.org/

GnuPG is a free implementation of the OpenPGP standard. PGP is a fully distributed public-key system that can be used for digital signatures and file encryption. The keys used by PGP are created by each individual user. The private (secret) key stays with the user and is kept in a secure location; it is also protected by a user-selected passphrase. The other half of the key pair is the public key, which the user can publish to a public keyserver. Anyone can fetch it from there to encrypt a document for that user, or to verify the digital signature on a document that user sent. Because keyservers accept uploads from anyone, the name and email address on a key prove nothing by themselves: before trusting a downloaded key, compare its fingerprint with one the owner has given you in person or over the phone, or rely on signatures from people whose keys you have already verified (PGP's "web of trust"). PGP is often associated with email security. The Enigmail plugin for Mozilla Thunderbird, for example, is a popular tool for adding PGP support to email.
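What the fingerprint you read to a correspondent actually is, as an added example written for this article and not part of GnuPG: RFC 4880 section 12.2 defines the version 4 fingerprint as SHA-1 over the octet 0x99, the two-octet packet length, and the public-key packet body, and the short key ID that most tools display is just the last eight bytes of it. The code builds an OpenPGP v4 RSA public-key packet from a tiny modulus constructed for the example (not a usable key), computes the fingerprint and key ID, parses the packet back, and compares a fingerprint the way a person reads it back against the one a keyserver returned.

```python
"""OpenPGP v4 fingerprint and key ID from a public-key packet
(added example; RSA key material below is constructed and not usable)."""
import hashlib
import struct

ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def mpi(value):
    """Encode an integer as an OpenPGP multiprecision integer:
    two-octet bit count followed by the big-endian magnitude."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def read_mpi(data, pos):
    """Decode an MPI at pos; return (value, position after it)."""
    bits, = struct.unpack_from(">H", data, pos)
    nbytes = (bits + 7) // 8
    return int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes


def rsa_public_key_body(created, n, e):
    """Body of a version 4 public-key packet for an RSA key (RFC 4880 5.5.2):
    version, creation time, algorithm id 1, then the MPIs n and e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def public_key_packet(body):
    """Old-format packet header for tag 6 with a two-octet length is the
    single byte 0x99, so this is exactly the input the fingerprint hashes."""
    return bytes([0x99]) + struct.pack(">H", len(body)) + body


def fingerprint(body):
    """v4 fingerprint = SHA-1(0x99 || body length || body), 20 bytes."""
    return hashlib.sha1(public_key_packet(body)).digest()


def key_id(body):
    """The 64-bit key ID is the low-order eight octets of the fingerprint."""
    return fingerprint(body)[-8:]


def parse_public_key_body(body):
    """Decode a v4 public-key packet body (RSA keys only in this example)."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    created, algo = struct.unpack_from(">IB", body, 1)
    info = {"created": created, "algorithm": ALGO_NAMES.get(algo, algo)}
    if algo == 1:
        n, pos = read_mpi(body, 6)
        e, pos = read_mpi(body, pos)
        info.update(n=n, e=e)
    return info


def format_fingerprint(fp):
    """Render as GnuPG prints it: ten groups of four hex digits."""
    hexstr = fp.hex().upper()
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def fingerprints_match(spoken, from_keyserver):
    """Compare a fingerprint read back out of band with the one on the
    downloaded key, ignoring grouping and case. Only a full 40-digit match
    counts; a matching 8-digit key ID is not evidence."""
    norm = lambda s: "".join(s.split()).upper()
    return len(norm(spoken)) == 40 and norm(spoken) == norm(from_keyserver)


if __name__ == "__main__":
    body = rsa_public_key_body(1150000000, 0xC3A5, 0x10001)   # constructed key
    print("fingerprint:", format_fingerprint(fingerprint(body)))
    print("key id:     ", key_id(body).hex().upper())
```

The last function encodes the practical rule: short key IDs collide easily and are cheap to forge, so the out-of-band comparison must cover the whole fingerprint.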

GnuPG is free, and you may download a pre-compiled Windows version of the software directly from the gnupg.org website. This version includes the primary GPG application, as well as utilities such as the GNU Privacy Assistant (GPA). GPA gives you a Windows utility for key management, and it includes a File Manager that can be used to perform encryption and signing operations on files. The Gpg4win package is similar to this basic package but also includes the GPGee plugin for Windows Explorer file encryption and the GPGol plugin for Microsoft Outlook email encryption.

Windows Encrypting File System

The Windows Encrypting File System (EFS) also uses public-key cryptography: each file is encrypted with a random symmetric key, and that key is stored with the file, encrypted to the user's EFS certificate. In this case, the tools for generating and managing the keys are already included in the operating system. Key management tends to be handled in a more tightly controlled manner when an organization uses EFS as opposed to PGP. Key storage can be integrated into an Active Directory domain or be included as part of a larger Public Key Infrastructure. Recovery Agents can be designated to support the recovery of encrypted data under special circumstances (the file key is additionally encrypted to the agent's certificate). As you might expect, the management of this kind of public key infrastructure can be complex.

Once it is up and running, the operation of EFS is largely transparent. The user's EFS certificate and private key are unlocked by the operating system at logon, and from that point on file access requires no special action. You enable encryption simply by setting the Encrypt attribute for a file or folder in Windows Explorer (Properties, Advanced). Two consequences follow from this transparency. First, EFS protects data only while you are not logged on: anything running in your session, including malware, can read the files just as you can. Second, the data is only as recoverable as the key. Export your EFS certificate and private key (the cipher /x command does this) to a backup stored off the machine; if the user profile is deleted or Windows is reinstalled and no recovery agent was configured, the encrypted files cannot be read.

Please note that NTFS is the only filesystem that supports EFS. Copying an encrypted file to a FAT volume, such as most USB flash drives, or attaching it to an email message produces an unencrypted copy. Also be aware that the NTFS encryption attribute creates additional challenges when a full system recovery is required: a backup that preserves the encrypted files is useless without the matching key or a recovery agent, while a backup made from within the user's logged-on session contains plaintext.

Other Encryption Tools

This article has focused primarily on file encryption. Encryption can be applied at many different stages of the data management life cycle. For example, there are products that encrypt at the application level, at the filesystem level, at the partition level, or at the whole-disk level. Some of the products are software only, and some include hardware components. Some use simple passwords, while others use smart cards, USB tokens, or fingerprint readers to hold or unlock the key that decodes the encrypted data.

One example of a simple hardware disk encryption interface being bundled with external drive enclosures is the Enova X-Wall IDE interface. Enova manufactures IDE interface boards that apply DES or 3DES encryption to the data stream as it travels to and from the hard disk. Choose the 3DES version: single DES, with its 56-bit key, has been brute-forced in practice since 1998 and no longer counts as adequate protection. Tokens included with the drive are keyed to match the specific interface; they plug into external connectors wired to the board, and when the token is removed the drive is inaccessible. Since nothing else can unlock the drive, keep the spare token in a safe place away from the drive itself. The CoolDrives SecureDisk enclosure and the Macally PHR-250CE enclosure are examples of products that use this type of technology.

There are also a number of software products that create encrypted virtual filesystems, or volumes. A password or other token is requested when the volume is mounted; once mounted, encryption and decryption are transparent to the user, and once dismounted the contents are protected again. The open-source product TrueCrypt is one example of this kind of utility. Jetico's BestCrypt and Cypherix's Cryptainer are examples of commercial products of this kind.

At the other end of the spectrum are small, self-contained applications that provide secure storage for a handful of items. Password manager and electronic wallet software are examples of these kinds of applications. People typically use them to keep passwords or credit card numbers in an easy-to-use, encrypted location; since everything in such a store is protected by one master password, that password deserves particular care. KeePass Password Safe is an example of a freely available password storage application (see Fig. 2 below). It is available for Windows, PocketPC, and various flavors of Unix. Another open source password storage utility is Password Safe, which you may download from http://passwordsafe.sourceforge.net/. Illium Software's eWallet is an example of a commercial password storage utility for PocketPC and Windows.

Summary

The type of data security approach you use will depend on a number of factors. In some cases, the approach will be dictated by the type of data you are dealing with. In other cases, it will simply be a matter of personal preference. Either way, there are plenty of applications to choose from, and you should be able to find one that fits your requirements.

When you are working with sensitive data, be aware of the risk level associated with that data. If possible, this kind of data should be kept off the computer entirely. If that is not possible, then you should be storing the data in an encrypted form. An additional measure is to keep the computer disconnected from the Internet; often you will find that sensitive data is kept on isolated networks, or on computers that sit behind a firewall.

As always, encryption should be one layer in an overall multi-layered security plan, an approach known as "defense in depth." It is assumed that you are already taking the normal precautions: applying patches, running antivirus and antispyware software, and using some type of firewall. File encryption is the additional layer that can protect you when the other layers have failed.

Fig. 2: KeePass Password Safe menu options.


Summer 2006 Computing News | Computing Center Home Page