Windows Laptop Security – Encryption and Other Options - Part 1 of 2
In Part 1, we look at Windows file and folder encryption of sensitive data. In addition, we review the best practice of storing data on the network vs. the laptop. We will look at the options for file and folder encryption in Part 2, along with at least two options for recovering stolen laptops.
Please note that the Home versions of Windows XP and Vista do not have the EFS encryption option available. Thus we assume that Windows XP Professional or Vista Business or higher are being used as the laptop operating system.
Windows XP Professional Encryption Options
With more and more companies equipping their employees with laptops, it is imperative to provide some type of data encryption, at the very minimum, at the ‘file’ level.
With the advent of Windows XP Professional and higher (Vista Business and above), Microsoft introduced the Encrypting File System (EFS), which allows a user to encrypt files and folders to ensure the safety and privacy of the data.
EFS is a built-in Windows file and folder encryption capability that is accessible when you right-click on a file, choose “Properties,” and click the “Advanced” button from the General tab. Select the check-box for “Encrypt contents to secure data” then, once you click OK, you will be asked if you want to back up the private key – best practice recommends that you choose “Yes” and backup the private key, which will be helpful in case of corruption, loss of the laptop, or other such issues. Then follow the related screens to back up your private key – you will be asked to assign a password. Assign a password to your private key, and note the location where it will be backed up. Continue clicking through until you reach “Finish.” At this point, your private key is backed up. Make a copy of your private key and store it in a secure off-site location. Even if someone finds it, without your password, the private key is useless.
If you are performing encryption at the folder level, you may choose “Encrypt this folder and all its contents.” After doing that, any file you later add to the folder automatically becomes encrypted. And likewise, once you are logged in to the system and/or network with your proper username and password (the same username under which you initially performed the file or folder encryption), then when you access files in the encrypted form, they automatically are unencrypted; and re-encrypted when closed.
There are also third-party Windows file and folder encryption utilities (see references below), some of which are commercial cost-based, and some of which are free. One such free utility is “AxCrypt,” which uses the AES-128 and SHA-1 encryption algorithms to encrypt files and folders. Simply invoke the utility, choose which folder or file(s) to encrypt, and then assign a password. Always retain the password, as this acts as your “private key” to later unlock and decrypt the files. Some nice features of AxCrypt include the fact that it asks the user if it should delete the original (unencrypted) file after encryption, and the fact that it allows the user to create a self-decrypting executable. With the self-decrypting executable option, the encrypted file or folder is given a “.exe” suffix and, therefore, the resulting encrypted “.exe” file can be taken to other systems and decrypted, using the correct password, without the need for installing AxCrypt client software on the target system.
Other third-party Windows Laptop file and folder encryption offerings
The below products can be found from the above link:
* Adrosa File Protector (AFP) – Uses AES 128 to 256-bit, 3DES 192 and has drag & drop batch mode
* Crypt4Free – Uses Blowfish 448-bit or DESX 128-bit and has a password generator
* PixelCryptor - uses an image (graphic) as a basis for the key
* File Waster and File Buddy - encryption and “true” erase
* AxCrypt – Allows for encrypted files that are self-decrypting (no need to install client at target)
Best Practice - Network File Storage vs. Laptop File Storage
A simple best practice is to store minimal unencrypted data on your laptop, and store more sensitive data on network drives at your workplace. This provides yet another measure of securing your laptop data: if your laptop is stolen, it has no sensitive data on it.
Windows Vista Encryption – EFS (Encrypting File System)
A Guide to Encrypting Files in Vista
Don’t forget to check out Part 2 of Windows Laptop Security, where we discuss encryption of an entire o/s or hard drive.
This post is part of the series: Windows Laptop Security - Encryption and Other Options
In this series, we review Windows file encryption, folder encryption, o/s hard drive encryption, sensitive data best practices, and we take a brief look at lost or stolen laptop recovery tools.