Encryption advice

[Stan Brown]

My situation is that, since restoring my backups to a replacement
hard drive, I have Windows 7 booting, but no system partition. As I
understand things, that means I can't run Bitlocker.

In a recent thread, it was pointed out that it's child's play for
anyone with physical access to my laptop to read all my files, say by
booting Linux on a CD. So I want to encrypt the partition that has
my personal records on it. (Let's say C: is programs and doesn't
need encryption, D: is personal data that I need to encrypt.)

Is it worth the effort of wiping the hard drive, installing Windows
fresh and letting it create a System partition (will it do that?),
then restoring everything, just so I can run Bitlocker? Or is there
a reasonable alternative? For instance, is TrueCrypt robust enough
to handle a 10 GB encrypted drive? And if I do that, the drive will
look like one file to Acronis TrueImage, so there goes the ability to
do incremental backups.

 

[...winston]

Inline.

"Stan Brown" wrote in message

My situation is that, since restoring my backups to a replacement
hard drive, I have Windows 7 booting, but no system partition. As I
understand things, that means I can't run Bitlocker.
- Correct

In a recent thread, it was pointed out that it's child's play for
anyone with physical access to my laptop to read all my files, say by
booting Linux on a CD. So I want to encrypt the partition that has
my personal records on it. (Let's say C: is programs and doesn't
need encryption, D: is personal data that I need to encrypt.)
- Someone else will have to answer on whether or not encryption will prevent
the savvy Linux snooper access to your Win7 D:\ drive data.

Is it worth the effort of wiping the hard drive, installing Windows
fresh and letting it create a System partition (will it do that?),
then restoring everything, just so I can run Bitlocker?
- Clean installing Windows to a wiped hard drive (i.e. unallocated space)
thereby instructing the Windows DVD to use the entire partition or create a
partition for Win7 (leaving the rest unallocated for Win7 Disk Management to
create later as other drives, e.g. D:\) will create two partitions - one for
the System and one for Windows.
- Restoring - Define 'restore' further (OEM Restoration that takes the
machine to as-shipped condition, reinstall Windows, clone from another
drive, from a Windows image created post the clean Windows install..etc. ???

Or is there a reasonable alternative? For instance, is TrueCrypt robust
enough to handle a 10 GB encrypted drive? And if I do that, the drive will
look like one file to Acronis TrueImage, so there goes the ability to do
incremental backups.
- Sorry, not a TrueCrypt user (maybe the FAQ will help
http://www.truecrypt.org/faq)
- Acronis True Image (at least for my preferred version-2010) requires one
to image the System partition in addition to the Windows partition.
- Separately, is the 10GB only for data (seems small for Windows and
possibly even so for long term data needs).

 

[R. C. White]

Hi, Stan.

...I have Windows 7 booting, but no system partition.

Impossible! Windows cannot boot without a System Partition.

But it does not have to be a separate partition serving as ONLY the System
Partition. Setup.exe can simply add the few mandatory startup files to an
existing primary partition. To see which of your partitions is in fact your
System Partition, run Disk Management (diskmgmt.msc) and look at the labels
in the Status column of the Volume List, or in each partition's segment in
the Graphical View. Exactly ONE of those partitions should have the System
status. Exactly one partition should have the Boot status, too, and a
single partition can have both System and Boot status. (My guess is that
your Drive C: has both System and Boot status.)

Win7 is the first version of Windows to create a separate small hidden
partition to be used as the System Partition, often with no drive letter.
This partition does not get created in all cases; when a System Partition
already exists (such as in an Upgrade or dual-boot installation), Setup.exe
just adds the required files to the existing System Partition, amending the
existing startup files as necessary. If Setup did create the small
partition with no letter, it should appear in Disk Management, along with
the other partitions.

This topic (System Partition and Boot Volume) has been discussed here many
times.

RC
--
R. C. White, CPA
San Marcos, TX
(e-mail address removed)
Microsoft Windows MVP (2002-2010)
Windows Live Mail 2011 (Build 15.4.3538.0513) in Win7 Ultimate x64 SP1


"Stan Brown" wrote in message

My situation is that, since restoring my backups to a replacement
hard drive, I have Windows 7 booting, but no system partition. As I
understand things, that means I can't run Bitlocker.

In a recent thread, it was pointed out that it's child's play for
anyone with physical access to my laptop to read all my files, say by
booting Linux on a CD. So I want to encrypt the partition that has
my personal records on it. (Let's say C: is programs and doesn't
need encryption, D: is personal data that I need to encrypt.)

Is it worth the effort of wiping the hard drive, installing Windows
fresh and letting it create a System partition (will it do that?),
then restoring everything, just so I can run Bitlocker? Or is there
a reasonable alternative? For instance, is TrueCrypt robust enough
to handle a 10 GB encrypted drive? And if I do that, the drive will
look like one file to Acronis TrueImage, so there goes the ability to
do incremental backups.

 

[Peter Jason]

My situation is that, since restoring my backups to a replacement
hard drive, I have Windows 7 booting, but no system partition. As I
understand things, that means I can't run Bitlocker.

In a recent thread, it was pointed out that it's child's play for
anyone with physical access to my laptop to read all my files, say by
booting Linux on a CD. So I want to encrypt the partition that has
my personal records on it. (Let's say C: is programs and doesn't
need encryption, D: is personal data that I need to encrypt.)

Is it worth the effort of wiping the hard drive, installing Windows
fresh and letting it create a System partition (will it do that?),
then restoring everything, just so I can run Bitlocker? Or is there
a reasonable alternative? For instance, is TrueCrypt robust enough
to handle a 10 GB encrypted drive? And if I do that, the drive will
look like one file to Acronis TrueImage, so there goes the ability to
do incremental backups.

Now I use TrueCrypt and thumb drives for any sensitive material. Given
the capacity of these USB devices, their small size, the new USB3
type, and most importantly the ability to detach them from the
computer, it's the only way to go.

No-one can find your data if it isn't there.

I tried TrueCrypt on a disk partition together with the "hidden drive"
facility but I lost data when some of this was overwritten. The USB
thumbs are working fine, and making a backup is to another is easy.

Like hiding things from burglars, never keep everything in the one
place.

 

[Stan Brown]

Now I use TrueCrypt and thumb drives for any sensitive material. Given
the capacity of these USB devices, their small size, the new USB3
type, and most importantly the ability to detach them from the
computer, it's the only way to go.

No-one can find your data if it isn't there.

Thanks for your suggestion. But I really do want to keep the
convenience of storing information on my computer's hard drive. And
performance would be an issue too, since I have only USB2 ports.

I do keep some data in a TrueCrypt volume on a thumb drive, but it's
the stuff I work on almost every day and need to carry back and forth
to both jobs. I'm looking for something I can do with the much
larger volume on my hard drive.

 

[Paul]

Thanks for your suggestion. But I really do want to keep the
convenience of storing information on my computer's hard drive. And
performance would be an issue too, since I have only USB2 ports.

I do keep some data in a TrueCrypt volume on a thumb drive, but it's
the stuff I work on almost every day and need to carry back and forth
to both jobs. I'm looking for something I can do with the much
larger volume on my hard drive.

There is some info here, on a "split-load" tool for converting a Vista
single partition install, into a SYSTEM-RESERVED+C: type split partition setup.
What isn't clear from this article, is whether BdeHdCfg.exe moves
boot files off C: onto the new partition, or it's just BitLocker specific
info which is stored on the partition. All that's really mentioned here,
is the creation of a new partition (made from whatever spare space
can be scraped together by the tool). The size seems to be larger than typical
default System Reserved (perhaps 100MB on Win7, 200MB on Win8). You could
clear the way for such a tool, by having some unallocated space for the
partition, and ensure you're down to three primary partitions, leaving
room for this tool to create a fourth partition.

http://support.microsoft.com/kb/933246/en-us

The same tool is mentioned here, with respect to Windows 7, with the
difference being that the small System Reserved is not supposed to have
a drive letter. The first article seems to claim the tool will exit if
the OS isn't Vista. Perhaps a different version of the tool was written
for Windows 7 ?

http://technet.microsoft.com/en-us/library/ee732026(WS.10).aspx

This article seems to want the small partition to be the active (boot) partition.
This also gives the impression, once you do the Anytime Upgrade to your
OS, the bdehdcfg.exe tool would magically appear (it could be linked from
the store, into some place where it can be used). The tool is likely
stored on all Windows 7 disks, just not labeled as such. This is just
a guess (as I can see Ultimate files resting in the store of my
Home Premium laptop).

http://technet.microsoft.com/en-us/library/dd875534(WS.10).aspx

In any case, I don't think you have to reinstall Win 7. There is likely
a path to setting up BitLocker, even if you currently only have
a single partition setup.

Not that I'm liking what I'm seeing on the topic of BitLocker in
other articles on the web. The comments aren't a confidence builder.
You want to make absolutely sure you have a recovery key stored
somewhere, and, that you don't rely on the TPM alone (i.e. add pin),
and that when you're finished a computing session, the computer is
"completely off", to prevent some of the exploits. AFAIK, a TPM can
be reset by others, so you have to be able to handle a situation
where you have to set up the TPM again (this might also happen,
if an encrypted disk is moved to another piece of hardware).

http://windowsteamblog.com/windows/...hive/2009/12/07/windows-bitlocker-claims.aspx

"Our discussions of Windows BitLocker have always been to communicate
that it is intended to help protect "data at rest" (e.g. when the machine
is powered off)."

Leaving the machine in sleep, may not meet that objective. Read up
on the various claimed exploits, for more info.

Paul

 

[Stan Brown]

[replying to my query on the advisability of reinstalling windows so
as to have the special System partition that supports Bitlocker]

There is some info here, on a "split-load" tool for converting a Vista
single partition install, into a SYSTEM-RESERVED+C: ...

http://support.microsoft.com/kb/933246/en-us

The same tool is mentioned here, with respect to Windows 7, ...

http://technet.microsoft.com/en-us/library/ee732026(WS.10).aspx

This article seems to want the small partition to be the active (boot) partition.

Yes, that's my impression, learned the hard way, by not having one
when I restored my backup to a replacement hard drive after mine
crashed.

In any case, I don't think you have to reinstall Win 7. There is
likely a path to setting up BitLocker, even if you currently only
have a single partition setup.

Not that I'm liking what I'm seeing on the topic of BitLocker in
other articles on the web. The comments aren't a confidence builder.

http://windowsteamblog.com/windows/...hive/2009/12/07/windows-bitlocker-claims.aspx

"Our discussions of Windows BitLocker have always been to communicate
that it is intended to help protect "data at rest" (e.g. when the machine
is powered off)."

Thanks, Paul, for your thoughtful reply, most of which I've snipped.

I have to apologize: I left out a crucial piece of information
because I didn't know it was crucial: I have Windows Home Premium,
which means Bitlocker isn't supported. (You have to have Ultimate or
Enterprise to encrypt with Bitlocker; I discovered that only this
morning while doing my own research.)

But based on what you say, Bitlocker seems kind of scary. Come to
think of it, any form of encryption seems kind of scary because it
adds another point of possible failure to my own access of my data.
So it becomes a question of balancing the risks: the likelihood of
losing physical access to my computer is fairly low because I keep it
with me when I take it out, which is not very frequently, but the
likelihood of losing my encrypted data through failure of the
encryption mechanism is also fairly low. I'll have to think about
this some more.

FWIW, /Windows 7 Annoyances/ recommends two freeware alternatives for
people with Home Premium who are therefore unable to use Bitlocker or
the file and folder encryption, and one of them is TrueCrypt. If I
remember correctly, the other is FreeOTFE. A comparison between the
two, with further links, is here:

http://www.brighthub.com/computing/smb-security/articles/41053.aspx

One plus is that TrueCrypt also runs in Linux.

 

[Paul]

Thanks, Paul, for your thoughtful reply, most of which I've snipped.

I have to apologize: I left out a crucial piece of information
because I didn't know it was crucial: I have Windows Home Premium,
which means Bitlocker isn't supported. (You have to have Ultimate or
Enterprise to encrypt with Bitlocker; I discovered that only this
morning while doing my own research.)

But based on what you say, Bitlocker seems kind of scary. Come to
think of it, any form of encryption seems kind of scary because it
adds another point of possible failure to my own access of my data.
So it becomes a question of balancing the risks: the likelihood of
losing physical access to my computer is fairly low because I keep it
with me when I take it out, which is not very frequently, but the
likelihood of losing my encrypted data through failure of the
encryption mechanism is also fairly low. I'll have to think about
this some more.

FWIW, /Windows 7 Annoyances/ recommends two freeware alternatives for
people with Home Premium who are therefore unable to use Bitlocker or
the file and folder encryption, and one of them is TrueCrypt. If I
remember correctly, the other is FreeOTFE. A comparison between the
two, with further links, is here:

http://www.brighthub.com/computing/smb-security/articles/41053.aspx

One plus is that TrueCrypt also runs in Linux.

I suppose it all depends on what you're trying to protect against.

As a joke, I wrote my own "encrypter" once What it did, was reverse
the nibbles in all the data bytes. So 0x34 became 0x43. Any grade schooler
could figure it out, but it was a quick (reversible) way to make it
hard for people to scan stuff. For example, say the IT department is
scanning all disks using a "file" tool that looks for file signatures.
Well, none of the signatures on those files would work, and they'd
all be "data" In terms of program design, the intention was,
that two invocations of the tool would bring back the original file.
And in terms of "error multiplication", there isn't any with a method
like that. If you use some heavyweight polynomial math, then a bit
error in the encrypted file, can have more downstream impact on
the decrypted file.

Anyway, I'm not expecting you to do that. Just demonstrating you can
have a bit of fun if you want.

*******

The hard drive industry has announced they're bringing FDE (full disk
encryption) to all hard drives in the near future. So perhaps your
next computer, that will be an option. Right now, FDE exists on a
limited line of drives, but the issue with it, is support at installation
time (BIOS support or OS support when it needs to be unlocked). Whatever
solution they come up with, I presume will work for everybody, instead
of a select few with "executive" laptops. The advantage of FDE, is
no compute overhead - the hard drive controller chip does the AES
calculation, instead of the CPU. And at full speed.

Paul

 

[Ed Cryer]

I suppose it all depends on what you're trying to protect against.

As a joke, I wrote my own "encrypter" once What it did, was reverse
the nibbles in all the data bytes. So 0x34 became 0x43. Any grade schooler
could figure it out, but it was a quick (reversible) way to make it
hard for people to scan stuff. For example, say the IT department is
scanning all disks using a "file" tool that looks for file signatures.
Well, none of the signatures on those files would work, and they'd
all be "data" In terms of program design, the intention was,
that two invocations of the tool would bring back the original file.
And in terms of "error multiplication", there isn't any with a method
like that. If you use some heavyweight polynomial math, then a bit
error in the encrypted file, can have more downstream impact on
the decrypted file.

Anyway, I'm not expecting you to do that. Just demonstrating you can
have a bit of fun if you want.

*******

The hard drive industry has announced they're bringing FDE (full disk
encryption) to all hard drives in the near future. So perhaps your
next computer, that will be an option. Right now, FDE exists on a
limited line of drives, but the issue with it, is support at installation
time (BIOS support or OS support when it needs to be unlocked). Whatever
solution they come up with, I presume will work for everybody, instead
of a select few with "executive" laptops. The advantage of FDE, is
no compute overhead - the hard drive controller chip does the AES
calculation, instead of the CPU. And at full speed.

Paul

That's interesting, but it's got me wondering how they're going to
implement the encryption algorithm.
Obviously it can't be the same for all that brand of HD; nor could it
just be "one up" for the next on the production line.
They must have some kind of randomisation technique in mind; perhaps
generated locally when the HD is first used.

Ed