Addressing loopholes in encryption
-
- SilverLounger
- Posts: 2419
- Joined: 28 Mar 2010, 01:49
Addressing loopholes in encryption
There is a huge loophole in encryption. It only works while a drive is locked. Once you unlock the drive, the information is vulnerable.
For example:
Jane logs on to Windows and unlocks her data drive. Her laptop is stolen. All of the unencrypted information is stolen. The battery dies and the thief restarted it after he gets a power cord. The data drive is locked again and encrypted, but it is too late. The thief already has all of Jane's information.
Is it possible to set up Bitlocker so that it automatically encrypts a data drive every time a computer hibernates (or even better, each time it locks)?
Is it possible to set up encryption on certain files within a data drive so that even when a data drive is unlocked, certain files within the data drive remain encrypted until and unless they are specifically unlocked, so that they remain secure even if the laptop is stolen while the data drive is unlocked?
Regards,
JMT
JMT
-
- Administrator
- Posts: 12856
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: Addressing loopholes in encryption
There are many ways you can encrypt files, each has benefits and disadvantages.
If you use Veracrypt instead of Bitlocker then you have options to auto-dismount when user session locked, or when entering power-saving, or even after no data has been read/written to the partition for a specified period of time.
You can encrypt individual Microsoft office files using the built in features in Word, Excel etc. Similarly you can encrypt PDF files when you create them.
StuartR
-
- SilverLounger
- Posts: 2419
- Joined: 28 Mar 2010, 01:49
Re: Addressing loopholes in encryption
StuartR: Thanks. Can I encrypt individual folders using Bitlocker or MS Office? Or does this software work only with individual drives / files?
Regards,
JMT
JMT
-
- PlutoniumLounger
- Posts: 16415
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Addressing loopholes in encryption
Thanks Stuart, for prompting me to see what I have been missing since I started using Veracrypt!
Cheers
Chris
Most of my hair had already fallen out by the time I learned that mousse is spelled with two esses
-
- SilverLounger
- Posts: 2155
- Joined: 25 Jan 2010, 02:12
Re: Addressing loopholes in encryption
The first rule of security is if you don't physically control the device you are not secure. There has to be some personal responsibility involved too. Perhaps Jane should re-boot the machine if she is going to leave it in a position to be stolen. Or just re-boot whenever it is left unattended. There are some things you can't fix.
See How to Lock BitLocker Encrypted Drive in Windows for options.
Joe
-
- Administrator
- Posts: 12856
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: Addressing loopholes in encryption
Bitlocker will encrypt partitions
MS Office will encrypt files
Veracrypt (or similar tools) can encrypt individual folders, or partitions.
You could use a password protected zip file to protect a set of files that you store together, so that's a bit like an encrypted folder.
StuartR
-
- PlutoniumLounger
- Posts: 16415
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Addressing loopholes in encryption
Hi Stuart.
I can't see how this solves what I think is the problem in the original post, to wit "Once you unlock the drive, the information is vulnerable."
When TrueCrypt or VeraCrypt unlocks my data partition, all 219GB of data is visible to malware that wants to exploit it.
When PKZip unzips my password-protected zip file, all 10MB of data is visible to malware that wants to exploit it.
This is a difference in magnitude, to be sure, but not in logic. If I use a different password for each 10MB zip file I have reduced my vulnerability, but still, all in all, the thief already has all or some of my information.
I may have misunderstood the problem, in which case I hope I will be corrected!
Cheers
Chris
Most of my hair had already fallen out by the time I learned that mousse is spelled with two esses
-
- SilverLounger
- Posts: 2419
- Joined: 28 Mar 2010, 01:49
Re: Addressing loopholes in encryption
Chris,
The point is that if you have very sensitive data that you need protected, you can always keep it protected while the drive is unlocked, except for when you specifically need to access it. However, if you do not use the method that StuartR proposed, then that data is always vulnerable, even when you are not accessing it, the moment your drive is unlocked.
You will never be 100% safe, but StuartR's suggestion gets you more security than just using Bitlocker alone does.
Regards,
JMT
JMT
-
- PlutoniumLounger
- Posts: 16415
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Addressing loopholes in encryption
Agreed.
That was behind my thought that "This is a difference in magnitude, to be sure, but not in logic."
A degree of probability.
Take my password file, for example. "Passwords.doc" as a poor example.
Whether or not I have opened that file in MSWord, as long as that file is exposed and available to be opened by MSWord, it is vulnerable.
Had you a second keyboard available on my computer, you might see that file "T:\Greaves\Administration\Passwords.doc" using File Explorer, and quickly copy that file to a memory key and be a thousand dollars (my net worth!) richer by nightfall.
The same applies if "you" were a piece of malware that spent ten seconds every minute looking for new or changed files.
But this point is true regardless of whether the partition is encrypted (BitLocker, Truecrypt, Veracrypt) or whether just a part of the folder is unzipped (T:\Greaves\Administration\ImportantStuff.zip).
"Vulnerable" is "Vulnerable" no matter how it is made "Invulnerable" at intervals.
Cheers
Chris
Most of my hair had already fallen out by the time I learned that mousse is spelled with two esses
-
- Administrator
- Posts: 12856
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: Addressing loopholes in encryption
If this is important to you then use Veracrypt, which is free, and set your data partition to auto-dismount after you have not read/written to it for 5 minutes.
StuartR
-
- SilverLounger
- Posts: 2419
- Joined: 28 Mar 2010, 01:49
Re: Addressing loopholes in encryption
How heavy is VeraCrypt's dismounting and mounting process on processing resources? I imagine mounting and dismounting will occur very frequently throughout the day if it is set to auto-dismount after 5 min. of inactivity.
Regards,
JMT
JMT
-
- Microsoft MVP
- Posts: 1347
- Joined: 24 May 2013, 15:33
- Location: Warminster, PA
Re: Addressing loopholes in encryption
ChrisGreaves wrote: ↑10 Jan 2021, 19:24
Whether or not I have opened that file in MSWord, as long as that file is exposed and available to be opened by MSWord, it is vulnerable.
If the document file has been assigned a password for opening, and if the file is not currently open, then it isn't vulnerable any more than any other file encrypted in the same way with the same encryption key would be. According to https://en.wikipedia.org/wiki/Microsoft ... protection,
Office 2007–2013 employed 128-bit key AES password protection which remains secure. Office 2016 employed 256-bit key AES password protection which also remains secure.
The Office 97–2003 password protection used 40-bit key RC4 which contains multiple vulnerabilities rendering it insecure.
That might be a reason for you to give up Word 2003 at long last...
-
- Administrator
- Posts: 12856
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: Addressing loopholes in encryption
Dismounting uses very little. Mounting intentionally uses many iterations of a compute intensive process, to increase how long it takes, and make it harder to use a brute force attack.
StuartR
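To put numbers on the two points made above (Jay's note that a 40-bit RC4 key is weak no matter what password protects it, and Stuart's note that mounting deliberately spends many iterations so that every attacker guess costs the same), here is an added Python example. It is not code from the thread or from VeraCrypt; VeraCrypt does derive its volume key with PBKDF2, but the iteration count, the attacker's hash rate and the password alphabet below are constructed illustrations, not VeraCrypt defaults.

```python
import hashlib
import os
import time

# Constructed parameters for illustration. These are not VeraCrypt's real
# header layout or iteration counts; the point is the shape of the cost.
SALT_LEN = 64
KEY_LEN = 64


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into a volume key with PBKDF2-HMAC-SHA512.

    Each guess an attacker makes must pay for all `iterations` rounds,
    exactly as the legitimate mount does.
    """
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def time_mount(password: str, iterations: int) -> float:
    """Seconds one key derivation (one 'mount') takes on this machine."""
    salt = os.urandom(SALT_LEN)  # fresh random salt, constructed here
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return time.perf_counter() - start


def stretched_guess_rate(raw_hmac_per_second: float, iterations: int) -> float:
    """Password guesses per second once each guess costs `iterations` HMACs."""
    return raw_hmac_per_second / iterations


def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Expected time to find the key: on average half the keyspace is searched."""
    return (keyspace / 2) / guesses_per_second


def cost_comparison(raw_hmac_per_second: float = 1e9,
                    iterations: int = 500_000) -> dict:
    """Compare three attacker scenarios using the constructed rate above.

    - 40-bit RC4 (Office 97-2003): the key itself has only 2**40 values, so
      the password and any stretching are irrelevant; keys are tried directly.
    - an 8-character lowercase password on a container with no stretching
      (1 iteration).
    - the same password behind `iterations` rounds of PBKDF2.
    """
    lowercase8 = 26 ** 8
    return {
        "rc4_40bit_key_seconds": expected_crack_seconds(
            2 ** 40, raw_hmac_per_second),
        "password_unstretched_seconds": expected_crack_seconds(
            lowercase8, stretched_guess_rate(raw_hmac_per_second, 1)),
        "password_stretched_seconds": expected_crack_seconds(
            lowercase8, stretched_guess_rate(raw_hmac_per_second, iterations)),
    }


if __name__ == "__main__":
    secs = time_mount("correct horse battery", 500_000)
    print(f"one mount at 500k iterations: {secs:.2f} s")
    for name, crack in cost_comparison().items():
        print(f"{name}: {crack / 86400:.1f} days")
```

Dismounting is just forgetting the derived key, which is why it costs nothing; the iteration count is paid once per mount by the owner but once per guess by an attacker, which is the whole reason for it. The RC4 line shows why that does not help Office 97-2003 documents: a 40-bit key is exhausted directly, so no password or stretching in front of it matters.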
-
- PlutoniumLounger
- Posts: 16415
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Addressing loopholes in encryption
Jay Freedman wrote: ↑16 Jan 2021, 20:29
If the document file has been assigned a password for opening, and if the file is not currently open, then it isn't vulnerable any more than any other file ...
ChrisGreaves wrote: ↑10 Jan 2021, 19:24
...that file is exposed and available to be opened by MSWord, it is vulnerable.
Quite so, Jay. That was sloppy writing on my part.
I was thinking of a regular, non-Word-password-protected document.
I think of three levels of protection:
(1) Encryption of a partition or folder tree by a product such as Veracrypt or Truecrypt.
(2) Encryption of a folder tree or collection of files by a product such as PKZip25 or WinZip variants
(3) Password protection of a Document by MSWord, or of an Excel workbook by Excel.
I was trying to say that whether one or both of levels (1) and (2) are employed, once the DOC/XLS is exposed, it is vulnerable.
I might then have added that "password protection at the application level would provide a third level of protection"
Jay Freedman wrote:
That might be a reason for you to give up Word 2003 at long last...
That day may yet come, Jay. The defining moment will be when my Word6.0 program code, migrated to Word97, then Word2000, and then Word2003 ceases to function, or I find myself trying to parse a string of characters that absolutely needs a feature of Office 2043 that I absolutely cannot code for myself in what is in essence Word97/VBA. By that time I will be 97, and it may be time for me to say goodbye to Word97...
Cheers
Chris
Most of my hair had already fallen out by the time I learned that mousse is spelled with two esses