
I've been looking into encryption of my data for some time now; I've decided to move ahead with VeraCrypt to encrypt all of my partitions (I have 2 disks in 1 laptop) except for the OS (C:) partition.

(Reason being, I don't want to risk the possible complications & potential data loss, e.g. when trying to update Windows, there can be conflicts with VeraCrypt.)

I would like however, to at least encrypt some portion(s) of my OS partition. Specifically, the "C:\Users" is my priority at this time.

If I am able to encrypt the "C:\Users" directory, I imagine that I would need this to be decrypted during system boot or Windows loading screen? (or at least before user login?) Otherwise the user data will be inaccessible to the system.

There are products such as AxCrypt, however, I'm not aware of it having any functionality to decrypt selected files/folders during system boot (please correct me if this is otherwise).

I would like to please know, is there any publicly available software that can accomplish what I'm seeking to do?

Or, is there any possible workaround otherwise (without doing full encryption of OS disk/partition)?

(Preferably an open source program, free or relatively inexpensive.)

(I currently have Windows 10 Home edition. I'm not interested in BitLocker or Windows 10 Pro at this time.)

Thank you.


Added Note:

I understand the risks of partial encryption (such as data leaks in swap/temporary files, etc.). I'm not very paranoid about bits of my data possibly being discovered in those cases; I don't really have high-risk data that needs protecting, but still, I'd like some protection rather than none.


To be clear, I would like to be able to:

  1. Encrypt the "C:\Users" directory.
  2. Upon Windows Boot/Load, be offered the option to decrypt the "C:\Users" directory (which seems necessary before being able to load/login to user profiles).
  3. After entering the correct password, the "C:\Users" directory will be decrypted, then Windows will continue to load/prepare user profiles for login.
  4. I would like to avoid full disk/partition encryption.
  • "(Reason being, I don't want to risk the possible complications & potential data loss, eg. when trying to update Windows, there can be conflicts with VeraCrypt)." You'll have way more complications and higher risk of data loss if you try to hack together a system like you described. You'll be way better off just going with full-disk encryption. – Joseph Sible-Reinstate Monica Jun 24 '21 at 04:22

2 Answers


I am unaware of any software that would work exactly as you described.

However, I would strongly advise against your described procedure, as it might not give you as much security as you would probably expect. See here for examples. I'd therefore recommend heading for full disk encryption, which can easily be done e.g. with VeraCrypt.

Do you have any specific reasons why you would like to avoid full disk encryption?

In the end, which way to go depends on your attacker model. I guess there might be less software out there for your described procedure, as it won't defend well against common attacker models.

  • Thanks for your response. (I up-voted, but it can't appear because I'm new here) I had previously asked this (similar) question in the VeraCrypt forum, and should have included here this bit that I previously wrote: "I understand the risks of partial encryption (such as data leaks in swap/temporary files, etc...) I'm not very paranoid about my data possibly being discovered in those cases, I don't really have high-risk data that needs protecting, but still, I'd like some protection rather than none." – Andrew Davis Feb 04 '19 at 10:31
  • At the moment, I'm more concerned about the OS stability and avoiding data loss (being locked out of decrypting my entire system if something went wrong), over fear that some bits of data could leak into a few places. I'm at very low risk of being physically hacked (my laptop/disks do not leave home), but I prefer some encryption rather than none. – Andrew Davis Feb 04 '19 at 10:32
  • Regarding avoiding full disk encryption: VeraCrypt doesn't yet work perfectly for Windows full OS disk encryption. Issues can arise during Windows updates, and you have to do some sort of workaround injection or something of the sort, to avoid issues, each time you update Windows (that's what I read from several places). In the VeraCrypt forum, I believe they don't deny this, but they said to look out for updates, as they are working on fixing these issues for Windows. – Andrew Davis Feb 04 '19 at 10:33
  • With all my other partitions encrypted, for the C: I'm mostly only concerned with the "C:\Users" directory. Even if there are data leaks, I believe most of it will be leaked in this location? AppData, Temp files... from what I'm aware, most of the data-leak risk is contained within the C:\Users directory. Also, I may be able to have a slight performance boost in not encrypting the entire OS drive, but only the user data (only a guess at this point). – Andrew Davis Feb 04 '19 at 10:34
  • You have made some pretty interesting trade-offs here, comparing the risk of getting data stolen and the risk of data loss by updates. I think to defend against data loss you should consider a backup strategy. To defend against data getting stolen, you should consider encryption. I can however confirm that the boot-up is rarely affected after Win10 updates, but it never led to data loss on my side (using True/VeraCrypt for more than 10 years now). Anyways, if you store your sensitive data on a different partition, you can easily mount it even with a different OS, in case your C: partition will not boot. – Euphrasius von der Hummelwiese Feb 04 '19 at 10:41

First of all, encrypting only a directory is a Bad Idea.

You risk that crypto keys end up in the page/hibernation file, where they are readable to all. The hibernation file has to be read at the start of boot to restore state.

Second, you will have all kinds of leaks in temporary directories.

Set up BitLocker. It's integrated with the OS, and works fine across upgrades. I've been using BitLocker on one laptop for four to five years, with zero problems. Whole disk encryption solves a lot of problems when it comes to possible unintended data leaks.

vidarlo
  • Thanks for your response (I up-voted, but it can't appear because I'm new here). That's a good point about the page/hibernation file, I'll have a look into this more. --- I had previously asked this (similar) in the VeraCrypt forum, and should have included here this bit that I previously wrote: "I understand the risks of partial encryption (such as data leaks in swap/temporary files, etc..) I'm not very paranoid about my data possibly being discovered in those cases, I don't really have high-risk data that needs protecting, but still, I'd like some protection rather than none." – Andrew Davis Feb 04 '19 at 10:35
  • Regarding BitLocker: As I have more than one Laptop (could end up with 3-4 in the future), and also would like a process I can replicate for others, without investment costs, I would like to avoid being forced to purchase Windows Pro for each system. Still, I will strongly consider what you said, those are good points. I'll look into this and consider. – Andrew Davis Feb 04 '19 at 10:37
  • You may look into [EFS](https://en.wikipedia.org/wiki/Encrypting_File_System) if you're aware of the pitfalls. That's available in win10 home afaik. – vidarlo Feb 04 '19 at 10:43
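As an added example (not part of vidarlo's answer or the asker's setup), the PowerShell below audits the two leak channels the answer names, hibernation and the pagefile, and counts files under a folder that lack the NTFS Encrypted attribute that EFS sets; `$Target` is a placeholder path, and the registry value, `fsutil` switch and `powercfg` command are the standard Windows ones.

```powershell
# Added example: audit leak channels before relying on folder-level (EFS) encryption.
# Run from an elevated PowerShell prompt. $Target is a placeholder, not a real profile path.
$Target = 'C:\Users\<you>'

function Test-HibernationEnabled {
    # HibernateEnabled is the DWORD that 'powercfg /h on|off' toggles.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $v = (Get-ItemProperty -Path $key -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    return ($v -eq 1)
}

function Test-PagefileEncrypted {
    # 'fsutil behavior query EncryptPagingFile' prints 'EncryptPagingFile = 1' when
    # the NTFS pagefile-encryption policy is on (takes effect after a reboot).
    $out = & fsutil.exe behavior query EncryptPagingFile 2>$null
    return [bool]($out -match '=\s*1')
}

function Get-UnencryptedFiles {
    param([string]$Path)
    # Files inside a supposedly EFS-protected folder that do not carry the Encrypted attribute.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

$report = [ordered]@{
    HibernationEnabled   = Test-HibernationEnabled
    PagefileEncrypted    = Test-PagefileEncrypted
    # %TEMP% outside the protected folder means temporary copies land in cleartext.
    TempDirOutsideTarget = -not $env:TEMP.StartsWith($Target, 'OrdinalIgnoreCase')
}
$report.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

if ($report.HibernationEnabled) {
    Write-Warning 'hiberfil.sys holds a RAM image, including in-memory keys; disable with: powercfg /h off'
}
if (-not $report.PagefileEncrypted) {
    Write-Warning 'pagefile.sys is cleartext; enable with: fsutil behavior set EncryptPagingFile 1 (then reboot)'
}
if (Test-Path $Target) {
    $plain = @(Get-UnencryptedFiles -Path $Target)
    '{0} file(s) under {1} lack the Encrypted attribute' -f $plain.Count, $Target
}
```

With full-disk encryption (BitLocker or VeraCrypt system encryption) all three findings are covered by the volume itself, which is the point both answers make.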