I need to encrypt a folder on Windows, but how do I prevent the domain admin from reading this folder when I input the key to decrypt that folder?

0

Well, I searched the site for software that encrypts folders on the hard disk, and I found recommendations for TrueCrypt or similar products.
But the thing I wanted to know is this: if I open a file in the encrypted folder, will the domain admin be able to access my files in that encrypted folder using the default Windows shares "\\PCName\x$\", since the files are now unencrypted to any Windows process? Or am I wrong in my thinking?
The problem actually is that I want to keep private files on a work machine while preserving my privacy and denying the admin from seeing my private files.

Karim

Posted 2010-10-03T19:37:39.980

Reputation: 1 062

Answers

5

If you do not trust a machine (and/or its admin) then simply do not access anything you do not want to reveal - encrypted or otherwise.

Whatever method you use to encrypt/decrypt must make the file contents available to the machine (obviously, that's the point of decrypting it), and so also its processes and the admin.

You might also be giving away the encryption key and password, so could reduce the security of everything you've got encrypted on that machine, not just the files that you open.

That said, you can store encrypted material in an untrusted location, as long as you do not decrypt it in an untrusted location.

DMA57361

Posted 2010-10-03T19:37:39.980

Reputation: 17 581

So this is a valid concern? But is there a way that lets only the current user access the files, while when the domain admin accesses the files it will be as the domain/admin user, so it will be a different user with no access to the saved password? Or is this not right? – Karim – 2010-10-03T19:51:15.873

2 @Karim - An evil admin could have a keylogger installed as far as you know. Then whatever you type is accessible to him, and that includes your passwords. You simply cannot be 100% sure to keep your files private on a computer you don't have 100% control over. – Nifle – 2010-10-03T20:00:34.600

Yeah, but I am not talking about extreme cases like a keylogger, because having a keylogger may be illegal in my opinion. But getting files from the company PC is not, as far as I know. Of course, cracking the encrypted files of an employee is not legal either, in my opinion. – Karim – 2010-10-03T20:07:15.603

2 @Karim: "in my opinion" is not a very valid legal statement. – Hello71 – 2010-10-03T22:21:32.387

@Hello71: That is because I am not a lawyer. Anyway, I was asking about the technical aspect and not the legal one, because laws are different in each country, so we could discuss this topic forever. Besides, the legal aspect of this problem doesn't belong here; maybe on legaloverflow.com or something :) – Karim – 2010-10-03T22:37:45.103

1

Yes, if you connect a drive to a computer, the domain admin will be able to see your files. The domain admin is trusted with access to anything the computer currently has access to. If you don't trust the computer administrator, don't trust the computer.

However, I find it unlikely the system administrator will be waiting for you to connect a drive so he can make a copy of all your personal files. As long as you unmount a TrueCrypt volume when you're not using it, you're probably reasonably safe. Once it's unmounted, someone could only access it again if they had your volume's password (perhaps there is a keylogger on the computer).

Why are you worried about this? Assuming this is a computer and network owned by a business you work for, I think the two most common reasons would be:

  1. You do not trust your system administrator. This is a concern perhaps you want to address with management. Since the system administrator often can access nearly anything in the company, if you have reason to believe they are not trustworthy, management should know about it.

  2. You are doing something clandestinely and are afraid of getting caught. You should be! If your workplace does not want you using their time and their resources for some activity, don't do it.

The only way to ensure the system administrator cannot access your files is to access them from a computer outside of his/her control. Perhaps bring a laptop with you and access the files from that machine.

Stephen Jennings

Posted 2010-10-03T19:37:39.980

Reputation: 21 788

Well, the admin doesn't have the authority to access my personal files, and I think any reasonable company policy will allow me to have such files on the work machine. For example, I think it's legal to view my bank statements from my work machine during my break time and save them to a place on the work machine, but the domain admin shouldn't see this information. I am not talking about work-related information or something. – Karim – 2010-10-03T19:54:24.177

In that case you must either trust the system administrator implicitly or not use a computer under his/her control. – Stephen Jennings – 2010-10-03T19:58:34.873

1 It will depend entirely on the country you are in. In the UK there are no laws that say a company is legally obliged to let you use their computers for personal business of any kind. Additionally, most sysadmins won't have the time to go rooting through your workstation's files. Unless you are being investigated for breach of company policy, chances are they don't care and won't notice. (I know this is true for me. I have 600 desktops under my control and I certainly don't go around every machine browsing users' files unless I've been asked to do so by HR.) – chunkyb2002 – 2010-10-03T20:01:00.077

I am not saying that there is a law that allows me or doesn't allow me to use the PC for personal business. If the company tells me I am not allowed, it's their decision, but what they are not allowed to do is access my data on their PC if they allowed me to use this PC for personal business. – Karim – 2010-10-03T20:05:52.467

1 A company is well within their rights to monitor what their equipment is being used for (especially within their walls), even if they've authorized it for personal use. Not that I think you're doing any of these things, but they certainly don't want to deal with any lawsuits because their computers were used to commit fraud or distribute child porn. – Stephen Jennings – 2010-10-03T20:16:49.680

So the company has the right to access your private documents? So why don't they install CCD in the toilet to monitor employees? Maybe someone is sniffing cocaine there. By the way: 1. You can't commit fraud by storing some files on your PC. 2. You can't distribute child porn by storing some files on your PC; you need to transmit it somewhere, and I have no problem with them monitoring the web browsing of their employees. – Karim – 2010-10-03T22:45:28.970

And really, guys, what is with the illegal activity stuff? Who in their sane mind would do something illegal from work? If you want to do something illegal, you can do it on some street Wi-Fi, not at work. – Karim – 2010-10-03T22:49:59.897

@Karim - The point here is that if you are using your work computer you are, by definition, using it for work. The files you put on there are therefore work related, not personal, unless your company has a policy that explicitly states otherwise. I can't comment on any laws (I don't know which country you reside in and I'm hardly a lawyer) but frankly the basic assumption should always be that everything you use, store, write and do on your work machine belongs to them. – DMA57361 – 2010-10-04T09:13:20.343

@DMA57361: This point will be valid if the company doesn't allow you to use your computer for anything except work. I mean, if they allow you to check your mail in your free time, then this point won't be valid. This is really an issue that depends on the company policy. But either way they have the right to access your personal files on your work PC. They can punish you for doing personal stuff at work. But I don't think that this will let them own your personal data. – Karim – 2010-10-05T17:07:59.227

@Karim - There are cases of people working for companies doing "personal" projects (might be software, a new invention, etc.) and then trying to do something with said projects, and the companies taking them to court and winning all rights to the project because some of it was done during that person's work time - so okay, they might not own the data itself, but they probably own the intellectual rights to whatever you do. And obviously they can access the data as well. Check your employment contract and/or company policy documents if this may apply to you. – DMA57361 – 2010-10-05T17:22:33.300

@DMA57361: I am not talking about projects. I am talking about personal bank statements, some photos a friend sent, and stuff like that. Does the company own these too? Of course, any work done on work time is the company's property, because they are paying you to work for them and not to work for yourself. – Karim – 2010-10-06T12:09:42.313

@Karim Depends on how you define "own". They might decide to replace/upgrade your computer - and all your personal data could be destroyed without warning. But they probably wouldn't be able to broadcast the stuff around (i.e., they'd probably lack the copyright unless you took the pictures at work, with their camera), but this is all too fine grained now for me to really be able to comment... The rule I follow is that I don't keep anything personal on my work machine or network. What things I have to look at or use (which are few) are kept on a personal USB stick. – DMA57361 – 2010-10-06T12:17:04.490

Well, my rule too is not to keep anything on the work PC, although I did some chatting in my free time and that history was kept on the work machine. I wouldn't like the work admin to read my chat history because he considers this to be work property. But the same problem applies here: the admin can copy the contents of your personal USB stick when you have it plugged in. And this is basically what the question was: is it possible to prevent the admin from accessing my encrypted drive while I have it temporarily decrypted by inputting the password? – Karim – 2010-10-06T19:40:05.620