What folders to encrypt with EFS on Windows 7 laptop?

0

Since I've been using my laptop more as a laptop recently (carrying it around) I am now evaluating my strategy to protect confidential information in case it is stolen.

Keep in mind that my laptop is 6 years old (Lenovo T61 with 8 GB of RAM, 2 GHz dual core CPU). It runs Windows 7 fine but it is no speedy demon. It doesn't support the AES instruction set.

I've been using a TrueCrypt volume mounted on demand for really important stuff like financial statements forever. Nothing else is encrypted.

I just finished my evaluation of EFS, Bitlocker and took a closer look at TrueCrypt again.

I've come to the conclusion that boot partition encryption via Bitlocker or TrueCrypt is not worth the hassle. I may decide in the future to use Bitlocker or TrueCrypt to encrypt one of the data volumes but at this point I intend to use EFS to encrypt parts of my hard drive that contain data that I wouldn't want exposed.

The purpose of this post is to get your feedback about what folders should be encrypted from the general point of view (of course everyone will have something specific in addition).

Here is what I thought of so far (will update if I think of something else):

1) AppData\Local\Microsoft\Outlook - Outlook files

2) AppData\Local\Thunderbird\Profiles and AppData\Roaming\Thunderbird\Profiles - Thunderbird profiles, not sure yet where exactly data is stored.

3) AppData\Roaming\Mozilla\Firefox\Profiles\djdsakdjh.default\bookmarkbackups - Firefox bookmark backup. Is there a separate location for "main" Firefox bookmark file? I haven't figured it out yet.

4) Bookmarks for Chrome (don't know where its bookmarks are) and Internet Explorer ($Username\Favorites) - I don't really use them but why not secure that as well.

5) Downloads\, My Documents\ and My Pictures\ folders

I don't think I need to encrypt, say, latest service pack for Visual Studio. So I will probably create subfolder called "Secure" in all of these folders and set it to "Encrypted". Anything sensitive I will save in this folder.

Any other suggestions? Again, this is from the point of view of your "regular office user".

Joe Schmoe

Posted 2013-06-25T22:48:11.417

Reputation: 575

Question was closed 2013-06-26T15:16:52.463

Answers

1

The problem with piecemeal encryption is that you find yourself overlooking things like browser caches, OS caches, certificate stores, cookies... I read that they did an overhead test on TrueCrypt full drive encryption and didn't see a lot of drag. I'd go with FDE if possible - especially if you have anything on the system that you might be doing that exposes anything you might want kept private (banking websites, secure work info...)

Blackbeagle

Posted 2013-06-25T22:48:11.417

Reputation: 6 424

Not to mention the hiberfil.sys and pagefile.sys. Although those files can be encrypted. On top of that, if someone can guess/crack your password, which will be easier to access since the drive isn't encrypted, then EFS won't provide protection. – Keltari – 2013-06-26T01:07:07.627

Doesn't guessing/cracking my password equally apply to FDE? – Joe Schmoe – 2013-06-26T02:42:29.250

With FDE, there is no access to any data at all. The only thing they can do is a brute force attack and if the password is decently strong, it becomes too impractical to even bother trying. If they can boot, then they can look around and start developing a profile on you. They can see what sites you visit, possibly infect your system with a malware password harvester. Look at Mat Honan's recent epic hack where because they knew some small, unrelated things, they managed to totally own him and all his sites - Google, Apple, Twitter... they killed his iPhone, iPad, Macbook Pro... – Blackbeagle – 2013-06-26T11:28:05.093

0

I'd reconsider not using TrueCrypt's full drive encryption. After the initial setup the only thing you need to do is type the password in when you start the computer. Any recent processor these days has hardware acceleration for AES encryption and can do it several times faster than your hard drive can read/write data. TrueCrypt has a built-in benchmark tool if you want to test yourself first.

If you choose not to go with full drive encryption you are most likely going to want to encrypt the following as well.

  • hiberfil.sys (Hibernation file, contains everything that was in your RAM when your computer sleeps)
  • pagefile.sys (Contains running programs which are moved out of RAM)
  • Browser caches, history and cookies (browser caches can contain all the data of web pages you've visited)
  • Temp directory (A lot of programs store files temporarily. E.g. All those encrypted Word documents in your "My Documents" could be copied here unencrypted)

Edit: Just checked and it doesn't appear that your laptop does support the AES instruction set. I would still recommend trying TrueCrypt's benchmark to see if there would really be a performance hit.

Dracs

Posted 2013-06-25T22:48:11.417

Reputation: 2 616

Yes, my laptop doesn't support the AES instruction set. I have hibernation disabled, so this is not a concern. And I don't care if someone can tell what web pages I visited. Concern about "Temp" directory is valid. However, I am not looking for a 100% bulletproof solution - just something good enough to work against a "casual" thief that is most likely not that computer literate. – Joe Schmoe – 2013-06-26T02:35:34.630
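
An added example, not part of any post above: a read-only PowerShell audit (written for the PowerShell 2.0 that ships with Windows 7) of the folders named in the question and in Dracs's list, reporting how many files in each are not EFS-encrypted. The function name `Get-EfsCoverage` is hypothetical, the `Secure` subfolders follow the question's plan, and the profile paths assume default Windows 7 locations.

```powershell
# Added example: audit EFS coverage of the folders discussed on this page.
# Read-only: it inspects file attributes and changes nothing.

# Candidate folders taken from the question and from the answer's list.
# Default Windows 7 profile locations are assumed.
$candidates = @(
    "$env:LOCALAPPDATA\Microsoft\Outlook",
    "$env:LOCALAPPDATA\Thunderbird\Profiles",
    "$env:APPDATA\Thunderbird\Profiles",
    "$env:APPDATA\Mozilla\Firefox\Profiles",
    "$env:USERPROFILE\Favorites",
    "$env:USERPROFILE\Downloads\Secure",
    "$env:USERPROFILE\Documents\Secure",
    "$env:USERPROFILE\Pictures\Secure",
    "$env:TEMP"
)

$efsBit = [int][IO.FileAttributes]::Encrypted   # 0x4000

function Get-EfsCoverage {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            New-Object PSObject -Property @{
                Path = $p; FolderEncrypted = 'n/a'; Files = 0; Plaintext = 0
            }
            continue
        }
        $dir = Get-Item -LiteralPath $p -Force
        # Folder flag: files newly created in the folder are encrypted.
        $flag = (([int]$dir.Attributes -band $efsBit) -ne 0)
        # Walk every file, hidden ones included; skip unreadable entries.
        $files = @(Get-ChildItem -LiteralPath $p -Recurse -Force `
                     -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })
        # A flagged folder can still hold files that were never encrypted.
        $plain = @($files | Where-Object {
                     ([int]$_.Attributes -band $efsBit) -eq 0 })
        New-Object PSObject -Property @{
            Path = $p; FolderEncrypted = $flag
            Files = $files.Count; Plaintext = $plain.Count
        }
    }
}

Get-EfsCoverage -Path $candidates |
    Select-Object Path, FolderEncrypted, Files, Plaintext |
    Format-Table -AutoSize
```

A non-zero `Plaintext` count in a folder whose `FolderEncrypted` is `True` marks files that were never encrypted, which is the piecemeal-encryption gap the answers describe.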