Encrypting Folders: Which ones?

Guest

Because of the recent government laptop thefts, I'm trying to encrypt folders
on my (C:) Drive. I have about 150 Dell D-Series Laptops and ALL transfer
some form of Credit Card data 8 - 10 times a month. Obviously, I have to
create a base image to image so many laptops. The laptops run WinXP, SP2;
Office 2003, SP2, Symantec 10 and Windows Defender. Well, on my base image
(clean install), I elected to encrypt the "C:\WINDOWS" folder, "Documents &
Settings" folder, and the "Programs" folder. After I restarted, all of the
desktop application icons AND the Programs Menu icons were
blank and nonfunctional. I then proceeded to remove the encryption from all
three folders but the desktop application icons and Program Menu icons
remained nonfunctional. If I drilled down into the Programs Folder on the
hard drive to access the applications, they launched normally! Yes, I could
replace the desktop's application icons with the original because the desktop
icons are just shortcuts as we all know. But ALL of the Program menu icons
are nonfunctional. For instance, if I go to 'Accessories > System Restore',
System Restore is not functional...it too is blank. What could cause this and
what is a viable solution? Which folder or files should I encrypt? Thanks in
advance!
 
Steven L Umbach

If you have not seen it yet the white paper at the first link below would be
a good read and it contains many links at the end of the article. A common
problem with EFS or other encryption programs is lack of access to the
encrypted files for the authorized users that can happen if the EFS private
keys are deleted or corrupted so you want to make SURE you have a plan to
minimize such problems such as using a Recovery Agent.

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS
best practices

I would not suggest that you encrypt the whole documents and settings folder
or entire user's profile folder but instead encrypt only the folders
containing sensitive data. Your problem is probably a result of the user's
EFS private key being stored in the user's profile which you are trying to
encrypt. In particular they are stored in the user's profile in the
application data\Microsoft\RSA folder. The \Windows folder should also not
be encrypted as it contains system files. You may also want to post in the
Microsoft.public.security.crypto newsgroup.

Steve
 
Steven L Umbach

Just to add I don't see how you can configure EFS via an image since the
user you logon with to create the base image will not be the user that uses
the computer. EFS uses PKI which complicates such setup. You might be able
to use a Group Policy logon script using the cipher /E command for when the
actual user logs onto the computer to configure encryption on designated
folders.

Steve
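
One way the logon-script approach described in the post above could look, as an added example that is not part of the original post: a batch logon script that runs `cipher /E` as the user who actually logs on, and refuses the folders the thread warns against. The folder paths, the log file and the extra `cipher` switches (`/A`, `/I`, `/Q`, `/S:`) are assumptions not mentioned in the thread.

```batch
@echo off
rem Added example, not from the thread. Assign as a per-user logon script in
rem Group Policy so it runs as the person logging on; EFS then encrypts with
rem that user's key instead of the key of the account that built the image.
setlocal enabledelayedexpansion

rem ASSUMPTION: hypothetical log location, one file per user.
set "LOG=%TEMP%\efs-logon.log"
echo [%DATE% %TIME%] %USERNAME% on %COMPUTERNAME% >> "%LOG%"

rem ASSUMPTION: hypothetical data folders; list the ones you designate.
call :protect "C:\SecureData"
call :protect "C:\SecureData\Card Batches"
endlocal
goto :eof

:protect
set "DIR=%~1"
rem Guard 1: never touch a path containing the Windows folder (system files).
if /i not "!DIR:%SystemRoot%=!"=="!DIR!" goto :refuse
rem Guard 2: never the whole profile, nor Application Data, where the
rem user's EFS private key is stored (Application Data\Microsoft\RSA).
if /i "!DIR!"=="%USERPROFILE%" goto :refuse
if /i not "!DIR:%APPDATA%=!"=="!DIR!" goto :refuse

if not exist "!DIR!" mkdir "!DIR!"
rem /E encrypt, /S: this folder and its subfolders, /A files as well as
rem folders, /I continue past errors, /Q report only essential output.
cipher /E /A /I /Q /S:"!DIR!" >> "%LOG%" 2>&1
goto :eof

:refuse
echo REFUSED (system or key-bearing folder): !DIR! >> "%LOG%"
goto :eof
```

Set up and test the Recovery Agent mentioned earlier in the thread before rolling this out, so a lost or corrupted user key does not make the data unreadable.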
 
Guest

My suggestion would be to try and marshal all of the sensitive data into a
folder outside "documents and settings" and encrypt that. Might be difficult
for ecommerce sites with IE, but Firefox allows for a custom user-data
location.

Possibly worth a look at Truecrypt too. Only tested this briefly but it
seems to perform better in many respects than EFS. (freeware) Plus, it uses a
password which is not user-dependent, unlike EFS keys.
 
Jeff

Ian said:
My suggestion would be to try and marshal all of the sensitive data
into a folder outside "documents and settings" and encrypt that.
Might be difficult for ecommerce sites with IE, but Firefox
allows for a custom user-data location.

Possibly worth a look at Truecrypt too. Only tested this briefly but
it seems to perform better in many respects than EFS. (freeware)
Plus, it uses a password which is not user-dependent, unlike EFS keys.

Sorry to butt in, but is TrueCrypt similar to Cryptainer (which I use) or
better than it?

Jeff
 
Artur

I use FineCrypt which works with a variety of algorithms, supports both
passwords and private keys, has a secure delete and scheduling capability.
Highly recommended.
 