Compression and encryption

David Walker

I will be using a system that's running Windows XP Pro (SP3) as a backup
target, probably using an FTP server, to back up some home and work files
-- the computer will be in a remote location (across town).

I would like to have both encryption (in case the computer gets stolen) and
compression active on the folders that the data gets backed up to. I would
prefer not to Zip the files for various reasons (such as, I don't want to
have to mass-unzip them in case the source computer loses a hard drive).

I could tell Windows to compress the files that get written to the folder,
and use a third-party folder encryption program, OR I could tell Windows to
encrypt the files, but then I would have to use something else to compress
them.

(Mode-Z for FTP only compresses the data during transfer, right? Once it's
written to the target disk, it will be stored "normally" I think.)

I would appreciate any suggestions anyone has. Thanks.


David Walker
 
Patrick Keenan

David Walker said:
I will be using a system that's running Windows XP Pro (SP3) as a backup
target, probably using an FTP server, to back up some home and work files
-- the computer will be in a remote location (across town).

I would like to have both encryption (in case the computer gets stolen) and
compression active on the folders that the data gets backed up to. I would
prefer not to Zip the files for various reasons (such as, I don't want to
have to mass-unzip them in case the source computer loses a hard drive).

I could tell Windows to compress the files that get written to the folder,
and use a third-party folder encryption program, OR I could tell Windows to
encrypt the files, but then I would have to use something else to compress
them.

(Mode-Z for FTP only compresses the data during transfer, right? Once it's
written to the target disk, it will be stored "normally" I think.)

I would appreciate any suggestions anyone has. Thanks.


David Walker

As noted, you must understand EFS if you want to successfully or safely use
it. But it does rely on being able to log into the account, so if you set
your PC to log in automatically, you've bypassed all the protection that
encryption might offer in case of theft.

You must have strong passwords on the encrypted account, and you cannot have
them set to be remembered.

And yes, you absolutely must export the certificates and understand how to
re-import them. If you change the account, you must repeat this.

HTH
-pk
 
Lem

David said:
I will be using a system that's running Windows XP Pro (SP3) as a backup
target, probably using an FTP server, to back up some home and work files
-- the computer will be in a remote location (across town).

I would like to have both encryption (in case the computer gets stolen) and
compression active on the folders that the data gets backed up to. I would
prefer not to Zip the files for various reasons (such as, I don't want to
have to mass-unzip them in case the source computer loses a hard drive).

I could tell Windows to compress the files that get written to the folder,
and use a third-party folder encryption program, OR I could tell Windows to
encrypt the files, but then I would have to use something else to compress
them.

(Mode-Z for FTP only compresses the data during transfer, right? Once it's
written to the target disk, it will be stored "normally" I think.)

I would appreciate any suggestions anyone has. Thanks.


David Walker

This bears repeating a third time: make sure to export your
certificates to removable media.
See "Best practices for the Encrypting File System"
http://support.microsoft.com/kb/223316/en-us

And you are correct that NTFS does not support compression and
encryption at the same time. Given the current low cost of hard drives,
why even bother with compression?

--
Lem -- MS-MVP

To the moon and back with 2K words of RAM and 36K words of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
http://history.nasa.gov/afj/compessay.htm
 
David Walker

Windows XP Pro comes with EFS (encrypting file system). Be sure to
export the EFS certificate to removable media so you have it should
you ever have to reinstall the OS. You'll need to import that cert to
regain access to the encrypted file created under the old instance of
Windows that used that cert. Read all the included help (Start ->
Help and Support) on EFS before using it. The EFS cert is available
when you login, so be sure to use *strong* login credentials for
whatever account under which you use EFS. If you use any auto-login
utility then you choose to eliminate any security since anyone
powering up that host will login under your account and have access as
yourself to those EFS protected files.

Truecrypt (free) can encrypt using file containers or an entire
partition. However, you'll need to enter the password when you boot
the remote host to open the Truecrypt container so you can read/write
to it. You won't have access to the encrypted container until you
provide the password, and the same for anyone else that cracks your
Windows login.

I have used EFS, and I do understand it. HOWEVER, that doesn't really
answer my question: I want both compression and encryption.

Thanks.


David Walker
 
David Walker

This bears repeating a third time: make sure to export your
certificates to removable media.
See "Best practices for the Encrypting File System"
http://support.microsoft.com/kb/223316/en-us

And you are correct that NTFS does not support compression and
encryption at the same time. Given the current low cost of hard
drives, why even bother with compression?

I would bother with compression because I want to eventually back up
data from several local companies that I work with, and much of the data
is very compressible.

Thanks.

David Walker
 
David Walker

As noted, you must understand EFS if you want to successfully or
safely use it. But it does rely on being able to log into the
account, so if you set your PC to log in automatically, you've
bypassed all the protection that encryption might offer in case of
theft.

You must have strong passwords on the encrypted account, and you
cannot have them set to be remembered.

And yes, you absolutely must export the certificates and understand
how to re-import them. If you change the account, you must repeat
this.

HTH
-pk

Thanks; I never have any of my systems set to log on automatically, and
I do have the certificates for the systems that use EFS, exported to a
couple of places (other than the original systems).

David
 
Edric

I would bother with compression because I want to eventually back up
data from several local companies that I work with, and much of the data
is very compressible.

Thanks.

David Walker

There are plenty of Backup programs out there that will compress the
files as they do their job. Let THEM do the compression for you. As
mentioned many times, the OS will NOT do both for you.
 
David Walker

There are plenty of Backup programs out there that will compress the
files as they do their job. Let THEM do the compression for you. As
mentioned many times, the OS will NOT do both for you.

Well, it wasn't really mentioned "many times", although *I* mentioned it
in my first post. Lem mentioned it once.

Backup programs that compress the files generally make Zip files out of
the files they are backing up, since that's just about the only way to
accomplish this.

I think I'll end up with a third-party encryption program, such as
TrueCrypt, and Windows' built-in compression.


David
 
John Wunderlich

Compression doesn't work very well with encryption. Why? Because
after being encrypted, there aren't enough repeat patterns to
resolve into a shorter byte string. Encryption pretty much
randomizes the sequence of bytes so compression can't do much more
with it. You have to encrypt before compress, and once encrypted
you won't get much, if any, compression.

You need to make a choice: encryption or compression.

This is not true.

What you describe is encryption and THEN compression (which, as you
state, doesn't work well). Compression FIRST followed by encryption
works very well and is done by default by most OpenPGP compatible
applications. In fact, the compression randomizes the data to be
encrypted making it harder to break the encryption.

Probably the best solution would be to use a program like Truecrypt
along with the Windows built-in compression. Windows would compress
the unencrypted file, then Truecrypt would encrypt the compressed file
for storage.

FWIW
-- John
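
The ordering discussed in this post, as an added example that is not part of the original thread: it compresses and encrypts the same constructed data in both orders and compares the stored sizes. The cipher is a toy SHA-256 counter-mode keystream used only as a stand-in so the script runs with the standard library; the sample records, key and nonce are constructed, and the function names are hypothetical.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for a real one, no authentication):
    XOR data with SHA-256(key || nonce || counter) blocks. Same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def compare_orders(plaintext: bytes, key: bytes, nonce: bytes) -> dict:
    """Return stored sizes for both orderings plus a restore check."""
    # Order 1: compress first, then encrypt the compressed stream.
    c_then_e = keystream_xor(key, nonce, zlib.compress(plaintext, 9))
    # Order 2: encrypt first, then try to compress the ciphertext.
    e_then_c = zlib.compress(keystream_xor(key, nonce, plaintext), 9)
    # Restore path for order 1: decrypt, then decompress.
    restored = zlib.decompress(keystream_xor(key, nonce, c_then_e))
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(c_then_e),
        "encrypt_then_compress": len(e_then_c),
        "round_trip_ok": restored == plaintext,
    }


# Constructed sample: repetitive business records, the kind of
# "very compressible" data the thread is about.
SAMPLE = b"".join(
    b"2008-11-%02d,invoice,%05d,ACME Supplies,net 30,paid\r\n" % (i % 28 + 1, i)
    for i in range(4000)
)
KEY = hashlib.sha256(b"constructed demo key").digest()   # constructed value
NONCE = b"demo-nonce-1"                                  # constructed value

if __name__ == "__main__":
    for name, value in compare_orders(SAMPLE, KEY, NONCE).items():
        print(f"{name:24} {value}")
```
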
 
Patrick Keenan

David Walker said:
Thanks; I never have any of my systems set to log on automatically, and
I do have the certificates for the systems that use EFS, exported to a
couple of places (other than the original systems).

David

Glad to hear it. As you probably know, most of the time people post here
about encryption is when they are wondering what to do when they didn't
follow those steps.

-pk
 
David Walker

This is not true.

What you describe is encryption and THEN compression (which, as you
state, doesn't work well). Compression FIRST followed by encryption
works very well and is done by default by most OpenPGP compatible
applications. In fact, the compression randomizes the data to be
encrypted making it harder to break the encryption.

Probably the best solution would be to use a program like Truecrypt
along with the Windows built-in compression. Windows would compress
the unencrypted file, then Truecrypt would encrypt the compressed file
for storage.

FWIW
-- John

Thanks, that was helpful. That sounds like what I want (because yes,
the compression should happen before the encryption). I have looked at
TrueCrypt a little bit; not much yet, but I'll look at it harder. :)

Thanks again.

David Walker
 
