Win 10 File Encryption (Improving PC Security) Help


nickofh

Original Poster:

603 posts

124 months

Friday 26th November 2021
Hello there. I would appreciate a little help in improving the physical security of our laptops etc. as there have been a lot of burglaries in the area lately.

Our laptops are more than a few years old and the value of them is next to nothing, however I would like some protection knowing that if they were stolen some of our business files are safe if the SSDs are moved to another PC to access. Not worried about our photos etc., just private documents.

I don't want the hassle of the Win 10 full disk encryption that on our PCs would require a USB to start, so I have downloaded some simple file encryption (LeoMoon QuickCrypt) that requires a password to unlock the files.

If my Win 10 PC is password protected, are my passwords that are saved to Edge browser and Chrome protected if the Win 10 login is circumvented or similar? So if the HDD is moved to another computer can the passwords be accessed?

Thank you.

Nick

xeny

4,587 posts

84 months

Friday 26th November 2021
More than a few years old probably means no TPM, so no BitLocker or Windows encryption without a USB stick.

OP - I don't think those are necessarily encrypted as things stand. Is it worth buying a couple of small USB sticks like https://www.amazon.co.uk/SanDisk-Cruzer-16GB-Flash... which barely project from the USB port and using those?

One thing to keep in mind with encryption - it makes data recovery far harder so make sure your backups are in good order.

Ransoman

884 posts

96 months

Friday 26th November 2021
If the Windows password is cracked (trivial with a boot disk), the attacker will have full access to everything on the computer including cached passwords. They will not be able to reveal the password but they will be able to visit sites you are automatically logged into.

Full disk encryption is really the only defence. An encrypted folder that is protected with just a password can be brute force cracked.

Taita

7,708 posts

209 months

Friday 26th November 2021
Ransoman said:
If the Windows password is cracked (trivial with a boot disk), the attacker will have full access to everything on the computer including cached passwords. They will not be able to reveal the password but they will be able to visit sites you are automatically logged into.

Full disk encryption is really the only defence. An encrypted folder that is protected with just a password can be brute force cracked.
Just to clarify, they will be able to access saved passwords, as they are encrypted using userland DPAPI and there will be a machine masterkey stored on the disk.

All passwords stored in browsers are effectively in plaintext and can be recovered easily using a masterkey, or a 'shell' in the user session.

In answer to OP as others have said, check out BitLocker for zero-effort solution. If you have non-Win10 Enterprise, it might be less ballache to just acquire an Enterprise key (ebay) and relicense your Win10 to Enterprise, then use Bitlocker - you won't need to reinstall IIRC.

ETA: You can have BitLocker be seamless boot up, or prompt for PIN/Password - without PIN/Password there have been cases of BitLocker keys being recovered from hardware buses but this is welllll outside the things you need to care about.

TonyRPH

13,103 posts

174 months

Friday 26th November 2021
You could use VeraCrypt which can be used to create encrypted volumes (a file which is mounted as a disk when in use) - this also aids backup, because you can copy the file to a backup disk.


nickofh

Original Poster:

603 posts

124 months

Friday 26th November 2021
Wow. Thanks so much for this information.

My PCs don't have the TPM module, which is why I wrongly thought that I couldn't use BitLocker without a USB key.

So if I use bitlocker with a password and follow the procedure here .....

https://www.google.com/amp/s/www.howtogeek.com/how...

This would keep my files safe enough for the home user and protect my stored passwords provided that I use a strong enough login password?

I'm not looking to defeat Mr Robot, just to stop a chancer getting my PayPal passwords etc., to lessen the worry if it was taken.

eeLee

837 posts

86 months

Friday 26th November 2021
You need to address two things:
1. Keeping people out of your PC contents. BitLocker comes in two guises - true BitLocker linking to a TPM (Pro/Enterprise versions of Windows, I think) and Windows Device Encryption for lesser versions. If these don't work, the TrueCrypt fork, VeraCrypt, is a good and audited option.
2. Backup of your stuff. By far the easiest method on Windows is OneDrive, we pay £50 a year as a family and have 1Tb each of storage. Works a treat, I say.

You need to ensure you have a password/PIN/Hello enabled. Turn on "Find my device" too. That means the data will be safe and the rogues' option is to wipe the drive - it's just silicon and electronics in the end.

Mr Pointy

11,685 posts

165 months

Friday 26th November 2021
If it's your passwords you are worried about stop using the browser to store them & pay £10 a year for Bitwarden.

StephenP

1,906 posts

216 months

Friday 26th November 2021

nickofh said:
I'm not looking to defeat Mr Robot , just to stop a chancer getting my PayPal passwords etc , to lessen the worry if it was taken.
I'd also strongly recommend adding two-factor authentication for things like PayPal, email accounts, Amazon, eBay, etc and link it to an authenticator app on your smartphone

Edited by StephenP on Friday 26th November 11:36

Dave Hedgehog

14,661 posts

210 months

Friday 26th November 2021
StephenP said:
nickofh said:
I'm not looking to defeat Mr Robot , just to stop a chancer getting my PayPal passwords etc , to lessen the worry if it was taken.
I'd also strongly recommend adding two-factor authentication for things like PayPal, email accounts, Amazon, eBay, etc and link it to an authenticator app on your smartphone

Edited by StephenP on Friday 26th November 11:36
and secure cloud backup for any data you can't afford to lose

what's the point in encryption if the device is stolen or destroyed in a fire? you don't have the data

nickofh

Original Poster:

603 posts

124 months

Friday 26th November 2021
Thank you again.

I will be looking at these suggestions over the weekend and implementing what I can with my old hardware.

I have my data backups on an external HDD locked well away in a fireproof box. (Really just my family vids and photos I care about.)

I had no idea the passwords stored in my browser were so vulnerable. I thought the Win login was sufficient protection for this. Definitely addressing that straight away.

Taita

7,708 posts

209 months

Friday 26th November 2021
nickofh said:
Thank you again.

I will be looking at these suggestions over the weekend and implementing what I can with my old hardware.

I have my data backups on an external HDD locked well away in a fireproof box. (Really just my family vids and photos I care about.)

I had no idea the passwords stored in my browser were so vulnerable. I thought the Win login was sufficient protection for this. Definitely addressing that straight away.
You would be relying on the thief to even know about DPAPI, which is a long shot. But yes, effectively it is 'take encrypted blob of passwords', and 'apply masterkey from hard drive = plaintext'.

nickofh

Original Poster:

603 posts

124 months

Saturday 27th November 2021


Hello.

BitLocker set up and working on my PC after changing some of the settings to allow it. Thank you so much for the advice. Next one to secure is my wife's laptop. So with that at the startup before Windows, does it mean that the entire contents are encrypted including the passwords that are in my browsers etc. and that it is plenty sufficient for an average laptop? Do I still need to keep my Win logon password protected following the BitLocker startup? Is it OK to have them the same?

Thank you.

Nick

xeny

4,587 posts

84 months

Saturday 27th November 2021
nickofh said:
Do I still need to keep my Win logon password protected following the BitLocker startup? Is it OK to have them the same?
You probably want to keep the Windows logon password protected, so you can just lock the laptop with Windows+L when you step away from it rather than shutting it down to use BitLocker's security during a comfort break.

jesusbuiltmycar

4,618 posts

260 months

Saturday 27th November 2021
I use Cryptomator for anything important. It's free and basically encrypts a file/folder. It can be used to create encrypted folders on most cloud drives (iCloud, Dropbox etc.) meaning you can also access your data using your mobile phone / tablet.

The password is not stored online and if you forget it you will not be getting your files back.



https://cryptomator.org


Mr Pointy

11,685 posts

165 months

Sunday 28th November 2021
nickofh said:

BitLocker set up and working on my PC after changing some of the settings to allow it. Thank you so much for the advice. Next one to secure is my wife's laptop. So with that at the startup before Windows, does it mean that the entire contents are encrypted including the passwords that are in my browsers etc. and that it is plenty sufficient for an average laptop? Do I still need to keep my Win logon password protected following the BitLocker startup? Is it OK to have them the same?
If you haven't already done it, the next crucial step is to make a backup of your BitLocker Recovery Key.
https://support.microsoft.com/en-gb/windows/findin...

If you ever need it & haven't made a backup you can kiss goodbye to your data.

nickofh

Original Poster:

603 posts

124 months

Friday 10th December 2021
Hello there.

Thanks again for the assistance. Today I have set up BitLocker on my wife's laptop; it's a little newer than mine and has the TPM 1.2. The drive encryption went OK seemingly and it says that it's active. I also checked in a cmd prompt and it said fully encrypted. I got the keys printed off for secure storage too.

The query I have is that it did not ask me to set up a really long password like it did on my laptop (the older one shown above without TPM). I didn't have to put in any extra password like I did before. When I shut down the laptop and restart, it looks entirely normal, as it did before BitLocker was running, and I just unlock the PC with the password. Is this how it should be on this different PC? (No BitLocker screen at around BIOS time / before boot.) I also didn't set BitLocker up on the Lenovo recovery partition, is that needed?

Thank you.

Nick

I did try to view some videos but really wanted a clear answer as my wife takes her laptop out more for work and also has more client files that I feel we need to protect.

nickofh

Original Poster:

603 posts

124 months

Friday 10th December 2021

xeny

4,587 posts

84 months

Friday 10th December 2021
Do you want/need to enable a preboot Bitlocker PIN?

nickofh

Original Poster:

603 posts

124 months

Friday 10th December 2021
Hello there.

I'm not sure about that. My first time using BitL on my other laptop needs me to enter a long password at startup, so I was expecting the same on this one. I'm happy with just the Windows login password if that gives a little protection. As long as it's not too easily circumvented by moving the drive or resetting the password through a boot disk. I think that following instructions I could manage that.

Any advice?

Thanks
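
An added example, not written by any poster in this thread: a PowerShell check, run from an elevated prompt, that reports for each volume whether BitLocker protection is on, how the drive is unlocked at boot (TPM only, as on the newer laptop described above, or a pre-boot password, as on the older one), and whether a recovery password exists to back up. The function name `Get-BitLockerAudit` and the wording of the findings are this example's own; `Get-BitLockerVolume` and `Get-Tpm` are the standard Windows cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example: report BitLocker state and key protectors for each volume.
# Get-BitLockerAudit and the wording of the findings are this example's own.
function Get-BitLockerAudit {
    $tpm = Get-Tpm -ErrorAction SilentlyContinue   # $null if the TPM query fails
    foreach ($vol in Get-BitLockerVolume) {
        # Protector type names, e.g. Tpm, TpmPin, Password, RecoveryPassword
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # How the volume is unlocked before Windows starts
        if ($types -contains 'Tpm') {
            $unlock = 'Automatic (TPM only, no pre-boot prompt)'
        } elseif ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
            $unlock = 'TPM plus pre-boot PIN'
        } elseif ($types -contains 'Password') {
            $unlock = 'Pre-boot password (no TPM involved)'
        } else {
            $unlock = 'Other / none'
        }

        $findings = @()
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'Protection is off: contents are readable from another PC'
        }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "Encryption not complete ($($vol.EncryptionPercentage)%)"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'No recovery password protector to print or back up'
        }
        if ($vol.VolumeType -eq 'OperatingSystem' -and $types -contains 'Tpm') {
            $findings += 'Windows logon is the only prompt; a pre-boot PIN is optional hardening'
        }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = "$($vol.VolumeType)"
            Status       = "$($vol.VolumeStatus)"
            Protection   = "$($vol.ProtectionStatus)"
            TpmPresent   = [bool]($tpm -and $tpm.TpmPresent)
            Protectors   = $types -join ', '
            UnlockAtBoot = $unlock
            Findings     = $findings -join '; '
        }
    }
}

Get-BitLockerAudit | Format-List
```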