Computer Security - Best encryption sw for home laptop
#1

I've been researching encryption software for a few days and I think I'd better ask for some help. Please excuse me if I say something here that shows my ignorance. And feel free to correct me, I'm trying to learn about this so I can make the best decision.

It looks like PGP and Truecrypt are well thought of, but I don't think they have everything I want. I'm looking for

1) Excellent encryption so that it would be beyond the means of any individual or group to get my data.
2) Ability to set up sort of a virtual drive or set up a folder so that anything that I put there is automatically encrypted.
3) Ability to create and send encrypted files to people and they can open them if I tell them the password or key
4) Ability to put encrypted backups on DVDs.

Am I asking too much for one product? I like the idea of an open source product, but I guess a lot of people trust products that aren't open source, so I guess I could too maybe. If there is something that meets my needs, I'm willing to pay for it, so it doesn't have to be free.

Thanks a lot everybody, I appreciate your input.

emailchrisco@gmail.com

#2

Posts: n/a

wrote:
> I've been researching encryption software for a few days and I think I'd better ask for some help. Please excuse me if I say something here that shows my ignorance. And feel free to correct me, I'm trying to learn about this so I can make the best decision.
> It looks like PGP and Truecrypt are well thought of, but I don't think they have everything I want. I'm looking for
> 1) Excellent encryption so that it would be beyond the means of any individual or group to get my data.

EFS, TrueCrypt and GnuPG.

> 2) Ability to set up sort of a virtual drive or set up a folder so that anything that I put there is automatically encrypted.

EFS, TrueCrypt.

> 3) Ability to create and send encrypted files to people and they can open them if I tell them the password or key

TrueCrypt. Now for GPG this must be done manually.

> 4) Ability to put encrypted backups on DVDs.

TrueCrypt, GnuPG. Again, the latter needs manual invocation.

Sebastian Gottschalk

#3

Posts: n/a

Thanks Sebastian.

I also wanted to ask about secure file delete (what happens if I delete a file from the encrypted folder?) and about the danger of having some data in plain text in the swap file (or page file) that could be taken from there more easily than the encrypted area.

Also this. My situation is that I usually leave my computer up and running, even when I leave the house and overnight it is left on. So if a thief steals it (and they don't turn it off or reboot it) are they past my encryption defenses since I was just there and was working with encrypted data?

emailchrisco@gmail.com

#4

Posts: n/a

wrote:
> Thanks Sebastian. I also wanted to ask about secure file delete (what happens if I delete a file from the encrypted folder?)

TrueCrypt: The reference to the file data is deleted. Now if someone obtained your encrypted container, he could still recover the data if he knew the key.

EFS: As above, but the symmetric key associated with the file is overwritten. As this key is usually per-file and never exported, it's a bit safer.

In any case, a secure overwrite of either the file itself or the free space after deleting removes the data. Now that's why I have a "shred -z" in my crontab.

> and about the danger of having some data in plain text in the swap file (or page file)

Yeah, that might be a problem. However, what about common crypto solutions for the swap file? On Linux you've got dmcrypt and crypto-loop, on Windows you may take a look at CryptoSwap Guerilla.

> are they past my encryption defenses since I was just there and was working with encrypted data?

Yes. A crypto filesystem only protects a cold filesystem and should be transparently accessible in active state. Either dismount it (manually or automatically on idling) or use/add a file-based encryption.

Sebastian Gottschalk
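
One way to audit the plaintext-swap risk discussed above on a Linux machine, as an added example that is not part of any post in this thread: it reads `/proc/swaps` and treats a swap device as encrypted when its device-mapper UUID in sysfs starts with `CRYPT-`, the prefix cryptsetup gives dm-crypt mappings. The function names and the sample input are constructed for illustration.

```python
"""Audit active Linux swap areas: is each one backed by a dm-crypt mapping?"""
import os

# Constructed sample of /proc/swaps (not taken from the thread).
SAMPLE_SWAPS = (
    "Filename                Type        Size     Used  Priority\n"
    "/dev/dm-0               partition   2097148  0     -2\n"
    "/dev/sda2               partition   1048572  512   -3\n"
    "/swapfile               file        524284   0     -4\n"
)

def parse_proc_swaps(text):
    """Return [(path, type)] from /proc/swaps text; the first line is a header."""
    rows = (line.split() for line in text.splitlines()[1:])
    return [(f[0], f[1]) for f in rows if len(f) >= 2]

def is_dmcrypt(dev_path, sysfs="/sys", resolve=os.path.realpath):
    """True if dev_path is a device-mapper node whose DM UUID starts with CRYPT-."""
    node = os.path.basename(resolve(dev_path))  # /dev/mapper/<name> -> dm-N
    uuid_file = os.path.join(sysfs, "block", node, "dm", "uuid")
    try:
        with open(uuid_file) as fh:
            return fh.read().startswith("CRYPT-")
    except OSError:
        return False  # no dm/uuid entry: not a device-mapper device

def audit_swap(swaps_text, sysfs="/sys", resolve=os.path.realpath):
    """Return [(path, finding)] for every swap area that is not on dm-crypt."""
    findings = []
    for path, kind in parse_proc_swaps(swaps_text):
        if kind == "file":
            # A swap file inherits whatever protection its filesystem has.
            findings.append((path, "swap file: verify the volume holding it is encrypted"))
        elif not is_dmcrypt(path, sysfs, resolve):
            findings.append((path, "plaintext swap device"))
    return findings

if __name__ == "__main__":
    try:
        with open("/proc/swaps") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_SWAPS  # not on Linux: fall back to the constructed sample
    for path, finding in audit_swap(text):
        print(f"{path}: {finding}")
```

The check looks only at the top-level mapping, so swap on an LVM volume that itself sits on an encrypted device is reported as plaintext and needs a manual look.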

#5

Posts: n/a

wrote in news:1150745738.468582.228900@h76g2000cwa.googlegroups.com:

> Thanks Sebastian.
> I also wanted to ask about secure file delete (what happens if I delete a file from the encrypted folder?) and about the danger of having some data in plain text in the swap file (or page file) that could be taken from there more easily than the encrypted area. Also this. My situation is that I usually leave my computer up and running, even when I leave the house and overnight it is left on. So if a thief steals it (and they don't turn it off or reboot it) are they past my encryption defenses since I was just there and was working with encrypted data?

0. You can delete a file from a truecrypt volume as simply (or as elaborately) as you wish - just as with any other drive. However, this does seem superfluous since the encryption provides all the protection you would normally need.

1. It is possible to have the swap file encrypted by having it on a Truecrypt volume. The volume is mounted with the "system" mount option - it's in the Truecrypt documentation.

2. You can encrypt much of the "user space" by using the third-party truecrypt addon TCGINA at:

http://www.truecrypt.org/third-party-projects/tcgina/

3. If you leave the machine up and running then the files on any mounted Truecrypt drives are accessible unencrypted - the thief has full access (how would the machine know the difference between the thief and you?).

As a minimum you should use "Logo L" (or run the equivalent:

rundll32.exe user32.dll, LockWorkStation

This works better if you have fast user switching enabled - which you shouldn't!) to lock the machine (which will stop amateurs at least). Fanatics will make sure that there are no other routes in (LAN, firewire, etc.).

Regards,
nemo_outis

#6

Posts: n/a

nemo_outis wrote:
> 1. It is possible to have the swap file encrypted by having it on a Truecrypt volume. The volume is mounted with the "system" mount option - it's in the Truecrypt documentation.

Have been reading and searching and didn't find anything. Can you point me somewhere? Can we randomly generate a key and fast-format the volume or is the key static, therefore always available to Mallory? Also under Windows?

> 2. You can encrypt much of the "user space" by using the third-party truecrypt addon TCGINA at:
>
> http://www.truecrypt.org/third-party-projects/tcgina/

Generally a good idea, but it creates a lot of hassles with system management and repair.

> As a minimum you should use "Logo L" (or run the equivalent:
> rundll32.exe user32.dll, LockWorkStation
> This works better if you have fast user switching enabled - which you shouldn't!) to lock the machine (which will stop amateurs at least). Fanatics will make sure that there are no other routes in (LAN, firewire, etc.).

Or, as recently pointed out, USB, which has the same remote direct memory access feature like FireWire. A sophisticated attacker would attach a module directly to the memory controller.

Sebastian Gottschalk

#7

Posts: n/a

#8

Posts: n/a

nemo_outis wrote:
> 1. It is possible to have the swap file encrypted by having it on a Truecrypt volume. The volume is mounted with the "system" mount option - it's in the Truecrypt documentation.

Have been reading and searching and didn't find anything. Can you point me somewhere? Can we randomly generate a key and fast-format the volume or is the key static, therefore always available to Mallory? Also under Windows?

supersede: It's a third-party addon and seemingly not so stable.

> 2. You can encrypt much of the "user space" by using the third-party truecrypt addon TCGINA at:
>
> http://www.truecrypt.org/third-party-projects/tcgina/

Generally a good idea, but it creates a lot of hassles with system management and repair.

> As a minimum you should use "Logo L" (or run the equivalent:
> rundll32.exe user32.dll, LockWorkStation
> This works better if you have fast user switching enabled - which you shouldn't!)

As an alternative on a vastly shared system, you might take a look at SUperior SU, which allows additional logons, but only layered (reads: you need to log off to get back to your previous user).

> to lock the machine (which will stop amateurs at least). Fanatics will make sure that there are no other routes in (LAN, firewire, etc.).

Or, as recently pointed out, USB, which has the same remote direct memory access feature like FireWire. A sophisticated attacker would attach a module directly to the memory controller.

Sebastian Gottschalk

#9

Posts: n/a

Zoltan wrote:
> Sebastian Gottschalk wrote:
>> wrote:
>
>>> 3) Ability to create and send encrypted files to people and they can open them if I tell them the password or key
>> TrueCrypt.
>
> Can Truecrypt do this?
>
> Or are you assuming that the recipient has Truecrypt installed?

Definitely. Just create all your files in a TrueCrypt container mounted on a file, dismount and send the file.

Sebastian Gottschalk

#10

Posts: n/a

Sebastian Gottschalk <> wrote in news::

> nemo_outis wrote:
>
>> 1. It is possible to have the swap file encrypted by having it on a Truecrypt volume. The volume is mounted with the "system" mount option - it's in the Truecrypt documentation.
>
> Have been reading and searching and didn't find anything. Can you point me somewhere? Can we randomly generate a key and fast-format the volume or is the key static, therefore always available to Mallory? Also under Windows?

Go to:

http://www.truecrypt.org/user-guide/?s=version-history

and search on "swap" (11th bullet on page under "New Features" briefly describes the option)

I haven't tried the option myself (I encrypt the whole drive with Safeboot Solo).

>> 2. You can encrypt much of the "user space" by using the third-party truecrypt addon TCGINA at:
>>
>> http://www.truecrypt.org/third-party-projects/tcgina/
>
> Generally a good idea, but it creates a lot of hassles with system management and repair.

I consider TCGINA to be "halfway" between partition/container-file OTFE encryption (e.g., Truecrypt) and full-HD OTFE encryption (e.g., Safeboot Solo)

>> As a minimum you should use "Logo L" (or run the equivalent:
>> rundll32.exe user32.dll, LockWorkStation
>> This works better if you have fast user switching enabled - which you shouldn't!) to lock the machine (which will stop amateurs at least). Fanatics will make sure that there are no other routes in (LAN, firewire, etc.).
>
> Or, as recently pointed out, USB, which has the same remote direct memory access feature like FireWire. A sophisticated attacker would attach a module directly to the memory controller.

Yeah, locking the computer is better than nothing but not a lot better running unattended overnight (for which, unhappily, there are no good solutions - short of a vault).

Regards,
nemo_outis