Easiest-to-manage encryption for Windows 7? (other than BitLocker)
May 6, 2011 8:44 AM

What are the easiest-to-administer alternatives to BitLocker for file or hard drive encryption on a Windows 7 laptop?

I have sensitive (but not perilously sensitive) information on company laptops for myself and several colleagues (who are in different geographies; I rarely see them and I do not trust them to configure anything more complicated than Outlook). I do not need to prevent a foreign government intent on accessing my data, I just want to make sure that a petty thief who steals a laptop out of a car or hotel can't easily recover sensitive client information.

I've been using BitLocker for encryption for the last year, and it was wonderful. Dead simple to manage, easy to tell colleagues over the phone how to use it, transparent in day-to-day usage, better sleep at night, etc. I believe part of the simplicity stems from our laptops including TPM hardware.

We recently changed hardware and Windows 7 Ultimate is no longer an option from Lenovo. Professional is all we can get, and it does not include BitLocker.

So, I need to pick a new encryption solution. I don't mind paying. My priority is for something that integrates well with Windows and works easily. I don't want to spend time remotely debugging obscure command-line settings, and I really don't want to have colleagues lose valuable files because they screw up. I don't need full hard drive encryption (I'm just trying to minimize exposure from a lost laptop by encrypting work files) but if that is the best option I'm open to it.

An alternative might be upgrading from Windows 7 Pro to Ultimate, but I have no idea if this is even remotely possible given how much tweaking Lenovo seems to do to Thinkpads.

Thoughts / suggestions / experience with TrueCrypt or other utilities?

Thank you!
posted by genug to Computers & Internet (4 answers total) 1 user marked this as a favorite
 
I don't want to spend time remotely debugging obscure command-line settings, and I really don't want to have colleagues lose valuable files because they screw up. I don't need full hard drive encryption (I'm just trying to minimize exposure from a lost laptop by encrypting work files) but if that is the best option I'm open to it.

TrueCrypt is pretty painless for this sort of thing. After installing it, use the Volume Creation wizard to walk you through creating a virtual drive. Then assign it a drive letter and it will show up as a standard drive in Windows. Save all of your important documents there. No command line settings or extra maintenance needed.
posted by burnmp3s at 9:01 AM on May 6, 2011


Best answer: upgrading from Windows 7 Pro to Ultimate

I don't have experience upgrading, but an install of W7 Ultimate from the standard install onto my (company) Thinkpad was totally painless and everything works flawlessly, graphics, fingerprint reader, the lot. So an upgrade is likely to be totally satisfactory.
posted by anadem at 3:10 PM on May 6, 2011 [1 favorite]


Another option is to set up TrueCrypt with whole-drive encryption. This will replace the Windows bootloader with the TrueCrypt one, and the user will have to enter a passphrase to unlock the hard drive. I did this once on a Win7 laptop (shortly after Win7 came out) and it was relatively painless; you can tell TrueCrypt to do the whole-drive encryption on an existing Windows installation, and performance isn't bad at all.

From the user's point of view, they have to enter a password when the machine boots up. That's basically it. One caveat is that there might be some issue with putting the machine to sleep, as the encryption key is still in memory. I haven't looked at TrueCrypt recently, so I'm not sure if this is handled better. I think hibernation is OK, so you may just configure the laptop to hibernate when the lid closes, instead of sleeping. This may take a few seconds longer, etc., and you should obviously test it to see how well this works.

One bonus is that you can modify the boot loader message. You can leave the screen totally blank, you can put in an "IF LOST CALL XXX: REWARD", etc., instead of the default "ENTER PASSPHRASE" prompt.
posted by chengjih at 3:30 PM on May 6, 2011
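
The lid-close change suggested in the answer above, as an added example that is not part of the original thread: a PowerShell script that switches the lid action from sleep to hibernate with Windows' built-in powercfg tool and then reads the setting back. It assumes an elevated prompt and an English-language Windows install (the verification step matches English powercfg output).

```powershell
# Added example: make closing the lid hibernate instead of sleep, so the
# disk-encryption key does not stay in RAM while the laptop is in a bag.
# Run from an elevated PowerShell prompt on the laptop.

$Hibernate = 2   # LIDACTION values: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down

# Hibernation must be enabled before it can be used as the lid action.
powercfg /hibernate on

# Apply to the active power plan, both on AC power and on battery (DC).
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION $Hibernate
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION $Hibernate
powercfg /setactive SCHEME_CURRENT   # re-activate the plan so the change takes effect

# Verify: read the setting back and check both the AC and the DC index.
# Assumption: English output containing "Power Setting Index: 0x...".
$report = powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
$values = @($report |
    Select-String 'Power Setting Index:\s*0x([0-9a-fA-F]+)' |
    ForEach-Object { [Convert]::ToInt32($_.Matches[0].Groups[1].Value, 16) })
$wrong = @($values | Where-Object { $_ -ne $Hibernate })

if ($values.Count -eq 2 -and $wrong.Count -eq 0) {
    'Lid close is set to hibernate on AC and on battery.'
} else {
    Write-Warning 'Lid action is not set to hibernate; powercfg reported:'
    $report
}
```

This only changes what closing the lid does; a user can still choose Sleep from the Start menu.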


1- Though I don't use it, whole-drive encryption seems easiest.

2- Lost files aren't a problem because the users are backing up their data anyway, right?
posted by gjc at 9:20 PM on May 6, 2011

