EFS for an entire drive?
February 19, 2007 12:01 PM
Is it possible to set EFS (Windows encryption) for an entire drive?
I can set EFS for a folder, but not for an entire drive. Is there a way around this?
Encrypting a folder means newly created subfolders and files are encrypted from the get go. However, I cannot apply EFS to a root drive, meaning I have to separately go to each new folder in the root of the drive and enable encryption, which takes a long time.
I'm using Vista's new incremental backup to an external drive, but I'd like to be able to keep the files encrypted. Vista doesn't see Truecrypt volumes as removable hard drives and so won't let you choose that as a default target. EFS works, but it is slow to apply after the fact.
Can I set it so that all new files and/or folders on a given drive are encrypted?
I doubt you can encrypt the whole drive.
How would users who are authorized users of your machine but lack the certificate be able to use the box if the whole drive was encrypted?
Why not just throw everything in a single "secret stuff" directory?
posted by mrbugsentry at 12:09 PM on February 19, 2007
Vista doesn't see Truecrypt volumes as removable hard drives
Is this still true when you select the option under Mount Options, labeled "Mount volume as removable medium"?
posted by philomathoholic at 12:54 PM on February 19, 2007
I have to separately go to each new folder in the root of the drive and enable encryption, which takes a long time.
Might there be a command-line way to do this, so as to enable scripting?
posted by philomathoholic at 1:06 PM on February 19, 2007
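The command-line route asked about above, as an added example that is not part of the original thread: a PowerShell script that runs the built-in `cipher.exe` against each top-level folder of a drive and then re-reads the NTFS Encrypted attribute to confirm the result. The drive letter `E:\` and the skip list are assumptions.

```powershell
# Added example, not from the thread. Assumptions: the drive is E:\ and
# the two system folders in $skip should be left alone.
param(
    [string]$DriveRoot = 'E:\'
)

$skip = 'System Volume Information', '$RECYCLE.BIN'

# True when the NTFS "Encrypted" attribute bit is set.
function Test-EfsFlag($attrs) {
    $bit = [int][System.IO.FileAttributes]::Encrypted
    return (([int]$attrs) -band $bit) -ne 0
}

$results = Get-ChildItem -LiteralPath $DriveRoot -Force |
    Where-Object { $_.PSIsContainer -and ($skip -notcontains $_.Name) } |
    ForEach-Object {
        $path   = $_.FullName
        $action = 'already marked'

        if (-not (Test-EfsFlag $_.Attributes)) {
            # /e selects the encrypt operation; /s: applies it to this
            # folder and every subfolder beneath it.
            & cipher.exe /e "/s:$path" | Out-Null
            $action = "cipher exit code $LASTEXITCODE"
        }

        # Re-read the attribute from disk rather than trusting the exit code.
        $now = (Get-Item -LiteralPath $path -Force).Attributes
        [pscustomobject]@{
            Folder    = $path
            Action    = $action
            Encrypted = Test-EfsFlag $now
        }
    }

$results | Format-Table -AutoSize

# Folders still not marked need a manual look
# (for example access denied, or a volume that is not NTFS).
$failed = @($results | Where-Object { -not $_.Encrypted })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) folder(s) are not marked for EFS."
    exit 1
}
```

Top-level folders created after a run are not covered until the script is run again, so it suits a scheduled task or a step just before each backup.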
Best answer: If you're using Vista, why not use BitLocker? It's much improved vs. the EFS stuff that came before, and you definitely can encrypt entire volumes.
More info here.
posted by AaronRaphael at 1:36 PM on February 19, 2007
Response by poster: philomathoholic:
Yes, as far as my testing shows.
--
There are no other authorized users of this computer, or the external drive. I don't like to share ;)
--
Bitlocker only seems to apply to internal drives, unless I'm mistaken there's also no way to apply bitlocker to a secondary drive.
posted by tiamat at 1:46 PM on February 19, 2007
at minimum it requires two volumes: the encrypted one, and one that contains the bootloader and os kernel and encryption libraries (i.e. you need something that can boot far enough to decrypt the encrypted volume)
assuming there are tweaks for vista similar to xp, why not simply put \Users and \Progra~1 on separate volumes (could be partitions, whole separate disks, whatever you like), notify the os of their new whereabouts, and then encrypt those volumes from their respective roots...
not sure you can get away with encrypting the system directory tho.
posted by dorian at 5:52 PM on February 19, 2007
Response by poster: In the end...
Looks like there is no way of using EFS on an entire drive, BUT...
BitLocker whole disk encryption can be set up after you create the system, if you do the following
Enable Flash keys instead of bios TPM: Gpedit Instructions
and creating a new active partition of at least 1.5 gb where the system boot instructions can be stored, unencrypted...
Setup BitLocker after installing windows
And actually, you can trick the windows backup to send the files to a truecrypt volume, you just have to manually create a network share that points to it and is shared with full access each time you use it (disconnect from any unsecure networks first, of course).
Now I just need to find out if the whole disk backup is encrypted, if you have the system protected by bitlocker....
posted by tiamat at 7:55 PM on February 21, 2007
posted by tiamat at 12:08 PM on February 19, 2007