securing your data

 


Password Protecting Folders, what are the Options?


I was asked an interesting question - how can I password protect folders to keep unauthorized users from accessing my data?

The answer is "it depends."  Who are you trying to protect your data from?  For example, if somebody breaks into your office and steals your PC, that's one thing.  But if you want to protect your folders from your family members or co-workers, that's another thing.  Do you want to protect data on a USB Hard Drive?  Do you have a Home or Professional operating system?  I will go over a few of the features built into the operating system and certain applications, and some free and paid alternatives.  Some options aren't folder password protection; however, free alternatives are worth discussing.

Application Security

Both Word and Excel documents and worksheets can be password protected on a file by file basis.   You would have to open each file and assign a password to the file, re-save it, and open the next file.  This may be cumbersome if you have hundreds or thousands of files.  Programs exist which can crack the passwords of the password protected Word and Excel data files.

Password Protect Word and Excel Files, a short video on Youtube.com.


Operating System Security - NTFS Folder Encryption
For Windows Vista Business and Higher, or Windows XP Professional


This "scrambles" the contents of a folder and its sub-folders.  Technically speaking, this is not folder password protection; however, in the event of theft, it will be difficult for a thief to read encrypted folders.  This is intended for use on a local hard drive, or a high capacity USB attached hard drive (with the NTFS file system).  This won't work with USB Flash drives, because most flash drives are formatted with the older FAT32 file system.  Windows Folder encryption does not work on FAT or FAT32 Flash Drives.

What this will do:  Encrypt the files so if somebody steals your PC, they will be unable to access your encrypted files.

What is required:  The above operating systems.  This is tied to your logon password.  If you don't have a logon password, you must set one.  If your password is easy to guess, someone who guesses it may be able to access your data.

What this won't do:  If you walk away from your desk without logging off or locking your PC, and a co-worker opens Microsoft Excel on your PC, that person will be able to open your files, because you walked away from the computer while it was signed on.

If you move a USB Hard Drive that has encrypted folders to another computer, the encrypted folders will not be readable by the other computer.

If you forget your password, you will NOT be able to recover your data.

PCNS does not recommend NTFS Encryption.  There are inherent risks if your PC is joined to a Windows Domain.  Few administrators know to keep the Domain Private Keys renewed.  If they are allowed to expire, you will be unable to access your encrypted folders, even if they are on your local hard drive.  As for a workgroup network, PCNS does not recommend NTFS Encryption there either, because in a home or small business environment the PC is more susceptible to Operating System crashes.

If your computer crashes and you reinstall Windows, you may not be able to access the encrypted folder, because the machine ID from the original Windows installation is part of the encryption scheme.

Reference Thread

Backing up the Machine (Private) Key
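
The reinstall and lost-key risks described above are the reason to export the encryption key before relying on NTFS folder encryption. The following is an added example, not part of the original article; the folder and backup paths are placeholders, and it assumes Windows Vista or later with PowerShell and the built-in cipher.exe.

```powershell
# Added example, not from the original article. $Folder and $Backup are placeholder paths.
$Folder = 'C:\Tax-2009'
$Backup = 'E:\efs-key-backup'   # cipher appends .pfx; store this file away from the PC

# Folder encryption needs NTFS; FAT/FAT32 drives (most flash drives) are rejected here.
$drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($Folder))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$($drive.Name) is $($drive.DriveFormat); folder encryption is not available."
}

# Encrypt the folder and everything below it.
cipher /e "/s:$Folder"

# Confirm the result from the file attributes instead of trusting the command output.
$plain = Get-ChildItem -Path $Folder -Recurse -Force |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
if ($plain) {
    Write-Warning "$(@($plain).Count) item(s) are still unencrypted (often files that were open):"
    $plain | Select-Object -ExpandProperty FullName
}

# Export the current user's EFS certificate and private key to a .pfx file.
# cipher asks for confirmation and for a password that protects the .pfx.
cipher /x $Backup
```

After a reinstall, importing that .pfx into the new user profile is what makes the encrypted folder readable again, so the .pfx and its password need to survive the loss of the PC.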


Operating System Security - NTFS Permissions
For Windows Vista Business and Higher, or Windows XP Professional


This is not a way to assign passwords to folders.  It is used in business to protect unauthorized users from accessing files and folders in the corporate world.  NTFS Permissions are generally used on a File Server.  There is less concern about data theft (the files and folders of which could be accessed with moderate effort), because the Server is in a secured, often monitored facility with limited physical access.  This is not individual password protection of folders.  Instead your logon password is used to access the server, and Permissions dictate which folders a user can see.  Users without appropriate permissions are simply locked out of a disallowed folder.

NTFS Permissions use your logon identity to determine who has access to folders.  For example, suppose you want to lock out everyone except yourself and the "Administrator" user object from accessing the folder C:\Tax-2009.  Assign permissions accordingly (this is not a how-to).  Everyone except yourself and the Administrator will be denied access to this folder.

What is required:  The above operating systems.

What this won't do:  This will not encrypt your folders, so if someone steals your computer or USB Hard Drive, intruders can use "take ownership" and other methods to "grab" control of the folder, thus allowing them to read the contents and open files.  If you walk away from your desk and you do not log off, the person in the cubicle next to you could open your protected folders.

PCNS does not recommend explicit NTFS Permissions on a removable high capacity USB Hard Drive.  Windows arbitrarily assigns drive letters to USB Hard Drives, so a drive may have the letter E: one day and the letter G: the next day (say, due to inserting another removable media device), and permission settings are hard set in the Windows registry to one specific drive letter.
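
The C:\Tax-2009 lockout described above, as an added example that is not part of the original article. It uses the built-in icacls tool from an elevated PowerShell session and assumes the built-in local account is still named "Administrator".

```powershell
# Added example, not from the original article. Run from an elevated PowerShell session.
$Folder = 'C:\Tax-2009'   # the article's example folder

# NTFS permissions only exist on NTFS volumes; stop early on FAT/FAT32.
$drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($Folder))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$($drive.Name) is $($drive.DriveFormat); NTFS permissions cannot be set here."
}

# The two accounts that keep access: the current user and the local Administrator.
# Assumption: the built-in Administrator account has not been renamed.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$admin   = "$env:COMPUTERNAME\Administrator"
$allowed = @($me, $admin)

# /inheritance:r  drops entries inherited from the parent folder (Users, Everyone, ...).
# /grant:r        replaces any existing explicit entry for the named account.
# (OI)(CI)F       full control on this folder, its sub-folders and its files.
icacls $Folder /inheritance:r /grant:r "${me}:(OI)(CI)F" "${admin}:(OI)(CI)F"

# Verify: explicit entries for other accounts survive the command above, so list
# whatever is left on the ACL and flag anything that is not on the allowed list.
$unexpected = (Get-Acl -Path $Folder).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }

if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, AccessControlType
    Write-Warning 'Other accounts still have entries on this folder; remove them with icacls /remove.'
} else {
    Write-Host "No accounts other than $($allowed -join ' and ') have entries on $Folder."
}
```

Removing inherited entries also removes SYSTEM, so backup software that runs as SYSTEM will no longer be able to read this folder.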


Third Party Tool - Donationware - TrueCrypt

TrueCrypt is safe, refer to Gibson Research
https://www.grc.com/misc/truecrypt/truecrypt.htm

TrueCrypt is a true encryption program; it does not "password protect" folders per se.  In its simplest form, you construct a "volume" which holds files, and assign a password to the volume.  If the volume is on a high capacity USB Hard Drive, you can move the hard drive to another computer and install TrueCrypt on the other computer.  With the proper password you can access the encrypted volume.  It is inherently safer because, unlike NTFS encryption, the encrypted file does not rely upon the Private Key of the Windows Operating System.  However, its benefit is also a weakness.  If you used an easy to guess password for the TrueCrypt container, an intruder could guess the password in time.  While not required, TrueCrypt recommends a 20 digit password as a baseline.  An encrypted container can be created on either a FAT32 or an NTFS volume.

If you know what WinZip does, TrueCrypt works in a similar fashion: you store files in a single container file.  The difference is emphasis.  WinZip's emphasis is compressing files to save space; TrueCrypt does not compress files, it simply scrambles them, so from a security perspective TrueCrypt is better at securing files.  WinZip, however, will dynamically increase the size of the Zip "container" file.

TrueCrypt works natively with Windows Explorer - the encryption container gets its own drive letter.  You have to start TrueCrypt and mount the volume you created.  To add files in WinZip you have to click context menus and maneuver around WinZip to add, remove, and update files.

Drawbacks:  TrueCrypt has a learning curve.  Once a volume is created it cannot be enlarged or reduced.  You must create a second, separate volume if the first volume runs out of space.  If you leave your computer unattended with the TrueCrypt volume mounted, nearby users will be able to access files on the encrypted volume.  Best practice is to lock your PC with a logon password, and keep it secret, or dismount the TrueCrypt volume.  PCNS is generally upbeat about TrueCrypt, but there is a learning curve.  Also I suggest copying the most important files to a large USB Flash Drive (up to 64 gigabyte flash drives are available), storing them unencrypted, and keeping the drive in a media grade fire safe or a bank safe deposit box.  In case of hardware failure or other unforeseen problems, losing your TrueCrypt data volume would be most unfortunate.  An alternative to backing up the encryption container's contents this way would be an On-Line backup service.

Warning:  If you create a TrueCrypt volume on a removable USB hard Drive (or Flash Drive) you MUST dismount the volume before removing the drive, or data loss will occur.

Note: VeraCrypt is a derivative of TrueCrypt (in programming terms it's called a fork), and it is under active development.



Third Party Tool - Shareware $40
Password Protect
Protect Folders

Both websites show software that is virtually identical.  I downloaded the 30 day trial from password-protect-software.com.  It works as advertised, however this software is not intended for USB Drives, because removing the hard drive and reinstalling it makes the password protection go away.  In fact, when you provide a password to unlock it, you have to remember to relock it, because if you walk away or turn off your computer the Folder remains unlocked.  This limits its usefulness.


Third Party Tool - Hide Files and Folders - $50
http://www.canadiancontent.net/tech/download-Hide_Files_inclcode_Folders.html

This software uses a kernel level VXD file to incorporate Password Protection to select folders. It does not encrypt files or folders, but it accomplishes the user's primary request - protecting folders independent of login passwords (or lack of login passwords).  If the user walks away from his PC (even if logged on), after the default timeout (1 minute) the folder will automatically lock itself.  If you have a document file open from the password protected folder, and you exceed the 1 minute time limit, you must re-enter the folder password in order to save the changes.  It handled this seamlessly.

Regrettably, the only fault (besides lack of file encryption) I found with it was with a USB Flash Drive.  I set up a folder password on a 4 gig Corsair USB flash drive.  It accepted the folder path without error.  I restarted the PC, and discovered the folder was readily accessible.  It should have prompted for a password.  The password worked as normal from the internal fixed hard drive.  I restarted the user interface, and verified my test folder on the flash drive was set.  It was there, but it still did not block the folder.

External Links

http://www.computerhope.com/issues/ch000705.htm
http://www.winability.com/folderguard/
http://www.truecrypt.org/
How to create an Encrypted Container in TrueCrypt, a how-to video on youtube.com.