Hi Folks,
This is probably one of those issues where my requirements seem obvious and common-sensical to me but not to the people who make hardware or software. However, in the interest of developing a complete understanding of my options:
I am looking for recommendations for the simplest possible way to encrypt USB thumb drives. "Simplest possible" means in reference to the end user.
The sole purpose of the thumb drive is to provide offsite backup for important files.
The sole purpose of encrypting the thumb drive is to prevent access by unauthorized people to the contents of the drive if the user loses it.
Here are my requirements:
1. Must be usable by a "standard user" account: No administrative access required.
2. Must not require software to be installed on the computer (installed on the removable drive is okay).
3. Access should be available, ideally, simply by right-clicking the drive in Windows Explorer and entering the password for the drive (like with BitLocker). Less desirable would be for the user to have to manually execute software residing on the drive before being given an interface in which to enter the password. Anything more complicated than that, such as requiring users to copy files to/from the drive, or carry out multiple steps to get to the point where the password can be entered, is not acceptable.
3. The drive should work on any Windows computer of recent vintage, no matter where it was initially set up.
4. Users cannot permanently turn the encryption off.
5. Ideally, the entire drive should be encrypted.
I am prepared to accept that my staff will have to set up these drives initially for the users. That's okay as long as, once that work's been done, the drive functions as described above. And, of course, I can only set up computers under my control, which is why I can't use a system that requires software to be installed on every machine where the drive will be used.
Here is what I've looked at:
BitLocker
Problems: only available on Windows 7 Ultimate, or later. Most of our workstations are Windows 7 Ultimate, but some are Pro. Also, there are a couple of points I'm not sure about with BitLocker:
A. When an internal drive is encrypted on a computer, the user can check a box to essentially turn off the encryption (that is, the drive will be automatically decrypted when the computer is booted). I do not want the user to be able to turn off the encryption on a thumb drive such that, if the drive is inserted into another computer it is automatically decrypted. Does BitLocker allow that?
B. I am not sure that a drive encrypted with BitLocker on a Win 7 machine will be accessible on a Win 10 machine, or vice versa. Does anyone have a definitive answer on that point?
LaCie Private - Public
Problems: Does not work for "standard users", period. Also, requires the drive to be formatted NTFS in order to encrypt more than 4 GB of space.
Rohos
Problems: Requires multiple steps for standard users to access; cannot encrypt more than 4 GB under any circumstances.
VeraCrypt
Problems: Requires software to be installed on the machine.
Hardware Encryption
I took a visual look at the Corsair Flash Padlock drive. It's got dinky little flashing lights and tiny little buttons. I can just imagine what will happen when a user has to get into the drive by poking and punching tiny little buttons with their fingernails while the drive is inserted into the typical fragile USB slot. Not a winner... But are there other hardware encryption options that don't suffer from this or other flaws?
Of course, I am also looking for solutions that are free as in beer. But I am willing to pay a reasonable one-time cost. No way would I pay a recurring cost for a license to access a thumb drive.
Any thoughts are welcome.
Thanks!
Ken Dibble www.stic-cil.org
If you don't want to install any software, other than the OS, and you don't want to spend any money, and dinky (and flimsy, btw) usb devices with built-on encryption aren't reliable, I can't see that you have another choice other than bitlocker.
Upgrade your last Win7Pro systems to something made in this decade and you're all set.
Now, if you want to loosen the requirements, you could install something like TrueCrypt (yeah, reports of its demise are overblown):
http://www.howtogeek.com/203708/3-alternatives-to-the-now-defunct-truecrypt-...
On Mon, Feb 6, 2017 at 3:12 PM, Ken Dibble krdibble@stny.rr.com wrote:
Hi Folks,
This is probably one of those issues where my requirements seem obvious and common-sensical to me but not to the people who make hardware or software. However, in the interest of developing a complete understanding of my options:
I am looking for recommendations for the simplest possible way to encrypt USB thumb drives. "Simplest possible" means in reference to the end user.
The sole purpose of the thumb drive is to provide offsite backup for important files.
The sole purpose of encrypting the thumb drive is to prevent access by unauthorized people to the contents of the drive if the user loses it.
Here are my requirements:
- Must be usable by a "standard user" account: No administrative access
required.
- Must not require software to be installed on the computer (installed on
the removable drive is okay).
- Access should be available, ideally, simply by right-clicking the drive
in Windows Explorer and entering the password for the drive (like with BitLocker). Less desirable would be for the user to have to manually execute software residing on the drive before being given an interface in which to enter the password. Anything more complicated than that, such as requiring users to copy files to/from the drive, or carry out multiple steps to get to the point where the password can be entered, is not acceptable.
- The drive should work on any Windows computer of recent vintage, no
matter where it was initially set up.
Users cannot permanently turn the encryption off.
Ideally, the entire drive should be encrypted.
I am prepared to accept that my staff will have to set up these drives initially for the users. That's okay as long as, once that work's been done, the drive functions as described above. And, of course, I can only set up computers under my control, which is why I can't use a system that requires software to be installed on every machine where the drive will be used.
Here is what I've looked at:
BitLocker
Problems: only available on Windows 7 Ultimate, or later. Most of our workstations are Windows 7 Ultimate, but some are Pro. Also, there are a couple of points I'm not sure about with BitLocker:
A. When an internal drive is encrypted on a computer, the user can check a box to essentially turn off the encryption (that is, the drive will be automatically decrypted when the computer is booted). I do not want the user to be able to turn off the encryption on a thumb drive such that, if the drive is inserted into another computer it is automatically decrypted. Does BitLocker allow that?
B. I am not sure that a drive encrypted with BitLocker on a Win 7 machine will be accessible on a Win 10 machine, or vice versa. Does anyone have a definitive answer on that point?
LaCie Private - Public
Problems: Does not work for "standard users", period. Also, requires the drive to be formatted NTFS in order to encrypt more than 4 GB of space.
Rohos
Problems: Requires multiple steps for standard users to access; cannot encrypt more than 4 GB under any circumstances.
VeraCrypt
Problems: Requires software to be installed on the machine.
Hardware Encryption
I took a visual look at the Corsair Flash Padlock drive. It's got dinky little flashing lights and tiny little buttons. I can just imagine what will happen when a user has to get into the drive by poking and punching tiny little buttons with their fingernails while the drive is inserted into the typical fragile USB slot. Not a winner... But are there other hardware encryption options that don't suffer from this or other flaws?
Of course, I am also looking for solutions that are free as in beer. But I am willing to pay a reasonable one-time cost. No way would I pay a recurring cost for a license to access a thumb drive.
Any thoughts are welcome.
Thanks!
Ken Dibble www.stic-cil.org
[excessive quoting removed by server]
After I sent this, I had a thought that there might be a solution using Portable Apps.
Portable is an outrageous hack in the 90s where a specially-configured drive (it used to be "U3" but that might have just been a trademark) shows up in windows as two devices: a read-only "CD" and a storage device. The CD AutoRuns and software on it can launch and run out of RAM without touching the hdd or requiring admin permissions.
The "CD" can be "burned" in using a special app.
The only problem with this is the whole idea of auto-running software on your USB insertion is as stupid as "Just stick it in and see what happens." But it's still a thing. And, hey! Security.
http://www.pcmag.com/article2/0,2817,2492726,00.asp lists a few contenders near the bottom of the article. Kinda pricy, imho.
As you do with your Mac, on Linux, I can just create an encrypted partition with LUKS and most every linux distro will be able to read it.
On Mon, Feb 6, 2017 at 3:30 PM, Ted Roche tedroche@gmail.com wrote:
If you don't want to install any software, other than the OS, and you don't want to spend any money, and dinky (and flimsy, btw) usb devices with built-on encryption aren't reliable, I can't see that you have another choice other than bitlocker.
Upgrade your last Win7Pro systems to something made in this decade and you're all set.
Now, if you want to loosen the requirements, you could install something like TrueCrypt (yeah, reports of its demise are overblown):
http://www.howtogeek.com/203708/3-alternatives-to-the-now-defunct-truecrypt-...
On Mon, Feb 6, 2017 at 3:12 PM, Ken Dibble krdibble@stny.rr.com wrote:
Hi Folks,
This is probably one of those issues where my requirements seem obvious and common-sensical to me but not to the people who make hardware or software. However, in the interest of developing a complete understanding of my options:
I am looking for recommendations for the simplest possible way to encrypt USB thumb drives. "Simplest possible" means in reference to the end user.
The sole purpose of the thumb drive is to provide offsite backup for important files.
The sole purpose of encrypting the thumb drive is to prevent access by unauthorized people to the contents of the drive if the user loses it.
Here are my requirements:
- Must be usable by a "standard user" account: No administrative access
required.
- Must not require software to be installed on the computer (installed on
the removable drive is okay).
- Access should be available, ideally, simply by right-clicking the drive
in Windows Explorer and entering the password for the drive (like with BitLocker). Less desirable would be for the user to have to manually execute software residing on the drive before being given an interface in which to enter the password. Anything more complicated than that, such as requiring users to copy files to/from the drive, or carry out multiple steps to get to the point where the password can be entered, is not acceptable.
- The drive should work on any Windows computer of recent vintage, no
matter where it was initially set up.
Users cannot permanently turn the encryption off.
Ideally, the entire drive should be encrypted.
I am prepared to accept that my staff will have to set up these drives initially for the users. That's okay as long as, once that work's been done, the drive functions as described above. And, of course, I can only set up computers under my control, which is why I can't use a system that requires software to be installed on every machine where the drive will be used.
Here is what I've looked at:
BitLocker
Problems: only available on Windows 7 Ultimate, or later. Most of our workstations are Windows 7 Ultimate, but some are Pro. Also, there are a couple of points I'm not sure about with BitLocker:
A. When an internal drive is encrypted on a computer, the user can check a box to essentially turn off the encryption (that is, the drive will be automatically decrypted when the computer is booted). I do not want the user to be able to turn off the encryption on a thumb drive such that, if the drive is inserted into another computer it is automatically decrypted. Does BitLocker allow that?
B. I am not sure that a drive encrypted with BitLocker on a Win 7 machine will be accessible on a Win 10 machine, or vice versa. Does anyone have a definitive answer on that point?
LaCie Private - Public
Problems: Does not work for "standard users", period. Also, requires the drive to be formatted NTFS in order to encrypt more than 4 GB of space.
Rohos
Problems: Requires multiple steps for standard users to access; cannot encrypt more than 4 GB under any circumstances.
VeraCrypt
Problems: Requires software to be installed on the machine.
Hardware Encryption
I took a visual look at the Corsair Flash Padlock drive. It's got dinky little flashing lights and tiny little buttons. I can just imagine what will happen when a user has to get into the drive by poking and punching tiny little buttons with their fingernails while the drive is inserted into the typical fragile USB slot. Not a winner... But are there other hardware encryption options that don't suffer from this or other flaws?
Of course, I am also looking for solutions that are free as in beer. But I am willing to pay a reasonable one-time cost. No way would I pay a recurring cost for a license to access a thumb drive.
Any thoughts are welcome.
Thanks!
Ken Dibble www.stic-cil.org
[excessive quoting removed by server]
afaik U3 (which was a pain anyway) doesn't work with Win10 - I had to low-level reformat a couple of usb sticks.
+2 for Truecrypt... Still works Fine and if you are worried about the "reasons" it was abandoned in terms of support then don't worry. Anyone who tries to crack the cryptology must be REALLY desperate to get at your data.
Of course you could always use encrypted zip files.
Dave
-----Original Message----- From: ProFox [mailto:profox-bounces@leafe.com] On Behalf Of AndyHC Sent: 07 February 2017 07:29 To: profox@leafe.com Subject: Re: [NF] Drop-Dead Simple USB Drive Encryption
afaik U3 (which was a pain anyway) doesn't work with Win10 - I had to low-level reformat a couple of usb sticks.
[excessive quoting removed by server]
Just a bit more Bitlocker info:
Bitlocker allows you to set up an automatic decrypt on whatever machine(s) you want but the default value is to ask for the decrypt key. For instance, I have my USB drive set up to automatically decrypt but plugging it into any other machine will ask for an unlock key.
My only gripe with USB drives is that when you have a number of them they don't always set themselves up as a permanent drive letter. For instance I have 3 x USB drives that are rotated on a daily basis and I use Syncback to put mirror images onto the disks. Syncback requires a fixed drive mapping (example z:) but windows in its infinite wisdom gives random drive mappings which have to be changed using disk Manager at which stage the auto decrypt of bitlocker takes over and opens the drive. I have tried man, many pieces of software which state that they will force a drive to be mapped to a specific letter but none of them work 100%.
However this is another gripe taking the thread off topic somewhat.
Dave
-----Original Message----- From: ProFox [mailto:profox-bounces@leafe.com] On Behalf Of Ken Dibble Sent: 06 February 2017 20:13 To: profox@leafe.com Subject: [NF] Drop-Dead Simple USB Drive Encryption
Hi Folks,
This is probably one of those issues where my requirements seem obvious and common-sensical to me but not to the people who make hardware or software. However, in the interest of developing a complete understanding of my options:
I am looking for recommendations for the simplest possible way to encrypt USB thumb drives. "Simplest possible" means in reference to the end user.
The sole purpose of the thumb drive is to provide offsite backup for important files.
The sole purpose of encrypting the thumb drive is to prevent access by unauthorized people to the contents of the drive if the user loses it.
Here are my requirements:
1. Must be usable by a "standard user" account: No administrative access required.
2. Must not require software to be installed on the computer (installed on the removable drive is okay).
3. Access should be available, ideally, simply by right-clicking the drive in Windows Explorer and entering the password for the drive (like with BitLocker). Less desirable would be for the user to have to manually execute software residing on the drive before being given an interface in which to enter the password. Anything more complicated than that, such as requiring users to copy files to/from the drive, or carry out multiple steps to get to the point where the password can be entered, is not acceptable.
3. The drive should work on any Windows computer of recent vintage, no matter where it was initially set up.
4. Users cannot permanently turn the encryption off.
5. Ideally, the entire drive should be encrypted.
I am prepared to accept that my staff will have to set up these drives initially for the users. That's okay as long as, once that work's been done, the drive functions as described above. And, of course, I can only set up computers under my control, which is why I can't use a system that requires software to be installed on every machine where the drive will be used.
Here is what I've looked at:
BitLocker
Problems: only available on Windows 7 Ultimate, or later. Most of our workstations are Windows 7 Ultimate, but some are Pro. Also, there are a couple of points I'm not sure about with BitLocker:
A. When an internal drive is encrypted on a computer, the user can check a box to essentially turn off the encryption (that is, the drive will be automatically decrypted when the computer is booted). I do not want the user to be able to turn off the encryption on a thumb drive such that, if the drive is inserted into another computer it is automatically decrypted. Does BitLocker allow that?
B. I am not sure that a drive encrypted with BitLocker on a Win 7 machine will be accessible on a Win 10 machine, or vice versa. Does anyone have a definitive answer on that point?
LaCie Private - Public
Problems: Does not work for "standard users", period. Also, requires the drive to be formatted NTFS in order to encrypt more than 4 GB of space.
Rohos
Problems: Requires multiple steps for standard users to access; cannot encrypt more than 4 GB under any circumstances.
VeraCrypt
Problems: Requires software to be installed on the machine.
Hardware Encryption
I took a visual look at the Corsair Flash Padlock drive. It's got dinky little flashing lights and tiny little buttons. I can just imagine what will happen when a user has to get into the drive by poking and punching tiny little buttons with their fingernails while the drive is inserted into the typical fragile USB slot. Not a winner... But are there other hardware encryption options that don't suffer from this or other flaws?
Of course, I am also looking for solutions that are free as in beer. But I am willing to pay a reasonable one-time cost. No way would I pay a recurring cost for a license to access a thumb drive.
Any thoughts are welcome.
Thanks!
Ken Dibble www.stic-cil.org
[excessive quoting removed by server]
On Mon, 6 Feb 2017, at 08:12 PM, Ken Dibble wrote:
Hi Folks,
This is probably one of those issues where my requirements seem obvious and common-sensical to me but not to the people who make hardware or software.
I think it's more a case of it seeming like a simple thing to do but if it was actually that simple in practice then there would be plenty of solutions out there already. There are probably plenty of valid hardware and software reasons why.
Search for 'encrypted flash drives' i.e.
http://www.pcworld.com/article/254816/the_best_encrypted_flash_drives.html
On Mon, Feb 6, 2017 at 1:12 PM, Ken Dibble krdibble@stny.rr.com wrote:
The sole purpose of the thumb drive is to provide offsite backup for important files.
[...]
Hardware Encryption
I took a visual look at the Corsair Flash Padlock drive. It's got dinky little flashing lights and tiny little buttons. I can just imagine what will happen when a user has to get into the drive by poking and punching tiny little buttons with their fingernails while the drive is inserted into the typical fragile USB slot. Not a winner... But are there other hardware encryption options that don't suffer from this or other flaws?
The Kingston Data Traveler series drives have hardware crypto, but they're unlocked using a small program stored on separate cleartext partition. They're not cheap however. so after I lost mine I switched to truecrypt/veracrypt.
Given your sole purpose, however, have you totally ruled out automating the backup routine and baking-in file-level crypto?
hth
dt
My first thought is why not buy a thumbdrive with hardware encryption? ($$$, I know)
Portable apps has a version of VeraCrypt, but it says it does require Admin rights to run.
Portable apps also has a version of GPG, which wouldn't need apps.
Finally, what about installing Portable Apps version of 7z on the thumbdrive, using that to compress and encrypt a folder, and then just using the Portable app version of 7z to open the archive?
That way everything is all on the thumb drive, encrypted, and doesn't require elevated privileges.
-
Alan Bourke -
AndyHC -
Dave Crozier -
Dave Thayer -
Ken Dibble -
Ted Roche -
Vince Teachout