password-protecting a file or folder

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or
one can encrypt the files/folders instead.
Any suggestions for third-party software?

7-zip

--
With over 950 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.

Zaidy036

2018-07-19 01:39:44 UTC

7-zip

7_zip is free and easy to use and can be run in a batch.

--
Zaidy036

Jo-Anne

2018-07-19 06:41:32 UTC

7-zip

7_zip is free and easy to use and can be run in a batch.

Thank you. I assume you mean that I can password-protect the zipped files?

--
Jo-Anne

J. P. Gilliver (John)

2018-07-19 10:40:48 UTC

7-zip

7_zip is free and easy to use and can be run in a batch.

Thank you. I assume you mean that I can password-protect the zipped files?

Yes, and that might be a good compromise. I think even the built-in .zip
handler can handle passwords, though I'm not sure about that. How robust
the protection available is is arguable, but as you've conceded nothing
is bulletproof; if all you want is that when thief/hacker tries to
access a file s/he is prompted for a password, this would be a good
first step (perhaps along with not using obvious filenames). Note that
(I think) you can see the _names_ of the files inside a
password-protected .zip file just by looking at it - you only need the
password to actually extract them. Play with it a bit to see if it'd
suit you (and read up on whether the ease of cracking it would suit your
needs).

--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

Try to tell me to watch something because it's brilliant and everyone says so
and therefore I will love it, too, and you lose me for ever.
- Alison Graham, RT 2016/2/6-12

Zaidy036

2018-07-19 14:01:43 UTC

7-zip

7_zip is free and easy to use and can be run in a batch.

Thank you. I assume you mean that I can password-protect the zipped files?

https://www.7-zip.org/
There is an encrypt file names option

--
Zaidy036

Jo-Anne

2018-07-19 19:19:40 UTC

7-zip

7_zip is free and easy to use and can be run in a batch.

Thank you. I assume you mean that I can password-protect the zipped files?

Yes, and that might be a good compromise. I think even the built-in
.zip handler can handle passwords, though I'm not sure about that. How
robust the protection available is is arguable, but as you've conceded
nothing is bulletproof; if all you want is that when thief/hacker
tries to access a file s/he is prompted for a password, this would be
a good first step (perhaps along with not using obvious filenames).
Note that (I think) you can see the _names_ of the files inside a
password-protected .zip file just by looking at it - you only need the
password to actually extract them. Play with it a bit to see if it'd
suit you (and read up on whether the ease of cracking it would suit
your needs).

https://www.7-zip.org/
There is an encrypt file names option

Thank you for the additional info, Zaidy.

--
Jo-Anne

Jo-Anne

2018-07-19 19:18:53 UTC

7-zip

7_zip is free and easy to use and can be run in a batch.

Thank you. I assume you mean that I can password-protect the zipped files?

Thank you, John. One other question: Someone pointed out that password
protection of folders and files won't work if the disk is moved to
another operating system. As far as I can tell, 7-zip is primarily for
Windows, with something also for Linux. If the program won't run on
other OS's, would the password protection remain?

--
Jo-Anne

J. P. Gilliver (John)

2018-07-19 23:52:19 UTC

In message <piqo6v$5u3$***@dont-email.me>, Jo-Anne <Jo-***@nowhere.com>
writes:
[]

Post by Jo-Anne
Thank you, John. One other question: Someone pointed out that password
protection of folders and files won't work if the disk is moved to
another operating system. As far as I can tell, 7-zip is primarily for
Windows, with something also for Linux. If the program won't run on
other OS's, would the password protection remain?

If you use a scheme which controls _access_ to files/folders with a
password, but doesn't actually encrypt the files themselves (the data in
them), then indeed it won't be protected if the disc is read on a system
that allows access to them another way.

The zip file format itself is understood by various OSs - IIRR it
predates Windows. And the encryption available _does_ encrypt the actual
data, not just controls access to it - though to varying difficulties,
depending what you use to create them; see VanguardLH's post. I don't
know if 7-zip is Windows only, but if it is, there will certainly be
utilities capable of zipping and unzipping zip files on other systems -
but of course only if you know the password. If I read VLH's post
correctly, not all of such utilities offer the most robust encryption.
(So presumably if you use one that uses the best encryption to create
the zip file, and then try to recover the data using one of the weaker
utilities - whether on the same OS or a different one - you won't
succeed.)

--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

Less rules means fewer grammar? - Marjorie in UMRA, 2014-1-28 13:14

Jo-Anne

2018-07-20 01:41:45 UTC

Post by J. P. Gilliver (John)
[]

If you use a scheme which controls _access_ to files/folders with a
password, but doesn't actually encrypt the files themselves (the data in
them), then indeed it won't be protected if the disc is read on a system
that allows access to them another way.
The zip file format itself is understood by various OSs - IIRR it
predates Windows. And the encryption available _does_ encrypt the actual
data, not just controls access to it - though to varying difficulties,
depending what you use to create them; see VanguardLH's post. I don't
know if 7-zip is Windows only, but if it is, there will certainly be
utilities capable of zipping and unzipping zip files on other systems -
but of course only if you know the password. If I read VLH's post
correctly, not all of such utilities offer the most robust encryption.
(So presumably if you use one that uses the best encryption to create
the zip file, and then try to recover the data using one of the weaker
utilities - whether on the same OS or a different one - you won't succeed.)

Thank you again, John.

--
Jo-Anne

David E. Ross

2018-07-18 21:27:01 UTC

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

I use PGP 10.1.2. There are later versions. However, I think this is
the last version for which the source was made available to the public
for inspection to make sure there were no backdoors.

J. P. Gilliver (John)

2018-07-18 22:31:29 UTC

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

I use PGP 10.1.2. There are later versions. However, I think this is
the last version for which the source was made available to the public
for inspection to make sure there were no backdoors.

What, in your mind (Jo-Anne I mean), is the difference between
password-protection and encryption? If you mean by password-protection
that the raw files reside on the disc but access to them is controlled
somehow, then I'd ask what you are thinking about using such a facility
(if it exists) for; if the raw files are on the disc, then someone might
be able to bypass the access controls, unless they're part of the drive
itself rather than the operating system (e. g. by reading the drive in
another computer).

--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

"I hate the guys that criticize the enterprise of other guys whose enterprise
has made them rise above the guys who criticize!" (W9BRD, former editor of
"How's DX?" column in "QST")

Jo-Anne

2018-07-18 22:48:45 UTC

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

I use PGP 10.1.2. There are later versions. However, I think this is
the last version for which the source was made available to the public
for inspection to make sure there were no backdoors.

I guess what I'm thinking is that I'd like to make it somewhat difficult
for someone who steals my computer or gains access to it through malware
to read the data in certain folders and/or files. From what I've been
told, nothing is guaranteed to protect data--but thought that maybe just
adding a layer would help. I suppose a better approach might be to
remove the folders/files from the computer and keep them only on a
safely stored flash drive, but then my access would be difficult too.

--
Jo-Anne

J. P. Gilliver (John)

2018-07-18 23:15:57 UTC

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

I use PGP 10.1.2. There are later versions. However, I think this is
the last version for which the source was made available to the public
for inspection to make sure there were no backdoors.

I guess what I'm thinking is that I'd like to make it somewhat
difficult for someone who steals my computer or gains access to it
through malware to read the data in certain folders and/or files. From
what I've been told, nothing is guaranteed to protect data--but thought
that maybe just adding a layer would help. I suppose a better approach
might be to remove the folders/files from the computer and keep them
only on a safely stored flash drive, but then my access would be
difficult too.

In which case I think you want encryption, not just access control. For
practical purposes, I don't think there'd be much difference from the
user's (your) point of view, at least for small to medium files; if you
want to encrypt large files like video it might take longer, but I can't
imagine you wanting to.

You'd also need to change your way of working slightly to make sure the
unencrypted versions of the files (they have to be unencrypted for you
to actually use them!) spend as little time on the computer as possible,
and are overwritten with something; they're to be found in page files,
hibernate files, and various buffers.

This isn't my field - this is just what I've picked up over the years.
I've never actually implemented anything.

Depending how far you want to go, there are things that will conceal
even the _existence_ of the files you want to hide. (And these can be
nested too!) If going along those routes, (a) you still have to take
care of the buffers etc. I mention above, (b) if the potential thief or
hacker finds you've got the software to do this hiding (or unhiding so
you can actually get at the files!) on your machine, they'll know to go
looking.

The external flash drive (kept _away_ from your computer!) is probably
easier! (Though the buffer matter still needs attention.)

--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

The motto of the Royal Society is: 'Take nobody's word for it'. Scepticism has
value. - Brian Cox, RT 2015/3/14-20

Jo-Anne

2018-07-18 23:19:13 UTC

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

I use PGP 10.1.2. There are later versions. However, I think this is
the last version for which the source was made available to the public
for inspection to make sure there were no backdoors.

I guess what I'm thinking is that I'd like to make it somewhat
difficult for someone who steals my computer or gains access to it
through malware to read the data in certain folders and/or files. From
what I've been told, nothing is guaranteed to protect data--but
thought that maybe just adding a layer would help. I suppose a better
approach might be to remove the folders/files from the computer and
keep them only on a safely stored flash drive, but then my access
would be difficult too.

In which case I think you want encryption, not just access control. For
practical purposes, I don't think there'd be much difference from the
user's (your) point of view, at least for small to medium files; if you
want to encrypt large files like video it might take longer, but I can't
imagine you wanting to.
You'd also need to change your way of working slightly to make sure the
unencrypted versions of the files (they have to be unencrypted for you
to actually use them!) spend as little time on the computer as possible,
and are overwritten with something; they're to be found in page files,
hibernate files, and various buffers.
This isn't my field - this is just what I've picked up over the years.
I've never actually implemented anything.
Depending how far you want to go, there are things that will conceal
even the _existence_ of the files you want to hide. (And these can be
nested too!) If going along those routes, (a) you still have to take
care of the buffers etc. I mention above, (b) if the potential thief or
hacker finds you've got the software to do this hiding (or unhiding so
you can actually get at the files!) on your machine, they'll know to go
looking.
The external flash drive (kept _away_ from your computer!) is probably
easier! (Though the buffer matter still needs attention.)

Thank you, John. I'll have to think about this. (It may not be worth
trying.)

--
Jo-Anne

David E. Ross

2018-07-19 19:28:20 UTC

On 7/18/2018 4:15 PM, J. P. Gilliver (John) wrote [in part]:

[snipped]

Post by J. P. Gilliver (John)
You'd also need to change your way of working slightly to make sure the
unencrypted versions of the files (they have to be unencrypted for you
to actually use them!) spend as little time on the computer as possible,
and are overwritten with something; they're to be found in page files,
hibernate files, and various buffers.

[also snipped]

I use Eraser from <http://eraser.heidi.ie/>, which overwrites files to
be erased. There are canned erasing methods within the application that
the user can select. Some overwrite multiple times. The user can also
create additional methods.
--
David E. Ross
<http://www.rossde.com/>

Attorney-General Sessions claims the bible favors imprisoning illegal
aliens. However, God repeatedly commanded us to welcome the stranger in
our land. For example, see the following:
Exodus 22:20 at
<http://bible.ort.org/books/pentd2.asp?ACTION=displaypage&BOOK=2&CHAPTER=22#P2131>
Exodus 23:9 at
<http://bible.ort.org/books/pentd2.asp?ACTION=displaypage&BOOK=2&CHAPTER=23#P2151>
Deuteronomy 10:19 at
<http://bible.ort.org/books/pentd2.asp?ACTION=displaypage&BOOK=5&CHAPTER=10#P5200>

J. P. Gilliver (John)

2018-07-20 00:03:10 UTC

Post by David E. Ross
[snipped]

You're not quite getting the point I'm making. Jo-Anne is looking into
the possibility of encrypting files, so she can still use them but it's
harder for a thief or hacker to. Utilities like the one you mention make
files irretrievable for anyone - provided you know where they are in the
first place. The point I was making was that when you actually _use_ a
file (edit a document or, copies of the (unencrypted) data will exist in
various buffers (some of which will be written to disc, such as in page
sleep or hibernate files). If you're sufficiently paranoid, you need to
make sure those are erased too - for which you'll first have to know
where they are - as well as the "official" copies of the files
encrypted. I think there are ways of working that minimise such
buffering (usually at the expense of at least _some_ performance) -
things like turning off hibernation/sleep altogether, setting page file
size of zero - not my field.

--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

Anything you add for security will slow the computer but it shouldn't be
significant or prolonged. Security software is to protect the computer, not
the primary use of the computer.
- VanguardLH in alt.windows7.general, 2018-1-28

Jo-Anne

2018-07-18 22:33:28 UTC

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

I use PGP 10.1.2. There are later versions. However, I think this is
the last version for which the source was made available to the public
for inspection to make sure there were no backdoors.

Thank you, David. I'll take a look at it.

--
Jo-Anne

VanguardLH

2018-07-19 00:00:57 UTC

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

W7 (Windows 7) does not state which *edition* you have of that OS. The
Professional and Enterprise editions come with EFS (Encrypting File
System). If you use it, make damn sure to setup a recovery agent.

https://en.wikipedia.org/wiki/Encrypting_File_System
(Requires NTFS file system. You didn't say what you use.)

https://msdn.microsoft.com/en-us/library/cc875821.aspx

EFS is something you need to self-educate yourself before committing to
using it. So enjoy reading several articles about it, like:

https://www.nextofwindows.com/things-you-need-to-know-about-using-efs-to-secure-and-protect-your-data-in-windows-7
and
https://www.google.com/search?q=windows+7+efs

As I recall, EFS was tied to your Windows logon - so you'll need one
(instead of blank credentials). That means no sharing of EFS-protected
folders with other Windows accounts under the same or different
instances of Windows. You can't dole out a shared password. With 3rd
party tools that utilize a password, anyone with it can get inside.

I've been twice burned by EFS. I went to TrueCrypt to secrete files
within a mountable container (becomes a drive letter when mounted). You
need to use version 7.1a since the latest version was deliberately
crippled for read-only mode when the authors scurried away (there is
speculation by their behavior that they got a National Security Letter
which legally bars them from revealing getting one, refused to add a
backdoor for the NSA or FBI, and left the last version crippled as a
warrant canary). There are variations of TrueCrypt since it used open
source code, like VeraCrypt.

Any superficial software that bans access to the file or folders using
permissions, ACLs, stacked file drivers, etc will not work when the OS
is not loaded along with that software/drivers. Booting using a
different OS, like from a CD or USB drive, or toting the drive to
another computer running a different instance of Windows will permit
access to all those files and folders. Permissions are enforced per
Windows instance, not across all of them. Using any other OS, whether
it be Windows or Linux, will let you get at the files. While the
container is mounted, you can immediate access to everything inside.
You need to unmount the container (drive) to re-protect its contents.
Logging out or shutting down Windows will also unmount the container.

There are some folder protect tools but they run as stacked file
drivers. That's why I mention they are easily avoided by using a
different OS to read the disk. In another instance of Windows or by
using Linux, the drivers and permissions won't be enforced. Only if
that 3rd party folder protect tool encrypts the folder would its
contents remain safe when using a different booted OS to access the
drive. No 3rd party software needed if you have the Pro or Enterprise
edition of Windows 7 where you can use EFS.

While TrueCrypt can also be used to encrypt an entire volume, like the
partition on the hard disk, even for the OS, I wouldn't suggest it.
Development on TrueCrypt ended before UEFI became ubiquitous in new PC
builds. Use TrueCrypt's whole-disk encryption only in MBR setups.
VeraCrypt is supposed to have been updated to support UEFI. However,
like Bitlocker, if you forget your login credentials, the entire volume
(partition) becomes unusable. You won't even be able to boot the OS
because it is within the encrypted volume. Some users are very paranoid
and use whole-disk encryption. You don't need to secrete the OS or app
code since it isn't your property anyway and anyone can get that code by
simply getting the same OS or app. You really only need to protect your
own data files (unless you're into programming and working on a new
project on your computer and want to make sure espionage can't be used
to get at your gem of new code).

Back in TrueCrypt's hey day, there were some alternative but not all
were free, like TrueCrypt (or provided source code for inspection and
instead were closed and proprietary). There have been 2 audits of
TrueCrypt's code: no backdoors were found and the defects were piddly.
BestCrypt had a free version but closed called Traveller. It was far
more basic than TrueCrypt but then not all users want all the features
of TrueCrypt.

Jo-Anne

2018-07-19 00:57:14 UTC

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

W7 (Windows 7) does not state which *edition* you have of that OS. The
Professional and Enterprise editions come with EFS (Encrypting File
System). If you use it, make damn sure to setup a recovery agent.
https://en.wikipedia.org/wiki/Encrypting_File_System
(Requires NTFS file system. You didn't say what you use.)
https://msdn.microsoft.com/en-us/library/cc875821.aspx
EFS is something you need to self-educate yourself before committing to
https://www.nextofwindows.com/things-you-need-to-know-about-using-efs-to-secure-and-protect-your-data-in-windows-7
and
https://www.google.com/search?q=windows+7+efs
As I recall, EFS was tied to your Windows logon - so you'll need one
(instead of blank credentials). That means no sharing of EFS-protected
folders with other Windows accounts under the same or different
instances of Windows. You can't dole out a shared password. With 3rd
party tools that utilize a password, anyone with it can get inside.
I've been twice burned by EFS. I went to TrueCrypt to secrete files
within a mountable container (becomes a drive letter when mounted). You
need to use version 7.1a since the latest version was deliberately
crippled for read-only mode when the authors scurried away (there is
speculation by their behavior that they got a National Security Letter
which legally bars them from revealing getting one, refused to add a
backdoor for the NSA or FBI, and left the last version crippled as a
warrant canary). There are variations of TrueCrypt since it used open
source code, like VeraCrypt.
Any superficial software that bans access to the file or folders using
permissions, ACLs, stacked file drivers, etc will not work when the OS
is not loaded along with that software/drivers. Booting using a
different OS, like from a CD or USB drive, or toting the drive to
another computer running a different instance of Windows will permit
access to all those files and folders. Permissions are enforced per
Windows instance, not across all of them. Using any other OS, whether
it be Windows or Linux, will let you get at the files. While the
container is mounted, you can immediate access to everything inside.
You need to unmount the container (drive) to re-protect its contents.
Logging out or shutting down Windows will also unmount the container.
There are some folder protect tools but they run as stacked file
drivers. That's why I mention they are easily avoided by using a
different OS to read the disk. In another instance of Windows or by
using Linux, the drivers and permissions won't be enforced. Only if
that 3rd party folder protect tool encrypts the folder would its
contents remain safe when using a different booted OS to access the
drive. No 3rd party software needed if you have the Pro or Enterprise
edition of Windows 7 where you can use EFS.
While TrueCrypt can also be used to encrypt an entire volume, like the
partition on the hard disk, even for the OS, I wouldn't suggest it.
Development on TrueCrypt ended before UEFI became ubiquitous in new PC
builds. Use TrueCrypt's whole-disk encryption only in MBR setups.
VeraCrypt is supposed to have been updated to support UEFI. However,
like Bitlocker, if you forget your login credentials, the entire volume
(partition) becomes unusable. You won't even be able to boot the OS
because it is within the encrypted volume. Some users are very paranoid
and use whole-disk encryption. You don't need to secrete the OS or app
code since it isn't your property anyway and anyone can get that code by
simply getting the same OS or app. You really only need to protect your
own data files (unless you're into programming and working on a new
project on your computer and want to make sure espionage can't be used
to get at your gem of new code).
Back in TrueCrypt's hey day, there were some alternative but not all
were free, like TrueCrypt (or provided source code for inspection and
instead were closed and proprietary). There have been 2 audits of
TrueCrypt's code: no backdoors were found and the defects were piddly.
BestCrypt had a free version but closed called Traveller. It was far
more basic than TrueCrypt but then not all users want all the features
of TrueCrypt.

It's Windows 7 Professional 64-bit NTFS. All this sounds, however, like
more than I want to get involved in. Maybe I should forget the whole
thing...

--
Jo-Anne

VanguardLH

2018-07-19 01:58:29 UTC

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

W7 (Windows 7) does not state which *edition* you have of that OS. The
Professional and Enterprise editions come with EFS (Encrypting File
System). If you use it, make damn sure to setup a recovery agent.
https://en.wikipedia.org/wiki/Encrypting_File_System
(Requires NTFS file system. You didn't say what you use.)
https://msdn.microsoft.com/en-us/library/cc875821.aspx
EFS is something you need to self-educate yourself before committing to
https://www.nextofwindows.com/things-you-need-to-know-about-using-efs-to-secure-and-protect-your-data-in-windows-7
and
https://www.google.com/search?q=windows+7+efs
As I recall, EFS was tied to your Windows logon - so you'll need one
(instead of blank credentials). That means no sharing of EFS-protected
folders with other Windows accounts under the same or different
instances of Windows. You can't dole out a shared password. With 3rd
party tools that utilize a password, anyone with it can get inside.
I've been twice burned by EFS. I went to TrueCrypt to secrete files
within a mountable container (becomes a drive letter when mounted). You
need to use version 7.1a since the latest version was deliberately
crippled for read-only mode when the authors scurried away (there is
speculation by their behavior that they got a National Security Letter
which legally bars them from revealing getting one, refused to add a
backdoor for the NSA or FBI, and left the last version crippled as a
warrant canary). There are variations of TrueCrypt since it used open
source code, like VeraCrypt.
Any superficial software that bans access to the file or folders using
permissions, ACLs, stacked file drivers, etc will not work when the OS
is not loaded along with that software/drivers. Booting using a
different OS, like from a CD or USB drive, or toting the drive to
another computer running a different instance of Windows will permit
access to all those files and folders. Permissions are enforced per
Windows instance, not across all of them. Using any other OS, whether
it be Windows or Linux, will let you get at the files. While the
container is mounted, you can immediate access to everything inside.
You need to unmount the container (drive) to re-protect its contents.
Logging out or shutting down Windows will also unmount the container.
There are some folder protect tools but they run as stacked file
drivers. That's why I mention they are easily avoided by using a
different OS to read the disk. In another instance of Windows or by
using Linux, the drivers and permissions won't be enforced. Only if
that 3rd party folder protect tool encrypts the folder would its
contents remain safe when using a different booted OS to access the
drive. No 3rd party software needed if you have the Pro or Enterprise
edition of Windows 7 where you can use EFS.
While TrueCrypt can also be used to encrypt an entire volume, like the
partition on the hard disk, even for the OS, I wouldn't suggest it.
Development on TrueCrypt ended before UEFI became ubiquitous in new PC
builds. Use TrueCrypt's whole-disk encryption only in MBR setups.
VeraCrypt is supposed to have been updated to support UEFI. However,
like Bitlocker, if you forget your login credentials, the entire volume
(partition) becomes unusable. You won't even be able to boot the OS
because it is within the encrypted volume. Some users are very paranoid
and use whole-disk encryption. You don't need to secrete the OS or app
code since it isn't your property anyway and anyone can get that code by
simply getting the same OS or app. You really only need to protect your
own data files (unless you're into programming and working on a new
project on your computer and want to make sure espionage can't be used
to get at your gem of new code).
Back in TrueCrypt's hey day, there were some alternative but not all
were free, like TrueCrypt (or provided source code for inspection and
instead were closed and proprietary). There have been 2 audits of
TrueCrypt's code: no backdoors were found and the defects were piddly.
BestCrypt had a free version but closed called Traveller. It was far
more basic than TrueCrypt but then not all users want all the features
of TrueCrypt.

It's Windows 7 Professional 64-bit NTFS. All this sounds, however, like
more than I want to get involved in. Maybe I should forget the whole
thing...

Learning a word processor takes effort, too, as does just about any
software you install.

John B. Smith

2018-07-19 11:30:52 UTC

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

W7 (Windows 7) does not state which *edition* you have of that OS. The
Professional and Enterprise editions come with EFS (Encrypting File
System). If you use it, make damn sure to setup a recovery agent.
https://en.wikipedia.org/wiki/Encrypting_File_System
(Requires NTFS file system. You didn't say what you use.)
https://msdn.microsoft.com/en-us/library/cc875821.aspx
EFS is something you need to self-educate yourself before committing to
https://www.nextofwindows.com/things-you-need-to-know-about-using-efs-to-secure-and-protect-your-data-in-windows-7
and
https://www.google.com/search?q=windows+7+efs
As I recall, EFS was tied to your Windows logon - so you'll need one
(instead of blank credentials). That means no sharing of EFS-protected
folders with other Windows accounts under the same or different
instances of Windows. You can't dole out a shared password. With 3rd
party tools that utilize a password, anyone with it can get inside.
I've been twice burned by EFS. I went to TrueCrypt to secrete files
within a mountable container (becomes a drive letter when mounted). You
need to use version 7.1a since the latest version was deliberately
crippled for read-only mode when the authors scurried away (there is
speculation by their behavior that they got a National Security Letter
which legally bars them from revealing getting one, refused to add a
backdoor for the NSA or FBI, and left the last version crippled as a
warrant canary). There are variations of TrueCrypt since it used open
source code, like VeraCrypt.
Any superficial software that bans access to the file or folders using
permissions, ACLs, stacked file drivers, etc will not work when the OS
is not loaded along with that software/drivers. Booting using a
different OS, like from a CD or USB drive, or toting the drive to
another computer running a different instance of Windows will permit
access to all those files and folders. Permissions are enforced per
Windows instance, not across all of them. Using any other OS, whether
it be Windows or Linux, will let you get at the files. While the
container is mounted, you can immediate access to everything inside.
You need to unmount the container (drive) to re-protect its contents.
Logging out or shutting down Windows will also unmount the container.
There are some folder protect tools but they run as stacked file
drivers. That's why I mention they are easily avoided by using a
different OS to read the disk. In another instance of Windows or by
using Linux, the drivers and permissions won't be enforced. Only if
that 3rd party folder protect tool encrypts the folder would its
contents remain safe when using a different booted OS to access the
drive. No 3rd party software needed if you have the Pro or Enterprise
edition of Windows 7 where you can use EFS.
While TrueCrypt can also be used to encrypt an entire volume, like the
partition on the hard disk, even for the OS, I wouldn't suggest it.
Development on TrueCrypt ended before UEFI became ubiquitous in new PC
builds. Use TrueCrypt's whole-disk encryption only in MBR setups.
VeraCrypt is supposed to have been updated to support UEFI. However,
like Bitlocker, if you forget your login credentials, the entire volume
(partition) becomes unusable. You won't even be able to boot the OS
because it is within the encrypted volume. Some users are very paranoid
and use whole-disk encryption. You don't need to secrete the OS or app
code since it isn't your property anyway and anyone can get that code by
simply getting the same OS or app. You really only need to protect your
own data files (unless you're into programming and working on a new
project on your computer and want to make sure espionage can't be used
to get at your gem of new code).
Back in TrueCrypt's hey day, there were some alternative but not all
were free, like TrueCrypt (or provided source code for inspection and
instead were closed and proprietary). There have been 2 audits of
TrueCrypt's code: no backdoors were found and the defects were piddly.
BestCrypt had a free version but closed called Traveller. It was far
more basic than TrueCrypt but then not all users want all the features
of TrueCrypt.

It's Windows 7 Professional 64-bit NTFS. All this sounds, however, like
more than I want to get involved in. Maybe I should forget the whole
thing...

Learning a word processor takes effort, too, as does just about any
software you install.

I've used BestCript for many years. They advertise 'no back doors',
but who knows if this is true. It's pricey at $100 now. I was shocked
when I put Win7 on that my copy no longer works. You have to 'renew'
it every so often or it ages out. I wasn't aware. Since I've used
image backup for years I've managed to keep a working copy. It's a
fairly easy learning curve. It creates 'containers' that are encrypted
throughout and open as drives. A password lets you in.

Jo-Anne

2018-07-19 19:13:43 UTC

Post by John B. Smith

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

W7 (Windows 7) does not state which *edition* you have of that OS. The
Professional and Enterprise editions come with EFS (Encrypting File
System). If you use it, make damn sure to setup a recovery agent.
https://en.wikipedia.org/wiki/Encrypting_File_System
(Requires NTFS file system. You didn't say what you use.)
https://msdn.microsoft.com/en-us/library/cc875821.aspx
EFS is something you need to self-educate yourself before committing to
https://www.nextofwindows.com/things-you-need-to-know-about-using-efs-to-secure-and-protect-your-data-in-windows-7
and
https://www.google.com/search?q=windows+7+efs
As I recall, EFS was tied to your Windows logon - so you'll need one
(instead of blank credentials). That means no sharing of EFS-protected
folders with other Windows accounts under the same or different
instances of Windows. You can't dole out a shared password. With 3rd
party tools that utilize a password, anyone with it can get inside.
I've been twice burned by EFS. I went to TrueCrypt to secrete files
within a mountable container (becomes a drive letter when mounted). You
need to use version 7.1a since the latest version was deliberately
crippled for read-only mode when the authors scurried away (there is
speculation by their behavior that they got a National Security Letter
which legally bars them from revealing getting one, refused to add a
backdoor for the NSA or FBI, and left the last version crippled as a
warrant canary). There are variations of TrueCrypt since it used open
source code, like VeraCrypt.
Any superficial software that bans access to the file or folders using
permissions, ACLs, stacked file drivers, etc will not work when the OS
is not loaded along with that software/drivers. Booting using a
different OS, like from a CD or USB drive, or toting the drive to
another computer running a different instance of Windows will permit
access to all those files and folders. Permissions are enforced per
Windows instance, not across all of them. Using any other OS, whether
it be Windows or Linux, will let you get at the files. While the
container is mounted, you can immediate access to everything inside.
You need to unmount the container (drive) to re-protect its contents.
Logging out or shutting down Windows will also unmount the container.
There are some folder protect tools but they run as stacked file
drivers. That's why I mention they are easily avoided by using a
different OS to read the disk. In another instance of Windows or by
using Linux, the drivers and permissions won't be enforced. Only if
that 3rd party folder protect tool encrypts the folder would its
contents remain safe when using a different booted OS to access the
drive. No 3rd party software needed if you have the Pro or Enterprise
edition of Windows 7 where you can use EFS.
While TrueCrypt can also be used to encrypt an entire volume, like the
partition on the hard disk, even for the OS, I wouldn't suggest it.
Development on TrueCrypt ended before UEFI became ubiquitous in new PC
builds. Use TrueCrypt's whole-disk encryption only in MBR setups.
VeraCrypt is supposed to have been updated to support UEFI. However,
like Bitlocker, if you forget your login credentials, the entire volume
(partition) becomes unusable. You won't even be able to boot the OS
because it is within the encrypted volume. Some users are very paranoid
and use whole-disk encryption. You don't need to secrete the OS or app
code since it isn't your property anyway and anyone can get that code by
simply getting the same OS or app. You really only need to protect your
own data files (unless you're into programming and working on a new
project on your computer and want to make sure espionage can't be used
to get at your gem of new code).
Back in TrueCrypt's hey day, there were some alternative but not all
were free, like TrueCrypt (or provided source code for inspection and
instead were closed and proprietary). There have been 2 audits of
TrueCrypt's code: no backdoors were found and the defects were piddly.
BestCrypt had a free version but closed called Traveller. It was far
more basic than TrueCrypt but then not all users want all the features
of TrueCrypt.

It's Windows 7 Professional 64-bit NTFS. All this sounds, however, like
more than I want to get involved in. Maybe I should forget the whole
thing...

Learning a word processor takes effort, too, as does just about any
software you install.

Sounds interesting, John. I'll check it out. Thank you.

--
Jo-Anne

VanguardLH

2018-07-19 20:49:02 UTC

Post by John B. Smith
I've used BestCript for many years. They advertise 'no back doors',
but who knows if this is true. It's pricey at $100 now. I was shocked
when I put Win7 on that my copy no longer works. You have to 'renew'
it every so often or it ages out. I wasn't aware. Since I've used
image backup for years I've managed to keep a working copy. It's a
fairly easy learning curve. It creates 'containers' that are encrypted
throughout and open as drives. A password lets you in.

BestCript? Or BestCrypt? I've only heard about the latter.

It's has been many years since I went looking for an alternative to
TrueCrypt, and back then BestCrypt Traveller was free. They still list
it on their "Free Security Tools" page at:

https://www.jetico.com/free-security-tools

Clicking on Traveller takes you to:

https://www.jetico.com/free-security-tools/access-encrypted-files-bestcrypt-traveller

It doesn't have all the features of their full-blown payware version but
then some folks actually prefer a simpler tool. For example, Traveller
won't do volume (drive) encryption; however, that can be dangerous to
folks that don't understand how it works. I stuck with TrueCrypt.

John B. Smith

2018-07-20 13:30:33 UTC

BestCript? Or BestCrypt? I've only heard about the latter.
It's has been many years since I went looking for an alternative to
TrueCrypt, and back then BestCrypt Traveller was free. They still list
https://www.jetico.com/free-security-tools
https://www.jetico.com/free-security-tools/access-encrypted-files-bestcrypt-traveller
It doesn't have all the features of their full-blown payware version but
then some folks actually prefer a simpler tool. For example, Traveller
won't do volume (drive) encryption; however, that can be dangerous to
folks that don't understand how it works. I stuck with TrueCrypt.

Sorry mis-spelling it is BestCrypt. My excuse is I took a header on
my bike and am existing on pills.

As another poster said, if any govt agency wants your password all
they have to do is threaten huge fines etc till you cave.

VanguardLH

2018-07-20 17:36:39 UTC

Post by John B. Smith
As another poster said, if any govt agency wants your password all
they have to do is threaten huge fines etc till you cave.

And why having a special container with TrueCrypt (I'm assuming
VeraCrypt has it, too) lets you divulge a password under duress that
lets them into one part of the container that has inocuous files within
without giving them the password to the real goodies in the other part
of the container. You have an exposed volume with one password that you
can secrete non-damaging files, even those you still want to secrete
from casual users and a different password to access a hidden volume
within the container where are the damaging or highly sensitive files
that you want to secrete from everyone else.

https://www.howtogeek.com/109210/the-htg-guide-to-hiding-your-data-in-a-truecrypt-hidden-volume/

The law (here in the US) cannot legally force you to self-incriminate.
They can attempt to lure by saying they will drop or lessen the charges
but that doesn't force you to divulge the password. They're even
allowed to lie during interrogation. Tell them you want to talk to your
lawyer before you divulge anything to them. Shutup until you speak with
your lawyer. That's the only response you give them. Yeah, you might
end up charged and go to jail and court but they'll have no evidence.

I couldn't find a video on it but remember watching a TV show about
stupid crooks. In one episode, they had captured a purse snatcher and
drove back to the scene of the crime where the victim was still waiting.
The idea was to have the victim identify the thief. The police car
parked on the other side of the street from the victim and had the
accused stand alongside the police car while cuffed. Before the victim
could say anything, the accused said, "Yes, officer. That's the woman
that I stole the purse." The cop holding the cuffed accused turned
around laughing loudly barely maintaining a grip on the accused. The
second officer bent over and laid atop the hood while roaring with
laughter. The accused has no idea how identification worked.

Tell them you forgot the password because you have not accessed that
container for way too long to remember. The datestamp on the container
file does not change when you make changes to the files inside (create,
write, delete, rename, move) because all those changes are recorded
within the file system that gets mounted when you access the container.
The external file system with the container file sees no changes to the
size or datestamp of that file. If you created a container, say, 2
years ago then that is the datestamp it still has even if you just
created a new file within the container's file system. If you create a
fixed-sized container then its size never changes, too, no matter how
may files you create or delete within that container. To outsiders, it
looks like you haven't touched the container for 2 years, so it is
plausible you forgot the password.

dave61430

2018-07-19 13:17:28 UTC

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

Yes, I started off using TrueCrypt then VeraCrypt. Both were good and
cross platform, but VeraCrypt for some reason started opening the
encrypted container as read only and googling this it turned out others
were having the same problem. Both of these use an encrypted container,
which is essentially a single file the the program opens as a directory
when you enter the password. For single files, I use AESCrypt for Linux/
Windows compatibility. For windows only, AXCrypt is better since it
removes the target file once encrypted, whereas AEScrypt leaves both the
encrypted and original file in place. Obviously you then have to delete
the original file yourself.
I am now using SiriKali which again runs in both Linux and Windows. It's
quite good and again creates a container file. A nice feature is the size
of the file (container) grows as needed (but never shrinks). It's simpler
to use than the alternatives I mentioned.
There are others, particularly for windows. For archiving, I use a
regular zip file and encrypt it with AESCrypt.
As far as security, any of the above are very secure as long as you use a
decent password.

Jo-Anne

2018-07-19 19:21:43 UTC

Post by dave61430

Post by Jo-Anne
I've Googled password-protecting files and folders; and according to
what I've read, one needs third-party software to do this in W7; or one
can encrypt the files/folders instead.
Any suggestions for third-party software?

Thank you, Dave. I like the idea of zipping the files and either
password-protecting or encrypting the zipped files.

--
Jo-Anne

VanguardLH

2018-07-19 21:30:13 UTC

Post by Jo-Anne
I like the idea of zipping the files and either
password-protecting or encrypting the zipped files.

Password protection of .zip files is easily hacked. That is why I did
not mention using passworded compressed archive files (.zip, .7z, etc).
If the zip tool offers legacy Zip and AES encryption, choose AES.
WinZip (payware) offers AES (128 and 256 bit) encryption. Other zip
tools usually only offer the weak legacy Zip encryption. There are many
password recovery tools that will hack the weak legacy Zip password.

Many users like 7-zip (freeware). I use Peazip (also freeware) because
it supports most of the compression algorithms along with 7-zip's own
(Peazip got the library from 7-zip); however, Peazip has a more modern
UI than for 7-zip whose UI harkens back to the Windows 3.x era.
However, neither one supports AES encryption, just the weak encryption.

http://www.peazip.org/encrypt-files.html

While a hacker might try decrypting the AES-based content, they would
have to also have to separately try Serpent or TwoFish which would
dramatically add to the time to decrypt successfully. 7-Zip just has
AES encryption. Peazip has AES, TwoFish, and Serpent; however, since I
haven't used encryption with Peazip, I don't know how to select which
encryption algorithm to use (and didn't see an option when creating a
new archive). Couple be, per the above article, a combined AES +
Serpent + TwoFish encryption requires using the .pea archive format.

When putting files into a compressed archive with a password, remember
that the original file sticks around. You would have to delete it.
Whether you or the archiver deletes the file, the file's contents still
occupies the file system's clusters until those clusters are reallocated
to another file AND until those clusters get overwritten by some other
program writing to that file. Peazip comes with a secure file eraser
(which can optionally be added to the Windows Explorer context menu).
There are lots of file recovery tools. If you don't want to leave
behind any trace of a file's content that you put into a passworded
archive file then you need to securely erase the original file, not just
delete it. I have Peazip configured to do 2 passes to securely erase
the clusters occupied by a file. That is more than sufficient with
drive manufactured for over two decades. Only on ancient RLL-encoded
hard drives might the 35-pass Gutmann method.

Note when using encryption within a .zip file that normally just the
*contents* of the files stored within the archive file are encrypted.
The filenames listed as records within the archive will still have the
original names. If you need to ensure that no one can deduce what might
be within a file, use an archiver that also encrypts the filenames.
Peazip has that option. I'd have to research to find out if 7-zip does.

Peazip also offers a two-factor algorithm: not only do you need to know
the password but must also supply a keyfile. You generate a keyfile for
the .zip archive and store it somewhere, like on a USB flash drive to
which only you have physical access (because you don't want someone else
copying the keyfile off the USB drive). I've never bothered with
2-factor authentication but then I don't bother using encryption in
archivers since I use TrueCrypt (or you could use BestCrypt Traveller or
VeraCrypt or other alternatives).

I haven't used Traveller or VeraCrypt. In TrueCrypt, you can even
compound the encryption algorithms. You could just use AES, or you
could use AES + TwoFish or AES + TwoFish + Serpent. The added layers
make decryption much more difficult; however, the extra encryptions also
make decryption slower, so the access to the mounted container will be
slower (not a problem with doc files but perhaps with videos). In
addition, you can create an encrypted container (file) that has 2
passwords: one which allows access to one part of the container and
another that allows access to a more secret part of the container. If
someone forces you to reveal your password, like pointing a gun at your
kids or wife or you or to satisfy FBI investigators applying legal
action, you could give them the first password. That lets them into the
first part of the container where you deposited inocuous files
(something to appease the intruder but nothing sensitive or hurtful to
you). They cannot get into the second part of the container where is
the real files you want to hide. They cannot determine there is a
second password and a second portion of the container because all that
data is always randomized by TrueCrypt (rather than being unallocated).

Again, these are advanced features that some users don't care about, so
they want something simpler, like BestCrypt Traveller. If you go with a
compressed archiver (.zip files), many use weak legacy Zip encryption
that password recovery tools can hack.

So choose wisely.

And remember that when you read any file whether from an encrypted
container or zip file that there could be [temporary] copies left behind
outside the container or zip file. The files are secure only when in
situ inside the container. Editing a file means creating a temporary
copy of it or buffers (which might be in memory but could be on th disk)
within the program with portions of the file. You might copy the file
out of the container. Once you close the container, you need to
securely wipe any remnants of the file when it was outside the
container.

Jo-Anne

2018-07-20 01:44:43 UTC

Post by Jo-Anne
I like the idea of zipping the files and either
password-protecting or encrypting the zipped files.

Password protection of .zip files is easily hacked. That is why I did
not mention using passworded compressed archive files (.zip, .7z, etc).
If the zip tool offers legacy Zip and AES encryption, choose AES.
WinZip (payware) offers AES (128 and 256 bit) encryption. Other zip
tools usually only offer the weak legacy Zip encryption. There are many
password recovery tools that will hack the weak legacy Zip password.
Many users like 7-zip (freeware). I use Peazip (also freeware) because
it supports most of the compression algorithms along with 7-zip's own
(Peazip got the library from 7-zip); however, Peazip has a more modern
UI than for 7-zip whose UI harkens back to the Windows 3.x era.
However, neither one supports AES encryption, just the weak encryption.
http://www.peazip.org/encrypt-files.html
While a hacker might try decrypting the AES-based content, they would
have to also have to separately try Serpent or TwoFish which would
dramatically add to the time to decrypt successfully. 7-Zip just has
AES encryption. Peazip has AES, TwoFish, and Serpent; however, since I
haven't used encryption with Peazip, I don't know how to select which
encryption algorithm to use (and didn't see an option when creating a
new archive). Couple be, per the above article, a combined AES +
Serpent + TwoFish encryption requires using the .pea archive format.
When putting files into a compressed archive with a password, remember
that the original file sticks around. You would have to delete it.
Whether you or the archiver deletes the file, the file's contents still
occupies the file system's clusters until those clusters are reallocated
to another file AND until those clusters get overwritten by some other
program writing to that file. Peazip comes with a secure file eraser
(which can optionally be added to the Windows Explorer context menu).
There are lots of file recovery tools. If you don't want to leave
behind any trace of a file's content that you put into a passworded
archive file then you need to securely erase the original file, not just
delete it. I have Peazip configured to do 2 passes to securely erase
the clusters occupied by a file. That is more than sufficient with
drive manufactured for over two decades. Only on ancient RLL-encoded
hard drives might the 35-pass Gutmann method.
Note when using encryption within a .zip file that normally just the
*contents* of the files stored within the archive file are encrypted.
The filenames listed as records within the archive will still have the
original names. If you need to ensure that no one can deduce what might
be within a file, use an archiver that also encrypts the filenames.
Peazip has that option. I'd have to research to find out if 7-zip does.
Peazip also offers a two-factor algorithm: not only do you need to know
the password but must also supply a keyfile. You generate a keyfile for
the .zip archive and store it somewhere, like on a USB flash drive to
which only you have physical access (because you don't want someone else
copying the keyfile off the USB drive). I've never bothered with
2-factor authentication but then I don't bother using encryption in
archivers since I use TrueCrypt (or you could use BestCrypt Traveller or
VeraCrypt or other alternatives).
I haven't used Traveller or VeraCrypt. In TrueCrypt, you can even
compound the encryption algorithms. You could just use AES, or you
could use AES + TwoFish or AES + TwoFish + Serpent. The added layers
make decryption much more difficult; however, the extra encryptions also
make decryption slower, so the access to the mounted container will be
slower (not a problem with doc files but perhaps with videos). In
addition, you can create an encrypted container (file) that has 2
passwords: one which allows access to one part of the container and
another that allows access to a more secret part of the container. If
someone forces you to reveal your password, like pointing a gun at your
kids or wife or you or to satisfy FBI investigators applying legal
action, you could give them the first password. That lets them into the
first part of the container where you deposited inocuous files
(something to appease the intruder but nothing sensitive or hurtful to
you). They cannot get into the second part of the container where is
the real files you want to hide. They cannot determine there is a
second password and a second portion of the container because all that
data is always randomized by TrueCrypt (rather than being unallocated).
Again, these are advanced features that some users don't care about, so
they want something simpler, like BestCrypt Traveller. If you go with a
compressed archiver (.zip files), many use weak legacy Zip encryption
that password recovery tools can hack.
So choose wisely.
http://youtu.be/0H3rdfI28s0
And remember that when you read any file whether from an encrypted
container or zip file that there could be [temporary] copies left behind
outside the container or zip file. The files are secure only when in
situ inside the container. Editing a file means creating a temporary
copy of it or buffers (which might be in memory but could be on th disk)
within the program with portions of the file. You might copy the file
out of the container. Once you close the container, you need to
securely wipe any remnants of the file when it was outside the
container.

Thank you, Vanguard. You've been very clear. The situation is more
complex than I had anticipated.

--
Jo-Anne

dave61430

2018-07-20 12:01:57 UTC