Securing Files in Windows

[Neo]

Is there any way I can protect text/doc's.. files from being read by other people who may be able to access my system.
I use Windows XP with FAT32. If this was NTFS is there any way of doing this?

[Solar]

It should be easy enough to restrict other user's access to your files. Under "Properties" / "Security" / "Permissions" (or similar, I only have NT4 for reference ATM), you can set which user / user group has which rights.

If someone has access to your user account (why should anyone have that?), or is Administrator on your machine, that doesn't work, obviously. In that case, you would have to use something like PGP or GnuPG to encrypt your files.

[mystran]

Given the lovely security model of Windows APIs, if someone has an account on the computer (at least if they can run unknown .EXEs) then they can become LOCAL SYSTEM which happens to have more priviledges than Administrators. This without physical access.

Also, if one has physical to the machine, then they can get around the Administrator-password anyway, or read the file using some other operating system. So, well... encryption is good. Even then, one can use a keyboard logger (or something) to get your password. For really sensitive material you should also be afraid of connecting your computer to internet: someone might hack into your box and steal your files.

In real life, if you simply want to protect stuff from trusted people's accidental access, then simply password protect your account, and either remove priviledges from the directory (from the directorys properties tab in XP Pro) or set your My Documents to in-accessible by others (from account properties in XP Home). Last I checked, even Administrators needed to manually force an override on those settings (in XP Pro atleast) and (in Pro) you should be able to enabled auditing (if not enabled by default) so that one can see if somebody else has fooled with the permissions.

[mystran]

Oh, and a DISCLAIMER:

I don't have a Windows box here (except my GF's XP Home) so I didn't actually verify what I claimed.

[AR]

On an NTFS partition you can actually go into the file properties and click Advanced in the "Attributes" section to get a window with a checkbox that will allow you to encrypt the file. (I think from memory the file is encrypted symmetrically then the symmetric key is encrypted using a private/public key pair based on the account password).

FAT32 doesn't offer this, I suggest you use the partition conversion tool to convert it to NTFS since NTFS offers better performance as well. Otherwise you'll have to use a third party encryption tool since file permissions don't hold up against someone with physical access to the computer.

[Stranger]

There's a useful program called AxCrypt (google it), for encrypting files in Windows with a passphrase. It works with a shell extension, so you can right-click->AxCrypt->Encrypt something, and then later open it as you normally would, at which point it will prompt you for your passphrase, decrypt it temporarily, and open the file. When you change the file, it is re-encrypted and saved.

[rich_m]

There's a useful program called AxCrypt

what happens to the file if Ax is uninstalled after securin

[Solar]

Usually you need the app to de-encrypt.

But when you're looking for that kind of security - encripting files with third-party tools - the de-facto standard is PGP / GnuPG. I wouldn't trust any other software in that department.

[Stranger]

AxCrypt is open source and implements the AES and SHA algorithms. PGP and GnuPG are also implementations of standard algorithms, and GnuPG is open source. PGP is propietary. I miss this trust concept.

Second, any encryption on a computer is very iffy anyway, considering the myriad of other ways to get your data.

And yes, if you uninstall it, naturally you can't use it to decrypt anything. Of course, there's an easy solution to this. Decrypt the files, which you can do too, before uninstalling.

[ark]

Yeah...depends on how sensitive the material you're trying to protect is. If you're simply trying to prevent a naive computer user from reading something that you don't want them to read (like a journal or a story or whatever) then you may want to go a simpler route and roll your own encryption program that translates a password into an encryption/decryption key and then stores the key in the file. When decrypting, the program should ask for the password to verify against the stored key. The benefit of this is that you can easily retrieve the data by writing code that ignores the password check. This is also the drawback. It is incredibly simple to defeat and is absolutely inappropriate for truly sensitive data.

[Candy]

Yeah...depends on how sensitive the material you're trying to protect is. If you're simply trying to prevent a naive computer user from reading something that you don't want them to read (like a journal or a story or whatever) then you may want to go a simpler route and roll your own encryption program that translates a password into an encryption/decryption key and then stores the key in the file. It is incredibly simple to defeat and is absolutely inappropriate for truly sensitive data.

XOR the password thingy on the file? It's damn easy to break but still not overly simple.

[Neo]

And yes, if you uninstall it, naturally you can't use it to decrypt anything. Of course, there's an easy solution to this. Decrypt the files, which you can do too, before uninstalling.

What if you re-install it again and try to decrypt?

[Schol-R-LEA]

Realistically, the whole concept of 'computer security' is at best a polite fiction. Regardless of the operating system you have, the only safe assumption is that if it is on a computer, then the people you would want to keep it from already have it.

In fact, that's the only safe assumption for information, period, even if the only place it is 'stored' is your own head. Trust me, social engineering can get unwary targets to slip almost anything, often without them realizing it; more sophisticated techniques of intelligence gathering are limited only by what those using them are looking for (a major limitation actually, as many times the most important information is out in the open, unnoticed, but that's besides the point). This may sound paranoid, but it's actually a lot less so than the cypherpunk fantasy.

Pragmatically this means that, like with most other forms of security, the goal should be to first avoid attention - if no one knows that there is something to look for, then they probably won't; and second to make accessing the information more trouble than it's worth (though you want to be careful, here, as doing so may draw attention itself; after all, a single encrypted file in a disk full of unencrypted files is obviously hiding something). What this requires depends on the circumstances; the actually techniques are less important than the overall approach of knowing who is likely to want the information, how likely they are to find it, and what they are likely to do to extract it once they know it's there. A static, one-size-fits-all approach is at least as bad as no security at all.

That having been said, I personally don't bother with any security at all to speak of, except for a firewall and anti-malware programs. Life is too short, and I don't really have anything to hide that can't be found more easily elsewhere.

[Stranger]

And yes, if you uninstall it, naturally you can't use it to decrypt anything. Of course, there's an easy solution to this. Decrypt the files, which you can do too, before uninstalling.

What if you re-install it again and try to decrypt?

It'll work. Encrypted files are just ciphertext, so provided the passphrase, it'll decrypt any file encrypted with it. Try it out.