Question Best way to encrypt/secure HDD?

[Merk35]

Hi,

Got a standard PC using Win10 that's a few years old being used in an office. They have several dozen word, excel and access files with sensitive customer data. These files are password protected.

They want to encrypt their whole drive, but is this the best way to go about things? I can imagine with their crappy 6 year old HP that it would take a long time and might be risky.

My question is, what's the best way to secure these files? they're also backed up to onedrive as part of office365.

Thanks.

 

[justin.m.beauvais]

The easiest way is to enable BitLocker within Windows. It has very little performance impact as well, so it should be a reasonable solution.

 

[Merk35]

Thanks for the response. I looked it up and it started going on about creating a partition and something about a TPM chip?

A few more questions if I may:

Is it time consuming? I've read some say it's taken 8 hours etc.

Once set up, is it simply a password that needs entered on boot?

Will the encrypted drive upload encrypted files to the cloud? if so, are they just opened with the same password?

Thanks.

 

[justin.m.beauvais]

BitLocker is linked to your Windows login, so you can still use the PC like normal. However, if you were to remove the hard drive it wouldn't work in another computer. It is time consuming, but it isn't anything you can't just run overnight. As for things stored on the cloud, I don't think those are encrypted. BitLocker secures your hard drive, not the individual files. If you have to encrypt individual files there is an option within Office or Adobe to password protect them. Otherwise there are third party applications that can encrypt individual files.

 

[Merk35]

Great, thanks for the info. One last question before I make a decision. Does password protecting office documents (word, excel, access) encrypt them? might sound an obvious question, but is password protecting the files individually the same level of security as encryption of the drive? because I'm only really concerned with security of a few office files. The rest of the drive is just windows installation and applications.

 

[digitalgriffin]

Hi,

Got a standard PC using Win10 that's a few years old being used in an office. They have several dozen word, excel and access files with sensitive customer data. These files are password protected.

They want to encrypt their whole drive, but is this the best way to go about things? I can imagine with their crappy 6 year old HP that it would take a long time and might be risky.

My question is, what's the best way to secure these files? they're also backed up to onedrive as part of office365.

Thanks.

Windows 7 Professional or Windows 10 Professional and get a SSD with Opal encryption. It's transparent and invokes no slow downs.

HOWEVER it will not protect them if their PC's are hacked. Security has multiple layers.

Layer 1: Education
Layer 2: Good virus protection & patch + password schedule
Layer 3: Non admin accounts. Even our IT support people have non-admin accounts. Only developers and upper level IT get this privilege.
Layer 4: Run a domain tree where new machines have to be authenticated by IT.
Layer 5: Store documents on a password protected SharePoint site. It will also log who tries to download the file locally, giving them a copy that might go home with them.
Layer 6: Honey pots that trip security firewalls.
Layer 8: Conformance checks via Group privs.
Layer 9: Azure documentation protection. https://docs.microsoft.com/en-us/azure/information-protection/
Layer 10: Backups Backups Backups.
Layer 11: Root Certs that record everything your employees do on the web.

I know it's a big list, but if it's extremely sensitive information, then yes it's worth it.

 

[Solandri]

Great, thanks for the info. One last question before I make a decision. Does password protecting office documents (word, excel, access) encrypt them? might sound an obvious question, but is password protecting the files individually the same level of security as encryption of the drive? because I'm only really concerned with security of a few office files. The rest of the drive is just windows installation and applications.

Putting a password on your Office files encrypts them with 128-bit or 256-bit AES (depending on which version of Office you have).

https://en.wikipedia.org/wiki/Microsoft_Office_password_protection

Encrypting the drive is still advisable because someone with the password to those Office docs could still do something stupid like copy the contents of the doc and paste it into a new document file without a password. When you encrypt the entire drive, you know everything written to it is encrypted even if you do something stupid.

One note about enabling Bitlocker. During the setup, you'll get a message about setting up a recovery key in case you should forget your password. Most people skip this step. It is absolutely crucial that you do this. Otherwise if you forget the password, everything encrypted is GONE. If you reinstall the OS and forget you had a Bitlocker partition, everything is GONE (I lost all my pre-2007 tax returns because of this). If your Windows installation becomes corrupted to the point where it can't be booted, everything is GONE. You need that recovery key to recover from these possible disaster cases. From what I've seen, it's much more common to lose data due to using Bitlocker without a recovery key, than due to the drive or computer being stolen.