Win 8.1 encryption options

[DELTAprime]

I want to encrypt the drives on my new Alienware X51 to protect me in the event of theft like I do on all my Mac's using Filevault. I decided not to go with 8.1 Pro for the moment because I'm hoping there might be a deal to get Windows 10 Pro cheaper than 8.1 Pro currently is at the launch of Windows 10. So till Windows 10 comes out and I get Bitlocker what would be the best option to encrypt the drives?

 

[popatim]

Win 10 is going to be free for for the 1st year for just about everyone owning a valid copy of windows7 and up you know...

 

[Tom Tancredi]

Encryption is MUCH riskier on Windows platforms UNLESS you use a hardware encryption layer. Normally software based (as in this case the OS) has a even MINOR glitch the whole hard drive is LOST PERMANENTLY. There is no way to recover from a encrypted drive (unless it is worth serious money to you that you would be willing to front the 100K to over 1M cost and time to professional - law enforcement / military / RSA grade decryptors to attempt it) .

Honestly if someone stole your computer (very unlikely unless you take ALOT of plane flights) there is much easier and LARGER NET profitability when they instead target ... well Target, Home Depot, etc. and get the CCs EN MASSE that way( assuiming that is your main concern). Honestly when you file the police report, then contact all your bank accounts, credit cards, etc. within 72 hours if someone attempts anything they will be traced and reported instantly to the police to be immediately arrested. Where as it takes Target / etc. how long to admit there was a breech then not saying 'WHO' singularly was breeched, so they have a LARGE NET of names, CC# etc. to pick and 'collectivly' make a lots more profit then just you individually, with a lot less risk of capture / setting off alarms.

 

[DELTAprime]

Encryption is MUCH riskier on Windows platforms UNLESS you use a hardware encryption layer.

When you say hardware encryption layer is that Intel's TPM chip or something else?

 

[Tom Tancredi]

TPM is the 'key' in your hand not actually the 'door lock and mechanism' of Encryption.
See http://www.trustedcomputinggroup.org/resources/trusted_platform_module_tpm_summary for more ont he whole platform.

Hardware layer encryption would involve either a I/O device itself on your motherboard - PCI Card (as done for servers back when) or more commonly included on the HDD itself either as the case (external) itself has the 'card' I mention built into it and the interface to the HDD itself (example here http://www.amazon.com/StarTech-com-2-5-Inch-Encrypted-Drive-Enclosure/dp/B0086OGOGQ) or as noted by Lenovo as a FE Drive itself (http://support.lenovo.com/us/en/documents/migr-69621) and as explained in detailed here :
http://www.computerweekly.com/feature/Self-encrypting-drives-SED-the-best-kept-secret-in-hard-drive-encryption-security

Now due to the HIGH overhead Encrypting and Deencrypting of every single BIT causes, the impact to the user experience is about the same as the experience of watching grass grow, and as exciting. To compensate the original solution (as noted in the last article) was to increase the Spindle speed to 10K RPM then finally 15K RPM. This causes a HUGE heat increase output as well as larger amount of electrical usage and serious costs increases. But then again the target audience is to business with at least 1M in revenue, more likely large organizations and government / military related would have 1B+ business dealing that the costs would easily be a 'drop' in the pocket (aka $10K per drive or more + the cost of the rest of the computer).

With the advent of SSDs, the costs can be mitigated lower, but your still not going to get a encrpted drive for $99 or such, your still talking $500-$1000 drive none the less (which is a big 'savings' for businesses as I mentioned).

 

[popatim]

Did you get that backwards Tom?

As I recall, with software encryption if you forget the password you format the drive and you're back to like brand new. There's no encryption going on at the drive level.

With TPM/SED you either reset the drive if you can or throw it out and buy a new one.

In both case, important files had better be backed up.

 

[DELTAprime]

OK, so since I just want to make it hard for someone to read my personal data should they steal my PC (which is a possibility since we have had neighbours broken into) and I have offsite backups (which I already do) then I should just go with software and if a drive corrupts just format and start over?

 

[Tom Tancredi]

OK, so since I just want to make it hard for someone to read my personal data should they steal my PC (which is a possibility since we have had neighbours broken into) and I have offsite backups (which I already do) then I should just go with software and if a drive corrupts just format and start over?

Yeah you could. Those thefts would be for the sale of the laptop "hey buddy want a nice Mac? Only $200!" not actually to steal your data. Even if you had a basic 'password' login, would be enough for those "my neighbor got broken into" to stop them, they aren't even mildly interested in your personal information, they would have no use for it.

Now if your CC was laying out that would MUCH more valuable as they 'burgle' your home, and easier to deal with. So while I understand what your trying to do, your over paranoid on the security (encryption) you need. Normally the encryption software wise is for businesses where your talking Million Dollar contracts / negotiations and you dont' want someone undercutting your offer / business. Plus you have a IT Team 24x7 you pay for to that "if (Windows) corrupts just format and start over" without too many productivity hours lost in the mean time.

For consumer your talking DAYS and DAYS of rebuilding the image, updates, etc. because once you encrypt the drive you can't 'back up the image', especially since Vista was released this has made it impossible (no more Symantec Ghost quick like solutions) to just build a 'backup' image then encrypt and go back to if things 'go bad' so to save yourself days and days of download and installs patches etc. then finally full encryption.

Is why the hardware solution while costly is a real time saver and much less risk of 'OS' screwing up the entire drive to start all over again. Up to you which path you want, but personally (as I suggested) I wouldn't and don't do either at all for PERSONAL use, too much risk, not enough gain.

Oh and one big 'POP" to your bubble. IF you use the default autologin, and your saving your cookies / PW for all your using Paypal, Bank Acct, Credit Card, Bills, etc. once they get past the LOGIN PW (especially if it autologs in) encrypting the drive doesn't do anything, they are 'in' by just logging in. The encryptions is best for those trying to remove the drive and hook it up to a secondary system preventing them from 'reading' the drive.

 

[FALC0N]

Once you encrypt the drive, you can't back up the image? Since when? You can back up the image.

 

[Tom Tancredi]

Once you encrypt the drive, you can't back up the image? Since when? You can back up the image.

http://pureinfotech.com/2013/07/22/microsoft-removing-windows-easy-transfer-in-windows-8-1/
http://windows.microsoft.com/en-us/windows-8/what-happened-to-backup-restore

Not for consumers ' let me just buy this and it will do it' full solution as they expect NO, not since Vista's release. Since Vista's release, you can't just grab (as I mentioned) Symantec's Ghost or similiar tool, due to the way the security was removed from even the Administrator account now to the Trusted Installer as the real 'God' of the computer. As this is a INCODE account (aka not accessible but is part of the actual Windows OS code) it has demonstrated issues with all backup methods EXCEPT BIT LEVEL Images (very very slow and impractical on a 1TB drive common in PCs today) and fails to restore usually with the cases of extensive BSODs, errors and such due to the 'intrusion' of how Trusted Installer perceives how the computer should be setup.

The current Windows 8.1 model is based on "TABLETS AND SMARTPHONES", which is to say
that the hard-saved image of Windows will 'never be corrupted' on the drive and using any of the 'Windows 8 restore' options all will work because you will never need to 'reimage' the drive again (Yeah right M$! Your sooooo dreaming!). Then with Windows 8.1 having Microsoft's OneDrive restore the 'Data' back to the computer once the user logins reregistering the 'Live Account'. You are aware WET (Windows Easy Transfer) is disabled in Windows 8+ now so you can't even 'cheat' with a nice clean backup of your data, desktop, favorites, etc. like you were since XP.

The BUSINESS LEVEL solution (which I am Microsoft Certified to do) is to create a Sysprep image for DISM and so on, but then your talking Site Licensing, servers, and the like. Much more complicated to setup, but very EASY to do mass deployments of new images. This is not common for the consumer and damn hell of a headache to 'develop' for specific personal use / setup / desired settings.

 

[FALC0N]

All you have to do to image the drive is to do it from outside the encrypted volume. A boot disk or separate boot partition. If data is all your after, backup from within the OS. That's all most users do anyways. Well, at least those that do backups.