
How data is encrypted. About data encryption

Every user has confidential data of their own that they would not want other people to see. What kind of files they are does not matter; what matters is that this personal information should be inaccessible to others. The file encryption and protection programs discussed below help with exactly this task.

Some applications, such as Microsoft Office and WinRAR, have built-in password protection. Its weakness is that password-recovery utilities for these formats are widely available: against a short or dictionary password they succeed quickly, and the legacy Office 97-2003 formats used 40-bit RC4 encryption that can be brute-forced outright regardless of the password. And they do nothing for a photo, an audio recording or a video.

So what can encryption software hide and encrypt? Typically users protect individual files, folders, whole logical partitions of a hard disk, portable media (memory cards, flash drives, external hard disks), e-mail and much more.

Note that hiding and encrypting files is not a difficult operation; in complexity it is comparable to ordinary editing of a text file.

Finally, note that encryption and data-protection programs can be dangerous through the carelessness of the users themselves. Users can lock themselves out of their own encrypted data by losing or forgetting the password, through an operating system failure, or in other ways. Software of this kind must be used seriously and carefully: keep the password and any recovery key somewhere safe, and keep a backup of anything you cannot afford to lose.

Kaspersky Endpoint Security can encrypt files and folders stored on the local drives of a computer and on removable drives, and can encrypt removable drives and hard drives in their entirety. Data encryption reduces the risk of information leakage if a laptop, removable drive or hard drive is stolen or lost, and when outside users or programs gain access to the data.

If the license has expired, the application does not encrypt new data; existing encrypted data remains encrypted and available for work. To encrypt new data in this case, activate the application with a new license that permits the use of encryption.

If the license expires, the License Agreement is violated, the key is removed, or Kaspersky Endpoint Security or its encryption components are uninstalled from the user's computer, there is no guarantee that previously encrypted files will remain encrypted. The reason is that some programs, for example Microsoft Office Word, create a temporary copy of a file while editing it and replace the original file with that copy on save. If encryption functionality is absent or unavailable on the computer at that moment, the saved file is left unencrypted.

Kaspersky Endpoint Security provides the following areas of data protection:

  • Encrypting files on local drives of a computer. You can create lists of files by extension or group of extensions, lists of folders located on the local drives of the computer, and encryption rules for files created by individual programs. After the Kaspersky Security Center policy is applied, Kaspersky Endpoint Security encrypts and decrypts the following files:
    • files added individually to the encryption and decryption lists;
    • files stored in folders added to the encryption and decryption lists;
    • files created by individual programs.

    For details on applying a Kaspersky Security Center policy, see the Kaspersky Security Center Help.

  • Removable drive encryption. You can specify a default encryption rule, under which the application performs the same action for all removable drives, and you can specify encryption rules for individual removable drives.

    The default encryption rule has lower priority than the encryption rules created for individual removable drives. Encryption rules created for removable drives with a specified device ID take precedence over encryption rules created for removable drives with a specified device model (the rule-selection steps below apply this order).

    To select the encryption rule for files on a removable drive, Kaspersky Endpoint Security checks whether the device model and the device ID are known, and then does one of the following:

    • If only the device model is known, the application applies the encryption rule created for removable drives with this device model, if such a rule exists.
    • If only the device ID is known, the application applies the encryption rule created for removable drives with this device ID, if such a rule exists.
    • If both the device model and the device ID are known, the application applies the encryption rule created for removable drives with this device ID, if such a rule exists. If there is no such rule but there is a rule for removable drives with this device model, the application applies that one. If no encryption rule is specified for either this device ID or this device model, the application applies the default encryption rule.
    • If neither the device model nor the device ID is known, the application applies the default encryption rule.

    The application can prepare a removable drive for working with the files encrypted on it in portable mode. After portable mode is enabled, the encrypted files on the removable drive can be used on computers where encryption functionality is unavailable.

    The application performs the action specified in the encryption rule when the Kaspersky Security Center policy is applied.

  • Managing program access to encrypted files. For any program you can create a rule for access to encrypted files that either denies access or allows access only to the ciphertext, the sequence of bytes produced by encryption.
  • Creating encrypted archives. You can create encrypted archives and protect access to them with a password. The contents of an encrypted archive can be accessed only after entering the password set when the archive was created. Such archives can be safely transferred over the network or on removable drives.
  • Full disk encryption. You can choose the encryption technology: Kaspersky Disk Encryption or BitLocker Drive Encryption (hereinafter also "BitLocker").

    BitLocker is a technology built into Windows. If the computer has a Trusted Platform Module (TPM), BitLocker uses it to protect the key that unlocks the encrypted drive: at boot the TPM releases that key only if the measured boot components are unchanged, and the drive is then unlocked. A password and/or PIN can additionally be required before the key is released. BitLocker's separate recovery key (the recovery password) is not held in the TPM; it is for regaining access when this normal unlock is unavailable.

    You can specify a default full disk encryption rule and create a list of hard drives to exclude from encryption. Kaspersky Endpoint Security performs full disk encryption sector by sector after the Kaspersky Security Center policy is applied. The application encrypts all logical partitions of the hard drives at once. For details on applying a Kaspersky Security Center policy, see the Kaspersky Security Center Help.

    After the system hard drives have been encrypted, the next time the computer is turned on, access to them and loading of the operating system are possible only after authentication in the Authentication Agent. To do this, the user enters the password of a token or smart card connected to the computer, or the name and password of an Authentication Agent account created by the system administrator of the organization's local network using the Authentication Agent account management tasks. These accounts are based on the Microsoft Windows user accounts under which users log on to the operating system. You can manage Authentication Agent accounts and use single sign-on (SSO), which logs the user on to the operating system automatically with the name and password of the Authentication Agent account.

    The Authentication Agent is the interface that, after the boot hard drive has been encrypted, lets the user pass authentication to access the encrypted hard drives and boot the operating system.

    If a backup copy of the computer was created, the computer's data was then encrypted, the backup copy was restored, and the data was encrypted again, Kaspersky Endpoint Security creates duplicate Authentication Agent accounts. To remove the duplicates, use the klmover utility with the dupfix key. The klmover utility ships with Kaspersky Security Center; for details on its operation, see the Kaspersky Security Center Help.

    When upgrading the application to Kaspersky Endpoint Security 11 for Windows, the list of Authentication Agent accounts is not preserved.

    Encrypted hard drives can be accessed only from computers on which Kaspersky Endpoint Security with full disk encryption functionality available is installed. This condition minimizes the chance of information leaking from an encrypted hard drive that is used outside the organization's local network.

To encrypt hard drives and removable drives you can use the Encrypt only occupied space function. It is recommended only for new, previously unused devices. If you are enabling encryption on a device that is already in use, encrypt the entire device instead: this ensures that all data is protected, including deleted data that may still be recoverable.

Before starting encryption, Kaspersky Endpoint Security obtains a map of the sectors used by the file system. The first stream encrypts the sectors occupied by files at the moment encryption starts; the second stream encrypts sectors that are written to after encryption has started. When encryption finishes, all sectors containing data are encrypted.

If a user deletes a file after encryption is complete, the sectors where it was stored become free for new writes at the file system level but remain encrypted. So on a new device, as files are written and encryption is run regularly with Encrypt only occupied space enabled, every sector on the computer will eventually be encrypted. On a previously used device, however, sectors that were freed before encryption was enabled are not in the sector map and keep their old plaintext contents, which is why the function is recommended only for new devices.
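
To make the difference between the two modes concrete, here is an added toy simulation (example code, not Kaspersky's) of a disk with 16-byte sectors: a file system allocation map, an initial encryption pass that follows the sector map, on-the-fly encryption of later writes, and a forensic check for plaintext left in free sectors. The per-sector XOR keystream stands in for the real sector cipher, and the sector size, the `SECRET` marker and the three scenarios are constructed for the example.

```python
import hashlib

SECTOR = 16  # toy sector size; real disks use 512 or 4096 bytes


def keystream(key: bytes, sector_no: int) -> bytes:
    """Toy per-sector keystream (a real product uses AES-XTS keyed on the sector number)."""
    return hashlib.sha256(key + sector_no.to_bytes(8, "big")).digest()[:SECTOR]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyDisk:
    def __init__(self, n_sectors: int):
        self.data = [bytes(SECTOR) for _ in range(n_sectors)]  # raw sector contents
        self.allocated = [False] * n_sectors  # file-system allocation map
        self.key = None  # set once encryption has been enabled

    def fs_write(self, sector_no: int, payload: bytes) -> None:
        """Write through the file system; once encryption is on, writes are encrypted on the fly."""
        payload = payload.ljust(SECTOR, b"\x00")[:SECTOR]
        if self.key is not None:
            payload = xor(payload, keystream(self.key, sector_no))
        self.data[sector_no] = payload
        self.allocated[sector_no] = True

    def fs_delete(self, sector_no: int) -> None:
        """Deleting only clears the allocation bit; the bytes stay on the platter."""
        self.allocated[sector_no] = False


def enable_encryption(disk: ToyDisk, key: bytes, used_space_only: bool) -> None:
    """Initial encryption pass: every sector, or only the sectors the file system maps as used."""
    disk.key = key
    for i in range(len(disk.data)):
        if used_space_only and not disk.allocated[i]:
            continue  # free sector: skipped, whatever it still contains
        disk.data[i] = xor(disk.data[i], keystream(key, i))


def plaintext_residue(disk: ToyDisk, marker: bytes) -> list:
    """Forensic check: which raw sectors still contain the marker in the clear?"""
    return [i for i, sector in enumerate(disk.data) if marker in sector]


def scenario(previously_used: bool, used_space_only: bool) -> list:
    """Return the sector numbers where plaintext survives after encryption."""
    disk = ToyDisk(8)
    key = b"\x01" * 16  # constructed key for the example
    if previously_used:
        # A file written and deleted BEFORE encryption was enabled: its sector is
        # free in the allocation map but still holds the old contents.
        disk.fs_write(5, b"SECRET old report")
        disk.fs_delete(5)
    disk.fs_write(0, b"SECRET current")        # allocated when encryption starts
    enable_encryption(disk, key, used_space_only)
    disk.fs_write(1, b"SECRET written later")  # encrypted on the fly by fs_write
    disk.fs_delete(0)                          # freed after encryption: stays ciphertext
    return plaintext_residue(disk, b"SECRET")


if __name__ == "__main__":
    print("new device, occupied space only: ", scenario(False, True))  # []
    print("used device, occupied space only:", scenario(True, True))   # [5]
    print("used device, full encryption:    ", scenario(True, False))  # []
```

The third scenario is the one the documentation recommends for a device already in use: only a full pass touches sector 5, which the allocation map no longer claims but which still holds the deleted report.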

The data required to decrypt objects is provided by the Kaspersky Security Center Administration Server that managed the computer at the time of encryption. If a computer with encrypted objects has for some reason come under the management of another Administration Server and the encrypted objects have never been accessed since, access can be obtained in one of the following ways:

  • request access to the encrypted objects from the administrator of the organization's local network;
  • recover the data on the encrypted devices with the recovery utility;
  • restore from backup the configuration of the Kaspersky Security Center Administration Server that managed the computer at the time of encryption, and use this configuration on the Administration Server that now manages the computer with the encrypted objects.

During encryption the application creates service files, which require about 0.5% of unfragmented free space on the computer's hard drive. If there is not enough unfragmented free space on the hard drive, encryption is not started until this condition is met.

The encryption functionality of Kaspersky Endpoint Security is not compatible with Kaspersky Anti-Virus for UEFI. Encrypting the drives of a computer on which Kaspersky Anti-Virus for UEFI is installed makes Kaspersky Anti-Virus for UEFI inoperable.

Our storage media hold a huge amount of personal and important information, documents and media files, and they need protection. Cryptographic methods such as AES and Twofish, which encryption programs offer as standard, belong to roughly the same generation and provide a comparably high level of security.

In practice an ordinary user cannot go far wrong in the choice of algorithm. The decision that matters is which specialized program to use for which purpose: hard disk encryption often uses a different mode of operation than file encryption.

For a long time the best choice for full hard drive encryption, or for storing data in an encrypted container, was the TrueCrypt utility. That project is now closed. Its worthy successor is the open source program VeraCrypt. It is based on the TrueCrypt code, but has been modified to improve the quality of the encryption.

For example, VeraCrypt improves the derivation of the key from the password: the key derivation function is iterated far more times, so every password guess costs an attacker correspondingly more. Hard drives are encrypted in a mode that is less common than CBC, namely XTS. In this mode the blocks are encrypted independently of one another, ECB-style, but a tweak derived from the sector number and the block's offset within the sector is mixed in, so identical plaintext blocks at different positions produce different ciphertext.
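
The two improvements above, as an added example that is not VeraCrypt's code: PBKDF2-HMAC-SHA512 with a configurable iteration count (TrueCrypt used on the order of 1,000 to 2,000 iterations; VeraCrypt's default for SHA-512 is 500,000), and a working XTS sector encryption that shows why the tweak matters. A 4-round Feistel network with an HMAC round function is used as a stand-in for AES so that the example runs with the standard library only; the keys, the sector contents and the block count are constructed.

```python
import hashlib
import hmac

BLOCK = 16


# --- Password to key. Raising the iteration count is the whole "improvement". ---
def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512 as VeraCrypt uses it; each guess costs the attacker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=32)


def guess_cost_factor(old_iterations: int, new_iterations: int) -> float:
    """How much slower a brute-force run becomes when the iteration count is raised."""
    return new_iterations / old_iterations


# --- Toy 16-byte block cipher standing in for AES: 4-round Feistel, HMAC round function. ---
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


# --- XTS: tweak = E_K2(sector number), multiplied by alpha once per block inside the sector. ---
def _gf_double(t: bytes) -> bytes:
    """Multiply by alpha in GF(2^128) with the XTS convention (little-endian, x^128+x^7+x^2+x+1)."""
    n = int.from_bytes(t, "little")
    carry = n >> 127
    n = (n << 1) & ((1 << 128) - 1)
    if carry:
        n ^= 0x87
    return n.to_bytes(16, "little")


def xts_encrypt_sector(k1: bytes, k2: bytes, sector_no: int, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0, "toy version: whole blocks only, no ciphertext stealing"
    tweak = block_encrypt(k2, sector_no.to_bytes(16, "little"))
    out = bytearray()
    for j in range(0, len(data), BLOCK):
        out += xor(block_encrypt(k1, xor(data[j:j + BLOCK], tweak)), tweak)
        tweak = _gf_double(tweak)  # the next block in the sector gets a different tweak
    return bytes(out)


def xts_decrypt_sector(k1: bytes, k2: bytes, sector_no: int, data: bytes) -> bytes:
    tweak = block_encrypt(k2, sector_no.to_bytes(16, "little"))
    out = bytearray()
    for j in range(0, len(data), BLOCK):
        out += xor(block_decrypt(k1, xor(data[j:j + BLOCK], tweak)), tweak)
        tweak = _gf_double(tweak)
    return bytes(out)


def ecb_encrypt(k1: bytes, data: bytes) -> bytes:
    return b"".join(block_encrypt(k1, data[j:j + BLOCK]) for j in range(0, len(data), BLOCK))


def distinct_ciphertext_blocks(mode: str) -> int:
    """The same 16-byte plaintext block written 4 times into each of 2 sectors: how many distinct
    ciphertext blocks come out? ECB leaks the repetition (1); XTS hides it (8)."""
    k1, k2 = b"\x11" * 16, b"\x22" * 16  # constructed keys
    sector = b"same plaintext!!" * 4
    blocks = set()
    for sector_no in (0, 1):
        ct = ecb_encrypt(k1, sector) if mode == "ecb" else xts_encrypt_sector(k1, k2, sector_no, sector)
        blocks.update(ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK))
    return len(blocks)


if __name__ == "__main__":
    print("brute-force slowdown 2,000 -> 500,000:", guess_cost_factor(2000, 500000))
    print("distinct blocks, ECB:", distinct_ciphertext_blocks("ecb"), " XTS:", distinct_ciphertext_blocks("xts"))
```

Two things the real implementation does that the toy omits: ciphertext stealing for sectors whose length is not a multiple of the block size, and a second, independent key half for the tweak (here `k2` is simply a separate constructed key).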

Random numbers and strong passwords

To protect individual files, a free program with a simple interface is enough, for example MAXA Crypt Portable or AxCrypt. We recommend AxCrypt because it is an open source project. When installing it, however, note that the installer package contains unwanted add-ons, so uncheck them.

To launch the utility, right-click a file or folder and enter a password (for example, when opening an encrypted file). The program uses the AES algorithm with a 128-bit key in CBC mode. AxCrypt includes a pseudo-random number generator to produce a strong initialization vector (IV).

If the IV is not truly random, CBC mode is weakened: with a predictable IV, an attacker who can get chosen plaintexts encrypted under the same key can test guesses for the first block of another message. MAXA Crypt Portable works similarly, but encrypts with a 256-bit key. If you upload personal information to cloud storage, you should assume that its operators, Google or Dropbox for example, scan the content.
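
The weakness described above, as an added example rather than anything from AxCrypt or MAXA Crypt: a CBC encryptor over a keyed PRF (a stand-in for AES, since only the forward direction is needed), an IV source that is really a counter, a properly random one, and the chosen-plaintext attack that recovers a secret first block when the next IV can be predicted. The candidate values and the key are constructed.

```python
import hashlib
import hmac
import secrets

BLOCK = 16


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Keyed PRF standing in for AES; the attack only ever needs encryption."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "toy version: whole blocks only"
    prev, out = iv, bytearray()
    for j in range(0, len(plaintext), BLOCK):
        prev = toy_block_cipher(key, xor(plaintext[j:j + BLOCK], prev))
        out += prev
    return bytes(out)


class CounterIV:
    """A 'pseudo-random' IV that is really a counter: anyone who saw the last IV knows the next."""
    def __init__(self):
        self.n = 0

    def next(self) -> bytes:
        self.n += 1
        return self.n.to_bytes(BLOCK, "big")

    def predict(self) -> bytes:  # the attacker's prediction of the next IV
        return (self.n + 1).to_bytes(BLOCK, "big")


class RandomIV:
    """Properly random IVs: the attacker's 'prediction' is no better than a guess."""
    def __init__(self):
        self.last = bytes(BLOCK)

    def next(self) -> bytes:
        self.last = secrets.token_bytes(BLOCK)
        return self.last

    def predict(self) -> bytes:
        return ((int.from_bytes(self.last, "big") + 1) % (1 << 128)).to_bytes(BLOCK, "big")


def recover_first_block(key: bytes, iv_source, secret: bytes, candidates: list):
    """Chosen-plaintext attack on CBC with a predictable IV.

    The victim encrypts a secret first block S under IV_v, giving C_v = E(S xor IV_v).
    For each guess G, the attacker predicts the IV_a that the next encryption will use
    and submits P = G xor IV_v xor IV_a. Then E(P xor IV_a) = E(G xor IV_v), so the first
    ciphertext block equals C_v exactly when G == S. With a random IV the prediction is
    wrong and no guess matches."""
    iv_v = iv_source.next()
    c_v = cbc_encrypt(key, iv_v, secret)[:BLOCK]  # attacker observes iv_v and c_v
    for guess in candidates:
        iv_a = iv_source.predict()
        crafted = xor(xor(guess, iv_v), iv_a)
        c_a = cbc_encrypt(key, iv_source.next(), crafted)[:BLOCK]  # encryption oracle
        if c_a == c_v:
            return guess
    return None


if __name__ == "__main__":
    key = b"k" * 16  # constructed key
    candidates = [b"amount=000100000", b"amount=000200000", b"amount=000500000"]
    print("counter IV:", recover_first_block(key, CounterIV(), candidates[1], candidates))  # b"amount=000200000"
    print("random IV: ", recover_first_block(key, RandomIV(), candidates[1], candidates))   # None
```

The attack needs nothing but an encryption oracle and a predictable IV; this is the reason a file encryptor must draw its IV from a cryptographic random generator rather than from a counter, a timestamp or a fixed constant.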

Boxcryptor integrates into the workflow as a virtual drive and, with a right click, encrypts all files placed there before they are uploaded to the cloud. Alongside this, it is important to get a password manager such as Password Depot. It generates complex passwords that nobody could remember; you just must not lose the master password for the program itself.

We use encrypted disks

Like TrueCrypt, VeraCrypt's wizard guides the user through all the stages of creating an encrypted disk. An existing partition can also be protected.

One click encryption

The free Maxa Crypt Portable offers all the options needed to quickly encrypt individual files with the AES algorithm. Pressing the button starts generating a secure password.

Linking the Cloud to Privacy

Boxcryptor encrypts important files with one click before uploading them to Dropbox or Google storage. The default is AES with a 256-bit key.

The cornerstone is a password manager

Long passwords increase security. Password Depot generates and uses them, both for encrypting files and for web services, to which it passes the account credentials.


Encryption is the process of transforming information so that it cannot be accessed by other people unless they have the key needed to decode it. Encryption is usually used to protect important documents, but it is also a good way to stop people trying to steal your personal data.

Why use categories? To break the huge variety of encryption programs down into simpler, more understandable sets, that is, to give them structure. This article is limited to utilities for encrypting files and folders.

  1. File and folder encryption utilities, the subject of this article. These utilities work directly on files and folders, unlike utilities that encrypt and store files in volumes (archives, that is, file containers). They can operate on demand or on the fly.
  2. Virtual disk encryption utilities. These work by creating volumes (encrypted containers or archives) that appear in the file system as virtual disks with their own drive letter, for example "L:". Such disks can hold both files and folders. The computer's file system can read, write and create documents on them in real time, that is, in the clear. These utilities work on the fly.
  3. Full-drive encryption utilities, which encrypt entire storage devices: hard drives, disk partitions and USB devices. Some utilities in this category can also encrypt the drive on which the operating system is installed.
  4. Client-side "cloud" encryption utilities, a new category. These encrypt files before they are uploaded or synchronized to the cloud, so the files are encrypted both in transit and while stored in the cloud. Cloud encryption utilities use various forms of virtualization to give the client side access to the plaintext, and all of this happens on the fly.

Caveats

    Operating systems are leaky: echoes of your personal data (swap files, temporary files, hibernation ("system sleep") files, deleted files, browser artifacts and so on) will probably remain on whatever computer you use to access your data. Tracking down these echoes is a non-trivial task. If you need to protect data on the hard disk while it moves to, or arrives from, the outside, the task is harder still. For example, when you create an encrypted file archive or unpack one, the original versions of the files, or copies of the originals extracted from the archive, remain on the hard disk. They may also remain in the temporary-file locations (the Temp folders and the like). So removing these original versions is not simply a matter of deleting them with the "delete" command: deletion frees the space but leaves the contents on the disk until they happen to be overwritten.
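
The leftover-copy problem above (and the Word temporary-copy behaviour the Kaspersky section describes) can at least be checked for. The following is an added example, not code from the reviewed programs: it simulates an editor that leaves a save-time temp copy and an autosave behind, "encrypts" the original with a toy XOR keystream, deletes it, then scans the working directory for files that still contain a marker only the plaintext has, and finally overwrites and unlinks them. The file names, the `CONFIDENTIAL` marker and the directory layout are constructed.

```python
import hashlib
import os
import tempfile

MARKER = b"CONFIDENTIAL"  # constructed: a string that only the plaintext contains


def keystream(key: bytes, counter: int) -> bytes:
    return hashlib.sha256(key + counter.to_bytes(8, "big")).digest()


def toy_encrypt_file(src: str, dst: str, key: bytes) -> None:
    """Encrypt src into dst with a toy XOR keystream (stand-in for the real archiver or cipher)."""
    with open(src, "rb") as f, open(dst, "wb") as out:
        counter = 0
        while chunk := f.read(32):
            out.write(bytes(a ^ b for a, b in zip(chunk, keystream(key, counter))))
            counter += 1


def find_plaintext_copies(root: str, marker: bytes) -> list:
    """Walk root and report every file that still contains the marker in the clear."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if marker in f.read():
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def overwrite_and_delete(path: str) -> None:
    """Best-effort wipe: overwrite once, then unlink. Not reliable on SSDs or on journaling and
    copy-on-write file systems, where the old blocks can survive the overwrite."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)


def simulate_edit_then_encrypt(workdir: str) -> tuple:
    """Returns (plaintext copies found after the user 'encrypted and deleted' the document,
    plaintext copies found after the cleanup step)."""
    os.makedirs(os.path.join(workdir, "Temp"))
    doc = os.path.join(workdir, "report.docx")
    body = b"Q3 figures " + MARKER + b" do not distribute\n"
    with open(doc, "wb") as f:
        f.write(body)
    # What an editor can leave behind: the save-time temp copy next to the document and an
    # autosave in a temp folder (constructed names, same plaintext).
    for leftover in ("~WRL0001.tmp", os.path.join("Temp", "report.docx.autosave")):
        with open(os.path.join(workdir, leftover), "wb") as f:
            f.write(body)
    toy_encrypt_file(doc, doc + ".enc", key=b"\x05" * 16)
    os.remove(doc)  # the user "deleted the original" and believes only the .enc remains
    before = find_plaintext_copies(workdir, MARKER)
    for rel in before:
        overwrite_and_delete(os.path.join(workdir, rel))
    after = find_plaintext_copies(workdir, MARKER)
    return before, after


def run_demo() -> tuple:
    with tempfile.TemporaryDirectory() as d:
        return simulate_edit_then_encrypt(d)


if __name__ == "__main__":
    before, after = run_demo()
    print("plaintext copies left after encrypting:", before)  # ['Temp/report.docx.autosave', '~WRL0001.tmp']
    print("after overwrite-and-delete:            ", after)   # []
```

The scan is only as good as the marker and the directories it walks: swap and hibernation files are outside any user directory, which is why full disk encryption, not a file encryptor plus a cleanup script, is the answer when those matter.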

  1. The fact that an encryption program "works" does not mean it is secure. New encryption utilities often appear after "someone" reads Applied Cryptography, picks an algorithm and starts developing. Perhaps "someone" even uses verified open source code, builds a user interface, checks that it works, and thinks the job is done. It is not: such a program is likely to be full of fatal bugs. As Bruce Schneier wrote in Security Pitfalls in Cryptography: "Functionality does not equal quality, and no amount of beta testing will ever reveal a security flaw. Too many products are merely buzzword compliant; they use secure cryptography, but they are not secure."
  2. Using encryption is not sufficient to ensure the security of your data. There are many ways to bypass the protection, so if your data is "very secret" you need to think about other protective measures as well. As a starting point for further reading, see the article on the risks of using cryptographic software.

An overview of file and folder encryption programs

TrueCrypt was once the best program in this category, and it is still one of the best, but it no longer belongs here, since it is based on working with virtual disks.

Most, if not all, of the programs described below expose the user to the non-obvious threats described in point 1 of the caveats above. TrueCrypt, which works with partitions rather than with individual files and folders, does not expose users to this vulnerability.

Sophos Free Encryption is no longer available.

Related products and links


Alternative products:

  • SafeHouse Explorer is a simple, free program, light enough to be used easily from USB drives. Well-prepared videos and user manuals are available on its website.
  • Rohos Mini Drive is a portable program that creates a hidden, encrypted partition on a USB drive.
  • FreeOTFE (from the review of virtual disk encryption utilities) performs on-the-fly disk encryption. It can be adapted for portable use.
  • FreeOTFE Explorer is a simpler variant of FreeOTFE. It does not require administrator rights.
  • Pismo File Mount Audit Package is a file system extension that gives access to special encrypted files (via the Windows Explorer context menu), which in turn give access to encrypted folders. Applications can write directly into these folders, so plaintext copies of the original document are not left on the hard drive.
  • 7-Zip is a powerful archiver that provides 256-bit AES encryption for the *.7z and *.zip formats. However, Pismo is the better solution, because it avoids the problem of unencrypted versions of files being left behind.

Quick Selection Guide (download programs for encrypting files and folders)

AxCrypt

Integrates with the Windows Explorer context menu. AxCrypt makes opening, editing and saving encrypted files as easy as working with unencrypted ones. Use this product if you need to work with encrypted files frequently.
The installer bundles OpenCandy (additional third-party software). You can decline to install it, but then you have to register on the website.

The principle of modern cryptographic protection is not to create encryption that cannot be broken (that is practically impossible), but to raise the cost of cryptanalysis.
That is, knowing the encryption algorithm but not the key, an attacker should need millions of years to decrypt the data, or at least as long as it takes for the information to lose its relevance (as we know, information stops mattering after the death of your loved ones and of yourself). Here complexity conflicts with convenience: with the key in hand, data must be encrypted and decrypted quickly enough. The programs in today's review on the whole satisfy both criteria: they are simple to operate while using reasonably robust algorithms.

We start with a program that in itself deserves a separate article or a series of articles. Already during installation I was surprised by the additional option of creating a decoy operating system. Immediately after the installation wizard finished, DriveCrypt suggested creating a key store. Any file can serve as the store: a document, a picture, an mp3. After the path to the store is given, we enter passwords, of which there are two kinds: master and user. They differ in access to the DCPP settings: a user cannot change anything, only view the preset settings. Each kind can have two or more passwords. Access to the protected data itself can be granted by either the master password or a user password.

Before encrypting any disks, check that boot protection is installed correctly. Be careful: if you skip this check and encrypt the disk immediately, it may become impossible to restore its contents. After the check you can proceed to encrypting the disk or partition: select Disk Drives and click Encrypt. The Disk Encryption Wizard asks you to select a key from the store; the disk will be encrypted with this key and the same key will be needed for all further work with the disk. Once the key is selected, encryption starts. The process is quite long: depending on the size of the disk or partition, it can take several hours.

All of this is fairly simple and standard. Working with a decoy OS is far more interesting. We format a partition on the hard drive as FAT32 (rumors of this file system's death seem greatly exaggerated), install Windows, and install DriveCrypt. The decoy operating system should look like a working system in constant use. Once the hidden operating system has been created, it is extremely dangerous to boot into and work in the decoy system, because data in the hidden system may be corrupted. After dropping some junk into the decoy system, we create a new key store, log into DCPP, switch to the Drives tab, select the partition where the decoy system is installed and click HiddenOS. A settings window opens. Everything is simple here: specify the path to the newly created store, the passwords, the label of the hidden disk, its file system, and the amount of free space that will separate the decoy operating system from the hidden one. After clicking Create Hidden OS, the hidden partition is created and the entire contents of the system partition are copied into it. The hidden partition begins the specified amount of free space after the end of the decoy partition. Reboot and log in with the passwords specified when the hidden partition was created. The contents of the decoy OS are not visible while working in the hidden OS, and vice versa: from the decoy system the hidden OS is invisible. Thus only the password entered at power-on determines which operating system boots. After the hidden OS has been created, log into it and encrypt its system partition.

With DriveCrypt you can encrypt any hard drive or removable medium (except CDs and DVDs) and use it to exchange data between users. A definite plus of exchanging data on a fully encrypted medium is that no files can be detected on it: the medium looks unformatted. Even knowing that the medium is encrypted, without the key the data cannot be read.

DriveCrypt encrypts an entire disk or partition, hiding not just important data but the whole contents of the disk or partition, operating system included. Unfortunately, this level of security comes at the price of a noticeable drop in file system performance.

Files Cipher. Here we meet a rather original encryption algorithm with a private key 4 to 255 characters long, developed by the program's authors. (From a security standpoint, a home-grown algorithm that has had no public cryptanalysis is a warning sign rather than a feature; see the Schneier quote above.) The key is not stored inside the encrypted file, which reduces the chance of breaking it. The program's principle is simple: indicate the files or folders to encrypt, and the program prompts for the key. For extra reliability the key can be entered not only from the keyboard but also from a special panel, shamelessly borrowed from MS Word (Insert > Symbol). After the password is confirmed, the program encrypts the file and gives it the *.shr extension.

Files Cipher can compress encrypted files with a built-in archiving algorithm, and after encryption the original file can be permanently deleted from the hard drive.
The program works with files of any type and supports files larger than 4 GB (on NTFS). Its system requirements are very modest, and unlike the previous program it consumes practically no resources.

PGP implements both public-key and proven symmetric encryption: AES with keys up to 256 bits, CAST, TripleDES, IDEA and Twofish. Encryption keys are managed in PGP Keys, a window that lists the user's own keys and the public keys added to the list. The PGP Disk encryption module works... how to put it? Elementary. Again we create a key store file (I call mine Keys) and enter passwords. When specifying a password, a strength (quality) indicator is shown, which clearly demonstrates the value of complex passwords: for example, the strength of a password of eight digits is roughly equal to that of six letters, or of four characters containing one special character (an exclamation point) and three letters.

I also liked that the developers thought about ICQ: after installation a special icon appears in the ICQ window with which session protection is turned on.

As for the most painful issue, information leakage through the swap file, the authors themselves admit that they could not fully close this channel because of how the operating system works. On the other hand, measures are taken to reduce the threat: all important data is kept in memory no longer than necessary, and once an operation completes all critical information is wiped from memory. So this vulnerability exists, and to eliminate it you must either disable virtual memory (which can noticeably degrade the OS) or take additional protective measures, such as encrypting the swap file or the entire system drive.
