Free Encryption Software for X64 needed

Hey guys,
I'm looking for a free and simple encryption program to use on my new machine. I was using Kruptos 2 on my XP machine, but it doesn't work in Vista X64. Is there ANTYHING good our there? I've looked for about an hour and a half without success. I don't want a trial offer. ANY help you could provide would be GREATLY appreciated.


Thank you,
-Rich

Ummm,

Have you tried EFS encryption? Its part of Vista. You can encrypt entire folders and external drive folders with it, and Use Vista's file backup utility to back up the encrypted folders/files to an NFTS formated drive or disk.

I have Bitlocker, but I just use EFS to encrypt my "Documents" folder. Since this is where I keep sensitive data (in event computer is lost or stolen. I recommend Using a strong Alpha/Numeric Password for your User acct too. EFS is useless If they can access the User account that set the encryption.

If you want to secure your User data, just encrypt the Users folder (click your C: drive that Windows is on), and whatever you do, do not leave the EFS Recovery certificate on your computer. Store it on a password protected usb thumbdrive. If you suffer hard drive failure, data corruption, and that certificate is lost so is all the data encrypted with it.

I think EFS is insecure...does the Build-in admin account not have an override encryption key? Even if he doesn't they could still crack the password hash and get the password to access the data. If you need protection against people who actually know what they are doing use truecrypt.

I usually use a 60-200 character password. I have highly sensitive data on my hard disks though. Usernames and passwords for most of my friends and family so my encryption is nessecary.

   Warning

There is no point in encrypting data is you do not have a strong password.

www.truecrypt.org/

Rive0108's EFS method is good...but it will not keep out a hacker. It will most likely stop a noob but a pro hacker would crack it in minutes, hours tops.

Good Luck

Why do you think EFS is insecure?

H2SO4 said:

Why do you think EFS is insecure?

Click to expand...

I have accessed "secure" files before that were protected by it. Its a joke.

I do try to break computer security as a hobby but EFS is not supposed to keep out a hacker, a theft maybe but not a pro. If it was...it needs to be redesigned.

Im not saying im a pro but if I can break it then a pro could do it with ease.

How exactly did you break it? Where is the "vuln"?

H2SO4 said:

How exactly did you break it? Where is the "vuln"?

Click to expand...

I PMed you what i wrote here, I don't want to be giving thieves any ideas...

H2SO4 said:

How exactly did you break it? Where is the "vuln"?

Click to expand...

Fmjc001 said:

H2SO4 said:

How exactly did you break it? Where is the "vuln"?

Click to expand...

Well it encrypts it with the users password. All you have to do is boot to a linux disk, make yourself an admin account, crack the accounts password hash and logon. Its not hard.

Click to expand...

EFS in Vista Uses AES encryption
In Windows Vista and in Windows Server 2008, EFS uses the AES algorithm with 256-bit keys. If you enable this setting, AES-256 will be used.
http://support.microsoft.com/kb/811833

You are really not cracking the encryption, just a weak user password that uses a transparent EFS key layer for the log-in Amin account that created it. This can be addressed with a stronger password being used.

EFS is designed to protect the privacy of sensitive data. Besides the user who encrypts a file, only designated recovery agent personnel can decrypt it. Other system accounts that have permissions for that file — even the Take Ownership permission — cannot open the file without the encryptor's private key.

EFS is especially useful for securing sensitive data on computers shared by several users and on portable computers. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of access control lists (ACLs) In a shared system, access can be gained by starting up a different operating system. With a portable computer, a thief might take only a moment to steal it. The thief can then remove the hard disk drive, plug the hard disk drive into another computer, and read the files. EFS files, however, appear as unintelligible characters when the thief does not have the decryption key.

If the account that created the encryption has a weak password, then it can be circumvented by simply logging into the account. that why a strong alpha/numeric password ir required (i.e., 0b319SReQQCx84bv)

rive0108 said:

Fmjc001 said:

H2SO4 said:

How exactly did you break it? Where is the "vuln"?

Click to expand...

Well it encrypts it with the users password. All you have to do is boot to a linux disk, make yourself an admin account, crack the accounts password hash and logon. Its not hard.

Click to expand...

EFS in Vista Uses AES encyrption
In Windows Vista and in Windows Server 2008, EFS uses the AES algorithm with 256-bit keys. If you enable this setting, AES-256 will be used.

If the account that created the encryption has a weak password, then it can be circumvented by simply logging into the account. that why a strong alpha/numeric password ir required (i.e., 0b319SReQQCx)

Click to expand...

Thats well and good, but cracking the users password hash and logging on without changing their password will allow you to access the file.

And when you can crack hashs pretty fast i dont see a problem.

However!

Using a smart card to store the encryption cert and making it require your PIN each time would definitely slow down the cracking process if not stop it completely.

All im saying is...if your protecting something that is very important you should not use EFS. In my personal opinion its not secure enough. Maybe im wrong, but i wouldn't use it for protecting usernames, passwords or credit card details etc.

Although chances are, anyone who steals your laptop wont have the skills to access the files

You search the web and learn quickly

Also, even a moderately strong password will put off casual cracking attempts. If you actually managed to brute force someone's password, it's because they used an unacceptably weak password. Good luck with the password complexity enforced by knowledgeable corporate domain admins.

LM Hash

Windows Vista and Windows Server 2008 still include support for the LM hash, although it is now disabled by default; the feature can be enabled for local accounts via a security policy setting, and for Active Directory accounts by applying the same setting to domain controllers. The same method can be used to turn the feature off in Windows 2000, Windows XP and NT.[4]

Users can also prevent a LM hash from being generated for their password by using a password at least 15 characters in length.

a strong alpha/numeric password ir required (i.e., 0b319SReQQCx84bv)

H2SO4 said:

You search the web and learn quickly

Click to expand...

What do you mean?

And also with enough time and the right resources any password can be cracked.

rive0108 said:

LM Hash

Windows Vista and Windows Server 2008 still include support for the LM hash, although it is now disabled by default; the feature can be enabled for local accounts via a security policy setting, and for Active Directory accounts by applying the same setting to domain controllers. The same method can be used to turn the feature off in Windows 2000, Windows XP and NT.[4]

Users can also prevent a LM hash from being generated for their password by using a password at least 15 characters in length.

Click to expand...

And what about cracking the password hash from the cache?

Fmjc001 said:

H2SO4 said:

You search the web and learn quickly

Click to expand...

What do you mean?

And also with enough time and the right resources any password can be cracked.

rive0108 said:

LM Hash

Windows Vista and Windows Server 2008 still include support for the LM hash, although it is now disabled by default; the feature can be enabled for local accounts via a security policy setting, and for Active Directory accounts by applying the same setting to domain controllers. The same method can be used to turn the feature off in Windows 2000, Windows XP and NT.[4]

Users can also prevent a LM hash from being generated for their password by using a password at least 15 characters in length.

Click to expand...

And what about cracking the password hash from the cache?

Click to expand...

Are you refering to EFS or User Password cache?

Oh sure, there are any number of ways to lower the level of security on a domain, including re-enabling LM hash, specifying the use of NTLMv1 (instead of v2), configuring the use of NTLM instead of Kerberos for services like intranet HTTPDs, or even enabling the storage of reversibly-encrypted passwords on DCs through policy, commonly necessitated by the use of CHAP somewhere on the edges.

Any of those will significantly lower domain security. Putting "Everyone" in the Enterprise Admins group, activating the Guest account, and setting RestrictAnonymous=0 would complete the slide into anarchy

The point is that these things simply do not happen on properly managed domains. To paraphrase Fmjc001's description of the "EFS vuln": "if you use a weak password I can crack your system." Nothing new there.

rive0108 said:

Fmjc001 said:

H2SO4 said:

You search the web and learn quickly

Click to expand...

What do you mean?

And also with enough time and the right resources any password can be cracked.

rive0108 said:

LM Hash

Windows Vista and Windows Server 2008 still include support for the LM hash, although it is now disabled by default; the feature can be enabled for local accounts via a security policy setting, and for Active Directory accounts by applying the same setting to domain controllers. The same method can be used to turn the feature off in Windows 2000, Windows XP and NT.[4]

Users can also prevent a LM hash from being generated for their password by using a password at least 15 characters in length.

Click to expand...

And what about cracking the password hash from the cache?

Click to expand...

Are you refering to EFS or User Password cache?

Click to expand...

As far as i know...when a user logs on it caches their pass incase it cannot connect the DC for authentication. Getting that cache and cracking it would give you their password and access to their files...or am i mistaken?

H2SO4 said:

Oh sure, there are any number of ways to lower the level of security on a domain, including re-enabling LM hash, specifying the use of NTLMv1 (instead of v2), configuring the use of NTLM instead of Kerberos for services like intranet HTTPDs, or even enabling the storage of reversibly-encrypted passwords on DCs through policy, commonly necessitated by the use of CHAP somewhere on the edges.

Any of those will significantly lower domain security. Putting "Everyone" in the Enterprise Admins group, activating the Guest account, and setting RestrictAnonymous=0 would complete the slide into anarchy

The point is that these things simply do not happen on properly managed domains. To paraphrase Fmjc001's description of the "EFS vuln": "if you use a weak password I can crack your system." Nothing new there.

Click to expand...

Very funny

But all i am saying is, there are lots of ways to get a users windows password to use to access their files. Personally I would never use EFS.

You wouldn't be cracking any strong passwords. That's in no way a dig at you or your hardware, merely a statement of confidence in the current encryption standards. If you do know of a way to crack strong passwords, then you've found a vuln in the algorithm and you should report it to the relevant authorities. Seriously.

And if you can crack certs and assymmetric crypto in general, then the RSA stock price will plummet and Fmjc001.com will likely take their place

The issue with a good User passsword and Linux-

Files encrypted with EFS can only be decrypted by using the RSA private key(s) matching the previously-used public key(s). The stored copy of the user's private key is ultimately protected by the user's logon password. Accessing encrypted files from outside Windows with other operating systems (Linux, for example, or even another instance of Windows) is not possible — not least of which because there is currently no third party EFS component driver. Further, using special tools to reset the user's login password will render it impossible to decrypt the user's private key and thus useless for gaining access to the user's encrypted files. The significance of this is occasionally lost on users, resulting in data loss if a user forgets his or her password, or fails to back up the encryption key. This led to coining of the term "delayed recycle bin", to describe the seeming inevitability of data loss if an inexperienced user encrypts his or her files.

And as for the cache- Using bitlocker with a tpm chip, effectively counters any such vulnerability.

H2SO4 said:

You wouldn't be cracking any strong passwords. That's in no way a dig at you or your hardware, merely a statement of confidence in the current encryption standards. If you do know of a way to crack strong passwords, then you've found a vuln in the algorithm and you should report it to the relevant authorities. Seriously.

And if you can crack certs and assymmetric crypto in general, then the RSA stock price will plummet and Fmjc001.com will likely take their place

Click to expand...

Well I managed to crack a 36 character passphrase, upper case, lowercase, numbers and symbols in a few days. I dont know if thats good to you but I was rather happy with myself lol.

Can I also just add, we are talking about EFS...no TPM and no BitLocker because then its not just EFS anymore. Ok, so maybe its not as easy as I make out to access the EFS encrypted files. But I think its that hard. That might just be me. Maybe one day i wont be able to do it but who knows...