I'm looking for an alternative for a group of small laptop users and encryption for Windows XP. Vista isn't an option so BitLocker won't be available. Whole disk encryption seems overly expensive to implement and is a performance hit.
Assuming I set certain parameters such as: limiting users to regular users (not admins) and limiting folder write permissions so their files only go to Documents and Settings. Also setting a strong and long password for the local Administrator and enforcing strong user passwords. Would Windows file encryption for the Documents and Settings folder be sufficient to keep data safe in case the laptop were stolen?
My understanding is that files encrypted via folder encryption remain encrypted and unable to be opened even if a hacker resets a user's password or the admin password.
Users are also part of a Windows 2003 domain. There are no local users other than the built-in admin password.
-
TrueCrypt is nice. I suggest you back up before you start encrypting your HD tho.
http://www.truecrypt.org/ -
you beat me to it
-
I think using an independent encryption programme will always be better.
There is one problem however:
An article from the New York Times.
Encryption keys reside in the RAM memory of a laptop - thus, if you can read the RAM once you logged on, the encryption key can be extracted.
Problem 1: You can't read RAM on the laptop with the encryption - thus you need to transfer the RAM module after boot-up from one computer to another.
How do you retain the data?
You freeze the RAM module - the colder, the longer it retains the data it was supposed to lose after the power supply was cut...
What does this mean:
If someone is desperate it is impossible to truly secure data on a laptop. -
Windows EFS is available for Win XP Pro which is OK in a corporate environment, but TrueCrypt is probably the way to go. Read up on its documentation and see if it's right for you; based on what you wrote I think it is.
Just make sure you have a good backup policy, particularly for encryption keys. -
I already looked into TrueCrypt, it has its limitations with integration and it really won't work for me.
Bottom line, if I keep a rule that all data that needs to be safe is encrypted with EFS and assume the thief doesn't do the RAM trick, is EFS enough? -
If you make a rule, your users will break it. Especially for a small group of laptop users, you should just upgrade them to encrypted drives. It's going to be much less of your time spent getting it done, it won't get in the way of your users, and you won't have to remind them of where to put sensitive data because everything is encrypted (and there's no speed penalty. I'm using one now).
-
AxCrypt is a good one.
-
Safety File encryption
Discussion in 'Windows OS and Software' started by hceuterpe, Feb 19, 2009.