Are you ready for Windows 10 encryption strategies that you can implement in your organization to secure your data?
If so, you’ll love this article.
It’s a complete guide to encryption methodologies.
Everything you need to know to drastically improve the security of your computers.
Let’s get started:
Using Full Disk Encryption
The Trusted Platform Module (TPM)
File & Folder Encryption
Corporate Encryption Strategies
Third Party Encryption Tools
When you hear about encryption or cryptography, you probably immediately think about mathematicians working complex math problems, right?
So, while that’s one component of encryption, the secret sharing of information isn’t so complex.
People have been doing it for millennia.
Let’s take a look at the basic concepts of encryption.
Windows 10 encryption techniques are far from the first encryption people have seen.
People have been practicing secret writing and communication methodologies for thousands of years.
Brief encryption history
While we know that encryption has probably existed since the beginning of time, one of the earliest historical proofs we have of encryption technology is the skytale.
This was a secret communication device used by the Spartans around 600 BC.
In this case, the “key” was the diameter of the rod and a marked starting point.
Then, around 60 BC, the Romans began using substitution ciphers, where letters are substituted based on a key.
A becomes D, B becomes E, etc.
Substitution is the most basic concept of cryptography algorithms that we use today.
Finally, around 1945, Claude Shannon invented the “mathematical theory of cryptography” in which he explained that the only thing that had to be secret in secure algorithms was the key.
This, among other aspects of his theory, became the basis for the DES algorithm, and all of the encryption algorithms that we still use today.
Protect encryption keys like your life
When you are planning and building a Windows 10 encryption plan for your business, you need to keep one thing in mind:
Protect encryption keys with your life!
If they are compromised, all of your encrypting labor is in vain.
What’s so valuable about encryption keys?
They are literally the “keys to the kingdom” when it comes to encryption.
Modern encryption algorithms
As computer processing power is constantly improving, encryption algorithms that were once considered secure eventually are broken and retired.
Because of this, the accepted encryption algorithms change.
The algorithms that Windows 10 Encryption tools and processes use usually stay up with industry standards pretty well and you don’t even have to worry about them.
However, because you can select different key lengths and other options, it’s important that you understand the algorithms at least partially.
Windows 10 encryption with AES
AES is probably the most common encryption algorithm in use today.
Back in the 70s, computers didn’t have near the computing power that they do today.
IBM developed an encryption algorithm they called the Data Encryption Standard (DES).
With some modifications, it was the industry standard for nearly two decades.
During the 90s, after DES was broken, AES was developed and since then has remained the standard.
The native Windows 10 encryption tool – BitLocker – uses the AES standard.
Users are able to choose between 128 and 256-bit key length.
If you are using a third-party encryption software tool, you may have additional options.
Some of the most common and trusted are 3DES, Skipjack and a few foreign created ones.
Full Disk Encryption
Do you want to be certain that the data on your hard drive is actually protected?
Maybe because you have confidential information on there that you don’t want to be exposed?
Then one of your best options for securing that data is full disk encryption.
And that is what this section is all about.
We’re going to show you how Full Disk Encryption works
And how you can use it to secure your Windows 10 computer.
How full disk encryption works
So, there are a couple of Windows 10 encryption approaches that you can take.
You can either encrypt the entire hard drive, or you can encrypt files, folders and shares.
Right now, let’s look at the first method – full disk encryption.
So, how does Windows 10 full disk encryption work?
Basically, everything on the hard drive is encrypted – including the operating system. When the machine boots, control goes to a decryption prompt instead of to the OS. Once the user enters the key, the key is used to decrypt the drive and load the operating system. The decryption key stays in memory.
That’s the short version.
Now, let’s make sure you have a thorough understanding of what is happening.
Windows 10 encryption problems can be a real ordeal to resolve if you don’t.
The operating system on your hard drive is stored in parts.
This is to enable safe booting and the ability to recover if something goes wrong.
Basically, there are four components in this process:
the BIOS, which handles the initial start-up; the Master Boot Record (MBR); the active storage partition; and the boot loader.
On an unencrypted computer, when BIOS starts, it calls the Master Boot Record and the operating system is loaded.
The process is different on an encrypted drive.
Making all of the data on the hard drive unable to be read is the whole point in encryption, right?
If you took an encrypted hard drive out of a computer and tried to read it, it would be worthless.
Then, how does the operating system work?
At that initial boot, the encryption process tells BIOS to decrypt before it loads anything else.
So, instead of loading the MBR, the user is prompted for a decryption key.
Once entered, the drive is decrypted and the operating system is able to be loaded.
The drawback to this is that the key must be kept in memory to decrypt items as they are needed.
If your computer were to be stolen while it is on, the key can be obtained.
Especially if the user is logged in.
Enabling full disk encryption with Bitlocker on Windows 10
The Windows encryption tool – BitLocker – comes natively with the operating system.
In this section, we’ll look at a guide on setting it up for disk encryption.
Pre setup checklist
- To use Bitlocker, you must have Windows 10 Pro or Windows 10 Enterprise installed.
- The encryption process works better if your device has a Trusted Platform Module (TPM) chip.
- If your PC doesn’t have a TPM, you will need to use software-based encryption.
- Check that your computer’s BIOS supports TPM and/or USB devices during setup. If not, you may need to upgrade the BIOS firmware first.
- The hard drive in your computer will need two partitions: the system partition and the operating system partition. The drive also needs to be formatted with the NTFS file system.
- Keep your computer connected to a power supply during the encryption process as it can take a while depending on how much data you have.
Turning on BitLocker on the operating system drive
Open Control Panel
Select the Systems and Security Category option
Choose BitLocker Drive Encryption
Choose Turn on BitLocker
You need to choose how you want to unlock your computer during startup. There are two options. You can insert a USB flash drive (Something like a Yubikey with access codes on it) or you can enter a password. While using a Yubikey or other USB drive is definitely a more secure option, we will choose the password method for this demo.
Now, enter the password that you want to use to unlock Windows 10 when you start it. This password becomes the encryption key. So, choose a strong one. Select Next.
You will be presented with several options for backing up your recovery keys. They are:
Saving to your Microsoft Account
Saving to a USB Flash Drive
Saving to a File
Choose the option that you are most comfortable with. (I like to save to a file and then put that file into my password manager. Something like LastPass). Select Next
Now, you will be asked to choose how to encrypt your drive – encrypting used space only or encrypting the entire drive.
People sometimes ask:
How secure is encrypting used space only?
That really depends on your particular scenario. If you have previously deleted confidential files from the device that could potentially be recovered by other tools, then you’ll want to choose to encrypt the entire drive. If it’s a new PC, encrypting used space only will be sufficient.
Similarly, you’ll be presented with the options of new encryption mode or compatible mode.
What’s the difference in BitLocker new encryption mode and compatible encryption mode?
The new encryption mode was introduced in Windows 10 version 1511 and uses the XTS-AES algorithm that has some additional integrity measures. Compatible encryption mode uses the traditional AES-CBC encryption mode.
Run the Bitlocker System Check
Restart your computer to begin encrypting the drive.
You will be prompted for your BitLocker passcode (or USB key) at boot.
The encryption process will take some time.
If you go to Control Panel > System and Security > Bitlocker Drive Encryption, you can check the status.
The icon will show BitLocker on when the encryption process is complete.
And there you have a fully encrypted Windows 10 hard drive.
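The same setup from an elevated PowerShell session, as an added example that is not part of the original article: it runs the pre-setup TPM check, turns on BitLocker with the new encryption mode, and saves the recovery password. It assumes the BitLocker and TrustedPlatformModule modules that ship with Windows 10 Pro/Enterprise; the backup path is a placeholder, and the no-TPM branch needs the “Allow BitLocker without a compatible TPM” Group Policy setting.

```powershell
# Added example (not from the original article): enable BitLocker on the OS
# drive from PowerShell instead of the Control Panel wizard.
#Requires -RunAsAdministrator

$OsDrive   = "C:"
$BackupDir = "D:\bitlocker-backup"   # placeholder: removable media, never the OS drive

# 1. Is the drive already protected? Don't run the setup twice.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$OsDrive is already protected ($($vol.EncryptionMethod))"
    return
}

# 2. Pre-setup checklist item: is there a usable TPM?
$tpm    = Get-Tpm
$useTpm = $tpm.TpmPresent -and $tpm.TpmReady

# 3. Turn on encryption. XtsAes256 is the "new encryption mode";
#    -UsedSpaceOnly is the faster choice for a fresh PC.
$common = @{
    MountPoint       = $OsDrive
    EncryptionMethod = 'XtsAes256'
    UsedSpaceOnly    = $true
    SkipHardwareTest = $true   # remove this to keep the wizard's system check
}
if ($useTpm) {
    Enable-BitLocker @common -TpmProtector
} else {
    # No TPM: fall back to the startup password the wizard demo uses
    # (assumes the "Allow BitLocker without a compatible TPM" policy is set).
    $pw = Read-Host -AsSecureString -Prompt "Startup password"
    Enable-BitLocker @common -PasswordProtector -Password $pw
}

# 4. Add the 48-digit recovery password and save it, the "Save to a file"
#    option from the wizard. Move that file into your password manager.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$recovery | Select-Object KeyProtectorId, RecoveryPassword |
    Export-Csv -Path (Join-Path $BackupDir "$env:COMPUTERNAME-recovery.csv") -NoTypeInformation

# 5. Status check: the same information the Control Panel icon shows.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
                  EncryptionMethod, EncryptionPercentage
```

Encryption continues in the background after the reboot; re-run the last command until VolumeStatus reads FullyEncrypted.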
The Trusted Platform Module (TPM)
You have heard of multi-factor authentication, right?
If you’re a security-conscious person, you probably enable it everywhere you can.
But did you know you can add MFA to your Windows 10 encryption strategy?
By using the Trusted Platform Module
Let’s look at how you can make your device really secure.
Using TPM technology in your Windows 10 encryption strategy
Most modern laptops and computers have the ability to use Trusted Platform Module (TPM) technology in the encryption process.
One of the initiatives for Windows 10 encryption capabilities is to enable the component globally.
What exactly does the TPM chip do?
The TPM (Trusted Platform Module) chip is a cryptographic module on computer motherboards that adds security capabilities. It can be used to store encryption keys securely and provide them to the user or application when needed. One big benefit is that its storage is inaccessible to the rest of the computer and it constantly verifies integrity.
There are two basic methods for the encryption of data – hardware encryption and software.
TPM is a hardware component that can be useful for securely using software encryption tools.
It can be used to store cryptographic keys.
One of the benefits of using TPM actually is that you can store multiple keys – unlike USB keys where you can only store one.
This eliminates the need to keep multiple keys.
The stored cryptographic keys will be encrypted by the TPM.
Part of the key used to encrypt them will be stored in a special component of the TPM that is not accessible by any part of the computer.
TPM chips also have integrity checks that check whether someone is attempting to tamper with it.
If it senses a dictionary attack, for example, the chip will go into a secure “lock-down” mode.
How Windows 10 encryption processes use the TPM
A couple of years ago, Microsoft made sweeping changes to the security in Windows 10.
One of those changes was an increased ability to use TPM chips.
Windows has a special cryptography framework called the Cryptographic API: Next Generation (CNG).
This component’s job is to handle different encryption algorithms while keeping a common API.
That way, processes within the operating system can use the encryption algorithms without knowing how they are implemented.
Do you know why?
It’s an extra layer of security.
Platform Crypto Provider is the official name for this capability.
There are a few really beneficial results of using the Platform Crypto Provider.
We’ll discuss this later, but one risk with using disk encryption is that the keys have to be in memory for the operating system to be able to decrypt files as they are needed.
Why is that such a risk?
Well, many varieties of malware are able to steal these encryption keys right from memory.
That is what the key protection capability of Platform Crypto Provider resolves.
The Platform Crypto Provider allows all of those processes to use the decryption keys from within the TPM’s protected “environment.”
That way, the keys are never copied to memory.
Dictionary Attack Prevention
If you’ve ever done any pen testing or hacking you know that brute force and dictionary attacks are easy to carry out.
With enough time and computational power, a determined attacker can break just about anything.
Using the Platform Crypto Provider within TPM mitigates this risk for Windows 10 encryption keys.
When the TPM receives a bunch of guesses on an encryption key PIN, it will simply return an error message and not allow any more guesses.
You may be thinking:
Any software encryption tool can do that.
But because the TPM is handled completely separately from the OS disk, it will remember the locked-out user even after a reboot.
There’s one more really important way that TPMs can strengthen Windows 10 encryption strategies, but we’ll have to wait until a later section.
For now, let’s move on to file and folder encryption.
File and Folder Encryption
Handling the protection and encryption of a device can be hard when multiple people share it.
Maybe, there are files that you want some people to access and not others.
What’s the solution?
Use a file and folder encryption approach.
That way, you have much more control over the granularity of file access.
Let’s see how you can implement this today!
How file and folder encryption works in Windows 10
As we previously discussed, one Windows 10 encryption method is to encrypt the entire drive.
This works great in cases like when an employee forgets their laptop at the airport or in the back of the Uber.
However, once the computer is booted and the encryption keys are in memory, it is very easy for an attacker to gain access to files.
File and folder level encryption addresses this issue.
As the name states, file and folder encryption encrypts individual files and folders instead of the entire disk.
Traditionally, this has been more difficult to manage as it requires a unique encryption key for every file and folder.
Recent encryption tool improvements have made this easier.
One thing to keep in mind is that, for the most part, the metadata of encrypted files and folders is not encrypted.
You can still see the name of an encrypted file in Windows, for example.
There are advantages and disadvantages to file encryption.
Let’s look at some.
File encryption vs disk encryption
When choosing the right encryption approach for your organization or personal systems, there are considerations that you should take.
Encryption isn’t a simple process.
There are multiple ways of doing it.
While we mostly discuss file level encryption and full disk encryption in this article, there are a few other types of encryption – database encryption and application encryption.
If we think of all of these encryption methods like a stack, we can gain a unique understanding.
In the stack, the lowest level encryption is on the bottom.
The lower in the stack that an encryption method is, the less it will affect the end users.
At the same time, the encryption method can address a smaller range of threats.
So, when developing an encryption plan, you should carefully consider the data to be encrypted and the attack risks that you want to mitigate.
Then, you can choose the method of encryption that works best.
Sometimes, this includes a hybridization of methods.
Tutorial: Using the Native Windows 10 encryption tools for files and folders
The native Windows 10 encryption tool for files and folders is EFS – Encrypting File System.
EFS allows you to encrypt folders and files that already exist on your computer.
Nothing will be changed in the way that you access those files.
Simply boot as normal.
Here’s how to implement EFS:
1. Right-click on the file or folder that you want to encrypt and choose Properties
2. Choose the advanced tab
3. Choose Encrypt contents to secure data
4. Choose how you want to encrypt the folder. You can just encrypt the top folder, or you can encrypt all of the sub folders and files. The latter is obviously more secure.
5. Be sure to back up your encryption key while the popup message appears. Otherwise, you’ll have to start over.
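The same EFS steps from PowerShell, as an added example that is not part of the original article: it encrypts a folder and its contents, verifies the NTFS encrypted attribute, shows the unencrypted-metadata caveat, and backs up the EFS certificate and key. It assumes an NTFS volume and uses the built-in cipher.exe; both paths and the sample file are constructed placeholders.

```powershell
# Added example (not from the original article): EFS from the command line.
$Folder    = "$env:USERPROFILE\Documents\Confidential"   # placeholder
$BackupPfx = "D:\efs-backup\$env:USERNAME-efs"            # placeholder; .pfx is appended

# Constructed sample data so the script can be run end to end.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Set-Content -Path (Join-Path $Folder "notes.txt") -Value "sample content"

# 1. Encrypt the folder and everything already inside it (the "apply to
#    subfolders and files" choice from the Properties dialog).
#    /e = encrypt, /s = recurse into the directory tree.
cipher.exe /e /s:"$Folder" | Out-Null

# 2. Verify via the NTFS attribute rather than trusting Explorer's colouring.
function Test-EfsEncrypted([string]$Path) {
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return ($attr -band [IO.FileAttributes]::Encrypted) -ne 0
}
Get-ChildItem -LiteralPath $Folder -Recurse -Force |
    ForEach-Object { "{0,-6} {1}" -f (Test-EfsEncrypted $_.FullName), $_.FullName }
# Metadata caveat from the article: names and sizes are still listed in clear,
# only the contents are protected.

# 3. Back up the EFS certificate and private key (the popup you must not
#    dismiss). cipher /x exports them to a password-protected .pfx file.
New-Item -ItemType Directory -Path (Split-Path $BackupPfx) -Force | Out-Null
cipher.exe /x "$BackupPfx"

# 4. List which user certificates can open the file. A file that only your
#    certificate can open is unreadable from any other account on the PC.
cipher.exe /c (Join-Path $Folder "notes.txt")
```

Keep the exported .pfx off the encrypting machine; without it, a reinstall or a lost user profile leaves the files unrecoverable.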
Corporate Encryption Management Methodologies
If you have encrypted data, you know just how much of a headache it can be keeping up with all of your encryption keys.
Now, imagine handling encryption for an entire organization.
It is a challenge.
But organizations can’t afford to not encrypt their private data.
So, let’s look at some strategies to make handling encryption in the enterprise much more simple.
Virtual smart cards with Windows TPM
You probably already know what a smart card is, right?
If not, they are secure physical devices that usually store a certificate and/or the private key.
When you need to access something, you insert the card and enter a PIN to unlock it.
Using a Yubikey with Windows 10’s encryption tool – BitLocker – is a good example.
The problem with these smart cards is that they usually only hold one key.
In Windows 10, you can use the TPM as a virtual smart card that can hold and protect numerous keys.
This is still two factor authentication.
It requires something the user has – the TPM – and something the user knows – the PIN.
And if someone is just guessing PINs, the TPM’s dictionary attack protection will kick in and lock the user out.
This can be a great solution for the business environment because it eliminates the smart card key.
Users don’t have to carry them around.
And security won’t get:
I forgot my security card at home. Is there another way I can access my computer?
And there is the cost reduction.
The organization won’t have to pay for a smart card system if the computers come with TPMs built in.
Encryption key management
Do you know what one of the most daunting tasks is when trying to implement a corporate encryption program?
Encryption key management.
Most organizations know that just password protecting files and folders does nothing to actually protect the data.
And encryption seems like the right option.
But they handle key management completely wrong.
So, let’s talk about Windows 10 encryption key management in a corporate environment.
To recap the encryption process, what happens when you choose to encrypt data?
Take a Windows 10 computer that you want to apply disk encryption to.
After you select the device that you want encrypted, you select a key (aka password) and the algorithm uses that key to encrypt the data.
You then receive encrypted data, right?
That’s the process more or less.
Now imagine having to do this for all of the computers in a company.
It would be a bad idea to use a standard key.
But how do you remember 250 encryption keys?
This brings us to the first encryption key management tip.
Don’t store encryption keys in an Excel sheet.
It will only be a matter of time before an attacker finds that list or the list is lost and you can’t access any of your devices.
Instead, you need to use a secure encryption key management solution.
There are a couple of approaches you can take.
Encryption key management solutions
These are robust systems built for enterprise-level use, for enterprises that have security teams that can manage them.
The drawback is that while they are great solutions, they are complex to setup and take security professionals to administer.
Unfortunately, most small and medium sized enterprises don’t have this capability.
That brings me to the second key management solution.
SaaS Password (Key) Managers
What can work a lot better for SMEs is to use a SaaS key management system.
Thycotic Secret Server is a great example.
It is a key management system that allows the organization to only allow access to keys to users who need it.
In security, we call this the principle of least privilege.
So, say Claire in accounting needs access to the accounts payable information but not accounts receivable, you can specify this in Thycotic.
It even has an on-prem version if you aren’t comfortable storing keys in the cloud.
Another favorite password manager is LastPass.
While it’s meant to be a password manager, it works great as a key management solution for SMEs.
The enterprise plan allows the organization to create shared groups.
Within those groups, credentials and keys can be shared to those with a need-to-know.
If that access need changes, it is simple to revoke access.
Third Party Encryption Tools
BitLocker – Native Windows 10 Encryption Tool
Bitlocker is the native Windows 10 encryption tool. Because it is native, it is probably one of the easiest to implement. You can use it to perform full disk encryption or file and folder level encryption. You can even use it to encrypt external drives. One benefit of using this native tool is that you can use it with TPM chips to get pretty strong encryption.
VeraCrypt
VeraCrypt is an open source (free) encryption software that works on all operating systems – Windows, Mac OSX, and Linux. It’s actually my go-to encryption tool for USBs, directories, files, etc. You can use it to encrypt files, folders, hard drives, and just about anything else.
Symantec Drive Encryption
Symantec Drive Encryption is a pretty robust encryption tool. However, it is definitely a business environment tool. It is paid and works especially well if integrated with Symantec’s entire endpoint protection suite.
SafeGuard Encryption by SOPHOS
SafeGuard Encryption is one of my favorite encryption tools for business environments. One thing that I really like about SafeGuard is that it is file level encryption. It encrypts every file and folder without the user having to manually specify them. You can also specify very granular controls over who can access files.
DiskCryptor
DiskCryptor is another open source encryption tool. It is intended for the encryption of partitions, though. It supports the AES, Twofish, and Serpent encryption algorithms.
AxCrypt
The last Windows 10 encryption software that we’ll look at is AxCrypt. There is a free option available, but the paid versions definitely have some of the more desirable options. According to their website, AxCrypt has been the PC Mag Editor’s choice for the last three years.
Now It’s Your Turn
So those are the Windows 10 encryption strategies that we are using.
Now I want to turn it over to you: Which of the encryption methods from today’s post seems the best to you?
Full disk encryption, file encryption? Or using a third party tool?
Let me know by leaving a quick comment below right now.