Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

Recommendation for encryption software solution without these issues


  • Please log in to reply
6 replies to this topic

#1 califauna

califauna

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 01 August 2023 - 01:33 PM

Hello,

 

I have found the following major security issues with all the encryption software I have tried thus far:

 

1.

The original encrypted file is decrypted when using the software by entering the encryption password, and when shutting down the app the file is re-encrypted. However,  in the event of an unexpected termination of the software (power loss, battery failure, app crash, etc.) the app does not re-encrypt the decrypted file (and cannot re-encrypt it, as it has terminated unexpectedly), and it thus sits there on your hard drive in unencrypted form until you hopefully notice that it didn't get re-encrypted.

 

2.

Upon entering the decryption password, the software creates a temporary file copy of the decrypted file and stores it in AppData or Temp or some other place, leaving the original file safely encrypted.  However, in the event of an unexpected termination of the software (power loss, battery failure, app crash, etc.) the app does not delete this temporary file (and cannot delete it, since it has terminated unexpectedly), and it thus the temp file sits there on your hard drive in unencrypted form until you hopefully notice that it didn't get deleted.

 

Additionally, almost all apps seem to require an online sign-in, which I don't want either.

 

In summary, I'm looking for encryption software which meets the following requirements:

 

 

1. Can encrypt selected files//folders, and does not require entire partitions/drives to be encrypted.

2. Does not suffer the above problems from unexpected shutdowns. Veracrypt solves this for example by only opening files in RAM in unencrypted form. No temp files etc. The problem with Veracypt, as I understand it, is that you can't encrypt selected files and folders around your hard drive. You have to encrypt a whole drive.

3. Encrypts and decrypts locally. No internet connection or sign-in to company servers required.

4. Open source.

5. Available on Windows.

 

Preferably the following if possible:

5. Automatically re-encrypts open files if lockscreen is shown, or is PC goes to sleep or hibernates.

6. Re-encrypts automatically after optional time period eg. 5 hours.

7. Portable version available.

 

Thanks for any suggestions.



BC AdBot (Login to Remove)

 


#2 1PW

1PW

  •  Avatar image
  • Members
  • 462 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:North of the 38th parallel.
  • Local time:01:48 PM

Posted 01 August 2023 - 02:11 PM

Hello @califauna

 

Except for validating the GPG/PGP signed files of others, I have not looked into GnuPG in a long time.

 

https://gnupg.org/

 

HTH


All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus. https://forums.malwarebytes.com/profile/17252-1pw/


#3 califauna

califauna
  • Topic Starter

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 03 August 2023 - 03:27 AM

Bump.

Any suggestions appreciated.



#4 cryptodan

cryptodan

    Bleepin Madman


  •  Avatar image
  • Members
  • 35,304 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:48 PM

Posted 03 August 2023 - 08:20 AM

Gnupgp is about as close as you can get to your requirements

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra


#5 Xecrets

Xecrets

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 06 August 2023 - 12:24 PM

Hi,

 

Xecrets File Ez is *almost* there... It does indeed decrypt to a temporary location, but, in the event of an unexpected crash or termination it will still remember the fact that it's in need of re-encryption/wipe if unchanged. So you don't have situation you describe of it sitting there "there on your hard drive in unencrypted form until you hopefully notice that it didn't get deleted". As soon as you re-open Ez, it'll inform you that you have an open file, and it'll wipe/re-encrypt it when you exit or close it with a single click.

 

 

1. Can encrypt selected files//folders, and does not require entire partitions/drives to be encrypted.

2. Does not suffer the above problems from unexpected shutdowns. Veracrypt solves this for example by only opening files in RAM in unencrypted form. No temp files etc. The problem with Veracypt, as I understand it, is that you can't encrypt selected files and folders around your hard drive. You have to encrypt a whole drive.

3. Encrypts and decrypts locally. No internet connection or sign-in to company servers required.

4. Open source.

5. Available on Windows.

 1 - Yes.

 2 - Partially, as described above. We could probably add features with auto-start and auto-check of this case if there's enough demand. But it's really hard to 100% handle the case of someone pulling the power for example. Something will likely be left somewhere. You can improve the situation by EFS-encrypting the temporary location, and/or assign %TEMP% to a RAM-drive.

 3 - Yes. Absolutely no Internet is needed or used. No server sign in. 100% local. No Internet connection used under any circumstance.

 4 - All the actual encryption is done with an open source CLI, that you're welcome to inspect, recompile or modify. Then there's a GUI frontend, that's the "Ez" part.

 5 - Available on Windows, Linux and macOS. It's entirely portable, no installation, just unzip and run from wherever.

 

Check it out at https://www.axantum.com/ and https://github.com/xecrets/xecrets-file-cli .

 

Full disclosure - I am the author of said software .



#6 califauna

califauna
  • Topic Starter

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 06 August 2023 - 02:03 PM

Sounds good, except the files leftover on the drive bit after an unexpected shutdown.  The automatic check feature is good, but this assumes one runs the software again, which might not happen for a while (or potential ever).  It means one has to remember to open the app instead of remembering to delete files. Better perhaps, but still very insecure (in my opinion) when you're talking about very sensitive/private/important information.

 

I'll bear your software in mind, and good luck with the development. However, I've read that Veracrypt gets around this somehow (opening files in RAM I believe) and if that turns out to be correct I would have to go with veracrypt.



#7 Xecrets

Xecrets

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 08 August 2023 - 02:29 AM

Hi! Yes, indeed, there's always the case of the left overs after a crash and no restart. Regardless of the software you use, I do believe you'll get very close to your goal if you either use EFS encryption on the temporary folder (i.e. %TEMP% or a subdirectory thereof), and/or if you create a RAM-drive and set %TEMP% to use it. If you're interested, we could perhaps find a way to facilitate this with Xecrets File. If so, sign up for the current beta at https://www.axantum.com/ and we can continue from there. As for RAM-drive, although I've not personally tried it, https://sourceforge.net/projects/imdisk-toolkit/ seems like a good candidate.

 

Veracrypt violates your requirement #1, it does not allow encrypting file-by-file, but since it's a virtual encrypted drive it will not by itself place data in temporary locations.

 

Then again, your data may still end up on the hard drive in various ways - for example by the OS paging memory to disk, or by the application itself writing temporary files to the temporary location. You would need to disable paging and map %TEMP% and %TMP% to a RAM drive to ensure no plain text gets written to disk. EFS-encrypting %TEMP% does not prevent the data from being written to disk, but does keep it encrypted, albeit by a different mechanism, and in the end it will depend on the strength of your Windows login password. You could also consider encrypting the entire hard disk with BitLocker to add another layer of protection locally.






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users