An alternative approach is to encrypt the confidential data, so that it can only be meaningfully accessed by someone in possession of a password or passphrase. If you're using Windows 2000 or XP (not Home Edition), encryption facilities are built in.
I assume firstly that your company has no policy regarding data encryption, since it sounds like they have no policy regarding network security. Given that, you presumably have a free hand to play with this on your PC, but BEWARE: you run the risk of ending up with encrypted data which cannot be decrypted, resulting in an information loss to your company.
The easiest approach under XP (and I think it's essentially the same in Windows 2000) is to mark the relevant folder as encrypted. Right-click the folder, choose Properties, on the "General" tab click Advanced, then click "Encrypt contents..". Any files stored in that folder will now be encrypted using an encryption key specific to your login ID, and accessible only by use of your login password. Check this by defining another user on your PC, and confirming that they cannot access the data.
An alternative approach for the paranoid is to purchase a package such as DriveCrypt, which enables you to define an encrypted pseudo-drive or partition on 32-bit Windows systems, and provides (a) control of what encryption algorithm is used, and (b) the ability to define a passphrase, rather than just a shortish password.
In any case, it's vital to consider what happens to the data (be it on your PC or on backup media) if the encryption key is lost. With XP encryption, the best approach may be to define a certificate for yourself using the "Certificates" snap-in to the management console, and make a copy of it on diskette or some other external media. With DriveCrypt, you can use what it calls a "keyfile" in very much the same way as an exported certificate.
This is a tricky area, with pitfalls for the unwary - for instance, under some circumstances you may find that data you thought was encrypted, isn't.
If others here have come across significant "gotchas" which I ought to have mentioned, or if I've got any of the details wrong, I hope they'll mention it.
Note that I've carefully restricted myself to considering your PC as constituting a standalone security environment. If any question arises of implementing encryption across your company network, I would advise getting consultancy in to achieve it, as there are not only technical but also management issues involved.
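An added example, not part of the original post: one way to check for data that was meant to be encrypted but isn't is to walk the folder and list every item that lacks the NTFS Encrypted attribute. The function name `Get-UnencryptedItem` and the path `C:\Confidential` are hypothetical, and the script assumes Windows PowerShell 3.0 or later is installed.

```powershell
# Added example: audit a folder that was marked "Encrypt contents" and report
# anything under it that does not carry the NTFS Encrypted attribute.
function Get-UnencryptedItem {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # the folder you marked as encrypted
    )

    $encrypted = [System.IO.FileAttributes]::Encrypted

    $root = Get-Item -LiteralPath $Path -Force
    if (-not $root.PSIsContainer) { throw "$Path is not a folder" }

    # The folder itself plus everything beneath it, hidden and system items included
    $items = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        # A zero result means the Encrypted flag is not set on this item
        if (($item.Attributes -band $encrypted) -eq 0) {
            [PSCustomObject]@{
                Path = $item.FullName
                Type = if ($item.PSIsContainer) { 'Folder' } else { 'File' }
            }
        }
    }
}

# 'C:\Confidential' is a placeholder path; substitute your own folder.
$gaps = @(Get-UnencryptedItem -Path 'C:\Confidential')
if ($gaps.Count -eq 0) {
    'All items carry the Encrypted attribute.'
} else {
    $gaps | Format-Table -AutoSize
}
```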