> >

BitLocker - Drive Encryption. Create a backup key

According to experts, it is the theft of a laptop that is one of the main problems in the field of information security(IB).


Unlike other cybersecurity threats, the nature of the “stolen laptop” or “stolen flash drive” problems is rather primitive. And if the cost of disappeared devices rarely exceeds a few thousand US dollars, then the value of the information stored on them is often measured in millions.


According to Dell and the Ponemon Institute, 637,000 laptops are lost annually at US airports alone. And imagine how many flash drives disappear, because they are much smaller, and dropping a flash drive by accident is as easy as shelling pears.


When a laptop belonging to a top manager of a large company goes missing, the damage from one such theft can amount to tens of millions of dollars.



How to protect yourself and your company?

We continue the series of articles about Windows security domain. In the first article in the series, we talked about setting up secure entry to the domain, and in the second - about setting up secure data transfer to mail client:

  1. How to use a token to make a Windows domain more secure? Part 1 .
  2. How to use a token to make a Windows domain more secure? Part 2 .

In this article, we will talk about setting up encryption of information stored on a hard drive. You will understand how to make sure that no one but you can read the information stored on your computer.


Few people know that Windows has built-in tools that help you store information securely. Let's consider one of them.


Surely, some of you have heard the word "BitLocker". Let's see what it is.

What is BitLocker?

BitLocker (the exact name is BitLocker Drive Encryption) is a technology for encrypting the contents of computer drives, developed by Microsoft. She first appeared in Windows Vista.


BitLocker could encrypt volumes hard drives, but later, already in Windows 7, a similar BitLocker To Go technology appeared, which is designed to encrypt removable drives and flash drives.


BitLocker is standard Windows component Professional and server versions of Windows, which means that in most cases of corporate use it is already available. Otherwise, you will need to upgrade your Windows license to Professional.

How does BitLocker work?

This technology is based on full volume encryption performed using the AES (Advanced Encryption Standard) algorithm. Encryption keys must be stored securely, and there are several mechanisms in BitLocker for this.


The simplest, but at the same time the most insecure method is a password. The key is obtained from the password in the same way every time, and accordingly, if someone finds out your password, then the encryption key will become known.


In order not to store the key in clear text, it can be encrypted either in a TPM (Trusted Platform Module) or on a cryptographic token or smart card that supports the RSA 2048 algorithm.


TPM is a chip designed to implement basic security-related functions, mainly using encryption keys.


The TPM is usually installed on motherboard computer, however, it is very difficult to purchase a computer with a built-in TPM module in Russia, since the import of devices without FSB notification into our country is prohibited.


Using a smart card or token to unlock a drive is one of the most safe ways, allowing you to control who performed the process and when. To unlock in this case, both the smart card itself and the PIN code for it are required.


How BitLocker works:

  1. When BitLocker is activated using a pseudo-random number generator, a master bit sequence is generated. This is the volume encryption key - FVEK (full volume encryption key). It encrypts the contents of each sector. The FVEK key is kept in the strictest secrecy.
  2. FVEK is encrypted using the VMK (volume master key) key. The FVEK key (encrypted with the VMK key) is stored on disk in the volume's metadata. However, it should never end up on the disk in decrypted form.
  3. The VMK itself is also encrypted. The encryption method is chosen by the user.
  4. The VMK is encrypted by default with the SRK (storage root key), which is stored on a cryptographic smart card or token. Similarly, this happens with TPM.
    By the way, the encryption key system disk BitLocker cannot be secured with a smart card or token. This is due to the fact that libraries from the vendor are used to access smart cards and tokens, and, of course, they are not available before the OS is loaded.
    If there is no TPM, then BitLocker suggests saving the system partition key on a USB flash drive, and this, of course, is not the most best idea. If your system does not have a TPM, then we do not recommend encrypting system drives.
    In general, encrypting the system drive is a bad idea. At correct setting all important data is stored separately from system data. This is at least more convenient from the point of view of their Reserve copy. Plus encryption system files reduces the performance of the system as a whole, and the operation of an unencrypted system disk with encrypted files occurs without loss of speed.
  5. Encryption keys for other non-system and removable drives can be protected using a smart card or token, as well as TPM.
    If there is no TPM or smart card, then instead of SRK, a key generated based on the password you entered is used to encrypt the VMK key.

When starting from an encrypted boot disk the system polls all possible keystores - checks for a TPM, checks for USB ports, or, if necessary, prompts the user (which is called a restore). Keystore discovery allows Windows to decrypt the VMK, which decrypts the FVEK, which already decrypts data on disk.



Each sector of the volume is encrypted separately, with part of the encryption key determined by the sector number. As a result, two sectors containing the same unencrypted data will look different in encrypted form, which will greatly complicate the process of determining encryption keys by writing and decrypting previously known data.


In addition to FVEK, VMK, and SRK, BitLocker uses another type of key that is generated "just in case". These are the recovery keys.


For emergencies (the user lost the token, forgot their PIN, etc.), BitLocker offers to create a recovery key in the last step. Refusal to create it in the system is not provided.

How to enable data encryption on a hard drive?

Before proceeding with the process of encrypting volumes on a hard drive, it is important to consider that this procedure will take some time. Its duration will depend on the amount of information on the hard drive.


If your computer shuts down or hibernates while encrypting or decrypting, these processes will pick up where they left off the next time you start Windows.


Even during the encryption process, the Windows system can be used, but it is unlikely that it will be able to please you with its performance. As a result, after encryption, disk performance decreases by about 10%.


If BitLocker is available on your system, then when you right-click on the name of the drive that you want to encrypt, the item will appear in the menu that opens. Turn on BitLocker.


On server versions of Windows, you need to add a role BitLocker Drive Encryption.


Let's start configuring non-system volume encryption and protect the encryption key with a cryptographic token.


We will use the token produced by the Aktiv company. In particular, the token Rutoken EDS PKI.



I. Prepare Rutoken EDS PKI for work.


In most normally configured Windows systems, after the first connection of Rutoken EDS PKI, a special library for working with tokens manufactured by Aktiv - Aktiv Rutoken minidriver is automatically downloaded and installed.


The installation process for such a library is as follows.



The presence of the Aktiv Rutoken minidriver library can be checked via Device Manager.



If for some reason the download and installation of the library did not happen, then you should install the Rutoken Drivers for Windows kit.


II. Encrypt the data on the drive using BitLocker.


Click on the name of the disk and select the item Turn on BitLocker.



As we said earlier, we will use a token to protect the disk encryption key.
It is important to understand that in order to use a token or smart card in BitLocker, they must have RSA keys 2048 and certificate.


If you use the Certificate Authority service in a Windows domain, then the certificate template must contain the “Disk Encryption” certificate scope (more about setting up Certificate Authority in the first part of our series of articles on Windows domain security).


If you don’t have a domain or you can’t change the certificate issuance policy, then you can use the alternate path, using a self-signed certificate, details on how to issue a self-signed certificate to yourself are described.
Now let's check the corresponding box.



In the next step, we will choose a method for saving the recovery key (we recommend choosing Print the recovery key).



A piece of paper with a printed recovery key must be kept in a safe place, preferably in a safe.





The next step is to start the disk encryption process. After completing this process, you may need to reboot your system.


When encryption is enabled, the icon of the encrypted disk will change.



And now, when we try to open this drive, the system will ask you to insert a token and enter its PIN.



Deployment and configuration of BitLocker and TPM can be automated using the WMI tool or Windows PowerShell scripts. How the scripts are implemented will depend on the environment. The commands for BitLocker in Windows PowerShell are described in the article.

How to recover data encrypted by BitLocker if the token is lost?

If you want to open encrypted data on Windows


To do this, you will need the recovery key that we printed out earlier. Just enter it in the appropriate field and the encrypted section will open.



If you want to open encrypted data on GNU/Linux and Mac OS X systems


This requires the DisLocker utility and a recovery key.


The DisLocker utility works in two modes:

  • FILE - the entire BitLocker-encrypted partition is decrypted to a file.
  • FUSE - only the block accessed by the system is decrypted.

For example, we will use operating system Linux and FUSE utility mode.


AT latest versions common Linux distributions, the dislocker package is already included in the distribution, for example, in Ubuntu, starting from version 16.10.


If for some reason there was no dislocker package, then you need to download the utility and compile it:


tar -xvjf dislocker.tar.gz

Let's open the INSTALL.TXT file and check which packages we need to install.


In our case, we need to install the libfuse-dev package:


sudo apt-get install libfuse-dev

Let's start building the package. Let's go to the src folder and use the make and make install:


cd src/ make make install

When everything has compiled (or you have installed the package), let's start setting it up.


Let's go to the mnt folder and create two folders in it:

  • Encrypted-partition- for an encrypted partition;
  • Decrypted-partition - for the decrypted partition.
cd /mnt mkdir Encrypted-partition mkdir Decrypted-partition

Let's find the encrypted partition. Let's decrypt it using the utility and move it to the Encrypted-partition folder:


dislocker -r -V /dev/sda5 -p recovery_key /mnt/Encrypted-partition(replace recovery_key with your recovery key)

Let's display a list of files in the Encrypted-partition folder:


ls Encrypted-partition/

Enter the command to mount the partition:


mount -o loop Driveq/dislocker-file Decrypted-partition/

To view the decrypted partition, let's go to the Encrypted-partition folder.

Summarizing

Enabling volume encryption with BitLocker is very simple. All this is done without much effort and for free (subject to the availability of a professional or server Windows versions, certainly).


To protect the encryption key that encrypts the drive, you can use a cryptographic token or smart card, which significantly increases the level of security.

Bitlocker Drive Encryption

Bitlocker - BitLocker (full name BitLockerDrive Encryption) is a built-in operating system Windows Vista Ultimate / Enterprise, Windows 7 Ultimate, Windows Server 2008 R2, Windows Server 2012 and Windows 8.

Using BitLocker, you can encrypt the entire storage medium (logical drive, SD card, USB stick). At the same time, AES 128 and AES 256 encryption algorithms are supported.

You may also be interested in the article "", in which we tried to figure out whether cracking Windows disk encryption is possible.

The recovery key to the cipher can be stored on a computer, on a USB device, or on a TPM (Trusted Platform Module) hardware chip. You can also save a copy of the key to your Microsoft account (but why?).

EXPLANATION You can store the key in the TPM chip only on those computers where the TPM chip is built into the motherboard. If the computer motherboard is equipped with a TPM chip, then the key can be read from it either after authentication with a USB key/smart card or after entering a PIN code.

In the very simple case You can also authenticate the user with a normal password. Of course, this method will not work for James Bond, but for most ordinary users who want to hide some of their data from colleagues or relatives, it will be enough.

Using BitLocker, you can encrypt any volume, including the boot volume - the one from which the Windows boot. Then the password will need to be entered at boot (or use other means of authentication, such as TPM).

ADVICE I strongly discourage you from encrypting your boot volume. First, performance is degraded. The technet.microsoft website says that the performance degradation is typically 10%, but in your particular case, you can expect more "slowdown" of the computer - it all depends on its configuration. And, in fact, not all data needs to be encrypted. Why encrypt the same program files? There is nothing confidential about them. Secondly, if something happens to Windows, I'm afraid everything can end badly - formatting the volume and losing data.

Therefore, it is best to encrypt one volume - a separate logical drive, external USB disk etc. And then put all your secret files on this encrypted disk. You can also install programs that require protection on an encrypted disk, for example, the same 1C Accounting.

You will connect such a disk only when necessary - double-click on the disk icon, enter the password and get access to the data.

What can be encrypted with BitLocker?

You can encrypt any drive except network and optical. Here is a list of supported drive connection types: USB, Firewire, SATA, SAS, ATA, IDE, SCSI, eSATA, iSCSI, Fiber Channel.

Encryption of volumes connected via Bluetooth is not supported. And though the memory card mobile phone connected to a computer via Bluetooth looks like a separate storage medium, it cannot be encrypted.

Supported file NTFS systems, FAT32, FAT16, ExFAT. Other file systems are not supported, including CDFS, NFS, DFS, LFS, software RAID arrays (hardware RAID arrays are supported).

Can be encrypted solid state drives: (SSD drives, flash drives, SD cards), hard drives(including those connected via USB). Encryption of other types of drives is not supported.

Bitlocker Drive Encryption

Go to your desktop, launch File Explorer and click right click on disk, which you want to encrypt. Remind me what it could be logical volume, SD card, flash drive, USB disk, SSD drive. From the menu that appears, select Turn on BitLocker.

Enable BitLocker encryption command

First of all, you will be asked how you will be from the encrypted disk: using a password or a smart card. You must select one of the options (or both: then both the password and the smart card will be involved), otherwise the Next button will not become active.


How will we remove the Bitlocker lock?

The next step will ask you to create backup key
recovery.


Backup the recovery key

EXPLANATION The recovery key is used to unlock the drive in case you forgot your password or lost your smart card. You cannot opt ​​out of creating a recovery key. And this is correct, because, having returned from vacation, I forgot my password to the encrypted disk. The same situation can happen to you. Therefore, we select one of the proposed methods for archiving the recovery key.

  • Save the key to a Microsoft account. I do not recommend this method: there is no Internet connection - you will not be able to get your key.
  • Saving to a file is the best way. The file with the recovery key will be written to the desktop.

Save the recovery key to the desktop
  • You understand, it should be transferred from there to a more reliable place, for example, to a USB flash drive. It is also desirable to rename it so that it is not immediately clear from the file name that this is exactly the same key. You can open this file (you'll see what it looks like later) and copy the recovery key itself into some file so that only you know what the string is and what file it's in. It is better to delete the original file with the recovery key later. So it will be more reliable.
  • Printing out the recovery key is a pretty wild idea, unless you then put this piece of paper in a safe and lock it with seven locks.

Now you need to determine which part of the disk you want to encrypt.


What part of the disk should be encrypted?

You can encrypt only the occupied space, or you can encrypt the entire disk at once. If your disk is almost empty, then it is much faster to encrypt only the used space. Consider the options:

  • Let there be only 10 MB of data on a 16 GB flash drive. Choose the first option and the drive will be encrypted instantly. New files written to the flash drive will be encrypted on the fly, i.e. automatically;
  • the second option is suitable if there are a lot of files on the disk and it is almost completely full. However, for the same 16 GB flash drive, but filled up to 15 GB, the difference in encryption time for the first or second option will be practically indistinguishable (which is 15 GB, which is 16 - will be encrypted
    almost the same time).
  • however, if there is little data on the disk, and you choose the second option, then encryption will take an agonizingly long time compared to the first method.

So all you have to do is press the button. Start encryption.


Disk encryption with Bitlocker

Wait until the disk is encrypted. Do not turn off the power of the computer or restart it until the encryption is completed - you will receive a corresponding message about this.

If a power failure occurs, Windows startup encryption will continue from where it left off. That's what it says on the Microsoft website. Whether this is true for the system disk, I did not check - I did not want to take risks.

Article continued on next page. To go to the next page, click on the button 2, which is located under the buttons of social networks.

Nobody is surprised at all by the fact that personal computer may contain purely personal information or corporate data of increased value. It is undesirable if such information falls into the hands of third parties who can use it, causing serious problems for the former owner of the PC.

Depending on the circumstances, Bitlocker can be activated and deactivated.

It is for this reason that many users express a desire to take some kind of action aimed at restricting access to all files stored on the computer. Such a procedure does indeed exist. Having done certain manipulations, none of the outsiders, not knowing the password or the key to its recovery, will be able to access the documents.

Protect important information from familiarization by third parties is possible if you encrypt the Bitlocker drive. Such actions help ensure complete confidentiality of documents not only on a specific PC, but also in the case when someone HDD removed and inserted into another personal computer.

Algorithm for enabling and disabling the function

Bitlocker drive encryption works on Windows 7, 8 and 10, but not all versions. It is assumed that on the motherboard, which is equipped with a particular computer on which the user wants to encrypt, there must be a TPM module.

ADVICE. Do not be discouraged if you know for sure that there is no such special module on your motherboard. There are some tricks that allow you to "ignore" such a requirement, respectively, to install without such a module.

Before proceeding with the process of encrypting all files, it is important to consider that this procedure is quite lengthy. It is difficult to give an exact amount of time. It all depends on how much information is available on the hard drive. During the encryption process, Windows 10 will continue to work, but it is unlikely that it will be able to please you with its performance, since the performance indicator will be significantly reduced.

Enable the function

If you have Windows 10 installed on your computer, and you have an active desire to enable data encryption, use our tips so that you not only succeed, but also the path to fulfilling such a desire is not difficult. Initially, find the "Win" key on your keyboard, sometimes it is accompanied by Windows icon, hold it, simultaneously with it, hold down the "R" key. Pressing these two keys at the same time opens the Run window.

In the window that opens, you will find an empty line in which you will need to enter "gpedit.msc". After clicking on the “OK” button, a new window “Local Editor” will open. group policy". In this window, we have to go a little way.

On the left side of the window, find and immediately click on the line "Computer Configuration", in the submenu that opens, find "Administrative Templates", and then in the next submenu that opens, go to the parameter located in the first place in the list and called "Windows Components".

Now move your eyes to the right side of the window, find "Bitlocker Drive Encryption" in it, double-click to activate it. Now open new list, in which your next goal should be the line "Disks of the operating system". Click on this line as well, you just have to make one more transition to get closer to the window where Bitlocker will be directly configured, allowing you to turn it on, which is exactly what you want.

Find the line "This policy setting allows you to configure the requirement for additional authentication at startup", expand this setting by double-clicking. In the open window, you will find the desired word "Enable", next to which you will find a checkbox next to it, in which you need to put a specific checkmark in the form of a tick of your consent.

A little lower in this window is the "Platforms" subsection, in which you need to check the checkbox next to the suggestion of using BitLocker without a special module. This is very important, especially if your Windows 10 does not have a TPM module.

The setting of the desired function in this window is completed, so you can close it. Now move the mouse cursor over the Windows icon, just right-click on it, which will allow an additional submenu to appear. In it you will find the line "Control Panel", go to it, and then to the next line "Bitlocker Drive Encryption".

Don't forget to indicate where you want to encrypt. This can be done on both hard and removable drives. After selecting the desired object, click on the "Enable Bitlocker" button.

Now Windows 10 will start an automatic process, occasionally drawing your attention, prompting you to specify your desires. Of course, it is best to make a backup before performing such a process. Otherwise, if the password and the key to it are lost, even the owner of the PC will not be able to recover the information.

Next, the process of preparing the disk for subsequent encryption will begin. During this process, it is not allowed to turn off the computer, as this action can cause serious damage to the operating system. After such a failure, you simply will not be able to start your Windows 10, respectively, instead of encryption, you have to install a new operating system, spending extra time.

As soon as the preparation of the disk is successfully completed, the actual configuration of the disk for encryption begins. You will be prompted to enter a password that provides access to encrypted files later. You will also be prompted to come up with and enter a recovery key. Both of these important components are best kept in a safe place, best printed out. It is very stupid to store the password and recovery key on the PC itself.

During the encryption process, the system may ask you which part you specifically want to encrypt. It is best to subject the entire disk space to this procedure, although there is an option to encrypt only the occupied space.

It remains to select such an option as "New Encryption Mode", and then run an automatic check of the BitLocker operating system. Next, the system will safely continue the process, after which you will be prompted to restart your PC. Of course, fulfill this requirement, reboot.

After another Windows startup 10 you will be convinced that access to documents without entering a password will be impossible. The encryption process will continue, you can control it by clicking on the BitLocker icon located on the notification panel.

Disabling the function

If for some reason the files on your computer are no longer of high importance, and you don’t really like to enter a password every time to access them, then we suggest that you simply turn off the encryption function.

To perform such actions, go to the notification panel, find the BitLocker icon there, click on it. In the lower part open window you will find the line "Manage BitLocker", click on it.

Now the system will prompt you to choose which action is preferable for you:

  • back up the recovery key;
  • change the password for access to encrypted files;
  • remove the previously set password;
  • disable BitLocker.

Of course, if you decide to disable BitLocker, you should choose the last option offered. A new window will immediately appear on the screen in which the system wants to make sure that you really want to disable the encryption function.

ATTENTION. As soon as you click on the "Turn off BitLocker" button, the decryption process will immediately begin. Unfortunately, this process is not characterized by high speed, so you definitely have to tune in for a while, during which you just have to wait.

Of course, if you need to use a computer at this moment, you can afford it, there is no categorical prohibition on this. However, you should set yourself up for the fact that PC performance at this moment can be extremely low. Understanding the reason for this slowness is not difficult, because the operating system has to unlock a huge amount of information.

So, having a desire to encrypt or decrypt files on a computer, it is enough to familiarize yourself with our recommendations, after that, without haste, perform each step of the indicated algorithm, and upon completion, rejoice at the achieved result.

BitLocker is a small application released by Microsoft to add support for BitLocker encryption technology to older versions of Windows. The program is distributed in two versions: for 32-bit and 64-bit systems. Note that you need to install it only on older versions of the OS - XP and Vista. In modern Windows 7 and Windows 10, the aforementioned encryption technology is natively supported.

About appointment

The program is intended for those who use external media protected with BitLocker and formatted in the FAT file system. When unblocking them, they should be automatically recognized by the computer and ask for data entry for authorization. The problem is that this does not happen on older versions of the operating system from Microsoft. We have already indicated the reason for this earlier: in Windows XP and Vista, there is no support for the "proprietary" encryption algorithm. For some reason, it was not added even in the latest released Service Packs. So an update that allows older OSes to work with "protected" USB drives and SD cards, users have to install "manually". Yes, this is not very convenient, but the installation takes a matter of seconds, and the installation files themselves weigh several kilobytes and are available for download for free. Upon completion of the installation, you do not need to perform any additional actions and settings.

About the encryption method

BitLocker is a proprietary technology created by Microsoft to protect data on removable drives. It allows you to use external device as access keys (tokens), and also supports advanced volume encryption algorithms: AES 128 and AES 256. This protection system was first introduced in Windows 7. Subsequently, each new version popular operating system from the Redmond giant.

Key Features

  • access to data stored on media protected using the technology of the same name;
  • fast installation;
  • separate versions for 32-bit and 64-bit systems;
  • automatic integration with the necessary services;
  • The update is available completely free of charge.

Almost all of us have thought about the security of our data, the privacy of information stored on a computer and other information carriers. Data protection is very relevant in a competitive environment, in the financial sector of enterprises and even for personal use. There are many methods to secure your data, but the most reliable and proven method is data encryption. Such giants of the IT industry as Microsoft, Apple in their latest versions of Windows OS, Mac OS have built-in encryption by default. Advanced users and even beginners use software to encrypt data, to protect this data with a password, such as Rohos Mini Drive/Rohos Disk, TrueCrypt and others.

These programs are based on the principle of data encryption using the AES 256-bit algorithm. A robust algorithm implemented by the National Institute of Standards and Technology (USA).

We will describe in more detail how to use BitLocker Drive Encryption, built into Windows 7 and a free encryption utility, you will be able to see the benefits of the described programs and the possibility of using them. The tests carried out have shown that they can be used simultaneously, for one usb flash drive or hard drive.

BitLocker Drive Encryption

This built-in function Windows 7. On the menu Start -> Control Panel -> BitLocker Drive Encryption.
In the control panel, BitLocker offers to encrypt any drives connected to the computer. We choose the 1GB removable USB flash drive we are interested in. We use it for testing.

Click Turn on BitLocker, in the window that appears you will be prompted to save the password to the disk or print it in case you forget the password. The password for the disk will also need to be hidden or encrypted, which makes the encryption process a bit more complicated.

Encrypted USB Key Password Entry Window

It took 11 minutes to encrypt a 1 GB USB drive, so if you decide to hide/protect more data, will have to be patient and time.
After encryption USB disk remains available, you can work with it like a normal flash drive. When you remove/disconnect the USB drive, the drive will turn off and ask you for the drive password the next time you use it. In case you use Sleep(Hibernate) when you turn off the computer, the disk will remain open after turning on the PC. The disk can be disconnected through the icon on the Taskbar, or by disconnecting from the USB connector.

Our verdict.

Pros:

  • BitLocker is built into Windows 7 by default and at no additional cost. You can open an encrypted USB flash drive on any Windows 7 PC (even under account user)
  • The size of the encrypted disk is not limited.
  • The disk access password can be changed.
  • A backup copy of the password is created here and will allow access to the disk in case the password is lost.

Minuses:

  • Explicit fact of encryption. At USB connection-Key immediately prompted to enter a password. The disc label is adorned with a yellow padlock. This fact will tell the attacker exactly which USB Key contains hidden personal information.
  • Can only be used on computers running Windows 7. On a computer running Windows XP/2000, you will not be able to access this drive.
  • An encrypted USB drive cannot be used for other purposes, such as connecting it to a Mac or DVD player to play music and video, or transferring data that does not need to be protected.
  • By default, a weak encryption key of 128 bits is used.

Rohos Mini Drive

it free utility designed to encrypt personal data on any external or built-in disk drive. Rohos Mini creates a password-protected hidden container on the USB Key. In this secret container, data is securely stored in encrypted form.
Install the encryption utility on your USB Key, run the program. To encrypt a drive. The flash drive is the same size as in the previous test (1GB).
In the main window of the program, select Encrypt USB Drive.

The program will automatically determine the disk size, assign a letter value and NTFS format. All these parameters can be changed independently.
Set a password for the disk and click Create Disk.

Encrypted USB Key Password Entry Window:

Encrypting 1 GB took approximately 6 minutes. After encryption, Explorer opens to the encrypted disk. The encrypted drive is assigned a separate letter (R:\ in our case).
Encryption happens on the fly, you just need to copy desired file to a disk or to a folder on a disk. When you finish working with a secret Rohos-disk, you can disable it from the main window of the program from the icon in the Rohos Mini Drive Taskbar. For convenience, the creation of a shortcut to an encrypted disk was provided. When connecting a USB flash drive, click on the shortcut to enter the password for the drive. The USB stick does not need to be removed to hide access to data. This makes it possible to continue working with the USB drive after disconnecting the Rohos drive.

Pros:

  • Free program. You can encrypt 8 GB of memory on a USB flash drive.
  • Hides the fact of encryption. The flash drive will look like a regular USB drive, only you will be aware of the hidden Rohos drive.
  • The disk can be accessed from any computer using any operating system. Windows system(even under a simple user account).
  • After encryption, it is possible to use the USB drive for other purposes and on other systems such as Linux, Mac. The USB flash drive is not completely blocked, as is the case with BitLocker.
  • You can change the disk access password, as well as create a password reset file.
  • A backup copy of the password is created separately and will allow access to the disk in case the password is lost.
  • The principle of "Encryption on the fly" is applied.
  • Anything can be stored on an encrypted drive, including programs.
  • It is also possible to create a hidden partition on a USB drive in addition to the main open partition. Encrypted Rohos data will not be damaged even if USB formatting drive.
  • You can place encrypted Rohos data in AVI file and this gives the user the opportunity to deny the existence of encrypted data.
  • Rohos Mini Drive Portable - allows you to open encrypted Rohos Mini Drive containers and work with your files with minimal risk of information leakage.
  • Built-in transfer function Skype applications, Firefox, Chrome, etc. to an encrypted disk - this way the profile folder with your most sensitive data is completely encrypted.
  • Independent implementation of the AES encryption algorithm using strong 256-bit keys and no "bookmarks" for special services.

Minuses:

  • Encrypted disk limit for free version Rohos Mini Drive 8 GB. But you can use ( paid version), where the size of the encrypted disk is unlimited.
  • Support for Windows OS only.

BitLocker + Rohos Mini = double security

To double the security of your data, as we mentioned above, it is possible to combine BitLocker and Rohos Mini Drive. Not only will you protect your data twice, but you will also have an additional, hidden partition on the USB drive, which also password protected. Double security - double security.
First, you need to create an encrypted partition using the Rohos Mini Drive utility, and then use BitLocker to install additional password to your USB flash drive.

In this case, your loved ones can know the password from BitLocker protection, and only you yourself can know the password from the Rohos drive.

BitLocker and Rohos Mini are free encryption alternatives.

Internet
The most interesting:
How to connect the printer via LAN
Instagram self-promotion tools
How to make money on Glopart