In this article learn how to:
- Set up full disk encryption on ephemeral and persistent storage using TrueCrypt.
- Set up simple volume encryption using Microsoft® BitLocker.
- Set up file-system-level file and folder encryption using EFS (Encrypting File System).
- Back up and restore your EFS data encryption certificates.
- Enable swap file encryption using fsutil.
- Delete data securely and wipe free disk space using SysInternals SDelete.
Set up the environment
First, a look at the tools and technologies, then the notations and conventions used for setting up your environment.
Table 1. Tools and technologies

| Name | Description | Required base OS image |
|---|---|---|
| TrueCrypt | Third-party full disk encryption | Windows 2003, 2008 R1, 2008 R2, 2012 |
| Microsoft BitLocker drive encryption | Windows logical volume encryption | Windows Server 2008 R1, 2008 R2, 2012 |
| Microsoft Windows Encrypting File System (EFS) | NTFS file-system-level encryption | Windows 2003 R2, 2008 R1, 2008 R2, 2012 |
| Windows swap file encryption | Page-file encryption (configured using fsutil) | Windows Server 2008 R1, 2008 R2, 2012 |
| SysInternals SDelete | Secure delete and free space wipe tool | Windows 2003, 2008 R1, 2008 R2, 2012 |
Notations and conventions
The following notations and conventions are used:
- Commands are usually prefixed with a prompt. This serves a dual purpose:
- It shows you the privilege required to execute the command.
- It deters you from copying and pasting the command into a console without understanding what it does.
- Commands executed on the system as root are prefixed with
- Commands executed on the system as a regular user are prefixed with
- Command output is delimited by a new line from the commands and indented by one tab to the right (as in the following code):
C:\Users\Administrator> 1st command - to be run as Administrator
C:\Users\Administrator> 2nd command - (previous command has no output)
	output from 2nd command
C:\Users\user > 3rd command - to be run as a regular user. Since ^
	this is a long command we split on multiple lines using ^
	the caret character (^)
	output from 3rd command
When setting up disk or volume encryption, use additional ephemeral or persistent storage. Before using those disks, you need to bring them online.
- Select Start > Run > diskmgmt.msc.
- For each offline disk, right-click and select Online.
Encrypt disk using TrueCrypt
To encrypt a partition instead of a whole disk, use diskmgmt.msc to create the partition before running TrueCrypt. This task is optional.
- Download the latest version of TrueCrypt for Windows from the TrueCrypt web site.
- Run the product installer.
- Install the product
- Optional: Read the provided tutorial.
Encrypt your hard drive
- Start TrueCrypt by double-clicking the TrueCrypt icon on your desktop.
- Select Volumes > Create New Volume... > Encrypt a non-system partition / drive > Standard TrueCrypt Volume.
- Click Select Device... and choose one of your non-boot ephemeral or persistent volumes, for example, "Harddisk 1".
- Select an Encryption Algorithm and a Hash Algorithm and click Next.
- Accept the volume size and click Next.
- Set up a password or a keyfile. When using keyfiles, make sure you store them in a secure location.
- Select YES to enable support for large files (NTFS).
- Click Format. Note that a non-quick format will take a considerable amount of time to encrypt, depending on your disk size.
- Close the TrueCrypt Volume Creation Wizard.
Mount your encrypted volume
- Start TrueCrypt if not already started.
- Select a drive letter.
- Click Select Device and select your encrypted drive or partition from the list.
- Click Mount and enter your password.
- Access your encrypted drive.
Encrypt volume using BitLocker
BitLocker is available on Windows 2008 R1 and R2 instances and allows you to encrypt volumes residing on your ephemeral or persistent storage. Note that you cannot encrypt the system drive (C:) at this time.
Encrypt your volumes using BitLocker
- Enable BitLocker:
- Start Server Manager. Click Start and then right-click Computer > Manage.
- In Server Manager, click Features > Add Features. Check "BitLocker Drive Encryption".
- Click Next, then Install to install BitLocker.
- Click Close and confirm to restart your server and finish the installation.
- Initialize and configure your disks. Note that BitLocker does NOT support dynamic disks. You need to set up a simple volume on a basic disk.
- Click Start > Run > diskmgmt.msc.
- If your additional disks are offline, right-click each disk and select Online.
- Initialize your disks. Right-click the disk and select Initialize Disk. You can select either option for disks smaller than 2TB and GPT for disks greater than 2TB (persistent storage).
- Create a new simple volume by right-clicking Unallocated > New Simple Volume.
- Go through the wizard to select the size, assign a drive letter, and format your volume using NTFS (this is required).
- Encrypt your volumes using BitLocker. Note: Do NOT encrypt your C: drive.
- Go to Control Panel > System and Security > BitLocker Drive Encryption.
- Click Turn on BitLocker next to one of the additional simple volumes you've set up. Do NOT select the C: drive.
- Confirm that you want to enable BitLocker.
- Select Use a password to unlock this drive.
- Recommended: Save the recovery key to your RDP mapped drive.
- Start encrypting.
- Click Close.
- If you later need to perform maintenance on this encrypted volume, you can always click Manage BitLocker.
- Place some test data on your encrypted volume.
- Restart Windows and test your new encrypted volume.
- Open your encrypted drive. BitLocker Drive Encryption should pop up and ask you for your password to unlock the drive.
- Type your password and click Unlock.
Figure 1. Disk management: BitLocker Drive Encryption
- Check that your test data is still there.
- Optional: Test image capture support (capture a private image and provision child instances).
- Image capture consideration: if you provision instances based on captured private images, your storage is provisioned as offline. You need to run diskmgmt.msc and set your disk to Online before your BitLocker volumes show up.
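The BitLocker walk-through above (and the "bring the disk online" step from the environment setup) as a single PowerShell script. This is an added example, not code from the original article, and it assumes a Windows Server 2012 instance where the Storage and BitLocker PowerShell modules are available; the disk number, drive letter, volume label and the Z: key-backup path are assumptions to adjust for your instance.

```powershell
# Added example, not the article's own code: script the BitLocker procedure on
# Windows Server 2012 (Storage + BitLocker modules). All values below are assumptions.
param(
    [int]$DiskNumber      = 1,                  # the additional data disk, never disk 0
    [char]$DriveLetter    = 'E',
    [string]$Label        = 'CRYPTO',
    [string]$KeyBackupDir = 'Z:\bitlocker-keys'  # an RDP-mapped drive, as recommended above
)

# Step 1: the feature must be installed (and the server restarted) before the
# BitLocker module exists on the box.
Import-Module ServerManager
if ((Get-WindowsFeature -Name BitLocker).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name BitLocker
    Write-Warning 'BitLocker installed; restart the server and run this script again.'
    return
}
Import-Module BitLocker

# Step 2: bring the disk online, initialise it as GPT (works for disks above 2 TB too)
# and create one NTFS simple volume. Refuse to touch disk 0, the system disk.
if ($DiskNumber -eq 0) { throw 'Refusing to operate on disk 0 (system disk).' }
$disk = Get-Disk -Number $DiskNumber
if ($disk.IsOffline)  { Set-Disk -Number $DiskNumber -IsOffline $false }
if ($disk.IsReadOnly) { Set-Disk -Number $DiskNumber -IsReadOnly $false }
if ((Get-Disk -Number $DiskNumber).PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $DiskNumber -PartitionStyle GPT
    New-Partition -DiskNumber $DiskNumber -UseMaximumSize -DriveLetter $DriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null
}

$mount = "${DriveLetter}:"
if ($mount -eq 'C:') { throw 'Do NOT encrypt the C: drive.' }

# Step 3: turn on BitLocker with a password protector, then add a recovery password
# and store it off the instance, which is what "save the recovery key" does in the GUI.
$password = Read-Host -Prompt "Password to unlock $mount" -AsSecureString
Enable-BitLocker -MountPoint $mount -EncryptionMethod Aes256 `
    -PasswordProtector -Password $password | Out-Null
$vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
New-Item -ItemType Directory -Path $KeyBackupDir -Force | Out-Null
"$($rp.KeyProtectorId) $($rp.RecoveryPassword)" |
    Out-File -FilePath (Join-Path $KeyBackupDir "$Label-recovery.txt") -Encoding ASCII

# Step 4: report the result. EncryptionPercentage climbs in the background and
# ProtectionStatus flips to On once encryption has finished.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

After a restart the volume stays locked until it is unlocked, which the GUI prompt above does interactively; the equivalent from a script is `Unlock-BitLocker -MountPoint E: -Password $password`. Keep the recovery-password file on the mapped drive, not on the encrypted volume itself, or it is locked away with the data it is meant to recover.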
File system encryption using EFS
EFS is a file system encryption mechanism that is supported on all Windows Server versions and allows you to encrypt files and folders.
Encrypting folders using EFS
EFS can be used to encrypt files and folders. To encrypt the content of a folder:
- Optional: If a folder does not already exist, create it.
- Right-click the folder you want to encrypt and select Properties.
- Click Advanced and select Encrypt contents to secure data. This encrypts the content of the folder and creates an EFS certificate if you don't already have one.
- Click OK > Apply > OK.
- Your folder and its content should now be encrypted. Encrypted files and folders are marked in green text in Explorer.
Using the cipher tool
The cipher tool can be used to encrypt individual files. It can also be used to overwrite deleted data.
To list help, type:
C:\Users\user > cipher /?
To list the encryption status of files and folders, run cipher without any parameters:
C:\CRYPTO > cipher
	Listing c:\CRYPTO\
	New files added to this directory will be encrypted.

	E confidential.txt
	E secrets.xml
To overwrite deleted data:
- Start a command prompt as Administrator.
- Overwrite the deleted data residing under the drive letter and/or folder you specify. For example:
C:\Users\Administrator > cipher /W:C:\
	To remove as much data as possible, close all other applications while running CIPHER /W.
	Writing 0x00 ...
Note: This overwrites only deleted data, not live files. It is somewhat similar to the SDelete free disk space wipe.
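The folder-encryption steps and the cipher tool, as an added PowerShell example (not code from the original article): it encrypts a folder the way the Properties > Advanced checkbox does, verifies the result by reading the Encrypted file attribute (the same state Explorer shows as green text), and checks that the EFS certificate the first encryption creates actually exists in the user's store. The C:\CRYPTO path and the sample file are constructed for the example.

```powershell
# Added example, not the article's own code. Path and sample file are constructed.
$Folder = 'C:\CRYPTO'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Set-Content -Path (Join-Path $Folder 'confidential.txt') -Value 'constructed sample data'

# Equivalent of Properties > Advanced > "Encrypt contents to secure data":
# /e marks the folder so new files are encrypted, /s applies it to existing content.
cipher.exe /e /s:$Folder | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher /e failed with exit code $LASTEXITCODE" }

# The folder and every file below it should now carry the Encrypted attribute.
$unencrypted = Get-ChildItem -Path $Folder -Recurse -Force |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
if ($unencrypted) {
    $unencrypted | ForEach-Object { Write-Warning "Not encrypted: $($_.FullName)" }
} else {
    Write-Host "All items under $Folder are EFS-encrypted."
}

# cipher /c shows which certificate(s) can decrypt a given file; that is the
# certificate you must back up before any SYSPREP image capture.
cipher.exe /c (Join-Path $Folder 'confidential.txt')

# The first encryption creates a self-signed EFS certificate in CurrentUser\My.
# EFS certificates carry the Encrypting File System EKU, OID 1.3.6.1.4.1.311.10.3.4.
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }
if (-not $efsCerts) { Write-Warning 'No EFS certificate found; encryption may have failed.' }
$efsCerts | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

The attribute check is the part worth keeping: a folder marked for encryption can still contain files that were copied in before the flag was set or that were placed there by a process running as another user, and those files are not protected even though the folder icon suggests they are.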
Backup and restore EFS certificates
Capturing an image with SYSPREP generates a new set of certificates. If you have not backed up your certificates, you will lose access to your EFS-encrypted data.
To backup your EFS certificates:
- Click Start > Run > certmgr.msc.
- Expand Personal > Certificates.
- Right-click any certificate with the Intended Purpose field as Encrypting File System.
- Select All Tasks > Export.
- Click Next and select Yes, export the private key.
- Click Next and ensure Personal Information Exchange - PKCS #12 (.PFX) is selected.
- Select Export all extended properties.
- Click Next and set a password for your private key. You will need this when importing your certificate.
- Select a file name in a secure location, then click Next.
- Review the settings then click Finish to export your certificate.
- Click OK, then ensure the certificate was exported correctly to your chosen location.
To restore certificates:
- Double-click your exported certificate PFX file.
- Click Next. File name should point at the certificate you want to import.
- Click Next and type your private key password.
- Check Include all extended properties and click Next.
- Select Automatically select the certificate store based on the type of certificate and click Next.
- Review the settings, click Finish, then OK.
- Verify that your certificate was added to the Current User > Personal > Certificates store and that you can now access your encrypted files and folders.
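The export and import steps above, scripted so they can run before an image capture and again on the freshly provisioned instance. This is an added example, not code from the original article; it uses the .NET X509 classes rather than the certmgr.msc wizard so it works on any of the Windows versions in Table 1. The Z:\efs-backup path is an assumption; choose a location off the instance.

```powershell
# Added example, not the article's own code. Backup location is an assumption.
$BackupDir = 'Z:\efs-backup'
$EfsEku    = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

function Backup-EfsCertificates {
    # Export every EFS certificate that has a private key as a password-protected
    # PKCS #12 file (the GUI's "Yes, export the private key" + .PFX choice).
    param([string]$Path, [SecureString]$Password)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $certs = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) }
    if (-not $certs) { throw 'No EFS certificate with a private key found in CurrentUser\My.' }
    foreach ($cert in $certs) {
        $bytes = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        $file = Join-Path $Path "efs-$($cert.Thumbprint).pfx"
        [System.IO.File]::WriteAllBytes($file, $bytes)
        Write-Host "Exported $($cert.Subject) -> $file"
    }
}

function Restore-EfsCertificates {
    # Import each PFX into CurrentUser\My with a persisted, exportable private key so
    # the restored certificate can itself be backed up again later.
    param([string]$Path, [SecureString]$Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'PersistKeySet,UserKeySet,Exportable'
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite')
    try {
        foreach ($pfx in Get-ChildItem -Path $Path -Filter '*.pfx') {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                $pfx.FullName, $Password, $flags)
            if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -eq 0) {
                $store.Add($cert)
            }
            Write-Host "Restored $($cert.Thumbprint) (private key present: $($cert.HasPrivateKey))"
        }
    } finally {
        $store.Close()
    }
}

# Before the image capture:
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Backup-EfsCertificates -Path $BackupDir -Password $pfxPassword

# On the new instance or profile, then re-open an encrypted file to confirm access:
# Restore-EfsCertificates -Path $BackupDir -Password $pfxPassword
# Get-Content C:\CRYPTO\confidential.txt
```

The thumbprint check before `$store.Add` makes the restore idempotent, so running it twice does not create duplicates. The PFX password protects the private key at rest; treat the exported file as equivalent to the plaintext of everything EFS encrypted with that certificate.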
Swap file encryption using fsutil
Native swap file encryption is supported on Windows Server 2008 or higher. Windows generates a random key each boot and uses it to encrypt the swap file(s).
Encrypt your swap file
- Start an administrative command prompt. Click Start and right-click CMD > Run as Administrator.
- Test whether the swap file is already encrypted. By default, this is set to 0:
fsutil behavior query encryptpagingfile
	EncryptPagingFile = 0
- Enable swap file encryption:
fsutil behavior set encryptpagingfile 1
	NOTE: Changes to this setting require a reboot to take effect.
	EncryptPagingFile = 1
- After rebooting, query your swap file encryption status again in an administrative command prompt (click Start and right-click CMD > Run as Administrator):
fsutil behavior query encryptpagingfile
	EncryptPagingFile = 1
Secure deletion using SDelete
To ensure that deleted files (including files encrypted with EFS) are safe from recovery, you should use a secure delete tool such as Mark Russinovich's SysInternals SDelete. This tool also allows you to perform a free disk space wipe. Note: at the time of this article, SDelete no longer seems to support recursive delete (version 1.6). This worked in previous versions of the product and will most likely get fixed in a future version.
You can download SDelete from the Microsoft SysInternals page.
Delete files using SDelete
- To delete a single file:
sdelete -p 1 secrets.txt
	SDelete - Secure Delete v1.6
	Copyright (C) 1999-2010 Mark Russinovich
	Sysinternals - www.sysinternals.com

	SDelete is set for 1 pass.
	c:\Users\cmihai\Desktop\secrets.txt...deleted.
	1 files found
- To wipe free space, use the following:
Warning: This expands a file called %TEMP%\SDELTEMP until it fills all your free space. Use with caution.
	SDelete - Secure Delete v1.6
	Copyright (C) 1999-2010 Mark Russinovich
	Sysinternals - www.sysinternals.com

	SDelete is set for 1 pass.
	Cleaning free space on C:\: 4%
- You can test that everything went well by running an undelete program, such as Recuva. Deleted files should show up as unrecoverable.
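A PowerShell wrapper around SDelete, added here as an example and not code from the original article or from Sysinternals. It works around the recursion problem the text mentions by walking the folder tree itself and calling SDelete once per file, checks the tool's exit code instead of trusting its banner, and reports how much free space a wipe will have to fill before starting it. It assumes sdelete.exe is on the PATH and uses the documented SDelete switches -accepteula, -p (passes) and -c (clean free space).

```powershell
# Added example, not the article's own code. Assumes sdelete.exe is on PATH.
function Remove-FileSecurely {
    # Overwrite and delete one file; fail loudly if SDelete did not succeed.
    param([Parameter(Mandatory = $true)][string]$Path, [int]$Passes = 1)
    & sdelete.exe -accepteula -p $Passes $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sdelete failed on $Path (exit code $LASTEXITCODE)" }
}

function Remove-FolderSecurely {
    # Recurse ourselves rather than relying on SDelete's own recursion: wipe every
    # file in the tree, then remove the now-empty directory structure.
    param([Parameter(Mandatory = $true)][string]$Path, [int]$Passes = 1)
    if (-not (Test-Path -Path $Path -PathType Container)) { throw "Folder not found: $Path" }
    $files = Get-ChildItem -Path $Path -Recurse -Force | Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) { Remove-FileSecurely -Path $f.FullName -Passes $Passes }
    Remove-Item -Path $Path -Recurse -Force
    Write-Host "Securely deleted $($files.Count) file(s) under $Path"
}

function Clear-FreeSpaceSecurely {
    # Wipe free space on a volume (sdelete -c). Report the size first, because the
    # tool fills the volume completely while it runs and other applications should
    # be closed beforehand.
    param([Parameter(Mandatory = $true)][string]$Drive, [int]$Passes = 1)
    $vol = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    if (-not $vol) { throw "Drive $Drive not found" }
    Write-Host ("Wiping {0:N1} GB of free space on {1} with {2} pass(es)" -f `
        ($vol.FreeSpace / 1GB), $Drive, $Passes)
    & sdelete.exe -accepteula -p $Passes -c $Drive
    if ($LASTEXITCODE -ne 0) { throw "sdelete -c failed on $Drive (exit code $LASTEXITCODE)" }
}

# Usage, with the constructed folder from the EFS section as the target:
# Remove-FolderSecurely -Path 'C:\CRYPTO' -Passes 1
# Clear-FreeSpaceSecurely -Drive 'C:' -Passes 1
```

Wiping the files before the free space is the right order: SDelete overwrites a live file's clusters in place, while the free-space pass only reaches clusters that are already deallocated, so deleting with a plain `del` first and then wiping free space would leave the file names in the MFT and relies on nothing having reused the blocks in between. As the text suggests, run an undelete tool afterwards to confirm the files show up as unrecoverable.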
- Encrypt data in customer images on SmartCloud Enterprise - Securing storage units and user's home directories.
- Protecting Data by Using EFS to Encrypt Hard Drives
Get products and technologies
- See the product images available on IBM SmartCloud Enterprise.
- SDelete By Mark Russinovich
- Truecrypt - Disk Encryption Software