The Encrypted Windows XP 64 bit howto

A PDF version of my encryption guides (with referenced links for convenience etc.), which you may find much easier to read, is available here.

Overview

This howto is for people using 64 bit Windows XP. It can (I hope) be easily adapted to Vista 64 bit.

The final system

Note: 32 bit XP users should use Compusec. Once completed, the 64 bit user will have:

Will my system be fully secure?

When the system is switched off or you are not logged in, yes. Whilst the system is running, however, you will still be vulnerable to viruses, trojans, rootkits, internet attackers etc., so you should still install all the usual software (virus checker etc.) and take all the usual precautions that you would for an unencrypted system.

How could information leak onto the unencrypted Windows Partition?

If the software you are using was written for Windows XP or later then it is very unlikely that any information will leak out using the system described in this howto.

All user data that newer software saves to the hard disk goes into the user's 'Documents and Settings' folder, which will be encrypted. Temporary information will be kept in RAM (and so be wiped at shutdown), or in the encrypted pagefile.

However, software written for DOS/Windows 95/98 etc. may save temporary data to its own folder on the C drive, so when using legacy software check its temporary file settings, check what it saves to disk (it may not be sensitive data) and see if you can install it on the encrypted drive instead.

Getting started

As it is likely that the system you are reading this on is the one you want to work on, it's best to download all the required software now, whilst the system is still working. Also print off a paper copy of this howto.

You will need

Checking the downloads

If you've had to make your own Windows XP install disk it's best that you check it before formatting your current system. All I can suggest though is that you try it out on a spare HDD, computer or virtual machine (e.g. VMware).

For all the other software, extract and install it on your current system; if any errors occur, download fresh copies.

Burn all the software and any personal files you want to keep to CD (or place on any other generic medium).

Determine C drive required size

Take a look at how much space has been used on your Windows C drive, minus the 'Documents and Settings' folder (which will go on a separate partition); this will help determine the appropriate size for the new C partition.

Also take a look at the size of your pagefile; you will want to set up a separate partition specially for it later.

Make sure you have saved everything you want to keep; once the next step has been completed it will be very difficult to ever recover your data.

Wiping all data from the HDD

As everyone knows, deleting a file on a hard drive only removes its directory entry; the data itself isn't gone until it is overwritten.

Even if you create an encrypted file system now, it may still be possible to look past it at what used to be on the drive, so if there is anything currently on your system you want to keep secure it's time to overwrite the whole hard disk.

There are several commercial and free packages to do this (Eraser for one) and I would recommend following the Eraser instructions to make a Boot Nuke Disk.

The erase will probably take an hour or more for an 80 GB drive, and will destroy not only all data but the partition table too.

Installing Windows

The installation of Windows is the same as the default installation, but when you get to the partition selection section you should create a new partition (NTFS full format, not the quick one), and make it the minimum size you need (this is a necessary step even if you are installing a single-OS Windows system).

As there will be no pagefile on this partition, you can make it two or three GB smaller than you would otherwise; it no longer needs to hold the pagefile size you determined earlier.

As an example, an XP 32 bit installation with Office 2003 (full plus Visio) and other standard packages like Acrobat Pro requires a 10GB partition (I'm afraid I have only ever done this on an XP 64 system with a 400GB drive, where I set aside an arbitrary 50GB), of which 3.5GB will be left over after installation of all packages.

User accounts

Install only one user account for now (XP Pro users should really just stick with the default Administrator account), remembering that this account will never be used for real work, so do not use your favourite account name.

At this stage the account should NOT be password protected until LM hashing has been disabled (unless you fancy setting a second password later on), and it should be a computer administrator. If you do set a password it should not be the password you intend to use to unlock your encrypted partitions.

Disable LM Hashing

Once the system has been installed, log in and disable LM hashing to secure your XP user passwords (the LM hash is a weak format that makes passwords far easier to crack). For an explanation of why you should do this go to one of the following sites (or do a Google search):

Click Start, click Run, type regedit, and then click OK. Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

On the Edit menu, point to New, and then click DWORD Value. Type 'NoLMHash', and then press ENTER (note this DWORD may already exist). On the Edit menu, click Modify, set the value to 1 and then click OK.

Next find 'LMCompatibilityLevel' and set it to one of the following, depending on your system (if you don't need to log into a Windows network server just set it to 5):

Restart your computer and then change or set your passwords (NoLMHash only affects passwords set after the change, so existing ones must be reset).

Get system up and running

Now install all your Windows drivers to get the system up and running. If you do go online or open any files, make sure none of them are sensitive: the account you have made will never be secure and you don't want to risk fragments of sensitive data ending up on this drive.

Check the pagefile size

Once you have installed Windows you need to know the size of the pagefile it is using; this will help to determine the size of the openSuSE swap partition that both Windows and Linux will use.

To find the pagefile size go to 'Control Panel => System' and select the advanced tab.

Click on the settings button at the top, the one inside the 'Performance' box. Now select the advanced tab on the 'Performance Options' window, and then select the 'Change' button within the 'Virtual Memory' box at the base of the window.

At the top of the 'Virtual Memory' window you will see a white box in which is listed the C: drive and its Paging File Size. Make a note of the maximum size.

Install Software

Finally, install Truecrypt, WinRAR, Ext2fs and Eraser; you will need them later.

If you intend to use bootpart install that now too, however please note that using the Windows XP boot loader can cause issues with the advanced encryption techniques described later.

Final Partitions

As you are not going to install Linux, you should now also make a 2nd and 3rd partition. The first of these will be for the pagefile, and should be a little larger than the pagefile size you determined earlier.

The final partition should take up the rest of the drive. Create an NTFS partition with the standard Windows tools (or whatever tools you prefer), and then format it as NTFS with Truecrypt; this will hold the 'Documents and Settings' folder.

Installing TCGINA and encrypting the Windows user account

Now that Truecrypt and WinRAR have been installed (earlier) you can extract and install TCGINA. Once installed go to the start menu and run:

'control userpasswords2'

Click on the advanced tab and then check the box 'Require users to press Ctrl+Alt+Delete', then click OK and reboot the machine. This option is set to support TCGINA.

Once you have rebooted, create a new user account (the one you actually want to use), log off, log into the new account (to make XP create the default folders etc.), log out and log back into the first account.

Although we have disabled LM hashing, for extra security make sure the password you use for the new account isn't the same as the one you use for either the Truecrypt or Linux root partitions.

Run Truecrypt and mount the shared encrypted partition on a high drive letter; I use Z. This is because this drive letter must not change if you are to log into it as a user: if you map the Truecrypt drive to drive E and then boot with a USB stick in the computer, you will be unable to log in.

Now run the TCGINA install program again and you should be able to move your user account to the encrypted partition. Next time you log into your new account you will log in first via the Windows login, and then you will be asked for the Truecrypt partition password (unless your Windows password is the same as the Truecrypt one, in which case it may log you in automatically).

Once all this is done, reboot the computer and log into Linux, open the root user account and go to '/home'. A new folder will be there called 'Documents and Settings'; change its permissions and group to match your Linux user account, and set it to do this to all sub-folders and files.

Once done you can log back into Windows and move 'My Documents' to a convenient folder within your Linux home directory; I just use a folder called 'Documents' which is installed by default in the openSuSE system. Whenever you create a file in Windows now it will be saved with the permissions of your user account in Linux.

Moving the Windows pagefile to its own partition

Go to the pagefile settings window, select drive D: (or whatever partition you created for the pagefile) and set the pagefile size, then remove the pagefile from the C: drive.

As an additional security option you should set the minimum and maximum sizes of the pagefile to the same maximum value. This ensures that each new pagefile completely overwrites the last, rather than a growing and shrinking file receding and leaving confidential data on the swap partition for months. More security options for the pagefile are discussed later, including how to delete or encrypt it.

Wiping the free space on Windows

You now need to ensure that any old data on the Windows C: drive (before you started this whole process) is erased.

Open Power Options from the Control Panel and disable hibernation (which will delete hiberfil.sys). Now run Defragment on the C: drive; now that the pagefile and hibernation files are gone there is no longer any unmoveable data on the drive, so everything can be consolidated.

Next run Eraser. You might want to reboot after the defragment, as sometimes Eraser can cause errors when run on a recently defragmented drive. Set Eraser to erase all free space on the C: drive and run it; it will take 30 minutes to several hours, depending on system and disk size.

Encrypting the system swap and hibernation space

The final part of this howto covers the system swap and hibernation spaces. There are several options here for system security, starting with the most basic and finishing with high level security options.

Swap Space

On Windows this is the pagefile.

Swap space is used when the computer runs out of physical memory (RAM): to free up physical memory, information is swapped out of RAM into the swap space.

Therefore, even though you have encrypted all of your personal files, folders and personal settings, there is still the risk that sensitive data will leak out into the swap space.

Of course, if you are confident that your system has so much RAM that it will never use swap space, then you can set Windows to have no pagefile and delete the partition you set up for it; for the rest of you, you have to look at either deleting or encrypting this data (see below).

Hibernation

When a system hibernates it saves the contents of RAM into a file on the hard disk. In Windows this file is always on the C: drive (it cannot be moved) and is called hiberfil.sys.

As above there is a risk that sensitive data will be saved to the hard disk, in fact there is a greater risk as you will be deliberately dumping the entire contents of RAM to the disk.

On very secure systems it's best to disable hibernation altogether; at the time of writing there were no free software packages that could encrypt the Windows hibernation file.

The hiberfil.sys file also cannot be moved from the C: drive, so unless you purchase software to encrypt the C: drive there is no way to securely operate Windows hibernation; if your system needs to be fully secure, disable the feature (Control Panel => Power => Hibernate tab).

If you do need to use hibernation then I recommend that you regularly disable it (which will delete hiberfil.sys), defragment and run Eraser as described earlier, and then re-enable hibernation.

Windows - Delete the pagefile on reboot

This is achieved by a simple registry change; it isn't necessary if you use CryptoSwap Guerilla (below).

Go to the start menu and run 'regedit' then navigate to the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Set the DWORD value 'ClearPageFileAtShutdown' to 1. This will add an extra delay to the Windows shutdown whilst the pagefile is overwritten.
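As an added example (not part of the original howto), the following Python audit parses a regedit export of the Lsa and Memory Management keys above and reports which of the howto's registry settings are still missing; the sample export is constructed, and the key and value names are the ones given in the text.

```python
import re

# Constructed sample export (not a real capture): Lsa hardened as the howto
# describes, but ClearPageFileAtShutdown still 0.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"NoLMHash"=dword:00000001
"LMCompatibilityLevel"=dword:00000005

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000
"""
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
MM_KEY = r"hkey_local_machine\system\currentcontrolset\control\session manager\memory management"

def parse_reg(text):
    """[key] headers and "name"=dword:xxxxxxxx lines -> {key.lower(): {name: int}}.
    regedit writes exports as UTF-16; decode the file before passing text in."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = head.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if val and current is not None:
            keys[current][val.group(1)] = int(val.group(2), 16)
    return keys

def audit(text, standalone=True, cryptoswap=False):
    """Return findings (empty = the howto's settings are in place). standalone=False
    means the PC logs into a Windows domain; cryptoswap=True means the pagefile is
    encrypted on the fly, so clearing it at shutdown is optional."""
    keys, findings = parse_reg(text), []
    lsa = keys.get(LSA_KEY, {})
    # An absent value behaves like the XP default of 0 for both Lsa settings.
    if lsa.get("NoLMHash", 0) != 1:
        findings.append("NoLMHash is not 1: LM hashes of new passwords will still be stored")
    level = lsa.get("LMCompatibilityLevel", 0)
    if standalone and level != 5:
        findings.append("LMCompatibilityLevel is %d, howto recommends 5 without domain logon" % level)
    elif level < 2:
        findings.append("LMCompatibilityLevel is %d: LM responses are still sent on the network" % level)
    if not cryptoswap and keys.get(MM_KEY, {}).get("ClearPageFileAtShutdown", 0) != 1:
        findings.append("ClearPageFileAtShutdown is not 1: pagefile contents survive a reboot")
    return findings
```

Export the two keys from regedit (File => Export), decode the file as UTF-16 and pass the text to audit(); an empty list means every setting from the two registry sections above is in place.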

Encrypting the pagefile on the fly

For the person who wants an easy life there is the free software package CryptoSwap Guerilla, which will encrypt the Windows pagefile on the fly. It is recommended that you still use this package with a separate partition (such as the shared swap) rather than keeping your pagefile on the C: drive.

Note: by default CryptoSwap will enable the Windows option to delete the pagefile on shutdown/reboot (see 'Windows - Delete the pagefile on reboot' above). This is not really necessary as the pagefile data is encrypted; it will just make shutting down take longer.

Luckily CryptoSwap contains a standard registry entry to disable this, which can be found in the directory you installed CryptoSwap to (e.g. 'C:\Program Files\CryptoSwap Guerilla').

Bugs and issues to note

Now that you have done all that work I should mention a few of the bugs you may experience.

Spyware software doesn't work

At least one free anti-spyware package, Spyware Doctor (free via Google Pack), may have errors when installing and loading on this system.

However AVG Anti-Spyware (free) and Windows Defender work fine with this system.
