Encryption without admin rights.

weringpeter
Joined: 2010-06-14 08:48
Encryption without admin rights.

I was reading on flash encryption that allows use without admin rights.
Is TrueCrypt with autorun file still the best way to go?

I found this tutorial, but it's pretty old:
http://glosoli.blogspot.com/2005/09/encrypted-thumb-drive-and-autoplay.html

If there is a better solution to this please let me know.

John T. Haller
Admin, Developer, Moderator
Joined: 2005-11-28 22:21
Admin Required

All encryption software that's doing whole-drive encryption or virtual folder encryption requires admin rights. Period. There's no way around that.

The way to do encryption without admin is to buy a drive that supports it at the hardware layer.

Sometimes, the impossible can become possible, if you're awesome!

Ibiscus
Joined: 2010-07-05 11:26
Encryption on flash drive doesn't necessarily require admin rights

FreeOTFE Explorer provides a very strong and efficient encryption on a virtual folder without any need of admin rights. I've no doubt that "impossible can become possible" ;)

FreeOTFE and FreeOTFE Explorer are free, open source and both exist in PortableApps.com Format.

Why then aren't they proposed here?

I've heard that masters teaching novices will certainly access paradise once in their life. (true!)

John T. Haller
Admin, Developer, Moderator
Joined: 2005-11-28 22:21
Not The Same

You can encrypt individual files on and off. But to use and access them in any program, you need to copy them out into the unencrypted area.

So, while FreeOTFE Explorer is great for getting at your individual documents, for example, when you don't have admin rights, it can't be used for your apps, app settings, etc. Basically, it's a nice backup for use with FreeOTFE when you don't have admin rights, but it's severely limited compared to whole drive encryption you can achieve with a drive with hardware support (or software encryption with admin rights which gives you the same access).

Sometimes, the impossible can become possible, if you're awesome!

GaryDZ
Joined: 2011-03-09 23:31
encryption without admin

I know this is an OLD topic, but I figured I'd respond in case someone searches this out.

I have tried every thumb drive encryption program I could find.... They all either require Admin Rights or you can only work in a Shell, which is not able to run Portable Apps.

I agree with the above comment....

I finally found a great work-around.... that does not require Admin Rights.

I have been a BIG fan of U3 drives for years.... I know they are not popular here. I was educated about the limitations when I first joined here.

I realize that they are no longer supported by SanDisk and that they had potential Security risks of leaving some traces of the apps behind.

The PortableApps here are far better....and Modern versions!!!!

My solution---- Install and run the PortableApp suite off of a U3 drive with the Password security enabled. It does not require Admin Rights to run...The password protection may not be Fort Knox, but it is enough for the level of security I need.

Ok... looking for U3 drives on eBay and Amazon... they are crazy expensive.

BUT, I just found out that any SanDisk Cruzer Micro and Extreme Contour can have the U3 software installed. It has to be CRUZER MICRO... not just Cruzer. I just picked up a 16gig SDCZ6-016G-A11 for $15 and installed the U3 software.

You can still get the U3 software off of SanDisk's web site.... NOTE: you need to install it from either a Windows XP computer or in a Virtual XP.

Gary

John T. Haller
Admin, Developer, Moderator
Joined: 2005-11-28 22:21
No Need

There's no need to buy an old U3 drive, just buy any drive with hardware encryption. Better security, it'll still work and be supported. And you won't get the deader-than-a-doornail U3 on it.

Sometimes, the impossible can become possible, if you're awesome!

weringpeter
Joined: 2010-06-14 08:48
Safest way of access.

What is the safest way (way that leaves the smallest footprint) of accessing your already encrypted files on a flash drive used on a company or cyber cafe computer without admin rights?
With autorun file on the flash drive or something else?
Is there any way of protecting the TrueCrypt password when using your flash drive on a company or cyber cafe computer without admin rights?

Which flash drives support encryption at the hardware level?
And why would this way be any safer than a simple truecrypt encoded flash drive?

Whatever is good, is not bad.

Jimbo
Joined: 2007-12-17 05:43
I think you're getting some of the techniques confused

There are basically three ways to encrypt data on a flash drive and access it.

1) On The Fly Encryption (OTFE). This makes the data-set visible as if it were unencrypted, usually as a drive letter, after you enter the password. Any application can therefore work with the files normally. It can be done in hardware or in software, but the software versions (e.g. FreeOTFE, TrueCrypt) need admin rights. This is a Windows limitation and will never be possible to work around.

2) Using a non-admin tool to access data from a container used by OTFE software, such as TCExplorer or FreeOTFE Explorer. This also pertains to using password-protected zip (or other archive format) files. This has the major disadvantage that for apps to work with the file data, you need to manually decrypt the file and place a clear-text copy of it somewhere for the app to load. Even if you use a secure eraser, you can't be sure that the file wasn't re-saved into a different place on disk if you edited it, thus leaving a clear-text version somewhere on the host machine.

3) Apps that natively support encryption, such as KeePass. These are safe to use since they manage the on-disk encryption internally, meaning that the clear-text data never needs to be written.

So, to answer your questions, as best I can:

weringpeter
What is the safest way (way that leaves the smallest footprint) of accessing your already encrypted files on a flash drive used on a company or cyber cafe computer without admin rights?

None of them - All the software-only methods will require you to make a clear-text copy of the files you are working with, and unless you secure-erase the entire free-space of the machine after you finish, you can't be sure to have deleted it completely. You can mitigate this by only saving the working copy to your flash drive, but secure-erasing that every time would seriously reduce its lifespan.

weringpeter
With autorun file on the flash drive or something else?

This is a meaningless question. Using autorun, which is only supported on certain versions of Windows anyway, makes no difference whatsoever to the level of security compared to manually running the encryption system yourself.

weringpeter
Is there any way of protecting the TrueCrypt password when using your flash drive on a company or cyber cafe computer without admin rights?

No and yes. You are at risk from software and hardware keyloggers, and the usual methods will help there, but you can also use a keyfile, which would mean that unless the attacker had both the drive, and the password, and the knowledge of what the keyfile was (which could even be on a second flash drive), they could not access your data.

weringpeter
Which flash drives support encryption at the hardware level?

Sorry, can't help, I have no direct experience of hardware-encrypted drives. Do be aware though, that some such drives need to have admin access anyway for the password entry app.

weringpeter
And why would this way be any safer than a simple truecrypt encoded flash drive?

Because in the case that you do not have admin access, then you would need to make a clear-text copy of the TrueCrypt protected data, which would not be necessary with a non-admin-requiring hardware encrypted drive.
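
Jimbo's point about method 2 leaving clear-text copies on the host, as an added example (not code from any poster in this thread): a Python sketch that, before you unplug, searches host directories you can read for live files matching your decrypted working copies by content or by name. It cannot see deleted-but-unwiped data; the function names and the sample files in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_working_copies(work_dir):
    """Map lower-cased file name -> (size, sha256) for each decrypted working copy."""
    return {p.name.lower(): (p.stat().st_size, sha256_file(p))
            for p in Path(work_dir).rglob("*") if p.is_file()}


def find_leftovers(index, host_roots, work_dir):
    """Return sorted (path, reason) for host files that look like working copies."""
    work_dir = Path(work_dir).resolve()
    sizes = {size for size, _ in index.values()}
    digests = {digest for _, digest in index.values()}
    hits = []
    for root in host_roots:
        for dirpath, _dirs, files in os.walk(root):  # unreadable dirs are skipped
            for name in files:
                p = Path(dirpath, name).resolve()
                if work_dir in p.parents:
                    continue  # the working copy itself, not a leftover
                try:
                    # Hash only size-matched files so a large profile scans quickly.
                    if p.stat().st_size in sizes and sha256_file(p) in digests:
                        hits.append((str(p), "exact copy"))
                    elif name.lower() in index:
                        # An edited re-save has a new hash but usually keeps its name.
                        hits.append((str(p), "same name, content differs"))
                except OSError:
                    continue  # locked or vanished file: nothing we can check
    return sorted(hits)


def demo():
    """Constructed sample: a working directory and a fake host profile."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp, "usb_work")
        host = Path(tmp, "host_profile", "Temp")
        work.mkdir()
        host.mkdir(parents=True)
        (work / "budget.txt").write_text("rent 900\n")
        (host / "~autosave1.tmp").write_text("rent 900\n")         # exact copy, new name
        (host / "budget.txt").write_text("rent 900\nfood 200\n")   # edited re-save
        (host / "unrelated.log").write_text("nothing here\n")
        hits = find_leftovers(index_working_copies(work), [host.parent], work)
        return [(Path(p).name, why) for p, why in hits]


if __name__ == "__main__":
    for name, why in demo():
        print(f"{why}: {name}")
```

For a real session, pass the host's temp and profile directories (for example `tempfile.gettempdir()` and `Path.home()`) as `host_roots`, and the folder holding your decrypted files as `work_dir`.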

Darkbee
Joined: 2008-04-14 09:41
why?

I know that IronKey is a secure flash drive that has cropped up a number of times on here.

As always, I have to ask what people are doing that they feel the need for such uber secrecy. If you're doing something that is so highly secretive and requires such extensive security measures then you probably shouldn't be doing it on public computers.

Your best defense against hackers/sensitive data loss is common sense. Always is and always will be, since ANY procedure or process that involves human contact is by its very nature insecure.

I think there are software solutions available that should cover a vast percentage of most peoples' basic security needs. No need for retina scans and DNA analysis yet.

ottosykora
Joined: 2007-10-11 17:48
right, very right

People sometimes think that products like IronKey etc. are somehow total security.
Apparently advertising has bigger power than common sense.
OK, if you lose such a stick, it is lost, the data on it too, but nobody can retrieve the data when he just finds the stick somewhere. This is the only secure part of it. This is offered by many manufacturers now, SanDisk, Kingston, disk2go, etc.

During the actual use of the IronKey (or other similar product) the data is not more, not less safe than when you use a floppy disk, any other stick or whatever.
Same is valid for any solution like TrueCrypt etc.: once the file is open, it is open, full stop.

One small snag is that when the stick is still encrypted, it is not easy to communicate with it; to send the password to it requires communication to a periphery device and this needs admin rights.
But there are workarounds for that, so products like IronKey do not need admin rights to send the password to the controller; they can even be connected under Linux if needed.

Special solutions might be the entry of the password not via the USB port. I own such a gadget myself: http://www.corsair.com/products/padlock2/default.aspx
There are some with a fingerprint module on them, but some of those also need a Windows machine to calculate the fingerprint number.

But all have one thing in common: when in use, content is open to everybody.

Otto Sykora
Basel, Switzerland

crux
Joined: 2008-06-13 18:10
Some things should be kept secret.

As always, I have to ask what people are doing that they feel the need for such uber secrecy.

I am sure that people would answer you if it weren't a secret. It may have something to do with the fact that some people always have to ask what other people are doing.

It could be love letters, a chili recipe or something involving money. I don't see anything wrong with trying to raise the bar for people who would like to read somebody else's personal data.

Darkbee
Joined: 2008-04-14 09:41
Individual Encryption

But then you're talking about one or two files, which can be encrypted individually (or use note-taking software that utilizes encryption). You don't need a military-grade encrypted super-computer placed in a nuclear bunker to protect those files. I understand that people want to keep their stuff™ private, which is fine, I just don't understand the panic and hysteria that surrounds it sometimes. Simple software solutions will be adequate in most day-to-day scenarios.

And just to be clear, this isn't directed necessarily at the OP, just in general.

Jimbo
Joined: 2007-12-17 05:43
As someone who does encrypt

the key things that I encrypt include

my email (in Thunderbird Portable), which would involve manually decrypting/working with/re-encrypting 327MB, in 872 files

my web browsing - mainly cookies, but history, form history etc. are nice, which is about 8 files embedded somewhere within the FFP profile

my IM chatlogs etc, which are scattered around my IM client, but total 63MB in 234 files.

my personal banking accounts transaction data (GNUCash portable), only 34 MB in 43 files, that time.

It would be extremely inconvenient, and slow for me to, say, use a file-by-file encryption system for these, and little better if I were to use password protected zips.

Since I do have admin access at the places that I need access to this data, then all it takes is a double click to mount up the TrueCrypt container, then entry of a single password, and it all just works.

There may not be anything on the partition that needs such high security, but the level of convenience that goes with it is fantastic.

weringpeter
Joined: 2010-06-14 08:48
Truecrypt portable

I found this text about portable truecrypt.

Portable Mode

TrueCrypt can run in so-called portable mode, which means that it does not have to be installed on the operating system under which it is run. However, there are two things to keep in mind:

* You need administrator privileges in order to be able to run TrueCrypt in portable mode (for reasons, see the chapter Using TrueCrypt Without Administrator Privileges).

Also note that, as regards personal privacy, in most cases, it is not safe to work with sensitive data under systems where you do not have administrator privileges, because the administrator can easily capture and copy the sensitive data, including the passwords and keys.

* After examining the registry file, it may be possible to tell that TrueCrypt was run (and that a TrueCrypt volume was mounted) on a Windows system even if it had been run in portable mode.

If you need to solve these problems, we recommend using BartPE for this purpose. For further information on BartPE, see the question "Is it possible to use TrueCrypt without leaving any 'traces' on Windows?" in the section Frequently Asked Questions.

There are two ways to run TrueCrypt in portable mode:

* After you extract files from the TrueCrypt self-extracting package, you can directly run TrueCrypt.exe.

Note: To extract files from the TrueCrypt self-extracting package, run it, and then select Extract (instead of Install) on the second page of the TrueCrypt Setup wizard.

* You can use the Traveler Disk Setup facility to prepare a special traveler disk and launch TrueCrypt from there.

The second option has several advantages, which are described in the following sections in this chapter.

Note: When running in portable mode, the TrueCrypt driver is unloaded when it is no longer needed (e.g., when all instances of the main application and/or of the Volume Creation Wizard are closed and no TrueCrypt volumes are mounted). However, if you force dismount on a TrueCrypt volume when TrueCrypt runs in portable mode, or mount a writable NTFS-formatted volume on Windows Vista or later, the TrueCrypt driver will not be unloaded when you exit TrueCrypt (it will be unloaded only when you shut down or restart the system). This prevents various problems caused by a bug in Windows (for instance, it would be impossible to start TrueCrypt again as long as there are applications using the dismounted volume).

Tools -> Traveler Disk Setup

You can use this facility to prepare a special traveler disk and launch TrueCrypt from there. Note that TrueCrypt 'traveler disk' is not a TrueCrypt volume but an unencrypted volume. A 'traveler disk' contains TrueCrypt executable files and optionally the 'autorun.inf' script (see the section AutoRun Configuration below). After you select Tools -> Traveler Disk Setup, the Traveler Disk Setup dialog box should appear. Some of the parameters that can be set within the dialog deserve further explanation:

Include TrueCrypt Volume Creation Wizard

Check this option, if you need to create new TrueCrypt volumes using TrueCrypt run from the traveler disk you will create. Unchecking this option saves space on the traveler disk.

AutoRun Configuration (autorun.inf)

In this section, you can configure the 'traveler disk' to automatically start TrueCrypt or mount a specified TrueCrypt volume when the 'traveler disk' is inserted. This is accomplished by creating a special script file called 'autorun.inf' on the traveler disk. This file is automatically executed by the operating system each time the 'traveler disk' is inserted.

Note, however, that this feature only works for removable storage devices such as CD/DVD (Windows XP SP2, Windows Vista, or a later version of Windows is required for this feature to work on USB memory sticks) and only when it is enabled in the operating system. Depending on the operating system configuration, these auto-run and auto-mount features may work only when the traveler disk files are created on a non-writable CD/DVD-like medium (which is not a bug in TrueCrypt but a limitation of Windows).

Also note that the 'autorun.inf' file must be in the root directory (i.e., for example G:\, X:\, or Y:\ etc.) of an unencrypted disk in order for this feature to work.

Whatever is good, is not bad.

Jimbo
Joined: 2007-12-17 05:43
running TC is easy....

if you have admin rights. There are launchers on this site that will handle it all for you.

There is even a menu fork that integrates it, and will allow a mix of applications on the normal and encrypted container (see http://geek-menu.sourceforge.net/ ). And JTH has mentioned in the past that it may be considered for a future version of the PortableApps Platform as well, though due to the admin-required nature, and relatively low demand, it is lower down the list than many other features.

Darkbee
Joined: 2008-04-14 09:41
or FreeOTFE

An alternative is FreeOTFE, which is an open source alternative to TrueCrypt. I've never used TrueCrypt but I'm led to believe they offer essentially the same functionality. Furthermore, the author offers FreeOTFE available for download in the PortableApps format.

I think what Jimbo is describing (using TrueCrypt or something like it) is probably the best solution if you have admin rights, and if you really feel you need that much security.

Tixue
Joined: 2009-04-04 14:10
Windows does not include on-the-fly-encryption by default

You can't do on-the-fly-encryption because Windows does not include it by default in the kernel, so you need to run a driver that requires kernel-mode to use cyphering, and so you need admin rights for on-the-fly.

>> This is a Windows limitation and will never be possible to work around.

I hope Windows 8 looks at this issue and allows non-admin users to use on-the-fly-encryption via a cyphering solution built into the operating system kernel, like the Windows Media Player, where you can play wmv even if you are a guest user.

Anyway, that could be a problem if the cyphering solution comes disabled "by default", and the administrator forgets to turn it on, so the best solution for Windows would be for it to come activated by default (as a service).

consul
Joined: 2007-05-02 13:47
win 7 enterprise

... has BitLocker installed on all the computers. It's not active on all my computers at work, but it can be.
It encrypts the hard drive and also requires USBs that are inserted to be encrypted if they want to save files to them.
When I use my encrypted USB on an older PC, like my friend's Win XP, it allows me to decrypt ... I am blanking on whether it was just one file or the USB for that temporary time that I was at the computer.

Don't be an uberPr∅. They are stinky.

ottosykora
Joined: 2007-10-11 17:48
not so sure

Since this is a function of the host Windows, it needs a number of things, like it has to have that separate 'system' partition and other things, and it is not included with XP. So whatever made you able to read files from it I am not sure, but not BitLocker itself.

Otto Sykora
Basel, Switzerland

Ed_P
Joined: 2007-02-19 09:09
Bitlocker To Go Reader works on XP.

Ed

ottosykora
Joined: 2007-10-11 17:48
ok understand

Did not know that they now have this sort of 'reader' for it too.
It is something like zip, 7zip or similar. Not on-the-fly encryption however.
Just software you can take with you and extract the parts to the local PC.

Otto Sykora
Basel, Switzerland
