Encryption software or password protection software

[umbra]

Hi ,

 I had an external hard drive and i want to encrypt only a part of it, lets say only one folder and all its sub folders or if this is not possible to put a password on a folder so that i can stop access to that folder and all its sub folders. This should work regardless any pc (operating system) the external hard disk will be plugged in.

 Please if you got an idea about this let me know.

 Thanks !

[jason2074]

Try reading here http://www.labnol.org/software/password-protect-folders-files/14323/

[ninjatex]

I would strongly suggest against using an "encryption" program that isn't open source. For your encryption needs, check out Truecrypt (truecrypt.org). You can encrypt a flash drive or make a "encrypted container" which is basically a glorified folder.

[umbra]

Hi ,

 Thank you for yours suggestions.

 I choose to use the TrueCrypt tool it seems more mature than previous one to me.

[Rob Pomeroy]

I would strongly suggest against using an "encryption" program that isn't open source.

Interesting point.  There are a couple of different schools of thought here.  A closed source solution could theoretically make use of a private encryption key, layering encryption over the top of the user-level encryption.  This could provide certain cryptographic advantages.  But as we've seen in the the BluRay world, these private keys have a habit of being leaked eventually.

Again in favour of the closed source model is the security-by-obscurity argument.  As any security professional will tell you, that's not true security, but when combined with other security approaches, it can enhance the security of a particular product.  A software company selling its encryption product has a vested interest in protecting its reputation by producing good quality (reasonably unbreakable) security products.

On the other hand, experience has tended to back up claims that TrueCrypt is one of the best products of its type on the market.  The fact that the code is open source, although it makes it possible for crackers to attempt to detect code vulnerabilities (e.g. the volatile memory problem), also makes it possible for other interested parties to audit and improve the code.

Personally, I would always use TrueCrypt, but that's only because it is not currently known to be seriously vulnerable in any meaningful way.  This product, like any of its type, will continually come under threat from crackers, security professionals, governments, etc., and you should always assume that eventually any security model will be defeated.  (TrueCrypt provides a plausible deniability feature to somewhat alleviate this problem.)  Unless TrueCrypt continues to be developed and improved, it will almost inevitably become obsolete eventually.  Where's the incentive for TrueCrypt development to continue, if there is no commercial reward for its production?  Altruism can come to an end, or the lead developer could go AWOL or worse.

For the above reasons, I would recommend keeping all security options open, including closed source solutions - they may well overtake the open source field at some point.  Never place a philosophical commitment over a practical reality.

[ninjatex]

Interesting point.  There are a couple of different schools of thought here.  A closed source solution could theoretically make use of a private encryption key, layering encryption over the top of the user-level encryption.  This could provide certain cryptographic advantages.  But as we've seen in the the BluRay world, these private keys have a habit of being leaked eventually.

Again in favour of the closed source model is the security-by-obscurity argument.  As any security professional will tell you, that's not true security, but when combined with other security approaches, it can enhance the security of a particular product.  A software company selling its encryption product has a vested interest in protecting its reputation by producing good quality (reasonably unbreakable) security products.

On the other hand, experience has tended to back up claims that TrueCrypt is one of the best products of its type on the market.  The fact that the code is open source, although it makes it possible for crackers to attempt to detect code vulnerabilities (e.g. the volatile memory problem), also makes it possible for other interested parties to audit and improve the code.

Personally, I would always use TrueCrypt, but that's only because it is not currently known to be seriously vulnerable in any meaningful way.  This product, like any of its type, will continually come under threat from crackers, security professionals, governments, etc., and you should always assume that eventually any security model will be defeated.  (TrueCrypt provides a plausible deniability feature to somewhat alleviate this problem.)  Unless TrueCrypt continues to be developed and improved, it will almost inevitably become obsolete eventually.  Where's the incentive for TrueCrypt development to continue, if there is no commercial reward for its production?  Altruism can come to an end, or the lead developer could go AWOL or worse.

For the above reasons, I would recommend keeping all security options open, including closed source solutions - they may well overtake the open source field at some point.  Never place a philosophical commitment over a practical reality.

Sure, it all depends on the situation. For the *average* user, doing *average* encryption, open-source is the way to go. If you're a large corporation or a government agency that can afford internal R&D and security audits then you can buy a little "security through obscurity" assuming you have a determined adversary who is targeting you specifically. So, unless you're the CIA, FBI, NSA then security through obscurity is nothing more than a fancy phrase you apply to something that isn't designed well or tested.
 
I'd like to note that "security through obscurity" does nothing unless you're doing the obscuring. If some third party company is doing it, you're weakest link is the third party not the encryption system.

"Security through obscurity" is a last-ditch security effort you add-on to actual security, not actual security. Anybody who has worked for the telephone companies in the 1970s-1980s can tell you the dangers of such an approach. Everybody needs good encryption and privacy from government agencies to journalists and whistleblowers. Open-source software and peer-review benefits all the parties.