Keeping Data Safe


AlGat
Member
I am trying to harden my defenses against the possibility of someone stealing my computer and then extracting data from it that will lead to identity theft. So I have come up with how I think I want to do it, but I want to have the strategy checked by you more knowledgeable folks.

I have a Legion 5i Pro gaming laptop with:
- Windows 11 Home
- Local account with a password, but this might change to an MS account if they continue to close the workarounds that users are finding.
- i7-12700H
- 16 GB DDR5 RAM
- CPU IRIS graphics running for normal apps
- RTX 3070 for higher demand apps such as gaming
- 1 TB Samsung NVMe SSD C: drive with Windows OS
- 2 TB Western Digital NVMe SSD D: drive for data
I think I have provided more system info than you need, but if you need more, I can certainly provide it.

I use the laptop for all of my computer needs:
- My company: books, invoicing, financial statements, government reporting, and corporate income taxes
- My personal finances: banking, investments, financial statements, and personal income taxes.
- Gaming
- KeePass password database with a very strong password

I currently have about 1.4 TB of data. Of that data, about 50 GB has information that would be high risk of identity theft. This includes Google drive and DropBox cloud storage which I use both for different purposes. I also have OneDrive but the bugs and issues make it unreliable and useless to me.

I share data between my laptop and my Samsung Note 9 cell phone via cloud storage (mostly via Google Drive). All sensitive data is stored in internal storage, and other data such as music, is on the SD card. Samsung phones will wipe clean after 10 failed login attempts, and I have an unguessable and complex password. So the data is quite safe on the phone.

I have two Western Digital external HDDs for monthly backup of my 1.4 TB of data. I back up the full 1.4 TB monthly to an external HDD which is stored in a safety deposit box at my bank, and I take the old backup from a month ago and put it into a lock box, which I use for the next month's backup.

So that is what it looks like now. My concern is that if someone breaks into my house and steals the very portable laptop, then the data is easily extracted by many methods. So I want to shut all the possible doors. This is what I came up with, and I want feedback and advice on it.

Step 1:
- In BIOS, make a BIOS admin password. Now a password is required for getting into BIOS
- In BIOS, make a user password. Now a password is required before it will boot.
I need the admin password to prevent someone going into BIOS and turning off the user password.

This prevents the many ways of defeating the password to start Windows, which I won't get into since there are numerous ways it can be done. I plan to use BitLocker, so it is important that the would-be hacker can't get into Windows and, with the click of a button, turn off BitLocker and un-encrypt it.

I will keep the need for a password when logging into my Windows Local Account.

Step 2:
- In Disk Management, shrink my C: drive to 800 GB
- In Disk Management, create a 200 GB E: drive for my sensitive data

Step 3:
- Put all sensitive data (company and personal books, etc) on the 200 GB E: drive
- Move all Windows personal folders (documents, downloads, etc) to the 200 GB E: drive
- Direct scanner to create files on the 200 GB E: drive
- Move OneDrive, GDrive and DropBox cloud storage folders to 200 GB E: drive

Step 4:
- Upgrade Windows 11 Home to Windows 11 Pro
- Use bitlocker to encrypt the 200 GB E: drive, no password
- Store the bitlocker recovery key in KeePass (KeePass database is on my laptop, cloud storage, on back up HDDs, and on my phone)

Question: If I use bitlocker to encrypt a drive containing cloud storage folders, does that mean the files are encrypted on the cloud, and therefore unusable by any other devices such as my phone?

Step 5 (maybe):
Question: Can I use BitLocker to encrypt the external HDD with a password, or would I need to use the recovery key each time I want to access the data? Again, the recovery key would be kept in KeePass.

So that is the plan. I think it is pretty robust. It can still be defeated by removing the battery on the laptop motherboard to reset the BIOS, which defeats the user password, but that is highly unlikely for someone to do on a laptop due to difficult access.

I think it is a good plan but mostly I am wondering about encrypting the cloud storage like that. And wondering how to make the encrypted external HDD back ups useable.

I have never used it, but BitLocker looks ideal for this, but maybe there is another product? I have WD drives, so maybe their free software is a better choice?

I look forward to your feedback and advice.
Windows Build/Version
Windows 11 Home - 22H2 - 22621.1413

neemobeer
Active member, VIP
Steps 1-3 are a waste of time. BitLocker is a good option, and yes, you can use BitLocker To Go on external drives (it would require a password to access the drive).

BitLocker w/TPM will not require entering a code every time, as the key is stored in the TPM. Be aware that nothing is 100% secure, including BitLocker. I have seen attacks on the TPM: since data is not encrypted from the TPM to Windows, the key can technically be read literally on the wire, but the skill set is pretty high for this attack.

An alternative to BitLocker would be VeraCrypt, which allows you to create encrypted containers (you would then want to move all your sensitive data into that container).

You also want to make sure you have reliable EPP (endpoint protection) and a firewall. Since a device is basically not encrypted in use you could more easily have someone steal your data with malware while the device is in use.

AlGat
Member, Thread Starter
neemobeer said: Steps 1-3 are a waste of time.
Thank you for the feedback.

I am just a user with no experience in this. So this is just my idea of how to do it after researching options. But my research says that a password on the BIOS would prevent the computer from booting up at all, and that it is actually pretty hard to defeat? The idea is that the only way to get the data is to take the back off the laptop and physically remove the SSD.

I guess that is wrong?

From what I read, BitLocker reduces drive speed by about 20%, so to keep the system fast, I didn't want to encrypt the entire C: drive. That is why I was creating a smaller drive with only sensitive data to encrypt.

neemobeer
Active member, VIP
Most firmware passwords are trivial to defeat.

Drive performance takes a hit of between 1-5%, especially if you're using XTS-AES encryption.

My disk performance is only down 4% both read and write with Bitlocker.

AlGat
Member, Thread Starter
Thank you neemobeer.

5% is not too bad, and it would certainly simplify things if I can just encrypt it all with either BitLocker or VeraCrypt.

I assume you are suggesting that when encrypted, I should also have a password. That way, no matter whether they break into the computer or physically remove the drive, the data is protected. I was hoping to avoid multiple passwords, but I guess that was an unrealistic hope in light of my goals.

Clearly I need to do more research and modify my plan accordingly.

neemobeer
Active member, VIP
I would just use the TPM protector and add the recovery password protector. The recovery password can be saved in a secure place in case you need to gain access to the drive offline or something trips the TPM.

PowerShell:
Enable-BitLocker -MountPoint C: -EncryptionMethod XtsAes256 -UsedSpaceOnly:$false -TpmProtector
Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector

The recovery password will output to the screen so you can copy and paste it somewhere to save it.
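As an added example (not neemobeer's code, and not from the original thread), this follows on from the two commands above and from the earlier reply about BitLocker To Go: it reads back the 48-digit recovery password so it can be filed away, then protects an external backup drive with a password so the recovery key is only needed as a fallback. It assumes Windows 11 Pro, an elevated PowerShell session, and that the external HDD is mounted as F: (a placeholder; substitute the real letter).

```powershell
# Added example, not part of the original thread. Requires an elevated prompt on Windows Pro.

# 1. Confirm C: is protected by the TPM and has a recovery password protector.
$sys = Get-BitLockerVolume -MountPoint 'C:'
$sys | Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, EncryptionPercentage

$tpm = $sys.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }
if (-not $tpm) { Write-Warning 'No TPM protector on C: - the drive would need a password at every boot.' }

# 2. Print every recovery password with its protector ID; the ID is what BitLocker asks for
#    (first 8 characters) at the recovery screen, so record both together in KeePass or on paper.
$recovery = $sys.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) { throw 'No recovery password protector on C: - add one before relying on the TPM.' }
foreach ($rp in $recovery) {
    '{0}  {1}' -f $rp.KeyProtectorId, $rp.RecoveryPassword
}

# 3. External backup HDD (placeholder letter F:): BitLocker To Go with a password protector,
#    plus a recovery password as a fallback if the password is ever forgotten.
$ext = 'F:'
$pw  = Read-Host -AsSecureString -Prompt "Password for backup drive $ext"
Enable-BitLocker -MountPoint $ext -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw
Add-BitLockerKeyProtector -MountPoint $ext -RecoveryPasswordProtector

# 4. Day-to-day access uses the password, not the recovery key:
#    Unlock-BitLocker -MountPoint $ext -Password $pw
#    Lock-BitLocker   -MountPoint $ext -ForceDismount
(Get-BitLockerVolume -MountPoint $ext).KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

Encryption of the external drive continues in the background; check EncryptionPercentage on that volume before relying on it, and keep the recovery password for F: with the one for C:.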

glasskuter
Well-known member, Pro User, VIP
That's just... Wow... Pretty extreme security measures.

AlGat said: Question: If I use bitlocker to encrypt a drive containing cloud storage folders, does that mean the files are encrypted on the cloud, and therefore unusable by any other devices such as my phone?
Anything in the cloud is encrypted at the server level automatically, whether your drive is encrypted with BitLocker or not. Only files you have selected in your OneDrive settings to also have a presence on your hard drive would also be encrypted at the drive level. Screenshots #1 and #2 show my examples.

OneDrive also has an area called your Personal Vault for storing sensitive data. Protect your OneDrive files in Personal Vault - Microsoft Support

All the security measures in the world will not protect you 100%. Be aware that password managers can be and have been hacked. In 2022 over 30 million LastPass users were breached, including their vaults. They're not the only one, as other major password managers have reported breaches in the past. In 2023 researchers found a vulnerability in KeePass that could be exploited, which KeePass is denying and seems unwilling to fix. This huge password manager exploit may never get fixed | Digital Trends

If you choose to use BitLocker with a local account, know that Microsoft is unable to provide a lost BitLocker key. Each drive will have its own 48-digit recovery key. It will be up to you to save the keys on a flash drive, memory card, or a printed copy. If one uses an MS account, a record of the key is automatically saved in your account in case it is lost, but with a local account you're on your own. I suppose saving a record of BitLocker recovery keys in one's OneDrive Personal Vault could also be an option in this case.