Keeping Data Safe


AlGat

Member
OS
Windows 11 Pro
I am trying to harden my defenses against the possibility of someone stealing my computer and then extracting data from it that will lead to identity theft. So I have come up with how I think I want to do it, but want to check the strategy with you more knowledgeable folks.

I have a Legion 5i Pro gaming laptop with:
- Windows 11 Home
- Local account with a password, but this might change to MS account if they continue to close the work arounds that users are finding.
- i7-12700H
- 16 GB DDR5 RAM
- CPU IRIS graphics running for normal apps
- RTX 3070 for higher demand apps such as gaming
- 1 TB Samsung NVMe SSD C: drive with Windows OS
- 2 TB Western Digital NVMe SSD D: drive for data
I think I have provided more system info than you need, but if you need more then I can certainly provide them.

I use the laptop for all of my computer needs:
- My company: books, invoicing, financial statements, government reporting, and corporate income taxes
- My personal finances: banking, investments, financial statements, and personal income taxes.
- Gaming
- KeePass password database with a very strong password

I currently have about 1.4 TB of data. Of that data, about 50 GB has information that would be high risk of identity theft. This includes Google drive and DropBox cloud storage which I use both for different purposes. I also have OneDrive but the bugs and issues make it unreliable and useless to me.

I share data between my laptop and my Samsung Note 9 cell phone via cloud storage (mostly via Google Drive). All sensitive data is stored in internal storage, and other data such as music, is on the SD card. Samsung phones will wipe clean after 10 failed login attempts, and I have an unguessable and complex password. So the data is quite safe on the phone.

I have two Western Digital external HDDs for monthly backups of my 1.4 TB of data. I back up the full 1.4 TB monthly to an external HDD which is stored in a safety deposit box at my bank, and I take the old backup from a month ago and put it into a lock box, which I use for the next month's backup.

So that is what it looks like now. My concern is that if someone breaks into my house and steals the very portable laptop, then the data is easily extracted by many methods. So I want to shut all the possible doors, and this is what I came up with, and want feedback and advice on...

Step 1:
- In BIOS, make a BIOS admin password. Now a password is required for getting into BIOS
- In BIOS, make a user password. Now a password is required before it will boot.
I need the admin password to prevent someone going into BIOS and turning off the user password.

This prevents the many ways of defeating the password to start Windows, which I won't get into (there are numerous ways it can be done). I plan to use BitLocker, so it is important the would-be hacker can't get into Windows and, with the click of a button, turn off BitLocker and decrypt it.

I will keep the need for a password when logging into my Windows Local Account.

Step 2:
- In Disk Management, shrink my C: drive to 800 GB
- In Disk Management, create a 200 GB E: drive for my sensitive data

Step 3:
- Put all sensitive data (company and personal books, etc) on the 200 GB E: drive
- Move all Windows personal folders (documents, downloads, etc) to the 200 GB E: drive
- Direct scanner to create files on the 200 GB E: drive
- Move OneDrive, GDrive and DropBox cloud storage folders to 200 GB E: drive

Step 4:
- Upgrade Windows 11 Home to Windows 11 Pro
- Use bitlocker to encrypt the 200 GB E: drive, no password
- Store the bitlocker recovery key in KeePass (KeePass database is on my laptop, cloud storage, on back up HDDs, and on my phone)

Question: If I use bitlocker to encrypt a drive containing cloud storage folders, does that mean the files are encrypted on the cloud, and therefore unusable by any other devices such as my phone?

Step 5 (maybe):
Question: Can I use BitLocker to encrypt the external HDD with a password, or would I need to use the recovery key each time I want to access the data? Again, the recovery key would be kept in KeePass.

So that is the plan. I think it is pretty robust. It can still be defeated by removing battery on laptop motherboard to reset BIOS which defeats the user password, but that is highly unlikely for someone to do on a laptop due to difficult access.

I think it is a good plan but mostly I am wondering about encrypting the cloud storage like that. And wondering how to make the encrypted external HDD back ups useable.

I have never used it, but BitLocker looks ideal for this, but maybe there is another product? I have WD drives, so maybe their free software is a better choice?

I look forward to your feedback and advice.

Windows Build/Version
Windows 11 Home - 22H2 - 22621.1413

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo Legion
    CPU
    i7-12700H
    Memory
    16 GB (2x8GB) DDR5 4800
    Graphics Card(s)
    RTX 3070
    Hard Drives
    1 TB Samsung NVMe SSD with Windows OS
    2 TB Western Digital NVMe SSD
    Internet Speed
    650 MB/s
    Browser
    Chrome
Steps 1-3 are a waste of time. BitLocker is a good option, and yes, you can use BitLocker To Go on external drives (it would require a password to access the drive).

BitLocker w/TPM will not require entering a code every time, as the key is stored in the TPM. Be aware that nothing is 100% secure, including BitLocker. I have seen attacks on the TPM: since data is not encrypted from the TPM to Windows, the key can technically be read literally on the wire, but the skill set is pretty high for this attack.

An alternative to BitLocker would be VeraCrypt, which allows you to create encrypted containers (you would then want to move all your sensitive data into that container).


You also want to make sure you have reliable EPP (endpoint protection) and a firewall. Since a device is basically not encrypted while in use, you could more easily have someone steal your data with malware while the device is in use.
 

My Computer

System One

  • OS
    Windows 11
Steps 1-3 are a waste of time.
Thank you for the feedback.

I am just a user with no experience in this. So these are just my ideas of how to do it after researching options. But my research says that a password on the BIOS would prevent the computer from booting up at all, and that it is actually pretty hard to defeat? The idea is that the only way to get the data is to take the back off the laptop and physically remove the SSD.

I guess that is wrong?

From what I read, bitlocker reduces drive speed by about 20% so to keep the system fast, I didn't want to encrypt the entire C drive. That is why I was creating a smaller drive with only sensitive data to encrypt.
 

Most firmware passwords are trivial to defeat.

Drive performance takes a hit of between 1% and 5%, especially if you're using XTS-AES encryption.

My disk performance is only down 4% both read and write with Bitlocker.
 

Thank you neemobeer.

5% is not too bad, and it would certainly simplify things if I can just encrypt it all with either BitLocker or VeraCrypt.

I assume you are suggesting that when encrypted, I should also have a password. That way, no matter whether they break into the computer or physically remove the drive, the data is protected. I was hoping to avoid multiple passwords, but I guess that was an unrealistic hope in light of my goals.

Clearly I need to do more research and modify my plan accordingly.
 

I would just use the TPM protector and add the recovery password protector. The recovery password can be saved in a secure place in case you need to gain access to the drive offline or something trips the TPM.

Powershell:
# Encrypt C: with XTS-AES 256 over the whole volume, unlocked by the TPM at boot
Enable-BitLocker -MountPoint C: -EncryptionMethod XtsAes256 -UsedSpaceOnly:$false -TpmProtector
# Add a 48-digit recovery password as a second protector (it is written to the console)
Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector

The recovery password will output to the screen so you can copy and paste it somewhere to save it.
 

That's just...Wow... Pretty extreme security measures.

Question: If I use bitlocker to encrypt a drive containing cloud storage folders, does that mean the files are encrypted on the cloud, and therefore unusable by any other devices such as my phone?
Anything in the cloud is encrypted at the server level automatically, whether your drive is encrypted with BitLocker or not. Only files you have selected in your OneDrive settings to also have a presence on your hard drive would also be encrypted at the drive level. Screenshots #1 and #2 show my examples.

OneDrive also has an area called your Personal Vault for storing sensitive data. Protect your OneDrive files in Personal Vault - Microsoft Support

All the security measures in the world will not protect you 100%. Be aware that password managers can and have been hacked. In 2022 over 30 million LastPass users were breached, including their vaults. They're not the only one, as other major password managers have reported breaches in the past. In 2023 researchers found a vulnerability in KeePass that could be exploited, which KeePass is denying and seems to be unwilling to fix. This huge password manager exploit may never get fixed | Digital Trends

If you choose to use BitLocker with a local account, know that Microsoft is unable to provide a lost BitLocker key. Each drive will have its own 48-digit recovery key. It will be up to you to save the keys on a flash drive, memory card, or to a printed copy. If one uses an MS account, a record of the key is automatically saved in your account in case it is lost, but with a local account you're on your own. I suppose saving a record of BitLocker recovery keys in one's OneDrive Personal Vault could also be an option in this case.

Attachments

  • #1.png
  • #2.png

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3296
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
Thank you everyone for your replies. The reason for my long silence is that I have researched all of the answers, and tried to determine which of the options suggested will fit what I am trying to accomplish.

First observation is that no matter what I do, if someone is knowledgeable enough, and willing to put in the effort, then it probably can be defeated. So my goal is to make it difficult enough to defeat the vast majority of people, and hopefully hard enough that even the knowledgeable ones will not think it worth the time and effort.

My other goal is to make it easy to use. I am the only user, so I want a password to get into the laptop. I want the data encrypted so if they remove the drive then the data is protected. Those are the two avenues to get at the data blocked. I do not want a bunch of long complex passwords for every drive, folder and / or file that I open - once in the computer, I want it to be efficient.

So I am in the process of setting it up now:

I switched to log in with MS Account. I strengthened the password and turned on two step verification. That advice was given to ensure bitlocker codes are available in the account data.

In BIOS I set the admin password, and turned on "ask for password on power up", which is also the admin password. When I turn it on, or reboot, the first thing it does is ask for the password; it will not boot into any device without the password.
According to Lenovo, if I lose the password then the only option is to replace the motherboard.

So I have to give password at power up, and then password to get into windows.

All of my sensitive data is on the second 2 TB SSD, which is D: drive.

I am going to upgrade to Windows 11 Pro for bitlocker. Unfortunately, my laptop does not have "modern standby" so device encryption in my Windows 11 Home is not available. So I will just do the upgrade and then I will have the full bitlocker capabilities.

I plan to use bitlocker to encrypt the entire D: drive. No password to access because I am assuming it is very hard to defeat the power on password protection. I might also encrypt the User Folder as well --- I am still thinking about that but I probably won't unless there is a compelling reason.

I looked at using OneDrive Vault, and other encryption software but they all require passwords to access the data, and I don't want to be constantly typing passwords. I think bitlocker is tailor made for what I am trying to do. I just want it encrypted in the event that someone removes the drive and tries to read it on another computer.

It is simplified thanks to all of your advice. I understand that it is not invincible, and that nothing can be, but I think this is pretty robust.
 

this is pretty robust
A bit more than robust, I would say. If it suits you, that's all that matters. I'm glad you worked everything out to your satisfaction.
 

I finished setting it up. So this is my last post to let you know how it went.

I found out that I cannot use Auto Unlock on the data drive unless I encrypt the OS drive. So I encrypted both drives and set the data drive to Auto Unlock. I actually like that better because now I don't have to worry about keeping sensitive data on just one drive.

I was a bit afraid of it, but it all went smoothly once I figured out why the Auto Unlock wasn't working on the data drive.

So I have two passwords: BIOS power-on password and Windows login PIN, and then once in Windows it acts the same as it did.

The encryption was really fast for an SSD. I did the full 2 TB drive (encrypted unused space) and expected it to take days. It took about 20 minutes, and Task Manager said data transfer was at 1.8 GB/s. So even that went better than expected; wow, SSDs are fast.
 

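The thread settles on one configuration: the OS drive protected by the TPM plus a recovery password (neemobeer's two PowerShell lines), and the data drive encrypted and set to Auto-Unlock, which the last post found only works once the OS drive itself is BitLocker-protected. The script below is an added example, not code posted in this thread or shipped by Microsoft; it applies that configuration idempotently and then audits both volumes against it. It assumes C: is the OS drive, D: is the data drive, an elevated PowerShell on Windows 11 Pro, and a TPM that is already ready; the `Get-BitLockerAudit` function and the `$OsDrive`/`$DataDrive` names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Drive letters are assumptions.
$OsDrive   = 'C:'
$DataDrive = 'D:'

function Get-BitLockerAudit {
    # Report one volume's state against the protectors it is expected to have.
    param(
        [Parameter(Mandatory)] [string]   $MountPoint,
        [Parameter(Mandatory)] [string[]] $RequiredProtectors,
        [bool] $ExpectAutoUnlock = $false
    )
    $vol     = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $present = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $missing = @($RequiredProtectors | Where-Object { $present -notcontains $_ })
    $autoOk  = (-not $ExpectAutoUnlock) -or ($vol.AutoUnlockEnabled -eq $true)
    [pscustomobject]@{
        MountPoint        = $MountPoint
        ProtectionStatus  = $vol.ProtectionStatus   # 'On' = protectors active, key not stored in the clear
        EncryptionMethod  = $vol.EncryptionMethod   # expect XtsAes256
        VolumeStatus      = $vol.VolumeStatus       # FullyEncrypted / EncryptionInProgress / ...
        Protectors        = ($present -join ', ')
        MissingProtectors = ($missing -join ', ')
        AutoUnlock        = $vol.AutoUnlockEnabled
        Compliant         = ($vol.ProtectionStatus -eq 'On') -and ($missing.Count -eq 0) -and $autoOk
    }
}

# 1. Enable-BitLocker -TpmProtector fails unless the TPM is owned and ready.
$tpm = Get-Tpm
if (-not $tpm.TpmReady) {
    throw "TPM is not ready (present=$($tpm.TpmPresent)); enable it in UEFI setup first."
}

# 2. OS drive: TPM protector (no extra prompt at boot) plus a recovery password
#    for when the TPM measurements change (firmware update, board replacement).
$os = Get-BitLockerVolume -MountPoint $OsDrive
if ($os.ProtectionStatus -ne 'On') {
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly:$false -TpmProtector
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
}

# 3. Data drive: encrypt with a recovery password protector, then let the protected
#    OS volume unlock it automatically so no second password is typed after sign-in.
#    Enable-BitLockerAutoUnlock is rejected while the OS drive is still unprotected.
$data = Get-BitLockerVolume -MountPoint $DataDrive
if ($data.ProtectionStatus -ne 'On') {
    Enable-BitLocker -MountPoint $DataDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly:$false -RecoveryPasswordProtector
}
if ($data.AutoUnlockEnabled -ne $true) {
    Enable-BitLockerAutoUnlock -MountPoint $DataDrive
}

# 4. Show each drive's 48-digit recovery password once, so it can be stored off the
#    laptop (Microsoft account, printout, or the KeePass database mentioned in the thread).
foreach ($mp in $OsDrive, $DataDrive) {
    (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object @{ n = 'Drive'; e = { $mp } }, KeyProtectorId, RecoveryPassword
}

# 5. Audit both volumes against the intended configuration.
Get-BitLockerAudit -MountPoint $OsDrive   -RequiredProtectors 'Tpm', 'RecoveryPassword'
Get-BitLockerAudit -MountPoint $DataDrive -RequiredProtectors 'RecoveryPassword' -ExpectAutoUnlock $true
```

Because every step is guarded by a status check, the script can be run twice: the first run enables the OS drive and schedules BitLocker's hardware test for the next restart, and after that reboot the second run completes the data drive and Auto-Unlock steps and reports both volumes as Compliant. A `MissingProtectors` value of `RecoveryPassword` on either drive is the situation the thread warns about, where a TPM change or a moved disk would leave no way back into the data.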
