File encryption with smart card for newcomers

Let's talk about smart cards and file encryption. Suppose you, or your company, already have smart cards. I want to use them on a standalone computer (a domain infrastructure provides more functionality, but that is a different setup). From my point of view, there are two solutions that fit this purpose best.

First place: a great and powerful tool called TrueCrypt, recommended by Bruce Schneier.

As a first step, point TrueCrypt to your PKCS#11 library (usually obtained from your card vendor) under Settings / Security Tokens.

Note: the library must match the bitness of the TrueCrypt executable that loads it. On 64-bit platforms the author points it to the x86 DLL (the 32-bit TrueCrypt build); if you run the x64 build, use the vendor's 64-bit DLL instead.

The second step is to open Keyfiles and choose the "Add Token Files" option.

You will be asked for the smart card PIN (the card must already be in the reader).


If there is no keyfile on the card yet (usually the case the first time you use the smart card this way), create one at this step: generate a random keyfile (Keyfiles / Generate Random Keyfile) and write it to the card with "Import Keyfile to Token".

Then change some settings to improve security:

- Run TrueCrypt as a background task.

- Enable all auto-dismount options and set the idle time-out to 20 minutes.

- Enable wiping of cached passwords and keyfiles on exit and on auto-dismount for added security.

Note: do not enable auto-mounting of favorite volumes. A password should still be required in addition to the keyfile, and auto-mount would remove that prompt.

For your convenience, add the encrypted volume to Favorites and assign hotkeys to mount and dismount it.
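The same mount and dismount can be scripted instead of clicked through. The following is an added example, not code from the original post: it uses the documented TrueCrypt 7.1a command-line switches (/tokenlib for the PKCS#11 library, /k with a token:// path for the keyfile on the card, /c n to disable password caching, /w to wipe the cache on dismount). The install path, the vendor DLL name, the container path, the token slot number and the keyfile name are assumptions for illustration.

```powershell
# Added example (not from the original post): scripted mount/dismount of a TrueCrypt
# volume whose keyfile is stored on the smart card. Assumes TrueCrypt 7.1a on Windows.
$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'
$Pkcs11Dll = 'C:\Windows\System32\vendor_pkcs11.dll'   # assumed vendor library; bitness must match TrueCrypt.exe
$Volume    = 'D:\secure\container.tc'                  # assumed container path
$Letter    = 'S'
# TrueCrypt addresses keyfiles on a token as token://slot/<slot>/file/<name>.
# Slot 0 and the name 'truecrypt_keyfile' are assumptions for this example.
$TokenKeyfile = 'token://slot/0/file/truecrypt_keyfile'

function Mount-SecureVolume {
    # Deliberately no /p (password) and no /tokenpin on the command line: TrueCrypt
    # prompts for both interactively, so neither secret ends up in the shell history,
    # a script file or the process list.
    # /c n  - do not cache the password in the driver
    # /h n  - do not save the volume path in the history
    # /q    - quit after mounting (the background task keeps auto-dismount working)
    & $TrueCrypt /v $Volume /l $Letter /k $TokenKeyfile /tokenlib $Pkcs11Dll /c n /h n /q
}

function Dismount-SecureVolume {
    # /d S  - dismount the volume on that drive letter
    # /f    - force dismount even if files are still open (same as auto-dismount does)
    # /w    - wipe any cached passwords and keyfiles from driver memory
    & $TrueCrypt /d $Letter /f /w /q
}

# Usage: Mount-SecureVolume ; ... work on S: ... ; Dismount-SecureVolume
```

Bind the two functions to the same hotkeys you configured in the GUI if you prefer the script, and keep the volume-history option off in the GUI as well, otherwise the container path is written to the TrueCrypt configuration file anyway.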
Everything looks great, except for a few security issues:

1. TrueCrypt stores the keyfile as a PIN-protected data object in the smart card's file system. This means that spyware running in the background can read the keyfile from the card while the user's PIN session is open. (I haven't seen such a program yet, but a combined keyfile-and-PIN "phishing" attack of this kind is possible.)

2. The user must mount the volume before use and dismount it afterwards.

3. If the user loses the smart card, the data cannot be recovered. There is a way around this: security staff can store a copy of the user's keyfile on a second smart card and keep this backup card (or a miniHSM) in a safe place.

Second place: the solution provided free of charge by Microsoft on Windows Vista and Windows 7 (no free lunch, etc. :-)).

Both operating systems support smart cards for EFS (Encrypting File System) file encryption.

(Such a feature may exist on Windows XP, but only in a domain configuration with smart card logon.)

Before you can enable it, you need to generate a certificate somehow and import it onto your smart card. The certificate must carry the Encrypting File System extended key usage, otherwise Windows will not offer it for EFS.

For this purpose we use a good CA based on OpenSSL. (This feature-rich CA was developed by a friend of mine, Gorthaur, and I hope he will write a great article about it soon.)

The first step is to choose the certificate for future file encryption (Control Panel / User Accounts / Manage your file encryption certificates).


Next, create a folder and enable encryption on it (Properties / Advanced / Encrypt contents to secure data).
At first glance that's enough and everything works perfectly, but it is not completely safe.

Notice what happens when the card is removed from the reader: you can still decrypt and encrypt files without the smart card, even after locking and unlocking the PC. By default Windows derives a caching-capable user key from the card and keeps it in memory for hours. I'm sure that is absolutely unsafe!

Let's strengthen security! Run gpedit.msc, go to Computer Configuration / Windows Settings / Security Settings / Public Key Policies / Encrypting File System and open its Properties.

There are two main options here:

- Non-cached mode: uncheck "Create caching-capable user key from smart card". The smart card must then stay in the reader the whole time you work with encrypted files.

- Cached mode with a short cache: I prefer a 5-minute time-out (the Windows default is 480 minutes!!!!) together with "Clear cache when user locks workstation or removes smart card" on the Cache tab. I think it's a good compromise between performance and security.

Don't forget to run gpupdate /force, and have fun.
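The whole EFS side (issue a certificate with the EFS extended key usage, put it on the card, pick it as the EFS key, encrypt the folder, apply the policy) can be done from PowerShell. This is an added example, not the author's CA or code from the original post. It assumes openssl.exe is on PATH, a CA key and certificate already exist at .\ca\ca.key and .\ca\ca.crt, the card is handled by the Microsoft Base Smart Card Crypto Provider (a vendor minidriver), and the folder and subject name shown are placeholders.

```powershell
# Added example (not from the original post): EFS with a smart-card certificate, end to end.
# Assumptions: openssl.exe on PATH, CA material in .\ca\, card uses the Microsoft
# Base Smart Card Crypto Provider, user and folder names are placeholders.

# 1. Extensions an EFS certificate needs. The EKU 1.3.6.1.4.1.311.10.3.4 is
#    "Microsoft Encrypted File System"; without it Windows ignores the certificate.
@"
[ efs_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment, dataEncipherment
extendedKeyUsage = 1.3.6.1.4.1.311.10.3.4
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
"@ | Set-Content -Path efs_ext.cnf -Encoding ascii

# 2. Key pair and request for the user, then a CA-signed certificate with the extensions above.
& openssl req -new -newkey rsa:2048 -nodes -keyout user_efs.key -out user_efs.csr -subj '/CN=alice/emailAddress=alice@example.test'
& openssl x509 -req -in user_efs.csr -CA ca\ca.crt -CAkey ca\ca.key -CAcreateserial -days 730 -extfile efs_ext.cnf -extensions efs_ext -out user_efs.crt

# 3. Check the EKU before touching the card (OpenSSL prints the OID by its Microsoft name).
$ekuOk = (& openssl x509 -in user_efs.crt -noout -text | Select-String -Quiet 'Microsoft Encrypted File System')
if (-not $ekuOk) { throw 'certificate lacks the EFS extended key usage' }

# 4. Bundle key and certificate as PFX and import it onto the card through the smart card CSP.
#    The private key now lives on the card; destroy the on-disk copies afterwards.
& openssl pkcs12 -export -inkey user_efs.key -in user_efs.crt -certfile ca\ca.crt -out user_efs.pfx
& certutil -user -csp 'Microsoft Base Smart Card Crypto Provider' -importPFX user_efs.pfx
Remove-Item user_efs.key, user_efs.pfx   # in practice wipe them (cipher /w or a secure-delete tool)

# 5. Select the card certificate as the current EFS key (rekeywiz.exe is the
#    "Manage your file encryption certificates" wizard), then encrypt the folder.
Start-Process rekeywiz.exe -Wait
New-Item -ItemType Directory -Path C:\Secure -Force | Out-Null
& cipher /e /s:C:\Secure

# 6. Verify: cipher /c lists the certificate thumbprint protecting each file, which must be
#    the one you just imported. certutil -scinfo shows the certificates present on the card.
& cipher /c /s:C:\Secure
& certutil -scinfo

# 7. After setting the cache time-out / clear-on-lock options in gpedit.msc, apply them.
& gpupdate /force
```

If cipher /c reports a different thumbprint than the one on the card, the folder was encrypted with an older (software) key; run cipher /u on it after the wizard to re-key existing files.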

If you try to write to the encrypted area without the smart card inserted (once the key cache period has expired), you will see the following message:


If you try to read a file in the encrypted area after the cached key has expired, without the smart card, you will see the following message:
Remember to enter your PIN when you insert the smart card. The PIN request window appears in the system notification area and is very small. Don't miss it!

That's all, newcomers. Stay safe!

The post File encryption with smart card for newcomers appeared first on WHYcredi.
