If you use Windows' Encrypted File System you can encrypt your sensitive document folders; however, BE SURE TO BACK UP THE DECRYPTION CERTIFICATE and store it on something outside of the computer (a USB key or another computer). There is a very good reason it is called the Delayed Recycling Bin: if you do not back up the certificate and your password is not changed using the normal change-password method (type in the old one, type in the new one twice), you will never be able to get to the files.
If you re-install Windows (even if you use the same username and password) you will need the backup of the cert to get your files back; if you did not back up the cert before doing the re-install, THERE WILL BE NO WAY FOR YOU TO GET YOUR FILES BACK.
I use the all-caps bold because I know you will think "I am careful, I will never need it". DO IT ANYWAY!!!
Fix for Hosts File Issue:
You can fix the hosts file issue by using Windows' automatic proxy settings. Create a .pac file, encrypt it using EFS, then tell your web browser to use the auto-config settings from the file.
Here is an example of what to put in the file:
function FindProxyForURL(url, host)
{
    // The leading 0 lets every rule line start with "||", so rules can be
    // added or removed without editing the neighbouring lines.
    if (0
        || dnsDomainIs(host, ".cn")
        || dnsDomainIs(host, ".doubleclick.com")
        || dnsDomainIs(host, ".doubleclick.net")
        || shExpMatch(host, "205.180.85.*")
        || shExpMatch(host, "66.40.16.*")
        || (dnsDomainIs(host, ".overstock.com") && shExpMatch(url, "*/linkshare/*"))
        || (dnsDomainIs(host, ".amazonaws.com") && shExpMatch(url, "*/udm_img/mid*"))
        || dnsDomainIs(host, ".gator.com")
    ) {
        // Matching requests are sent to localhost port 80 instead of the real host.
        return "PROXY 127.0.0.1:80";
    }
    else
    {
        // Everything else connects normally.
        return "DIRECT";
    }
}
The example is fairly self-explanatory: it will redirect all of those listed items to localhost port 80.
Original Answer, talking about TrueCrypt and TPM. No longer my recommended solution.
What you want is possible through a TPM, but TrueCrypt does not support a TPM. If the hash was not stored in hardware tied to a computer how would the drive know that it was in a different computer and happily auto-decrypt the data?
Also you need to ask yourself what you are protecting yourself against. Pre-boot encryption only protects you from some very specific things:
- someone walking up to your computer and starting to use it from a powered-down state
- taking the drive out of the computer and using it on another computer, or copying the drive, then putting your drive back.
- An OS running on a non-encrypted portion seeing the shut-down OS in the encrypted portion.
What it does not do is protect you from someone seeing/copying your files if the OS is already running (think virus/sister snooping around).
Remember: once you are inside the encrypted envelope, everything looks like normal unencrypted data to the OS and anyone using the OS.
Explain what you are trying to protect, and who you are trying to protect it from and we may be able to give you a better solution.
EDIT: when you say "I just want to make it a little harder to be able to browse through my files", who are you trying to make it harder for, and in what way are they going to be performing the browsing?
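An offline harness for checking a PAC rule set like the one in the answer above, added here as an example; it is not part of the original post. Browsers supply dnsDomainIs() and shExpMatch() to PAC scripts; the minimal versions below are re-implementations written for this harness (an assumption about their semantics, not browser code), the sample URLs are constructed, and the FindProxyForURL body is the rule set from the answer reproduced unchanged so that what is tested is what gets deployed.

```javascript
// Added example: an offline harness for a PAC file. The browser normally
// supplies dnsDomainIs() and shExpMatch(); the versions below are minimal
// re-implementations written for this test (an assumption, not browser code).

// dnsDomainIs(host, domain): true when host ends with the domain string.
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

// shExpMatch(str, shexp): shell glob where "*" matches any run of characters
// and "?" matches a single character; everything else is literal.
function shExpMatch(str, shexp) {
  const literal = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + literal.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
  return re.test(str);
}

// The rule set from the answer, unchanged, so the harness tests exactly what gets deployed.
function FindProxyForURL(url, host) {
  if (0
    || dnsDomainIs(host, ".cn")
    || dnsDomainIs(host, ".doubleclick.com")
    || dnsDomainIs(host, ".doubleclick.net")
    || shExpMatch(host, "205.180.85.*")
    || shExpMatch(host, "66.40.16.*")
    || (dnsDomainIs(host, ".overstock.com") && shExpMatch(url, "*/linkshare/*"))
    || (dnsDomainIs(host, ".amazonaws.com") && shExpMatch(url, "*/udm_img/mid*"))
    || dnsDomainIs(host, ".gator.com")
  ) {
    return "PROXY 127.0.0.1:80";
  } else {
    return "DIRECT";
  }
}

// Browsers hand the PAC the host part of the URL; derive it the same way here.
function hostOf(url) {
  return new URL(url).hostname;
}

// Evaluate every URL and return a map of url -> PAC decision.
function evaluatePac(urls) {
  const decisions = {};
  for (const url of urls) decisions[url] = FindProxyForURL(url, hostOf(url));
  return decisions;
}

// Constructed sample URLs (not captured traffic) that exercise each rule type.
const SAMPLE_URLS = [
  "http://ad.doubleclick.net/adj/site/728x90",    // domain suffix rule
  "http://www.example.cn/index.html",             // TLD rule
  "http://205.180.85.7/banner.gif",               // raw-IP prefix rule
  "http://www.overstock.com/linkshare/track",     // domain AND path rule, both true
  "http://www.overstock.com/products/lamp",       // domain true, path false -> DIRECT
  "http://s3.amazonaws.com/bkt/udm_img/mid1.gif", // domain AND path rule
  "http://doubleclick.com/",                      // bare domain: ".doubleclick.com" suffix does not match
  "http://www.example.com/",                      // no rule -> DIRECT
];

for (const [url, decision] of Object.entries(evaluatePac(SAMPLE_URLS))) {
  console.log(`${decision.padEnd(20)} ${url}`);
}
```

Run it with node before deploying a changed .pac file. Two things the harness makes visible: a suffix rule such as dnsDomainIs(host, ".doubleclick.com") matches sub-domains but not the bare host doubleclick.com, and the two IP-prefix rules only fire when the URL itself names a raw IP address, because a PAC sees the host exactly as written in the URL and does no DNS lookup unless the script calls dnsResolve().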
Your USB drive presents itself to the host computer with a logical sector size of 4096 bytes, and that's what enables it to be partitioned with an MBR partition table that can use more than 2 TB of the drive's space, even in Windows XP. MBR partition table entries are 32 bits and Windows XP uses 32-bit math to calculate sector addresses from the partition table, allowing only the first 2^32 sectors of a drive to be used. 2^32 sectors x 4096 bytes/sector = 16 TB. With 512 bytes/sector, only the first 2 TB of a drive could be used by an MBR partition table. (2^32 sectors x 512 bytes/sector = 2 TB)
However, your drive is not 4k native. There are two layers of translation:
- The USB enclosure contains a USB-to-SATA bridge that translates from 4096 bytes per logical sector at the USB interface with the host computer to 512 bytes per logical sector at the SATA interface with the drive inside.
- The drive inside internally translates from 512 bytes per logical sector on its SATA interface to 4096 bytes per physical sector. (That's 512 byte/sector emulation or "512e".)
A SMART query passed through the USB bridge to the SATA drive inside reveals the truth (run here on my own Western Digital My Book 3 TB external USB drive in Windows XP):
C:\Program Files\GSmartControl> smartctl -a -d sat pd11
smartctl 6.5 2016-05-07 r4318 [i686-w64-mingw32-xp-sp3] (sf-6.5-1)
Copyright (C) 2002-16, Bruce Allen, Christian Franke, www.smartmontools.org
=== START OF INFORMATION SECTION ===
Model Family: Western Digital Green
Device Model: WDC WD30EZRX-00MMMB0
Serial Number: WD-WCAWZ12xxxxx
LU WWN Device Id: 5 0014ee 2063xxxxx
Firmware Version: 80.00A80
User Capacity: 3,000,592,982,016 bytes [3.00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
The internal SATA drive reports 512 bytes per logical sector and 4096 bytes per physical sector: that's 512 byte/sector emulation, or "512e".
However the drive as seen by the host computer connected by USB has a logical sector size of 4096 bytes:
C:\> wmic DISKDRIVE get bytespersector, caption
BytesPerSector Caption
4096 WD My Book 1140 USB Device
and that's how Windows XP is able to use all 3 TB of the drive's space.
If you need more proof than that, you could remove the drive from its enclosure and connect it directly to a motherboard's SATA connector: you'd then find that the drive has a logical sector size of 512 bytes, and the drive's partitions would all appear as 1/8 their previous size and be unreadable due to incorrect partition table entries caused by the sector size mismatch. Plenty of people have done this and then had to fix the problem by rewriting the partition table.
I've checked several different external USB drives and they are all 512e internally despite being configured for Windows XP compatibility with 4096 bytes per logical sector at the USB interface: WD My Book 3 TB, WD Elements 3 TB, HGST Touro 4 TB, WD Easystore 8 TB, WD Easystore 12 TB, WD Easystore 14 TB.
Your drive came with an MBR partition table (or someone changed it to MBR at some point) to make it compatible with Windows XP. Newer drives come with GPT partition tables, which require Windows Vista or later.
The WD Quick Formatter tool can be used to change a Western Digital external USB drive between 512 bytes/sector with a GPT partition table (for Vista and later) and 4096 bytes/sector with an MBR partition table (for Windows XP compatibility).
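To make the sector-size arithmetic in the answer above concrete, here is an added example (not part of the original answer) that parses a constructed MBR partition table and shows how the same 32-bit LBA fields describe a byte range one eighth the size when the drive is read at 512 bytes per logical sector on bare SATA instead of 4096 through the USB bridge. The MBR bytes, the 1 MiB-aligned start LBA and the NTFS type byte are constructed for the example; the 3,000,592,982,016-byte capacity is the User Capacity from the smartctl output in the answer.

```javascript
// Added example: MBR partition-table arithmetic for the 512-vs-4096 byte
// logical-sector case described in the answer. The MBR built here is
// constructed for illustration, not read from a real drive.

const MBR_SECTORS_MAX = 2 ** 32;   // MBR LBA fields are 32 bits wide
const MBR_TABLE_OFFSET = 446;      // partition table starts at byte 446 of the MBR
const DRIVE_BYTES = 3000592982016; // "User Capacity" reported by smartctl in the answer

// Largest capacity an MBR partition table can address at a given logical sector size.
function mbrMaxBytes(bytesPerSector) {
  return MBR_SECTORS_MAX * bytesPerSector;
}

// Does a drive of this size fit entirely within MBR addressing at this sector size?
function fitsInMbr(driveBytes, bytesPerSector) {
  return Math.ceil(driveBytes / bytesPerSector) <= MBR_SECTORS_MAX;
}

// Parse one 16-byte partition entry: status byte, type byte at offset 4, then two
// little-endian 32-bit fields: start LBA at offset 8 and sector count at offset 12.
function parseEntry(mbr, offset) {
  const view = new DataView(mbr.buffer, mbr.byteOffset + offset, 16);
  return {
    bootable: view.getUint8(0) === 0x80,
    type: view.getUint8(4),
    startLba: view.getUint32(8, true),
    sectorCount: view.getUint32(12, true),
  };
}

// Return the non-empty entries of the four-slot table in a 512-byte MBR.
function parsePartitionTable(mbr) {
  if (mbr.length < 512 || mbr[510] !== 0x55 || mbr[511] !== 0xaa) {
    throw new Error("not a valid MBR: missing 0x55AA signature");
  }
  const entries = [];
  for (let i = 0; i < 4; i++) {
    const entry = parseEntry(mbr, MBR_TABLE_OFFSET + 16 * i);
    if (entry.type !== 0x00) entries.push(entry);
  }
  return entries;
}

// Byte range an entry describes when the host interprets its LBAs at a given sector size.
function partitionBytes(entry, bytesPerSector) {
  return {
    startByte: entry.startLba * bytesPerSector,
    sizeBytes: entry.sectorCount * bytesPerSector,
  };
}

// Build a constructed MBR with a single NTFS-type partition laid out for 4096-byte
// sectors: start at LBA 256 (1 MiB) and run to the end of the 3 TB drive.
function buildSampleMbr() {
  const mbr = new Uint8Array(512);
  const view = new DataView(mbr.buffer);
  const totalSectors = DRIVE_BYTES / 4096;     // 732,566,646; the division is exact
  const startLba = 256;
  mbr[MBR_TABLE_OFFSET + 4] = 0x07;            // partition type 0x07 (NTFS/exFAT)
  view.setUint32(MBR_TABLE_OFFSET + 8, startLba, true);
  view.setUint32(MBR_TABLE_OFFSET + 12, totalSectors - startLba, true);
  mbr[510] = 0x55;
  mbr[511] = 0xaa;
  return mbr;
}

// Compare how the same table reads at the two sector sizes (USB bridge vs. bare SATA).
function compareSectorSizes(mbr) {
  const [entry] = parsePartitionTable(mbr);
  const viaUsb = partitionBytes(entry, 4096);
  const bareSata = partitionBytes(entry, 512);
  return { viaUsb, bareSata, shrinkFactor: viaUsb.sizeBytes / bareSata.sizeBytes };
}

// Example run; a practitioner would feed the first 512 bytes of a real drive instead.
const report = compareSectorSizes(buildSampleMbr());
console.log(`MBR limit at 512 B/sector:  ${mbrMaxBytes(512)} bytes`);
console.log(`MBR limit at 4096 B/sector: ${mbrMaxBytes(4096)} bytes`);
console.log(`Partition via USB (4096):   ${report.viaUsb.sizeBytes} bytes`);
console.log(`Same entry on SATA (512):   ${report.bareSata.sizeBytes} bytes (1/${report.shrinkFactor})`);
```

The entry itself never changes; only the multiplier the host applies to its LBA fields does, which is why the partitions appear one eighth their size and why the filesystem metadata, which the partition table points at by sector number, is found in the wrong place after the drive is moved to a SATA port. fitsInMbr() also shows the limit the answer states: the 3 TB capacity needs more than 2^32 sectors at 512 bytes but fewer at 4096.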
Best Answer
If "Data safety is more important", then I would create multiple TC volumes on top of the 2 TB NTFS file system and then only mount what you need when you need it. If one of these files somehow gets corrupted, then you have minimized the damage compared to encrypting the whole drive or creating one large TC file. Plus, it will be easier to make backups.
I have used this method for years for remote backups with both large & small TC volume sizes. I have never experienced any form of file system corruption when using TC.