SVS and Encryption

If protecting confidential data is your bag (isn't it everyone's?) then you can thank Juice contributor rajat for doing a ton of research into encryption technologies that can be used to protect SVS layers.

He loaded up just about every tool on the planet that can be used to protect your privacy and he came up with some pretty fine solutions. Read on.

Introduction:

The idea behind SVS is to make the host system stable (by getting rid of DLL Hell) and attain much improved system administration with greater control over software installations and maintenance. The way SVS achieves this ideal state is by adding/removing software installations to the operating system instantaneously as layers.

This also has the added benefit of a kind of security, in the way that if you want to restrict a user's access to a particular software, you just deactivate the layer.

But if data security is actually a concern in any particular case, then the current options leave some desires unattended. For instance, if on a particular workstation, even if a user doesn't know about SVS or doesn't know that it's installed there, he can still access SVS's File System folder (typically fslrdr on the system drive) and access files that are supposed to be restricted. Probably the only thing keeping him from accessing it is the hidden status of the folder -- which isn't much.

For example, if I choose to keep my investment-related information in an Excel file, the Excel file isn't secure if I deactivate the layer. So I'd need some sort of encryption solution, along with SVS, to make sure that my data is safe, just like my OS.

And since there is no built-in encryption option in SVS, we'll have to look at outside options. By means of this article, I'd walk you through various encryption/data security options available to us, and how they stand up to our requirements.

Outside Options:

As we think of data encryption, several solutions are available.

• Disk-wide Encryption
• Container Encryption
• Folder Encryption
• File Encryption

We'll look at the feasibility of each as a possible SVS Layer data encryption solution.

Disk-wide Encryption

SafeBoot (http://www.safeboot.com/)

Otherwise known as hard disk encryption, this is arguably the strongest encryption tool on the list. It is a solution for mobile computers, laptops/notebook PCs where there is a high chance that the hardware itself, that holds the software, might get into the wrong hands. They encrypt all sectors of the entire hard disk or a partition of it. Only on pre-boot authentication can the data be accessed. Therefore, hard disk encryption is good for protecting yourself in the case of the theft or loss of the computer. However, as soon as the user has logged on to the computer with his password, the data can be read -- also by other users accessing the computer via the network, or by malware.

Now if I'm working on a workstation and I have to prevent access to certain files from certain specific users, this doesn't serve the purpose, as once the system boots up, everything is accessible.

So we take it that disk-wide encryption isn't right for our purpose.

Container Encryption

TrueCrypt (http://www.truecrypt.org/)
DriveCrypt (http://www.securstar.com/home.php)

Container encryptions create a virtual drive on which all data is automatically encrypted. The virtual drive appears when the correct password is entered, otherwise the container file remains on the host disk just like any other file. This is a very strong encryption and probably as secure as disk-wide encryption (for selected data).

This seems ideal too, in a way that we could just put the fslrdr folder on an encrypted drive and store all our layers there (or maybe only a few layers that should not be available to all).

Lets try TrueCrypt -- it's a very good open-source data security application with features on par with commercial alternatives. I myself use it and can recommend it to anyone. Below are two screen shots that give an idea of its interface.

Click to view.

Click to view.

Now I'll use CondorMan's 'Move Layer' tool to move this layer to a virtual drive that's actually a TrueCrypt container.

(I first used SVSCmd to get the GUID of the layer, and ran MoveLayer.exe as 'MoveLayer.exe <GUID>'

Click to view.

The layer is moved without a problem.

Now we run SVS Admin and activate the layer.

Click to view.

Oh! There's a problem. Was there a problem in moving the layer?

Click to view.

I'll move the layer back and try to activate it.

Click to view.

This time it works without a problem!

Click to view.

(I'll not go into another tool of the same cadre (Container Encryption) but I had same results with similar tools that I tried).

So what is going wrong here? SVS accepts its layers on my C/D/E drives, then why not X drive? Actually, it's because SVS (by design) doesn't work with mounted drives.

So Container Encryption isn't a solution for us either!

Folder Encryption:

Folder Password Expert (http://www.folder-password-expert.com/)
Lock Folder XP (http://www.everstrike.com/lock_folder.htm)
My Lockbox (http://www.fspro.net/folder-lock-box/)
AB Hide Folder (http://www.doshare.com/)

Ideally this would work so that you encrypt a folder that contains either the whole layer, or the specific files that need to be encrypted (eg. In my example earlier, I'd like to encrypt only certain .xls files and not the whole folder where MS Office is installed).

But (and its a big but, with no pun intended), there are a few things going against the utilities under this category:

• Most utilities of this type work like a black box, they don't tell you (or at least don't tell up front, the information may be hidden somewhere deep in their disclaimer) how exactly they work and what type of encryption they use. I mean, if you're selling a data security software, you ought to at least tell what algorithm is.
• Another grievance I've got with these tools is that many (not all) of them work by fooling the file system / operating system into believing that the files don't exist until the password is provided. That's all the security they offer. They install a driver that uses system-wide hooks and other API tricks (like rootkits) to hide the folder from OS. And they're quite easy to circumvent by either uninstalling them, disabling the driver/service, booting in safe-mode etc. As the files are in original form, once the hiding is not there, they're completely unprotected.
• Interface isn't friendly. This is another big reason I'm biased against these tools. If I'm looking for an easy way to make sure that the data in my layers is safe, what I'd like is that while I'm activating my layer - it asks for a password, and do the regular stuff if the password is fine. But with most of these tools, you'd have to learn to go through their interface for all encryption/decryption tasks.

But they definitely have one thing going for them -- they're definitely the easiest to set up.

Let's try one of these tools (most are more-or-less similar):

I launch and select Lock Folders.

Click to view.

I select the 2 folders belonging to the same layer (WinUHA in my case).

Click to view.

Enter password screen

Click to view.

I try activating the layer and it activates even though the folders are locked.

Click to view.

Now please don't misunderstand, the tool works fine and this isn't a problem. Though the layer is activated in SVS Admin, the actual files are not available, nor is the WinUHA icon added to Start Menu. So that's good.

Click to view.

Now I deactivate the layer, and Unlock the folders.

Click to view.

Click to view.

I again activated the layer and the application was available normally.

Now, this particular application (Folder Password Expert) has a downside that most other similar tools don't have. It forgets the unlocked folders in subsequent sessions. So when I launched this app next time, it was like this:

Click to view.

Now about the review -- well, honestly, I'd not recommend it for the particular use we're after. The interface requires too many recurring steps (Locking Folders initially, Unlocking Folders for every run manually, remembering to Lock them back etc.). Also, the encryption (if there is one) isn't made clear. That much is enough for me to look elsewhere, but the next method I'm about to discuss requires a little more than pure basic knowledge of files/folders etc. So if ease-of-use and point-and-click is of importance, Folder Encryption tools can't be easily beaten, and there can, of course, be better Folder Encryption tools in this category which are more secure or easier to use.

File Encryption

MySecret (http://www.di-mgt.com.au/mysecret.html)
DLOCK2 (http://ebible.org/mpj/software.htm)
JvCrypt (http://www.vandaveer.com/crypt/)

Ok, the tools mentioned above are CLI (Command Line Interface). These give us the benefit of using them in a script or batch file. You can even use RAR.exe from WinRAR's installation for encryption (it provides good compression as an additional benefit).

There are several benefits of using this category:

• Only the file to be protected is encrypted and not the whole folder or disk, thus saving time, disk wear-n-tear and CPU cycles.
• The interface will be whatever we want it to be, so we'll not have to do with the interface somebody else thought to be the best.
• The batch file can just ask for the password and encrypt/decrypt the files and activate/deactivate the layer. So minimum per-run input is required.

I'll be a bit more elaborate on this method as after going through all the available choices, I've found this to be the best for the purpose IMO.

I'll continue with the earlier example where my MS Office installation is on a virtual layer and I want to secure an Excel file. I'm choosing MySecret for encryption as it's free and uses blowfish encryption. For writing the script I'm using AutoHotkey (http://www.autohotkey.com), my scripting language of choice. To run the script you need AutoHotkey installed on your system. But AutoHotkey need not be installed on any other system you wish to run this script, as the script can be compiled into a small standalone .exe file.

First we'll encrypt the original file as this is to be done just once, we'll do it manually.

Lets say the actual location of my excel file is this:
E:\fslrdr\16\[_B_]PROGRAMFILES[_E_]\MyFiles\Finances.xls

So I'll encrypt it using MySecret (assuming mysecret.exe is in path) as:

MySecret -p 123456 -i "E:\fslrdr\16\[_B_]PROGRAMFILES[_E_]\MyFiles\Finances.xls" -o "E:\fslrdr\16\[_B_]PROGRAMFILES[_E_]\MyFiles\Finances.xls"

Here 123456 is the password and the output file is the same as the input file.

Now that the file is initially encrypted, this is what I want my script to do:

• Ask me for password
• Decrypt the file
• Activate the layer
• Run the application and open that file for me
• Wait to close the application
• Deactivate the layer automatically
• Encrypt the file automatically using the same password

The below script does all the above steps in just about 10 lines of actual code

;AutoHotkey Script Begin

;put the actual file path below
File = E:\fslrdr\16\[_B_]PROGRAMFILES[_E_]\MyFiles\Finances.xls

;put the layer Name or GUID below
Layer = MS Office 2003

;put the virtual path to file or application to run on activation of layer
ToRun = C:\Program Files\MyFiles\Finances.xls


;if MySecret is in path, you don't need to change anything below this line
;---------------------------------------------------------------------------------

;the following command asks for password and exits on a blank password
InputBox, PWD, Enter Password, Enter Password to decrypt data:, Hide
IfEqual, PWD,, ExitApp

;the next command decrypts the excel file
MySecret -p %PASS% -i "%File%" -o "%File%"

;the next command activates the layer
RunWait, %comspec% /c svscmd.exe "%LAYER%" A,, Hide

;the next command runs the file/application
RunWait, %ToRun%

;the next command deactivates the layer once the above application is closed
RunWait, %comspec% /c svscmd.exe "%LAYER%" D,, Hide

;the next command encrypts the file back
MySecret -p %PASS% -i "%File%" -o "%File%"

;AutoHotkey Script End

The only window we see while running the above script is this:

Click to view.

This script is easily modifiable (the Green lines are to be edited).

So this category of tools seems to be easiest and most eligible solution to our needs.

Final Thoughts

With Disk and Container encryption being inapplicable to our requirements, and Folder Encryption having certain downsides, I've finally decided upon using the File Encryption as the mode of choice. CLI File Encryption tools discussed above can be used the way we want them to. If we wish, we can construct a GUI (Graphical User Interface) around them or run them via batch or script files.

I hope this article served its purpose to act as a reference and starting point for using encryption and SVS together.