Sunday, July 16, 2017

How to Perform Full-Disk Encryption in Windows 10

Source: Make Tech Easier





Full-disk encryption in Windows 10 protects the data on a lost or stolen machine from prying eyes. It's easy to set up and worth having for just about any user, especially those who travel with important data.



What does it do? Full-disk encryption means that without the key (your BitLocker password, or a key sealed in the computer's TPM) the data on the hard drive is inaccessible. If a disk is not encrypted, an attacker can remove it from your computer, mount it on their own machine, and read every file with no restrictions: Windows file permissions mean nothing to a different operating system. An encrypted disk doesn't suffer from this hole. Its contents are ciphertext, unintelligible to anyone who doesn't hold the key.

Should you use it? Yes, especially if you have a laptop or files you want to keep secure. A desktop that never leaves the building is less exposed, since the main threat is physical theft, but the downsides of full-disk encryption are so few that there isn't much reason not to. Modern computers are fast enough to handle the computational overhead of encryption without a noticeable pause. The major downside is that if you forget your password and lose your recovery key, your files are toast. It might also limit your ability to use some third-party backup or disk-imaging tools, but we haven't been able to test that ourselves.

Is BitLocker trustworthy? BitLocker is Microsoft's built-in, closed-source disk encryption for Windows 10. Because it comes from a large, for-profit company, and because the U.S. government reportedly approached Microsoft about adding a "back door" to its encryption scheme, BitLocker hasn't enjoyed the greatest reputation. However, well-respected security researcher Bruce Schneier still recommends it, and it's perfectly adequate for average Windows users. If relying on software from a giant corporation with ambiguous intent and potential backroom dealings with the U.S. government bothers you, that's reasonable; VeraCrypt is a good, open-source alternative.
1. Locate the hard drive you want to encrypt under "This PC" in Windows Explorer. We'll be encrypting the boot disk for this tutorial. (BitLocker ships with the Pro, Enterprise and Education editions of Windows 10; Home offers only the simpler, TPM-only "Device encryption".)
2. Right-click the target drive and choose “Turn on BitLocker.”
3. If you see an error message saying the device can't use a Trusted Platform Module (TPM), you'll need to change a local Group Policy setting so BitLocker can run with a startup password instead of a TPM. If you don't see this error, skip to step 10.

Running BitLocker without a TPM

4. Press Win + R, type gpedit.msc into the Run box and press Enter to open the Local Group Policy Editor.
5. Navigate to “Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives” in the side bar.
6. Double-click on “Require additional authentication at startup” in the main window.
7. Click the radio button next to “Enabled.”
8. Also make sure that "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" is checked, then click "OK." The change takes effect immediately; no reboot or gpupdate is needed for a local policy.
9. Finally, we can turn on BitLocker. Right-click the target drive again and choose “Turn on BitLocker.”

Finishing the BitLocker Setup

10. Choose "Enter a password." (On a machine with a working TPM this screen doesn't appear: the key is unsealed from the TPM at boot and you only type your normal Windows login. A TPM-less machine asks for the startup password, or a USB startup key, every time it boots.)

11. Enter a secure password. This is all that stands between someone holding your disk and your data, so make it long and unique.
12. Choose how to back up your recovery key, the 48-digit number that unlocks the drive if you forget your password. I like to print mine, but it's your choice. If you don't have a printer, you can save it to a file on another drive or a USB stick (Windows won't let you save it onto the drive being encrypted), or save it to your Microsoft account.
13. Choose "Encrypt entire drive." It is slower than "Encrypt used disk space only," but it also encrypts the free space, which on a disk that has been in use still holds remnants of deleted files that haven't been overwritten yet.
14. Unless you need the drive to be readable on older Windows machines, choose "New encryption mode" (XTS-AES, introduced in Windows 10 version 1511). "Compatible mode" (AES-CBC) is only worth picking for a removable drive that will be plugged into Windows 7 or 8.1.

15. Click "Start Encrypting." If you're encrypting the boot drive, BitLocker first restarts the computer to run a system check that confirms it can read the password (or TPM key) before Windows starts; encryption proper only begins once that check passes. It will take a while, but it runs in the background and you can keep using the computer.

BitLocker is powerful and easy to enable. Turning it on should be a no-brainer for anyone with a portable computer or sensitive data to protect. Verify afterwards: the drive shows a padlock in "This PC," and manage-bde -status in an elevated command prompt reports "Protection On" once encryption has completed.
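The same setup, steps 3 to 15, driven from an elevated PowerShell session. This is an added example, not code from the Make Tech Easier article: it assumes the OS volume is C:, that a second drive D: exists to receive the recovery key file, and that no Active Directory or Azure AD backup of the key is wanted (all three are assumptions; adjust the two variables at the top).

```powershell
# Added example: BitLocker on the OS drive with a startup password, the
# PowerShell equivalent of the wizard steps above. Assumptions: C: is the
# OS volume, D:\bitlocker is a drive other than the one being encrypted.
#Requires -RunAsAdministrator

$Drive       = "C:"
$RecoveryDir = "D:\bitlocker"   # assumed; must NOT be on the drive being encrypted

# Step 3: is there a usable TPM? If not, allow a password-only OS drive.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    # Steps 4-8: the registry values behind the Group Policy setting
    # "Require additional authentication at startup" = Enabled with
    # "Allow BitLocker without a compatible TPM" checked.
    $pol = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $pol -Name EnableBDEWithNoTPM -Value 1 -Type DWord
    foreach ($name in "UseTPM", "UseTPMPIN", "UseTPMKey", "UseTPMKeyPIN") {
        Set-ItemProperty -Path $pol -Name $name -Value 2 -Type DWord   # 2 = "Allow"
    }
}

# Steps 10-11: the startup password (SecureString, never echoed or logged).
$pw = Read-Host -AsSecureString "Startup password for $Drive"

# Steps 13-14: whole drive (no -UsedSpaceOnly) in XTS-AES-256, the
# "new encryption mode". Use -EncryptionMethod Aes256 only for a drive
# that must open on Windows 7/8.1. Without -SkipHardwareTest the system
# check from step 15 runs on the next reboot and encryption starts after it.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $pw

# Step 12: add a 48-digit recovery password and store it off the drive.
$vol = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq "RecoveryPassword" |
    ForEach-Object { "ID: $($_.KeyProtectorId)`nRecovery password: $($_.RecoveryPassword)" } |
    Out-File -FilePath (Join-Path $RecoveryDir "${env:COMPUTERNAME}-recovery.txt")

# Verify: which protectors exist and how far encryption has progressed.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = "Protectors"; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ", " } }
```

Re-run the last command (or manage-bde -status) after the reboot: VolumeStatus moves from EncryptionInProgress to FullyEncrypted and ProtectionStatus should read On. Move the recovery file off the machine once it is written; a recovery key that sits next to the encrypted drive defeats the point.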

Friday, July 07, 2017

OpenVPN ignore default route Ignore Redirect Gateway



Source: IgnoreRedirectGateway – OpenVPN Community wiki

Ignoring redirect-gateway

If you are running OpenVPN as a client and the server pushes "redirect-gateway", your client sends all Internet traffic over the VPN. Sometimes clients do not want this but cannot change the server's configuration. This page explains how to override redirect-gateway on the client side so it keeps its own default route even though the server says otherwise.
Method 1: ignore

There are two client options that ignore routes pushed by the server:

--route-noexec
Don't add or remove routes automatically. Instead, pass the routes to the --route-up script using environment variables (so a script of your own decides which ones to install).

--route-nopull
When used with --client or --pull, accept options pushed by the server EXCEPT for routes and DHCP options like DNS servers.
When used on the client, this option effectively bars the server from adding routes to the client's routing table; note, however, that it still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

Both are all-or-nothing: with --route-nopull you also lose the pushed routes to the VPN's internal subnets and the pushed DNS servers, so add those to the client config yourself if you need them. OpenVPN 2.4 and later also accept pull-filter ignore "redirect-gateway" in the client config, which drops only that one pushed option and keeps everything else the server pushes.


Method 2: override

Here we simply add client-side routes that are more specific than the ones --redirect-gateway installs, so longest-prefix matching picks ours. This is the same trick the def1 flag itself uses:

def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.

Which routes you need depends on whether the server uses the def1 flag with --redirect-gateway; you can tell by checking the client log while connecting. net_gateway is an internal OpenVPN variable for the pre-VPN default gateway and does not need to be changed to anything. If you do not know whether your server uses def1 and do not want to check the logs, just assume it DOES and use the four routes; those are more specific than either form and work either way.



If the server DOES NOT use def1 (it replaces 0.0.0.0/0 outright), add the following two /1 routes to the client's config:

route 0.0.0.0 128.0.0.0 net_gateway
route 128.0.0.0 128.0.0.0 net_gateway



If the server DOES use def1, or if you do not know, add the following four /2 routes to the client's config:

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
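Why the /1 routes beat a plain default route, why they are not enough against a def1 server, and why the /2 routes work in both cases, comes down to longest-prefix matching. The following is an added example, not code from the OpenVPN wiki: a small model of the client's routing table after connecting, with the override lines from Method 2 applied. The VPN subnet 10.8.0.0/24, the server address 203.0.113.10 and the gateway labels are constructed values for the simulation.

```python
"""Constructed model of a client's routing table after an OpenVPN connect.

Added example, not part of the OpenVPN wiki page. 'vpn_gateway' is the far
end of the tunnel and 'net_gateway' is OpenVPN's name for the pre-VPN
default gateway; the VPN subnet and server address below are assumed.
"""
from __future__ import annotations

import ipaddress

Net = ipaddress.IPv4Network
VPN_SERVER = "203.0.113.10"   # assumed public address of the VPN server
VPN_SUBNET = "10.8.0.0/24"    # assumed subnet reachable through the tunnel


def override_routes(server_uses_def1: bool) -> list[str]:
    """The 'route' lines for the client config (Method 2 on the page).

    Against a plain default route two /1 routes are enough; a def1 server
    already pushes /1 routes, so four more-specific /2 routes are needed.
    """
    if server_uses_def1:
        return [f"route {o}.0.0.0 192.0.0.0 net_gateway" for o in (0, 64, 128, 192)]
    return ["route 0.0.0.0 128.0.0.0 net_gateway",
            "route 128.0.0.0 128.0.0.0 net_gateway"]


def _parse_route_line(line: str) -> tuple[Net, str]:
    # "route <network> <netmask> <gateway>", as written in an OpenVPN config
    _, network, netmask, gateway = line.split()
    return Net(f"{network}/{netmask}"), gateway


def routing_table(server_uses_def1: bool, client_routes: list[str]) -> list[tuple[Net, str]]:
    """Approximate the kernel routing table after redirect-gateway is applied."""
    table = [
        (Net(f"{VPN_SERVER}/32"), "net_gateway"),   # host route so the tunnel stays reachable
        (Net(VPN_SUBNET), "vpn_gateway"),
    ]
    if server_uses_def1:
        # def1: the original default stays, two /1 routes shadow it
        table.append((Net("0.0.0.0/0"), "net_gateway"))
        table += [(Net("0.0.0.0/1"), "vpn_gateway"), (Net("128.0.0.0/1"), "vpn_gateway")]
    else:
        # without def1 OpenVPN replaces the default route outright
        table.append((Net("0.0.0.0/0"), "vpn_gateway"))
    table += [_parse_route_line(line) for line in client_routes]
    return table


def next_hop(table: list[tuple[Net, str]], dst: str) -> str:
    """Longest-prefix match, the rule every host kernel and router applies.

    Two routes of equal length pointing at different gateways are reported
    as 'conflict': which one wins then depends on the OS and on insertion
    order, which is exactly the situation the /2 routes avoid.
    """
    addr = ipaddress.IPv4Address(dst)
    matches = [(net, gw) for net, gw in table if addr in net]
    longest = max(net.prefixlen for net, _ in matches)
    gateways = {gw for net, gw in matches if net.prefixlen == longest}
    return gateways.pop() if len(gateways) == 1 else "conflict"


if __name__ == "__main__":
    for def1 in (False, True):
        for routes in ([], override_routes(False), override_routes(True)):
            table = routing_table(def1, routes)
            print(f"server def1={def1!s:5} client routes={len(routes)}: "
                  f"8.8.8.8 -> {next_hop(table, '8.8.8.8')}, "
                  f"10.8.0.5 -> {next_hop(table, '10.8.0.5')}")
```

The run shows the three cases the page describes: with no client routes Internet traffic (8.8.8.8) goes to vpn_gateway; the two /1 routes fix that only when the server did not use def1 and collide with the server's own /1 routes when it did; the four /2 routes send Internet traffic to net_gateway in both cases while 10.8.0.5 on the VPN subnet still goes through the tunnel. On a real client compare against `ip route` (Linux) or `route print` (Windows) after connecting.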