BitLocker and Encrypting File System (EFS) are both features being made available to Windows 8 Pro users. They each allow you to secure your data by way of encryption, and both are baked right into the operating system. Their differences, however, make each one useful in its own way, with its own set of pros and cons.
In this article, we’ll take a look at how these features differ and why one may be more useful than the other, depending on your needs.
Whole Drive Vs. File/Folder Encryption
What BitLocker Does
BitLocker (and BitLocker To Go) is designed to encrypt the entire drive, even if that drive holds your operating system. It basically gives you complete encryption from stem to stern, improving the overall security. If your computer were to fall into the wrong hands, you wouldn’t necessarily worry yourself about your personal bits and pieces being accessed.
Once turned on, BitLocker goes to work encrypting any file added to the drive. Without the password, you have no access to that data. It’s pretty clear and simple.
BitLocker relies on an unencrypted (and untampered with) boot partition in order to encrypt the primary OS. This is an automatic process when BitLocker is turned on, creating a 200 MB boot partition that does not appear in Windows Explorer and is not assigned a drive letter. The encrypted disks themselves are secured using AES with either a 128-bit or a 256-bit key (your choice).
What EFS Does
EFS allows the user to be a bit more picky about what is and isn’t encrypted. For example, you wouldn’t necessarily encrypt the operating system files, though you can encrypt your personal directories and individual files to prevent unwanted access.
EFS uses both symmetric cryptography (one key is used to encrypt the files) and asymmetric cryptography (two keys are used to protect that encryption key).
Hardware Requirements
What BitLocker Does
According to Microsoft, BitLocker requires a Trusted Platform Module (TPM) in order to function. The TPM is a microchip included with most modern computer systems which enables advanced security measures including full-drive encryption. The encryption key is stored on this chip, making it more difficult to access than by way of keeping it somewhere on the drive itself. Alternatively, you can use a flash drive to store the encryption key if you do not have TPM version 1.2 or above available.
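To see which of these options a given machine is actually using, the following added example (not part of the original article) reports, per volume, the AES key size and whether the key is protected by the TPM or by a startup key on a flash drive. It assumes an elevated PowerShell session on Windows 8 or later with the built-in BitLocker and TPM cmdlets; the function name `Get-BitLockerPosture` is made up for this illustration.

```powershell
# Added example: summarize BitLocker posture per volume.
# Assumes an elevated session; Get-BitLockerPosture is a hypothetical helper name.
function Get-BitLockerPosture {
    # Get-Tpm reports whether a TPM chip is present and ready for use.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types on this volume, e.g. Tpm, TpmPin, ExternalKey, RecoveryPassword.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $notes = @()

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $notes += 'volume is not encrypted'
        }
        elseif ($vol.ProtectionStatus -eq 'Off') {
            $notes += 'encrypted, but protection is suspended'
        }
        if ("$($vol.EncryptionMethod)" -like '*128*') {
            $notes += '128-bit AES in use; 256-bit is available'
        }
        # ExternalKey without any Tpm* protector means the key lives on a flash drive.
        if ($vol.VolumeType -eq 'OperatingSystem' -and
            $types -contains 'ExternalKey' -and -not ($types -like 'Tpm*')) {
            $notes += 'startup key on USB, no TPM protector'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = $types -join ', '
            TpmPresent       = [bool]($tpm -and $tpm.TpmPresent)
            Notes            = $notes -join '; '
        }
    }
}

Get-BitLockerPosture | Format-List
```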
What EFS Does
EFS requires no specific hardware, and can even be employed on portable drives. By today’s standards, EFS is old hat and has been an included feature of professional Windows versions since Windows 2000.
EFS does require that a drive be formatted in NTFS. FAT-32 drives are not supported. That means that if you copy an encrypted file from NTFS to FAT-32, the file’s encryption will be stripped, leaving the unprotected data on the FAT-32 drive.
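A pre-copy check for the case just described, as an added example that is not part of the original article: it finds EFS-encrypted files under a source folder and reports whether the destination volume is NTFS. The function name `Test-EfsCopyTarget`, the source folder and the `E:\` destination are assumptions for illustration, and the destination is assumed to be a local drive letter rather than a network path.

```powershell
# Added example: check a copy destination before moving EFS-encrypted files to it.
# Test-EfsCopyTarget is a hypothetical helper name; paths below are placeholders.
function Test-EfsCopyTarget {
    param(
        [Parameter(Mandatory)] [string] $SourcePath,
        [Parameter(Mandatory)] [string] $DestinationPath
    )

    # Find the drive that holds the destination and read its file system type.
    $resolved = (Resolve-Path -LiteralPath $DestinationPath).ProviderPath
    $root     = [System.IO.Path]::GetPathRoot($resolved)
    $format   = (New-Object System.IO.DriveInfo $root).DriveFormat   # e.g. NTFS, FAT32

    # Files carrying the Encrypted attribute are the ones protected by EFS.
    $encrypted = @(Get-ChildItem -LiteralPath $SourcePath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted })

    [pscustomobject]@{
        DestinationRoot = $root
        FileSystem      = $format
        EncryptedCount  = $encrypted.Count
        # Only an NTFS destination can keep the files encrypted after the copy.
        KeepsEncryption = ($format -eq 'NTFS') -or ($encrypted.Count -eq 0)
        EncryptedFiles  = @($encrypted | ForEach-Object { $_.FullName })
    }
}

# Placeholder paths: the current user's Documents folder and a removable drive E:.
$check = Test-EfsCopyTarget -SourcePath "$env:USERPROFILE\Documents" -DestinationPath 'E:\'
if (-not $check.KeepsEncryption) {
    Write-Warning ("{0} is {1}: {2} EFS-encrypted file(s) would be written unprotected." -f `
        $check.DestinationRoot, $check.FileSystem, $check.EncryptedCount)
    $check.EncryptedFiles
}
```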
Performance Decrease
Encryption requires extra steps for a system to access data: the data must first be decrypted before it can be used. That means a speed-up resulting from encryption is pretty much unheard of, as is an encryption process with no measurable performance decrease.
So, how do these two encryption methods impact performance?
What BitLocker Does
According to Microsoft, BitLocker imposes a single-digit percentage performance overhead. That means your overall data send/receive speeds may see a 1-9% decrease as data is encrypted and decrypted.
Benchmark tests comparing BitLocker to a non-encrypted drive or one managed via TrueCrypt are all over the Web. In some cases, BitLocker has had as little impact as a 4.5% decrease in write speeds over a non-encrypted drive while others have placed this percentage at over 30%.
What EFS Does
EFS only impacts specific files, and thus doesn’t decrease overall system performance during read/write operations unless those operations require encryption/decryption. Should you be performing that type of operation, the hit to performance can range from negligible to obvious.
There are reports online of EFS causing severe slowdowns when copying and pasting encrypted files, though these issues appear to be related to network sharing and virus scanning as opposed to localized performance decrease.
User Permissions
What BitLocker Does
BitLocker requires an administrator to activate/deactivate while EFS can be used by anyone, unless permissions are specifically restricted by a group policy or some other administrative barrier.
What EFS Does
EFS allows users to encrypt and decrypt personal files as needed. You don’t have to be an administrator to benefit from a little added security.
Final Thoughts
If BitLocker is the commercial powerhouse, EFS is the solution most suited for the small business or home user. The flexibility of EFS is an important factor when deciding between the two technologies, though BitLocker does offer whole-drive encryption and mobile drive security through BitLocker To Go.
In the end, the choice is up to the user. When Windows 8 comes out, will either of these features be enough to encourage you to upgrade, or will you stick to third-party encryption options?