password-protecting a file or folder

John B. Smith wrote:

As another poster said, if any govt agency wants your password all
they have to do is threaten huge fines etc till you cave.

And why having a special container with TrueCrypt (I'm assuming
VeraCrypt has it, too) lets you divulge a password under duress that
lets them into one part of the container that has inocuous files within
without giving them the password to the real goodies in the other part
of the container. You have an exposed volume with one password that you
can secrete non-damaging files, even those you still want to secrete
from casual users and a different password to access a hidden volume
within the container where are the damaging or highly sensitive files
that you want to secrete from everyone else.

https://www.howtogeek.com/109210/the...hidden-volume/

The law (here in the US) cannot legally force you to self-incriminate.
They can attempt to lure by saying they will drop or lessen the charges
but that doesn't force you to divulge the password. They're even
allowed to lie during interrogation. Tell them you want to talk to your
lawyer before you divulge anything to them. Shutup until you speak with
your lawyer. That's the only response you give them. Yeah, you might
end up charged and go to jail and court but they'll have no evidence.

I couldn't find a video on it but remember watching a TV show about
stupid crooks. In one episode, they had captured a purse snatcher and
drove back to the scene of the crime where the victim was still waiting.
The idea was to have the victim identify the thief. The police car
parked on the other side of the street from the victim and had the
accused stand alongside the police car while cuffed. Before the victim
could say anything, the accused said, "Yes, officer. That's the woman
that I stole the purse." The cop holding the cuffed accused turned
around laughing loudly barely maintaining a grip on the accused. The
second officer bent over and laid atop the hood while roaring with
laughter. The accused has no idea how identification worked.

Tell them you forgot the password because you have not accessed that
container for way too long to remember. The datestamp on the container
file does not change when you make changes to the files inside (create,
write, delete, rename, move) because all those changes are recorded
within the file system that gets mounted when you access the container.
The external file system with the container file sees no changes to the
size or datestamp of that file. If you created a container, say, 2
years ago then that is the datestamp it still has even if you just
created a new file within the container's file system. If you create a
fixed-sized container then its size never changes, too, no matter how
may files you create or delete within that container. To outsiders, it
looks like you haven't touched the container for 2 years, so it is
plausible you forgot the password.

dave61430 wrote:

On Thu, 19 Jul 2018 20:44:43 -0500, Jo-Anne wrote:

On 7/19/2018 4:30 PM, VanguardLH wrote:
Jo-Anne wrote:

I like the idea of zipping the files and either password-protecting or
encrypting the zipped files.

Password protection of .zip files is easily hacked. That is why I did
not mention using passworded compressed archive files (.zip, .7z, etc).
If the zip tool offers legacy Zip and AES encryption, choose AES.
WinZip (payware) offers AES (128 and 256 bit) encryption. Other zip
tools usually only offer the weak legacy Zip encryption. There are
many password recovery tools that will hack the weak legacy Zip
password.

Many users like 7-zip (freeware). I use Peazip (also freeware) because
it supports most of the compression algorithms along with 7-zip's own
(Peazip got the library from 7-zip); however, Peazip has a more modern
UI than for 7-zip whose UI harkens back to the Windows 3.x era.
However, neither one supports AES encryption, just the weak encryption.

http://www.peazip.org/encrypt-files.html

While a hacker might try decrypting the AES-based content, they would
have to also have to separately try Serpent or TwoFish which would
dramatically add to the time to decrypt successfully. 7-Zip just has
AES encryption. Peazip has AES, TwoFish, and Serpent; however, since I
haven't used encryption with Peazip, I don't know how to select which
encryption algorithm to use (and didn't see an option when creating a
new archive). Couple be, per the above article, a combined AES +
Serpent + TwoFish encryption requires using the .pea archive format.

When putting files into a compressed archive with a password, remember
that the original file sticks around. You would have to delete it.
Whether you or the archiver deletes the file, the file's contents still
occupies the file system's clusters until those clusters are
reallocated to another file AND until those clusters get overwritten by
some other program writing to that file. Peazip comes with a secure
file eraser (which can optionally be added to the Windows Explorer
context menu). There are lots of file recovery tools. If you don't
want to leave behind any trace of a file's content that you put into a
passworded archive file then you need to securely erase the original
file, not just delete it. I have Peazip configured to do 2 passes to
securely erase the clusters occupied by a file. That is more than
sufficient with drive manufactured for over two decades. Only on
ancient RLL-encoded hard drives might the 35-pass Gutmann method.

Note when using encryption within a .zip file that normally just the
*contents* of the files stored within the archive file are encrypted.
The filenames listed as records within the archive will still have the
original names. If you need to ensure that no one can deduce what
might be within a file, use an archiver that also encrypts the
filenames. Peazip has that option. I'd have to research to find out if
7-zip does.

Peazip also offers a two-factor algorithm: not only do you need to know
the password but must also supply a keyfile. You generate a keyfile
for the .zip archive and store it somewhere, like on a USB flash drive
to which only you have physical access (because you don't want someone
else copying the keyfile off the USB drive). I've never bothered with
2-factor authentication but then I don't bother using encryption in
archivers since I use TrueCrypt (or you could use BestCrypt Traveller
or VeraCrypt or other alternatives).

I haven't used Traveller or VeraCrypt. In TrueCrypt, you can even
compound the encryption algorithms. You could just use AES, or you
could use AES + TwoFish or AES + TwoFish + Serpent. The added layers
make decryption much more difficult; however, the extra encryptions
also make decryption slower, so the access to the mounted container
will be slower (not a problem with doc files but perhaps with videos).
In addition, you can create an encrypted container (file) that has 2
passwords: one which allows access to one part of the container and
another that allows access to a more secret part of the container. If
someone forces you to reveal your password, like pointing a gun at your
kids or wife or you or to satisfy FBI investigators applying legal
action, you could give them the first password. That lets them into
the first part of the container where you deposited inocuous files
(something to appease the intruder but nothing sensitive or hurtful to
you). They cannot get into the second part of the container where is
the real files you want to hide. They cannot determine there is a
second password and a second portion of the container because all that
data is always randomized by TrueCrypt (rather than being unallocated).

Again, these are advanced features that some users don't care about, so
they want something simpler, like BestCrypt Traveller. If you go with
a compressed archiver (.zip files), many use weak legacy Zip encryption
that password recovery tools can hack.

So choose wisely.
https://www.youtube.com/watch?v=0H3rdfI28s0

And remember that when you read any file whether from an encrypted
container or zip file that there could be [temporary] copies left
behind outside the container or zip file. The files are secure only
when in situ inside the container. Editing a file means creating a
temporary copy of it or buffers (which might be in memory but could be
on th disk)
within the program with portions of the file. You might copy the file
out of the container. Once you close the container, you need to
securely wipe any remnants of the file when it was outside the
container.


Thank you, Vanguard. You've been very clear. The situation is more
complex than I had anticipated.

No he isn't very clear, what is clear is he doesn't read too well. I said
encrypt the zip file with something like AESCrypt, not at all the same as
using the built in crackable scheme in some zip iterations.
If you are paranoid about deleting the original file, there are a number
of secure delete utilities available. Note, AXCrypt deletes and scrubs
the original but is windows only. I'm on Linux, but want to be able to
recover in windows in need be.

Your inclusion of using an archiver was irrelevant to using AESCrypt to
encrypt the *file*. After encryption, doesn't matter if the file is
left in the file system or moved into an archive file: it's encrypted
either way. You just compounded the solutions as though both were
necessary.

The OP never asked how to reduce the disk footprint of an encrypted
file. Because you misled the OP is why she said, "I like the idea of
zipping the files ...". She was looking at using archiving with
passwords. She could encrypt the file and be done. No archiving
(zipping) needed. She could shove the file into an archive and then
encrypt the archive file but that is unnecessary to her original
intention of encrypting the original file.