Keeping Data Safe

Joined
Feb 11, 2023
Messages
5
Reaction score
0
I am trying to harden my defenses against the possibility of someone stealing my computer and then extracting data from it that will lead to identity theft. So I have come up with how I think I want to do it, but want to check the strategy by you more knowledgeable folks.

I have a Legion 5i Pro gaming laptop with:
- Windows 11 Home
- Local account with a password, but this might change to MS account if they continue to close the workarounds that users are finding.
- i7-12700H
- 16 GB DDR5 RAM
- CPU IRIS graphics running for normal apps
- RTX 3070 for higher demand apps such as gaming
- 1 TB Samsung NVMe SSD C: drive with Windows OS
- 2 TB Western Digital NVMe SSD D: drive for data
I think I have provided more system info than you need, but if you need more then I can certainly provide them.

I use the laptop for all of my computer needs:
- My company: books, invoicing, financial statements, government reporting, and corporate income taxes
- My personal finances: banking, investments, financial statements, and personal income taxes.
- Gaming
- KeePass password database with a very strong password

I currently have about 1.4 TB of data. Of that data, about 50 GB has information that would be high risk of identity theft. This includes Google Drive and Dropbox cloud storage, both of which I use for different purposes. I also have OneDrive but the bugs and issues make it unreliable and useless to me.

I share data between my laptop and my Samsung Note 9 cell phone via cloud storage (mostly via Google Drive). All sensitive data is stored in internal storage, and other data such as music, is on the SD card. Samsung phones will wipe clean after 10 failed login attempts, and I have an unguessable and complex password. So the data is quite safe on the phone.

I have two Western Digital external HDDs for monthly backup of my 1.4 TB data. I back up the full 1.4 TB monthly to an external HDD which is stored in a safety deposit box at my bank, and I take the old backup from a month ago and put it into a lock box, which I use for the next month's backup.

So that is what it looks like now. My concern is that if someone breaks into my house and steals the very portable laptop, then the data is easily extracted by many methods. So I want to shut all the possible doors, and this is what I came up with, and want feedback and advice on ....

Step 1:
- In BIOS, make a BIOS admin password. Now a password is required for getting into BIOS
- In BIOS, make a user password. Now a password is required before it will boot.
I need the admin password to prevent someone going into BIOS and turning off the user password.

This prevents the many ways of defeating the password to start Windows; I won't get into the numerous ways it can be done. I plan to use BitLocker, so it is important that the would-be hacker can't get into Windows and, with the click of a button, turn off BitLocker and un-encrypt it.

I will keep the need for a password when logging into my Windows Local Account.

Step 2:
- In Disk Management, shrink my C: drive to 800 GB
- In Disk Management, create a 200 GB E: drive for my sensitive data

Step 3:
- Put all sensitive data (company and personal books, etc) on the 200 GB E: drive
- Move all Windows personal folders (documents, downloads, etc) to the 200 GB E: drive
- Direct scanner to create files on the 200 GB E: drive
- Move OneDrive, GDrive and Dropbox cloud storage folders to 200 GB E: drive

Step 4:
- Upgrade Windows 11 Home to Windows 11 Pro
- Use BitLocker to encrypt the 200 GB E: drive, no password
- Store the BitLocker recovery key in KeePass (KeePass database is on my laptop, cloud storage, on backup HDDs, and on my phone)

Question: If I use BitLocker to encrypt a drive containing cloud storage folders, does that mean the files are encrypted on the cloud, and therefore unusable by any other devices such as my phone?

Step 5 (maybe):
Question: Can I use BitLocker to encrypt the external HDD with a password, or would I need to use the recovery key each time I want to access the data? Again, the recovery key would be kept in KeePass.

So that is the plan. I think it is pretty robust. It can still be defeated by removing battery on laptop motherboard to reset BIOS which defeats the user password, but that is highly unlikely for someone to do on a laptop due to difficult access.

I think it is a good plan but mostly I am wondering about encrypting the cloud storage like that. And wondering how to make the encrypted external HDD backups usable.

I have never used it, but BitLocker looks ideal for this, but maybe there is another product? I have WD drives, so maybe their free software is a better choice?

I look forward to your feedback and advice.

EDIT:
Ouch, I just realized that this is a Windows 10 forum, and I am on Windows 11. Very sorry for my mistake. But I think the question is still valid because really, the same identical question can be asked if I was on Windows 10. So I will leave this question up and look forward to any advice or comments you might have.
 
Joined
Jun 20, 2016
Messages
153
Reaction score
7
Well, I could just remove your HDD, connect it to another computer, copy your password folders and any other folder I want, then if they don't work sync them to another puter and I should be in business. Your best option is spending $250 on a high speed micro SD card, best money can buy, and keep your sensitive info on it and remove the card when you're not using it. Also I could sync another puter to yours and make the necessary changes on my computer and sync to yours and I would have a bit of access to some sensitive areas, like bookmarks, passwords, history, etc.
 
Joined
Jun 20, 2016
Messages
153
Reaction score
7
Flashing the BIOS isn't hard to do.
 
Joined
Sep 26, 2017
Messages
3,454
Reaction score
616
Flashing the BIOS wouldn't always be necessary; just clearing the CMOS would set it back to default. It's done by removing the CMOS battery and letting it sit a while and/or using jumper pins on the motherboard [if provided]. The biggest issue with a notebook is getting to the motherboard to do the procedure/s.
 
Joined
Feb 11, 2023
Messages
5
Reaction score
0
Thank you everyone for your replies. The reason for my long silence is that I have researched all of the answers, and tried to determine which of the options suggested will fit what I am trying to accomplish.

First observation is that no matter what I do, if someone is knowledgeable enough, and willing to put in the effort, then it probably can be defeated. So my goal is to make it difficult enough to defeat the vast majority of people, and hopefully hard enough that even the knowledgeable ones will not think it worth the time and effort.

My other goal is to make it easy to use. I am the only user, so I want a password to get into the laptop. I want the data encrypted so if they remove the drive then the data is protected. Those are the two avenues to get at the data blocked. I do not want a bunch of long complex passwords for every drive, folder and / or file that I open - once in the computer, I want it to be efficient.

So I am in the process of setting it up now:

I switched to log in with MS Account. I strengthened the password and turned on two step verification. That advice was given to ensure BitLocker codes are available in the account data.

In BIOS I set the admin password, and turned on "ask for password on power up", which is also the admin password. When I turn it on, or reboot, the first thing it does is ask for the password - it will not boot into any device without the password.
According to Lenovo, if I lose the password then the only option is to replace the motherboard. I have found no instructions for flashing BIOS on the Legion 5i Pro laptop. If it can be defeated, then it requires a lot of knowledge and time.

So I have to give password at power up, and then password to get into windows.

All of my sensitive data is on the second 2 TB SSD, which is D: drive.

I am going to upgrade to Windows 11 Pro for BitLocker. Unfortunately, my laptop does not have "modern standby" so device encryption in my Windows 11 Home is not available. So I will just do the upgrade and then I will have the full BitLocker capabilities.

I plan to use BitLocker to encrypt the entire D: drive. No password to access because I am assuming it is very hard to defeat the power on password protection. I might also encrypt the User Folder as well --- I am still thinking about that but I probably won't unless there is a compelling reason.

I looked at using OneDrive Vault, and other encryption software, but they all require passwords to access the data, and I don't want to be constantly typing passwords. I think BitLocker is tailor made for what I am trying to do. I just want it encrypted in the event that someone removes the drive and tries to read it on another computer.

It is simplified thanks to all of your advice. I understand that it is not invincible, and that nothing can be, but I think this is pretty robust.
 
Joined
Jun 20, 2016
Messages
153
Reaction score
7
One thing I came across once was I didn't have permissions open on system files and folders, and when a virus got in deep it took me too long to get to the folder to stop the damage being done, so I feel open access inside is important. I also avoid companies that sell repair software, as someone has to create the viruses they fix.
 
Joined
Feb 11, 2023
Messages
5
Reaction score
0
OK, that confirms leaving the user files open. I don't use the User folders anyway. And I have used Norton for years which will hopefully continue to keep the malware at bay.
 
Joined
Jun 20, 2016
Messages
153
Reaction score
7
I never use Nortons except some of their old software but not the antivirus.
 
Joined
Sep 26, 2017
Messages
3,454
Reaction score
616
I like to remind users that there are 3 possible choices for passwords: 1 is to enter the BIOS Setup itself, 2 is when the BIOS has finished loading and you need to enter a password to continue booting to the OS, and 3 is a password for the OS log-in for its loading. I haven't seen the first BIOS password requirement itself in quite a while, and occasionally see the second choice and more frequently the OS password. The 3 should never be the same; the first 2 are set in the BIOS.
 
Joined
Feb 11, 2023
Messages
5
Reaction score
0
In the case of my Lenovo Legion 5i Pro (2022 version), the admin password must be set first, and then you just check a box to enable the power-on password, which is the admin password. So same password for both entering BIOS and for start up.

I did it on mine after reading the user manual, and can confirm it is the same password for both. There is no option for separate passwords for entering BIOS or starting up the computer.
 
Joined
Sep 26, 2017
Messages
3,454
Reaction score
616
Yep, Lenovos are different. I have inherited 2 different models of Lenovo notebooks and they have different keyboard arrangements and different Fx key functions between the two of them.

Joined
Feb 11, 2023
Messages
5
Reaction score
0
I finished setting it up. So this is my last post to let you know how it went.

I found out that I cannot use Auto Unlock on the data drive unless I encrypt the OS drive. So I encrypted both drives and set the data drive to Auto Unlock. Now that I see it all went so smoothly, I actually like that better because now I don't have to worry about keeping sensitive data on just one drive.

I was a bit afraid of it, but it all went smoothly once I figured out why the Auto Unlock wasn't working on the data drive.

So I have two passwords: BIOS power-on password and Windows login PIN, and then once in Windows it acts the same as it did.

The encryption was really fast for an SSD. I did the full 2 TB drive (encrypted unused space) and expected it to take days. It took about 20 minutes and Task Manager said data transfer was at 1.8 GB/s. So even that went better than expected - wow, the SSDs are fast.
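
The end state described in the post above (both drives encrypted, data drive set to Auto Unlock) can be checked with a read-only script. This is an added example, not part of the thread; it uses the built-in BitLocker PowerShell cmdlets and assumes C: is the OS volume and D: is the data volume, as in the posts.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the BitLocker layout described in the thread.
# Assumption: C: is the OS volume and D: is the data volume (letters from the posts).
# Nothing is changed and no recovery password is printed.

function Get-VolumeFinding {
    param([Parameter(Mandatory)] $Volume)   # one object from Get-BitLockerVolume

    $findings = @()
    if ($Volume.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "volume status is $($Volume.VolumeStatus)"
    }
    if ($Volume.ProtectionStatus -ne 'On') {
        # Encrypted but Off means protection is suspended, which leaves a clear key on disk.
        $findings += 'protection is Off'
    }
    # Names of the key protectors (Tpm, RecoveryPassword, ExternalKey, Password, ...).
    $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'no recovery password protector to back up'
    }
    if ($Volume.VolumeType -eq 'Data' -and -not $Volume.AutoUnlockEnabled) {
        $findings += 'auto-unlock is not enabled'
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Type       = "$($Volume.VolumeType)"
        Method     = "$($Volume.EncryptionMethod)"
        Protectors = $types -join ', '
        Findings   = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

$os     = Get-BitLockerVolume -MountPoint 'C:'
$data   = Get-BitLockerVolume -MountPoint 'D:'
$report = @($os, $data) | ForEach-Object { Get-VolumeFinding -Volume $_ }

# The thread found that auto-unlock on the data drive needs an encrypted OS drive,
# so flag the case where D: auto-unlocks while C: is not protected.
if ($data.AutoUnlockEnabled -and $os.ProtectionStatus -ne 'On') {
    Write-Warning 'D: auto-unlocks but C: is not protected.'
}

$report | Format-Table -AutoSize -Wrap
```

A row whose Findings column is anything other than "ok" points at the setting to revisit, for example a volume whose recovery password has not been generated and stored.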
 
