There have been some discussions about Bitlocker disk encryption in the past
year or two so when I ran across this command, I thought I'd post it in case
anyone isn't sure if they're using Bitlocker or not.

From an administrator command prompt:
manage-bde -status

Sample output:

C:\WINDOWS\system32>manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OS]
[OS Volume]

Size: 463.30 GB
BitLocker Version: None
Conversion Status: Fully Decrypted
Percentage Encrypted: 0.0%
Encryption Method: None
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: None
Key Protectors: None Found

<snip>
(Output continues with each additional partition)

Char Jackson wrote:

> There have been some discussions about Bitlocker disk encryption in the past
> year or two so when I ran across this command, I thought I'd post it in case
> anyone isn't sure if they're using Bitlocker or not.
>
> From an administrator command prompt:
> manage-bde -status
>

While you're at it, if bitlocker is enabled make sure you have a copy of
the recovery key for each volume

manage-bde -protectors -get C:

Char Jackson <none@none.invalid> wrote:

> There have been some discussions about Bitlocker disk encryption in the past
> year or two so when I ran across this command, I thought I'd post it in case
> anyone isn't sure if they're using Bitlocker or not.
>
> From an administrator command prompt:
> manage-bde -status
>
> Sample output:
>
> C:\WINDOWS\system32>manage-bde -status
> BitLocker Drive Encryption: Configuration Tool version 6.3.9600
> Copyright (C) 2013 Microsoft Corporation. All rights reserved.
>
> Disk volumes that can be protected with
> BitLocker Drive Encryption:
> Volume C: [OS]
> [OS Volume]
>
> Size: 463.30 GB
> BitLocker Version: None
> Conversion Status: Fully Decrypted
> Percentage Encrypted: 0.0%
> Encryption Method: None
> Protection Status: Protection Off
> Lock Status: Unlocked
> Identification Field: None
> Key Protectors: None Found
>
> <snip>
> (Output continues with each additional partition)

Those using Home editions of Windows, like me, don't get Bitlocker. As
a result, running "manage-bde -status" (which has to interrogate all
storage media currently mounted, so it takes a while) shows "fully
decrypted" on every one of my volumes.

https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/

To prevent Windows Update client from ever proposing that I upgrade from
Windows 10 to Windows 11, I have to TPM support. I have no TPM module
on my motherboard (there is a slot to add one). The BIOS has firmware
support for Intel PTT (Platform Trust Technology) to emulate a TPM
module, so I deliberately disabled it. WU won't offer me Windows 11.
It means, if I had a non-Home edition of Windows, that I still could not
use Bitlocker.

Wonder which is better for full partition encryption (aka whole disk
encryption): Bitlocker or TrueCrypt? TrueCrypt (now VeraCrypt) is safe
by default. To be safe, Bitlocker requires careful configuration.
TrueCrypt's code has been independently audited (and why VeraCrypt made
some efficiency changes). Microsoft's code is proprietary hence never
audited. Bitlocker supports AES encryption. VeraCrypt supports it, and
a slew of other options, and you can combine them to exponentially
increase protection. Bitlocker can only support partitions (mounted as
volumes) for encryption. VeraCrypt can support both partitions and
containers (files that mount as volumes). VeraCrypt does not require
TPM, nor does VeraCrypt require Secure Boot.

ATTO benchmark
https://www.reddit.com/media?url=https%3A%2F%2Fpreview.redd.it%2F65w1cw0glq061.png%3Fwidth%3D560%26format%3Dpng%26auto%3Dwebp%26s%3D8a57848663e0bcacb483024a4675daa70e18ae93
One person's benchmark on ThinkPad X230t, WD Blue 3D NAND 1TB, Win10.

Veracrypt whole disk encryption writes (dotted blue) was higher than
Bitlocker's (dotted green), but Bitlocker's reads (solid orange) was
higher than for VeraCrypt (solid yellow). Regardless of which whole
disk encryption you use, it will have an impact on performance, because
it takes CPU cycles to decrypt and encrypt.

I don't need everything encrypted. I don't encrypt Windows' files,
because anyone can get those. I don't encrypt programs, because anyone
can get those programs (whether free or paid). I only need to secrete
my data files, and only very sensitive files, and for that I certainly
don't need whole disk encryption, just encryption containers which I
mount when I need to get at that data.

Whole disk encryption is for the scenario where the data is unknown
where it gets stored on the volume, users don't know (mostly don't care
or are ignorant), and there are programs that may be proprietary to a
company that it doesn't want accessed by non-employees.

For personal use, Bitlocker or VeraCrypt for whole disk encryption
doesn't make sense. It is superfluous protection at the cost of
performance.

VanguardLH wrote:

> Those using Home editions of Windows, like me, don't get Bitlocker.

You were saying?

C:\Windows\System32>manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows-SSD]
[OS Volume]

Size: 474.72 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password

C:\Windows\System32>systeminfo | find "OS Name"
OS Name: Microsoft Windows 11 Home

"VanguardLH" <V@nguard.LH> wrote

| For personal use, Bitlocker or VeraCrypt for whole disk encryption
| doesn't make sense. It is superfluous protection at the cost of
| performance.

Obviously you've never been a double spy. Those people
probably need it. :)

I'm guessing that Char is probably referring to this:

https://www.tomshardware.com/news/windows-software-bitlocker-slows-performance

Win11 Pro has it turned on by default and it turns out
to be a pig with resources, slowing SSDs to about half
speed. Whether that really matters is questionable, since
disks are so fast now. Still, few people have any practical
use for BitLocker, so it's also questionable to turn it on
by default.

On Sat, 28 Oct 2023 22:36:04 -0500, VanguardLH wrote:
> Veracrypt whole disk encryption writes (dotted blue) was higher than
> Bitlocker's (dotted green), but Bitlocker's reads (solid orange) was
> higher than for VeraCrypt (solid yellow). Regardless of which whole
> disk encryption you use, it will have an impact on performance, because
> it takes CPU cycles to decrypt and encrypt.

That's undeniable, but it misses an important point: will the impact
on performance be great enough to notice?

At least in my case, it is not. My financials are in a VeraCrypt
volume, and other documents are not. It seems to take Excel no more
time to open a spreadsheet in one than the other, and similarly for
Word, my PDF viewer, and so on.

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

Char Jackson wrote on 28-Oct-23 12:15 AM:
> There have been some discussions about Bitlocker disk encryption in the past
> year or two so when I ran across this command, I thought I'd post it in case
> anyone isn't sure if they're using Bitlocker or not.
>
> From an administrator command prompt:
> manage-bde -status
>
> Sample output:
>
> C:\WINDOWS\system32>manage-bde -status
> BitLocker Drive Encryption: Configuration Tool version 6.3.9600
> Copyright (C) 2013 Microsoft Corporation. All rights reserved.
>
> Disk volumes that can be protected with
> BitLocker Drive Encryption:
> Volume C: [OS]
> [OS Volume]
>
> Size: 463.30 GB
> BitLocker Version: None
> Conversion Status: Fully Decrypted
> Percentage Encrypted: 0.0%
> Encryption Method: None
> Protection Status: Protection Off
> Lock Status: Unlocked
> Identification Field: None
> Key Protectors: None Found
>
> <snip>
> (Output continues with each additional partition)
>

Optionally for a quick check
Click/touch the Start button
Enter/type Bitlocker
Click/touch 'Manage BitLocker'

This(above) route is much easier than navigating via the multi-level
nesting using Win11's Settings feature

--
....w¡ñ§±¤ñ

Newyana2 wrote on 29-Oct-23 6:05 AM:
> "VanguardLH" <V@nguard.LH> wrote
>
> | For personal use, Bitlocker or VeraCrypt for whole disk encryption
> | doesn't make sense. It is superfluous protection at the cost of
> | performance.
>
> Obviously you've never been a double spy. Those people
> probably need it. :)
>
> I'm guessing that Char is probably referring to this:
>
> https://www.tomshardware.com/news/windows-software-bitlocker-slows-performance
>
> Win11 Pro has it turned on by default and it turns out
> to be a pig with resources, slowing SSDs to about half
> speed. Whether that really matters is questionable, since
> disks are so fast now. Still, few people have any practical
> use for BitLocker, so it's also questionable to turn it on
> by default.
>
>

On by default?
Not necessarily.

For pre-built devices, good chance the OEM builder deployed factory image
has BitLocker enabled.

For a clean install Win11 or upgrade install(from Win10) variation exists.

This device meeting all Win11 specs is currently running Win11 Pro was
upgraded from Win10 Pro(about 6 months after Win11 release; Bitlocker was
not enabled on Win10 Pro) then a few months ago the SSD was replaced and
Win11 Pro clean installed.
- in both cases Bitlocker was not enabled for the upgrade or clean install.

Variation, though(enabled or disabled) has occurred on Win11 Insider
Builds before and after Win11 release. That same variation continues
today on Win10 upgrades on OEM or BYO devices.

--
....w¡ñ§±¤ñ

Stan Brown <the_stan_brown@fastmail.fm> wrote:

> VanguardLH wrote:
>
>> Veracrypt whole disk encryption writes (dotted blue) was higher than
>> Bitlocker's (dotted green), but Bitlocker's reads (solid orange) was
>> higher than for VeraCrypt (solid yellow). Regardless of which whole
>> disk encryption you use, it will have an impact on performance,
>> because it takes CPU cycles to decrypt and encrypt.
>
> That's undeniable, but it misses an important point: will the impact
> on performance be great enough to notice?
>
> At least in my case, it is not. My financials are in a VeraCrypt
> volume, and other documents are not. It seems to take Excel no more
> time to open a spreadsheet in one than the other, and similarly for
> Word, my PDF viewer, and so on.

My understanding is that the compression level is nowhere as high when
doing whole-disk encryption as with container encryption. Of course,
with Veracrypt, the more encryption schemes you combine, the slower to
read, and even more so to write.

I suspect Bitlocker is better than Veracrypt on the reads due to the
hardware-implementd AES-NI instructions of the TPM modules (or Intel PTT
in the BIOS firmware).

Here's one person benchmarking the effect on his SSD performance both
before and after enabling Bitlocker using CrystalDiskMark:

Before
https://www.reddit.com/media?url=https%3A%2F%2Fpreview.redd.it%2Fsbsv4f1fyrj51.jpg%3Fwidth%3D1087%26format%3Dpjpg%26auto%3Dwebp%26s%3D4ccfc031c2e272403b64b83253ef24c0ae336a5d
(https://tinyurl.com/4cavn476)

After
https://www.reddit.com/media?url=https%3A%2F%2Fpreview.redd.it%2Fqaxg5mwhyrj51.jpg%3Fwidth%3D1024%26format%3Dpjpg%26auto%3Dwebp%26s%3Dd41c61e9a3219456b64bdca24185135de15df0ce
(https://tinyurl.com/yez8f9yz)

Sorry, I had to leave the URLs as long since Reddit doesn't allow direct
links to their content. I also gave shortened URL redirects. I didn't
bother to hunt for Veracrypt whole-disk benchmarking, especially since
it probably does not rely on nor require a TPM module (or Intel PTT
emulating the TPM), so I suspect Veracrypt whole-disk encryption would
be slower than for Bitlocker; however, Veracrypt does not mandate you
have TPM nor does it require you employ Secure Boot.

For Bitlocker, there is some impact, but not likely a person would
notice. What can be measured for benchmarking does not necessarily
correlate to user experiences.

Note that Bitlocker requires TPM only on the boot partition. You can
use Bitlocker on another non-OS partition to just encrypt your data
there, and that doesn't require TPM. However, I suspect performance
would suffer without the hardware-implement encryption of TPM.
Presumably hardware-based encryption is faster than software-based
encryption.

Although CPU tests on benchmarking Bitlocker show some degradation when
it is enabled, another measure is latency. Apparently DPC (Deferred
Procedure Call) latency accrues when the encrypted disk gets very busy.
DPC latency can cause inconsitent performance of peripherals (mouse,
keyboard), video playback stuttering or audio dropouts, clicks, or
popping. One tool to check on DPC latency is latencymon by Resplendence
(https://www.resplendence.com/latencymon). I've used other tools by
them, like to check stacking of driver hooks which, I think, disappeared
and SanityCheck replaced it. That let me see the order of hooking which
was important when different programs hooking into the same driver
resulted in conflicts, like 2 AVs stuck in a loop rechecking the same
file thousands of times (yes, I know about not have 2 AV running their
on-demand scanners at the same time). They said they were compatible
with each other, but only if they loaded (stacked) in a particular
order. It also let me see when uninstalling an AV did not remove its
driver (sorry, forgot which one that was).

https://www.isunshare.com/computer/impact-of-bitlocker-encryption-on-performance.html

I thought Bitlocker only used AES 256. Looks like other encryption
schemes can be selected. However, the longer the key for better
security, the longer to decrypt on read and encrypt on write. Which
encryption method is selected makes a difference on performance impact.
Read isn't much impacted, but scroll down the article to the bar charts
to see how much write speed is affected.

Notice in the above article that both reads and writes get slower when
Bitlocker is enabled with writes particularly suffering. Reads are
slowed, but only slightly, so if whatever you're doing is mostly reads
then you probably won't notice the performance impact. A better CPU
also lessens impact.

If what you do is mostly reads, you probably won't notice any
performance impact with Bitlocker enabled. If you mostly write, yeah,
there will be a significant impact. Also depends on how you use your
computer. If your video editing, your CPU stays busy and there is a lot
of data traffic on the bus to the drive. If you're web browsing, in an
editor, or where the app has a lot of user interaction, the computer is
waiting eons between those keystrokes and mouse clicks, so it has lots
of idle time to catch up.

On Sun, 29 Oct 2023 16:33:40 -0500, VanguardLH wrote:
> Stan Brown <the_stan_brown@fastmail.fm> wrote:
>
> > [quoted text muted]
> > At least in my case, it is not. My financials are in a VeraCrypt
> > volume, and other documents are not. It seems to take Excel no more
> > time to open a spreadsheet in one than the other, and similarly for
> > Word, my PDF viewer, and so on.
>
> My understanding is that the compression level is nowhere as high when
> doing whole-disk encryption as with container encryption. Of course,
> with Veracrypt, the more encryption schemes you combine, the slower to
> read, and even more so to write.
>
> I suspect Bitlocker is better than Veracrypt on the reads due to the
> hardware-implementd AES-NI instructions of the TPM modules (or Intel PTT
> in the BIOS firmware).

Just to clarify ...

I wasn't comparing VeraCrypt to Bitlocker; I was comparing VeraCrypt
to _no_ encryption. And though logic tells us there must be a
performance hit from VeraCrypt, it's not enough that I can notice it.

BTW, I have a whole partition under VeraCrypt, as well as a file set
up as a VeraCrypt container. With neither of those could I see any
performance difference from my unencrypted E: partition.

Again, I'm not saying there _is_ no difference, just that it's not
enough for me to notice.

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

Andy Burns <usenet@andyburns.uk> wrote:

> VanguardLH wrote:
>
>> Those using Home editions of Windows, like me, don't get Bitlocker.
>
> You were saying?
>
> C:\Windows\System32>manage-bde -status
> BitLocker Drive Encryption: Configuration Tool version 10.0.22621
> Copyright (C) 2013 Microsoft Corporation. All rights reserved.
>
> Disk volumes that can be protected with
> BitLocker Drive Encryption:
> Volume C: [Windows-SSD]
> [OS Volume]
>
> Size: 474.72 GB
> BitLocker Version: 2.0
> Conversion Status: Used Space Only Encrypted
> Percentage Encrypted: 100.0%
> Encryption Method: XTS-AES 128
> Protection Status: Protection On
> Lock Status: Unlocked
> Identification Field: Unknown
> Key Protectors:
> TPM
> Numerical Password
>
> C:\Windows\System32>systeminfo | find "OS Name"
> OS Name: Microsoft Windows 11 Home

https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/
Section: Windows edition and licensing requirements

I went by what Microsoft stated for requirements. Home edition is not
listed.

The message is cross-posted to Windows 10 where I saw it. According to:

https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838
(with Windows 10 selected)

on how to get to Manage Bitlocker does not exist on my Windows 10 Home
x64 22H2. I click on the Start menu button and enter "bitlocker" or
"encrypt", but find nothing. The manage-bde tool exists, and can be
run, but shows Bitlocker is disabled for all volumes.

However, remember that I do not have a TPM module on the mobo or in the
slot on the mobo. Intel PTT (Platform Trust Technology) is disable in
the BIOS. So, perhaps I don't see Bitlocker options in Windows 10 Home
because I don't have the means of hardware-implementing the AES
functions.

The above article on how to turn on encryption says:

(Note that BitLocker isn't available on Windows 10 Home edition.)

Could be different on Windows 11 for Home edition. When the Windows 11
is selected, that Microsoft article says:

You'll only see this option if BitLocker is available for your device.
It isn't available on Windows 11 Home edition.

I don't have a Windows 11 Home box on which to test. That's why I went
with what Microsoft declares.

Windows 10 Home does not come with Bitlocker, but you can still encrypt
your volumes.

https://www.windowscentral.com/how-enable-device-encryption-windows-10-home
"The biggest difference between the two is that device encryption is
available on all the editions of Windows 10, while BitLocker is only
available for Windows 10 Pro, Enterprise, or Education, and offers some
additional management tools."

For me, running the System Information tool (GUI version) shows:

Device Encryption Support:
Reasons for failed automatic device encryption:
TPM is not usable,
PCR7 binding is not supported,
Hardware Security Test interface failed and device is not Modern
Standby,
Un-allowed DMS capable bus/device(s) detected,
TPM is not usable.

Yeah, it repeats TPM is not usable -- because there isn't a TPM module
on the mobo and Intel PTT is disabled in the BIOS.

If I enabled Intel PTT in the BIOS, I'd probably get the green flag on
Device Encryption Support. But that is not using Bitlocker.

https://iboysoft.com/questions/what-is-the-difference-between-bitlocker-encryption-and-device-encryption.html

From what I can find, manage-bde is falsely reporting your volume is
Bitlocker protected, but, in fact, you're just using device encryption
under a Home edition of Windows. While you can configure which
encryptions schemes, and if single or combo scheme (e.g., XTS+AES which
is 128-bit minimum for XTS plus 256 bits for AES for 384 bits total), I
haven't checked if you can select the encryption scheme with device
encryption.

On 10/29/2023 1:05 PM, Stan Brown wrote:
> On Sat, 28 Oct 2023 22:36:04 -0500, VanguardLH wrote:
>> Veracrypt whole disk encryption writes (dotted blue) was higher than
>> Bitlocker's (dotted green), but Bitlocker's reads (solid orange) was
>> higher than for VeraCrypt (solid yellow). Regardless of which whole
>> disk encryption you use, it will have an impact on performance, because
>> it takes CPU cycles to decrypt and encrypt.
>
> That's undeniable, but it misses an important point: will the impact
> on performance be great enough to notice?
>
> At least in my case, it is not. My financials are in a VeraCrypt
> volume, and other documents are not. It seems to take Excel no more
> time to open a spreadsheet in one than the other, and similarly for
> Word, my PDF viewer, and so on.
>

There was a claim, that Office docs, also had 50000 or 100000 passes
of some crypto, to hide the contents of the file, from your hex editor.
So there is already a price to be paid for having Office documents,
even without Bitlocker or FDE at another level.

The reason for the large number of passes, is to slow down brute-force
attempts to decrypt documents that have a user-provided password.

The password on the crypto you can't see, is "velvetsweatshop". For
documents where the user did not request encryption, the "velvetsweatshop"
password is tried first, as the defacto password. But you don't see
this going on. This is covered in some documents that the LibreOffice
people used when developing their stuff.

Modern office documents (.xlsx) are a ZIP container, with component parts.
This could mean the text storage part, you could read that with
a hex editor (or Wordpad, if they hadn't removed it). But with a defacto
encryption in place, examination with a hex editor, would not work.

You could use 7ZIP, to take apart a modern Office document, and
make the separate internal parts available. Then, if they hadn't encrypted it,
you could use your hex editor to read the textual container.

If you specifically request Office to encrypt a document, the only
change to the workflow, is the password is no longer "velvetsweatshop"
and Office should then ask for a password, when it cannot get the
protected part open.

Using that keyword, you can learn all sorts of unrelated stuff. It is
part of trying to hide malware :-)

https://blogs.vmware.com/security/2020/11/velvetsweatshop-when-default-passwords-can-still-make-a-difference.html

Paul

VanguardLH wrote:

> Could be different on Windows 11 for Home edition. When the Windows 11
> is selected, that Microsoft article says:
>
> You'll only see this option if BitLocker is available for your device.
> It isn't available on Windows 11 Home edition.

I don't think the difference is due to Win10 vs Win11, I think it's just
that major OEMs enable bitlocker by default for both Home and Pro.

On Sun, 29 Oct 2023 18:12:52 -0400, Paul wrote:
> Modern office documents (.xlsx) are a ZIP container, with component parts.
> This could mean the text storage part, you could read that with
> a hex editor (or Wordpad, if they hadn't removed it). But with a defacto
> encryption in place, examination with a hex editor, would not work.

I just tried unzipping a .docx file, and did not need
to enter a password. The components displayed just fine
in my text editor; no need for hex.

I should mention that I still use Office 2010. Are you
describing what some later version of Office does?

--
Stan Brown, Tehachapi, California, USA
https://BrownMath.com/
Shikata ga nai...

On 10/30/2023 9:56 AM, Stan Brown wrote:
> On Sun, 29 Oct 2023 18:12:52 -0400, Paul wrote:
>> Modern office documents (.xlsx) are a ZIP container, with component parts.
>> This could mean the text storage part, you could read that with
>> a hex editor (or Wordpad, if they hadn't removed it). But with a defacto
>> encryption in place, examination with a hex editor, would not work.
>
> I just tried unzipping a .docx file, and did not need
> to enter a password. The components displayed just fine
> in my text editor; no need for hex.
>
> I should mention that I still use Office 2010. Are you
> describing what some later version of Office does?
>

I just finished installing on the other machine, and put a LibreOffice
over there to test.

Testing by making a .docx and a .pptx, showed no encryption.

*******

It appears in this article, the key was stretched 50000 times.
As part of specifying a slow method to reduce the progress a brute force
attack could make.

https://en.wikipedia.org/wiki/Microsoft_Office_password_protection

I could swear I had looked at some document in the past and found
a section that was binary noise.

Paul

On Mon, 30 Oct 2023 12:43:53 -0400, Paul wrote:
> I could swear I had looked at some document in the past and found
> a section that was binary noise.

It is possible to _create_ a binary file, at least in Excel:
File » Save As » Excel Binart Workbook (*.xlsb)

I suspect that's what used to be the standard .xls format created by
Excels through Excel 2003, but I haven't bothered to verify my guess.
If I'm right, maybe you wer looking at an old .xls or .doc file?

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

Stan Brown <the_stan_brown@fastmail.fm> wrote:

> Paul wrote:
>
>> Modern office documents (.xlsx) are a ZIP container, with component
>> parts. This could mean the text storage part, you could read that
>> with a hex editor (or Wordpad, if they hadn't removed it). But with
>> a defacto encryption in place, examination with a hex editor, would
>> not work.
>
> I just tried unzipping a .docx file, and did not need
> to enter a password. The components displayed just fine
> in my text editor; no need for hex.
>
> I should mention that I still use Office 2010. Are you
> describing what some later version of Office does?

He was probably referring to password-protected Office docs. Just like
..zip files that can be passworded (use a zip tool that doesn't use the
ancient ZipCrypto scheme as that is easy to crack), Office doc files can
be passworded.

https://support.microsoft.com/en-us/office/protect-a-document-with-a-password-05084cc3-300d-4c1a-8416-38d3e37d6826

Passwording of Office docs has been available for so long that I don't
remember the feature not being present, even back to Office XP (probably
the earliest version I've used; before that was WordPerfect, and before
that was StarOffice, and before that was Wordstar under DOS).

http://www.humanservices.alberta.ca/AWOnline/documents/How%20to%20password%20protect%202010%20word%20docs.pdf

That discusses how to password protect Word 2010 docs. I think I
passworded a .doc file only once which was transported to another user
via Dropbox using sharing to just 1 other Dropbox user, and I sent the
password via e-mail. The e-mail was not encrypted, but then only the
other Dropbox users with whom I shared the file could get at the file,
anyway.

On 10/30/2023 5:28 PM, VanguardLH wrote:
> Stan Brown <the_stan_brown@fastmail.fm> wrote:
>
>> Paul wrote:
>>
>>> Modern office documents (.xlsx) are a ZIP container, with component
>>> parts. This could mean the text storage part, you could read that
>>> with a hex editor (or Wordpad, if they hadn't removed it). But with
>>> a defacto encryption in place, examination with a hex editor, would
>>> not work.
>>
>> I just tried unzipping a .docx file, and did not need
>> to enter a password. The components displayed just fine
>> in my text editor; no need for hex.
>>
>> I should mention that I still use Office 2010. Are you
>> describing what some later version of Office does?
>
> He was probably referring to password-protected Office docs. Just like
> .zip files that can be passworded (use a zip tool that doesn't use the
> ancient ZipCrypto scheme as that is easy to crack), Office doc files can
> be passworded.
>
> https://support.microsoft.com/en-us/office/protect-a-document-with-a-password-05084cc3-300d-4c1a-8416-38d3e37d6826
>
> Passwording of Office docs has been available for so long that I don't
> remember the feature not being present, even back to Office XP (probably
> the earliest version I've used; before that was WordPerfect, and before
> that was StarOffice, and before that was Wordstar under DOS).
>
> http://www.humanservices.alberta.ca/AWOnline/documents/How%20to%20password%20protect%202010%20word%20docs.pdf
>
> That discusses how to password protect Word 2010 docs. I think I
> passworded a .doc file only once which was transported to another user
> via Dropbox using sharing to just 1 other Dropbox user, and I sent the
> password via e-mail. The e-mail was not encrypted, but then only the
> other Dropbox users with whom I shared the file could get at the file,
> anyway.
>

But you have to work "VelvetSweatshop" into the explanation.
There is a default password. When is the default password engaged ?
Under what circumstances ? You don't have to ever enter that
password while you are working in Office. The tool tries that
password, and only if that password fails, does Office then
prompt for the user-supplied password.

Some Microsoft humor, is when they released a document with information
about file formats, the existence of a default password was admitted,
but, the string in their document was released in hex format,
as if the password consisted of "0x20" instead of a space character.
They did not want the embarrassing employee choice of a default
password, to appear in the spec so people could easily see it :-)
You have to convert the text back to ASCII your own self, to see it.

Paul

Paul <nospam@needed.invalid> wrote:

> VanguardLH wrote:
>
>> Stan Brown <the_stan_brown@fastmail.fm> wrote:
>>
>>> Paul wrote:
>>>
>>>> Modern office documents (.xlsx) are a ZIP container, with component
>>>> parts. This could mean the text storage part, you could read that
>>>> with a hex editor (or Wordpad, if they hadn't removed it). But with
>>>> a defacto encryption in place, examination with a hex editor, would
>>>> not work.
>>>
>>> I just tried unzipping a .docx file, and did not need
>>> to enter a password. The components displayed just fine
>>> in my text editor; no need for hex.
>>>
>>> I should mention that I still use Office 2010. Are you
>>> describing what some later version of Office does?
>>
>> He was probably referring to password-protected Office docs. Just like
>> .zip files that can be passworded (use a zip tool that doesn't use the
>> ancient ZipCrypto scheme as that is easy to crack), Office doc files can
>> be passworded.
>>
>> https://support.microsoft.com/en-us/office/protect-a-document-with-a-password-05084cc3-300d-4c1a-8416-38d3e37d6826
>
> But you have to work "VelvetSweatshop" into the explanation.
> There is a default password. When is the default password engaged ?
> Under what circumstances ? You don't have to ever enter that
> password while you are working in Office. The tool tries that
> password, and only if that password fails, does Office then
> prompt for the user-supplied password.

Ah, I thought VelvetSweatshop was some crypto component incorporate to
MS Office. Nope, it is a default password string. The following
article only discusses Excel will automatically open files password
protected using the "VelvetSweatshop" string, so it makes an infection
vector that malicious authors could use in encrypting their payload in
an Excel spreadsheet that can be delivered without the recipient ever
getting prompted for a password to open the malicious spreadsheet.

https://blogs.vmware.com/security/2020/11/velvetsweatshop-when-default-passwords-can-still-make-a-difference.html

Is the auto-open "feature" with a password of "VelvetSweatshop" just a
failing in Excel, or all Office components?

https://threatpost.com/velvetsweatshop-bug-resurrected-limerat/154310/

That also mentions only MS Excel.

I cannot remember ever getting an .xls[x] file attached to an e-mail. I
don't rememeber ever having an occasion of sending or receiving an Excel
file attached to an e-mail. Might be more common in business scenarios.

Seems implausible that Microsoft is ignorant of the misuse of a default
password string allowing malcontents from delivering malicious content
where the recipient won't get prompted for a password on opening the
file. The info articles mention CVE-2012-0158, so I did a search on
that string to find:

https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027

Notice the datestamp in the URL is 2012. Yet the VMware article testing
the vulnerability (and finding it still exists) is dated in 2020. For
Microsoft to not yet address this issue sure makes it look like
Microsoft has an intent to [ab]use this vulnerability themself.

If a user password protects an Office file, does it obliterate the
"VelvetSweatshop" password, so only the user-specified password can be
used to decrypt the file? Or is the user-specified password added to
the file (so now the file has 2 passwords), and the file can be
opened/decrypted using either password? If the latter is true, password
protecting Office docs is futile since the VelvetSweatshop password
could be used by anyone to peek inside any passworded file.

Since the malicious content uses macros in the Office documents,
wouldn't configuring Office to prompt or disable macros kill the
malicious VelvetSweatshop passworded files? I don't what is the default
setting in MS Office, but macros are disabled in my installation of MS
Office 2021 Pro Plus standalone (not MS 365). File -> Options -> Trust
Center -> Trust Center Settings: Macro Settings = Disable all macros
with notification. If I ever got an e-mail with an Office doc
attachment, and it squeaked by any AV checking by passwording the
attached document, and the password was VelvetSweatshop, Office would
alert me the macro(s) were disabled. Would I then enable the macro
because I got prompted? Highly unlikely. I don't send nor does anyone
send me any Office docs containing macros. Macros is really a corporate
environment thing. So tis possible employees would allow the macro to
run at which point the client-side AV would have to catch the malicious
events. I'll switch that setting to "Disable all macros without
notification". When I open an Office doc, if it has macros - good or
bad - those won't run.

If the default trust setting is "Disable macros with notification",
users will get prompted to allow them. The problem thereupon is users
make horrible decisions, and likely will allow macros to run.