Read the reasoning for not encrypting just the index in this TechNet page:
Encrypting the Index
To encrypt the index file itself, we recommend that you encrypt the entire volume containing the index with BitLocker or another 3rd party full-volume encryption option. This provides strong protection against offline attacks; online attacks are still possible by users with administrator access. BitLocker Drive Encryption provides enhanced protection against data theft by encrypting operating system and data volumes. In Windows 7, BitLocker Drive Encryption works on removable drives. We strongly recommend also BitLocking operating system volumes if you BitLock data volumes.
While the Encrypting File System (EFS) can also be used, it is not recommended. The Windows Search service runs under the LocalSystem account and needs access to the index files. As a result, EFS keys associated with the LocalSystem account must be used to encrypt the index files. Consequently, the index files are open to the following attacks:
- Online: Any administrative user can gain access to the encrypted index files by simply impersonating the LocalSystem account. (Existing tools on the web make this a trivial task.)
- Offline: The key that is used by the LocalSystem account to decrypt files is stored on the machine in an obfuscated state. Someone with physical access to the machine can use existing tools on the web to retrieve this key and access the encrypted index files.
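
A defender-side check of the recommendation quoted above, as an added PowerShell example that is not part of the original post or the TechNet page: it reports whether the volume holding the index and the operating system volume are both BitLocker-protected, and flags index files that rely on EFS instead. The `IndexPath` parameter and the function name `Get-VolumeProtection` are hypothetical; the script assumes it runs elevated, that the index sits on a drive-letter volume, and that the BitLocker PowerShell module (`Get-BitLockerVolume`) is available.

```powershell
# Added example (not from the quoted page). Run from an elevated prompt.
# IndexPath is an assumption: pass the directory that holds your search index.
param(
    [Parameter(Mandatory)] [string] $IndexPath
)

function Get-VolumeProtection {
    param([string] $MountPoint)
    # Query BitLocker state for one volume, e.g. 'C:'
    $v = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    [pscustomobject]@{
        MountPoint       = $v.MountPoint
        VolumeStatus     = $v.VolumeStatus
        ProtectionStatus = $v.ProtectionStatus
        # Count a volume as protected only when fully encrypted AND protection is on
        # (a suspended protector leaves the key readable on disk).
        Protected        = ($v.VolumeStatus -eq 'FullyEncrypted' -and
                            $v.ProtectionStatus -eq 'On')
    }
}

$resolved    = (Resolve-Path -LiteralPath $IndexPath).Path
$indexVolume = Split-Path -Path $resolved -Qualifier   # e.g. 'D:'
$osVolume    = $env:SystemDrive                        # e.g. 'C:'

# Check the index volume, plus the OS volume if it is a different one.
$volumes = @($indexVolume, $osVolume) | Sort-Object -Unique
$report  = foreach ($m in $volumes) { Get-VolumeProtection -MountPoint $m }
$report | Format-Table -AutoSize

foreach ($r in $report | Where-Object { -not $_.Protected }) {
    Write-Warning "$($r.MountPoint) is not fully protected by BitLocker."
}

# Files carrying the EFS 'Encrypted' attribute: under LocalSystem this is the
# setup the quoted page advises against.
$efsFiles = Get-ChildItem -LiteralPath $resolved -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

if ($efsFiles) {
    Write-Warning "$(@($efsFiles).Count) index file(s) use EFS; prefer full-volume encryption."
} else {
    Write-Output "No EFS-encrypted files found under $resolved."
}
```

A clean result covers only the offline case; as the quoted text notes, users with administrator access can still reach the index while the system is running.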