Hard Disk Encryption, No Excuses

In today's society, with laptops and portable devices easily available and easily stolen, hard disk encryption is no longer optional.

This should be something that everyone with a laptop has installed.  For most people, there is a lot more personally identifiable information on your laptop than one might think.

Information that is not even stored on your laptop, but is accessed through websites that require a login, is easily accessible to any common thug if you save your login information in your browser.  If you use Windows and think your Windows password will save you, think again.  Using a Trinity Rescue Kit CD, a Windows password can be hacked in less than five minutes.  Almost every day, it seems we are hearing about another staggering amount of customer information that was lost and compromised due to a laptop theft that could have been prevented by the simple use of disk encryption.  While losing your laptop sucks, and will cost you several hundred dollars, having your identity stolen really sucks and can cost you even more.

At my work, I was recently handed the project of devising a solution to encrypt the hard disks of all our portable users.  Since being introduced to 2600 a few years ago by a close friend, I've become very interested in security and related matters, so you can imagine how thrilled I was when this project was handed to me.  I started out not knowing much about hard disk encryption, but this changed very quickly.  My research took me down several different paths and, after interfacing with different software vendors, eventually led me to choose PGP's Whole Disk Encryption.  Their corporate products are very good and they also offer a personal version for $120.  However, I'd like to focus on another piece of software called TrueCrypt.

TrueCrypt is a 100% free, open-source disk encryption application from www.truecrypt.org.  It is easy to use and is capable of encrypting your entire hard disk from start to finish using several standardized encryption algorithms including AES, Serpent, and Twofish.  It essentially wraps each block of data on your hard drive using an encryption algorithm which is virtually unbreakable.  The only real change you will see is a pre-boot environment that will appear after the BIOS screen, asking you to key in your password and unlock the disk.  Once this is done, your computer will boot as normal.

I know some of you will say that hard disk encryption really kills your system's performance.  Contrary to that, system performance is almost unaffected.  Some users even report a slight increase in performance, due to a pipelining effect that happens to the read and write operations.  TrueCrypt stores the encryption keys in RAM and decrypts the data on the fly.  Data is decrypted as it comes off the disk and encrypted again before it ever touches the disk.  And best of all, it's free!  The complete source code is available for download from www.truecrypt.org/downloads2.php, which means no worries of hidden back doors for Big Brother.  The install is very simple and, once your drive is encrypted, your data is safe from almost any attack method.
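As an added illustration of the block-level, on-the-fly model just described (this is not code from the article or from TrueCrypt): a toy in-memory disk in Go whose sectors are AES-encrypted on write and decrypted on read, with the key held only in the process.  The 512-byte sector size, the CTR mode and the sector-number nonce are simplifying assumptions for the example, not TrueCrypt's on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

const sectorSize = 512
// EncryptedDisk stands in for a block device: raw holds ciphertext only, and
// the AES key lives only in this struct, i.e. in RAM, never on the platter.
type EncryptedDisk struct {
	block cipher.Block
	raw   []byte
}

func NewEncryptedDisk(key []byte, sectors int) (*EncryptedDisk, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return &EncryptedDisk{block: block, raw: make([]byte, sectors*sectorSize)}, nil
}

// stream uses the sector number as the CTR nonce, so equal plaintext in two
// sectors never yields equal ciphertext. CTR is a simplification: rewriting a
// sector in place repeats keystream, which real disk encryption must avoid.
func (d *EncryptedDisk) stream(n uint64) cipher.Stream {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[:8], n)
	return cipher.NewCTR(d.block, iv)
}

// WriteSector encrypts before data touches the disk; short input is zero-padded.
func (d *EncryptedDisk) WriteSector(n uint64, plain []byte) {
	buf := make([]byte, sectorSize)
	copy(buf, plain)
	d.stream(n).XORKeyStream(d.raw[n*sectorSize:(n+1)*sectorSize], buf)
}

// ReadSector decrypts on the fly as the sector comes off the disk.
func (d *EncryptedDisk) ReadSector(n uint64) []byte {
	out := make([]byte, sectorSize)
	d.stream(n).XORKeyStream(out, d.raw[n*sectorSize:(n+1)*sectorSize])
	return out
}

// RawSector is the thief's view: the platter contents without the key.
func (d *EncryptedDisk) RawSector(n uint64) []byte {
	return d.raw[n*sectorSize : (n+1)*sectorSize]
}
```

Reading a sector back through ReadSector returns what was written, while RawSector for the same sector contains none of it; that gap is the whole point of keeping the key in memory and the ciphertext on the disk.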

To begin, download the installer from www.truecrypt.org/downloads.php, choose your flavor of operating system (Microsoft, Linux, or OS X), then download and install the package.  The website has complete documentation on many other features, including portable USB drive encryption, but for this article I will just show you how easy it is to encrypt your hard disk.

After installing, launch TrueCrypt, select the "Edit" menu, and then select "Encrypt System Partition/Drive".  At the first screen, you can choose a "Normal" or "Hidden" encrypted partition, the difference being that a hidden encrypted partition, simply put, will be indistinguishable from random data.  An extra layer of protection, if you think you need it.  For now let's go with "Normal".

Next, you can choose to either encrypt just the Windows boot partition or the entire physical disk.  Choose the entire disk if you have two or more partitions and want to encrypt everything.  Next, choose whether you want to encrypt the host protected area.  Depending on your computer setup, select the option you think will work best.  At the next screen choose whether or not you have multiple operating systems installed and move forward.

Now you should be at the "Encryption Options" window.  This is where you can choose which algorithm(s) you want to use.  AES is the default and is very secure.  However, if you're feeling paranoid, TrueCrypt will allow you to use up to three different algorithms together, essentially wrapping each block of data with three different layers of encryption.  Keep in mind, the more layers you use, the higher the impact on system performance.  Using one layer should be sufficient for most.  For the hash algorithm, RIPEMD-160 (default) will do.

Next, choose a password that you will use to unlock the disk before the operating system loads.  The software will recommend using a 20-character password, which is not necessary, but be sure to use common sense when choosing a password.  At the next prompt, move your mouse around to help randomize the encryption keys.  Click "Next" to see the encryption keys and then move on to create a rescue CD.  TrueCrypt will not allow you to continue without creating a rescue CD.  If the TrueCrypt boot loader ever gets damaged after you have encrypted your disk, it can be restored using the CD.  Once you've burned the rescue CD and verified it with TrueCrypt, click "Next".  Select which level of "Wipe Mode" you prefer.  The default "None" will be suitable for most, but depending on how sensitive the information you store on your laptop is, you may want to choose a more secure method.  To test the system before it encrypts the disk, TrueCrypt will reboot your system to ensure everything works correctly with the pre-boot authentication.  Upon reboot, key in the password you specified during setup and boot into your OS.  At this point, the test will complete and the encryption process will begin.

The time it takes to fully encrypt your hard disk will depend on the size of your disk and the system specs.  A 40 GB drive on a Pentium 4, 3 GHz, took about 35 minutes.  Once this is complete, your data will be secured and your entire hard disk will be encrypted.  Remember that no single security method is 100% secure and security is best applied in layers.  With that in mind, laptop anti-theft devices are still a good idea, including cable locks, tracking software, and even laptop lockers.

Shouts to Rob for getting me hooked on 2600 and making this possible!  See you back on The Rock!