Helping people with computers... one answer at a time.

Laptops are portable, convenient and easily lost. When lost, all the data could easily be available to the finder. Encryption is the answer.

I travel a lot, and have sensitive data on the laptop I take with me that I need as part of my job. But I'm in fear of losing the laptop and that this data will fall into the wrong hands. What do you suggest?

I know how you feel. I also have sensitive information on my laptop that I would prefer not to fall into the wrong hands. I can handle losing the laptop, but thinking about the data in the wrong hands ... well ... that would be bad.

I do have a solution that I've been using for several years now, and it turns out to be fairly easy, secure, and free.

Now, naturally, you can encrypt your data using various archiving tools that allow you to assign the resulting file a password. The problem is that many are easy to crack, and to be honest, it's a hassle; in order to encrypt a file you have to take care to place it in the archive and erase unencrypted copies, and in order to use a file you need to extract it from the archive.

For some time now, I've been using TrueCrypt. TrueCrypt is free, open source, on-the-fly encryption software. It provides serious industrial-strength encryption while still being fairly easy to use.

TrueCrypt can be used in several ways, the two most common:

  • it can encrypt an entire disk volume - such as a USB thumb drive, floppy disk, or an entire hard disk

  • it can create an encrypted virtual disk "volume" or container

It's the latter approach that I like to use, as it makes it easy to copy entire containers from machine to machine.

An encrypted virtual disk is simply a file that TrueCrypt "mounts" as an additional drive letter on your machine. You specify the pass phrase when the virtual drive is mounted and thereafter everything you access from there is automatically DEcrypted and anything you place there is ENcrypted.

For example, you might have TrueCrypt create an encrypted drive as c:\windows\secritstuf. If someone were to look at the contents of that file directly, they would see only random gibberish - the result of encryption. When you use TrueCrypt to mount that file as a virtual drive (for example, selecting the drive letter "P:"), P: would look and operate like any other disk, and would contain the contents of the encrypted drive. Encryption is as simple as moving a file to the drive.

While the encrypted volume is mounted, its contents are visible in their unencrypted form, and can be accessed by any program you might want to run.

The trick is to never mount the drive automatically. When your machine boots up, "P:", for example, would be nowhere to be found. The file c:\windows\secritstuf would be present but only visible as encrypted gibberish. If someone stole your machine that's all they would find.

Only after you've used the TrueCrypt program to select the file (c:\windows\secritstuf), choose the drive to mount it as (P:) and supply the correct pass phrase, would the virtual drive be "mounted" and the encrypted data become accessible.

TrueCrypt supports a number of different high-powered encryption algorithms. The documentation for TrueCrypt is clearly targeted at the seriously paranoid, including instructions on how to maintain "plausible deniability" should a thief ever force you to supply a password. Let's hope that'll only be of passing interest to any of us.

Now, a couple of caveats:

  • The password or passphrase you choose is the weakest link. Encryption does not make a bad password any more secure. If you choose an obvious passphrase, a dictionary attack can certainly be mounted that could unlock your encrypted volume.

  • An encrypted volume does you no good if the files you care about are also elsewhere on your machine in some unencrypted form.

  • That being said, make sure you have secure backups, updated regularly. Preferably keep them UNencrypted, but secure in some other way, in case you lose your encrypted volume or forget your password. Without the password, the data is not recoverable.

  • That last statement is technically inaccurate. You should always be aware that things are never 100% secure. All encryption can, theoretically, be hacked. The purpose of encryption is to make the cost of that hacking so astronomical as to be impractical. For example, spending a calendar year on a brute force hacking attempt is kinda pointless to discover next month's sales forecasts. Similarly hiring the expertise required to attempt such a recovery might also be astronomically costly.
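To make the first caveat concrete, here is an added example (not part of the original article, and not TrueCrypt code) that flags a passphrase built on a dictionary word and estimates how long exhausting its search space would take. The wordlist, the variants-per-word figure and the guess rate are assumptions chosen for illustration.

```python
import math
import re

# Constructed mini wordlist (assumption); a real check would load a large
# list of common passwords and dictionary words.
COMMON_WORDS = {"password", "sunshine", "dragon", "letmein", "secret", "laptop"}
# Assumed number of variants (case, digits, symbols) tried per dictionary word.
VARIANTS_PER_WORD = 10_000
SECONDS_PER_YEAR = 365 * 24 * 3600

# Undo common character substitutions: P@ssw0rd -> password.
LEET = str.maketrans("0134578@$!", "oleastbasi")
TRAILING_JUNK = re.compile(r"[\W\d_]+$")  # digits/symbols appended at the end


def dictionary_root(passphrase):
    """Return the wordlist entry this passphrase is built on, or None."""
    lowered = passphrase.lower()
    candidates = {
        TRAILING_JUNK.sub("", lowered).translate(LEET),
        TRAILING_JUNK.sub("", lowered.translate(LEET)),
    }
    for candidate in candidates:
        if candidate in COMMON_WORDS:
            return candidate
    return None


def charset_size(passphrase):
    """Size of the alphabet implied by the character classes in use."""
    size = 0
    if re.search(r"[a-z]", passphrase):
        size += 26
    if re.search(r"[A-Z]", passphrase):
        size += 26
    if re.search(r"[0-9]", passphrase):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", passphrase):
        size += 33  # printable ASCII symbols, including space
    return size


def assess(passphrase, guesses_per_second=1e9):
    """Estimate search-space size and time to exhaust it (assumed guess rate)."""
    if not passphrase:
        raise ValueError("empty passphrase")
    root = dictionary_root(passphrase)
    if root is not None:
        # The encryption is irrelevant here: only the wordlist must be searched.
        bits = math.log2(len(COMMON_WORDS) * VARIANTS_PER_WORD)
    else:
        # Upper bound: assumes every character was chosen at random.
        bits = len(passphrase) * math.log2(charset_size(passphrase))
    years = math.inf if bits > 1000 else 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR
    return {"dictionary_root": root, "bits": bits, "years_to_exhaust": years}


if __name__ == "__main__":
    for sample in ("Sunshine2009!", "P@ssw0rd1", "kT7#vQ2m!xR9zLp4"):
        print(sample, assess(sample))
```

The figure for a non-dictionary passphrase is an upper bound, because people rarely choose characters at random.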

Data encryption is an important part of an overall security strategy. Keeping your sensitive data secure requires a little forethought and planning. With viruses and spyware running amok, not to mention the theft scenario that I started this article with, there's no excuse not to take that time, and save yourself some serious grief later if the unthinkable happens.
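For the caveat above about files that also exist elsewhere in unencrypted form, the following added example (not from the original article) hashes every file on the mounted volume and looks for byte-identical copies outside it. The `P` folder and the file names in `demo()` are constructed stand-ins for the mounted drive and its contents.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def walk_files(root):
    """Yield regular files under root; unreadable directories are skipped."""
    for dirpath, _dirs, names in os.walk(root, onerror=lambda err: None):
        for name in names:
            path = Path(dirpath) / name
            if path.is_file() and not path.is_symlink():
                yield path


def find_plaintext_copies(mounted_volume, search_roots):
    """Map each file on the volume to identical files found outside it."""
    volume = Path(mounted_volume).resolve()
    protected = {}  # (size, sha256) -> path on the encrypted volume
    for path in walk_files(volume):
        size = path.stat().st_size
        if size:  # ignore empty files, which all hash alike
            protected[(size, sha256_of(path))] = path
    sizes = {size for size, _ in protected}

    leaks = {}
    for root in search_roots:
        for path in walk_files(Path(root).resolve()):
            if volume in path.parents:
                continue  # inside the container, so encrypted at rest
            try:
                size = path.stat().st_size
                if size not in sizes:
                    continue  # cheap pre-filter before hashing
                key = (size, sha256_of(path))
            except OSError:
                continue  # locked or unreadable file
            if key in protected:
                leaks.setdefault(protected[key], []).append(path)
    return leaks


def demo():
    """Constructed sample layout: folder 'P' stands in for the mounted volume."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        volume, docs, temp = base / "P", base / "Documents", base / "Temp"
        for folder in (volume, docs, temp):
            folder.mkdir()
        secret = b"Q1 sales forecast (constructed sample data)\n" * 50
        (volume / "forecast.xls").write_bytes(secret)
        (docs / "forecast-old-name.xls").write_bytes(secret)  # forgotten copy
        (temp / "~export.tmp").write_bytes(secret)  # leftover export
        (docs / "notes.txt").write_bytes(b"unrelated file\n")
        leaks = find_plaintext_copies(volume, [base])
        return {
            inside.name: sorted(p.relative_to(base).as_posix() for p in outside)
            for inside, outside in leaks.items()
        }


if __name__ == "__main__":
    for inside, outside in demo().items():
        print(inside, "also exists unencrypted at:", outside)
```

Only exact copies are found; edited versions and deleted-but-recoverable files will not match.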

(This is an update to an article originally published in April, 2005.)

Article C2343 - December 12, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

49 Comments
whhatener
May 6, 2005 2:05 AM

really bad

alex b
May 16, 2005 8:48 PM

why no mention of PGP? is TrueCrypt better?

Leo
May 16, 2005 8:55 PM

When I last looked at PGP it wasn't as clear to use and didn't provide the virtual disk drive functionality. If that's changed, it could be a good alternative as well.

peter
May 24, 2005 12:57 AM

What about stuff like SecurStar's DriveCrypt Plus Pack DCPP? Encryption of the whole operating system at the kernel level...

peter
May 24, 2005 12:59 AM

What about stuff like SecurStar's DriveCrypt Plus Pack DCPP? Encryption of the whole volume and operating system at the kernel level...

ruby
August 7, 2005 7:52 AM

Thank you for making this information available. It has been extremely helpful to me. I plan to do a lot of traveling and I needed a place to start the search for making my laptop secure. THANKS :o)

Pedro Camargo
August 12, 2005 9:43 AM

You can use an anti-theft laptop tracking service like: http://www.stealthsignal.com

anonymous
January 27, 2006 1:39 PM

I used pgp 7.0 which offered the same functionality, and more. The Truecrypt virtual disk looks to be just as good AND they added a nice new feature: the "hidden" volume. If forced to unveil a password you can mount the volume with a second password that only gives away part of the data, not your truly secret stuff. I started to use Truecrypt in the 1st place because I could not find a pgp (or gpg) version that supports XP anymore...

Kody Rodgers
February 10, 2006 11:09 PM

I totally agree with what you're saying. I wish more people felt this way and took the time to express themselves.
Keep up the great work.


Kody Rodgers
http://www.vaiosonylaptopcheap.com

Kyle
February 13, 2006 8:31 AM

For real top level data security take a look at www.datazap.co.uk
it had nothing to do with encryption but looks really good. Basically it deletes selected files if someone logs on to your system without the correct code.

what do you think?

kyle

altman
February 24, 2006 9:35 PM

Great article. Some other physical, logical, and integrated laptop security choices can be found at http://www.ilinktechnology.com

anonymous
April 14, 2006 8:13 PM

use truecrypt instead of pgp because it's a lot cheaper, but it's a bitch to get started, I had to read the readme.

--
Proxys get around bess

Daniel Arthur
April 19, 2006 2:29 AM

I've enjoyed reading it but please next time make it brief and concise.

Mike
June 19, 2006 7:41 AM

I use Private Disk (http://www.dekart.com/ ) - quite satisfied - and the support these guys provide is extraordinary - not the least thing when you trust your data to this kind of software.

Tim
September 15, 2006 11:00 PM

Easy as pie

Chuck the hard drive altogether
Set CDROM drive as master in bios
boot up in slax linux,surf as usual
keep a little usb thumbdrive handy for backing up stuff.
Oh and a little knowledge in linux would help.

But hey nobody can get your data cause you don't have a hard drive on that IDE cable inside the unit itself ...lol

Tim
September 17, 2006 3:42 PM

Knoppix
Slax
Puppy linux
Pc linux OS
D@m small linux

They all work on CD as a read only OS.
You really DON'T need a hard drive!!!!.
just use a small thumbdrive to store stuff.
Make sure you're on a router that has PPPoE or auto DHCP selected so your linux CD knows you want to surf the WWW.

Learn linux it's the ultimate in privacy.
Don't count on payware that bloats your OS to the size of the hindenburg.
Right now this message is being typed in Slax Linux 5.1.7 LIVE CD no HD
Pentium 4 2.4 GHz
2 gig ddr
4 gig Gigabyte I-ram pseudo drive____ ((((IDE CARD with 4 sticks of 1 gig each on it))))
Nvidia 128 meg graphics.
Linksys 10/100 ethernet card.
1 dvd read drive
2 cdrw burner drives.

Not meant to impress just to show the configuration.
Gigabyte motherboard

Vladimir
June 8, 2007 7:26 AM

For some time I used PGP disk to protect my private data, but now I am using Eterlogic SecretDrive, it supports many encryption algorithms, RAM disk, and hidden volumes. It is fully compatible with Windows Vista, so I recommend it to anyone.
You can get it at http://www.eterlogic.com

Ran
September 17, 2007 5:51 AM

I wonder what about keylogging programs for Windows XP? If a potential intruder would like to get to the encrypted volume, he could install keylogging software considering he has the access.
Does TrueCrypt offer any protection for such a scenario?

Leo A. Notenboom
September 17, 2007 5:06 PM

If your system has been compromised with a keylogger, then absolutely, all bets
are off as they could easily sniff anything you type including your TrueCrypt
password.

Basically if your system has been compromised in any way, you must assume the
worst.

Leo

Blaze
November 4, 2007 8:36 PM

Hey I was wondering about Lojack on my Dell. It seems like a great way to protect sensitive data. My Dell Laptop has Absolute's Computrace Module on the BIOS but I disabled it b/c I read about how the company is able to see private files on my computer, although I now don't know how much more important this is compared to tracking down my computer if it were stolen. I was wondering if I could still install the software and it work without the hardware side of the service working, and if so I have another question. Couldn't someone then just wipe the hard drive or reinstall Windows or I heard it doesn't work on non-Windows OS's, so then install say Ubuntu or something and connect to the internet no problem. Cool, that's all for now, Hey great work, much appreciated. Thanks, Blaze

Alexandere Lancy
April 27, 2008 5:04 PM

I think Truecrypt has limitations - not above 100 MB. I find deslock easy to use, without any limitations and is free.

Leo
April 28, 2008 7:08 PM

It may have limitations, but that's not one of them. I have
a 16 gigabyte TrueCrypt volume on my 32gig thumbdrive.

Leo

Soundwash
June 3, 2008 10:32 PM


while the suggestions others made are good ones (using "live CD's" etc) I have to go with Leo on this one..

Truecrypt is practically the industry standard for any pc techs in the know.. it being Open Source *to me* means it is more trustworthy as far as any possible "backdoors or backdoor keys" being built in or handed over to the NSA or Big Brother, seeing as how you can check the code yourself..(or anyone else) it offers very fast on the fly encryption in various forms as well as multifactor authentication.. ie, you can set it up so it needs both a password and a keyfile (or as many keyfiles as you wish) to unlock its goodies

the keyfile can be any file you choose, anything, even an mp3..or let Truecrypt randomly generate one.. -on the laptop itself or on separate media (USB key, CD etc) for added protection..

you can encrypt the whole drive or create an "opaque" file that is mounted as another drive letter, -which can easily be burned/copied to external media.. it also allows you to combine encryption algorithms if you want to go crazy. although you will take a little more of a performance hit doing that.

Truecrypt limits the volume size to a max of 1 Petabyte. -which i'm sure is all you'll need for the time being. -so no worries there.

personally, i'd just keep sensitive data on two USB keys (or smart cards such as those used in cameras and the like) and leave the rest of the laptop unencrypted. -that's your call.

Truecrypt also has "Traveler Mode" for USB keys so you can carry any important data on just the key itself.

what this mode does is allow the USB key to become a fully self-contained, plug-in, on the fly encrypt/decrypt hardware device. -that leaves no foot prints. -you could combine this with, say, a "Live CD" Ubuntu distro on a bootable high-speed USB key for the ultimate easy "ready to boot" secure "traveling O/S" that you can plug into any USB 2.0 port..

lastly, Truecrypt volumes contain no volume headers of any kind and truly look like a bunch of random noise (gibberish).. can't prove there is anything there..for those who need a bit more discretion than the average joe..

Research it for yourself. you'll find many industry heavyweights using it. -combine it with a virtual machine for added fun.. :)

btw: if you want to learn more about PC security, give steve gibson's Security Now podcasts a listen. -over at grc.com.

if you can't make an informed decision after getting schooled by him, well..

-soundwash

Steve
July 24, 2008 9:51 AM

TrueCrypt doesn't work from a usb drive unless you have admin access to the PC. This rules it out for me as most corporate PCs I use (and public ones) don't allow admin access.
Any decent alternatives?

There are two issues:

Yes, the device driver either requires administrator privileges or an administrator must have already installed TrueCrypt making it accessible to all users.

But are you really saying you want to open your sensitive encrypted data on a system where you don't know who the administrator is? A system that might have been compromised with spyware or what not before you even got to it?

It just doesn't seem like a good thing to do, in my opinion.

All that being said, perhaps http://sourceforge.net/projects/tcexplorer/ might be an option.

-Leo

Steve
July 26, 2008 4:56 AM

>> But are you really saying you want to open your sensitive encrypted data on a system where you don't know who the administrator is? A system that might have been compromised with spyware or what not before you even got to it?

Fair comment, but I work in a variety of universities & companies, I need access to my data while there and very few allow admin access!
I'll look at tcexplorer - thanks
S

mitch
August 26, 2008 12:00 AM

you can keep it secure by installing a security software.


you can get it from http://www.inspice.com

Aillen
December 4, 2008 9:43 AM

The best way is to install winsesame :
the address is http://www.winsesame.com
It is very safe and easy to use.

Rick
December 11, 2008 9:14 AM

Rick,
I have a need for serious data security. Is there a program that would automatically wipe clean my hard drive if say..I didn't log in every 2 hours. Is there something that will allow me to call from a cellphone and activate the program that would WIPE my hard drive. By wipe I mean NEVER be able to recover the data or for that matter use the laptop again at all.

WIPE? No. But you can get just as secure, I believe, by keeping your data in a TrueCrypt volume with an appropriately strong passphrase, and configuring it to auto-dismount on inactivity.
- Leo
12-Dec-2008

Dr. PC
January 28, 2009 8:26 AM

You can also use the BIOS option of providing a password to your hard drive - this keeps honest but nosy people out and is much more difficult to "break" than a Windows password.

akshay
February 28, 2009 6:05 AM

I am working in a company which makes website for health, fitness, mini roulette, IT, shopping etc and I was in a great need of buying a laptop. So I finally bought a Dell Latitude D530, laptop last week.
Most of the people advised me that it would not be a good deal to buy a laptop, instead they advised me to buy a desktop. I don't know why people have so much misconception regarding buying a laptop.

Bill
March 9, 2009 2:24 PM

I'm 99% ready to set up TrueCrypt. I travel and do not want anyone to steal my data - if they steal my laptop. What setting should I select? BB

Larry Schumaker
March 19, 2009 7:05 AM

File protection is great with passwords for access and editing. But it doesn't stop someone from accidentally deleting the file.

How do I stop an accidental deletion?

georges
April 2, 2009 2:29 PM

See the winsesame faq about the deleting of a protected file there :
http://www.aragonsoft.com/en/winsesame/faq20.php

David Lawrence
April 12, 2009 6:01 PM

This is a great article and discussion. One of the things I have been pleased by is services like Alertsec which offer hard disk encryption as a fully managed service. It uses the Full Disk Encryption (former Pointsec) software but is a web based encryption service that radically simplifies deployment and management of PC encryption. It is a heck of a lot easier for an enterprise than trying to manage all those laptop encryption on your own! We put off encryption for way too long (and got burned once) and this managed approach made it possible for us to afford it from a money and more importantly staff resource perspective.

Martin
April 14, 2009 1:30 AM

I run Alertsec and it sure is easy. The good thing is that they have a great telephone support which helps you unlock your laptop when you forget or type your password in wrongly (Which I have done twice in the last 16 months..) so it is worth that little extra you pay - compared to installing it yourself. It is encryption we are talking about here - so if you b-gger it up you are really and truly lost.

Bererker
April 28, 2009 2:20 AM

I'm using this discryptor.net software. I think that really makes my data secure.

Luis
October 11, 2009 9:12 AM

Hi, when installing TrueCrypt what is the best option to use: Install or Extract (for travel) ... BTW I run Windows 7 and there is a message saying is not supported ... any risk on using it despite of this !?

I just install. (Extract is useful for some cases, but if you're not sure, just install.) From what I've seen it works fine in Win 7, but I'd expect an update very quickly after 7 releases.
Leo
11-Oct-2009

Mark
December 13, 2009 11:55 AM

The best and only way to protect against accidentally deleting a file is...BACKUP!!!

nick
December 15, 2009 9:52 AM

I personally use SecureDoc (by WinMagic) to encrypt, from BOOT level, the whole hard drive.
Power down, drive off, no one can access that drive, even by ripping it out to take files (understood, some espionage hacker might....)

this way, I can have home, personal, finance, etc, with me at all times.

I do NOT do STANDBY/sleep modes ever

I ALSO use TrueCrypt for usb drives, even other containers ON the encrypted hard drive itself.

TrueCrypt has a bootable protection feature also, but I have not tried it.

Look up Blue Cross laptop theft. YOUR INSURANCE companies can't even get it right; 850,000 physician names/social security numbers/provider numbers on that stolen laptop, couple months ago. Laptop was NOT encrypted.

anyway, hope this helps
nick

Ray Rodden
December 15, 2009 2:45 PM

Have different passwords for different things (banking, websites, blogs) was always forgetting which password went where.

Installed truecrypt as a container file with a really strong letters and number password.

Now, if I am uncertain which password goes where just mount the virtual disk and they are all there.

excellent program

Sharad Aggarwal
December 15, 2009 7:04 PM

I understand that without the password the data cannot be hacked - yes maybe NASA can break it . But these days there are several professional agencies with a lot of fancy software who recover such data from computers. If someone took my laptop to such a professional agency specialising in recovering/ hacking such data could the agency recover this data without the password in say one or two weeks of attempt.

This point is especially important as it will help determine the level of confidential info I can store on my laptop.

Sandy Smith
December 15, 2009 10:10 PM

I make encrypted vaults which are on my Laptop and external drive using Dekart. I selected them because you can run the Dekart application from the external drive. So if you want to access your data from your external drive the computer you access it from doesn't need Dekart installed.

AllanW
December 22, 2009 5:17 PM

About whether to use Install versus Extract...

If the TrueCrypt volume is (or is on) a removable disk, and you want to be able to plug that drive into a friend's computer and access your encrypted files… well, that's what Extract is for. You probably don't want to install software on your friend's computer, but you don't have to. You just make sure that the extracted files are available somewhere that isn't encrypted(*), then you can run them from whatever computer you're sitting at.

(*) I hope it's obvious, but... if you copy the TrueCrypt install files onto your TrueCrypt-protected volume, you won't be able to see that copy until AFTER you've mounted the drive. So the copy won't do you any good.

If you normally use the TrueCrypt volume only on one computer, then installing it is the more convenient way to go… Unless you want to deny that you ever use TrueCrypt, of course. (Like Leo says, the TrueCrypt documentation goes out of its way to allow you to deny that you have encrypted data; the idea is that if someone KNOWS you have encrypted files, they can hold a gun to your head and say "decrypt it." But if they can't be sure, you can just say "What encrypted files?")

(Bear in mind that if you don't trust the computer you're at, you shouldn't type your password… even if the computer owner isn't watching, he might have installed a key logger. Or he might have malware and not know it. Or. Or. Or.)

Besides convenience, the other "downside" of using the "extract" files is that you have to have System Administration rights to use it. (You don't actually have to log in with SysAdmin rights, if you know how to "run as" Administrator and know the password). I haven't used the full-Install version yet, but if I remember correctly, you only need SysAdmin rights while you're installing it; after that, you can use it from any account.

John Bilton
January 5, 2010 1:37 PM

Is using a BIOS password safer than Windows password?

Mike
February 16, 2010 2:27 AM

Laptop Security is a massive issue, I do what Ray Rodden said. Have different passwords for everything. Use alphanumeric characters to maximise your security.

Jim de Graff
April 9, 2010 9:11 PM

An important consideration for travelers using encryption software such as TrueCrypt is that they should never put anything inside an encrypted volume that might get them in trouble with the authorities. When crossing international borders, authorities do have the right to examine your computer and media and to demand that you unlock any encrypted volumes. If you refuse then you run the risk of having your computer impounded.

Annie
May 25, 2010 12:16 PM

Have you seen Datacastle's free white paper on best practices for encrypting laptop data? You can get it at http://get.datacastlecorp.com/encryption/index.php.

Ernest Takeuchi
April 21, 2011 10:26 PM

Can you encrypt the information you want saved from the laptop to a high capacity thumb drive then completely erase the hard drive of the encrypted information?

Mark J
April 22, 2011 12:49 AM

@ Ernest You can do this, but be aware of two things. 1. Thumb drives are easy to lose and subject to data loss. Keep a few backups. 2. When you say completely erase the file, you should use a file shredder to permanently erase your file. Personally, I'd keep the encrypted file on my computer or at least on a removable hard drive. Thumb drives are good for transporting data but not so good for permanent storage.

Comments on this entry are closed.
