Helping people with computers... one answer at a time.
Laptops are portable, convenient and easily lost. When lost, all the data could easily be available to the finder. Encryption is the answer.
I travel a lot, and have sensitive data on the laptop I take with me that I need as part of my job. But I'm in fear of losing the laptop and that this data will fall into the wrong hands. What do you suggest?
•
I know how you feel. I also have sensitive information on my laptop that I would prefer not to fall into the wrong hands. I can handle losing the laptop, but thinking about the data in the wrong hands ... well ... that would be bad.
I do have a solution that I've been using for several years now, and it turns out to be fairly easy, secure, and free.
•
Now, naturally, you can encrypt your data using various archiving tools that allow you to assign the resulting file a password. The problem is that many are easy to crack, and to be honest, it's a hassle; in order to encrypt a file you have to take care to place it in the archive and erase unencrypted copies, and in order to use a file you need to extract it from the archive.
For some time now, I've been using TrueCrypt. TrueCrypt is free, open source, on-the-fly encryption software. It provides serious industrial-strength encryption while still being fairly easy to use.
TrueCrypt can be used in several ways, the two most common:
-
it can encrypt an entire disk volume - such as a USB thumb drive, floppy disk, or an entire hard disk
-
it can create an encrypted virtual disk "volume" or container
It's the later approach that I like to use, as it makes it easy to copy entire containers from machine to machine.
An encrypted virtual disk is simply a file that TrueCrypt "mounts" as an additional drive letter on your machine. You specify the pass phrase when the virtual drive is mounted and thereafter everything you access from there is automatically DEcrypted and anything you place there is ENcrypted.
For example, you might have TrueCrypt create an encrypted drive as c:\windows\secritstuf. If someone were to look at the contents of that file directly, they would see only random gibberish - the result of encryption. When using TrueCrypt to mount that file as a virtual drive, (for example selecting the drive letter "P:") then P: would look and operate like any other disk, and would contain the contents of the encrypted drive. Encryption is as simple as moving a file to the drive.
While the encrypted volume is mounted, its contents are visible in their unencrypted form, and can be accessed by any program you might want to run.
The trick is to never mount the drive automatically. When your machine boots up, "P:", for example, would be nowhere to be found. The file c:\windows\secritstuf would be present but only visible as encrypted gibberish. If someone stole your machine that's all they would find.
Only after you've used the TrueCrypt program to select the file (c:\windows\secritstuf), choose the drive to mount it as (P:) and supply the correct pass phrase, would the virtual drive be "mounted" and the encrypted data become accessible.
TrueCrypt supports a number of different high-powered encryption algorithms. The documentation for TrueCrypt is clearly targeting at the seriously paranoid, including instructions on how to maintain "plausible deniability" should a thief ever force you to supply a password. Let's hope that'll only be of passing interest to any of us.
Now, a couple of caveats:
-
The password or passphrase you choose is the weakest link. Encryption does not make a bad password any more secure. If you choose an obvious passphrase, a dictionary attack can certainly be mounted that could unlock your encrypted volume.
-
An encrypted volume does you no good if the files you care about are also elsewhere on your machine in some unencrypted form.
-
That being said, make sure you have secure backups, updated regularly. Preferably keep them UNencrypted, but secure in some other way, in case you lose your encrypted volume or forget your password. Without the password, the data is not recoverable.
-
That last statement is technically inaccurate. You should always be aware that things are never 100% secure. All encryption can, theoretically, be hacked. The purpose of encryption is to make the cost of that hacking so astronomical as to be impractical. For example, spending a calendar year on a brute force hacking attempt is kinda pointless to discover next month's sales forecasts. Similarly hiring the expertise required to attempt such a recovery might also be astronomically costly.
Data encryption is an important part of an overall security strategy. Keeping your sensitive data secure requires a little forethought and planning. With viruses and spyware running amok, not to mention the theft scenario that I started this article with, there's no excuse not to take that time, and save yourself some serious grief later if the unthinkable happens.
(This is an update to an article originally published in April, 2005.)
Article C2343 - December 12, 2009
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
Laptop Security is a massive issue, I do what Ray Rodden said. Have different passwords for everything. Use alphanumeric characters to maximise your security.
Posted by: Mike at February 16, 2010 2:27 AMAn important consideration for travelers using encryption software such as TrueCrypt is that they should never put anything inside an encrypted volume that might get them in trouble with the authorities. When crossing international borders, authorities do have the right to examine your computer and media and to demand that you unlock any encrypted volumes. If you refuse then you run the risk of having your computer impounded.
Posted by: Jim de Graff at April 9, 2010 9:11 PMHave you seen Datacastle's free white paper on best practices for encrypting laptop data? You can get it at http://get.datacastlecorp.com/encryption/index.php.
Posted by: Annie at May 25, 2010 12:16 PMCan you encrypt the information you want saved from the laptop to a high capcity thumb drive then completely erase the harddrive of the encrypted informaiton?
Posted by: Ernest Takeuchi at April 21, 2011 10:26 PM@ Ernest You can do this, but be aware of two things. 1. Thumb drives are easy to lose and subject to data loss. Keep a few backups. 2. When you say completely erase the file, you should use a file shredder to permanently erase your file. Personally, I'd keep the encrypted file on my computer or at least on a removable hard drive. Thumb drives are good for transporting data but not so good for permanent storage.
Posted by: Mark J at April 22, 2011 12:49 AM