Summary: Laptops are portable, convenient and easily lost. When lost, all the data could easily be available to the finder. Encryption is the answer.
I travel a lot, and have sensitive data on the laptop I take with me that I need as part of my job. But I'm in fear of losing the laptop and that this data will fall into the wrong hands. What do you suggest?
•
I know how you feel. I also have sensitive information on my laptop that I would prefer not to fall into the wrong hands. I can handle losing the laptop, but thinking about the data in the wrong hands ... well ... that would be bad.
I do have a solution that I've been using for several years now, and it turns out to be fairly easy, secure, and free.
•
Now, naturally, you can encrypt your data using various archiving tools that allow you to assign the resulting file a password. The problem is that many are easy to crack, and to be honest, it's a hassle; in order to encrypt a file you have to take care to place it in the archive and erase unencrypted copies, and in order to use a file you need to extract it from the archive.
For some time now, I've been using TrueCrypt. TrueCrypt is free, open source, on-the-fly encryption software. It provides serious industrial-strength encryption while still being fairly easy to use.
TrueCrypt can be used in several ways, the two most common:
-
it can encrypt an entire disk volume - such as a USB thumb drive, floppy disk, or an entire hard disk
-
it can create an encrypted virtual disk "volume" or container
It's the later approach that I like to use, as it makes it easy to copy entire containers from machine to machine.
An encrypted virtual disk is simply a file that TrueCrypt "mounts" as an additional drive letter on your machine. You specify the pass phrase when the virtual drive is mounted and thereafter everything you access from there is automatically DEcrypted and anything you place there is ENcrypted.
For example, you might have TrueCrypt create an encrypted drive as c:\windows\secritstuf. If someone were to look at the contents of that file directly, they would see only random gibberish - the result of encryption. When using TrueCrypt to mount that file as a virtual drive, (for example selecting the drive letter "P:") then P: would look and operate like any other disk, and would contain the contents of the encrypted drive. Encryption is as simple as moving a file to the drive.
While the encrypted volume is mounted, its contents are visible in their unencrypted form, and can be accessed by any program you might want to run.
The trick is to never mount the drive automatically. When your machine boots up, "P:", for example, would be nowhere to be found. The file c:\windows\secritstuf would be present but only visible as encrypted gibberish. If someone stole your machine that's all they would find.
Only after you've used the TrueCrypt program to select the file (c:\windows\secritstuf), choose the drive to mount it as (P:) and supply the correct pass phrase, would the virtual drive be "mounted" and the encrypted data become accessible.
TrueCrypt supports a number of different high-powered encryption algorithms. The documentation for TrueCrypt is clearly targeting at the seriously paranoid, including instructions on how to maintain "plausible deniability" should a thief ever force you to supply a password. Let's hope that'll only be of passing interest to any of us.
Now, a couple of caveats:
-
The password or passphrase you choose is the weakest link. Encryption does not make a bad password any more secure. If you choose an obvious passphrase, a dictionary attack can certainly be mounted that could unlock your encrypted volume.
-
An encrypted volume does you no good if the files you care about are also elsewhere on your machine in some unencrypted form.
-
That being said, make sure you have secure backups, updated regularly. Preferably keep them UNencrypted, but secure in some other way, in case you lose your encrypted volume or forget your password. Without the password, the data is not recoverable.
-
That last statement is technically inaccurate. You should always be aware that things are never 100% secure. All encryption can, theoretically, be hacked. The purpose of encryption is to make the cost of that hacking so astronomical as to be impractical. For example, spending a calendar year on a brute force hacking attempt is kinda pointless to discover next month's sales forecasts. Similarly hiring the expertise required to attempt such a recovery might also be astronomically costly.
Data encryption is an important part of an overall security strategy. Keeping your sensitive data secure requires a little forethought and planning. With viruses and spyware running amok, not to mention the theft scenario that I started this article with, there's no excuse not to take that time, and save yourself some serious grief later if the unthinkable happens.
(This is an update to an article originally published in April, 2005.)
Related:
-
TrueCrypt - Free Open Source Industrial Strength Encryption TrueCrypt provides a solution for encrypting sensitive data - everything from portable, mountable volumes to entire hard disks.
-
Can I password-protect a folder? Keeping data on your computer secure is important. Being able to password protect a folder seems an obvious approach. Unfortunately it's not that simple.
-
Ask Leo! - Internet Safety: How do I keep my computer safe on the internet? Internet Safety is difficult and yet critical. Here are the seven key steps to internet safety - steps to keep your computer safe on the internet.
Article C2343 - December 12, 2009
Have different passwords for different things (banking, websites, blogs) was always forgetting which password went where.
Installed truecrypt as a container file with a really strong letters and number password.
Now, if i am uncertain which password goes where just mount the virtual disk and they are all there.
excellent program
Posted by: Ray Rodden at December 15, 2009 2:45 PMI understand that without the password the data cannot be hacked - yes maybe NASA can break it . But these days there are several professional agencies with a lot of fancy software who recover such data from computers. If someone took my laptop to such a professional agency specialising in recovering/ hacking such data could the agency recover this data without the password in say one or two weeks of attempt.
This point is especially important as it will help determine the the level of confidential info i can store on my laptop.
Posted by: Sharad Aggarwal at December 15, 2009 7:04 PMI make encrypted vaults which are on my Laptop and external drive using Dekart. I selected them because you can run the Dekart application from the external drive. So if you want to access your data from your external drive the computer you access it from doesn't need Dekart installed.
Posted by: Sandy Smith at December 15, 2009 10:10 PMAbout weather to use Install versus Extract...
If the TrueCrypt volume is (or is on) a removable disk, and you want to be able to plug that drive into a friend's computer and access your encrypted files… well, that's what Extract is for. You probably don't want to install software on your friend's computer, but you don't have to. You just make sure that the extracted files are available somewhere that isn't encrypted(*), then you can run them from whatever computer you're sitting at.
(*) I hope it's obvious, but... if you copy the TrueCrypt install files onto your TrueCrypt-protected volume, you won't be able to see that copy until AFTER you've mounted the drive. So the copy won't do you any good.
If you normally use the TrueCrypt volume only on one computer, then installing it is the more convenient way to go… Unless you want to deny that you ever use TrueCrypt, of course. (Like Leo says, the TrueCrypt documentation goes out of it's way to allow you to deny that you have encrypted data; the idea is that if someone KNOWS you have encrypted files, they can hold a gun to your head and say "decrypt it." But if they can't be sure, you can just say "What encrypted files?")
(Bear in mind that if you don't trust the computer you're at, you shouldn't type your password… even if the computer owner isn't watching, he might have installed a key logger. Or he might have malware and not know it. Or. Or. Or.)
Besides convenience, the other "downside" of using the "extract" files is that you have to have System Administration rights to use it. (You don't actually have to log in with SysAdmin rights, if you know how to "run as" Administrator and know the password). I haven't used the full-Install version yet, but if I remember correctly, you only need SysAdmin rights while you're installing it; after that, you can use it from any account.
Posted by: AllanW at December 22, 2009 5:17 PMIs using a BIOS password safer than Windows password?
Posted by: John Bilton at January 5, 2010 1:37 PM