Thursday, May 4, 2017

Mobile Data Security - How Encrypted Volumes Can Keep Your Data Safe (and Out of the News)

Most of us are aware of recent high-profile cases where highly confidential information made it into the public domain as a result of sloppy laptop security. These cases led to significant public embarrassment for the companies (or governments) involved and raised questions about a lack of internal procedures for operating a secure environment.

This problem of security (especially on laptops and removable media) is not confined to the realm of commercial enterprise; anyone who travels with a personal laptop or netbook is exposed to the same dangers.

Can you afford to have your confidential information make it into the hands of some anonymous third party? What is the risk to you if your personal information is posted on an ID theft site for public consumption?

The consequences of such a scenario should be chilling for most people, but the good news is that there are things you can do to avoid this, just in case your data makes it into the hands of someone else.
In protecting your data there are three main options available to you:

[1]. Do not keep confidential information on your laptop.
[2]. Encrypt your entire hard drive.
[3]. Use "encrypted volumes" to secure your data.

Let's take a closer look at these options and consider the Pros and Cons of each.

Option 1: Do not keep any confidential information on your laptop.

So, I am hoping that most readers have realised that, while this is a very secure option, in reality it is pretty limiting. You may be able to apply this approach to sub-sets of your confidential information but most of us need to have access to certain snippets of data, which we class as confidential, throughout the working day.

Option 2: Encrypt your entire hard drive.

In recent years this has become far easier to achieve, especially as operating systems have become more advanced. Ten years ago you would simply not have been able to do this without specialist (read: expensive) third-party software.

Fortunately with most modern systems the option to encrypt a volume is readily available and gives you a seismic increase in system security.

Whole hard drive encryption works by making your system accessible only to the person with the appropriate passphrase or password. Once the drive is encrypted, your operating system handles the job of taking the encrypted data from your hard drive, authenticating and then decrypting "on-the-fly", and for the most part you won't have to get involved with the ugly details of how that works (once the system has been set up).

Unfortunately, there are a couple of notable reasons why whole drive encryption can be problematic and these should be given some serious consideration before you start the set-up process.

Performance:

While modern machines are quite well specified, the process of encryption and decryption comes at a price and results in a performance hit. You may notice your machine runs a little slower because the computational processes involved are not insignificant - your machine is having to decrypt everything (including your applications as well as your data) before you can use them and then reverse the process (re-encrypt) once you have finished.

Recoverability:

Much of the security provided by whole drive encryption comes from the way the hard drive is cryptographically 'tied' to your system. It may use the passphrase or password to validate your access to the system, but it may also add a check that the computer's hardware 'footprint' has not changed, thereby suggesting that the hard drive has been removed and reinstalled in a different computer.

This process raises the question of what you will do should your laptop become irretrievably damaged.

For the sake of example, let us imagine that you drop your laptop and the screen cracks. You are unable to get it repaired because the model has been discontinued, and the cost of a replacement screen (with all the associated repair costs) is so high that you decide you would rather put the money towards a new machine.

From experimenting with the broken machine you know that your hard drive still works and you decide to remove it and place it into an external USB drive. This way you can still recover your data from the drive. This seems like a sensible approach until you try to access the data only to find that the drive is inaccessible.

When you removed the hard drive from your laptop you broke the cryptographic link between the hard drive and the machine it was initially set up on, thereby triggering the security inherent in an encrypted drive. This was the whole point of encrypting your hard drive in the first place, so that if it was stolen (either with or without the attached laptop) your confidential information would remain secure.

So using whole hard drive encryption is a great way to secure your data, but it comes at a price and has some pretty important drawbacks.

My recommendation is to use an encrypted volume that can be mounted as an extra hard drive while being entirely portable (meaning it can be carried on a hard drive or external media - such as USB sticks).

There are a number of software applications that offer this ability, but as always I like to highlight cross-platform, non-bloatware solutions. My chosen solution is called 'TrueCrypt' and can be found at www.truecrypt.org.

Option 3: Use "encrypted volumes" to secure your data.

Application of Choice - TrueCrypt

TrueCrypt is a great encryption solution and ticks all the boxes.

TrueCrypt is cross-platform so it will work on your PC, your Macintosh or your Linux distribution. It is an 'Open Source' product, so it is free to use and it has the most comprehensive functionality of any volume encryption solution I have worked with. The application does not care where you want to create your volume file, so it is completely portable and (as it works on all popular operating systems) can be created on one system and then moved to another without any problems; your data will still be safe and secure.

Here is a very basic overview of how TrueCrypt works.

The first stage in making a secure volume is to create the encrypted container. This is a single file that will act as the volume once mounted (all the parts needed to work this puzzle are included in the TrueCrypt application).

Before making the encrypted container it is important to think about the password you will use each time you need to access your data. It will need to be complex in nature (i.e. a combination of alpha and numeric characters; it is also a good idea to include wildcard symbols). Above all else, make sure you can remember your password, because without it your data will be forever lost.

The other thing to decide in advance is the required size of your container. Too big and you will have long (very frustrating) periods while you wait for it to be copied from one place to another, too small and you will keep running out of space. I find the most likely deciding factor in the "How big?" question is how often I expect to move the container and what type of media I will use.

Like many people I tend to move data around on a USB stick and this is what governs the overall size of my container.

Once you have decided on the size of the container you next provide it with a name and then choose the "Encryption Algorithm" - this basically means "choose how secure you want it to be". What you choose for your Encryption Algorithm may be determined by legal requirements where you live and I cannot advise you on that in this article. If in doubt leave it on the default setting of "AES".

You will have already decided how big your container should be and you will specify this next before proceeding to enter your complex password. Remember, this is the password you will enter each time you want to access your encrypted volume. If you are worried about fumbling the password you can always check the "Display Password" option and check that you have it right before proceeding.

Before you can use your new container it must be formatted so it can be recognised by the operating system. If you do not format the container you will not be able to write or copy data. You need to be a little careful in choosing your format option if you want to ensure cross-platform operability. If you are in any doubt about which format option to use just leave the setting at the default "FAT" setting.

In the final format screen (Volume Format) you will be presented with a screen showing a series of random numbers. This is called the "Random Pool" and ensures that you are using a strong encryption key. Just move your mouse around in this screen for a while before formatting your volume; the longer you spend doing this, the better your encryption keys will be.

One thing to note about this creation process is that, once complete, the creation screens will try to start the whole process over again. If you only need one container this may be a little confusing, but exiting the creation screen will put you back in the main TrueCrypt screen. You are ready to mount your new container for the first time.

Use the "Select File" option to locate your new file and then highlight a free drive letter from the screen above. This is where your new volume will be mounted. Enter your password and click on "Mount" to complete the process. Your new volume will now appear in the file browser (Windows Explorer, Macintosh Finder or the Linux equivalent) as a new local drive (look for the drive letter you selected earlier).

There are a few additional things about TrueCrypt that make it a great application. Among these my favourites include the ability to have your file browser display the newly mounted volume, thereby saving you the trouble of going looking for it. I also like the ability to have TrueCrypt auto shut down once there are no encrypted volumes mounted. This is important because it covers another important aspect of safeguarding your confidential data, that of visibility.

Out of sight, out of mind.

In 1984 David Lynch brought us his take on Frank Herbert's Sci-Fi novel "Dune". One of the most memorable lines for me was "knowing there is a trap is the first step in evading it."

Turn this on its head and you get a basic premise of security - "if you are unaware a thing exists, you do not know to go looking for it".

If you make it obvious that something is important (or valuable) by calling it "private", or "important files", or perhaps "bank details" then it becomes a red flag to anyone looking for things of value on your computer.

TrueCrypt encrypted containers do not include a file extension so there is no default application association. Double-clicking on the file will simply generate confusion in your system while it tries to decide how to open the file. If you match this by giving the file a vague name then no casual review of your system is going to uncover your valuable data!
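What a less casual review would look at, as an added example that is not part of the original article or of TrueCrypt: a container has no extension and no recognisable header, so its contents read as random bytes, and that property is itself measurable. The size floor, entropy threshold, header list and sample file names are assumptions chosen for the illustration.

```python
import math
import os
import tempfile
from collections import Counter

SECTOR = 512  # container files are sized in whole 512-byte sectors
# A few common file signatures (assumed short list, for illustration only).
KNOWN_MAGIC = (b"\x89PNG", b"PK\x03\x04", b"%PDF", b"\x1f\x8b", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for random data, far lower for text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def looks_like_container(path: str, min_size: int = 16 * 1024,
                         threshold: float = 7.9) -> bool:
    """Heuristic only: big enough, sector-aligned, no known header, near-random."""
    size = os.path.getsize(path)
    if size < min_size or size % SECTOR:
        return False
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)
    if head.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(head) >= threshold


def demo() -> dict:
    """Write constructed sample files to a temp folder and classify each one."""
    samples = {
        "notes": os.urandom(64 * 1024),  # random bytes standing in for a container
        "readme.txt": b"meeting notes for thursday\n" * 2048,
        "photo.png": b"\x89PNG\r\n\x1a\n" + os.urandom(64 * 1024 - 8),
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, body in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(body)
        return {n: looks_like_container(os.path.join(folder, n)) for n in samples}


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name:12} flagged={flagged}")
```

Only the vaguely named random file is flagged, so a vague name hides a container from a casual look but not from a scan for this property. The check is a heuristic: other headerless encrypted data would be flagged as well.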

I hope that this article has highlighted how security does not have to be complicated and it can be extremely portable across different operating systems. You can further extend this by applying the same rules to USB sticks, CD-ROM and DVD data.

Brian McClue is an IT Professional with a special interest in cross-platform functionality and a keen dislike of bloat-ware (software that takes up huge computer resource for very little tangible benefit).