Mo-Fr: 10am-8pm
Sat: 11am-7pm
Sun: 12pm-5pm

What If…: Data Security in a Worst Case Scenario

at 2011.07.21

Hard Drive Encryption is a vital part of laptop securityWe’ve talked a little about security in this blog, since it’s an essential part of owning a computer. From running the right antivirus software to making sure you don’t reuse passwords, there are a number of things you can do to keep yourself at least somewhat safe (never mind that something like 50% of computers imported to the US from China come pre-packaged with malware. Remember to always wipe and do a clean windows install on new machines). But what do you do if the worst-case scenario happens? How do you protect your laptop if it gets lost or stolen?

Well, to be honest, that’s not an accurate statement. If your laptop gets lost or is stolen, chances are the hardware is gone. Unless it’s found by a good samaritan or unless the thieves are clumsy and don’t know what they are doing, nothing will get your laptop back to you. This is because most protection schemes rely on some sort of broadcast signal from the laptop, requiring a network connection, in order to work, and any smart thief will remove the hard drive before turning on a stolen laptop and load it into a clean and secured machine.

On the other hand, the data on that computer is usually worth far more than the hardware itself. You can always replace a lost notebook, and it doesn’t much matter if a competitor gets one of your physical computers, but imagine if a competitor got their hands on notebook with all of your detailed business information on it? Or if anyone got their hands on your personal laptop that contained sensitive personal files such as credit card numbers or social security number or all of your passwords? That’s the issue we’re looking at, and rest assured, there are ways to protect yourself.

The most common security used for these types of situations are either standard windows passwords, or file-level encryption like password-protected .zip or .rar files. This is good enough to stop your kids messing with your work files or a snoopy coworker trying to read your email (unless you work with Bruce Schneier, in which case you may as well tell him everything up front since you stand no chance). These methods, however, are woefully inadequate against someone who is bound and determined to get to your data. A windows password will only work so long as the hard-drive isn’t transplanted to another computer or you don’t have alternate means of interfacing with the computer like USB or ethernet. A password protected zip file, on the other hand, doesn’t use strong encryption and can be broken relatively easily. What you need, if you want to be truly secure, is disk-level encryption, and lucky for you there are two easy-to-use and commonly available methods. We’ll try to break this down for you as simply as possible, so you too can jump into the exciting world of secure data.

BitLocker

This little handy utility comes standard on Windows Vista and Windows 7 Enterprise and Ultimate editions. Since the version changed between Vista and 7, we’ll only be focusing on the latter. With the launch of Win 7, Microsoft has drastically reduced the complexity of using BitLocker. What used to be a process requiring wading through a 100 page manual and manually configuring all of your vital setting is now handled through an encryption-wizard interface. The premise is simple: You want to keep your data secure and encrypted, so you go into Control Panel, and click on BitLocker Drive Encryption. The wizard takes you through the setup process, and before you know it (well, in a couple of hours, depending on your system and the size of your hard drive, you have a fully encrypted hard drive. Without going into too much technical detail, the system works with special secondary processors called TPMs(Trusted Platform Modules) built into most modern computers to ensure that things are not being hacked, and also makes use of a PIN. The one great thing about BitLocker is that it allows you to create a Recovery Key that you can store either on the computer or in Active Directory that will allow you to recover your files if you lose your PIN.

TrueCrypt

TrueCrypt has been the open-source standard for the last several years. It allows you to either encrypt your entire drive, or to create an encrypted partition, or if you want to get really tricky, create a hidden encrypted block inside a visible encrypted partition. Sounds confusing? Let me explain. The first option is self-explanatory: everyone has to enter a password before the system will even boot up. Done and done, this is the exact same functionally as what BitLocker does. The second option involves making a seperate partition, lets call it drive Z:, that you can mount like a virtual hard drive and have to decrypt in order to use. This is usefull if you only have a small amount of files in your computer that need to be encrypted, and you don’t want anyone to know what those files are or what they may contain. TrueCrypt will take a chunk of hard drive space, and encrypt the whole thing, so that no matter how any or what files you stick in there, it looks the same, making the contents unguessable. Sneaky, right? But it gets better. The most highly-lauded feature of TrueCrypt is the ability to take that encrypted partition and sneak a completely hidden and encrypted partition inside it. So even if for whatever reason a thief or hacker got your drive password, he would not be able to access, or even be aware of, the hidden volume. It’s a spiffy feature, though unnecessary unless your boss answers to “Don” or you regularly go on secret missions for the NSA. And best of all, the entire package is free.

Conclusion?

Both methods have been greatly simplified and are (relatively) quick and easy to implement, requiring no specialized knowledge. Each one has some technical ups and downs, though we at LaptopMD prefer TrueCrypt, in large part because it’s available freely, but also because Microsoft has a long history of bungling their security efforts. For the common user, though, the two are completely interchangeable, and will make sure that even if your computer is stolen, your business secrets, credit cards, and collection of poetry that you write but swear no one will ever see, will be completely safe from intruders.