The Backup Blog

I had the pleasure of writing the lead article for the 10/23 issue of ComputorEdge magazine.  The theme this week is preventing data loss through such options as hard drive scrubbing before a computer is disposed.  My article discusses proactively protecting one’s data by encrypting it.  This helps cover your bases – encrypted data is only good to someone with the key to decrypt it:
———————————————————————————–
Proactive Protection by Encrypting Your Data
“A powerful option for securing your data.”
by Tim McGuire

The other articles in this issue of ComputorEdgefocus on protecting your privacy and important information by wiping the hard drive. But what if a team of highly trained and cleverly named sexy female assassins boards your commuter train one morning and steals your laptop? Or, in a possibly more likely scenario, tired from a long day of work, in a rush to get off the train at the right station, you leave your laptop behind. Whether accidental or malicious, a significant number of laptops are lost or stolen each year. A Ponemon Institute report places the number at more than 10,000 per week in U.S. airports alone. When your computer is gone, how can you possibly feel safe and secure, confident that your personal or company information won’t be misused? One answer is: encryption!

Yes, More Secrets

Evidence suggests that since the invention of writing, most cultures have also invented codes to mask the apparent meaning of some of that writing. Sneaky. Read a Dan Brown novel, and you’ll feel like it happens pretty frequently. In the computer world, this code-making is called encryption, which is basically taking information and using a key and an algorithm, translating it into what seems like garbage, and later the garbage is decrypted using the key and algorithm. The key is like a secret decoder ring, and the algorithm would be the instructions for using the ring.

Most computer users run into encryption every day. Bank Web sites, and most e-commerce sites, for example, will encrypt your transactions before they are transmitted across the open Internet. That way, without the bank’s key, if the information is intercepted, it is not very useful to anyone. Additionally, there are programs and options for encrypting e-mails (so that only someone with a shared key can read the e-mail that is sent), single files, folders, or entire drive volumes. Encrypting an entire volume would provide reasonable insurance that, if your laptop did fall into the “wrong” hands, the data on it would be pretty useless. Without encryption, anyone with a screwdriver or a boot disk can circumvent normal password protection. Encrypting specific folders or files may be more appropriate if there is a very limited amount of confidential information, and it is very well organized.

To Encrypt or Not to Encrypt

There are some drawbacks to encryption. There is a slight performance impact. Instead of simply reading data, your computer is now doing a little extra work of encoding or decoding the info in order to write or read anything on your drive. With modern processors and with a machine oriented toward business activities, this may be less of a concern, but on a gaming rig or a Web server, where speed is very important, it could impede performance.

There is also the factor of complication. If your file system is encrypted, then to access it, you must have the key, which is like a passphrase. If you forget that passphrase, you have no chance of recovering your information. The key could also be a special USB stick. If you lose that device, again, your data is lost. There are other options for the key, as well, including fingerprints, and hopefully those won’t be lost either. If properly configured, some encryption programs have options for “Escrow” keys, which you can store safely and separately, which can either be used to recover or generate a new key. Data recovery can also be more difficult, although with proper backups, this shouldn’t be an issue. Since the data is scrambled before being saved, if your hard drive fails and pieces of the scrambled data are missing, it becomes more difficult to reconstruct. Still, if the information on your computer is confidential, encryption might be a good option despite these obstacles.

How to Encrypt

Most recent releases of major operating systems include options for file, folder, or volume encryption. There are also numerous third-party options, ranging from free, open-source projects, to commercial applications.

Windows BitLocker

The Enterprise and Ultimate versions of Windows Vista and Windows 7, and all versions of Windows Server 2008, have a feature built-in called BitLocker. BitLocker allows the encryption of a full disk volume. If the computer has a Trusted Platform Module (TPM) chip and the right BIOS version, then BitLocker can operate in transparent mode. As long as BitLocker does not detect unregistered changes to the boot process, nothing beyond the user’s password is required to access the system, so it is pretty unobtrusive. If a change is detected, then the user is prompted for their encryption key, which they could have on a USB memory card, or they may have printed it out and filed it away.

There is also a user-authentication mode, in which the user is prompted for a PIN or the USB memory stick right away when the machine is powered on, and before the OS boots. In the case of hardware that does not have TPM, BitLocker can be configured in USB key mode, in which the USB memory stick is required to boot up. There are additional options and key storage methods available when BitLocker is deployed in a domain with Group Policy governing the configuration. In any case, if the hard drive is removed and placed into a different computer, the encrypted volume is useless without the key.

Configuration of BitLocker on an already-in-use computer can be a bit tricky, as a small separate disk volume must be created. However, there is a Windows BitLocker Drive Preparation Toolto help with this. Once complete, to turn on BitLocker click Start/Control Panel/Security, and then click BitLocker Drive Encryption. On the page that comes up, choose Turn on BitLocker, and then you will be prompted to create a passphrase. After completing the rest of the wizard, you will reboot, and your drives will go through the encryption process.

In Windows 7, there is also a BitLocker To Go option, which allows you to encrypt the data on a removable storage device (external hard drive, USB Stick, SD card, etc.). This is a great option for transporting important information. The memory device is readable only when accessed with the correct passphrase.

Microsoft’s site can be a big help. For assistance use the BitLocker setup guide. Microsoft also offers a Secure Online Key Backup, which can cover you in the case of a lost key. Lastly, Microsoft has a repair tool to help recover data from an encrypted volume.

FileVault for the Mac

On the Mac OS X, 10.3 and later, there is a option to encrypt entire home directories using the built-in FileVault. While not full disk encryption, this is a very safe option if you save all of your confidential information within your home folder. Setup is typically Mac-easy. On the Security Control Panel, on the FileVault tab, you must set a master password, and then you can enable FileVault.

Some drawbacks to FileVault are that you must have free space equal to the size of your User folders before it can be enabled. Additionally, there are some concerns about the strength of the cryptography. TimeMachine also functions differently with FileVault enabled. It will back up only after a user has logged out, and it backs up the entire home folder, so individual file recovery becomes difficult. Lastly, because the whole disk is not encrypted, a malicious user could still access the non-user folders of the drive.

TrueCrypt for Linux

Disk encryption options in Linux are related to the particular build in use. Most will come with some encryption options built-in, but the options and implementation can widely vary. TrueCrypt, which I’ll explain in a moment, is an excellent option for Linux.

There are many third-party options for disk encryption. Despite the many commercial options, I would recommend the free, open-source TrueCrypt. It has builds available for Windows (including XP and 2000), Mac OS 10.4 and above, and several flavors of Linux. The options are very robust, ranging from a FileVault-esqe folder or mounted volume (they even have a hidden volume option for the super secretive among you) to an entire disk.

No matter what encryption method you try, one strong suggestion is to back up your data before you implement the encryption. By the very nature of it, encryption scrambles up your data. This does mean, that if something goes wrong during the encryption process, you could lose data. It isn’t likely, but as always, there really isn’t a good reason not to back up first.

Disk encryption is a powerful option for securing your data. If deployed properly, it can protect your information from unapproved access. With the number of computers stolen and lost each year, this can be a very important tool to protect your vital personal or company information.