Ask HN: Do you encrypt your laptop's hard disk?
I have a lot of personal and company information on 2 of my laptops (Windows 7 and a MacBook). This includes bank account information, private keys, passwords and proprietary source code. I'm always paranoid about my laptops being physically stolen while I'm traveling or if my office is robbed. To help put my mind at ease (somewhat), I've been looking into whole-drive encryption. Incase my laptop does get stolen, I can be sure the thief does not get my data.
It looks like there are 2 solutions out there for Windows - TrueCrypt and Microsoft's Bitlocker. I can't use Bitlocker because my laptop doesn't have a TPM chip, which I'm told is required to encrypt the boot volume. TrueCrypt looks like the only option available right now for Windows.
Also, it looks OS X does not have built-in whole-drive encryption like Window's Bitlocker. Luckily TrueCrypt also has support for OS X.
What do you use to protect your data? Are there any pitfalls that I need to be aware of (besides loosing your password)?
134 comments
[ 3.7 ms ] story [ 183 ms ] threaddon't get why you would encrypt your whole disk though. the home is all I need encrypted.
That's why I'm slowly moving from a general mysql/mongo/redis instance toward a per-folder instance that I run when I need it.
I've got no experience with Bitlocker, but I'm a huge fan of TrueCrypt.
Boot volume encryption/verification is designed to protect you against attackers who would replace your boot image with a one that contains a rootkit or keylogger. This threat model requires serious forethought and planning on the part of the attacker. He is likely targeting you or your company and he wants to do it steathily. Under this kind of threat, you really need the entire company to adopt an extremely high level of operational security. (Remember your security is only as strong as the weakest link in the chain.) Usually, this kind of paranoia is reserved for three letter agencies.
I should mention that Truecrypt doesn't protect against this threat either. At some point, there needs to be an unencrypted bootloader, which can be attacked. Hardware boot volume verification would verify that the bootloader has not been modified, which is what TPM tries to do.
Unless the encryption is implemented poorly (which in Truecrypt and Bitlocker is not) an attacker with access to your boot partition cannot attack your data partition without additional information (like your password).
On OS X, I've heard good things about PGP Whole Disk Encryption. I don't know if Truecrypt can handle Boot Camp (PGP WDE can), if you care about that at all. On Linux, I use dm-crypt + luks
If we're talking about Windows, it's not "boot volume encryption" but the "C: disk encryption" that you have to worry about even if the attack scenario is data at rest. If you don't encrypt C: disk every forensic worker will trivially recover a lot of material that you'd believe was encrypted on another partition.
If we're talking about Linux where you configured /boot unencrypted and everything else encrypted, only then it's about the attack scenario that parent mentions.
I'm not advocating against "full" disk encryption. That's what I use. I just wanted to say that the OP doesn't need boot volume verification and that Bitlocker is sufficient for his needs.
With most operating systems, I don't think that there is a way to ensure that no protected data will ever end up on a non-protected partition. Presumably - if there is any writable directory on an unencrypted partition, there is a reasonable chance that protected data will end up on that partition.
I'm not advocating against "full" disk encryption. That's what I use. I just wanted to say that the OP doesn't need boot volume verification and that Bitlocker is sufficient for his needs.
I'll have to respectfully disagree here. Windows has heaps of different ways of caching all kinds of information outside of your home folder. Individual applications can also cache stuff wherever permissions allow (and often do). Realistically with Windows if you're going to encrypt you want to encrypt your C: drive.
PGP WDE works, it's 'good enough' to be a PITA for any authorities and you can use the same software on PC and Mac, but be warned - PGP broke Snow Leopard upgrades from Leopard when it came out and every major PGP upgrade I've ever done on Windows has resulted in a reinstall (but then again, 9.x was really, really bad).
If you're using a non-administrator account for your day to day on OSX you can use FileVault - just watch your /tmp folder.
At some point, some partition somewhere will need to be unencrypted, otherwise the system cannot boot, since the decryption programs are typically too large for a single boot sector.
I'm not advocating against "full" disk encryption. That's what I use. I just wanted to say that the OP doesn't need boot volume verification and that Bitlocker is sufficient for his needs.
I have however ran into one problem: The licensing app somehow "forgot" that it was registered (something to do with changing active directory binding). I would not have noticed except I went looking for why the computer was so slow.
I opened the PGP app and it said it wasn't licensed and the disk was "decrypting" itself.
I had to wait for basically 3 hours for it to decrypt the disk, re-enter my registration information, and re-encrypt the disk.
There is no such thing as full disk encryption, at least in the "full" sense of the term. There will be some unencrypted partition somewhere that boots the OS. TPM is designed to verify that this partition has not changed from a trusted configuration. I wanted to say that OP does not need this level of security, which is why Bitlocker is a viable and free and fast solution for him to use. (And the security current implementations of TPM provide are questionable right now.)
Applications should not be allowed to write to this partition without elevated privileges. The OS shouldn't be writing to this during normal operation either. Sensitive data should not be put on this partition, and as far as I have heard, Windows has not done anything like this.
When I say "data", what I refer to is the C: drive. With Bitlocker and Truecrypt, the C: drive is encrypted. The Users folder should be encrypted. All the bazillions of temp directories should be encrypted. The hibernation file is encrypted. Even Program Files is encrypted.
Also it breaks the Time Machine browser. If you want to do a restore, you must mount the data backup manually and find the file(s) you want to restore through Finder. Definately not elegant or very user friendly.
Some apps do have minor glitches with FileVault. IIRC, Firefox wouldn't remember certain settings if you used it with a FileVault-enabled account (not sure if this has changed in recent versions).
http://windows.microsoft.com/en-US/windows-vista/BitLocker-D...
- http://agilewebsolutions.com/knox (one vault per client) on Mac OS X, including all db data if any
- http://agilewebsolutions.com/products/1Password for all small-sized sensitive data (eg: production access, passwords etc), with an automated crypted backup
I'm looking for a reliable and as seamless solution for Windows at my pace (not a big need).
Something I'm also looking at is a way to securely erase all the free space on Mac OS X (to remove past data), as well as something that really works to find sensitive data (where I could define what sensitive means).
dd if=/dev/zero of=/tmp/free_space_eater; rm /tmp/free_space_eater
This overwrites all unused space on the disk with zeroes. You'll temporarily run out of free diskspace with either option, so it's a good idea to do this when you're not working on your computer.
dd if=/dev/zero of=/tmp/free_space_eater; sync; rm /tmp/free_space_eater
Knox is handy if you already do full-disk encryption, because it lets you segregate data further (personal financials, client work, etc), so that even if you lose your computer while it's (say) on, an attacker will still need the key to yet another encrypted volume to get that data. I find it extremely useful for things I know I'm not going to need to access often; I also use it for my mail spool.
I don't use whole-disk encryption but I have almost all my applications on the encrypted partition, thanks to PortableApps (http://portableapps.com/). As a bonus it's very easy to backup all my PortableApps data, as well as take everything on an external drive and start working on a different computer (provided it has Truecrypt).
Edit: link to FreeOTFE: http://www.freeotfe.org/
Edit: or other things that would be ok but can be used against you by law enforcement, for example what about your collection of pirated MP3s or DivX?
Is this more acceptable than accidentally downloading porn with someone that might look underage? (Or having looked at it because some trolled linked it to you)
Fortunately that is not my case but I can't say I don't have any MP3s of DivXs that aren't, err, properly licensed.
Edit: or cracked software, we have very high fines in Italy for using softwares without a license.
I'm just saying that in case the police have a look to your laptop and they WANT you to charge with something, they will.
They had their children taken away because they went to a photo shop to have the film developed and the clerk called the police.
http://www.salon.com/life/feature/2006/07/18/photos/index.ht...
I recall other vaguely-similar cases reported in less detail in earlier years. The clerks may not have good judgment, and the incentives for the clerks and many of the agencies involved are to err on the side of assuming-the-worst.
The stigma of even having been accused may make people in such a situation unwilling to talk about it even after being cleared afterwards. After all, many will assume law enforcement would only get involved if "the pictures weren't so 'innocent'".
Folder based encryption will not provide protection, only whole disk encryption.
As for /tmp and swap: those are not required to be persistent over reboots. So you can regenerate those with a random key on every boot. <a href="http://paste.pocoo.org/show/260932/>Here are some pointers to help you do that with dm-crypt</a> for a swap device backed by a loopback device.
With full source and a build environment for our product on their laptop. That makes me paranoid about loosing a laptop in the chaos of a trade show, while our booth is surrounded by our competitors.
I’m using PGP Whole Disk Encryption http://www.pgp.com/products/wholediskencryption/index.html, which works perfectly. I prefer it over OS X’s FileVault feature since it just protects everything and is completely transparent to the system and the user.
And, btw, I’m still hoping for a mobile OS besides BlackBerry’s that provides a reasonable secure encryption option.
One thing to consider, however, are SSDs. To my knowledge, encrypted data is only written to blocks that already contain random data. You therefore might want to look for disks whose performance does not degrade that much when free blocks are no longer available.
As a side note, I do all my picture editing in Gimp. While this is not commom among professional photographers, it contributes in some ways to my landmark style.
I actually used Gimp before PS and from my perspective the only things it really misses are layer groups and layer styles. For PS users there is Gimp Shop[1] which attempts to "deweirdify" the UI to something more reminiscent of PS.
[1]: http://gimpshop.com
Meanwhile, one can run the external plugins such as this: http://registry.gimp.org/node/16563
For a programmer, GIMP is fine for an occasional photo editing job. Just wish, it could do a better job of importing Photoshop files. I know it is more of PS fault not GIMP's, but still.
Thanks
Bitlocker Tips:
1. You might have to enable it in your group policy (see http://www.sevenforums.com/tutorials/4681-bitlocker-drive-en...) for the option to use a USB key to show up.
2. You'll need the USB key inserted to power on the laptop or resume from hibernate, but not for waking it from sleep. That helps with convenience since you won't have to use the key to unlock it from sleep.
3. Make sure to back up the Bitlocker Recovery Key saved to the USB drive. It's saved as a hidden file, just put it somewhere safe online in case you lose the USB key.
4. Don't lose the USB key along with your laptop! Since that sort of defeats the point of encrypting the drive in the first place...
http://www.jetico.com/encryption-bestcrypt-volume-encryption...
You do not require a TPM chip to use BitLocker, although it's better if you have one as the TPM makes it very difficult to tamper the boot code.
Use full volume encryption products (like BitLocker or Bestcrypt VE). There's always useful data in temporary files and it protects against leaving a sensitive file out of an encrypted volume.
I haven't researched this, but is it possible to remotely delete a Dropbox drive? I.e. if my laptop is stolen, to use the site to wipe the data from the laptop? I assume it's possible.
From https://www.dropbox.com/account#manage (pressing "unlink"): "[The unlinked] computer will no longer stay in sync, but it will keep a copy of any file it currently has."
I run PGP Whole Disk Encryption and am very happy with it. I also use Super Duper for backing up to two different external drives. One is unencrypted which I keep in the firesafe at home, and the other is also encrypted with PGP WDE which I take with me when traveling. That way, if my laptop were stolen, I can pick up a new one and restore the drive to it.