Having your laptop stolen can ruin your whole week. Hopefully, by now, you’re backing it up regularly and you know that there’s software available that can dramatically improve the odds of getting your computer back. But perhaps the creepiest aspect of having your laptop stolen is that someone might be going through the information you have on it: Email, contact lists, web browsing history, passwords, financial information, family photos and, if you use the computer for work, potentially sensitive business information.
Just imagine a drug addict (they steal computers and sell them to buy — you guessed it — more drugs), a competitor (they’d like to know what you’re up to) or a nosy, unethical employee where you work (70 per cent of thefts are committed by insiders) sitting there looking at everything on your notebook, including some things that even have been deleted.
And then there are overzealous governments, criminals, and other prying eyes who might enjoy rifling through your notebook hard drive or even copying every bit on the hard drive for a detailed forensic analysis when you’re not around.
If none of that would bother you, no need to read further. But, for the rest of you…
There are a lot of different encryption products available to protect data on your laptop. But, sadly, many of them dive quickly into technical details and scare most people off. So, while I’d be happy to answer your technical or security questions , I’m going to avoid all that and just tell you what you need: Full disk encryption software or FDE, for short.
Once installed, FDE software protects your entire hard drive and is very simple to use: You turn on your computer, type in your passphrase, and then the computer boots as usual. Some people confuse their computer’s BIOS password with FDE. but the two are quite different. BIOS passwords can be easily bypassed but, if you forget your FDE passphrase, the same mechanism that stops an intruder from getting your data will apply to you. If you’re using a corporate FDE solution, your company will almost always have a system that allows them to recover your passphrase or decrypt your hard drive. If you’re using a stand-alone solution, make sure you understand the recovery options availible. For example, many products will allow you to create a recovery disk to keep somewhere safe in case you forget your passphrase.
There are several good products on the market, including SecureDoc from WinMagic, Check Point Full Disk Encryption (formerly Pointsec), McAfee Endpoint Encryption (formerly SafeBoot), DriveCrypt, from SecurStar, and TrueCrypt.
The WinMagic, Check Point, and McAfee products cater primarily to corporate and government clients. These products emphasize enterprise management of encrypted drives and are generally too complex and expensive for individual users.
DriveCrypt is available as an online purchase from Germany, and TrueCrypt is a free, relatively easy-to-use open source product with a huge following. Both offer some interesting features, including the ability to hide one operating system inside another. While there are some catches, the feature is intended for situations where one may be (or feel) compelled to disclose their FDE passphrase. Without going into technical details, it basically gives the user two passphrases. One provides access to their “real” system, while the other provides access to a decoy.
While each of the products has its strong points, TrueCrypt is hard to beat for individual users. I’ve tested it on several laptops with great success. Corporations, of course, should compare the commercial products so that they can retain control of their encrypted information and assist users should they forget their passphrase. When purchasing a new notebook, both individuals and businesses should also consider a “self encrypting hard drive” if offered by the manufacturer. (More on hard drives with built-in cryptography in another article.)
No matter which product you choose, there are three very important things to remember:
- Pre-boot authentication is a MUST. In other words, if you can turn on your computer and it boots into Windows (or whatever operating system you are running), your data is not protected.
- You must choose a complex (i.e. difficult-to-guess) passphrase and it must not be written on your computer, in your laptop case, or anywhere else someone is likely to find it. The best passphrases are created by creating a phrase that is easy for you to remember and difficult for others to guess. For example “elephantseatbreakfastB4readingtheTLP” would be very difficult to someone to break. Chances are you’ll only be typing it once or twice a day, so make it long!
- Take the time to understand the recovery capability your product provides. If it offers to create a recovery disk, do so and store it safely. Never store it with your computer!
Protecting your data in the event that your laptop is stolen is easy and, in the case of TrueCrypt, it’s also free. Speaking of free, I also should mention that some of the easiest ways of preventing laptop theft are free: Don’t leave it unattended in hotels, airports or meeting rooms — even for a few minutes — and make sure it is not visible if you leave it in your car.
Evolving Squid
And remember… if you enter Canada with a laptop or USB stick, you\’ll have a good chance of Canada Border Services wanting to nitpick through your equipment looking for child porn… because we all know that anyone travelling with a laptop or memory is a pervert.
AFAIK, they cannot compel the password from you, however. So if you don\’t want some border troll picking over your sensitive work files, your family pictures and personal information, it\’s important to have it encrypted. It\’s also important to have it backed up in case the device is seized.
Eric
I think that\’s included in the \"overzealous governments\" category 🙂
For anyone who has missed the issue, border agents in Canada are abusing the \"border search exemption\" to examine and copy information from hard drives and other media without even as much as a reasonble suspicion of wrongdoing. The real issue is that when the exemption was put in place, there was no such thing as electronic data, and the border agents were searching physical goods. Now they feel that they also have the right to look at information, even though any other law enforcement officer in Canada would need to obtain a warrant.
The child pornography argument is simply positioning to make it harder for people to oppose. It is easier to violate people\’s rights if you can come up with a way to make anyone who objects seem like a bad guy. It\’s the \"if you don\’t have anything to hide\" falacy.
Interestingly enough, while there have been a lot of social and technical discussions on it, even by lawyers, what we haven\’t seen is discussion on the issue of whether or not border agents have the ability to compel one to disclose a password. I don\’t believe that they do, but of course I\’m not a lawyer.
Rynhere
To the author:
Your article is a poor overview of the drive encryption market, for one matter. You should have looked at the drive encryption vendors on the Gartner magic quadrant and correlated that with drive encryption products that at least hold industry certifications like FIPS 140-2, the gold standard industry certification that assures that a vendors encryption product functions as they assert.
For another issue, how in the world do you derive that Truecrypt should find itself on the “good product” list when it’s an open source utility that has many well documented vulnerabilities, including storing encryption keys in the clear (ie, unencrypted)?
Why didn’t you include PGP? or Utimaco? or Guardian Edge? in your “good vendor” list?
Please do research before throwing out baseless assertions about products that you likely used while you still lived at home and connected to the internet through AOL. Is that too much to ask?
Eric Jacksch
Thanks for your note Rynhere.
The article was not intended as a overview of the market, and one can, as you point out, purchase that from Gartner. The point of the article is that people should be encrypting their notebook hard drives. In most cases any FDE product with pre-boot authentication would put people miles ahead of where they are now.
I’m not aware of any serious vulnerabilities in the current version of Truecrypt, and the fact that it is free open source software is great news for individuals and small businesses that need hard drive encryption. In today’s economy a good free security product is hard to ignore.
I haven’t had the opportunity to try out the PGP, Utimaco, or Guardian Edge products. If you are by chance connected with one of these vendors, do feel free to point your media relations person in my direction.
On the topic of certifications, while FIPS 140-2 is nice, calling it the “gold standard industry certification” is quite a stretch, especially when you don’t state which level of 140-2 you refer to. FDE Software can only be verified to FIPS 140-2 Level 1, which only really means that the cryptographic module in the software works right. To put this in perspective, you can download a free FIPS 140-2 Level 1 crypto library and use it in your product. FIPS 140-2 certification does not provide assurance that the software product as a whole provides any given level of security. If you’re serious about your cryptographic products you should be looking for both FIPS 140-2 (preferably Level 2) and EAL4 against a good protection profile.
But for the vast majority of us, any reasonable product that prompts the notebook thief for a passphrase prior to booting the operating system and that protects data from access via a boot CD or connecting it to another computer is good enough.
Melisa
Rynhere, you accuse the author of making baseless assertions and then go on to make your own baseless assertions in the same sentence. What’s your point?
Evolving Squid
Vulnerabilities in the current version (V6) of TrueCrypt:
http://secunia.com/advisories/product/19432/
That site also shows no vulnerabilities in V5, three in V4.
Also http://www.cert.org shows no vulnerabilities for TrueCrypt.
It’s fair to say that TrueCrypt has no currently known vulnerabilities, unless Rynhere is aware of some through other means. If this is the case, then personally, I invite him to present a paper on such vulnerabilities.
Scott Wright
Well done, Eric. I think people need to realize that in today’s social-oriented Internet, there is a wide range of technical guidance information available, depending on how much you want to pay for it. As Chris Anderson says in The Long Tail, “Context is King” beats “Content is King” now. Getting information that is relevant to your situation is tricky.
As a result, we depend on bloggers and articles in free media sites to give us a “point of view” that we can put into our own context.
Interestingly, I am finding myself in a similar situation as you, and am only able to afford the time to evaluate products I’ve had the opportunity to use. I have, in fact, been approached by PR companies on behalf of their clients who are security vendors. So, I get a better look at their products and a chance to evaluate their merits. I don’t try to pick a winner as much as highlight their strengths. I don’t have time to argue about what information I may have missed.
But people still find the insights useful. Thanks for standing up for all of us who enjoy writing to bring our insights to others who appreciate them!
Eric Jacksch
Scott, thanks for your comments.
I try to be fair to all vendors, and I’m always willing to look at their products. I point my corporate and government clients toward products that meet their needs. But TLP is about the average person, and it’s hard to beat a good level of security for free. As I often tell my clients, price, features, support. Pick two 🙂