Three Wise Men

Sometimes protecting your computer with BIOS passwords and login passwords just doesn’t cut it. Your computer being stolen is one of such examples. When someone has physical access to your computer it is more or less cakewalk for them to access your data. They can simply disconnect your hard drive, put it in another computer and access all the data on it.

How to prevent this? Read on.

To block unauthorized access to your data you will need to put more effort in it. You will have to encrypt your hard drive. How to do this and which software to use is a little bit trickier. Nowadays options are almost countless. Starting with disk manufacturers who offer hardware based full disk encryption with pre-boot authetication to at least thirty different software solutions. Jesus almighty, what to pick? Hardware solution will at first seem like a reasonable choice, but is it really?

The pros and cons of hardware solutions

The only few pros in hardware solutions that I can think of. First, it doesn’t take any CPU time, it doesn’t use any RAM. No drain on your precioussss resources. Which, to be honest, shouldn’t be such an issue. Then there is ease of use, it should be easy to setup such drive. Nothing more than plugging it in, and selecting encryption in BIOS and setting the password. At last, but not least, portability. With hardware encryption it really doesn’t matter what operating system you’ll be running encryption will work all the time and your drive accessible whatever you boot. Ok, it actually involves selecting a proper filesystem too, but we’ll get to that later.

And the cons? Oh, where should I start? First above all is trust. How can you trust someone you don’t know? Is their encryption  algorithm good enough? Are there any back-doors included? What’s really under the hood? Putting all your data at mercy of one company or a single individual can be risky, so risky that many people simply don’t do it.

Go for Software

When you figure out that software solution is a way to go, you’ll have to pick one package out of many. Ordinary joe-blow users will be satisfied with a solution that came with their operating system. Mac OS X comes with FileVault which enables users to encrypt their home directory. Windows XP users are also limited to encrypting only folders. Windows Vista Ultimate comes with BitLocker enabling you to encrypt whole drives. If you’re not demanding these solutions might work for you but when you try to do something more advanced or you want to review your solution to make sure you are really safe then you hit the wall. Closed source, again you don’t see what is under the hood. Are you happy with that? Yes, then you can stop reading. :)

Wait! Did I mention Linux? No. Blasphemy! Ah, not really, Linux is so good that it doesn’t really need extra attention. It simply works. ;) For Linux you have a lot of different open source solutions, you can encrypt files, directories, whole partitions and disks. If you’re using Ubuntu or any other decent, self respected, distribution you’ll have all the tools you need in your repository.

Platforms, Operating systems, File systems

As I said before, if you have only one operating system you can stick with its encryption solution. However, if you have more than one, then you’re screwed. At the moment I am using three different operating systems. Ubuntu, Windows Vista and Mac OS X. I needed something that will work on all three operating systems as transparently as possible. I wanted to encrypt my external 1TB drive and make it accessible no matter what I booted.

I used encryption before and one of the best solutions out there is TrueCrypt. It supports many different encryption algorithms from the most basic AES to tripple Serpent-Twofish-AES combo that is virtually impossible to brute-force. On top of that, TrueCrypt is open source and available for Linux, Mac and Windows it appears that it is a perfect solution. Windows version also supports pre-boot authentication, but this is something that you don’t really need if you want to hide that you’re hiding something.

Hiding stuff

I’ll be doing this in OS X since this is what I have running at the moment if you’re running something else it doesn’t really matter. Installing TrueCrypt is rather straightforward so I won’t bother talking about it.

Starting TrueCrypt

Beauty of TrueCrypt is that it doesn’t require any special drivers and reboots after you install it. First we’re gonna create a TrueCrypt volume. Nothing too fancy, just a regular file containter. Start by clicking Create Volume.

Creating TrueCrypt Volume

Select first option, “Create an encrypted file container” and click “Next”.

Selecting volume type

Volume type should be set as Standard TrueCrypt volume. Hidden volumes are more advanced types of TrueCrypt volumes where you have a volume inside a volume, super secret and stuff. We will create just an ordinary volume.

Naming the volume

The location of the volume is really not important. Volume will look like an ordinary file and its contents indistinguishable from random data. That is the beauty of TrueCrypt volumes. You can’t tell that they are TrueCrypt volumes except that the size of a volume is divisible by 512.

Select encryption type

Selecting encryption type is simple and basic AES should be more than enough for an average user. It is good enough for US government. Well, the paranoid kind can go for Serpent-TwoFish-AES combo. Brute forcing it would probably require all the time in the universe.

Decide on volume size

For this example we’ll create only 10 MB volume. Creating large volumes takes time. Sometimes a lot of time.

Pick a password

Picking a password is tricky. Short passwords are easy to brute force, long passwords are hard to remember. Using keyfiles could be a solution, but if you lose a keyfile you’re screwed. Pick a long password a line of text that is easy for you to remember. My password is more than 30 characters long and it is not that hard to remember.

Formatting your volume

Pick a filesystem for your volume. This selection is based on your platform. You alway get to pick FAT, other choices depend on your operating system. On Mac, as you can see, you are able to select Mac OS Extended. On Windows the other option will be NTFS and on Linux ext3. Here comes the dilema, do you want your TrueCrypt drive to be portable between those three operating systems? Which filesystem to pick? I am Linux user and the logical choice for me was ext3. I thought that I’ll manage to mount it somehow in OS X and Vista. Oh boy, I was wrong.

Mounting ext3/2 volume in Vista and/or OS X proved to be a pain in the ass if I wanted stable, read/write access to my ext3 TrueCrypt volume. In the end I had to settle with FAT, making a mental note that I won’t be able to put files larger than 4GB on it. Imagine my pain when I was formatting my 1 TB external drive.

There is also an option to quick format the drive and is enabled only if you’re dealing with physical devices not files. Skipping quick format can save you A LOT of time. However when you quick format, you drive doesn’t get over written with random data and that could get you in trouble someday. ;)

Formatting in progess

After the format is complete you’ll get a notice about that on your screen and you’re ready to test your new encrypted volume.

Format finished

Mounting it

Closing Volume Wizard and clicking Selecvt File will pop-up file dialog. Pick the file you just created. Make sure you remember the name otherwise you can spend a lot of time looking for it. :)

Transfer some files

On the last screen you can see that SecretStuff file is mounted and presented to the system as NO NAME volume an that it contains one two items.

How safe are you now?

Pretty safe. TrueCrypt volume can’t really be identified with 100% certainty, your password should be long enough and that will make you more or less safe. Just don’t give your volumes meaningful names. SecretStuff in this example is quite a bad choice. ;) Once you’ve mastered TrueCrypt and you know how to use it, you can try encrypting whole /home disk¹. Or perhaps an USB drive that you carry around with you. Encrypting whole drive is basically the same as creating encrypted file container.

Regarding the safety there is one more thing that needs to be mentioned. There is absolutely no data recovery on encrypted disks. If your disk dies and you had encrypted data on it, forget about it. You’re screwed. I am not kidding, I mean it. You just send 1TB of encrypted data down the drain if you erased it by accident. Once you delete it, it’s gone and no-one can help you.

So make backups! Secure, safe backups. But you’re doing that already, aren’t you?

Related articles by Zemanta

• Hard Drive Encryption Specification (schneier.com)
• SecureFiles is a Dead Simple Volume Encryption Application (lifehacker.com)
• Enable Bitlocker On Unsupported Hardware (ghacks.net)