(TFC) – As computer users across the globe are aware, digital privacy and data security important for everyone, from the average person to the largest corporation. The ability to prevent data from falling prey to theft or interception is critical for even the average person, and even more so for those who wish to protect sensitive data. Most people use encryption to secure data online daily whether they know it or not, but what about your personal computer, and the treasure trove of information held therein?
The digital answer for those who wish to secure their data against theft and prying eyes is encryption, and there are many tools designed specifically for that purpose. Encryption is the use of complex mathematical formulas to make digital data unreadable to anyone that does not have the proper passkey. Fortunately for users, there are many tools available to make encryption very user friendly. Unfortunately, there is a great deal of incorrect information on many of these tools and their proper use. I will attempt to simplify the technical aspects, while providing the reader with a moderate understanding not only of how to use some common tools for proper data security, but also to understand the methodologies behind them and why they do, or don’t in some cases, work against particular threat models.
Some people are unaware that setting up a passphrase to use your computer does not prevent even a very lowly skilled adversary from accessing the files on your hard drive. Not only are the photos, videos, documents, internet search history, etc. accessible, but also deleted files and passwords saved in your internet browser, among other things. This information may give an adversary access to your social media, email, bank accounts, critical work files, and all the data they need to completely control your digital life. The common defense against this is full disk encryption, or FDE, which encrypts the entire hard drive, making any computer that is stolen or physically compromised by an adversary theoretically secure against any of the data on that drive being compromised. This should be the minimum of defense on all computers, and a layer of defense on more secure systems.
The second simple method of securing data via encryption, to be used either as an option to or in conjunction with FDE is the use of encrypted compartments. Whereas FDE is in essence a locked room, an encrypted container would simply be a locked safe within a room (that may or may not be locked itself) that you can use to store files that you wish to keep from falling into the wrong hands. With some software, this option can be quite effective, particularly as yet another layer in your security protocol. Even when FDE is utilized, an additional layer of security can help to defeat common side-channel attacks, such as cold-boot and Firewire attacks. The reason for this is that only the mounted (decrypted) drives or containers will have their keys stored in the RAM (temporary memory), so having additional containers that were not decrypted offer a second line of defense for any data therein, even if your machine should be stolen while running or in sleep mode.
The third type we will discuss is independent file encryption. Many programs offer a user the chance to password protect a file when saving it in order to offer some level of security. Many compression tools and some office software offer this capability. This is often significantly weaker than using software that is designed primarily for the purpose of encryption, however it beats nothing. Use of this form of encryption is akin to having a locked briefcase. What methods a user may choose, and how they may implement them will depend entirely on their threat analysis. This will include taking into consideration many questions only the user can answer. What is the level of information are they trying to protect? What actors are likely to attempt to compromise their security? What is the capability and resources of said actors?
Full disk encryption is often considered second only to physical security when it comes to securing your data, and there are many tools available for this task. Many companies offer programs that are capable of FDE on both PC and Mac computers. The issue with using commercial software for this is that the source code of the program is not open to inspection, and there may be backdoors in the code in order to allow access by State agents. Even if you are fine with your local law enforcement having access to your files, any weak point that can be exploited by them can also be exploited by others. All of the following encryption programs are known to have worked closely with digital forensic software developers in order to ensure that the State agents that examine their software would have access to files that were encrypted with their software, however the extent to which is not known publicly:
– CheckPoint Full Disk Encryption
– Dell Data Protection
– Apple File Vault
– McAfee Endpoint Encryption
– Microsoft BitLocker
– Sophos Safeguard
– Symantec PGP Whole Disk Encryption
– Symantec Endpoint Encryption
– WinMagic SecureDoc
These are just some that I am aware of, and a more comprehensive list would be huge. For this reason, I cannot recommend any of them to anyone that is serious about their digital security or privacy. Of these, one in particular sticks out. Microsoft’s flagship encryption, BitLocker, is included in the Enterprise and Professional versions of the Windows operating system and is often used by many corporations as a primary solution to their data security needs at the machine level. It has long been surmised that BitLocker, being a Microsoft product, had a backdoor which could be exploited. However, I do not believe this to be the case. There is no need for a hidden backdoor into a locked room when there is a spare key under the welcome mat. In order to gain access into a BitLocker encrypted drive, you must know the passphrase or the recovery key. Many websites have made it known that a BitLocker user’s recovery key is automatically uploaded to Microsoft’s servers, and that they must take measures to remove it from those servers, however there is a much larger problem that I have not seen brought to the attention of this product’s users. To wit: BitLocker stores the recovery key in plaintext. This means that if a person has physical control over the machine, there is software that can be used with little skill to extract the recovery key, thereby giving full access to the contents of the encrypted drive. This is not a bug in the code, simply a terribly insecure design, making this product useless for anyone that actually cares about data security. Using BitLocker alone is worse than having no security, for it is a false sense of security.
Though there are some commercial providers, such as BestCrypt, that claim to have no backdoors engineered into their programs, but as their source code is not available for peer review you must be willing to take them at their word if you use their software. For this reason, I tend to recommend open source software when it is available. Open source software allows programmers to look through their source code, looking for weaknesses that can then be fixed. The popularity of the software will determine how many people have actually taken the time to inspect the source code, so using a relatively unknown product may not be the best idea. The algorithms used will likely be the same, however the implementation is going to be different.
Rather than cover every possible program and the pros and cons of each, I will instead give my personal preferences. For both Windows and Mac, VeraCrypt offers the best algorithms available, with some of the strongest hashing available, and great documentation coupled with a very easy to use interface. VeraCrypt allows for both FDE and encrypted containers. If using this software, the only other encryption the average user may need would be quick encryption of individual files and asymmetric encryption. Both of these are easily accomplished using OpenPGP and associated tools, such as Kleopatra for Windows. Asymmetric encryption is the ability to have one key which can be publicly disseminated encrypt a message while still requiring a secret key decrypt it. Only the secret-key that is paired to that particular public-key can unlock that message or data. This is useful if you wish to send encrypted files to another without knowing their password to decrypt the file. You may encrypt a file with their public-key, which is only used to encrypt, or “lock” the file and only that person may unlock it. You may do the same if using your public-key. This is one of the great features of OpenPGP. Note, when you encrypt a file using PGP simply for secure storage purposes, the original file still exists and must be erased securely using a program such as Eraser, BleachBit, or CCleaner.
However you may choose to go about securing your data, a little work on your end makes the effort required by any attacker several orders of magnitude more difficult. Use passphrases that are as long and complex as you can remember, as the passphrase is the weak link. Never forget rule 5 of the “10 Immutable Laws of Security” to wit: Weak passwords trump strong security.