safe computing – encryption

“Those who do not learn history are doomed to repeat it.”

George Santayana

Recently a friend of mine had an old computer with a lot of personal photographs on it, but it had stopped working. To be honest, he really is quite content with his tablet. It fits in your lap, has fabulous battery life and you can put it into your briefcase or backpack. He just wanted his old pictures back.

The request was simple: can I copy this information from the computer to a USB stick? I simply took the computer home and took out the hard disk. I connected it to another computer and proceeded to copy all the files to a USB stick.

Windows didn’t stop me because I never gave it the chance; I booted up a different operating system. It is not really a defect in Windows; it was a case of simply working around the existing security, not terribly different from the Maginot Line defense in World War II.

The Maginot Line was a 200-mile-long strategic defense in France to prevent an invasion from Germany. It turned out to be a very good defense against direct attacks but essentially ineffective, as the Germans simply invaded through Belgium. They simply worked around the existing defenses.

The format of the filesystem has changed since the old days of Microsoft DOS, but it is nevertheless a standard and well known. The size of the installed base of Microsoft Windows, and of the file systems it uses, made it inevitable that non-Microsoft utilities and operating systems would support this large user base.

The entire reason that I was able to get this data is because of how common everything is and how unprotected this drive was.  The data was not encrypted so any person, utility or operating system has a free hand in accessing it.

Encryption, or the controlled scrambling of the hard disk contents, is the solution. The good news is that encrypting your disk will keep prying eyes from using such a simple workaround. The bad news is that if your computer breaks, the same encrypted hard disk will be impossible to read unless you have saved your key.

If you are using BitLocker, from Microsoft, when setting up the encryption you need to either save the key to a USB stick or print it out.  Failing that, your data is 100% secure, even from you.

This is exactly the same situation for TrueCrypt, VeraCrypt, zuluCrypt, or any other full disk solution. Besides, isn’t TrueCrypt unsafe? Well, TrueCrypt did pass its security audit, and although it is not perfect it is secure. The project, which was abandoned, has been forked to a new life.
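Whether a drive is in the unprotected state described above can be checked from its first sector, because plain file systems and most disk-encryption formats announce themselves there. The following is an added example, not part of the original post; it also recognises LUKS and FAT32, which the post does not mention, the sample sectors are constructed, and the 7.0 entropy threshold is an assumption.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8 for random-looking data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_volume(first_sector: bytes) -> str:
    """Classify a volume by the well-known signatures in its first sector."""
    if len(first_sector) < SECTOR:
        raise ValueError("need one full 512-byte sector")
    sector = first_sector[:SECTOR]
    if sector[0:6] == b"LUKS\xba\xbe":        # LUKS header magic
        return "encrypted: LUKS"
    oem_id = sector[3:11]                     # OEM ID field of the boot sector
    if oem_id == b"-FVE-FS-":                 # BitLocker replaces the NTFS OEM ID
        return "encrypted: BitLocker"
    if oem_id == b"NTFS    ":
        return "plaintext: NTFS"
    if sector[82:90] == b"FAT32   ":
        return "plaintext: FAT32"
    # TrueCrypt/VeraCrypt data volumes carry no plaintext signature, so the
    # best available hint is a first sector that looks like random bytes.
    if shannon_entropy(sector) > 7.0:         # threshold is an assumption
        return "no signature, random-looking: possibly encrypted"
    return "unknown or blank"

def read_first_sector(path: str) -> bytes:
    with open(path, "rb") as f:               # image file or raw device
        return f.read(SECTOR)

def _pad(prefix: bytes) -> bytes:
    return prefix.ljust(SECTOR, b"\x00")

# Constructed sample sectors (not taken from any real disk).
SAMPLES = {
    "old laptop disk": _pad(b"\xeb\x52\x90NTFS    "),
    "bitlocker disk": _pad(b"\xeb\x58\x90-FVE-FS-"),
    "linux disk": _pad(b"LUKS\xba\xbe\x00\x01"),
    "headerless": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16)),
    "blank": bytes(SECTOR),
}
if __name__ == "__main__":
    for name, sector in SAMPLES.items():
        print(f"{name:16} -> {classify_volume(sector)}")
```

On a real machine, `read_first_sector` would be pointed at a partition device or a disk image and needs read permission on it.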

Even if any of these solutions were compromised by any government or private organization, there is a minimum level of security. If the laptop is lost or stolen, your bank records, tax records and other private information are fairly safe from prying eyes. My mentor Ivan has reminded me that if the authorities want your information they will get it one way or the other.

If the government is not able to brute-force the password it probably wasn’t very well protected, or otherwise they will take other things from you, like liberty, until you do supply the information that they want.

Encryption is a great idea if you are protecting national secrets, but it is an equally good idea if you are not. In this day and age, people have a lot of personal information stored on their personal computers. This data may be tax details, bank account details, pictures from your last holidays or even an especially embarrassing selfie.

Encrypting a file, partition or even the whole disk is a good idea, but as always there is a downside. When using a software-based solution you are securing the data but taking the CPU away from its main tasks so it can encrypt and decrypt data as it is written and read. You may not see the speed degradation, depending on the number and size of the files you process.

A solution for the speed problem is to purchase a disk that does the encryption in hardware. Such a drive is referred to as a self-encrypting drive (SED). The drive itself will have the necessary hardware to deal with the encryption.

You simply provide an authorization key (password) when powering up the computer and the drive will be unlocked until it is powered off. This is convenient, but the downside is that locking or hibernating the computer will not re-lock the hard disk. Also, it is not possible to simply purchase an SED and put it into any of your computers, as the motherboard must be able to pass the authorization key to the drive.

I personally like having software do my encryption as I have a little bit more control over how much of the hard disk is encrypted and when it is locked or unlocked.

For more information about self-encrypting drives, there is a very detailed article from pugetsystems.com.

https://www.pugetsystems.com/labs/articles/Introduction-to-Self-Encrypting-Drives-SED-557/
