I have been encrypting data on my laptop for several years now. Laptops are highly attractive targets for thieves for a number of reasons. The thought of my personal data, e-mails, documents, but also photos of my family to be in the wrong hands is something I don't want to have to deal with. I would recommend that everyone with a laptop considers encryption as well. It can provide for peace of mind and a huge sigh of relieve if your laptop should be stolen and you then consider what could have been, if the data would be unencrypted.
Whole drive encryption or container file?
So, what to do? Encrypting the hard drive is the answer. But should the whole drive/partition be encrypted, or should you just go for a container file? With whole-drive encryption, all the data on the disk is encrypted. Depending on which partition (or drive) you have encrypted, it might not even be possible to boot the computer without providing a password. Some modern laptops come with encrypting hard drives already, with the computer's BIOS prompting for the password. An undeniable advantage of whole-disk-encryption, of course, is the fact that even temporary files and swap files are encrypted, and that you don't have to think about which files to explicitly place in an encrypted partition.
On the other hand, a container file is a single, huge file full of encrypted data, stored inside of the unencrypted file system. The container file contains a complete file system inside of it. Once mounted with a special utility it will appear to the OS like any new hard drive. All changes in that file system, new files, modifications of existing files, etc., take place inside of that container file. Accesses to the data in the container and the necessary encryption/decryption is handled at the lowest levels of the underlying system IO operations, and therefore are completely transparent to any application. All kinds of data from all applications can be stored in there, without any special actions being required once the password for decryption has been provided. All accesses to the files in that encrypted partition appear to be just like any other normal file accesses. But once the container file is 'unmounted' again, the new drive disappears and all you have is a giant file with random-looking, completely scrambled data.
Some nice things about container files
In my case, I chose the container file approach. I don't need the entire drive encrypted. Instead, I only moved my e-mail folders, document folders and all other items worth protecting into the container. With a container file, the computer will normally boot just fine. You can log in, and depending on how you set it all up, it might even be possible to start the web browser, or a few other applications, all without opening the encrypted partition. Just the data for your more critical applications can be protected, if you choose to do so. In my case, my Evolution mail client, Skype and some other applications will not even start up properly without the encrypted 'partition' being mounted, since their config files and data directories are 'missing'.
There is an additional benefit, which I find very valuable: I can take a complete backup of my sensitive data with just a single drag-and-drop operation. For that, I unmount the encrypted partition, connect my external USB hard-drive and then simply copy the entire container file over to the external hard-drive. My container file is 2 GBytes in size, so the copy takes a few minutes. That's something I usually start during my lunch break. I can browse the news a bit while having the backup take place in the background. The nice thing about this: The backup itself is of course also encrypted, and I don't have to deal with additional backup and recovery programs.
Another benefit of the container file approach: If your laptop ever needs maintenance, you can hand it over to whoever has to work on it without revealing any personal data or password.
The utility I am using for the encryption is Truecrypt. It is open source and free and available for Linux and Windows. It supports whole-disk-encryption as well as the container-file approach. There are plenty of other tools as well, some of them are commercial. But Truecrypt is not only open and free, but also has a very good reputation, so why not use it? It is also very fast: Access to encrypted data is only marginally slower than normal access to unencrypted data, which is mostly due to a good implementation of the fast, symmetric encryption algorithms it uses. Those algorithms, by the way, are all well reviewed, and well known standard algorithms (AES, Twofish, etc.) , which is good.
For the truly paranoid, here are a few other features provided by Truecrypt:
- Truecrypt allows the creation of hidden volumes. Those are additional container files hidden inside of other containers. If someone forces you to divulge your password (such as what is now permissible in the UK), then they will not even be aware that there is actually a second encrypted container present. That second container remains completely hidden and its presence cannot be proven.
- The Truecrypt container files do not contain any special markers or identifiers, and don't require a special extension. In theory, nobody can prove that those files aren't simply your personal collection of random bits. This also makes it attractive to hide these files via steganography in a large sound files or images, for example.
Other related posts:
More Apple madness (follow up)
The GPU, your personal desktop super computer
A truly light-weight OS: Written in ASM, with GUI, networking and apps
Comment by Noviota, on 18-Oct-2007 14:32
Comment by SilentOne, on 18-Oct-2007 16:31
Great post, very informative.. bookmarked for next Laptop upgrade :)
Comment by SNicolle, on 18-Oct-2007 21:18
I have a bios password on my laptop and it is setup to log straight through to Vista. My household use my laptop and I'm happy.
I work for a multinational and we use the whole encryption approach, its good boot up your laptop and you can use single sign on all the way to windows.
Add a comment
Please note: comments that are inappropriate or promotional in nature will be deleted.
E-mail addresses are not displayed, but you must enter a valid e-mail address to confirm your comments.
Are you a registered Geekzone user? Login to have the fields below automatically filled in for you and to enable links in comments. If you have (or qualify to have) a Geekzone Blog then your comment will be automatically confirmed and placed in the moderation queue for the blog owner's approval.