foobar on computers, software and the rest of the world

Encryption AND easy backup for laptops

, posted: 18-Oct-2007 12:58

Another article about stolen laptops of some government agency with sensitive data. This time though, the agency finally reacts and mandates the encryption of data on the laptops. Of course, they should have thought about that sooner. Oh well...

I have been encrypting data on my laptop for several years now. Laptops are highly attractive targets for thieves for a number of reasons. The thought of my personal data, e-mails, documents, but also photos of my family to be in the wrong hands is something I don't want to have to deal with. I would recommend that everyone with a laptop considers encryption as well. It can provide for peace of mind and a huge sigh of relieve if your laptop should be stolen and you then consider what could have been, if the data would be unencrypted.

Whole drive encryption or container file?

So, what to do? Encrypting the hard drive is the answer. But should the whole drive/partition be encrypted, or should you just go for a container file? With whole-drive encryption, all the data on the disk is encrypted. Depending on which partition (or drive) you have encrypted, it might not even be possible to boot the computer without providing a password. Some modern laptops come with encrypting hard drives already, with the computer's BIOS prompting for the password. An undeniable advantage of whole-disk-encryption, of course, is the fact that even temporary files and swap files are encrypted, and that you don't have to think about which files to explicitly place in an encrypted partition.

On the other hand, a container file is a single, huge file full of encrypted data, stored inside of the unencrypted file system. The container file contains a complete file system inside of it. Once mounted with a special utility it will appear to the OS like any new hard drive. All changes in that file system, new files, modifications of existing files, etc., take place inside of that container file. Accesses to the data in the container and the necessary encryption/decryption is handled at the lowest levels of the underlying system IO operations, and therefore are completely transparent to any application. All kinds of data from all applications can be stored in there, without any special actions being required once the password for decryption has been provided. All accesses to the files in that encrypted partition appear to be just like any other normal file accesses. But once the container file is 'unmounted' again, the new drive disappears and all you have is a giant file with random-looking, completely scrambled data.

Some nice things about container files

In my case, I chose the container file approach. I don't need the entire drive encrypted. Instead, I only moved my e-mail folders, document folders and all other items worth protecting into the container. With a container file, the computer will normally boot just fine. You can log in, and depending on how you set it all up, it might even be possible to start the web browser, or a few other applications, all without opening the encrypted partition. Just the data for your more critical applications can be protected, if you choose to do so. In my case, my Evolution mail client, Skype and some other applications will not even start up properly without the encrypted 'partition' being mounted, since their config files and data directories are 'missing'.

There is an additional benefit, which I find very valuable: I can take a complete backup of my sensitive data with just a single drag-and-drop operation. For that, I unmount the encrypted partition, connect my external USB hard-drive and then simply copy the entire container file over to the external hard-drive. My container file is 2 GBytes in size, so the copy takes a few minutes. That's something I usually start during my lunch break. I can browse the news a bit while having the backup take place in the background. The nice thing about this: The backup itself is of course also encrypted, and I don't have to deal with additional backup and recovery programs.

Another benefit of the container file approach: If your laptop ever needs maintenance, you can hand it over to whoever has to work on it without revealing any personal data or password.


The utility I am using for the encryption is Truecrypt. It is open source and free and available for Linux and Windows. It supports whole-disk-encryption as well as the container-file approach. There are plenty of other tools as well, some of them are commercial. But Truecrypt is not only open and free, but also has a very good reputation, so why not use it? It is also very fast: Access to encrypted data is only marginally slower than normal access to unencrypted data, which is mostly due to a good implementation of the fast, symmetric encryption algorithms it uses. Those algorithms, by the way, are all well reviewed, and well known standard algorithms (AES, Twofish, etc.) , which is good.

For the truly paranoid, here are a few other features provided by Truecrypt:
  • Truecrypt allows the creation of hidden volumes. Those are additional container files hidden inside of other containers. If someone forces you to divulge your password (such as what is now permissible in the UK), then they will not even be aware that there is actually a second encrypted container present. That second container remains completely hidden and its presence cannot be proven.
  • The Truecrypt container files do not contain any special markers or identifiers, and don't require a special extension. In theory, nobody can prove that those files aren't simply your personal collection of random bits. This also makes it attractive to hide these files via steganography in a large sound files or images, for example.
I personally don't take advantage of those additional features, but it is still interesting to note that they are there.

Other related posts:
More Apple madness (follow up)
The GPU, your personal desktop super computer
A truly light-weight OS: Written in ASM, with GUI, networking and apps

Comment by Noviota, on 18-Oct-2007 14:32

I have full drive encryption on my Laptop. I use Compusec from CE-Infosys. It works for me, requires a password before booting and logs me into Windows.

Comment by SilentOne, on 18-Oct-2007 16:31

Great post, very informative.. bookmarked for next Laptop upgrade :)

Comment by SNicolle, on 18-Oct-2007 21:18

very interesting,
I have a bios password on my laptop and it is setup to log straight through to Vista. My household use my laptop and I'm happy.

I work for a multinational and we use the whole encryption approach, its good boot up your laptop and you can use single sign on all the way to windows.

Add a comment

Please note: comments that are inappropriate or promotional in nature will be deleted. E-mail addresses are not displayed, but you must enter a valid e-mail address to confirm your comments.

Are you a registered Geekzone user? Login to have the fields below automatically filled in for you and to enable links in comments. If you have (or qualify to have) a Geekzone Blog then your comment will be automatically confirmed and placed in the moderation queue for the blog owner's approval.

Your name:

Your e-mail:

Your webpage:

foobar's profile

New Zealand

  • Who I am: Software developer and consultant.
  • What I do: System level programming, Linux/Unix. C, C++, Java, Python, and a long time ago even Assembler.
  • What I like: I'm a big fan of free and open source software. I'm Windows-free, running Ubuntu on my laptop. To a somewhat lesser degree, I also follow the SaaS industry.
  • Where I have been: Here and there, all over the place.

Google Search

Recent posts

Attack on net neutrality right...
Munich already saved millions ...
Iceland's public administratio...
More Apple madness (follow up)...
Apple demonstrates: With great...
Smooth sailing with the Karmic...
Censorship in New Zealand: Wid...
Image roll-over effects withou...
How about: Three strikes and Y...
UK government supports open so...

Top 10

How to write a Linux virus in ...
(11-Feb-2009 06:33, 464433 views)
Follow up: How to write a Linu...
(12-Feb-2009 08:10, 65298 views)
A truly light-weight OS: Writt...
(3-Feb-2009 10:39, 46845 views)
The 'Verified by Visa' fiasco ...
(20-Jun-2008 09:59, 32901 views)
EEE PC with XP is cheaper than...
(9-May-2008 06:50, 20433 views)
11 reasons to switch to Linux...
(4-Feb-2009 09:24, 20319 views)
Would you use Google App Engin...
(8-Apr-2008 20:02, 19732 views)
Censorship in New Zealand: Wid...
(16-Jul-2009 12:11, 19268 views)
Django Plugables: Tons of plug...
(11-Apr-2008 03:24, 16975 views)
Slow file copy bug in Vista: A...
(21-Dec-2007 12:18, 16127 views)