Information Security For Travelers - Drive Encryption Part 1

I've analyzed my threats and vulnerabilities.  Now it's time to look at drive encryption as a security measure to mitigate the risk of someone exploiting those vulnerabilities.  Drive encryption is now cheap and easy for everyone.  If your drives aren't encrypted, why not?

Drive encryption addresses two of my threats:
  1. identity thieves with access to my (presumably stolen) hardware
  2. overzealous search & seizure, which may happen at the hands of legitimate or illegitimate authorities

I'm going to focus on these areas:
  • Whole drive encryption
  • Storage encryption for other gizmos
  • Portable USB encryption
  • Password file Encryption

Whole Drive Encryption

Because my netbook  doesn't have a Trusted Computing Module (TPM) and I want cross-platform compatibility between Windows and Linux, I'm using TrueCrypt.  Dm-crypt for Linux or Bitlocker for Windows are also good choices.  I don't do Apple so I can't help you there.

Most people will simply use TrueCrypt to encrypt the entire disk where Windows is installed.  A password is required at boot time in this configuration.

In addition, you might optionally choose to add a hidden encrypted volume to your drive.  To do this, you'll need an empty partition available on your drive.  You won't be able to resize any partitions once the drive is encrypted so it's best to sort this out now.  I don't need such a partition so I won't detail that here.

To get started, download and installed TrueCrypt.  Once it is installed, proceed by selecting Encrypt System Volume from the System Menu.

This will kick off a wizard that will walk you through the process.  Part-way through you'll be prompted to reboot the computer so TrueCrypt can complete a pretest.

Here are the answers I gave:
  • Area to Encrypt: Encrypt the whole drive

    If your drive is used only for a single operating system (Windows) then the safest option is to encrypt the whole drive.  Since I'm starting from a new fresh drive and I don't plan to use it for anything but my Windows install, I've encrypted the whole drive.

  • Encryption of Host Protected Area: No

    Since I'm using a fresh drive, I know the HPA is available to be encrypted.  This might not be the case for some factory-built machines that store drivers or recovery tools there.

  • Number of Operating Systems: Single-boot

    I'm only planning to boot Windows on this netbook.

  • Encryption Options: Defaults

    I simply chose the default encryption and hashing algorithms.

  • Password

    This is the password you'll use to boot the computer.  Of course it is essential that you choose something that you can remember. 

    TrueCrypt stores the decryption key for your hard drive on the drive itself.  It is protected by this password, so you should also choose something long and not easily guessable.

    A weak password will be vulnerable to brute force attacks (i.e. automated password guessing) should someone steal your hard drive and really want the contents.  Of course, if they really wanted the contents, they'd just beat you or lock you away until you gave up the password.

  • Collecting Random Data

    Just wiggle your mouse around for a bit.  The software needs the movement of your mouse to generate random numbers for key generation.  It's not as goofy as it seems.

  • Wipe Mode: None

    This drive is new and has never had any sensitive information stored on it.  Wiping isn't necessary.

You will also be prompted to create a recovery disc.  This is how you recover your hard drive in case the decryption key is damage or corrupted.  Since I don't have a CD-burner, I chose to save the recovery disc as an ISO file which I will write to a USB stick for safekeeping.

Once you've finished the wizard, TrueCrypt goes to work in the background encrypting your drive.  From this point on you can ignore TrueCrypt - it will run silently.

No comments:

Post a Comment