Saturday, July 4, 2009

Protecting your sensitive data with TrueCrypt

About two weeks ago, I finally took the big plunge and encrypted my laptop's entire hard drive. I knew in theory that it was a good security precaution, and in fact, our mission's IT policy requires hard drive encryption on all laptops. It's a policy that is still more honored in the breach than in practice. Why didn't I do it earlier?

Not that I've been totally slack about protecting my data. I've always kept my passwords and financial accounts encrypted. (Always? What about those home accounting programs--I know my Microsoft Money program opens without a password....) I don't think there is any sensitive information in my email folders, except that anyone successfully logging on to the computer could get enough information about me and my contacts to start lots of scams even without actually breaking into my email server. ("This is Pastor Jonah, friend of Mike, who you support. He's been in a bad accident and needs money for treatment. Please urgently send $1000 to this account number ...") The bottom line is that any unencrypted information on my computer is potentially exposed to anyone who steals or borrows my laptop.

But since I have a good password for even logging on to my laptop, no one should even get that far, right? Wrong. It's very easy to break into a Windows computer if you have physical access to it. Anyway, if the data is not encrypted, someone can take out the hard drive and read it on another operating system.

Last year, I finally installed TrueCrypt, an excellent, free encryption tool. TrueCrypt can work in three main ways:

  • Create an encrypted virtual hard drive. Tell TrueCrypt where to put the file to contain the data, assign a pass phrase, and TrueCrypt creates a new, encrypted volume ("hard drive") for you with the drive letter you choose, such as "T:". From then on, you can use it exactly like any other drive. As long as the volume is unlocked with your pass phrase, you can't even tell that the data is encrypted. Lock it again and the drive letter disappears, leaving only what looks like a file of random garbage.
  • Encrypt a partition. Most hard drives these days are divided into different logical areas or partitions, each with its own drive letter ("C drive," "D drive," etc.). TrueCrypt encrypts all the data in the entire partition, making it inaccessible until you supply the pass phrase. This option allows you to keep some data unprotected and more sensitive data encrypted on a separate partition. Unless you encrypt the operating system partition (usually C: in Windows), you can still boot the computer without the password.
  • Encrypt an entire drive. In this case, everything on the drive is encrypted and nothing can be accessed without the pass phrase. Nothing, that is, except the tiny boot program that loads enough TrueCrypt to get your password and unlock the drive for you. If you lose your pass phrase, there is no way you're going to boot your system or recover your data, period.

Rather than encrypting my whole drive, I started with the first option--a virtual hard drive where I could keep my sensitive data. Next time I'll show just how easy it was.
