If you have a laptop, install TrueCrypt today
One of the greatest strengths of the laptop, its portability, is also its greatest weakness, as you’ll realize if it’s ever stolen. Even if you maintain good physical security practices, like never letting your laptop out of your sight, there’s always the possibility it can be stolen. If nothing else, there’s the old armed robbery stick-up. And if that happens, all of your valuable personal data is in the hands of the bad guy — stored passwords, saved login sessions, proprietary company secrets, your naughty personal photos, etc. Having a laptop stolen can be worse in terms of your safety from identity theft than having your wallet stolen or your postal mail intercepted.
Luckily, there’s a simple solution to prevent all of this. It’s called TrueCrypt, and it’s Free Software. TrueCrypt supports file, volume, and system level encryption. I’m using system level encryption on my work laptop right now. What that means is that when you first turn on the laptop, you’re presented with a password entry prompt that must be successfully answered before any of the data on the disk can be decrypted. And after you’ve typed in your password, your system appears to be running the same as it always was, except that now all transactions to and from the hard drive are encrypted and decrypted on the fly. As soon as you turn off the computer, nothing on it can be accessed without entering the password again. Just set it up once and forget about it (except when turning on your computer, of course); you don’t have to worry about specifically making sure your data is safe because all of it always is.
Installing TrueCrypt was a breeze. I chose pretty secure settings and it still only took four hours to encrypt my whole drive. The hardest part is choosing and remembering a >=20 character passphrase. It being a passphrase is the key part — trying to remember twenty random characters is hard, but if they have some secret mnemonic meaning that only you know, it’s not bad. And that’s all there is to it. I haven’t noticed any degraded performance caused by TrueCrypt, and I can go on work travel secure in the knowledge that if anyone manages to steal my laptop, all they’ll end up with is the hardware, because there’s no way they’re getting any of the data off it. Unless they steal it while it’s on, of course. That’s what you would use file or volume level encryption for: protecting specific files so that they are only decrypted explicitly when you want them to be and they are safe at all other times, even when your laptop is turned on.
Of course, you can use TrueCrypt on your home desktop as well, but laptops are much more likely to be stolen, so it’s more important that they have TrueCrypt installed on them. If you are reading this and you have a laptop, install TrueCrypt right now. It’s simple to do and safeguarding your private data is worth the effort.
March 13th, 2008 at 19:58
Long passwords can be easy to remember if you make them a phrase as you said. ‘MyNameIsSteve’ is better than just ‘Steve’, for instance, and it’s no harder to remember.
Another plus to encrypting your hard drive is that the US is taking extreme measures and can potentially seize and scan your hard drive if you travel abroad and then back to the US with your laptop. I don’t feel like looking for a link, but I remember hearing a story about some guy traveling to and from Canada having to hand over his laptop for scannage. Really gay, but hey, 1 in 300 people in the US is a terrorist. :D
There’s nothing in the laws about you being required to tell them your password if your disk is encrypted, though. :]
March 13th, 2008 at 20:07
There’s also nothing in the laws about them being prohibited from asking your password, either. People have been detained for days and had their laptops permanently confiscated for refusing to let Customs agents inside their computer. If you’re traveling overseas, whole disk encryption might not be the best idea. Use a hidden volume, or only encrypt your critical files and hide them somewhere (renaming the encrypted product to a common large file extension like .iso might help too). Or don’t physically take your private data with you across the border at all — download it over a secure connection from a server once you arrive.
‘MyNameIsSteve’ still isn’t a good password though, because it’s completely proper English. You still need the mix of non-dictionary words, random capitalization, numbers, and punctuation. But it’s possible to do all that in a way that’s still meaningful. For instance, my 20 character passphrase is easier to remember than a mere 6 random characters, but just looking at it you’d never know why.
March 13th, 2008 at 21:00
Fifth-amendment rights against self-incrimination.
Also, TrueCrypt’s multiple-password “plausible deniability” feature, although that could lead to charges of perjury should something go to trial.
March 13th, 2008 at 21:12
I’m not sure where you’ve been during these past seven years of the Bush administration, but the Constitution is hardly relevant anymore. It matters not what should happen; it matters what does happen. And what’s happening right now is that people at the borders are being forced to give up their encryption passwords or face draconian penalties. Some foreigners have even been denied access to the United States over it.
March 13th, 2008 at 21:49
Actually, current case law supports me.
Customs agents have historical rights to search personal effects without probable cause. Don’t blame that on the Bush administration.
March 13th, 2008 at 21:52
I’ve used disk encryption for the past five years or so, not just on laptops but on most of my other computers as well. Since all my systems are GNU/Linux, this isn’t too hard and doesn’t require truecrypt. The Linux kernel has built-in block-device encryption. Although truecrypt does support Linux, I generally consider that to be a feature for compatibility. You can use a truecrypt partition in Linux or Windows, while a Linux dmcrypt partition is pretty much Linux only.
The reason I use disk encryption is very simple. A few years ago I had a disk go bad… it was working one day, clicking and refusing to work the next. The drive was under warranty so I sent the drive in for an RMA repair. The manufacturer sent a drive back right away. I powered it up and quickly discovered that it had someone else’s data on it! The first few sectors were toast, so I don’t know if a typical user would have noticed, but I sure did.
With this in mind you’d probably want to be sure to securely erase any data you have before sending a drive in for service. But how can you erase a drive that has failed and isn’t responding?? You can’t, and that’s where encryption comes in.
T2A’s password advice above is good. It’s generally much more secure to use a long but generally simple “pass phrase” than to use a short but complicated password. If you use 16 letters of just a-z and space (27^16) there are 100,000,000 times more combinations than you get from using 8 letters of most typeable characters (72^8).
One long standing problem with things like disk encryption: People generally choose bad passwords. They are so bad at picking passwords that some have argued that if the attacker has enough access to test passwords quickly and you can only use a user provided password … you might as well have no password at all.
Fortunately, any *good* disk encryption software will use a technique called ‘password strengthening’: Your password will be run through a computationally expensive irreversible transformation (such as iterated SHA1) which might take your computer a half second or so. This means an attacker could not take much advantage of your password having known properties such as “it’s probably all English words” because for each guess he’d be forced to undertake that same half second operation. The Linux built in stuff (LUKS/dm-crypt) and truecrypt both perform password strengthening. Because of password strengthening your “not totally terrible” password is probably strong enough.
One final note.. One neat thing that I’ve done with the encryption on my GNU/Linux laptops is that I encrypt only “/home” (and /var/log which is symlinked into /home). On a typical GNU/Linux system all of the interesting data is in /home, everything else is just boilerplate operating system stuff.
In /home on my root file system there is a basic, nearly empty, home directory for my account. Normally that directory is hidden at bootup when the real /home partition is mounted. However, if you fail to enter the correct password three times then /home fails to mount and the boot up continues. The end result is that if you hit enter three times at the password prompt the system comes up and operates normally, but it looks like a brand new system with very little information on it.
What this means is that if someone is trying to pressure me to allow access to my computer I can just say “press enter three times at the password prompt” and the attacker can waste his time inspecting a machine which has apparently nothing on it!
Obviously that wouldn’t survive a careful analysis by someone clueful (truecrypt has a hidden volume mode that *might*), but it’s probably enough to get an idiot off my back without giving up my password, which is all I might care about. …. and I didn’t have to configure anything to get that behavior, it’s just the natural consequence of encrypting only /home.
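The “password strengthening” and keyspace comparison described in the comment above, as an added example that is not part of the original post or its comments. It uses Python’s standard-library PBKDF2-HMAC-SHA1 as a stand-in for iterated SHA1 (it is not the LUKS or truecrypt key-derivation code); the function names, sample passphrase and candidate count are illustrative assumptions.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(passphrase: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch a passphrase with PBKDF2-HMAC-SHA1 (iterated, salted hashing)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, iterations, dklen=length)


def calibrate_iterations(target_seconds: float, probe: int = 20_000) -> int:
    """Estimate the iteration count costing about target_seconds here (never below probe)."""
    start = time.perf_counter()
    derive_key("calibration", os.urandom(16), probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string over the alphabet."""
    return length * math.log2(alphabet_size)


def stretching_bits(iterations: int) -> float:
    """Extra work per guess, expressed as bits added to the search cost."""
    return math.log2(iterations)


def years_to_try(candidates: int, seconds_per_guess: float, guessers: int = 1) -> float:
    """Time to run the key derivation once for every candidate passphrase."""
    return candidates * seconds_per_guess / guessers / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = os.urandom(16)                    # random salt, stored alongside the ciphertext
    iterations = calibrate_iterations(0.5)   # the "half second or so" from the comment
    key = derive_key("constructed sample passphrase", salt, iterations)
    print(f"{iterations} iterations -> {len(key)}-byte key, "
          f"+{stretching_bits(iterations):.1f} bits of work per guess")
    print(f"16 chars of a-z and space: {keyspace_bits(27, 16):.1f} bits")
    print(f"8 chars of 72 symbols:     {keyspace_bits(72, 8):.1f} bits")
    print(f"27^16 / 72^8 = {27**16 / 72**8:.3g}")
    # Constructed figure: one million likely passphrases at 0.5 s per guess.
    print(f"1e6 guesses at 0.5 s each: {years_to_try(10**6, 0.5) * 365.25:.1f} days")
```

Stretching adds a fixed log2(iterations) bits of cost to every guess, while each extra passphrase character adds log2(alphabet size) bits, so length still dominates.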
March 13th, 2008 at 22:51
Cyde,
The Fifth Amendment absolutely prohibits the gov’t from asking you for your passphrase. This is long-settled law (it goes back to the development of combination safes) and was recently reaffirmed specifically with respect to passphrases. Even with the current administration. Of course, that won’t help you if you end up in a secret CIA prison as a result….
March 14th, 2008 at 00:50
Kelly, you might want to tell the fine folks in Minnesota about that, because it seems that they think otherwise (the actual decision is a little less expansive perhaps than the news suggests).
Although there certainly is a lot more case-law going the other way… YMMV.
… though if you get pulled into a civil suit, you’re pretty much screwed.