If you have a laptop, install TrueCrypt today

One of the greatest strengths of the laptop, its portability, is also its greatest weakness, as you’ll realize if it’s ever stolen. Even if you maintain good physical security practices, like never letting your laptop out of your sight, there’s always the possibility it can be stolen. If nothing else, there’s the old armed robbery stick-up. And if that happens, all of your valuable personal data is in the hands of the bad guy — stored passwords, saved login sessions, proprietary company secrets, your naughty personal photos, etc. Having a laptop stolen can be worse in terms of your safety from identity theft than having your wallet stolen or your postal mail intercepted.

Luckily, there’s a simple solution to prevent all of this. It’s called TrueCrypt, and it’s Free Software. TrueCrypt supports file, volume, and system level encryption. I’m using system level encryption on my work laptop right now. What that means is that when you first turn on the laptop, you’re presented with a password entry prompt that must be successfully answered before any of the data on the disk can be decrypted. And after you’ve typed in your password, your system appears to be running the same as it always was, except that now all transactions to and from the hard drive are encrypted and decrypted on the fly. As soon as you turn off the computer, nothing on it can be accessed without entering the password again. Just set it up once and forget about it (except when turning on your computer, of course); you don’t have to worry about specifically making sure your data is safe because all of it always is.

Installing TrueCrypt was a breeze. I chose pretty secure settings and it still only took four hours to encrypt my whole drive. The hardest part is choosing and remembering a >=20 character passphrase. It being a passphrase is the key part — trying to remember twenty random characters is hard, but if they have some secret mnemonic meaning that only you know, it’s not bad. And that’s all there is to it. I haven’t noticed any degraded performance caused by TrueCrypt, and I can go on work travel secure in the knowledge that if anyone manages to steal my laptop, all they’ll end up with is the hardware, because there’s no way they’re getting any of the data off it. Unless they steal it while it’s on, of course. That’s what you would use file or volume level encryption for: protecting specific files so that they are only decrypted explicitly when you want them to be and they are safe at all other times, even when your laptop is turned on.

Of course, you can use TrueCrypt on your home desktop as well, but laptops are much more likely to be stolen, so it’s more important that they have TrueCrypt installed on them. If you are reading this and you have a laptop, install TrueCrypt right now. It’s simple to do and safeguarding your private data is worth the effort.

12 Responses to “If you have a laptop, install TrueCrypt today”

  1. T2A` Says:

    Long passwords can be easy to remember if you make them a phrase as you said. ‘MyNameIsSteve’ is better than just ‘Steve’, for instance, and it’s no harder to remember.

    Another plus to encrypting your harddrive is that the US is taking extreme measures and can potentially seize and scan your harddrive if you travel abroad and then back to the US with your laptop. I don’t feel like looking for a link, but I remember hearing a story about some guy traveling to and from Canada having to hand over his laptop for scannage. Really gay, but hey, 1 in 300 people in the US is a terrorist. :D

    There’s nothing in the laws about you being required to tell them your password if your disk is encrypted, though. :]

  2. Cyde Weys Says:

    There’s also nothing in the laws about them being prohibited from asking your password, either. People have been detained for days and had their laptops permanently confiscated for refusing to let Customs agents inside their computer. If you’re traveling overseas, whole disk encryption might not be the best idea. Use a hidden volume, or only encrypt your critical files and hide them somewhere (renaming the encrypted product to a common large file extension like .iso might help too). Or don’t physically take your private data with you across the border at all — download it over a secure connection from a server once you arrive.

    ‘MyNameIsSteve’ still isn’t a good password though, because it’s completely proper English. You still need the mix of non-dictionary words, random capitalization, numbers, and punctuation. But it’s possible to do all that in a way that’s still meaningful. For instance, my 20 character passphrase is easier to remember than a mere 6 random characters, but just looking at you’d never know why.

  3. drinian Says:

    Fifth-amendment rights against self-incrimination.

    Also, TrueCrypt’s multiple-password “plausible deniability” feature, although that could lead to charges of perjury should something go to trial.

  4. Cyde Weys Says:

    I’m not sure where you’ve been during these past seven years of the Bush administration, but the Constitution is hardly relevant anymore. It matters not what should happen; it matters what does happen. And what’s happening right now is that people at the borders are being forced to give up their encryption passwords or face draconian penalties. Some foreigners have even been denied access to the United States over it.

  5. drinian Says:

    Actually, current case law supports me.

    Customs agents have historical rights to search personal effects without probable cause. Don’t blame that on the Bush administration.

  6. Greg Maxwell Says:

    I’ve used disk encryption for the past five years or so, not just on laptops but on most of my other computers as well. Since all my systems are GNU/Linux, this isn’t too hard and doesn’t require truecrypt. The Linux kernel has built in block-device encryption. Although truecrypt does support Linux, I generally consider that to be a feature for compatibility. You can use a truecrypt partition in Linux or windows, while a linux dmcrypt partition is pretty much Linux only.

    The reason I use disk encryption is very simple. A few years ago I had a disk go bad… it was working one day, clicking and refusing the work the next. The drive was under warranty so I sent the drive in for an RMA repair. The manufacturer sent a drive back right away. I powered it up and quickly discovered that it had someone elses data on it! The first few sectors were toast, so I don’t know if a typical user would have noticed, but I sure did.

    With this in mind you’d probably want to be sure to securely erase any data you have before sending a drive in for service. But how can you erase a drive that has failed and isn’t responding?? You can’t, and thats where encryption comes in.

    T2A’s password advice above is good. It’s generally much more secure to use a long but generally simple “pass phrase” than to use a short but complicated password. If you use 16 letters of just a-z and space (27^16) there are 100,000,000 times more combinations than you get from using 8 letters of most typeable characters (72^8).

    One long standing problem with things like disk encryption: People generally choose bad passwords. They are so bad at picking passwords that some have argued that if the attacker has enough access to test passwords quickly and you can only use a user provided password … you might as well have no password at all.

    Fortunately, any *good* disk encryption software will use a technique called ‘password strengthening’: Your password will be run though a computationally expensive irreversible transformation (Such as iterated SHA1) which might take your computer a half second or so. This means an attacker could not take much advantage of your password having known properties such as “it’s probably all English words” because for each guess he’d be forced to undertake that same half second operation. The Linux built in stuff (LUKS/dm-crypt) and truecrypt both perform password strengthening. Because of password strengthening your “not totally terrible” password is probably strong enough.

    One final note.. One neat thing that I’ve done with the encryption on my GNU/Linux laptops is that I encrypt only “/home” (and /var/log which is symlinked into /home). On a typical GNU/Linux system all of the interesting data is in /home, everything else is just boilerplate operating system stuff.

    In /home on my root file system there is a basic, nearly empty, home directory for my account. Normally that directory is hidden at bootup when the real /home partition is mounted. However, If you fail to enter the correct password three times then /home fails to mount and the boot up continues. The end result is that if you hit enter three times at the password prompt the system comes up and operates normally, but it looks like a brand new system with very little information on it.

    What this means is that if someone is trying to pressure me to allow access to my computer I can just say “press enter three times at the password prompt” and the attacker can waste his time inspecting a machine which has apparently nothing on it!

    Obviously that wouldn’t survive a careful analysis by someone clueful (truecrypt has a hidden volume mode that *might*), but it’s probably enough to get an idiot off my back without giving up my password, which is all I might care about. …. and I didn’t have to configure anything to get that behavior, it’s just the natural consequence of encrypting only /home.

  7. Kelly Martin Says:

    Cyde,

    The Fifth Amendment absolutely prohibits the gov’t from asking you for your passphrase. This is long-settled law (it goes back to the development of combination safes) and was recently reaffirmed specifically with respect to passphrases. Even with the current administration. Of course, that won’t help you if you end up in a secret CIA prison as a result….

  8. Greg Maxwell Says:

    Kelly, you might want to tell the fine folks in Minnesota about that, because it seems that they think otherwise (the actual decision is a little less expansive perhaps than the news suggests).

    Although there certainly is a lot more case-law going the other way… YMMV.

    … though if you get pulled into a civil suit, you’re pretty much screwed.

  9. admsupport Says:

    talking, talking, oh so nice opinions, Bush, 5th amendment, bla-bla-bla. Are you spies? Important people? I doubt it. I bet you are just average people.

    TrueCrypt is an excellent OPEN SOURCE software. However it has a serious downside on everyday use. What’s the most likely expectation on a day to day need? Protecting Data from prying eyes from knowledgeable users (at a certain level) as non-knowledgeable users. For the second matter TrueCrypt is dangerous for the simple fact it’s purpose is secrecy BUT we are usually not against the law right and we might not need it?

    Take a very simple example: A workgroup of a few computers and a external HDD (like those Buffalo or Logitec, in RAID1 or 5) encrypted with TrueCrypt.
    Q. is it cheap
    R. yes
    Q. is it secure
    R. yes (for what it worth)
    Q. is it safe
    R. NO IT IS NOT

    Why it is not safe, because anyone with administrative rights can REFORMAT THE ENCRYPTED VOLUME without any warning. I.e. for secrecy purpose the volume is visible as an empty volume when it is not mounted. From the perspective of a non-knowledgeable user, 2 clicks and all the data is gone.

    Yes, yes, this message is not for the corporate world, but for the average (and the majority) of small shop/business owner, family, group of various interests, computer users but not computer savy (99% of the people on earth). They think Hey! that’s cool, a free solution to protect my data. Let’s give it a try because it look better than the proprietary encryption software bundled with the external HDD or NAS (and yes, indeed it is better), but they don’t realize the danger, because they don’t know.

    So before to talk about Privacy, Bush adm., and all this theoretical topics (in our dreams people). It is maybe good to teach the mass about the reality and a technical fact. I.e. you have much more chances to lose your data doing a mistake (you or someone else) than to be safe, because by design TrueCrypt Volume/partion are not protected against deletion, while proprietary Encyption software are (like Secure Lock Encryption).

    No you can make a choice according to your real situation and needs.

  10. Cyde Weys Says:

    As a counter-point to your arguments — how often do we hear that a laptop was lost containing the personal details of some obscene number of people? How often is that data not encrypted? Way too often! Using full disk encryption with TrueCrypt is one simple way to prevent that kind of loss.

    Also, laptop theft isn’t some obscure problem that happens once in a blue moon. No, hundreds of thousands of laptops are stolen each year. You don’t need to be a “spy” or an “important person” or someone worried about the “5th amendment” or “Bush” to protect your data from any common thief. Just look at all of the login sessions stored in a browser and ask yourself if a thief could get an advantage from that. For instance, with your webmail account, he has access to any site that might have a forgotten password through email feature, like, say, your bank, your stock broker, etc.

    And by the way, the purpose of TrueCrypt isn’t necessarily secrecy. I don’t use it to keep my data hidden; I use it to keep my data safe. The TrueCrypt prompt is the first thing you see when you start my laptop, so it’s hardly hidden.

    And I really don’t see how proprietary encryption software is going to prevent data loss. You can always reformat a partition or delete an encrypted file. And I really have a hard time believing I’m going to lose my data “by mistake”. I’m not going to accidentally reformat my system, I can guarantee you that.

  11. admsupport Says:

    sorry, you are right and I was wrong. Your purpose is correct but my post is misplaced.

    TrueCrypt is indeed transparent in the manner that the encrypted partitions (I am talking about simple partitions, not a system partition) show in the ‘my computer’ windows with a drive letter as an unformatted partition. That was the point of my post which is related to TrueCrypt but not directly related to your article.

    Some times ago, we (I) have implemented an encryption policy among our workgroups (a language school in 3 locations). Because of the nature of the activity, a multitude of teachers/staff access the workgroup computer set a server from their laptop (Try to implement any security rule related to privileges and rights in this type of architecture and you’ll end up crazy).

    TC was much easier to implement on a workgroup than EFS (interesting on server where you can manage centrally the certificates and the recovery agents) both were free options. The point was to cut short some wannabe hacker part-time teachers with effective cracking tool like SAMInside or LP5, and the usual NO password policy. At that time, it was TC version 5, so no full system partition encryption as it is now.

    The downside: designated staff and teachers could see the partitions in their my computer windows. Because they don’t know or they don’t really understand, what do they do in 90% of the case, they try to format it (they click YES, because that’s usually all what they do). The data is gone…

    Once again, this would not occur in a well implemented workgroup. But there is little to say when your boss (of course with admin rights) wipes an ‘unknown and empty’?!? partition which is in fact the main ‘server’ TC partition. Out of idea, I have simply installed the Secure Lock Ware on the NAS (buffalo products). The result is almost the same, you can still erase the drives from a computer without the Secure Lock Ware software installed, but the drives do not show up on the machine with the software installed (unless to enter the correct password). It is very dumb, but since we made this software mandatory on all the machines, I am out of trouble (well this one).

    PS: I do use TC on a regular basis on my laptop as a single user.

  12. gu Says:

    admsupport said: “The result is almost the same, you can still erase the drives from a computer without the Secure Lock Ware software installed, but the drives do not show up on the machine with the software installed”

    You can simply hide drive letters (or actually dismount) when you go in Administrative Tools->Computer Management->Disk Management, then select encrypted partition, right click on it, select Change drive letter.. and remove. This way windows won’t mount drive letter for this partition even if you restart pc.