Sunday, July 28, 2013

Personal Whole Disk Encryption

So about two or three weeks ago I decided to bite the bullet and install a whole-disk-encryption solution to my personal laptop.

We use whole disk encryption (WDE) at work on all our systems for security and data-loss prevention so the whole concept is well covered here and I’ve done a number of posts on PGP WDE in particular, when combined with WinPE solutions.

But PGP is a commercial solution, and like some other commercial WDE products, is pretty costly and not a practical solution for most home users.

The whole concept of whole disk encryption is that even if someone physically steals your computer/laptop/portable-drive, they cannot access the data in a readable format without the use of an encryption key. In many ways, I think this is one of the very last bastions of standard computing security practice that hasn’t made it down to the average consumer level…and sadly…many companies and small businesses.  I always shudder when I see computers in small mom-and-pop businesses sitting out in the open near windows and wonder if their customer data is really safe at rest on them.

Anyway, it was time to lock-down the Valca laptops.

There were a small number of free/$$ consumer products out there for whole disk encryption I could have gone with. The two major factors I was particularly concerned with were 1) would system/disk performance be negatively impacted and 2) would recovery options to off-line mount the encrypted disk be available for me to use under a WinPE platform?

Advances in standard desktop hardware performance pretty much rendered the first one not a concern, and I have been using the portable version of TrueCrypt off USB drives and in WinPE for quite a while.

In the end I went with TrueCrypt and haven’t been disappointed.

The whole process is very easy to go through and I’ve seen absolutely no performance issues. In fact, I did all my recent HD video editing exercise with nary a performance blip shortly after my system was running the TrueCrypt whole disk encryption.

You might want to consider some of the points that Michael Pietroforte raised last week over at 4SysOps

  • Is TrueCrypt trustworthy? - 4sysops. I think he does make some valid points, but regardless, my primary concern is data loss prevention from robbery/burglary/my-own-stupidity and not from possible back-door exploits from shadowy gobernment data-collection operations run against the citizenry. Anyway, I thought Michael provided a great and often unconsidered perspective.

Alternative whole disk encryption solutions worth considering for home users

CE-Infosys - Free CompuSec PC Security Suite - I first stumbled across this German based software solution back when I was seeing how WDE might protect against KON-BOOT. It is completely free for both personal and professional use.

DiskCryptor - Open Source disk partition encryption program. I am not as familiar with this program but it has been kicking around now for a very long time. In addition it also supports Windows LiveCD integration.

Microsoft BitLocker/TPM - Note you need to be running Windows 7 Enterprise or Ultimate (or other Vista/Win 8 supported editions). Windows 7/8 Home editions don’t support it. A system board with TPM chip is not required, but recommended.

For commercial products, this article may be helpful:

Buyer's Guide to Full Disk Encryption - eSecurity Planet

Cheers and stay secure,

Claus Valca

No comments: