Securing Your Computer with Full Disk Encryption
Several years ago, my wife and I had our world rocked a bit when someone broke into our house. They took some inconsequential things here and there, but the truly dangerous item they snagged was our MacBook Pro (our primary computer at the time).
We reacted by changing all of our passwords and marking it as an ‘unsafe computer’ on the services with that kind of feature. We also turned on the “Find My Mac” feature and set it to wipe the hard drive immediately upon detection, but it never showed up on the internet.
At that point, there was nothing more we could do to protect our data and we had no assurance of its safety. We could only hope the thief reformatted our hard drive before hawking it.
Have you ever worried about what might happen to the data on your computer if it got stolen?
A Solution: Full Disk Encryption
While it would be ideal for your computer to never get stolen in the first place, this kind of thing will sometimes just happen.
Setting up full disk encryption ensures that all of the data on your drive is encrypted - your documents, videos, pictures and even those files your programs store automatically (such as your browser’s cache and cookies).
This isn’t the only solution out there, but it’s a darn good one and certainly goes a long way to put my own mind at ease.
Key Safety and RAM
Full disk encryption keys (passwords used to encrypt/decrypt data) do stay in RAM when your computer is locked or in sleep-mode. This leaves your key(s) vulnerable to things like a Cold Boot Attack.
If you need to step away from your computer for an extended period of time and you use encryption, it’s generally recommended to go into Hibernation-Mode or power down. Hibernation will dump your RAM to a file on your hard drive (requiring you to enter your key again on wake) while powering down flushes your RAM.
VeraCrypt (Windows, macOS, Linux)
VeraCrypt is standalone program forked from the no-longer-maintained TrueCrypt. So far, it’s done a great job of addressing the vulnerabilities of its ancestor (ref: 1, 2) and is actively maintained/developed by the fine people at IDRIX.
- Windows XP and later (though you really shouldn’t be using Windows XP anymore)
- MacOSX 10.6 and later; OSXFuse must be installed.
- Linux x86 (32-bit and 64-bit) versions with kernel 2.6 and later
During setup, you’ll be required to create a rescue disk to protect against the boot-loader or other components of your operating system becoming damaged. This doesn’t decrypt your drive or volume, however.
- Remote: There is no remote recovery option available. For more information, see the VeraCrypt FAQ on this question. Your only option is privacy, so approach this with the understanding that all responsibility rests on your own shoulders.
- Local: You’re expected to save a copy of your password to some form of media or even paper/plastic and store it in a safety deposit box or some other secure location
BitLocker is a full disk encryption solution built into Windows that’s commonly recommended for its convenience.
Recent Security Vulnerability
Within this past month, BitLocker has come under scrutiny due to a serious vulnerability. Microsoft is usually good about addressing security issues and, as the article states, a fix is currently being worked on by Microsoft.
- Windows Vista & 7: Ultimate and Enterprise editions
- Windows 8 & 8.1: Pro and Enterprise editions
- Windows 10: Pro, Enterprise, and Education editions
- Windows Server 2008 and later
- Online: During setup, you have the choice to upload the recovery key to your Microsoft Account. This option is convenient, but keep in mind that choosing it requires you to trust Microsoft with your recovery key.
- Local: Save to a USB flash drive, to a file, or print the key. It’s generally recommended to keep this key somewhere away from your computer, such as a safety deposit box at a local bank.
FileVault is a full disk encryption that’s built into macOS and generally recommended for the same reasons BitLocker is for Windows users.
- OS X: Lion (v10.7.0) or later
- macOS: any version
- Online: During setup, you have the choice to upload your recovery key to Apple’s systems for retrieval should the need arise. Like the similar option in BitLocker, this can be convenient - but keep in mind that using this option requires you to trust Apple with your recovery key. With this option enabled, you’ll have access to Apple’s Reset Password Assistant. Their documentation explains that accessing this feature will require you to either authenticate with your Apple ID, or verify yourself via a set of security questions (the available option may depend on your version of macOS).
- Local: You’ll also have the opportunity to print/save your recovery key. This should be stored somewhere safe, such as a safety deposit box in your local bank. This recovery key can be used to regain access to your drive/user login if necessary. See the Recovery Key guide for more details.
You may want to take this a step further and set up a Firmware password, which would prevent a thief from reaching your recovery options in the first place. This also has the added benefit of requiring the firmware password before your drive can be reformatted (i.e. to wipe and prep for sale).
Hope you find these tips helpful, you can never be too safe when protecting your data!