My wife is a psychotherapist. Her laptop is a repository of confidential information, both ethically and legally speaking. That has made me nervous ever since she began her private practice. Shel isn’t technologically challenged, but neither is she geekly. She needed to secure the laptop to HIPAA standards, and she needed something that was fairly automatic because she lives a fast-paced life and doesn’t have time to fool around with moving files to encrypted volumes, deciding what needs encryption and what doesn’t, and so forth.
After looking at a number of possibilities, including Windows 7’s own encryption system, I was dissatisfied. They weren’t automatic enough, and in Windows’ case not secure enough, either. I wanted something that was totally secure and completely transparent as to operation. In short, foolproof and invisible.
There is a great little open-source program called TrueCrypt that I’ve used for years (available for Windows 7/Vista/XP, Mac OS X, and Linux). Its big advantages are the open source aspect, which ensures that a bunch of crypto-geeks are always looking over the program for possible flaws, and that it employs “on the fly” encryption. (It’s also free.) In brief, you create a “container” for your sensitive files. Things that you drag and drop on the container (or save to it) are automatically encrypted with the strongest encryption available, and things that you open within it or drag out of it are decrypted automatically and seamlessly. (By “strongest encryption available” I mean that a supercomputer, working for literally thousands of years, couldn’t crack it if you choose a strong enough password.)
While trying to figure out a way to use it to Shel’s best advantage, I read through the comprehensive help file and discovered a function that I’d never noticed before: TrueCrypt gives you the option of encrypting an entire system drive (Windows only, at present). This looked like the answer: a single password to boot the PC, totally secure data, and a hard drive that makes an interesting paperweight unless you know that password. Someone steals your computer, cracks open the drive and tries to read the disks directly — ain’t happenin’. He’s got nuthin’. Now that’s security! You also have the option of overwriting the “empty” space on the drive (which often isn’t), effectively erasing remnants of old files that are theoretically recoverable.
Reading further, I found that before TrueCrypt will let you encrypt a disk it requires you to make a recovery disk that will permit you to boot the computer if there is a boot-up glitch. It uses the same password, so it’s secure too. Without the password, there is no way — period — to access the data on the drive. I can’t overemphasize that!
Naturally you make a complete backup of the data before you fool with this project. I was leery of commending Shel’s ThinkPad to the care of the encryption gods without some personal assurance that it would work, so I created an image of (cloned) the drive of my Acer AspireOne, using Windows 7’s backup tool. That way if things went south I could, even in the worst case of being unable to boot the little PC at all, throw in a new hard drive and populate it with the cloned image, recreating my entire operating system, setup and files.
When all was ready, with fingers and toes twitching to be crossed, I fired up TrueCrypt, started the wizard, created the restoration disc, and hit the Go button. Then I opened Firefox 4 and started surfing the Web while the encryption went on in the background. Yes, the program is that good. It works entirely on its own. You can even shut the system down (or have a power failure) and when you fire TrueCrypt back up and tell it to continue, it will do so with never a hiccup. It did eat up quite a few cycles from the netbook’s 1 GHz dual-core AMD 50 processor, along with consuming quite a bit of RAM, but apart from a slight slowdown and really slow image editing, I was able to compute normally during the four hours it took to encrypt the entire 320 GB system partition.
After the program announced it was finished, I shut down the netbook. Then, because I believe in cold boots after major changes, I removed the battery and pressed the power button for a second, which discharged any remaining potential in the system and left the little computer totally dead electrically. Then I replaced the battery and powered up.
One second, two seconds, three…four, and the familiar Acer splash screen appeared. Then a pretty gray screen with some system text asking for the password. I’ll admit feeling a bit squeamish about hitting Enter after typing my long passphrase* but my concerns were for naught. Instantly the screen announced “booting,” and the mini-PC booted up in its normal fashion, with nary a glitch.
There is truly no way to tell the system is encrypted while working in it. Apart from the initial entry of the new passphrase* there is no discernible difference at all. Everything works normally, at normal speed, and there are no issues whatever. Since the netbook, I have completed the same process (DON’T forget the complete backup) on Shel’s laptop and our home desktop (8 hours for the 1 TB drive). Absolutely no issues at all.
Based on my experience, I can’t see why anyone who knows the basics — backups, restoration discs, etc. — should have any hesitation about completing this process, or letting their geeky brother-in-law do it for them. In fact, given the sensitive material on any computer (think temp files, correspondence, etc.) I can’t come up with a good reason for not doing it to every computer you own. If you want to try TrueCrypt out, for its conventional uses or drive encryption, be certain you download it from links on the official site to ensure that you don’t get a corrupted version with a backdoor or hack. Type http://www.truecrypt.org/ into your browser window to get there; don’t google it. They had 13,853 downloads yesterday, but there’s still some left.
*If you’re not going to use a good passphrase, forget the whole thing. The strength of encryption depends entirely on the strength of your password. If you use the cat’s name again, your system won’t be any more secure than it was to begin with. Go to http://www.microsoft.com/security/online-privacy/passwords-create.aspx for all you need to know about passwords and passphrases, and why they are important.
PPS: Since the system behaves like any other after you enter the initial passphrase, you still need the passwords for the various user accounts. That’s a totally different issue. Try using the same STRONG passphrase, since you have to remember it anyway.