Simple Disk Encryption for Laptops 2

Posted by JD 08/21/2010 at 11:28

When you have a laptop, you expect to take it with you, and a computer that travels is at far higher risk of theft than one bolted to a desk. That means you need to take steps to protect the data on it. In 2010 the Commonwealth of Massachusetts' data protection regulation (201 CMR 17.00) took effect; it requires personal information about state residents to be encrypted on laptops and other portable devices and when it is sent over public networks. Disk encryption is here to stay, but it has drawbacks. Below I'll describe why you want to encrypt most of your laptop storage, why you probably don't want whole disk encryption on a personal machine, and the setup I'm using.

Why You Want to Encrypt Your Laptop

There are many reasons.

  1. Laptops get stolen.
  2. Company data; proprietary data ends up everywhere on the disk, including application caches.
  3. Private data; financial data such as Quicken files.
  4. Eventually every laptop needs service, and the technician has the disk in hand with nothing stopping them from browsing your images, videos, music and financial records.
  5. Password security; you really should use a password manager like KeePass, KeePassX or LastPass anyway, which encrypts the password database itself, but the rest of the disk is still exposed.

A few examples
I heard about a guy who was performing some security consulting work a few months ago for a very popular Flash gaming company. He uses a Mac laptop, but the gaming company gave him a Windows laptop to access their network. I guess it had VPN keys, Active Directory credentials, and other corporate stuff, etc., on it. His rental car was broken into while parked on a street in San Francisco and both laptops were stolen. The Mac, his personal laptop containing client data, personal data, and invoices, was encrypted with TrueCrypt. No problem, the data is safe. The company laptop was not encrypted in any way. Remote VPN access, security scans from inside and outside the company and many other sensitive items were on it. Not the type of data you want just anyone having.

A former coworker (at a previous telecom job) took his laptop home and stopped at the grocery store for a few minutes on the way home. The window to his truck was broken and his work laptop bag was stolen. The laptop was not encrypted and probably contained lots and lots of proprietary data, including SSNs for the entire team of 120 people – including mine. I know when I worked there, I retained data on many projects on my laptop and some spreadsheets with proprietary and personal data that was shared across our team. All of it was backed up, but it wasn’t encrypted. I’d still rather not have that data available to anyone outside the company or group.

Eventually, something bad will happen to every laptop and you will need to leave it with a service organization, either internal to the company or an external provider. I’m a highly technical person, but my last laptop overheated and died. I ended up swapping the HDD out before taking it in to a service team rather than leaving sensitive data on it. I had to take it in to get an estimate to get it fixed so insurance would reimburse me for the loss. The less technical you are, the more you need your data encrypted to protect it against IT Service people.

If you run a company and your laptops aren't encrypted, I have to wonder what you're thinking. The risks are too great to ignore anymore. Teaching your people to protect proprietary data is difficult, complex and too easy for them to forget. It is much easier to simply encrypt the disks and be done with it.

Why You Don’t Want Whole Disk Encryption

For the highest level of security you want whole disk encryption plus daily or continuous backups of your data. In a corporate environment you definitely want whole disk encryption, so that all the data, emails, cached data, and other "things" on the system are protected regardless of what the end user does. Most of us can't have continuous backup at home, either because of the total amount of data or because we don't want to wait while a backup runs every 15 minutes. It just isn't practical.

The main issue with whole disk encryption is that disk maintenance becomes much harder on a failing disk. With a completely encrypted disk it is very important that excellent backups be made, often, because when the disk fails your data is really gone: a data recovery company can at best hand you back raw ciphertext, which is useless to them without your passphrase and useless to you if the volume header holding the master key was in the damaged area. That is why TrueCrypt offers a volume header backup (and, from version 6.0 on, keeps an embedded backup header at the end of the volume); make one. The granularity of the loss is less dramatic than people assume, though. TrueCrypt uses XTS mode, in which a damaged byte of ciphertext corrupts only the 16-byte cipher block it sits in, and a sector the drive can no longer read costs you the same 512 bytes it would have cost on an unencrypted disk. The real difference is that on an unencrypted disk a partially readable file can often be carved out by hand, while an encrypted one can only be recovered by mounting the volume with its intact header.
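To make the granularity point concrete, here is a small added example (mine, not from the original post) that encrypts one 512-byte sector under CBC and under XTS, flips a single ciphertext bit, and counts how many 16-byte plaintext blocks come back wrong; it also models a whole sector that the drive returns as zeros. The block cipher is a toy Feistel network built on HMAC-SHA256 standing in for AES so the script runs on the standard library alone; it is not secure, and the keys and plaintext are constructed.

```python
# Added example (not from the original post): how far one damaged ciphertext
# byte spreads into plaintext under CBC versus XTS sector encryption.
# ASSUMPTION: the "block cipher" is a toy 4-round Feistel network keyed with
# HMAC-SHA256, a stand-in for AES so this runs on the standard library only.
# It is not secure; only the error propagation of the modes is illustrated.
# 16-byte blocks and 512-byte sectors match TrueCrypt's XTS data units.
import hashlib
import hmac

BLOCK, SECTOR = 16, 512


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: 4 Feistel rounds (AES stand-in)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, right, i))
    return left + right


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right


def cbc_sector(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
    """CBC over one sector: each ciphertext block is chained into the next."""
    out, prev = b"", iv
    for off in range(0, SECTOR, BLOCK):
        blk = data[off:off + BLOCK]
        if encrypt:
            blk = toy_encrypt(key, _xor(blk, prev))
            out, prev = out + blk, blk
        else:
            out, prev = out + _xor(toy_decrypt(key, blk), prev), blk
    return out


def _mul_alpha(t: bytes) -> bytes:
    """Multiply the tweak by x in GF(2^128), little-endian as in IEEE 1619."""
    v = int.from_bytes(t, "little") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(16, "little")


def xts_sector(k1: bytes, k2: bytes, sector_no: int, data: bytes,
               encrypt: bool) -> bytes:
    """XTS over one sector: a per-block tweak, no chaining between blocks."""
    tweak = toy_encrypt(k2, sector_no.to_bytes(16, "little"))
    fn = toy_encrypt if encrypt else toy_decrypt
    out = b""
    for off in range(0, SECTOR, BLOCK):
        out += _xor(fn(k1, _xor(data[off:off + BLOCK], tweak)), tweak)
        tweak = _mul_alpha(tweak)
    return out


K1, K2, IV = b"k1" * 8, b"k2" * 8, b"\x00" * 16   # constructed keys and IV
PLAIN = bytes(range(256)) * 2                      # one constructed sector


def damaged_blocks(original: bytes, recovered: bytes) -> int:
    """Count 16-byte blocks in which any byte differs."""
    return sum(1 for off in range(0, len(original), BLOCK)
               if original[off:off + BLOCK] != recovered[off:off + BLOCK])


def bit_rot_loss(mode: str, byte_index: int = 100) -> int:
    """Flip one bit of ciphertext at byte_index; return plaintext blocks lost."""
    if mode == "cbc":
        ct = bytearray(cbc_sector(K1, IV, PLAIN, True))
        ct[byte_index] ^= 0x01
        rec = cbc_sector(K1, IV, bytes(ct), False)
    else:
        ct = bytearray(xts_sector(K1, K2, 7, PLAIN, True))
        ct[byte_index] ^= 0x01
        rec = xts_sector(K1, K2, 7, bytes(ct), False)
    return damaged_blocks(PLAIN, rec)


def unreadable_sector_loss(total_sectors: int = 3, bad: int = 1) -> int:
    """Model one sector the drive can no longer read (comes back as zeros)
    under XTS; return blocks lost over the region. Neighbours stay intact."""
    cts = [xts_sector(K1, K2, n, PLAIN, True) for n in range(total_sectors)]
    cts[bad] = b"\x00" * SECTOR
    rec = b"".join(xts_sector(K1, K2, n, c, False) for n, c in enumerate(cts))
    return damaged_blocks(PLAIN * total_sectors, rec)


if __name__ == "__main__":
    print("CBC: one flipped bit loses", bit_rot_loss("cbc"), "blocks")   # 2
    print("XTS: one flipped bit loses", bit_rot_loss("xts"), "blocks")   # 1
    print("XTS: one unreadable sector loses", unreadable_sector_loss(),
          "of", 3 * SECTOR // BLOCK, "blocks")                          # 32 of 96
```

CBC loses two blocks for a single flipped bit because the corrupted ciphertext block is also XORed into the next plaintext block; XTS loses exactly the one block that was hit, and an unreadable sector takes only its own 32 blocks with it. None of this helps if the volume header is the sector that died, which is the case the header backup exists for.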

Whole disk encryption also gets in the way of external programs and tools, like specialized Linux distributions, that solve some of the most common MS-Windows problems. Sometimes the only way to clean a Windows install of spyware and viruses is with an externally booted operating system. A rescue environment that itself includes the same encryption software can still mount the volume once you type the passphrase, but the stock rescue tools most people reach for cannot see the filesystem at all. If you are in a corporate environment, your IT guys will probably wipe the entire disk, put a fresh OS image on it, and then restore whatever backups of your data exist. Any local-only data that wasn't backed up, perhaps PST files and local project files, would be lost.

Whole disk encryption does protect some of the most sensitive things on most PCs that encrypting a second partition would miss: the cache files for email clients and web browsers. These programs store unencrypted files containing every website visited and every email on the system. If you use Outlook, you can place the local PST files on the encrypted D: drive, but some of the current data will still live under the C:\Users profile directories regardless, and the same goes for the page file and the hibernation file, which can contain whatever was in memory, passwords and keys included.
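Before settling for a data-partition-only setup it is worth knowing exactly what is left in the clear on C:. The script below is an added example (mine, not from the original post) that walks a volume root for the default Windows 7 locations of Outlook caches, browser history and caches, recent-document shortcuts, the page file and the hibernation file, and reports what it finds with sizes. It builds a constructed miniature of a C: volume in a temp directory so it runs anywhere; point `find_remnants()` at a real volume root to audit an actual machine.

```python
# Added example (not from the original post): inventory what is still stored
# in plaintext on the unencrypted OS volume when only a data partition is
# encrypted.  ASSUMPTIONS: the paths are the default Windows 7 locations for
# Outlook caches, browser history/caches, recent-document shortcuts, the page
# file and the hibernation file; build_fixture() creates a constructed
# miniature of a C: volume so the script runs anywhere.  Call
# find_remnants(r"C:\") on a real machine to audit it.
import glob
import os
import tempfile

# (category, path glob relative to the volume root); '*' matches one segment
REMNANT_PATTERNS = [
    ("outlook-ost",     "Users/*/AppData/Local/Microsoft/Outlook/*.ost"),
    ("outlook-pst",     "Users/*/AppData/Local/Microsoft/Outlook/*.pst"),
    ("ie-cache",        "Users/*/AppData/Local/Microsoft/Windows/Temporary Internet Files"),
    ("firefox-history", "Users/*/AppData/Roaming/Mozilla/Firefox/Profiles/*/places.sqlite"),
    ("firefox-cache",   "Users/*/AppData/Local/Mozilla/Firefox/Profiles/*/Cache"),
    ("chrome-history",  "Users/*/AppData/Local/Google/Chrome/User Data/Default/History"),
    ("chrome-cache",    "Users/*/AppData/Local/Google/Chrome/User Data/Default/Cache"),
    ("recent-docs",     "Users/*/AppData/Roaming/Microsoft/Windows/Recent"),
    ("pagefile",        "pagefile.sys"),   # swapped-out RAM: can hold keys and passwords
    ("hiberfile",       "hiberfil.sys"),   # whole-RAM image written at hibernate
]


def tree_size(path: str) -> int:
    """Bytes under a file or, recursively, a directory."""
    if not os.path.isdir(path):
        return os.path.getsize(path)
    return sum(os.path.getsize(os.path.join(d, f))
               for d, _, files in os.walk(path) for f in files)


def find_remnants(root: str):
    """Return [(category, path relative to root, bytes)] for every hit."""
    findings = []
    for category, pattern in REMNANT_PATTERNS:
        full_pattern = os.path.join(root, *pattern.split("/"))
        for hit in sorted(glob.glob(full_pattern)):
            findings.append((category, os.path.relpath(hit, root), tree_size(hit)))
    return findings


def build_fixture() -> str:
    """Constructed miniature of a Windows 7 system volume with fake contents."""
    root = tempfile.mkdtemp(prefix="fake_c_")
    fake_files = {
        "Users/jd/AppData/Local/Microsoft/Outlook/mailbox.ost": 4096,
        "Users/jd/AppData/Roaming/Mozilla/Firefox/Profiles/x1.default/places.sqlite": 1024,
        "Users/jd/AppData/Local/Mozilla/Firefox/Profiles/x1.default/Cache/AAAA": 300,
        "Users/jd/AppData/Local/Mozilla/Firefox/Profiles/x1.default/Cache/BBBB": 200,
        "Users/jd/Documents/notes.txt": 10,    # ordinary file, not a known remnant
        "hiberfil.sys": 8192,
    }
    for rel, size in fake_files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    for cat, rel, size in find_remnants(build_fixture()):
        print(f"{cat:16} {size:>8} B  {rel}")
```

Anything the script lists is readable by whoever walks off with the laptop or services it, so either relocate it (Outlook data files and browser profiles can be pointed at the encrypted partition) or disable it (hibernation), and treat the page file as unavoidable plaintext unless the OS volume is encrypted too.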

With whole disk encryption, the answer to nearly every serious problem becomes: reload the OS and recover your data from a backup. That makes perfect sense in a business, where disk images are used for every PC. It makes less sense for a home user who would rather remove spyware and viruses before going with the nuclear option of wiping the OS from the HDD and starting over.

My Setup

With the data above, here’s what I decided to do. My partitions on the single HDD in the laptop now look like this.

  • 50MB – unknown but seems required for Windows 7
  • 8GB – Recovery Partition to reload the OS from the vendor
  • 60GB – Windows 7 OS and Applications
  • 250GB – Data – ENCRYPTED
  • 120+GB – unused

Only the 250GB partition is encrypted, but that partition is where I place everything I can on the laptop. TrueCrypt with AES and a fairly long key is used to access it. I limited this to 250GB due to the size of my backup 2.5 inch disk. When planning storage, I always think about the backup solution. If I can’t back up the storage, then I don’t need it. This 250GB partition is where all my VirtualBox OS install VDI files are located too.

Don’t forget that my daily use OS is Linux running inside a VM from the D: partition, so all my emails and browser history are basically full disk encrypted, without the risks. Those VDI files are also completely backed up weekly to another machine and the HOME directory inside them is backed up nightly.

What did I do poorly with this setup?
How can it be improved, but still stay simple and secure?

Trackbacks

Use the following link to trackback from your own site:
https://blog.jdpfu.com/trackbacks?article_id=770

  1. JD 09/22/2010 at 23:51

    About a month ago, I encrypted my laptop as described above. I figured an update after real world use would be good.

    So far, so good. No major issues. Performance has been just as good on the encrypted disk as for non-encrypted disks. I reboot the laptop about every 5 days, but that is more a Windows stability issue and prevents my main Linux VM from having the power ripped out underneath it when Windows crashes.

    I’m very pleased with how this turned out and would recommend it. I’d set this up the same way again.

  2. JD 03/23/2011 at 14:01

    It is March 2011 and the laptop is still encrypted as described above.

    • It still works.
    • It is still highly usable and high performance (relatively)
    • I would still recommend it.