Saturday, February 13, 2010

In Depth: How to use encryption to secure your data

There was a time when all you really worried about was your laptop being stolen. But what about its contents? It's likely to be loaded with sensitive work, personal files, banking info, precious photos and irreplaceable videos.

Suddenly the laptop ceases to be the worry; now losing your data is what keeps you awake at night. And then there's the humble thumb drive – capacious yet oh so easy to lose.

The good news is that there's a simple solution to the danger of data loss: encryption. This scrambles your data using a mathematical process (a cipher). The algorithms vary, but most derive the encryption key from your password, so without the password there is no key, and without the key you can't get to the data.

No encryption system is perfect, but even a basic one will defeat most opportunistic attackers. Given the availability of encryption systems, you've no excuse not to lock up your data.
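The password-to-key idea described above, as an added illustration that is not part of the original article: the password is stretched into keys with PBKDF2 (a salted, iterated hash), one key drives a simple HMAC-based keystream, and an authentication tag shows that a wrong password is rejected rather than yielding garbage. The stream cipher here is a toy built for this illustration, not the ciphers BitLocker or TrueCrypt use, and the iteration count and salt length are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this illustration only.
ITERATIONS = 100_000   # more rounds = slower guessing for an attacker
SALT_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the password into two keys with PBKDF2 (the 'seed' in the text).

    The salt defeats precomputed tables; the iteration count makes every guess
    cost an attacker the same work it costs the legitimate user."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 64)
    return material[:32], material[32:]      # (encryption key, authentication key)


def keystream(enc_key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a toy cipher, not AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Return salt || ciphertext || tag; the tag lets decrypt() spot a wrong password."""
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return salt + ct + tag


def decrypt(password: str, blob: bytes) -> Optional[bytes]:
    """Recover the plaintext, or return None when the password (hence the key) is wrong."""
    salt, ct, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None                          # wrong key: refuse, don't return garbage
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, len(ct))))
```

Because the salt is random, the same password and file produce a different blob each time; only the tag check tells you whether the password that was typed is the one the data was locked with.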

We'll start with a look at BitLocker. This is the encryption system built into the Enterprise and Ultimate versions of Windows Vista and 7. If you don't use these OSes, don't worry – we'll check out some free alternatives.

BitLocker protection

BitLocker is a system designed to encrypt the entire Windows operating system volume on your hard disk. That all sounds pretty good. The problem is that BitLocker is notoriously difficult to set up on a PC already running Vista.

BitLocker needs two NTFS partitions – one for the system volume and one for the operating system volume. The split is needed because BitLocker's pre-startup authentication and system integrity verification must happen outside the encrypted operating system volume.

The unencrypted system volume should be at least 1.5GB. This means that there will be enough space for boot files and Windows' set-up programs. So if you're already running Vista then unfortunately you'll need to do some hefty repartitioning work before you begin installing the encryption system.

Thankfully, Microsoft released the BitLocker Drive Preparation Tool to help with all this. The tool comes as part of Vista Service Pack 1. If you're a Vista user, then there's a good chance you'll have it already. If you're a Windows 7 user, then the tool is integrated.

How to set up BitLocker

Now we can turn our attention to the Trusted Platform Module. This is a chip built into some motherboards that holds encryption keys. When you type in your password, Windows sends it to the TPM for validation. If your key is validated, BitLocker will carry out your request.

If your motherboard doesn't have a TPM chip, you can use a USB key. If you choose to go with the USB, the first step is to enable support for your flash drive as an alternative form of validation. Press [Windows]+[R], type gpedit.msc and press [Enter] to launch the Group Policy Editor. Next, browse to 'Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption'.

If you're running Windows 7, expand the Operating System Drives folder and double-click 'Require additional authentication at startup'; Vista users should simply double-click 'Control Panel Setup: Enable advanced startup option'. Finally, select 'Enabled', click 'OK' and then close the Group Policy Editor.

Now back to the hard disk setup. Assuming you're using Windows Vista and the BitLocker Drive Preparation Tool is present, creating the necessary two-partition layout is simple.

Click 'Start | All Programs' and select 'Accessories'. Click 'System Tools' followed by 'BitLocker' and then double-click the 'BitLocker Drive Preparation Tool'. When the tool has finished working its magic, restart the computer.

Finally, visit Control Panel and enable BitLocker. Help is available here.

Windows 7 users should follow exactly the same steps as those demanded by the BitLocker Drive Preparation Tool, complete with obligatory reboot. Then it's just a case of following a simple wizard from beginning to end.

The options you see will depend on whether or not you have a TPM installed. If necessary, insert a flash drive that you can save the required key to. You'll also be prompted to create a recovery key, which can be saved to a flash drive, as a file or printed out. You'll need this should BitLocker block access to the drive, so make a copy now (you can make additional copies through the Manage BitLocker utility later).

Once the drive is encrypted, you can encrypt more drives by right-clicking them and choosing 'Turn on BitLocker'.

Recovery

NEVER FORGET: You'll need to enter your recovery key if BitLocker won't let you in

If you don't have access to BitLocker, don't worry. TrueCrypt is a free open-source alternative. It enables you to encrypt entire volumes, including your system partition and also flash drives. You can also use the tool to create encrypted containers, inside which you can store sensitive files and folders. You can even hide sensitive containers or partitions from view – the 'Hidden Drives' box on the previous page reveals more about this option.

Download and install the program from here. Launch TrueCrypt and click 'Create Volume'. To encrypt the partition containing Windows, select 'Encrypt the system partition or entire system drive' and then click 'Next'.

The wizard is straightforward to follow – step one gives you a choice between a normal or hidden operating system. You can then elect to encrypt the partition on which Windows resides or the entire physical drive that it resides on.

TrueCrypt

If you choose the latter, you'll be given the option of leaving any hidden data at the end of the drive unencrypted – this includes any recovery partition that might be present. You'll also be asked if the drive you're encrypting is a dual-boot setup.

TrueCrypt won't be able to encrypt entire drives containing two or more operating system partitions, so it will ask you questions to confirm this before refusing to go any further.

Next, choose your encryption method and then pick your password. You'll need to enter this every time you boot your PC, so make sure it's something only you know, but won't forget. The usual rules apply: try a mix of letters and numbers, and avoid words that feature in the dictionary.

If you can, create a password that's more than 20 characters long. The keys are then generated. The last step prior to actually encrypting your drive is to create a rescue CD, which you'll need should the drive or boot sector become corrupted. (Be warned, though: this is no substitute for remembering your password.) You'll then be given an option to securely wipe free space for additional security.

Following that, a pre-test will happen. This verifies that the computer can be booted successfully before encryption takes place. Once this has completed, click 'Encrypt' and let TrueCrypt do its stuff.

The process for non-system partitions and drives (including flash drives) is similar – just select 'Encrypt a non-system partition/drive' from the Volume Creation Wizard and follow the steps.

Encrypt your files

Encrypting your whole drive might seem like overkill if you only have a handful of sensitive files and folders to protect. Alternatively, you might feel that your data is still vulnerable – after all, when you're logged on, everything is accessible.

Once again, TrueCrypt rides to the rescue with encrypted containers. These are encrypted files inside which your data is stored on a special volume that's assigned its own drive letter when mounted in TrueCrypt, enabling you to use it like any other drive.

TrueCrypt files

A container adds an extra layer of security to your files in that you only mount it when you need to access it. By remembering to unmount the drive when you've finished, you can safely leave your PC on and logged in, secure in the knowledge that those files are inaccessible.

Secure your flash drive

Flash drives may have changed the way we transport data, but they're particularly vulnerable to data theft. That's why Microsoft developed BitLocker to Go, which enables you to encrypt your flash drive in the same way that you'd encrypt a drive in Windows.

Once done, you have to enter a password to use your drive. As BitLocker to Go is only available in Windows 7, Microsoft has developed a BitLocker to Go reader that enables you to read the drive's contents in Vista SP2 or XP SP3 – get it here.

BitLocker to Go isn't quite as portable as it could be, particularly if you're at someone else's computer and they don't want you cluttering up their drive. Once again, alternatives are available.

We've touched on how TrueCrypt can be used to encrypt your flash drive – the downside is that this can then only be used on a PC running TrueCrypt. So if you want to be able to access the drive from any computer without having to install TrueCrypt, we suggest going down the encrypted container route.

This means leaving enough free space on the drive to install a portable version of TrueCrypt (use the same set-up file you used to install it on your PC). You can then access the container on any PC without having to install TrueCrypt on that machine.

There's one drawback to using TrueCrypt in this way. It only works in administrator accounts, so if you think you'll need access to the drive while logged on as a standard user, take a look at Rohos Mini Drive instead.

Rohos

The free version only supports up to 2GB file containers, but it works perfectly in standard user accounts. Get it from here. The set-up wizard does all the work for you, but note that it only creates a 500MB drive by default, so be sure to change this setting when prompted.


(Via TechRadar: All latest feeds.)