Laptop Security–Encrypting Disk Drives
Laptops are routinely carried to and used in airports, libraries, coffee shops and other places where they can easily be stolen. The cost of a stolen laptop is many times the value of the computer itself: if the laptop contained sensitive personally identifiable data, the potential cost can run into millions of dollars. The first step should be making sure that laptops do not contain sensitive data in the first place, but that cannot be the only step, as stored email invariably contains a tremendous amount of sensitive data.
Small businesses don’t have a large IT staff to help with the process of securing a laptop; this article is intended to help small businesses secure laptops and minimize the data security problems of a lost laptop by discussing alternatives for encrypting the data on the laptop. The article is divided into the following sections:
- Laptop Disk Drive Encryption Alternatives
- Encrypting Your Laptop Disk Drive
- Conclusions
Laptop Disk Drive Encryption Alternatives
There are a number of alternatives for encrypting data on a laptop, including file- or directory-level encryption tools and whole-disk encryption tools. If your systems are all Apple, or all Microsoft, the built-in tools in OS X (10.7 Lion and later) or Microsoft Windows (8.0 and later) are probably the most convenient approaches to take. If your systems include any combination of OS X, Windows and Linux, or you are on Windows 7 Professional, the choices aren’t as simple, because you will want a solution that can read encrypted external drives on any machine (assuming the drive’s file system is readable on that machine).
Table 1 below provides a listing of a few encryption software packages. This is by no means a complete list.
Product | Windows | OS X | Linux | Comments |
---|---|---|---|---|
BitLocker | Yes | No | No | Closed source. Built into Windows 8.0 and 8.1 and the Ultimate and Enterprise editions of Vista and 7. This is an obvious choice for a Windows-only network. |
OS X FileVault 2 | No | Yes | No | Closed source. FileVault 2 is built into OS X Lion (10.7) and newer. Lion went out of support in the fall of 2014, so at this point all currently supported versions of OS X offer full disk encryption. |
Symantec Endpoint Encryption | Yes | Yes | No | Closed source. Offers key management (requires Windows server) and other features that are attractive for managing multiple laptops. |
Trend Endpoint Encryption | Yes | Yes | No | Closed source. Offers key management (requires Windows server) and other features that are attractive for managing multiple laptops. |
McAfee Endpoint Protection Essential for SMB | Yes | Yes | No | Closed source. This is a total solution that is designed for “Small and Medium Businesses” of up to 250 employees. It probably isn't manageable until you get to 10 or 20 workstations. |
McAfee All Access File Lock | Yes | No | No | Closed source. This is a part of McAfee All Access, a virus/firewall/general security package. It encrypts at the directory level only; if you store a sensitive file outside the File Lock directory, it will not be encrypted. |
Linux Unified Key Setup | No | No | Yes | Open source. This is the standard encryption tool in most Linux distributions, and is generally available during the installation process. |
DiskCryptor | Yes | No | No | Open source. Encrypts all partitions. |
CipherShed | Future | Future | Future | Open source. A fork of TrueCrypt. As of February 17, 2015, CipherShed is available only in a beta version. |
BoxCryptor | Yes | Yes | Yes | Closed source. Primarily for encryption of data stored on cloud applications; this may be a useful solution in combination with another full-disk or partition encryption solution. Available for iOS, Android, Windows Phone, Windows RT (tablet) and Blackberry. Available in a limited feature free version or paid personal and business versions with more features. |
AxCrypt | Yes | No | No | Open source. File level encryption, not folder or partition level encryption. |
VeraCrypt | Yes | Yes | Yes | Open source. A fork of TrueCrypt. Hibernation power-saving function on laptops may not work properly. |
Windows-only Encryption Solutions
For users of Windows 8.0 and later, the built-in encryption is almost certainly the best alternative. For Windows 7 users (who comprise the vast majority of the visitors to this web site at this writing) the choices become more difficult and expensive. If file- or directory-level encryption is sufficient, the anti-virus solution that you use will probably include an encryption capability. This generally won’t be helpful for email files. There are a number of alternatives, but the three identified for this article are DiskCryptor, CipherShed (alpha at this writing) and VeraCrypt. The latter is the one that I ended up choosing, and is the one discussed further in this article.
OS X-only Encryption Solutions
The built-in disk encryption capabilities of OS X have been around for a while, so there aren’t many OS X-only encryption solutions. Unless you need compatibility of external drives with Windows machines (and have NTFS or HFS+ drivers that allow sharing external drives), the OS X built-in encryption is almost certainly the best choice.
Multi-platform Encryption Solutions
Several anti-virus vendors offer enterprise encryption solutions; if you already use their enterprise products, these are likely the most convenient solutions for a multi-platform environment. If you are a really small shop and don’t use an enterprise solution, one of the open source multi-platform solutions could be a good choice. Most of the multi-platform solutions are forks of the well-known but discontinued TrueCrypt tool. VeraCrypt is probably the best known at this point, but for project organization reasons CipherShed may become the preferred solution once it comes out with a production release.
Encrypting Your Laptop Disk Drive
The basic steps for encrypting your laptop drive are as follows:
- Back up the laptop disk drive before encrypting it
- Choose a password
- Install VeraCrypt (or other encryption software)
- Encrypt the laptop disk drive using VeraCrypt
- Modify backup procedures to accommodate encryption
Back Up the Unencrypted Laptop Disk Drive before Encrypting the Drive
The first step in encrypting your laptop is to make an unencrypted backup from which to recover should something go wrong during the installation. It is impossible to emphasize this step strongly enough. You will also need to make sure that your backup procedures allow you to recover from a disk failure. Clonezilla is a widely used open source tool for disk-level backups and is a good tool to use for backups on a regular basis. I’ve used it many times to back up disk drives, and to recover the information onto a larger drive when I replaced the drive in a laptop.
Choose a Password
Before installing any of the encryption tools, you will need to choose a strong password, preferably 20 characters or more. You must remember it and enter it each time you boot the machine. Do not forget it, because you will not be able to read any of your data without it. You can record it, but not on anything that will be available to a laptop thief.
Above all, do not forget it, and do not put it in a place where someone will find it.
Install VeraCrypt (or Other Encryption Software)
When you download VeraCrypt or other software, make sure to check the MD5 checksum of the download against the one published by the vendor to verify that no one has tampered with it. On Windows, you can install Cygwin and use the `md5sum filename.msi` command to compute the MD5 checksum. On OS X, you can install MacPorts and use `md5sum filename.dmg` to compute the MD5 checksum.
If the binary is signed (in Windows, the yellow caution window asking permission to make changes to your disk drive will show a company or individual name rather than “unknown”), you know that no one tampered with the file and don't need to check an MD5 checksum.
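The checksum comparison described above, written out as a small POSIX shell function; this is an added example, not code from the article or from the VeraCrypt project. It assumes `md5sum` and `sha256sum` (GNU coreutils, which the Cygwin or MacPorts installs mentioned above provide) and, going beyond the article's MD5-only step, also accepts a SHA-256 digest where a vendor publishes one, selecting the algorithm by the digest's length.

```shell
#!/bin/sh
# verify_download FILE EXPECTED_DIGEST
# Recomputes the hash of a downloaded installer and compares it with the
# digest published on the vendor's download page. The digest length picks
# the algorithm: 32 hex characters = MD5, 64 hex characters = SHA-256.
# Returns 0 on a match, 1 on a mismatch, 2 if the digest is unusable.
verify_download() {
  file="$1"
  # Normalise to lower case so a vendor's upper-case digest still compares.
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case ${#expected} in
    32) actual=$(md5sum "$file" | cut -d' ' -f1) ;;
    64) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
    *)  echo "verify_download: unrecognised digest length for $file" >&2
        return 2 ;;
  esac
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published digest"
    return 0
  fi
  # A mismatch means a corrupted or substituted download: do not install it.
  echo "MISMATCH: $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Constructed sample: a file holding the five bytes "hello", whose MD5 is
# 5d41402abc4b2a76b9719d911017c592 (not a real installer).
sample=$(mktemp)
printf 'hello' > "$sample"
verify_download "$sample" 5d41402abc4b2a76b9719d911017c592
rm -f "$sample"
```

A digest fetched from the same page as the installer only catches a corrupted or substituted download, not a compromised vendor site, which is why the code-signing check above is the stronger test.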
Installing VeraCrypt is just like installing other programs from this point onward.
Encrypt a Laptop Disk Drive Using VeraCrypt
The instructions for VeraCrypt are really pretty straightforward; I won’t repeat them here. Before you begin, make sure that you have a backup, and that you know the password that you are using to encrypt the drive. You will also need at least one writable CD (not DVD) to store the encryption keys necessary for a recovery of the disk. Store these in a safe place. A 250 GB drive on a 2012 Windows 7 laptop with an i5 processor took about four hours with nothing else going on. You should start the encryption process after virus and other disk scans have finished.
Once you encrypt the drive, the boot time will increase noticeably, but the overall performance of the machine will be largely unchanged. Hibernation may not work, so you will need to disable this mode in your power settings.
Modify Backup Procedures to Accommodate Encryption
Once you have encrypted the laptop disk drive, you will need to modify your backup and recovery approaches appropriately to accommodate the encryption. In some cases there will be no changes, but in other cases you will need to make changes. Your key backup CDs and password should be stored in a safe place, which will in most cases be with your backups. If you back up with disk-level tools, recognize that your backup will now be encrypted and will require the password to access.
Conclusions
The first defense for preventing data theft from a laptop is not to store sensitive data on the laptop. When this is not possible, disk encryption can safeguard the sensitive data, which is usually email. There are a number of alternatives for encryption of laptop disk drives that are manageable for a non-technical user to install. With encryption, your backup strategy becomes even more important: if you forget the password, you will not be able to get to the data on the laptop and will need to recover it from a backup.