On Encryption Tools (updated July 31, 2009) by Jamie Holloway
Some folks were asking what I used to secure personal data on disk and removable media. These are my notes and recommendations.
Notes

I am not an expert on cryptology. I don’t need to be an expert to state: everything is breakable and has risk. Use strong passphrases/passwords. Use different passphrases/passwords for encrypting data and for signing onto the various accounts at work, on the web, and on your personal workstations, so that one recovered password does not unlock everything else.
Tools / Features

TrueCrypt
http://www.truecrypt.org/
Highly recommended open-source product which can encrypt a file container, a partition or removable drive, and the entire system disk (system encryption adds a pre-boot passphrase prompt). The tool is free. This tool is probably the choice of spies, drug traffickers, and terrorists, because it has hidden volumes and hidden operating systems, features built for plausible deniability. However, for those of us who simply want to protect the confidentiality of our personal data, it’s a good choice, and easy to use. Keep the rescue disk it makes you burn when you encrypt the system disk; it holds a backup of the volume header and is your only way back in if that header is damaged. I have never encountered a problem with it.
BitLocker
http://bit.ly/140qEh
This is a Microsoft Windows feature introduced with Vista (Ultimate and Enterprise editions). I use this for encrypting my laptops. It may be better than TrueCrypt in a couple of respects, but that is debatable. BitLocker typically uses a TPM (trusted platform module, http://bit.ly/18hOgL), a specialized chip incorporated into most business laptops today. The TPM seals the key that unlocks your drive to measurements of the firmware and boot components, so the key is released only when the machine boots the same way it did when BitLocker was turned on. I’ve used BitLocker without a TPM (the startup key then lives on a USB stick), but there are some added complexities and I do not recommend it. If you do not have a TPM, use TrueCrypt. In its default TPM-only mode BitLocker does not require a pre-boot passphrase (as TrueCrypt does). This is a convenient feature, but it also means whoever powers on the laptop reaches the Windows logon screen with the disk already unlocked, so the logon password and the running OS are what stand between a thief and your data; if that worries you, add a PIN or startup key to the TPM. The inconvenient side is that the TPM re-checks the boot environment at every start-up. If it has changed (new memory added, a firmware update, a change in boot order, a boot configuration change such as enabling DEP), BitLocker cannot distinguish that from your disk having been pulled and booted in another machine, and it may require you to
enter a “Recovery Key” (Microsoft also calls it the recovery password) before the operating system will boot. This is a 48-digit number typed as eight groups of six digits; each group carries a checksum, so a mistyped group is rejected as you enter it. It looks like this (an illustrative pattern, not a real key): 320491-348592-021329-327976-230192-230498-396176-304918. So, the question is, where do you keep it? It needs to be handy, just in case, but you don’t want to write it down and keep it in your wallet. I keep my recovery keys stored (encrypted) on my server, and on a couple of laptops. However, I have been locked out of my primary laptop – on two rare occasions – and had to run down to my car to get my backup laptop to get the key. Options that do not depend on a second machine being within reach: print it and keep it in a safe at home, or, on a domain-joined laptop, let Group Policy back it up to Active Directory. On Windows 7, manage-bde -protectors -get C: lists a volume’s protectors including the recovery password, so you can copy it somewhere safe before you need it (on Vista the same tool is the manage-bde.wsf script, run with cscript).
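The format rules behind that checksum are simple enough to check yourself, which is worth doing for a copy you have transcribed by hand. The script below is an added example, not part of the original post: it validates a 48-digit recovery password (eight groups of six digits, each group divisible by 11 and below 720896 so that group/11 fits in 16 bits), converts it to the eight 16-bit values it encodes, and formats such values back into the dashed form. The sample password in it is constructed to satisfy those rules and is not a real key.

```python
"""Check and decode a BitLocker 48-digit recovery password.
Added example, not from the original post.  Format rules applied: 48 digits in
eight groups of six, each group divisible by 11 (the checksum) and below 720896,
so that group // 11 is a 16-bit value."""
import re

GROUP_COUNT = 8
GROUP_LIMIT = 11 * 65536   # 720896: first group value whose quotient overflows 16 bits


def parse_recovery_password(text: str) -> list:
    """Return the eight 16-bit values encoded by a recovery password.

    Raises ValueError naming the offending group when the text is not a
    well-formed recovery password (the same cases the BitLocker prompt rejects)."""
    digits = re.sub(r"[\s-]", "", text)          # accept dashes, spaces or neither
    if not re.fullmatch(r"\d{48}", digits):
        raise ValueError("a recovery password is 48 digits in 8 groups of 6")
    words = []
    for i in range(GROUP_COUNT):
        group = int(digits[6 * i:6 * i + 6])
        if group % 11:
            raise ValueError(f"group {i + 1} ({group:06d}) fails the mod-11 checksum")
        if group >= GROUP_LIMIT:
            raise ValueError(f"group {i + 1} ({group:06d}) exceeds {GROUP_LIMIT - 1}")
        words.append(group // 11)
    return words


def is_valid_recovery_password(text: str) -> bool:
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


def format_recovery_password(words: list) -> str:
    """Inverse of parse: re-apply the checksum factor and print the dashed form."""
    if len(words) != GROUP_COUNT or any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("need eight 16-bit values")
    return "-".join(f"{w * 11:06d}" for w in words)


def recovery_seed(words: list) -> bytes:
    """Pack the eight 16-bit values little-endian into the 128-bit value that
    BitLocker key-stretches (SHA-256 iterations) into the key protecting the
    volume master key.  The stretching step itself is not reproduced here."""
    return b"".join(w.to_bytes(2, "little") for w in words)


if __name__ == "__main__":
    # Constructed sample: every group is a multiple of 11 and under 720896.
    sample = "123453-220000-333333-440000-611105-720885-000011-135795"
    print(parse_recovery_password(sample))
    print(format_recovery_password(parse_recovery_password(sample)) == sample)
    print(is_valid_recovery_password("320491-348592-021329-327976-230192-230498-396176-304918"))
```

Because the check is per group, a mistyped digit anywhere is caught before you wait through a failed boot; a rejected stored copy is a sign the transcription, not the drive, is the problem.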
EFS – Encrypting File System
EFS is a Windows feature which encrypts individual files and folders on NTFS with a per-user key; that key is in turn protected by your logon password (through DPAPI). I have this enabled for all my sensitive data, even a lot of non-sensitive data. The limit is that once someone with your disk recovers your account password, by brute force or rainbow tables against the stored hash, they can unlock the EFS key and read the files, and EFS never covers the paging file, temporary copies made by applications, or the file names. That gap is why Microsoft added BitLocker, which encrypts the whole volume including the password hashes and key material EFS depends on. EFS on top of BitLocker still buys you something: per-user separation once the machine is unlocked, and protection that survives a thief simply resetting your password offline (the DPAPI master key is derived from the old password, so a reset locks the files for them and for you, which is why EFS nags you to back up your certificate). It won’t protect your data from the NSA, but it will from the average thief.
WinZip
http://www.winzip.com
WinZip offers both compression and encryption. I use it for the compression, but I also encrypt my files just because… (defense in depth concept). If you encrypt your files, however, the directory structure is not protected: a ZIP archive keeps every entry’s name, size and timestamp in the clear in its central directory, so anyone can list the archive without the password, and the file names themselves may be sensitive data that you want to protect. If they are, zip the encrypted archive inside a second archive with a bland name, or keep it in a TrueCrypt container. Also choose WinZip’s AES option rather than the legacy “Zip 2.0” (ZipCrypto) encryption, which is weak enough that known-plaintext attacks recover its key.
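To see exactly what a “password-protected” archive gives away, the following added example (not from the original post, and not WinZip’s code) builds a small encrypted ZIP with only Python’s standard library, then lists it without the password and reads an entry with and without it. It implements PKWARE’s legacy ZipCrypto stream cipher because that is the one the stdlib can read back, not because it should be used; the entry names and contents are constructed sample data, and the 11 filler bytes in the encryption header, random in real writers, are zero here so the output is deterministic.

```python
"""Show what a password-protected ZIP leaks: entry names, sizes and timestamps
sit unencrypted in the central directory.  Added example, not from the original
post; standard library only.  The writer implements PKWARE's legacy ZipCrypto
stream cipher so that Python's zipfile can read the result; ZipCrypto is shown
for that reason alone and is not a recommendation."""
import io
import struct
import zipfile
import zlib


def _crc_step(crc: int, byte: int) -> int:
    # One CRC-32 table step without the usual pre/post inversion, as ZipCrypto defines it.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCrypto:
    """Key schedule and keystream from PKWARE APPNOTE 6.1 ("traditional" encryption)."""

    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.keys
        k[0] = _crc_step(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.keys[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)          # the state advances on the plaintext byte
        return bytes(out)


def make_encrypted_zip(entries: dict, password: bytes) -> bytes:
    """Build a stored (uncompressed) archive whose entry *data* is encrypted.
    Every header field below, the name included, is written in the clear:
    that is the format, not an oversight of this writer."""
    body, central = io.BytesIO(), io.BytesIO()
    dos_time = 12 << 11                               # 12:00:00
    dos_date = ((2009 - 1980) << 9) | (7 << 5) | 31   # 2009-07-31
    flags = 1                                         # bit 0: entry is encrypted
    for name, plain in entries.items():
        crc = zlib.crc32(plain) & 0xFFFFFFFF
        # 12-byte encryption header: 11 filler bytes (random in real writers, zero
        # here for determinism) plus the CRC's top byte as the password check.
        prefix = bytes(11) + bytes([(crc >> 24) & 0xFF])
        cipher = ZipCrypto(password).encrypt(prefix + plain)
        offset = body.tell()
        nameb = name.encode("ascii")
        body.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, dos_time,
                               dos_date, crc, len(cipher), len(plain), len(nameb), 0))
        body.write(nameb + cipher)
        central.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                                  dos_time, dos_date, crc, len(cipher), len(plain),
                                  len(nameb), 0, 0, 0, 0, 0, offset))
        central.write(nameb)
    cd = central.getvalue()
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(cd), body.tell(), 0)
    return body.getvalue() + cd + eocd


def list_without_password(archive: bytes) -> list:
    """What a thief sees with any ZIP tool and no password: names and sizes."""
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        return [(i.filename, i.file_size) for i in z.infolist()]


def read_entry(archive: bytes, name: str, password):
    """Entry contents, or None if the password is missing or wrong."""
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        try:
            return z.read(name, pwd=password)
        except (RuntimeError, zipfile.BadZipFile):
            return None


# Constructed sample entries: the names alone tell a thief what is worth attacking.
SAMPLE_ENTRIES = {
    "taxes/2008-return.txt": b"SSN 000-00-0000\n",
    "passwords.txt": b"bank: correct horse battery staple\n",
}
PASSWORD = b"hunter2"


def demo() -> tuple:
    archive = make_encrypted_zip(SAMPLE_ENTRIES, PASSWORD)
    return (list_without_password(archive),
            read_entry(archive, "passwords.txt", None),
            read_entry(archive, "passwords.txt", b"wrong"),
            read_entry(archive, "passwords.txt", PASSWORD))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The listing comes back complete with no password at all, while the contents need the right one; that asymmetry is the whole point of the caveat above, and it holds for WinZip’s AES mode too, since AES only changes how the entry data is encrypted, not what the directory records.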
PGP
http://www.pgp.com/
PGP used to be a free open-source tool, but now it’s a paid-for product. I do not recommend PGP because 1) better free alternatives exist, and 2) I never really liked the product version of PGP. I used it for several years until TrueCrypt became available.
GnuPG
http://www.gnupg.org/
GnuPG is a free, open-source implementation of the OpenPGP standard (RFC 4880), the same formats and algorithms PGP uses, so it can read files and keys produced by PGP. Given that I used the open-source and paid-for versions of PGP for many years, I have backup and archive files that I sometimes need to access. I use this tool for this purpose, and it works well for that alone. Otherwise, the user interface is weak and I do not recommend it.