Laptop computers have become mobile stores of massive amounts of information. Add to that the proliferation of removable hard drives, and it becomes crystal clear how much sensitive data is on the move in the world, most of it woefully underprotected.
Many users have tried to safeguard their data with system passwords or other mechanisms. But the cold hard truth is that those protection schemes give a false sense of security. Windows desktop passwords are easily defeated with third-party boot-up tools, which provide access to any file on a drive partition, while other tools exist that can crack passwords on most applications.
A better alternative is to protect the contents of a storage device using a reliable encryption utility, making it almost impossible for a third party to access your data files. There are several ways to do this -- some utilities will encrypt single data files, while others may encrypt directories or archives, and a few will encrypt a complete drive partition.
What you choose to encrypt is only part of the story, though. How the data is encrypted is just as important.
There are several levels of encryption available, and the major difference among them is the complexity of the encryption. Simply put, the more complicated the encryption scheme, the more secure your data will be. However, before selecting the most complex, most secure encryption scheme available, you should take into account another factor -- the processing power needed to encrypt or decrypt the data. More complexity means more security, but it also equals more demands on hardware.
Until recently, an inexpensive, easy-to-use, reliable drive-encryption utility was hard to come by. Either the tools available were too complex or expensive to be used by a nontechnical individual, or they impacted performance so severely that the PC slowed to a crawl. Luckily, much has changed over the last few years, and many new and improved products have come to market.
In this roundup, I've looked at three encryption packages: Microsoft's BitLocker, PGP Corp.'s Whole Disk Encryption, and TrueCrypt from the TrueCrypt Developers Association.
BitLocker is the easiest to obtain, at least for Windows users -- it's included with the Enterprise and Ultimate versions of Windows Vista and Windows 7. TrueCrypt is an open-source freeware application that is used by several universities and nonprofit agencies. For users looking for an affordable third-party encryption product that includes support from a leading vendor, Whole Disk Encryption (at $149 per seat) is a top contender.
I installed each product on a Lenovo T61p notebook computer and a Toshiba Portege R600 ultralight notebook. I used a Fujitsu M2010 netbook to read the encrypted storage devices and encrypted files. All three systems were running Windows 7 Ultimate Edition.
I also tested each encryption product with a few Corsair USB drives of varying sizes and a 60GB external Verbatim USB hard drive.
Types of encryption
The two leading types of encryption are private key (also called symmetric key) cryptography and public key cryptography. In private key cryptography, a single key is used for both encryption and decryption. Private key algorithms are generally very fast and easily implemented in hardware, so they are commonly used for bulk data encryption.
Public key cryptography involves the use of two distinct but mathematically related keys: a public key and a private key. The public key is not secret and can be shared with anyone; it is used to encrypt data meant for the holder of the private key. The private key (or secret key) is used to decrypt any data encrypted by the public key. Public key cryptography is primarily used for e-mail messages, file attachments, digital signatures and other transaction-related processes.
Most file, directory and partition encryption products rely on private key scenarios, encrypting data files using a single secret key, which only the owner of the data knows. There are two general categories of private key algorithms: stream ciphers and block ciphers.
A stream cipher encrypts each byte of the data stream individually. Stream ciphers are commonly used for wireless communications. For example, A5, the algorithm used to encrypt GSM communications, is a stream cipher. The RC4 cipher and the one-time pad (OTP) are also stream ciphers.
On the other hand, block ciphers encrypt one block of data at a time and are used more often for data encryption. There are several block ciphers used today, all with variations in their approach, such as DES, AES, RSA and Diffie-Hellman.
Many encryption products that use block cipher encryption can integrate with a PC's Trusted Platform Module (TPM). TPM is a published specification detailing a secure crypto-processor that can store cryptographic keys that protect information. A TPM chip handles the secure generation of cryptographic keys using a hardware pseudo-random number generator. TPM also includes capabilities such as remote attestation (which creates a nearly unforgeable hash key summary of the hardware and software configuration) and sealed storage.
First, the good news -- BitLocker is free and does most everything a user could want. However, there's a catch: The full BitLocker product is only available with the Windows 7 Ultimate and Enterprise editions (or the Vista Enterprise and Ultimate editions), versions that are rarely installed on netbooks and seldom on notebooks. In addition, the Vista version of BitLocker lacks the ability to encrypt removable media, a very important feature now that USB key drives and external hard drives are common.
I looked at the BitLocker application included with Windows 7, which is broken down into two services: BitLocker, which works with hard drive partitions, and BitLocker to Go, which is meant for removable media.
BitLocker uses the AES encryption algorithm in cipher-block chaining (CBC) mode with a 128-bit key, combined with the Elephant diffuser for additional disk-encryption-specific security not provided by AES.
At a Glance
Price: Free (with Windows 7 Ultimate and Enterprise editions or Vista Enterprise and Ultimate editions)
The application works by encrypting a disk partition; that partition can be located on the system or on a removable device. If you are using BitLocker to secure your system's hard drive, for example, it will create a system partition (which contains the files needed to start your computer) and an operating system partition, which contains your applications, data and Windows. The operating system partition will be encrypted and the system partition will remain unencrypted so your computer can start.
BitLocker reaches its full potential on computers equipped with TPM. BitLocker can use either transparent operation mode (where the TPM automates key entry) or a user authentication mode (where the user must manually input a password). The TPM hardware detects any unauthorized changes to the pre-boot environment, including to the BIOS and master boot record (MBR). If any unauthorized changes are detected, BitLocker requests a recovery key on a USB device or a recovery password entered by hand. Either of these cryptographic secrets will decrypt the Volume Master Key (VMK) and allow the bootup process to continue.
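To make the transparent-mode and recovery-key flow concrete, here is an added Python simulation (not Microsoft's, nor any TPM's, code) of a hash-chained PCR, a Volume Master Key sealed to the PCR value a clean boot produces, and the recovery-password fallback; the SRK secret, the measured component blobs and all function names are hypothetical.

```python
# Added simulation (not TPM/BitLocker code): PCR hash chain, VMK sealed to a PCR, recovery fallback.
import hashlib
import hmac

def pcr_extend(pcr, component):
    """TPM extend: PCR_new = H(PCR_old || H(component)); the final value
    depends on the content and order of every component measured."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components):
    """Measure BIOS, MBR, boot manager, ... into one PCR starting from zero."""
    pcr = bytes(32)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr

def wrap(vmk, key):
    """Protect a 32-byte VMK under `key` with a hash keystream plus an HMAC
    tag, so a wrong key is detected instead of yielding a garbage VMK."""
    stream = hashlib.sha256(key + b"enc").digest()
    ct = bytes(a ^ b for a, b in zip(vmk, stream))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()

def unwrap(blob, key):
    ct, tag = blob
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    stream = hashlib.sha256(key + b"enc").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def seal_to_pcr(vmk, srk, expected_pcr):
    """Sealed storage: the wrapping key mixes a TPM-resident secret (SRK,
    hypothetical here) with the PCR value a clean boot is expected to yield."""
    return wrap(vmk, hashlib.sha256(srk + expected_pcr).digest())

def recovery_blob(vmk, recovery_password):
    """Second copy of the VMK, protected only by the printed recovery password."""
    return wrap(vmk, hashlib.sha256(recovery_password.encode()).digest())

def pre_boot(components, srk, sealed, recovery, recovery_password=None):
    """Transparent mode: unseal with the live PCR. A modified BIOS/MBR gives a
    different PCR, unseal fails, and only the recovery password releases the VMK."""
    vmk = unwrap(sealed, hashlib.sha256(srk + measure_boot(components)).digest())
    if vmk is not None:
        return "tpm", vmk
    if recovery_password is not None:
        vmk = unwrap(recovery, hashlib.sha256(recovery_password.encode()).digest())
        if vmk is not None:
            return "recovery", vmk
    return "locked", None
```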
BitLocker offers additional protection in the form of BitLocker To Go, an encryption option that can be used with removable media.
BitLocker is tightly integrated into Windows 7; it launches from the Windows 7 Control Panel and includes a wizard-driven setup that simplifies configuration. To get started, I launched the BitLocker application from the Windows 7 Control Panel on the Toshiba Portege and chose "Turn on BitLocker." This launched a system requirements wizard, which checked to make sure that the system was compatible with the software and listed any changes that needed to be made. In my case, BitLocker recommended that I turn on the TPM security hardware on my test system, which required me to reboot the system and enable the TPM hardware in the system BIOS.
On my Lenovo T61p, TPM was already enabled, so BitLocker was able to start the drive encryption process immediately.
As part of the encryption process, BitLocker offers a way to save a "recovery key" -- a 40-digit code provided specifically as a means to access your data if there is a problem with your system or you lose your PIN. You can save the recovery key to a USB drive or a local file, or you can print it out. The encryption process can take some time to complete -- it all comes down to the amount of data stored on the partitions, the speed of the hard disk and processor performance. The Toshiba Portege system, which had a solid-state drive with about 30GB of data, took over 3 hours to encrypt (luckily, the encryption process can run in the background). The Lenovo T61p, with 70GB of data stored on an internal 120GB hard drive, took a lot longer -- in fact, I wound up letting the encryption process run overnight.
After encrypting the drives, I found little difference in how the systems performed -- applications seemed to load as quickly, boot times remained about the same and operations such as file copying seemed just as fast. That said, there was some measurable CPU overhead when encrypting and decrypting files, but, as indicated by Windows Task Manager, it was less than 8% and was not noticeable during normal use.
BitLocker To Go
BitLocker To Go proved to be very easy to use. All you do is launch the product and create a passphrase (or use a smartcard) to encrypt/decrypt the drive. The process takes just a few minutes; like its big brother, the utility creates a 40-digit recovery key. Once configured, BitLocker To Go can automatically encrypt USB drives whenever you insert one. That tight integration with the operating system makes it extremely easy to use for removable media. The BitLocker To Go reader automatically launches when a USB drive is inserted into a system, and then it asks for the passkey to access the data stored on the device. I encrypted eight USB key drives of various sizes -- each only took a few minutes to encrypt and all worked flawlessly.
BitLocker To Go allows the removable drive to be used with other systems, such as Windows XP and Windows Vista PCs. The only catch is that the application only allows older OSes to read the data -- new data cannot be added.
BitLocker and BitLocker To Go are a great way to encrypt and protect data files on Windows 7 PCs and should be one of the first choices for mobile and home workers who want to protect their sensitive data files.
BitLocker also supports Windows networks, and administrators can set up Windows group policies that can enforce the use of BitLocker on removable storage devices and also encrypt the hard drives on servers and PCs -- which may be a good way to prevent data being taken off a retired piece of IT equipment, just in case the administrator forgets to properly wipe or destroy the hard drive.
If you aren't running Windows 7, or you want to use something other than a Microsoft product (and don't want to spend any money), TrueCrypt from the TrueCrypt Developers Association is pretty hard to beat.
The product matches the features offered by Microsoft's BitLocker and offers a couple of interesting additional features, such as the ability to create a virtual encrypted volume that is mounted as a drive letter or associated with a virtual folder. In other words, you can store all of your critical data files on a separate, encrypted disk volume and then access those data files by associating a drive letter with the volume and entering the associated passkey. That way you can allow others to use your PC while your sensitive data is protected from prying eyes.
At a Glance
TrueCrypt Developers Association
That method offers several advantages. First off, you can "hide" the encrypted volumes, so other users don't even know that they exist. You can also segregate your data files, only encrypting what you deem important. And finally, you do not need to encrypt your application or operating system files, which means the system won't take as much of a performance hit.
TrueCrypt uses several different encryption algorithms, including AES, Serpent and Twofish. Those algorithms can be combined in many different ways to create complex encryption schemes -- those looking to delve into the technical details of TrueCrypt's encryption algorithms can check out the dozens of pages of information on its Web site. I downloaded version 6.3 from the site; installation was a matter of minutes.
When I launched the application, I was presented with a concise management console that was very easy to navigate. It offered a list of drive letters (which could be associated with encrypted volumes), as well as several buttons used to mount and dismount encrypted volumes. The top of the screen offers several pull-down menus, which include features such as encrypting the system volume, creating rescue media, building keys and so on. Simply put, anything that TrueCrypt could do was right at my fingertips.