Republished with permission from WatchGuard Technologies, Inc.

  WatchGuard LiveSecurity

PC Disk Encryption: A Lesson Learned and Recommendations

Fredrick M. Avolio
Avolio Consulting

In a previous column I wrote on the subject of deploying cryptography. I wrote, "Start encrypting sensitive files on your PC... Some software requires you to decrypt -- to unlock -- a file to read it or edit it, and encrypt it again to store it safely. Others allow you to store files in an electronic 'safe'... Now, if someone steals your notebook PC, or if someone breaks into your file server and accesses your files, the attacker will find unintelligible data."

Disclosure #1. A few months ago my notebook PC was stolen. I routinely back up my PCs, and there were no client-confidential files on the PC. But it did feel creepy to think of someone reading faxes I had sent to my tax advisor, letters I had written to doctors and my children’s teachers, etc.

Even before I had bought a replacement PC, I decided that I would start encrypting everything personal on the PC. One of my criteria was that I did not want to have to depend on my memory to *remember* to encrypt sensitive files. Also, I wanted everything that was *mine* encrypted.

There are three options for protecting data on notebook PC disks: encrypt individual files, encrypt folders, and encrypt the whole PC disk. [Note: there are numerous products available that do one or all of the above and many reviews of them in on-line magazines.] I chose a product that encrypted the whole disk. It seemed the simplest and the most thorough.

The installation went smoothly. As recommended, I first did a complete backup. The product worked! If someone tried to boot the PC, he would need a password. If the thief reset the BIOS, the hard disk was still encrypted. All one could do was reformat the disk.

The product worked for a week. The day before I was to leave town to teach a class, I booted up the notebook PC to synch it with my desktop. Up came a message: "Encrypted disk corrupted". Now, the only thing I had done was run Symantec SpeedDisk. I had specifically asked the vendor whether using Norton Utilities would be a problem. I was told, "No problem"; yes, problem!

To make a long story short, a further complication was that I could not find where the program had put the log file for the recovery operation. I was hosed: My disk was encrypted beyond recovery, and my briefcase was 3 pounds lighter on my trip.

After my trip I restored the PC’s disk from the vendor’s CD and the backup. I went with Plan B, a product that had an option to create a large file to be treated as a separate partition. When unmounted, it is a large (you specify the size) encrypted file. When "mounted" with this software (which requires a password), it looks, acts, and feels just like a PC partition. Everything created in it was encrypted, because, unmounted, the partition itself was encrypted.

This handled one of my criteria: it was automatic. But what about the other, to encrypt everything? Being an old UNIX hacker, I have always created a "home" directory for myself on every PC I’ve ever used. So, most of my files were in C:\fred. However, some files were not. It took a bit of work, but I moved everything that might be considered "private" into my home directory. I also moved my Eudora mailboxes (but not the executables -- write to me if you need to know how). Everything was put in \fred under an encrypted partition that I always mount as "D:".

Now if anything happens to corrupt my "partition," I still have a working system available. My files -- my personal things -- are protected. And the next thief… well, you cannot have everything. He *will* have a usable system, but he will not be able to access any of my personal data.

So what did I learn and what do I recommend? First, I should practice what I preach. My original PC data should have been encrypted. Second, while encrypting the whole disk seemed to be the most secure and thorough action I could take, encrypting only my personal files is more than sufficient. This has the side benefit of lowering the risk of a catastrophe should there be a system failure. (Also, if you use a whole-disk encryption product, don’t run any disk defragmenting software on it until you are certain it will not harm the disk encryption.) And always make backups and have a way to recover.