Laptop encryption software - anyone use it?

Barack Obama

I'm familiar with Pointsec and Safeboot, but I'm just looking to get something for my home laptop.

There is a freely available package called TrueCrypt. Anyone use this or something similar?

Cheers

RolandIRL

i use truecrypt sometimes. not much though, but it's a great program imo.

Random

i use truecrypt on my laptop. was handy enough to setup. doesn't slow things too much that i've noticed but it's a reasonably low spec laptop that was low spec anyway.

wolfric

Same, use truecrypt and found it brilliant and never had any major issues.
The only thing is that it needs to hook itself to encrypt/decrypt on the fly so you need to run as administrator. Not a big deal normally but makes difficult for pen drive use.

I wouldn't use it for much as i don't have that much data that's worth the inconvenience to encrypt.

Barack Obama

Thanks guys - I'll give it a try

CreepingDeath

Yep I use TrueCrypt but not for entire disks.

You can create a file container, eg. a 20Gb file, and mount/unmount it when you need it, then it appears as an extra drive.

It's perfect for USB disks and personal/financial information on your laptop.

I don't like the idea of TrueCrypt encrypting the entire disk.
1) read/write performance will probably slow down
2) if something goes wrong, eg. the encrypted disk becomes corrupt then I'd imagine that disk recovery tools wouldn't be able to fix an encrypted disk.

Barack Obama

CreepingDeath wrote: »

Yep I use TrueCrypt but not for entire disks.

You can create a file container, eg. a 20Gb file, and mount/unmount it when you need it, then it appears as an extra drive.

It's perfect for USB disks and personal/financial information on your laptop.

I don't like the idea of TrueCrypt encrypting the entire disk.
1) read/write performance will probably slow down
2) if something goes wrong, eg. the encrypted disk becomes corrupt then I'd imagine that disk recovery tools wouldn't be able to fix an encrypted disk.

The reason I am looking for full disk encryption is so that the laptop is completely protected if somebody else gets their hands on it though.

Following your advice though, what I might do is rebuild the laptop (was going to be done anyway) and create a new folder called 'Data', encrypt it and store everything in there. That way, folders such as WinNT & Program Files will not be affected.

Thanks!

JohnK

I use TrueCrypt to encrypt the entire drive on my laptop and I havent noticed any performance difference. Spec is Intel Core 2 Duo 2ghz with 4gb ram running Windows 7 Ultimate (64bit). I run a lot of virtual machines too (xp, server 2003, server 2008 etc) for development and they all run just fine; I havent tried any gaming on it but I wouldnt expect any issues there either.

Random

what plan to those that use truecrypt have in place if the pc packs in and you need to recover data from the hard drive when hooking it up to another pc?

JohnK

You can just mount it as you would an encrypted partition so you access it the same way you would a non encrypted drive. You'd need truecrypt installed on the second PC though obviously.

Random

maybe i should do a dummy run one of the days - is it just the "volumes - select device" option that i would chose?

wolfric

I'd imagine you'd have problems however if part of the drive became corrupted (although feel free to correct me). So if you lost a chunk of your drive for some reason i think the whole thing would be gone instead of being able to recover it part by part.

Bebop

I use Truecrypt in work, we have about 30+ encrypted Dell latitude laptops, company policy is to encrypt the entire drive so that it is not bootable without a password

It's a nice open source application that works fine with very little overhead, the only problem I have found is when you get a corrupted drive or a virus that prevents bootup, normal practice would be to boot from CD and run diagnostics or virus removal, With a Truecrypt machine you first have to remove the encryption, this can take several hours before you can access the hard drive to fix the problem, after that it has to be re-encrypted which takes another few hours, depending on how much data is on the HDD,

JohnK

Random wrote: »

maybe i should do a dummy run one of the days - is it just the "volumes - select device" option that i would chose?

It should be "volumes - select device" then "system - mount without pre-boot autentication", enter your normal preboot password and then the partition should be mounted as a normal truecrypt volume.

Now thats the theory anyway, I've never actually tested it myself...

wolfric wrote: »

I'd imagine you'd have problems however if part of the drive became corrupted (although feel free to correct me). So if you lost a chunk of your drive for some reason i think the whole thing would be gone instead of being able to recover it part by part.

While i cant comment on how truecrypt handles things, I would imagine once the header information (which can be backed up) of the volume is present then you should still be able to access any files that werent stored in the missing chunk. Thats how Jetico BestCrypt worked in the past and I did lose a chunk of that volume but it only lost the files that were fully or partially stored in that missing chunk.

Bebop wrote: »

...after that it has to be re-encrypted which takes another few hours, depending on how much data is on the HDD,

That is a pain all right however you can keep using the machine while its re-encrypting everything so its not entirely lost time.

matt-dublin

are you using vista / windows 7 ultimate etc?

bitlocker is free on those versions of windows and is full disk encryption although you will need to repartition your hard drive.

windows is able to do this for you without any data loss.

all you need to do is enable the tpm chip in your bios to enable bitlocker.

http://www.microsoft.com/windows/windows-7/features/bitlocker.aspx

phill106

matt-dublin wrote: »

are you using vista / windows 7 ultimate etc?

bitlocker is free on those versions of windows and is full disk encryption although you will need to repartition your hard drive.

windows is able to do this for you without any data loss.

all you need to do is enable the tpm chip in your bios to enable bitlocker.

http://www.microsoft.com/windows/windows-7/features/bitlocker.aspx

mutters about silly laptop without tpm chip....
Apparently they are mostly on "business" machines, rather then home ones.

Bebop

you are better off without the TPM chip, the vendors are planning to use it for DRM,
WIKI on TPM:
"with DRM (Digital Rights Mgmt) being worked on by the same group, it's a matter of time that they merge the two; which means that sofware and hardware vendors will have the possibility to constantly have be looking over your shoulder."

matt-dublin

not verified.

and it doesn't quite work like that

JohnK

Said I'd give this thread a bit of a bump since I've discovered an issue with wholedisk encryption using truecrypt; if you open up the windows repair console on windows 7 you cant actually get at the encrypted system partition event though you've already got past the pre-boot authentication bit & supplied the correct password. Bit of a pain as it now means I have to decrypt the whole bloody thing (about 200gb) just to do one simple task that'll probably take about 10 seconds

Bebop

This is the main drawback with TrueCrypt, if you get a laptop that needs to be re-imaged or say a virus removed, you cannot boot from a CD, the encryption has to be removed first and then re-applied when the job is done, if the laptop is not bootable to windows then you need to use the rescue CD, a command line decrypt may take a full day

rolion

Check Symantec Endpoint Encryption:

http://www.symantec.com/business/endpoint-encryption

JohnK

Symantec might work but it has a bit of a flaw in that its not free

On TrueCrypt though, I wonder if it is possible for it to function in the WinPE environment, at one point I was being prompted if I wanted to load a custom driver and to scan the network for a base image so it might be possible for them to get something in that screen - I'm thinking along the lines of a driver that handles the decryption transparently so WinPE doesnt even know of the encryption. I did search for something along those lines but got no results.

jpl888

According to http://www.truecrypt.org/faq you can run Truecrypt from BartPE by downloading and extracting rather than installing. Is that what you are looking for?

JohnK

Thanks but no thats different from the WinPE/Recovery stuff. It does look interesting though, I'll have to take a look at it one of these days.

Chord of Souls

I seem to recall some laptops used to come with encryption built into the hardware from day one. So you needed the password to boot up the laptop in the first place and if you didn't have that the whole thing was unintelligble. Sounds like a nice lazy option for me as long as I don't forget the password.

Can you still buy laptops with hardware-based encryption?

Bebop

Most laptops come with a drivelock option that allows you to set a password on the hard drive, without the password you cannot boot or access the hard drive even if you take the drive out; this is not the same as encryption and can be broken with a brute force attack

Chord of Souls

Thanks Bebop,

In your opinion would you think this would be an acceptable standard of security for a laptop that would contain information about my database of customers?

I'm trying to be pragmatic. No point in spending loads of time and money on some CIA-strength encryption capability, if in real life only someone in the IT security industry is likely to be able to break your suggested drivelock and not your common-or-garden laptop-nicking gouger. I don't flatter my little business to think that I'd be the target of an organised cyber-attack. A mugging is far more likely.

matt-dublin

drive lock can easily be got around.

your best bet is to buy encryption software and either encrypt the files or encrypt your hard drive.

http://www.symantec.com/business/whole-disk-encryption

Capt'n Midnight

matt-dublin wrote: »

drive lock can easily be got around.

your best bet is to buy encryption software and either encrypt the files or encrypt your hard drive.

http://www.symantec.com/business/whole-disk-encryption

truecrypt is fine for business once you encrypt the whole drive, no need to buy commercial software. Especially software that may have been developed in Israel where EU/US data protection laws don't apply and where the government has basically said "no comment" when it comes to the possibility of backdoors for their security services.

if you are going to be paranoid, it's best not to do it by halves :pac:

you can add layers too, no point in making things easy

within windows you can also use EFS , ( unless you have Windows 7 home "premium" :mad: another feature for which XP > 7 ) - if you decide to go EFS make bloody sure you also make a recovery floppy, EFS is transparent so no extra passwords or anything - right click on the files/folders and away you go, also if someone resets your password with the password reset disk or admin rights they can't assess the files

http://windows.microsoft.com/en-US/windows7/What-is-Encrypting-File-System-EFS