Protecting laptop data with TrueCrypt
Based on press coverage, the unintentional disclosure of private information seems to be rising. In fact, it isn’t; it is being reported more often because laws in some U.S. states force companies to disclose it.
Laptops are not the only way sensitive data are lost, but as the massive loss of U.S. veterans’ private data through the theft of an employee’s laptop demonstrated, laptops are a favorite target for thieves.
And why not? A laptop is worth thousands, easy to steal, and easy to sell. The value and liquidity are high enough that thieves have entered crowded coffee shops and snatched them away while the owners were using them.
Fortunately, the thief usually only wants to pawn the laptop for cash and doesn’t know or care what’s on it. Regardless, the organization responsible for the data must assume the worst and start the expensive and embarrassing process of notifying clients and regulatory bodies and attempting to compensate for the potential damage.
The amazing thing about laptop theft is that hundreds of products exist specifically designed to protect data on portable devices. Disk and file encryption can make sure that when a laptop is stolen no sensitive data can be recovered.
The free, open source product TrueCrypt is ideal for laptops. With it you create a virtual drive that transparently encrypts and decrypts files using multiple recognized algorithms such as AES. When you start up your laptop, you mount the drive by entering a passphrase. From then on, the encrypted files appear under their own drive letter.
When the laptop is shut down or hibernates, TrueCrypt can automatically disconnect the drive, so you need to enter the passphrase again to access encrypted files. So, even if a thief snatches your laptop out of your hands, the moment they close the cover, sensitive files on the encrypted drive are protected.
So the protection is there, but how much trouble is TrueCrypt for the user? After all, if users have to keep entering a passphrase all the time, won’t they just revert to saving files to “My Documents”?
Some user discipline is required to use products like TrueCrypt. Hopefully anyone entrusted to care for a laptop and sensitive information has enough self-discipline to enter their passphrase and save files to the encrypted drive.
Here are some tips we’ve found that help:
Move My Documents to the encrypted drive
In Windows 2000 and XP you can move the location of the special “My Documents” folder to another drive. Just right-click on the folder and select “Move”. All the files will be moved. Move the laptop user’s “My Documents” to the encrypted drive to make it the default location for saving files. If the drive is not mounted, the user will get an error, reminding them to mount the drive.
Create a “mount” icon
Mounting an encrypted drive with the TrueCrypt dialog boxes takes too long. Help the user by creating a Windows Shortcut icon with the “Target” property like this:
"C:\Program Files\TrueCrypt\TrueCrypt.exe" /q /auto /m rm /letter f /v "C:\files\private.tc"
The above instructs the TrueCrypt executable to mount the volume “C:\files\private.tc” as drive letter F:. Create the above as a shortcut and put it in the “Quick Launch” toolbar next to the Windows “Start” button. When the user clicks it, they are prompted for their passphrase and the encrypted drive is mounted for them.
You can also copy the shortcut to the “Startup” folder so the user is prompted to mount the encrypted drive each time they log in.
One small problem with creating a mount shortcut is the loss of the “plausible deniability” feature of TrueCrypt. Encrypted volumes created by TrueCrypt are designed to have no characteristics that can identify them, making an attacker’s job more difficult. It’s harder to crack an encrypted drive when you’re not sure what you’re attacking really is one and not just a blob of random junk.
A mount shortcut points directly to the encrypted volume, so you lose that deniability. This could be an issue if, for example, you’re a British citizen, required by law to surrender encryption passphrases to law enforcement. Otherwise, the encryption used is still virtually impossible to break, so using a mount icon doesn’t affect the protection of the data in that way.
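The mount shortcut described above can also be created by script when preparing several laptops. This is an added example, not part of the original article or of TrueCrypt; the shortcut name is an assumption, and the paths, drive letter and switches are the ones shown in the Target line above.

```powershell
# Added example: create the TrueCrypt "mount" shortcut in Quick Launch and Startup.
# Paths and drive letter are the article's own; adjust them to the actual install.
$trueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'
$volume    = 'C:\files\private.tc'
$letter    = 'f'
$linkName  = 'Mount encrypted drive.lnk'   # assumption: any name will do

# Fail early instead of leaving the user with a shortcut that points nowhere.
if (-not (Test-Path -LiteralPath $trueCrypt)) { throw "TrueCrypt not found at $trueCrypt" }
if (-not (Test-Path -LiteralPath $volume))    { throw "Volume file not found at $volume" }

# Same switches as the Target line in the article. The passphrase is deliberately
# not part of the arguments: it must be typed at the prompt, never stored in the .lnk.
$arguments = "/q /auto /m rm /letter $letter /v `"$volume`""

# Per-user Quick Launch toolbar and the user's Startup folder.
$folders = @(
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'),
    [Environment]::GetFolderPath('Startup')
)

$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $folders) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Skipping missing folder: $dir"
        continue
    }
    $lnkPath = Join-Path $dir $linkName
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath       = $trueCrypt
    $lnk.Arguments        = $arguments
    $lnk.WorkingDirectory = Split-Path $trueCrypt
    $lnk.Description      = "Mount $volume as ${letter}:"
    $lnk.Save()
    Write-Output "Created $lnkPath"
}
```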
Use a dynamic volume
The latest version of TrueCrypt allows creation of volumes that are either a fixed size (disk space is used even when the volume is empty) or dynamic (disk space is used as needed). A dynamic volume has an upper maximum size but only uses space as files are stored in it.
Create a dynamic volume with a maximum size near the free space available on the hard drive. That will allow users to store as much or as little as they need, while the unencrypted portion of the laptop can be used for installed applications, games, multimedia and other unimportant bits every road warrior loves to have.
There is a minor loss of security when using a dynamic volume, as explained in the TrueCrypt documentation, but nothing most users need to worry about.
But is it really secure?
The encryption algorithms used by TrueCrypt are regarded by cryptographers as sound and would take thousands of years to crack using brute force methods. However, in every crypto system the actual algorithms are the strongest link in a chain of weak links.
The files stored in an encrypted volume are as secure as the underlying encryption implementation and the secrecy of the passphrase. A bug in implementation may allow an attacker to bypass or weaken the encryption. So far no bugs have been published for TrueCrypt, and the source code is available for everyone to inspect.
The greatest weakness is the passphrase. Once revealed, no amount of encryption can help. TrueCrypt offers the option of also using key files for authentication (such as a JPEG image on the hard drive or USB memory stick) as a form of two-factor authentication. An attacker must have both the passphrase and the key files to open the encrypted volume. That helps guard against attackers gaining access via a keylogger.
Temporary files are another concern. Windows and most applications write temporary data to c:\Windows\temp and to c:\Documents and settings\username. These files can contain copies of word processing documents, bits of memory and either complete copies or fragments of sensitive data. You can use the Windows “Encrypted file system” (EFS) to apply low-level encryption to those directories, but that interferes with some Windows applications.
Regular cleaning of those directories with Windows “Disk cleanup” and a product like Eraser can help remove temporary files. Using the Windows security option “clear virtual memory pagefile” on shutdown can reduce the presence of sensitive data in the Windows pagefile.
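To check that a laptop actually follows these recommendations, a short audit can be run on it. This is an added example, not part of the original article; the drive letter F: and the seven-day threshold for stale temporary files are assumptions.

```powershell
# Added example: audit the settings recommended in this article.
$encryptedDrive = 'F:'   # assumption: letter used by the mount shortcut
$maxAgeDays     = 7      # assumption: temp files older than this are "stale"
$report = @()

# 1. "My Documents" should point at the encrypted drive.
$docs = [Environment]::GetFolderPath('MyDocuments')
$report += [pscustomobject]@{
    Check = 'My Documents on encrypted drive'
    Value = $docs
    Pass  = $docs.StartsWith($encryptedDrive, [StringComparison]::OrdinalIgnoreCase)
}

# 2. The "clear virtual memory pagefile" security option is stored in this value.
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$clear = (Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
$report += [pscustomobject]@{
    Check = 'Pagefile cleared at shutdown'
    Value = "ClearPageFileAtShutdown=$clear"
    Pass  = ($clear -eq 1)
}

# 3. Temp directories should not accumulate old files that may hold
#    fragments of sensitive documents.
$cutoff = (Get-Date).AddDays(-$maxAgeDays)
foreach ($dir in @((Join-Path $env:windir 'Temp'), $env:TEMP)) {
    $stale = @(Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff })
    $report += [pscustomobject]@{
        Check = "No stale temp files in $dir"
        Value = "$($stale.Count) older than $maxAgeDays days"
        Pass  = ($stale.Count -eq 0)
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it with the encrypted drive mounted, as the laptop's normal user, so that the folder paths resolve to that user's profile.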
Other products
TrueCrypt is the best free disk encryption product we’ve found, but there are many disk encryption products available, some of which claim to encrypt the entire hard drive, temporary areas and all. A quick Internet search will find many. It’s important to find the best one for your organization, but more important than the specific features is that you actually use one.
Encryption is not a panacea for data loss. Even when an encrypted laptop is stolen you have to assume that the sensitive data has been disclosed. In real terms, though, the likelihood of that actually happening is vastly reduced. Using encryption also demonstrates due diligence: it shows you actually care about client data and took effective steps to protect it.
2 Responses to “Protecting laptop data with TrueCrypt”:
October 9th, 2006 at 3:35 pm
I used Truecrypt about 2 months ago to encrypt a portable drive. I know the password has the word “colgate” in it (as in colgate university).
Is there any way to try numerous passwords? Dictionary attack?
Whenever I put in a guess it only takes like a tenth of a second to tell me it’s wrong. Can’t this process be automated?
john
October 10th, 2006 at 1:43 pm
I hope it really is your drive… accessing (or even just attempting to access) computer data without authorization is a criminal act in many jurisdictions.
You could probably write something to brute force the password using a Windows scripting tool like http://www.autoitscript.com/autoit3/
But there are many command-line brute-force tools for Windows available… search the usual places such as http://www.packetstormsecurity.org/ and you’ll find a bunch.