I know how you feel. I also have sensitive information on my laptop that I would prefer not to fall into the wrong hands. I can handle losing the laptop, but thinking about the data in the wrong hands … well … that would be bad.
Encrypting individual files
You could, of course, encrypt data using various archiving tools that allow you to assign the resulting file a password.
The most common approach is to use “zip” files, with tools like 7-Zip. The zip file format supports password protection, which encrypts the file’s contents. Originally, zip encryption was weak and easily cracked, but over the years it’s improved to be pretty good. One caveat is that a password-protected zip file still lists the filenames it contains – it’s only the contents of those files which are protected.
Another good tool for this purpose is AxCrypt. Unlike 7-Zip, AxCrypt encrypts exactly one file at a time, and the filename itself is not exposed (unless you choose to make it so). Once again, this is good, strong encryption.
The problem with individual file encryption is that you must manually decrypt the file to use it. This also means you need to re-encrypt it when you’re done, and erase all traces of the work you did, such as temporary files, that might be left in unencrypted form.
Individual file encryption can be appropriate for some things, but for frequent use it’s typically too cumbersome.
As an aside, encryption of individual files offered by specific applications – such as password protection in Microsoft Office documents – can be quite good. Unfortunately it can also be as good as no encryption at all. It depends on how the application has implemented encryption. Older version of Office, for example, were quite bad at encryption, but current versions are better. You’re really at the mercy of the expertise of each individual application vendor. If you go this route I much prefer dedicated encryption tools.
Encrypting the entire hard disk
Encrypting the entire hard drive using whole-drive encryption is the other extreme. It is, indeed, one way to protect the contents of your entire system.
System-provided solutions, like Bitlocker in Windows, use encryption keys based on your system login to encrypt the hard drive. If you can’t log in, you can’t access your data – simple as that.
The bad news here is that it’s tied to your log-in account. If you lose your log-in account for any reason, you can lose access to your data permanently. Fortunately, Bitlocker encourages you to back up the encryption key separately when you first encrypt your drive. That key could presumably restore access later if you need it.
Third-party tools, like TrueCrypt (or supported derivatives like VeraCrypt), also support whole-drive encryption. This is independent of your system login, and typically relies on selecting an appropriately secure passphrase to decrypt the drive and boot your system.
Important: your data is fully secure only if you log out. As long as you log in and are able to access your data yourself, it’s available in unencrypted form. That means you likely want to avoid states like Sleep, or possibly even Hibernate, neither of which is an actual logout.
Whole-disk encryption is what I now use on my laptop, making sure to log out and shut down completely when appropriate.
VeraCrypt is free, open source, on-the-fly encryption software. It provides serious, industrial-strength encryption, while still being fairly easy to use. It can be used in several ways. The two most common are:
- It can encrypt an entire disk volume, such as a USB thumb drive, a single partition, or an entire hard disk, as I described above.
- It can create an encrypted virtual disk “volume” or container.
It’s the latter approach I use, as it makes it easy to copy entire containers from machine to machine.
An encrypted virtual disk is simply a file that VeraCrypt “mounts” as an additional drive letter on your machine. You specify the passphrase when the virtual drive is mounted, and the unencrypted contents of the container appear as another drive on your system.
For example, you might create an encrypted drive in a file c:\windowssecritstuf. If someone were to look at the contents of that file directly, they would see only random gibberish – the result of encryption. When mounted by VeraCrypt, it appears as a virtual drive – for example, selecting the drive letter “P:”. Drive P: would look and operate like any other disk, and would contain the unencrypted contents of the encrypted drive. Encryption is as simple as moving or copying a file to the drive.
The trick for security is to never mount the drive automatically. When your machine boots up, “P:”, for example, would be nowhere to be found. The file c:\windowssecritstuf would be present, but only visible as encrypted gibberish. If someone stole your machine, that’s all they would find.
Only after you’ve used the program to select the file (c:\windowssecritstuf), choose the drive to mount it as P:, and supplied the correct passphrase would the virtual drive be “mounted” and the encrypted data become accessible.
Encryption and security caveats
Most all of the approaches are relatively straightforward. The trade-off is complexity in setup versus complexity to use.
But there are additional items to keep in mind whenever you secure your system in this way.
- Passphrases are the weakest link. Encryption does not make a bad passphrase any more secure. If you choose an obvious passphrase, a dictionary attack can certainly be used to unlock your encrypted volume or decrypt your encrypted file.
- Encrypted volumes and encrypted files do you no good if the files you care about are also elsewhere on your machine in some unencrypted form. This is one of the benefits of whole-disk encryption – it’s all encrypted, no matter what.
- You must back up. Preferably keep the backups unencrypted but secure in some other way, in case you lose your computer, your encrypted disk or files, or if you forget your password. Without the password, encrypted data is not recoverable.
Data encryption is an important part of an overall security strategy. Keeping your sensitive data secure requires a little forethought and planning. With viruses and spyware running amok, not to mention theft, there’s no excuse not to take a little time now to save yourself some serious grief later, should the unthinkable happen.