
How Can I Keep Data on My Laptop Secure?

I travel a lot, and have sensitive data on the laptop I take with me that I need as part of my job. But I’m in fear of losing the laptop and that this data will fall into the wrong hands. What do you suggest?

I know how you feel. I also have sensitive information on my laptop that I would prefer not to fall into the wrong hands. I can handle losing the laptop, but thinking about the data in the wrong hands … well … that would be bad.

I’ve used a couple of different solutions over the years. They both share one thing in common: encryption.


Encrypting individual files

You could, of course, encrypt data using various archiving tools that allow you to assign the resulting file a password.

The most common approach is to use “zip” files, with tools like 7-Zip. The zip file format supports password protection, which encrypts the file’s contents. Originally, zip encryption was weak and easily cracked, but over the years it’s improved to be pretty good. One caveat is that a password-protected zip file still lists the filenames it contains – it’s only the contents of those files which are protected.
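To see what that caveat means in practice, the following Python script (an added example, not part of the original article) reports everything a password-protected zip reveals to someone who does not have the password. The sample archive is built by hand inside the script; its file names, sizes and filler payload are constructed for illustration.

```python
import io
import struct
import zipfile
import zlib


def build_sample_encrypted_zip():
    """Hand-build a tiny archive whose entries carry the 'encrypted' flag.

    CONSTRUCTED SAMPLE: the names and sizes are invented, and the payload is
    filler standing in for ciphertext; no real password protects it.
    """
    entries = [("2024-tax-return.pdf", 48213), ("client-list.xlsx", 9120)]
    dos_time = (14 << 11) | (30 << 5)                 # 14:30:00
    dos_date = ((2024 - 1980) << 9) | (3 << 5) | 9    # 2024-03-09
    flags, method = 0x0001, 8                         # bit 0 set = encrypted entry
    body, central = b"", b""
    for name, plain_size in entries:
        raw = name.encode("ascii")
        payload = bytes(range(32))                    # filler, not real ciphertext
        sizes = (zlib.crc32(payload), len(payload), plain_size, len(raw))
        offset = len(body)
        # Local file header, then the name, then the (encrypted) data.
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                            dos_time, dos_date, *sizes, 0) + raw + payload
        # Central directory record: this index is stored in the clear.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               method, dos_time, dos_date, *sizes,
                               0, 0, 0, 0, 0, offset) + raw
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                      len(entries), len(central), len(body), 0)
    return body + central + end


def audit_zip(data):
    """Return what can be learned from a zip without knowing its password."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            readable = not encrypted
            if encrypted:
                try:
                    archive.read(info.filename)       # no password supplied
                    readable = True
                except RuntimeError:                  # "password required"
                    readable = False
            report.append({
                "name": info.filename,
                "size": info.file_size,
                "modified": info.date_time,
                "encrypted": encrypted,
                "readable_without_password": readable,
            })
    return report


if __name__ == "__main__":
    for row in audit_zip(build_sample_encrypted_zip()):
        print(row)
```

The contents stay locked, but the name, original size and modification time of every file are listed, so a descriptive filename can give away as much as the file itself.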

Another good tool for this purpose is AxCrypt. Unlike 7-Zip, AxCrypt encrypts exactly one file at a time, and the filename itself is not exposed (unless you choose to make it so). Once again, this is good, strong encryption.

The problem with individual file encryption is that you must manually decrypt the file to use it. This also means you need to re-encrypt it when you’re done, and erase all traces of the work you did, such as temporary files, that might be left in unencrypted form.

Individual file encryption can be appropriate for some things, but for frequent use it’s typically too cumbersome.

As an aside, encryption of individual files offered by specific applications – such as password protection in Microsoft Office documents – can be quite good. Unfortunately, it can also be as good as no encryption at all. It depends on how the application has implemented encryption. Older versions of Office, for example, were quite bad at encryption, but current versions are better. You’re really at the mercy of the expertise of each individual application vendor. Rather than go this route, I much prefer dedicated encryption tools.

Encrypting the entire hard disk

Encrypting the entire hard drive using whole-drive encryption is the other extreme. It is, indeed, one way to protect the contents of your entire system.

System-provided solutions, like BitLocker in Windows, use encryption keys based on your system login to encrypt the hard drive. If you can’t log in, you can’t access your data – simple as that.

The bad news here is that it’s tied to your log-in account. If you lose your log-in account for any reason, you can lose access to your data permanently. Fortunately, BitLocker encourages you to back up the encryption key separately when you first encrypt your drive. That key could presumably restore access later if you need it.

Third-party tools, like TrueCrypt (or supported derivatives like VeraCrypt), also support whole-drive encryption. This is independent of your system login, and typically relies on selecting an appropriately secure passphrase to decrypt the drive and boot your system.

Important: your data is fully secure only if you log out. As long as you log in and are able to access your data yourself, it’s available in unencrypted form. That means you likely want to avoid states like Sleep, or possibly even Hibernate, neither of which is an actual logout.

Whole-disk encryption is what I now use on my laptop, making sure to log out and shut down completely when appropriate.

Encrypted vaults

For many years I used TrueCrypt. While TrueCrypt itself is no longer supported, derivatives like VeraCrypt are, and are quite worthy successors.

VeraCrypt is free, open source, on-the-fly encryption software. It provides serious, industrial-strength encryption, while still being fairly easy to use. It can be used in several ways. The two most common are:

  • It can encrypt an entire disk volume, such as a USB thumb drive, a single partition, or an entire hard disk, as I described above.
  • It can create an encrypted virtual disk “volume” or container.

It’s the latter approach I use, as it makes it easy to copy entire containers from machine to machine.

An encrypted virtual disk is simply a file that VeraCrypt “mounts” as an additional drive letter on your machine. You specify the passphrase when the virtual drive is mounted, and the unencrypted contents of the container appear as another drive on your system.

For example, you might create an encrypted drive in a file c:\windowssecritstuf. If someone were to look at the contents of that file directly, they would see only random gibberish – the result of encryption. When mounted by VeraCrypt, it appears as a virtual drive – for example, selecting the drive letter “P:”. Drive P: would look and operate like any other disk, and would contain the unencrypted contents of the encrypted drive. Encryption is as simple as moving or copying a file to the drive.

The trick for security is to never mount the drive automatically. When your machine boots up, “P:”, for example, would be nowhere to be found. The file c:\windowssecritstuf would be present, but only visible as encrypted gibberish. If someone stole your machine, that’s all they would find.

Only after you’ve used the program to select the file (c:\windowssecritstuf), choose the drive to mount it as P:, and supplied the correct passphrase would the virtual drive be “mounted” and the encrypted data become accessible.

Encryption and security caveats

Almost all of these approaches are relatively straightforward. The trade-off is complexity in setup versus complexity in use.

But there are additional items to keep in mind whenever you secure your system in this way.

  • Passphrases are the weakest link.  Encryption does not make a bad passphrase any more secure. If you choose an obvious passphrase, a dictionary attack can certainly be used to unlock your encrypted volume or decrypt your encrypted file.
  • Encrypted volumes and encrypted files do you no good if the files you care about are also elsewhere on your machine in some unencrypted form. This is one of the benefits of whole-disk encryption – it’s all encrypted, no matter what.
  • You must back up. Preferably keep the backups unencrypted but secure in some other way, in case you lose your computer, your encrypted disk or files, or if you forget your password. Without the password, encrypted data is not recoverable.
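One way to check for the second caveat, stray unencrypted copies, is to hash the files in your mounted vault and look for byte-identical files elsewhere on the disk. This Python script is an added example, not from the original article; the function names and the demo folder layout are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def iter_files(root):
    """Yield regular files under root, skipping symbolic links."""
    for folder, _subdirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            if os.path.isfile(path) and not os.path.islink(path):
                yield path


def find_plaintext_copies(vault_root, search_roots):
    """Map each vault file to byte-identical copies found outside the vault."""
    vault_root = os.path.realpath(vault_root)
    by_size = {}
    for path in iter_files(vault_root):
        size = os.path.getsize(path)
        if size:                        # empty files would match each other
            by_size.setdefault(size, []).append(path)

    vault_digests = {}                  # hashed lazily, only on a size match
    copies = {}
    for root in search_roots:
        for path in iter_files(os.path.realpath(root)):
            if path.startswith(vault_root + os.sep):
                continue                # the vault itself is not a leak
            try:
                candidates = by_size.get(os.path.getsize(path), [])
                digest = sha256_of(path) if candidates else None
            except OSError:
                continue                # unreadable or vanished file
            for original in candidates:
                if original not in vault_digests:
                    vault_digests[original] = sha256_of(original)
                if vault_digests[original] == digest:
                    copies.setdefault(original, []).append(path)
    return copies


def demo():
    """Build a constructed folder layout and report leaks by relative path."""
    with tempfile.TemporaryDirectory() as base:
        layout = {  # constructed sample data
            "vault/salaries.csv": b"name,salary\nalice,100\n",
            "Downloads/salaries (1).csv": b"name,salary\nalice,100\n",
            "Temp/same-size.bin": b"x" * 22,   # same size, different content
            "Documents/notes.txt": b"nothing sensitive",
        }
        for rel, content in layout.items():
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(content)
        found = find_plaintext_copies(os.path.join(base, "vault"), [base])
        real_base = os.path.realpath(base)

        def rel(p):
            return os.path.relpath(p, real_base).replace(os.sep, "/")

        return {rel(k): [rel(p) for p in v] for k, v in found.items()}


if __name__ == "__main__":
    print(demo())
```

This only finds exact copies. Edited drafts, application temp files with different contents, and swap or hibernation files will not match a hash, which is part of the case for whole-disk encryption.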

Data encryption is an important part of an overall security strategy. Keeping your sensitive data secure requires a little forethought and planning. With viruses and spyware running amok, not to mention theft, there’s no excuse not to take a little time now to save yourself some serious grief later, should the unthinkable happen.


64 comments on “How Can I Keep Data on My Laptop Secure?”

  1. When I last looked at PGP it wasn’t as clear to use and didn’t provide the virtual disk drive functionality. If that’s changed, it could be a good alternative as well.

  2. What about stuff like SecurStar’s DriveCrypt Plus Pack DCPP? Encryption of the whole operating system at the kernel level…

  3. What about stuff like SecurStar’s DriveCrypt Plus Pack DCPP? Encryption of the whole volume and operating system at the kernel level…

  4. Thank you for making this information available. It has been extremely helpful to me. I plan to do a lot of traveling and I needed a place to start the search for making my laptop secure. THANKS :o)

  5. I used pgp 7.0 which offered the same functionality, and more. The Truecrypt virtual disk looks to be just as good AND they added a nice new feature: the “hidden” volume. If forced to unveil a password you can mount the volume with a second password that only gives away part of the data, not your truly secret stuff. I started to use Truecrypt in the 1st place because I could not find a pgp (or gpg) version that supports XP anymore…

  6. use truecrypt instead of pgp because it’s a lot cheaper, but it’s a bitch to get started, i had to read the readme.


    Proxys get around bess

  7. Easy as pie

    Chuck the hard drive altogether
    Set CDROM drive as master in bios
    boot up in slax linux,surf as usual
    keep a little usb thumbdrive handy for backing up stuff.
    Oh and a little knowledge in linux would help.

    But hey nobody can get your data cause you don’t have a hard drive on that IDE cable inside the unit itself …lol

  8. Knoppix
    Slax
    Puppy linux
    Pc linux OS
    D@m small linux

    They all work on CD as a read only OS.
    You really DON’T need a hard drive!!!!.
    just use a small thumbdrive to store stuff.
    Make sure you’re on a router that has PPPoE or auto DHCP selected so your linux CD knows you want to surf the WWW.

    Learn linux it’s the ultimate in privacy.
    Don’t count on payware that bloats your OS to the size of the hindenburg.
    Right now this message is being typed in Slax Linux 5.1.7 LIVE CD no HD
    Pentium 4 2.4 GHz
    2 gig ddr
    4 gig Gigabyte I-ram pseudo drive____ ((((IDE CARD with 4 sticks of 1 gig each on it))))
    Nvidia 128 meg graphics.
    Linksys 10/100 ethernet card.
    1 dvd read drive
    2 cdrw burner drives.

    Not meant to impress just to show the configuration.
    Gigabyte motherboard

  9. Some time I used PGP disk to protect my private data, but now I am using Eterlogic SecretDrive, it supports many encryption algorithms, RAM disk, and hidden volumes. It is fully compatible with Windows Vista, so I recommend it to anyone.
    You can get it at http://www.eterlogic.com

  10. I wonder what about keylogging programs for Windows XP? If a potential intruder would like to get to the encrypted volume, he could install keylogging software considering he has the access.
    Does TrueCrypt offer any protection for such a scenario?

  11. If your system has been compromised with a keylogger, then absolutely, all bets are off as they could easily sniff anything you type including your TrueCrypt password.

    Basically if your system has been compromised in any way, you must assume the worst.

    Leo

  12. Hey I was wondering about Lojack on my Dell. It seems like a great way to protect sensitive data. My Dell Laptop has Absolute’s Computrace Module on the BIOS but I disabled it b/c I read about how the company is able to see private files on my computer, although I now don’t know how much more important this is compared to tracking down my computer if it were stolen. I was wondering if I could still install the software and it work without the hardware side of the service working, and if so I have another question. Couldn’t someone then just wipe the hard drive or reinstall windows or I heard it doesn’t work on non-windows OS’s, so then install say ubuntu or something and connect to the internet no problem. Cool, that’s all for now, Hey great work, much appreciated. Thanks, Blaze

  13. I think Truecrypt has limitations – not above 100 MB. I find deslock easy to use, without any limitations and is free.

  14. It may have limitations, but that’s not one of them. I have a 16 gigabyte TrueCrypt volume on my 32gig thumbdrive.

    Leo

  15. while the suggestions others made are good ones (using “live CD’s” etc) I have to go with Leo on this one..

    Truecrypt is practically the industry standard for any pc techs in the know.. it being Open Source *to me* means it is more trustworthy as far as any possible “backdoors or backdoor keys” being built in or handed over to the NSA or Big Brother, seeing as how you can check the code yourself..(or anyone else) it offers very fast on the fly encryption in various forms as well as multifactor authentication.. ie, you can set it up so it needs both a password and a keyfile (or as many keyfiles as you wish) to unlock its goodies)

    the keyfile can be any file you choose, anything, even an mp3..or let truecrypt randomly generate one.. -on the laptop itself or on separate media (USB key, CD etc) for added protection..

    you can encrypt the whole drive or create an “opaque” file that is mounted as another drive letter, -which can easily be burned/copied to external media.. it also allows you to combine encryption algorithms if you want to go crazy. although you will take a little more of a performance hit doing that.

    Truecrypt limits the volume size to a max of 1 Petabyte. -which i’m sure is all you’ll need for the time being. -so no worries there.

    personally, i’d just keep sensitive data on two USB keys (or smart cards such as those used in cameras and the like) and leave the rest of the laptop unencrypted. -that’s your call.

    Truecrypt also has “Traveler Mode” for USB keys so you can carry any important data on just the key itself.

    what this mode does is allow the USB key to become a fully self-contained, plug-in, on the fly encrypt/decrypt hardware device. -that leaves no foot prints. -you could combine this with, say, a “Live CD” Ubuntu distro on a bootable high-speed USB key for the ultimate easy “ready to boot” secure “traveling O/S” that you can plug into any USB 2.0 port..

    lastly, Truecrypt volumes contain no volume headers of any kind and truly look like a bunch of random noise (gibberish).. can’t prove there is anything there..for those who need a bit more discretion than the average joe..

    Research it for yourself. you’ll find many industry heavyweights using it. -combine it with a virtual machine for added fun.. 🙂

    btw: if you want to learn more about PC security, give steve gibson’s Security Now podcasts a listen. -over at grc.com.

    if you cant make an informed decision after getting schooled by him, well..

    -soundwash

  16. TrueCrypt doesn’t work from a usb drive unless you have admin access to the PC. This rules it out for me as most corporate PCs I use (and public ones) don’t allow admin access.
    Any decent alternatives?

    There are two issues:

    Yes, the device driver either requires administrator privileges or an administrator must have already installed TrueCrypt making it accessible to all users.

    But are you really saying you want to open your sensitive encrypted data on a system where you don’t know who the administrator is? A system that might have been compromised with spyware or what not before you even got to it?

    It just doesn’t seem like a good thing to do, in my opinion.

    All that being said, perhaps http://sourceforge.net/projects/tcexplorer/ might be an option.

    -Leo

  17. >> But are you really saying you want to open your sensitive encrypted data on a system where you don’t know who the administrator is? A system that might have been compromised with spyware or what not before you even got to it?

    Fair comment, but I work in a variety of universities & companies, I need access to my data while there and very few allow admin access!
    I’ll look at tcexplorer – thanks
    S

  18. Rick,
    I have a need for serious data security. Is there a program that would automatically wipe clean my hard drive if say..I didn’t log in every 2 hours. Is there something that will allow me to call from a cellphone and activate the program that would WIPE my hard drive. By wipe I mean NEVER be able to recover the data or for that matter use the laptop again at all.

    WIPE? No. But you can get just as secure, I believe, by keeping your data in a TrueCrypt volume with an appropriately strong passphrase, and configuring it to auto-dismount on inactivity.

    – Leo
    12-Dec-2008

  19. You can also use the BIOS option of providing a password to your hard drive – this keeps honest but nosy people out and is much more difficult to “break” than a Windows password.

  20. I am working in a company which makes website for health, fitness, mini roulette, IT, shopping etc and I was in a great need of buying a laptop. So I finally bought a Dell Latitude D530, laptop last week.
    Most of the people advised me that it would not be a good deal to buy a laptop, instead they advised me to buy a desktop. I don’t know why people have so much misconception regarding buying a laptop.

  21. I’m 99% ready to set up TrueCrypt. I travel and do not want anyone to steal my data – if they steal my laptop. What setting should I select? BB

  22. File protection is great with passwords for access and editing. But it doesn’t stop someone from accidentally deleting the file.

    How do I stop an accidental deletion?

  23. This is a great article and discussion. One of the things I have been pleased by is services like Alertsec which offer hard disk encryption as a fully managed service. It uses the Full Disk Encryption (former Pointsec) software but is a web based encryption service that radically simplifies deployment and management of PC encryption. It is a heck of a lot easier for an enterprise than trying to manage all those laptop encryption on your own! We put off encryption for way too long (and got burned once) and this managed approach made it possible for us to afford it from a money and more importantly staff resource perspective.

  24. I run Alertsec and it sure is easy. The good thing is that they have a great telephone support which helps you unlock your laptop when you forget or type your password in wrongly (Which I have done twice in the last 16 months..) so it is worth that little extra you pay – compared to installing it yourself. It is encryption we are talking about here – so if you b-gger it up you are really and truly lost.

  25. Hi, when installing TrueCrypt what is the best option to use: Install or Extract (for travel) … BTW I run Windows 7 and there is a message saying is not supported … any risk on using it despite of this !?

    I just install. (Extract is useful for some cases, but if you’re not sure, just install.) From what I’ve seen it works fine in Win 7, but I’d expect an update very quickly after 7 releases.

    Leo
    11-Oct-2009

  26. I personally use SecureDoc (by WinMagic) to encrypt, from BOOT level, the whole hard drive.
    Power down, drive off, no one can access that drive, even by ripping it out to take files (understood, some espionage hacker might….)

    this way, I can have home, personal, finance, etc, with me at all times.

    I do NOT do STANDBY/sleep modes ever

    I ALSO use TrueCrypt for usb drives, even other containers ON the encrypted hard drive itself.

    TrueCrypt has a bootable protection feature also, but I have not tried it.

    Look up Blue Cross laptop theft. YOUR INSURANCE companies can’t even get it right; 850,000 physician names/social security numbers/provider numbers on that stolen laptop, couple months ago. Laptop was NOT encrypted.

    anyway, hope this helps
    nick

  27. Have different passwords for different things (banking, websites, blogs) was always forgetting which password went where.

    Installed truecrypt as a container file with a really strong letters and number password.

    Now, if i am uncertain which password goes where just mount the virtual disk and they are all there.

    excellent program

  28. I understand that without the password the data cannot be hacked – yes maybe NASA can break it . But these days there are several professional agencies with a lot of fancy software who recover such data from computers. If someone took my laptop to such a professional agency specialising in recovering/ hacking such data could the agency recover this data without the password in say one or two weeks of attempt.

    This point is especially important as it will help determine the the level of confidential info i can store on my laptop.

  29. I make encrypted vaults which are on my Laptop and external drive using Dekart. I selected them because you can run the Dekart application from the external drive. So if you want to access your data from your external drive the computer you access it from doesn’t need Dekart installed.

  30. An important consideration for travelers using encryption software such as TrueCrypt is that they should never put anything inside an encrypted volume that might get them in trouble with the authorities. When crossing international borders, authorities do have the right to examine your computer and media and to demand that you unlock any encrypted volumes. If you refuse then you run the risk of having your computer impounded.

  31. Can you encrypt the information you want saved from the laptop to a high capacity thumb drive then completely erase the hard drive of the encrypted information?

  32. @ Ernest You can do this, but be aware of two things. 1. Thumb drives are easy to lose and subject to data loss. Keep a few backups. 2. When you say completely erase the file, you should use a file shredder to permanently erase your file. Personally, I’d keep the encrypted file on my computer or at least on a removable hard drive. Thumb drives are good for transporting data but not so good for permanent storage.

  33. How much overhead does the whole disk encryption place on your system? At work, I’ve had to use Symantec’s PGP WDE for a few years now. Every laptop we have used it installed on whether an old 2.5ghz Intel Core 2 Duo or an I5, or even an I7, we’ve found that about between 4 to 8 minutes is added to the boot time. Also, once booted the system performs noticeably slower.

    I’d like to use a type of whole disk encryption, on my personal laptop. However, I don’t want excessively long boot time and performance issues. So how have the alternatives like BitLocker, TrueCrypt/VeraCrypt gone for you? How much of an impact has it had on boot time and performance?

    -Yes, the personal laptop has an SSD and a less than 45 second boot time currently.

    Please, no arguments about why whole disk encryption is necessary. As it is, on the work side I already deal with data on laptops I don’t want falling into the wrong hands. I can find ways to limit the data on my personal laptop to an encrypted folder on it or a thumb drive. What I’m looking for is how your find the performance of your laptop after securing it.

    • Last week I had a rare opportunity. I was able to use a SSD in one of our Samsung I5 laptops. The only non-standard portion is that this one has 12gb of ram than the usual 6gb. System was also built on our standard Windows 7 image. With an SSD this system would take about 30 seconds to reach the desktop. Adding the Symantec WDE has only added 15 seconds to the boot time and no noticeable issues on startup. I’m impressed the SSD was able to tear through the encryption process and subsequent reboots. 4-5 Minutes is the usual boot time for the same system with 6gb ram and a standard HDD.

      So if you want some form of WDE, get SSD.

  34. The one reason holding me back from using full disk encryption is that I sometimes need to reboot my computer remotely. If my disk is encrypted, don’t I need to be physically at my keyboard to type in the password before it will actually boot up the operating system?

    If so, is there any way around that requirement? For example, an option that lets you enter your password before rebooting, and automatically enters that password during the next (and only the next) reboot?

    • Mike,

      I don’t know about the other software, but I have bypassed the password with Symantec’s PGP Whole Disk Encryption.

      https://support.symantec.com/en_US/article.TECH171761.html

      Also in the past, I had a machine with a TrueCrypt encrypted external mounted drive. I used a batch file to mount it automatically when necessary. When used this was set to run at startup. @Echo Off is used so that someone booting or logging into the computer does not see the password displayed on the screen

      @Echo Off
      "c:\Program Files\truecrypt\truecrypt.exe" /v e:\Backups\backups /a /l K /p Your-P4sswordIsXposedHere! /q

      http://andryou.com/truecrypt/docs/command-line-usage.php

    • I’m not aware of a workaround. In a way such a work around could be seen as a serious weakening of the very security you’re looking for. If you need remote reboot you’ll need to secure your data some other way.

  35. Well, Duh. All that’s well & good about encryption, but there’s a step that was overlooked. I use a strong tether inserted into my laptop and wrap it around a table leg or whatever is available. That seems like an obvious safety precaution to me. This is particularly useful when working in a coffee shop and having to decide what to do when nature calls.

  36. Hi Leo

    If I use encryption, how will I be able to leave my PC at a repair shop? I assume I would have to leave it un-encrypted to allow them to work on it.
    My main concern would be Word Files, which I am led to believe the passwords can be cracked easily by a techie.

    Regards

    • It would depend on what you need done with the repairs. If it’s a hardware repair you may be able to keep it encrypted. If it’s a software problem, then of course the tech will need to boot it up and sign in if it’s fully encrypted. Basically, you’ll need to really think through your encryption needs if you have to take the computer to a tech. For instance, if you are mostly worried about your Word files, then perhaps encrypting just that directory will be enough.

    • You are correct, in general. If you use whole-disk encryption, then the technicians would need access to your machine to help you.

  37. Steganos Privacy Suite. Create a secure drive with “”SAFE”” that does not appear in the windows directory until you open it with the password.
    Then it appears and works like any other windows drive.

  38. Leo, I think this might be a good topic for a book. I would suggest a simple way to setup and encrypt file for a simple person like me. My biggest fear would be theft of my computer. Most stuff I could care less about but files like financial data I worry about.

  39. If you’re working on something–say a Word document–in an encrypted volume P:, what about temporary files and such: could they be exposed?

    • Yes. You’d need to take steps to clean up temp files (a free space wiper, for example). One reason to consider whole-disk encryption.

  40. I use the hard-drive password option in the bios. Separate from the bios password.
    I also use SafeHouse Explorer, which is encrypted containers.
    I don’t really know how SafeHouse Explorer rates, compared to others, but I just use it to keep my non-tech siblings out.

  41. I recently discovered a freeware application that will encrypt either files or folders. It’s called EncryptOnClick, made by the people who created PKWare. It uses 256-bit AES encryption, files are both compressed & encrypted which results in a smaller file size (good for saving to cloud storage services), they are password protected, there’s an option to encrypt filenames, keep or delete the original file, and it can be used on a USB key by copying 3 specific files to it.

    It’s available at: http://www.2brightsparks.com/freeware/index.html

  42. I’m confused about one point. If I encrypt my files, and back these files up, won’t the backup copies also be encrypted? If so, these backups won’t save me from losing my password.

    • If you back up encrypted files, the files in the backup will also be encrypted. You would always have to remember the master password you use to encrypt your other passwords. If you forget that, all your encrypted files would be lost.

    • This depends ENTIRELY on how you encrypt your files, AND how you back up.

      Backing up encrypted files will not protect you from password loss. However backing up UNencrypted files (which I also tend to recommend) and then securing those backups some other way, does.
