How do I secure a hard drive before sending it in for repair?

When sending your computer out for repair, you're handing over everything on it, including your data. Options to secure a hard drive are limited.

//
How does one secure a hard drive while sending the computer to a repair facility? I have personal financial information on my hard drive and will just a password provide sufficient protection while the computer is in the shop? After the fact, is there maybe a way to find out if someone has copied the files?

What you’ve presented is actually quite a dilemma.

To answer the second part first: no. There’s simply no way to determine if your files have been copied – at least not in any way that absolutely says they were copied with malicious intent.

The problem is, there’s really no fool-proof solution to your scenario. In fact, I’ve heard of companies occasionally electing not to repair a hard drive, because it meant that sensitive data might be visible to repair technicians.

Your options to secure a hard drive are limited, but if you can plan ahead, there’s a chance.

Physical security

The problem is basic. Handing your computer to a technician for repair violates one of the fundamental principles of computer security: if ‘s not physically secure, it’s not secure. Period.

That’s actually true regardless of the reason. Handing your computer over to anyone is fundamentally not secure.

It really all boils down to trust. In an ideal world, you would have a totally trustworthy technician working on your machine. In the real world, we’ve all heard of data being stolen by folks with access to your machine.

So what to do?

Plan ahead with encryption

The only completely secure solution to safeguard a hard drive is to encrypt it, or the sensitive data you store on it.

Now, you might opt for whole-disk encryption, but the problem here is that the technician might still need access to it to fix your machine – meaning you’ll have to share the decryption keys so he or she can boot the system. After doing so, the tech will have access to everything.

The more practical solution to secure a hard drive would be to encrypt only your data, using tools like TrueCrypt, BoxCryptor, or others.

When your data is not “mounted” (the approach both of those tools use to access your encrypted data), your technician can work on your machine without being able to access your sensitive information.

Can you secure a hard drive?Last-minute solutions

That type of encryption is nice if you’re willing to put the effort in ahead of time, and if it’s worth the hassle to protect the data just in case the machine might someday need to be sent to a technician.

For most people, I suspect it’s just not worth the effort.

Unfortunately, there aren’t really any last-minute solutions. You might want to encrypt before you send the machine off for repair, but if your machine is so broken that you can’t do that, then you’re stuck.

There’s one possibility: if the problem you’re having the technician look into is not hard-disk related, one option might be to remove the hard disk while he or she works on your machine. He or she (or you) would need to provide a temporary hard disk so he can work on your machine, but at least that wouldn’t have your data on it. When you get the machine back, you replace your hard drive, and hopefully all is well.

Unfortunately, most problems involve the hard disk at some point. Be it actual hard disk failures or software configuration, what’s on the hard disk is typically at the heart of any repair work.

Application password protection

Using an application’s own password protection is better than nothing. If your bookkeeping program, word processor, or some other program provides this layer of protection, you should probably use it.

Ultimately, however, application password protection isn’t the same as taking steps to secure a hard drive. It’s best to think of it as no more than “keeping honest people honest”.

The problems with using the password protection provided by many applications include:

  • Sometimes, a password doesn’t mean the data is encrypted. It simply prevents the application from opening the file without the proper password, but the information in the data file remains unencrypted and potentially visible.
  • Sometimes, the encryption is “light”. By that I mean that the encryption is perhaps more properly called “obfuscation” to keep the data from being so easily visible. To someone truly interested in cracking the file, it’s not much of a barrier at all.
  • Sometimes, the encryption is wrong. By that I mean that there are simply bugs in the application, or poor decisions made by the designers, that make the encryption less than completely secure. Application authors are rarely security experts. The net result is that the file could be vulnerable to a hacker intent on breaking in.

Yes, it’s possible – probable, even – that with major, mature, applications the encryption is appropriately secure. It’s also unlikely that your technician is an expert hacker ready to crack half-way reasonable encryption.

But, in either case, how do you know?

The bottom line is trust

Your options are few and inconvenient.

  • If you can, if you’re willing, encrypting sensitive data ahead of time makes sense in general. It also protects you should your computer ever be stolen.
  • Investigating the security of the password protection of your applications is a good idea; if it’s good, using it to secure your data can help.
  • If you have sensitive data that you know is unencrypted or vulnerable, then never give that machine to someone you don’t trust completely.
  • If you can’t find someone to trust, then perhaps not repairing the system – or at least the hard drive – might be the most pragmatic solution of all.

Naturally, I have to throw in a recommendation for backing up.

Backups sidestep this issue completely in many (though not all) cases. If your hard drive dies, rather than having a technician fix it – and potentially access your data – replace it immediately and restore from your most recent backup. Destroy the broken drive for additional security if you like.

As I said, that doesn’t work for all situations – such as a motherboard failure1 – but it’s relatively quick and easy, and above all, secure.

But like most of the solutions we’ve discussed here, proper prior planning is required.

This is an update to an article originally posted : January 29, 2009
Play
Footnotes and references

1: Though for that, you could swap out the hard drive with an empty one, and let the technician have at the machine that way.

Comments

  1. John Williams

    Back everything p regularly with a disk imagine program and then wipe the disk -properly -before sending in the pc for repair

  2. Banyarola

    If possible I would put in a substitute hard drive if available.Almost everyone I know that has brought a PC in for repair has had the hard drive formatted by the tech even if you leave instructions for them now to do so.
    [link removed]

  3. Jim Shipton

    My Solution – I have a second H/D that I have straped as a slave and use hardware from Manhatan (Hi-speed USB 2.0 to SATA/IDE Adapter w/powersupply about $25.00). That way I can save my data to the slave and after any repairs I just transfer my data back to my orignal H/D. Very User friendly.

  4. WOFTBO

    Sending back a laptop without a booting hard disk drive is not acceptable to at least one of the largest mfg’s (provided the problem is not the hdd). Jim’s solution above would be one the best.

  5. dgr

    This is basically Jim’s ans above but with a twist. It seems to me that the simplest way is to put your sensitive data on an external drive. With your data there it doesn’t matter what happens to your computer. Basically, you don’t worry about sensitive data on your computer because it never was on your computer in the first place. BTW, I just got a 1TB drive for under $130.

    Two issues: 1) what if that external drive fails? (i.e. be sure you backup), and 2) what about sensitive data whose location you can’t control, (i.e. perhaps there’s something you’d consider “sensitive” in your registry?)

    – Leo
    06-Feb-2009
  6. Shawn Patrick

    I’m glad that there are others that have taken the words right out of my mouth. Always do you best to learn how to keep your pants at your waistline and not at your knees. LOL Shawn Patrick from Toronto, Canada

  7. L. O'Neal

    When I get a new computer or install a new HDD, the the first thing is to make an image of the HDD with Acronis True Image to external media. Then make regular image backups. Before turning the computer over to someone else, Wipe the HDD and put the orignal image back on it.

  8. Jenny

    Some very good suggestions. Thanks. However one of my concerns, not covered, is how to securely lockdown one’s email client prior to handing over the computer? Seems to me that email itself often contains a huge amount of personal data. Mine sure does. Password protection of the app is sometimes possible, but useless, as so easily broken.

    Just a word here too about the security passwords built into laptops. These provide very good protection, too good, as I found out to my lasting regret when I spilt a BIT of water onto the k’board. Some of the keys shorted and I was no longer able to enter a part of my password, so was permanently locked out of my laptop. An external USB keyboard of course was no help at all. These passwords are so built-in esp. the SVP which I believe resides in a hidden chip on the m’board, that you’re hosed if you forget them or have a disaster like mine. Seems there’s no password unlocking utilty around that can recover them. Well I certainly hadn’t forgotten mine. So be warned!

    If anyone’s got any lateral thinking on a solution for this, other than a new MB, please reply.

    I store all my mail folders on an encrypted TrueCrypt drive. Without the password, they can’t be seen.

    – Leo
    15-Mar-2009
  9. Gabreil Garrigues

    Hi

    Thanking Leo.
    Regarding this problem how a technicine is going to repair your computer if the hard disk is empty ?
    I was rather thinking of a deontological protection.

    The technician will boot from a diagnostic CD or other media.

    – Leo
    06-Apr-2009
  10. James

    I know techs who say they never pay any attention to what’s on a hard drive and I know techs who say they always look at what files are on them. Some of the latter say they just look to see what the person has in their music and picture folders. One guy was honest enough to tell me that he goes through the files of every hard drive that comes through his shop, looking to see what (if any) porn pics the person has on there.

    So the basic rule is, never have anything saved on your hard drive that you’d be embarrassed to have a computer tech see if he snoops through your stuff.

    • Mark Jacobs

      Unfortunately, most technicians wouldn’t allow it. The job takes usually takes longer with someone asking questions, making useless suggestions etc. I don’t mind as so much if I’m getting paid by the hour. :)

    • Mostly because repair people are often in other places miles away. Some are large corporations that dont’ allow random strangers into their work areas. And some technicians work on their schedule, not yours.

  11. CorneliusSneedely

    The obvious solution that comes to mind is to learn to do your own repairs. It is not nearly as difficult as many people seem to think. You can find videos on YouTube about diagnosing problems and replacing components, and once you get into it, you will probably find yourself wondering why you ever paid anyone to do these things.

  12. Leo

    I have two 2TB external drives that everything goes on, and to play it real safe I also have Google and Asus Cloud Storage for my docs. But I also have nothing to hide.

  13. Howard Steeley

    I have Roboform Everywhere so I uninstalled it, and then reinstalled it using the online sync function after repair.

  14. Sheri

    Excellent article and some of the replies are good too:-) In particular, Jenny’s one about locking down your email client rang very loud alarm bells! I have all my user folders stored on a slave hard drive, which I could easily remove before sending my PC for repair. I also have a 10GB folder encrypted by VeraCrypt, into which I save all my sensitive data. And I do regular daily backups to external drives. But it had just never occurred to me that anyone can just click on your email client, get all your email addresses and read all the emails still stored on it! And even if I disconnected the slave drive, which contains my Windows Live storage folder, because all my emails are now IMAP, they would all just be downloaded again if anyone opened the email client while the slave drive was disconnected. And I cannot see any way round that problem at all. So if anyone has any suggestions, I would be most grateful.

    • Mark Jacobs

      One way to prevent people from being able to download your IMAP or POP emails is to remove the stored password from your Email program. That way anybody using your computer would have to know the password to re-download those emails.

  15. Alan M.

    Another thing to think about are “shortcuts” for your browser. The shortcuts can be easily found, copied to an external drive, then deleted from your main drive leaving just an empty folder. Shortcuts may be the most embarassing thing on your computer. If not embarassing at least it will tell them sights you frequent.

      • Alan M

        Sorry about using sights instead of sites. I’m at that age (over 60) that doesn’t accept new words easily. When I went to school site was a mis-spelled word. Now it is a real word. Aint wasn’t a word either bur was listed in the dictionart as a comonly mis-used abreviation for is not and are not. Times change faster than I can keep up.

Leave a reply:

Before commenting please:

  • Read the article. Seriously. You'd be shocked at how many people make comments that prove they didn't.
  • Comment only on the article. If you have a new, unrelated question start with the search box at the top of the page.
  • Don't post personal information. Email addresses, phone numbers and such will be removed.

VERY IMPORTANT: because of a rise in comment spam that's making it through our filters any comments that do not add to the discussion - typically off topic or content-free comments - run a very high risk of being flagged as spam and removed.

If you have a new question unrelated to the article above, ask it on the Ask Leo! ask-a-question page.

Your email address will not be published. Required fields are marked *