It’ll take a computer-savvy thief about five minutes to gain access to everything on your computer.
Everything you haven’t otherwise protected, that is.
There’s a fundamental concept that I remind people of from time to time. It’s simply this:
If it’s not physically secure, it’s not secure.
I normally bring that up when people have questions relating to sharing a computer, or perhaps sharing living space, and being somewhat concerned about what a roommate might or might not have access to when the computer’s owner isn’t around. Most commonly it applies to laptops and mobile devices.
The short version is that if someone has physical access to your computer, they can quickly gain access to everything on it.
Of course, computer theft is the very definition of physical access.
There are several ways that someone can gain access to your computer’s contents:
- They can reboot from a CD or USB device and reset the administrative log-in password. In fact, it’s so easy, here are the instructions: “I’ve lost the password to my Windows Administrator account, how do I get it back?” This is one of the things that the newer UEFI “Secure Boot” attempts to prevent.
- They can reboot from a Linux live CD and access the contents of your hard drive without needing to log in to Windows at all. Again, “Secure Boot”, when it’s enabled, is intended to prevent this.
- They can remove the hard disk from your machine, connect it to another, and once again access the contents of your hard disk without needing to log in to your copy of Windows at all.
All that should be pretty scary, mostly because it is.
If it’s not physically secure, it’s not secure.
Keeping your data secure
So what do you do?
Well, in an after-the-fact case like you’re asking about, it’s too late. The computer has already been stolen. What’s important is that you know the data on it could be accessed by whoever has the machine now. If you have personal and confidential information on it, it’s time to assume it’s been completely compromised. It may not be. It may not be yet. It may never be. But you must assume the worst.
There are three approaches to prevention:
- Secure the machine.
- Encrypt the hard drive.
- Secure your data.
Secure the machine
Securing your machine means doing things like bolting it down, attaching it to something with a security cable, or putting it in a locked room or cabinet. (Make sure that the machine has enough ventilation if you put it in any enclosed space.)
These aren’t perfect solutions, as a very determined thief might still circumvent these measures, but they’ll at least stop the casual burglar by making it easier to steal something else.
Encrypt the hard drive
Encrypting the entire hard drive using whole-drive encryption is one way to protect the contents of your entire system.
If a thief cannot log in to your machine, then booting from something else, or even moving the hard drive to a different machine completely, doesn’t help them get at your stuff. Once it’s encrypted, all they would see is random, nonsensical data.
There are two approaches to whole-drive encryption: system-provided, and third-party-provided.
System-provided solutions, like BitLocker in Windows, use encryption keys based on your system login to encrypt the hard drive. If you can’t log in, then you can’t access your data. The bad news here is that it’s tied to your log-in account. If you lose your log-in account for any reason, you can lose access to your data. Fortunately, in BitLocker’s case you are encouraged to back up the encryption key separately, which would presumably restore access. (Of course, you should be backing up your data as well.)
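One way to see where a Windows machine stands on both points, whether the drive is actually protected and whether there is a recovery key to back up, is the PowerShell below. It is an added example, not part of the original article; it uses the built-in Get-BitLockerVolume cmdlet from an elevated prompt, and the function name Get-EncryptionAudit and the wording of the findings are made up for illustration.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

# Added example: for every volume BitLocker knows about, report whether
# protection is on and whether a recovery password protector exists.
# The recovery password itself is deliberately never printed.

function Get-EncryptionAudit {   # hypothetical helper name
    Get-BitLockerVolume | ForEach-Object {
        # Names of the key protectors on this volume (Tpm, RecoveryPassword, ...)
        $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        $encrypted   = "$($_.VolumeStatus)" -eq 'FullyEncrypted'
        $protecting  = "$($_.ProtectionStatus)" -eq 'On'
        $hasRecovery = $types -contains 'RecoveryPassword'

        $finding = if (-not $encrypted) {
            'Not fully encrypted: readable from a live CD or another machine'
        } elseif (-not $protecting) {
            'Encrypted but protection is off or suspended'
        } elseif (-not $hasRecovery) {
            'Protected, but no recovery password exists to back up'
        } else {
            'Protected: confirm the recovery key is saved off this machine'
        }

        [pscustomobject]@{
            Volume     = $_.MountPoint
            Type       = $_.VolumeType
            Status     = $_.VolumeStatus
            Protection = $_.ProtectionStatus
            Protectors = ($types -join ', ')
            Finding    = $finding
        }
    }
}

Get-EncryptionAudit | Format-Table -AutoSize -Wrap
```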
Third-party tools like TrueCrypt or the supported derivatives, like VeraCrypt, also support whole-drive encryption. This is independent of your system login, and typically relies on selecting an appropriately secure passphrase to decrypt the drive and boot your system.
Important: your data is fully secure only if you log out. As long as you are logged in and are able to access your data yourself, it’s available in unencrypted form. That means you likely want to avoid states like Sleep or possibly even Hibernate, neither of which is an actual logout.
Also important: BIOS or other pre-boot passwords may or may not be a form of protection. Some, but not all, may include hard disk encryption. You’ll have to check your system’s documentation to determine what the case is for your specific machine.
Encrypt your data
The good news about whole-drive encryption is that once enabled, it’s relatively transparent. The bad news is that losing access to your data can be a tad easier, and depending on the technique, completely encrypted drives can be somewhat less resilient to hardware failures.
The compromise is to encrypt only parts of what you keep on the machine: your data.
There are three approaches I’d consider:
- An encrypted partition. This uses whole-disk encryption to encrypt only a separate, non-boot partition on which you keep your data.
- An encrypted vault. This uses TrueCrypt or VeraCrypt to create an encrypted “vault” that, when in use, looks like a separate partition.
- An encrypted cloud folder. This uses a tool like BoxCryptor to perform file-by-file encryption of the contents of one or more folders on your machines. While it’s intended to secure the data you place in the cloud – and, indeed, you might already be using it for exactly that purpose – it secures that data on your machine as well. There’s no requirement that you use a cloud service to use a tool like BoxCryptor to encrypt sensitive data on your machine.
It’s about more than your desktop
Everything I’ve just described applies to more than your computer at home. Yes, it could be stolen, but in reality, if you travel at all, there’s a bigger risk.
For a variety of reasons, an incredible number of laptops are lost or stolen each year. On each of those is data – often sensitive data – that the thief or finder can then access should they have a mind to. (Thankfully, most do not, as they’re more interested in reusing or reselling the hardware, but the risk of data exposure remains very real.)
At a minimum, the techniques I’ve described above should be considered for any laptop or mobile PC. Applying the same techniques to your computers at home will simply give you added security from the same types of threats.
What I do
What I’ve done has changed over the years.
Originally, I simply used TrueCrypt to create an encrypted vault on my laptop, and placed all of my data in it. This was convenient for a variety of reasons, mostly involving the ability to move data around on my various devices in pre-cloud days.
Today, I use a multi-pronged approach:
- I use BoxCryptor to secure the data I place in my cloud service provider (a service similar to Dropbox or OneDrive). The side effect is that this data is automatically encrypted on all the computers on which I choose to place it.
- I now use whole-disk encryption on my laptop. This decision came from thinking through the scenarios where whole-disk encryption adds risk, and protecting myself by backing up and saving encryption keys appropriately.
- I went all-in and now use whole-disk encryption on my desktop. Having thought through the issues, this amounted to a “why not?” kind of decision, to increase my security should my desktop machine actually ever be stolen.
While TrueCrypt is no longer part of my day-to-day strategy, I’d have no hesitation using VeraCrypt, a supported TrueCrypt successor, if a scenario called for it.