Thieves can see more than you might think unless you’ve taken additional steps.
It takes a computer-savvy thief less than five minutes to gain access to everything on your computer.
Everything you haven’t otherwise protected, that is.
Become a Patron of Ask Leo! and go ad-free!
If your computer is not physically secure, it’s not secure. A thief can access data on your hard drive in several ways, removing it if needed. Besides physically securing the computer itself, encryption (of either entire drives, partitions, or individual files) protects its contents. BitLocker, VeraCrypt, and BoxCryptor are useful tools to protect information stored on your hard disk.
There’s a fundamental concept that I remind people of from time to time. It’s simply this:
If it’s not physically secure, it’s not secure.
I bring that up in response to questions about sharing a computer or living space. People are sometimes concerned about what a roommate might or might not have access to when they’re not around. Most commonly, it applies to laptops and mobile devices.
The short version is that if someone has physical access to your computer, they can quickly access everything on it.
Of course, computer theft is the very definition of physical access.
There are several ways someone can access your computer’s contents:
- They can reboot from a CD or USB thumb drive and reset the administrative log-in password. Here are the instructions: I’ve Lost the Password to My Windows Administrator Account, How Do I Get It Back? The newer UEFI “Secure Boot” prevents this, if enabled.
- They can reboot from a Linux live CD or thumb drive and access the contents of your hard drive without needing to log in to Windows at all. Again, “Secure Boot”, when enabled, is intended to prevent this.
- They can remove the hard disk from your machine, connect it to another, and once again access the contents of your hard disk without needing to use the rest of your machine at all.
All that should be pretty scary, mostly because it is.
If it’s not physically secure, it’s not secure.
Keeping your data secure
So what do you do?
In your case, it’s too late. The computer has already been stolen. What’s important is knowing the data could be accessed by whoever has the machine. If you have confidential information on it, assume it’s been compromised. It may not be. It may not be yet. It may never be. But you must assume the worst.
There are three approaches to keeping your data secure.
- Secure the machine.
- Encrypt the hard drive.
- Secure your data on the disk.
Secure the machine
Physically securing your machine includes bolting it down, attaching it to something with a security cable, or putting it in a locked room or cabinet. (Make sure the machine has enough ventilation if you put it in an enclosed space.)
These aren’t perfect solutions, as a very determined thief might still circumvent them, but they’ll at least stop the casual burglar by making it easier to steal something else.
Encrypt the hard drive
Encrypting the entire hard drive using whole-drive encryption protects the contents of your entire system.
With an encrypted hard drive, even moving the hard drive to a different machine doesn’t help a thief, because all they would see is random, nonsensical data.
There are two approaches to whole-drive encryption: system solutions and third-party tools.
System solutions (like BitLocker, for Windows1) use encryption keys based on your system login to encrypt the hard drive. If you can’t log in, then you can’t access your data. If you lose your log-in account for any reason, you can lose access to your data. You are encouraged to back up the encryption key separately, which would restore access.
Third-party tools like VeraCrypt also support whole-drive encryption. This is independent of your system login, and typically relies on selecting an appropriately secure passphrase to decrypt the drive and boot your system.
Important: In both cases, your data is fully secure only if you log out. As long as you are logged in and can access your data yourself, it’s available in unencrypted form. You may want to avoid Sleep and Hibernate, neither of which is an actual logout.
Also important: BIOS or other pre-boot passwords may or may not be a form of protection. Some, but not all, include hard disk encryption. You’ll have to check your system’s documentation to determine that for your specific machine.
Encrypt your data
The good news about whole-drive encryption is that once enabled, it’s pretty transparent. The bad news is losing access to your data can be a tad easier, and depending on the technique, completely encrypted drives can be somewhat less resilient to hardware failures.2
The compromise is to encrypt only parts of what you keep on the machine: your data.
To do that, I’d consider three approaches.
An encrypted partition. Rather than encrypting your entire hard disk, this uses whole-disk encryption tools like BitLocker to encrypt only a separate, non-boot partition on which you keep your data.
An encrypted vault. This uses VeraCrypt to create an encrypted “vault” that, when in use, looks like a separate partition.
An encrypted cloud folder. This uses a tool like BoxCryptor to perform file-by-file encryption of the contents of one or more folders on your machines. While intended to secure data you place in the cloud — you might even already be using it for that purpose — it secures that data on your machine as well. There’s no requirement to use a cloud service to use BoxCryptor to encrypt data.
It’s about more than your desktop
Everything I’ve described applies to more than your home computer. Yes, it could be stolen, but if you travel at all there’s a bigger risk:
An incredible number of laptops are lost or stolen each year. They all contain data — often sensitive data — the thief or finder can then access. (Thankfully, most do not, as they’re more interested in reusing or reselling the hardware — but the risk of data exposure remains real.)
At a minimum, the techniques I’ve described above should be considered for any laptop or mobile PC. Applying the same techniques to your computers at home gives you added security from the same types of threats.
What I do
What I’ve done has changed over the years.
Originally, I used TrueCrypt to create an encrypted vault on my laptop, and placed all of my data in it. This was convenient for various reasons, mostly involving the ability to move data around on my various devices in pre-cloud days.
Today, I use a multi-pronged approach:
- I use BoxCryptor to secure the data I place in my DropBox folders. The side effect is that this data is also encrypted on all the computers on which I choose to place it.
- I use BitLocker whole-disk encryption on my laptop. This includes protecting myself by backing up data regularly and securing the encryption keys appropriately.
- While I don’t currently, I have also used whole-disk encryption on my desktop.3
I’d also have no hesitation using VeraCrypt, TrueCrypt’s supported successor, if a scenario called for it.