Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Will hard disk encryption protect me from network attacks?

I was told that hard disc encryption prevents people who have physical
access to my laptop from reading my files, does that work against online
hackers who hacked into my network? Would a complete hard disc encryption make
any difference?

Yes and no.

While encryption is a powerful tool in your security tool box, it’s not a
replacement for good network security, or any number of other important
security measures for that matter.

We need to look at exactly what is, and is not, protected when you have, and
when you use, encrypted data.

Become a Patron of Ask Leo! and go ad-free!

The rule is actually quite simple: encryption prevents access to the
encrypted data unless you have the key.

Let’s say you have an encrypted file on your hard disk. Assuming you’ve used
appropriately strong encryption, then if someone steals the computer they would
not be able to see the contents of that file.

The same applies if your network or machine were compromised … if all the
intruders gain access to is the encrypted file, then they still have
access to nothing since they can’t see what’s inside.

However…

Encrypted data must be decrypted in order to be used. So what if you were
using the data at the time the network breach occurred? Or while you had some
kind of malware infection on your machine?

“… if you can access the unencrypted data, then a
security breach … could also allow an attacker to have access.”

Then, to put it bluntly, all bets are off.

I’ll use a TrueCrypt volume as an
example. When not in use the volume is just a file full of encrypted data that
no one but you, using the corresponding passphrase, can access. In order to use
a TrueCrypt volume, you must supply the correct passphrase when you mount it.
Once mounted its contents are then visible to you as unencrypted
data.

And therein lies the problem: if you can see it, then a successful attacker
could see it. If there were a network breach while you had your encrypted data
mounted and visible, that data could be accessible to a remote attacker.

And, in my opinion, it actually gets worse if you rely on whole-disk
encryption of your system drive.

With whole-disk encryption, the hard disk is completely encrypted including
not only your data, but all your programs and even Windows itself. Before you
can even boot your machine you must provide the proper passphrase to decrypt
the drive.

That’s actually pretty cool protection if the machine is off. Someone can
walk away with your laptop and the entire hard disk is simply so much encrypted
noise to them.

The problem, as I see it, is that if you’re using your machine then
everything is being decrypted and is fully accessible. A malicious network
based attack could once again have access to everything.

That’s why, personally, I don’t use full-drive encryption. My
approach is actually to encrypt what should be encrypted, and thus only have
that data accessible while I need it. When not in use the encrypted volume is
not mounted, and hence inaccessible to not only myself, but any
possible intruder as well.

And that’s truly the bottom line: if you can access the unencrypted
data, then a security breach in the form of a network attack, spyware or other
malware, could also allow an attacker to have access.

The lesson is simple: encryption has an important role in security, but it’s
no substitute for the rest of the package: having a firewall, using
anti-malware scans, staying up to date, and being security conscious as you go
about your day.

Do this:

Subscribe to Confident Computing! More confidence & less frustration -- solutions, answers, & tips -- in your inbox every week.

I'll see you there!

4 comments on “Will hard disk encryption protect me from network attacks?”

  1. Hey Leo,

    Great article!

    Just wondering though, if I had a laptop with a full encrypted hard drive AND small TrueCrypt files to encrypt the REALLY important stuff I wouldn’t want anyone to see when the computer was unencrypted that would be better than just having the TrueCrypt files on their own right?

    Thanks,

    Dan

    Reply
  2. @Dan:

    No, not really. If you use a strong enough password with Truecrypt (at *least* 10 characters, no dictionary words, mix of upper & lower case, a number or two thrown in), then using Windows Encrypted File System as well adds little to the security, but greatly increases the chance that you’ll be inadvertantly locked out of your laptop.

    As long as all the files you want to secure are in Truecrypt volumes with good passwords, the only thing that full disk encryption protects against is the possibility of someone stealing your laptop, extracting the platters from the hard drive, and scanning through them for swap traces, on the offchance that the files in your truecrypt volumes will have been loaded into the Windows Pagefile (virtual memory) at some point when you last viewed them.

    I suggest that that the chances of that happening to you are probably quite low (unless, of course, you’re habitually referred to as “Number Six”), and so one layer of encryption is probably enough.

    Reply
  3. I thought when you (we) mount a TrueCrypt volume, the files are only decrypted in RAM; the entire volume otherwise remains encrypted. Have I missed something in TrueCrypt’s instruction set? Ciao!

    Reply
  4. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    In a sense that’s true. A file isn’t decrypted until it’s
    accessed. However the list of files – the directory – is
    quite visible. The mounted volume just “looks like” any
    other disk drive. Any malware that simple accesses files
    will be able to access files from a mounted TrueCrypt
    volume.

    Leo

    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.7 (MingW32)

    iD8DBQFIAsjwCMEe9B/8oqERAnLNAJ44wuFIU7ziktyysDsKkrB6SEZvtQCeK8m8
    OjJwHg+HVDvHzvNhlzbEmmo=
    =YSRv
    —–END PGP SIGNATURE—–

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.