Everyone knows that laptops are wonderful. I have one so that I can work almost anywhere and that’s awesome. But I’ve had lingering issues with what’s the best way to deal with private data on it. I’m talking about things like financial records, billion dollar ideas, etc that could harm me if they were publicly known. Things like my resume don’t fall into this category. It was pretty easy to decide that I needed to encrypt some of my files on my laptop, but the unfortunate truth is that encryption can be a real pain to use in a practical way. Before I started to look at different encryption methods I decided that I wanted protection from sophisticated thieves and not bomb proof FBI can’t get me protection. So let’s take a look at what’s out there for the average user.
Truecrypt is recommended by many as a good free open source tool and I initially tried it. Soon after I installed it I discovered that while source code is available for it, no one besides the Truecrypt developers has been able to build it. In fact, no one even knows who the developers are! That didn’t sound very “open” to me so I decided to keep looking. I also didn’t like the user interface and how I had to manually manage all the encrypted volumes. The security was probably pretty good, it’s just that the inconvenience to me as a user was too high.
The next option I looked at was the encrypting file system (EFS) option in Windows XP through to Windows 7. It looked like an easy to use solution for me and it was once I upgraded from Windows 7 Home Premium to Professional to gain access to EFS. All you have to do is click on the “Advanced” button in the folder or files properties window and select “Encrypt contents to secure data”. Windows will automatically generate encryption keys if needed and transparently handle the encryption once you log in. With this method you files are secure as long as no one else can figure out your password or knows the administrator password. The weakest link with this method is that the encryption keys and data are on the same media and even Microsoft’s own best practices document recommends deleting the keys off the hard drive if you don’t need to access the encrypted data. The problem is the password database in Windows isn’t secure.
Even though the password database is encrypted too, the encryption keys are also stored on the local hard drive. This makes is easy for a determined individual to decrypt the password file and to guess the user passwords. Once the correct passwords are determined then the attacker can log in the machine and gain access to the encrypted files. I wanted protection from this so I looked into the Syskey utility in Windows. It allows the machine encryption keys for the password database to be on a USB key. In this configuration Windows won’t start without the USB key installed. It the attacker has only 1 piece of the combination then it is useless to them. It’s a good solution as long as you never lose or damage the USB key. If you do you will have to format the laptop to use it again. For me this was too high of a price to pay to protect my data.
By this point I had decided that I wanted to keep the encryption keys separate from the data. That left me with the following choices:
- Store the data on an encrypted USB key. All you have to do is reformat the key with NTFS.
- Store the encryption keys on a USB key and the data on the laptop hard drive. Windows 7 Professional doesn’t directly support this.
I chose the second option because I liked the idea of being able to store as much data as I wanted on my hard disk. I loosely followed the directions here, with the following changes:
- The certificate store in Windows 7 was in a different location so I used this one instead.
- Windows 7 and XP don’t need extra programs to make links. On Windows 7 use
mklink /j <link> <source>. Windows XP use
fsutil hardlink create <link> <source>.
My laptop operates perfectly with or without the USB key attached which is what I wanted. Windows cannot not open the private files without the USB key installed and instead will give an error saying it can’t open the file. I think the reason why Microsoft makes this process so difficult is because it competes with its Bitlocker functionality in Windows Ultimate. So far I’m a happy camper!