Why You Should Encrypt Your Entire Laptop

If you have a laptop and you take is out of the house with you, it is a good idea to have the entire hard-disk encrypted. This article will explain why and what software you can get to do this for you.

Most people have laptops rather than desktops these days, making them more easy to loose and be stolen. How easy is it for people to snatch your laptop from your table at a cafe?

Losing the hardware is not as big of a problem as losing the sensitive information contained on the laptop. The hardware is a thousand dollars lost, but it can be replaced. The problem is the personal and sensitive information that the thief stole.

Your laptop may contains sensitivity information like the banking, health, personal identifiable information, passwords, patient information, etc. This is a much bigger problem than losing a thousand dollars, because in some cases you may be required to report the data breach. And you or your employer may need to notify customers of this breach.

Okay, you really should not have customer credit card information on the disk of a laptop in the first place. But anyways, this is just a scenario of what people could have done.

While it is true that some thieves only care about reselling the laptop and not about your information, you never know. There could be identity thieves and hackers who wants access to the file where you wrote down all your bank passwords. Yes, people do write their online bank passwords in a file on their laptop. Otherwise, how else are you gonna remember all those passwords?

If you are going to write passwords in a file on a laptop, you should encrypt the file and store a backup elsewhere in addition to the full disk encryption that I'm going to talk about. I'll explain in the later section.

Having a password to log onto your laptop is not good enough. The thieve don't even have to crack your logon password (even though there are software that helps do that), but instead it would be easier to just unscrew your hard disk and have a disk reader and some software read the bits right off the surface of the disk. It can even read your previously deleted files.

But what if I just encrypt my sensitive file (such as that file that contains all the passwords to online banking). That's better but still not good enough. You still need to encrypt the entire disk, because the operating system sometimes write temporary copies of your files, browser can write information to caches, etc. And hackers know how to harvest the information from those.

With full disk encryption, anything written to the hard disk is encrypted. This means that temporary swap files and hidden files used by the operating system is also encrypted. Files are encrypted and decrypted transparently in real time as files are written to and being read from the disk and used. The user does not have to explicitly manually encrypt and decrypt files. The software handles all that. So user workflow is not affected.

eSecurityPlanet.com has a good article that explains this. While Full Disk Encyrption is pretty good protection, no system is 100% secure and the article goes into to some of the possible attack vectors even on a fully encrypted disk.

Now that I have convinced you of the benefit of full disk encryption, before you jump in there are a few things you have to keep in mind. Don't blame me if you don't take these precautions and something goes wrong. It is possible that you can lose everything on your laptop. Not even the people at Geek Squad or other disk recovery specialist can retrieve your data. After all, this is the point of full-disk encryption -- no one in theory is suppose to be able to get the data.

Before you do a full-disk encryption ...

1. Depending on your encryption scheme, if you forget your password to access your laptop and possible another separate password to decrypt or possibly loose a removable token on a thumb drive, you may never be able to get into the data contained in your laptop ever again.

2. Let's say you are not going to forget your main password. But hardware and software can fail. The software that is going to initially encrypt the entire disk will take many hours to maybe day encrypting the whole disk. While rare, hardware can fail and something can go wrong during that time. It is possible that things gets partially encrypted and you no longer are able to get access to the information in the laptop again. That is why you need to do a full backup of your stuff before doing the full disk encryption.

That is why I mentioned if you have important documents that you can not afford to loose (like that file that contains all your passwords), you have to store it in another location -- like in a cloud backup, or safe deposit box, or whatever up to you. But it needs to be encrypted by itself when you store it up in the cloud. So you encrypt that backup file using something like 7-zip archive with a password. Or some full-disk encyption software comes with a feature to create encrypted archive.

3. There may be a slight performance degradation when you have your full-disk encrypted, because now the system has to decrypt and encrypt files every time you access the disk. The typical causal user is not likely to notice the performance difference. This only applies to people using disk-intensive software such as high-performance gaming or video processing.

The article on Time writes of a case of the stolen laptop back in 2010. While lots of things in the article are still true, its recommendation of the use of free and open-source TrueCrypt is outdated. TrueCrypt is NOT recommended anymore. Because on its site says

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues".

Encryption software is complicated to write and need continual support and security fixes. You really should go with a commercial software that backed and produced by a large software company that have teams of engineers. This is not a time to go with free software or skim on cost.

If you are on a Windows machine that comes with Microsoft's BitLocker, you can use that. Or if not, you can purchase Symantec's Drive Encryption (also known as Symantec's Endpoint Encryption).

See Wikipedia for comparison with other various full disk encryption software.

My Windows laptop is too old to have Microsoft Bit Locker, so I went with Symantec full disk encryption. It took many hours to initially encrypt the entire disk. But you can continue to work on the machine during encryption. The encryption pauses on its own when you sleep your machine, or when your internet connection is lost, or when it detects other issues. It will resume again on its own when conditions have restored. Although I haven't tried it, you can do a normal shut down from the Windows menu (not a forced power off) of your machine and the encryption process is paused and will resume when you start up again.

Keep in mind that your disk is not protected unless it completes 100% of this initial encryption process. There are various options. I selected the option where the encyption pass phrase is the same as my Windows logon. (Also sometimes known as single-sign-on) So now whenever, I boot up my laptop, the Symantec password screen comes up even before the operating system boots. This is same as my Windows password. So I don't have to enter my Windows password again for the Windows boot up.

Everything else works normally. I set my screen saver to turn on after 15 minutes of idle and when laptop lid is closed, or when laptop goes to sleep. The screen saver wakes with a Windows password prompt. If I need to step away from my laptop for a few seconds, I close the lid. Even if the thief steals my laptop with the lid open, they are likely to close the lid as they run away. The next time the lid is open, it is prompted with a password. To hack this password, the thief is likely to need a reboot of the machine which purges any random access memory. Only the disk storage is left, but that is encrypted.

So the only way a thief is able to get my personal information off this laptop is if they push me aside while the lid is open and then start clicking around to open my files.

I do not notice any performance difference. There is a lock icon at my Windows status bar to indicate that my disk is fully encrypted. Right-clicking on it enables me to open the Symantec Encyption Desktop, which gives me tools to create encypted archive files. Although I still tend to use 7-zip password archive.

I also get a PGP Viewer which allow me to decrypt files sent to me by individuals for whom I have their PGP public key (which I can store public keys in the Symantec Encyrption Desktop).

I also get a PGP Shredder where I can drag sensitive files to and it will irretrievably delete the sensitive file. Normal Windows file deletion can be retrieved by hacker professionals.

This blog entry was written in 2014 and is only opinion at the time of writing. Things may be different by the time you read this.