Imagine you’re in a crowded airport bar waiting for your flight to leave. Your bags are close, but you’re watching the game on TV. A gentleman bumps your chair while passing and apologizes quickly and profusely before disappearing into the crowd. And five minutes later, you realize he’s taken your laptop bag with him. What now? If you’re like me, your laptop probably has a lot of sensitive information on it. In addition to some corporate documents, I have a fair bit of my personal information on the laptop as well – the tax return I just finished electronically filing, stored credentials for my e-mail account, bank statements, the works. Losing a laptop or other computer system is an enormous risk these days, but with a few relatively simple steps it’s possible to ensure that even if someone takes the computer with them, your data will remain safe and secure.
I’m a Windows user, so I’ll be looking at the two most common Windows solutions for system encryption: BitLocker, a native component of Microsoft Windows 7 and TrueCrypt, an open-source project that is compatible with several other operating systems.
BitLocker is available in the Enterprise and Ultimate versions of Windows 7; if you’re running one of the other versions like Home Premium commonly found on home desktops then you’ll want to skip straight to using TrueCrypt, but in a corporate environment it goes without saying that BitLocker is the way to go. It features a variety of modes of operation, but all require compatible hardware on your computer’s motherboard: a Trusted Platform Module (TPM) to securely store security information. Depending on how much security you want, you can choose to protect your system from a variety of attacks by selecting TPM-only protection, TPM+Pin, TPM+Pin+USB, TPM+USB, or just a USB Key by itself. The TPM-only method is capable of protecting against the Evil Maid Attack but doesn’t stop someone from starting your computer and trying to use it. Other options raise the security even further, by requiring you to enter something you know and supply an object you have in addition to having the correct checksums on your boot files.
BitLocker also integrates with Active Directory and allows central management for Enterprise users with management through Group Policy. For anyone in an Enterprise environment, BitLocker is the way to go.
TrueCrypt is a bit rougher around the edges, and definitely gives off an Open-Source vibe. Its dialog boxes are a bit more complex in the way only a product designed by engineers for use by engineers really can be.
TrueCrypt allows for you to transparently encrypt the entire disk and prompt for a password at boot time, but does not make use of a TPM so it is still vulnerable to the aforementioned Evil Maid Attack. It also allows you to encrypt any block device at the device or partition level, as well as create file containers that are mounted as disks to allow for a portable encrypted volume. Combine that with TrueCrypt’s Traveler mode, which does not require Administrator permissions to install or operate, and you have the makings of a cross-platform encrypted data transfer system. You can install it on top of any system and even encrypt your boot drive in place without data loss, on both single drives and RAID configurations.
TrueCrypt defaults to AES encryption, as does BitLocker, to take advantage of AES-NI hardware acceleration but if you are so inclined you can select an alternate encryption algorithm, or multiple algorithms chained together, for the truly paranoid.
BitLocker provides a nicer, more user-friendly experience. I’d recommend it over TrueCrypt if you have a modern computer and a high-end version of Windows. Otherwise, TrueCrypt it is.