Micah Lee
Apr. 27 2015, 3:36 p.m.
Time and again, people are told there is one obvious way to mitigate privacy threats of all sorts, from mass government surveillance to pervasive online tracking to cybercriminals: Encryption. As President Obama put it earlier this year, speaking in between his administration’s attacks on encryption, “There’s no scenario in which we don’t want really strong encryption.” Even after helping expose all the ways the government can get its hands on your data, NSA whistleblower Edward Snowden still maintained, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
But how can ordinary people get started using encryption? Encryption comes in many forms and is used at many different stages in the handling of digital information (you’re using it right now, perhaps without even realizing it, because your connection to this website is encrypted). When you’re trying to protect your privacy, it’s totally unclear how, exactly, to start using encryption. One obvious place to start, where the privacy benefits are high and the technical learning curve is low, is something called full disk encryption. Full disk encryption not only provides the type of strong encryption Snowden and Obama reference, but it’s built-in to all major operating systems, it’s the only way to protect your data in case your laptop gets lost or stolen, and it takes minimal effort to get started and use.
If you want to encrypt your hard disk and have it truly help protect your data, you shouldn’t just flip it on; you should know the basics of what disk encryption protects, what it doesn’t protect, and how to avoid common mistakes that could let an attacker easily bypass your encryption.
If you’re in a hurry, go ahead and skip to the bottom, where I explain, step-by-step, how to encrypt your disk for Windows, Mac OS X, and Linux. Then, when you have time, come back and read the important caveats preceding those instructions.
How to encrypt your disk in Windows
BitLocker, which is Microsoft’s disk encryption technology, is only included in the Ultimate and Enterprise editions of Windows Vista and Windows 7, and the Enterprise and Pro editions of Windows 8 and 8.1, but not the Home editions, which is what often comes pre-installed on Windows laptops. To see if BitLocker is supported on your version of Windows, open up Windows Explorer, right-click on C drive, and see if you have a “Turn on BitLocker” option (if you see a “Manage BitLocker” option, then congratulations, your disk is already encrypted, though you may want to finish reading this section anyway).
If BitLocker isn’t supported in your version of Windows, you can choose to upgrade to a version of Windows that is supported by buying a license (open Control Panel, System and Security, System, and click “Get more features with a new edition of Windows”). You can also choose to use different full disk encryption software, such as the open source programDiskCryptor.
BitLocker is designed to be used with a Trusted Platform Module (TPM), a tamper-resistent chip that is built into new PCs that can store your disk encryption key. Because BitLocker keys are stored in the TPM, by default it doesn’t require users to enter a passphrase when booting up. If your computer doesn’t have a TPM (BitLocker will tell you as soon as you try enabling it), it’s possible to use BitLocker without a TPM and to use a passphrase or USB stick instead.
If you only rely on your TPM to protect your encryption key, your disk will get automatically unlocked just by powering on the computer. This means an attacker who steals your computer while it’s fully powered off can simply power it on in order to do a DMA or cold boot attack to extract the key. If you want your disk encryption to be much more secure, in addition to using your TPM you should also set a PIN to unlock your disk or require inserting a USB stick on boot. This is more complicated, but worth it for the extra security.
Whenever you’re ready, try enabling BitLocker on your hard disk by right-clicking on C drive and choosing the “Turn on BitLocker” option. First you’ll be prompted to make a backup of your recovery key, which can be used to unlock your disk in case you ever get locked out.
I recommend that you don’t save a copy of your recovery key to your Microsoft account. If you do, Microsoft—and by extension anyone Microsoft is compelled to share data with, such as law enforcement or intelligence agencies, or anyone that hacks into Microsoft’s servers and can steal their data—will have the ability to unlock your encrypted disk. Instead, you should save your recovery key to a file on another drive or print it. The recovery key can unlock your disk, so it’s important that it doesn’t fall into the wrong hands.
Follow the rest of the simple instructions and reboot your computer. When it boots up again, your disk will begin encrypting. You can continue to work on your computer while it’s encrypting in the background.
Once your disk is done encrypting, the next step is to set a PIN. This requires tweaking some internal Windows settings, but it shouldn’t be too hard if you follow the instructions to the dot.
Click Start and type “gpedit.msc” and press enter to open the Local Group Policy Editor. In the pane to the left, navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
In the pane to the right, double-click on “Require additional authentication at startup.” Change it from “Not Configured” to “Enabled”, and click OK. You can close the Local Group Policy Editor.
Now open Windows Explorer, right-click on drive C, and click “Manage BitLocker”.
In the BitLocker Drive Encryption page, click “Change how drive is unlocked at startup”. Now you can choose to either require a PIN while starting up, or requiring that you insert a USB flash drive. Both work well, but I suggest you use a PIN because it’s something that you memorize. So if you get detained while crossing a border, for example, you can choose not to type your PIN to unlock your drive, however you can’t help it if border agents confiscate your USB flash drive and use that to boot your computer.
If you choose to require a PIN, it must be between 4 and 20 numbers long. The longer you make it the more secure it is, but make sure you choose one that you can memorize. It’s best if you pick this PIN entirely at random rather than basing it on something in your life, so avoid easily guessable PINs like birthdates of loved ones or phone numbers. Whatever you choose make sure you don’t forget it, because otherwise you’ll be locked out of your computer. After entering your PIN twice, click Set PIN.
Now reboot your computer. Before Windows starts booting this time, you should be promped to type your PIN.
Finally, open User Accounts to see all of the users on your computer, confirm that they all have passwords set and change them to be stronger if necessary. Disable the guest account if it’s enabled.
How to encrypt your disk in Mac OS X
FileVault, Apple’s disk encryption technology for Macs, is simple to enable. Open System Preferences, click on the Security & Privacy icon, and switch to the FileVault tab. If you see a button that says “Turn Off FileVault…”, then congratulations, your disk is already encrypted. Otherwise, click the lock icon in the bottom left so you can make changes, and click “Turn On FileVault…”.
Next you will be asked if you want to store a copy of your disk encryption recovery key in your iCloud account.
I recommend that you don’t allow your iCloud account to unlock your disk. If you do, Apple — and by extension anyone Apple is compelled to share data with, such as law enforcement or intelligence agencies, or anyone that hacks into Apple’s servers and can steal their data — will have the ability to unlock your encrypted disk. If you do store your recovery key in your iCloud account, Apple encrypts it using your answers to a series of secret questions as an encryption key itself, offering little real security.
Instead, choose “Create a recovery key and do not use my iCloud account” and click Continue. The next window will show you your recovery key, which is twenty-four random letters and numbers. You can write this down if you wish. The recovery key can unlock your disk, so it’s important that it doesn’t fall into the wrong hands.
Once you click Continue you will be prompted to reboot your computer. After rebooting, FileVault will begin encrypting your hard disk. You can continue to work on your computer while it’s encrypting in the background.
With FileVault, Mac OS X user passwords double as passphrases to unlock your encrypted disk. If you want your passphrase to survive guessing attempts by even the most well-funded spy agencies in the world, you should follow the instructions here to generate a high-entropy passphrase to use to login to your Mac.
Go back to System Preferences and this time click on the Users & Groups icon. From there you should disable the guest account, remove any users that you don’t use, and update any weak passwords to be strong passphrases.
How to encrypt your disk in Linux
Unlike in Windows and Mac OS X, you can only encrypt your disk when you first install Linux. If you already have Linux installed without disk encryption, you’re going to need to backup your data and reinstall Linux. While there’s a huge variety of Linux distributions, I’m going to use Ubuntu as an example, but setting up disk encryption in all major distributions is similar.
Start by booting to your Ubuntu DVD or USB stick and follow the simple instructions to install Ubuntu. When you get to the “Installation type” page, check the box “Encrypt the new Ubuntu installation for security,” and then click Install Now.
On the next page, “Choose a security key,” you must type your encryption passphrase. You’ll have to type this each time you power on your computer to unlock your encrypted disk. If you want your passphrase to survive guessing attempts by even the most well-funded spy agencies in the world, you should follow the instructions here.
Then click Install Now, and follow the rest of the instructions until you get to the “Who are you?” page. Make sure to choose a strong password—if someone steals your laptop while it’s suspended, this password is all that comes between the attacker and your data. And make sure that “Require my password to log in” is checked, and that “Log in automatically” is not checked. There is no reason to check “Encrypt my home folder” here, because you’re already encrypting your entire disk.
And that’s it.
Correction: This post originally gave an incorrect date for when the TrueCrypt project was shut down. April 27 12:35 pm ET.
Correction: This post originally said that USB ports have direct memory access (DMA), but this isn’t true. FireWire, ExpressCard, Thunderbolt, PCI, and PCI Express all have DMA. April 29 6:17 pm ET.
Correction: This post originally said that BitLocker was included in Windows Vista and Windows 7 Pro editions, but it is only included in Ultimate and Enterprise editions for those versions of Windows. May 1 6:00 pm ET.
https://theintercept.com/2015/04/27/encrypting-laptop-like-mean/
