Encryption as a data security tool
14. 10. 2016

Sabina Kalamujic

Security

Expanding on our previous blog posts on the secure deletion of data, we’d now like to introduce encryption as a further data security tool.

Encryption is meant to shield your data from prying eyes. This is achieved by converting the plaintext of your (sensitive) data into ciphertext that is unreadable to unauthorized parties. In the following paragraphs we will detail which Windows and Mac OS tools can be used to encrypt single files or entire partitions.

Encrypting entire partitions and systems

Windows 8 Pro and the Pro editions of later Windows versions offer ‘BitLocker’ (and ‘BitLocker To Go’ for removable media), which can encrypt entire partitions including the system partition. It also allows for the encryption of USB drives and external hard disks to protect them from unauthorized access. After encryption no file access is possible without the right password or smartcard. BitLocker can be accessed in the context menu when right-clicking a drive in the file explorer. After clicking on ‘Turn on BitLocker’ the menu with the corresponding encryption options will open. You can find further instructions on the right encryption options here.

A TPM chip of version 1.2 or higher is necessary to use BitLocker on a system partition. This chip has been included in almost all Neptun devices for some time. If your device lacks this ‘Trusted Platform Module’, you can find instructions on how to use the encryption without it here.

BitLocker requires the system to be configured with a secondary boot partition on the same drive. This partition layout has been configured automatically by Microsoft starting with Windows 7. If that is not the case on your system, a second partition can be created by shrinking the system partition with the built-in disk management tool of Windows: Diskmgmt.msc.
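To turn the three requirements above (TPM 1.2 or higher, a second partition on the system disk, BitLocker itself) into a repeatable check, here is an added PowerShell example. It is not part of the original post and not a Projekt Neptun script; it uses the standard Windows cmdlets (Get-CimInstance on Win32_Tpm, Get-Partition, Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector) from an elevated prompt on Windows 8 Pro or later. The drive letter, the escrow path on a USB stick and the `$EnableNow` switch are assumptions; with the switch left at `$false` the script only reports and changes nothing.

```powershell
# Added example (not Projekt Neptun's own script): BitLocker readiness check
# for the system drive, then optional enablement with a recovery password
# escrowed off the machine. Run from an elevated PowerShell prompt.

$OsDrive    = "C:"
$EscrowPath = "D:\bitlocker-recovery-$env:COMPUTERNAME.txt"   # assumption: a USB stick kept offline
$EnableNow  = $false   # flip to $true only after reviewing the report below

# --- 1. TPM 1.2 or higher present? ----------------------------------------
# Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3"; the first field is the spec version.
$tpm = Get-CimInstance -Namespace "root\cimv2\security\microsofttpm" -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    Write-Warning "No TPM detected. BitLocker on the system partition then needs the 'Allow BitLocker without a compatible TPM' policy plus a startup key or password."
} else {
    $spec  = [version](($tpm.SpecVersion -split ",")[0].Trim())
    $ready = $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue
    Write-Host ("TPM {0} found, enabled and activated: {1}" -f $spec, $ready)
    if ($spec -lt [version]"1.2") { Write-Warning "TPM is older than 1.2; BitLocker will not use it." }
}

# --- 2. Second (boot/system) partition on the same disk? ------------------
$letter     = $OsDrive.TrimEnd(":")
$diskNumber = (Get-Partition -DriveLetter $letter).DiskNumber
$others     = Get-Partition -DiskNumber $diskNumber | Where-Object { $_.DriveLetter -ne $letter }
if ($others.Count -eq 0) {
    Write-Warning "Only one partition on disk $diskNumber. Shrink $OsDrive (Diskmgmt.msc or Resize-Partition) so Windows can create the boot partition."
} else {
    $summary = ($others | ForEach-Object { "$($_.Type) $([math]::Round($_.Size / 1MB)) MB" }) -join "; "
    Write-Host ("Disk {0} has {1} additional partition(s): {2}" -f $diskNumber, $others.Count, $summary)
}

# --- 3. Current BitLocker status ------------------------------------------
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod | Format-List

# --- 4. Enable: recovery password first, then the TPM protector -----------
if ($EnableNow -and $vol.VolumeStatus -eq "FullyDecrypted") {
    # The recovery password is the way back in when the TPM measurements change
    # (firmware update, replaced mainboard) or the TPM fails; create it before anything else.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmProtector | Out-Null

    # Escrow the recovery password off the machine before the first reboot.
    $rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
          Where-Object KeyProtectorType -eq "RecoveryPassword"
    "Computer: $env:COMPUTERNAME`nProtector ID: $($rp.KeyProtectorId)`nRecovery password: $($rp.RecoveryPassword)" |
        Set-Content -Path $EscrowPath
    Write-Host "Recovery password written to $EscrowPath. Keep that medium away from the laptop."
}
```

The order in step 4 is deliberate: a machine with only a TPM protector and no escrowed recovery password is one firmware update away from unreadable data, which is exactly the failure the closing paragraphs of this post warn about.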

As an alternative to Windows’ built-in encryption tool, experts used to recommend ‘TrueCrypt’. However, the developers of TrueCrypt ceased development of the software in May 2014 due to security concerns. The latest version of TrueCrypt is therefore unsuitable for continued use and should only be used as a starting point to switch to another encryption software. The unofficial successor of TrueCrypt is ‘VeraCrypt’, which we can warmly recommend. This encryption software fixes many shortcomings of TrueCrypt.

In addition to Windows, VeraCrypt also supports Mac OS X and Linux. This interoperability isn’t the only advantage VeraCrypt has over BitLocker, but one of many. According to tests it is a more robust tool than its Windows counterpart.

As an alternative to commercial software, there are several free and open source encryption tools. Among the best is ‘DiskCryptor’. It allows for the encryption of entire partitions and hard drives on Windows systems and is recommended by Projekt Neptun as a fast alternative to TrueCrypt/VeraCrypt.

Apart from ‘FileVault’, Mac OS X offers the user no encryption options during the installation of the system. FileVault allows for the encryption of personal files on Mac devices. It has been available on Macs since Mac OS X 10.3 Panther and is the default encryption tool. You can find instructions on how to activate and control FileVault here. If you’re using FileVault, it is recommended to also encrypt the Time Machine backup.

FileVault allows for the password-protected encryption of the entire hard drive. Usage of FileVault is particularly advisable on laptops, which are taken everywhere and can easily change hands. It protects sensitive data like documents or credit card numbers even after theft and shields them from prying eyes. FileVault is an all-or-nothing encryption tool that doesn’t allow for the encryption of single folders or files.

Encryption of single files

Windows users can (since Windows 2000) use a Microsoft feature called ‘EFS’ (Encrypting File System) to encrypt single files or folders. It’s a built-in tool of Windows intended for fine-grained encryption jobs. EFS can also store the certificate and the key of the encrypted files on an external medium. Ease of use and the integration into the operating system are the advantages of this tool. Simply right-click on a file or folder and select ‘Properties’ in the context menu. From there go to ‘Advanced’, where you can choose to ‘Encrypt contents to secure data’. After encryption the difference between encrypted and unencrypted data is easily recognizable: if so chosen, the file explorer displays encrypted folders in a different color, and the icons of encrypted files are marked with a small lock by default. Encrypted files are opened and saved exactly like unencrypted ones, which makes the entire process transparent to the user.

Encryption with EFS is intended to protect files and folders from access by other users on the same computer; even an administrator is denied access to encrypted files. Drawbacks of this system are that encrypted files remain visible and that it only works with an NTFS file system. Support on USB drives or on file systems formatted with FAT is spotty at best.
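The EFS steps above can also be driven from PowerShell, which makes it easy to verify the result and to do the certificate backup the text mentions. The following is an added example, not code from the original post or from Projekt Neptun; it relies on the built-in cipher.exe switches (/e, /c, /u /n, /x) and on Get-Volume to enforce the NTFS caveat. The folder and backup paths are assumptions, and the sample file is constructed.

```powershell
# Added example (not Projekt Neptun's own script): encrypt a folder with EFS,
# confirm the Encrypted attribute, and back up the EFS certificate and key.

$Folder     = Join-Path $env:USERPROFILE "Documents\Confidential"   # assumption
$CertBackup = "E:\efs-$env:USERNAME"   # assumption: external medium; cipher appends .pfx

# EFS only works on NTFS: check the volume before touching anything.
$letter = (Split-Path -Qualifier $Folder).TrimEnd(":")
$fs     = (Get-Volume -DriveLetter $letter).FileSystem
if ($fs -ne "NTFS") { throw "EFS needs NTFS; drive $letter is $fs (FAT-formatted USB sticks will not work)." }

New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Set-Content -Path (Join-Path $Folder "notes.txt") -Value "constructed sample content"   # constructed

# Same as Properties > Advanced > 'Encrypt contents to secure data' on the folder
# and everything in it; files created in the folder later are encrypted automatically.
cipher.exe /e /s:"$Folder" | Out-Null

# Verify: encrypted files carry the Encrypted attribute (the lock overlay in Explorer reads this bit).
$report = Get-ChildItem -Path $Folder -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        File      = $_.FullName
        Encrypted = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Encrypted }) { Write-Warning "Some files are still stored in plaintext." }

# Who can open a file: cipher /c lists the EFS certificates (users) able to decrypt it.
cipher.exe /c (Join-Path $Folder "notes.txt")

# Encrypted files stay visible: this lists every EFS-encrypted file on the local drives.
cipher.exe /u /n /h

# Losing the certificate means losing the files: export certificate and private key
# (cipher prompts for a password to protect the .pfx) to the external medium.
cipher.exe /x "$CertBackup"
```

Keep the exported .pfx and its password on separate media: the certificate is the only way to read the files after a profile reset or a reinstall, which is the same password-loss risk the final section of this post describes.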

Final words

Most modern SSDs and some hard drives are ‘Self-Encrypting Devices’ (SED), which encrypt their contents even without any intervention by the user. As detailed in our blog post on the secure deletion of data, SED drives encrypt all of their contents with a random key that can be reset by the user with the help of disk management tools. If the data on a drive has to be rendered inaccessible, for example when selling the drive, the user can simply discard the random key to make all data unreadable. We recommend this link, where the mode of operation and the encryption process of SED drives are explained.

As we’ve detailed in this blog post, multiple, tedious overwriting passes over data or hard drives to protect them from prying eyes are unnecessary if they’ve been encrypted beforehand. Thus, encryption is an ever more popular and reliable alternative to lengthy deletion processes. Especially in our current digital age the matter of encryption is directly connected to concerns about privacy – in the private as well as the professional sphere. Mobile devices in particular can be a great security risk, as they are quite vulnerable to theft and loss. The large amount of sensitive data on these devices, even if it’s only the personal e-mail account, can easily be used to cause enormous personal and financial damage.

The following essential points cannot be stressed enough in this context: security in general rises and falls with the strength of the password, and safely storing a strong password is vital. Backups, passwords, and encryption keys should be well protected. In the worst case, the loss of a password leads to the loss of all data.
