Data Disk Encryption

Discussion in 'privacy technology' started by starfish_001, Sep 22, 2017.

  1. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    I am looking for a solid reliable program for data disk encryption on a Windows 10 Home laptop. Not sure what is best:
    BitLocker
    VeraCrypt
    Beecrypt

    I am looking for reasonable security and good reliability - any advice would be appreciated
     
  2. kaljukass

    kaljukass Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    244
    Why do you need to do this? It's better to buy a safe lock-box if your home is so precarious.
    It's worth considering that if you encrypt, then very often it happens that after some time no one will ever be able to open it. Not You, not anyone. Then it is safely protected for ever.
    And that's true, I've been on the internet and in forums for a long time. One of the main topics is - how to open, help me! I have very important documents there, I need them ....
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, I've been using LUKS in Linux for several years. Typically LUKS on RAID10 arrays. I've had a couple disk failures, so had to replace and rebuild RAID. But LUKS was totally oblivious. You do need to allow booting from degraded RAID array :)

    Re Windows, I have seen many "how can I recover my data?" questions for TrueCrypt. Maybe for VeraCrypt too, but I haven't been paying attention. And I did lose a TrueCrypt FDE USB drive, once. So in Windows, I'd probably go with BitLocker, if ability to access data is most important. If security is most important, then maybe VeraCrypt. But others here are more qualified to advise.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Since you're using W10 on a laptop, and want "reasonable security" and presumably wish to encrypt the system partition, Bitlocker is the best choice, particularly if you have a TPM chip on the laptop.

    The reason for saying this is that you are already "owned" by MS, and Bitlocker is supported for the system disk and GPT. In addition, because laptops are frequently being rebooted, you probably do not want to have to enter a sufficiently long password for entropy purposes, every time, and the TPM + Bitlocker effectively allows for a strong password to be produced with a shorter pin or none if you prefer. That does shift the onus then onto protecting your account credentials well (for example with 2FA).

    My experience of Bitlocker on Windows is that it is very reliable, though you obviously do need to keep good records for recovery purposes - as you do with any of the other choices.

    None of this precludes, of course, use of open source encryption for usb drives etc. though be aware that you are always vulnerable via the operating system.

    I'd also point out that threats to data at rest are only one class of attack; for instance, your data may also be exfiltrated or hit by ransomware due to online attacks. For this reason, I'd recommend sandboxing internet-facing applications or running them in a virtual machine.
     
  5. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    thanks guys - many of the worries expressed crossed my mind, hence my question. As this is not for me personally; I tend to use VeraCrypt for data.
    Ease of use and reliable are ahead of ultimate security - the data set will be backed up securely.

    Looks like bitlocker is a reasonable choice or perhaps BestCrypt
     
  6. alawyer

    alawyer Registered Member

    Joined:
    May 17, 2017
    Posts:
    35
    Location:
    the final frontier
    Deslock?
     
  7. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    deslock looks interesting
     
  8. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Is it free? Does it have UEFI SecureBoot support?

    Edit: Checked their site, FDE is not free. Meh.
     
  9. alawyer

    alawyer Registered Member

    Joined:
    May 17, 2017
    Posts:
    35
    Location:
    the final frontier
    For free you get what you pay for.
     
  10. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Like Linux?
     
  11. chileverde

    chileverde Registered Member

    Joined:
    Apr 14, 2005
    Posts:
    50
    Any advantage to a virtual drive encrypted by BitLocker over using BitLocker to encrypt a regular partition to protect sensitive data?

    I am setting up a new computer and for the first time am using BitLocker for encryption and Image for Windows for backups (due to many recent problems with Symantec Encryption and Casper Secure Drive BU).

    I have always had at least one partition besides the OS partition, where I kept data, so I would not lose it if the OS became corrupted and I had to restore an earlier version of the OS partition. I kept personal data on a virtual PGP-encrypted drive. Even after whole disk encryption became available, I continued to keep personal data on the virtual encrypted drive, so it would be protected if I had to allow someone access to my computer to work on it. (Other data that I would not want to lose, but was not sensitive, such as downloaded programs, I would keep on the data partition itself, not on the virtual drive, whose .pgd file was stored on the data partition.)

    When I decided to change to using BitLocker and IFW, I originally planned to use a BitLocker-encrypted virtual drive the way I had used the PGP encrypted drive. But now, as I am setting up BitLocker, I see it is possible to encrypt a data partition and require an additional password to access it after Windows 10 is started. That seems a little more straightforward.

    Is there any advantage to using the virtual drive under BitLocker? If I did, I would keep it on the data partition, which would be encrypted but set to unlock automatically. Practically, is that any more secure than just using a regular partition encrypted by BitLocker?

    I am using BitLocker with TPM + PIN.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    If you have Bitlocker on the system drive, then a separate data drive can be automatically unlocked when mounted (this can also apply to external drives), and also it only takes one drive letter. Other volume encryption schemes open additional drive letters when mounted. If you want to keep a container-based distinct encryption, then you can do that as normal on a file basis. The potential advantage is that this can have a password distinct from the Bitlocker one, and the Bitlocker password will be in memory at all times. In addition, the ciphers can be different to the AES + diffuser used by Bitlocker. It can be handy to store a distinct manageable container on the main Bitlocker protected system even if you never open it on that system, for backup purposes and so on. The Bitlocker provides the normal system commercial-level encryption, while the container follows its own policy - so for instance, someone else could know the Bitlocker password, but not the container one.
     
  13. chileverde

    chileverde Registered Member

    Joined:
    Apr 14, 2005
    Posts:
    50
    Thanks.
    BitLocker allows one to establish separate password for each drive. Or are you saying that the BitLocker password(s) for specific drive(s) would also be in memory at all times, not just the PIN I used to boot my computer, even if the other drive(s) had not been opened? But the password for a BitLocker-encrypted virtual drive would not be in memory?

    I realize that the virtual drive could be encrypted with a program other than BitLocker, e.g., BestCrypt, but for the present I am just using BitLocker, as there is enough of a learning curve for BitLocker and IFW.
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Well, let's step back and just call it a key - the password is used with a salt (and in bitlocker's case the TPM+PIN) - to derive the key to a header which contains the actual disk encryption key (this is what allows you to change the password without altering the disk encryption). The latter is what would stick in memory, and that would apply while the disk is mounted, whether bitlocker or anything else. By default, one would have the Bitlocker disks opened on start-up, and obviously the contents are then open to any internet based malware (ransomware), and potentially to other machine users. In that sense, the additional container encryption can assist in that the key is only in memory while opened, and even if other users have access to the disk or backup, they will not be able to open the container.

    Do be sure and keep the recovery keys available and safe, there are circumstances when you will need them (e.g. if you want to access safe mode).
     
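    The two-level key hierarchy deBoetie describes here and in post 4 (password plus salt, and TPM+PIN where available, deriving a key that unwraps the real disk key held in a header, so a password change only re-wraps that key) can be sketched in code. This is an added illustration, not BitLocker's actual on-disk format or any forum member's code; the `tpm_secret` argument is an assumed stand-in for the secret a TPM would contribute, and the wrap uses PBKDF2 plus an HMAC tag from the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo of a volume-key hierarchy (NOT BitLocker's real format):
# a header slot holds the random data-encryption key (DEK) wrapped by a
# key-encryption key (KEK) derived from the user's password and a fresh salt.
KEY_LEN = 32
ITERATIONS = 100_000


def new_dek() -> bytes:
    """Random disk key; the data on disk is encrypted under this, never the password."""
    return os.urandom(KEY_LEN)


def derive_kek(password: str, salt: bytes, tpm_secret: bytes = b"") -> bytes:
    # With TPM+PIN the TPM contributes a sealed secret, which is why a short PIN
    # can still yield a strong key. tpm_secret is an assumed placeholder for that.
    return hashlib.pbkdf2_hmac("sha256", password.encode() + tpm_secret,
                               salt, ITERATIONS, KEY_LEN)


def make_protector(password: str, dek: bytes, tpm_secret: bytes = b"") -> dict:
    """Wrap the DEK under a password-derived KEK; returns one header 'protector'."""
    salt = os.urandom(16)
    kek = derive_kek(password, salt, tpm_secret)
    # KEK is fresh per salt and exactly DEK-sized, so XOR acts as a one-time pad.
    wrapped = bytes(a ^ b for a, b in zip(dek, kek))
    tag = hmac.new(kek, wrapped, "sha256").digest()  # detects a wrong password
    return {"salt": salt, "wrapped_dek": wrapped, "tag": tag}


def unwrap_dek(protector: dict, password: str, tpm_secret: bytes = b"") -> Optional[bytes]:
    """Recover the DEK, or None if the password/PIN is wrong (DEK never enters memory)."""
    kek = derive_kek(password, protector["salt"], tpm_secret)
    expected = hmac.new(kek, protector["wrapped_dek"], "sha256").digest()
    if not hmac.compare_digest(expected, protector["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(protector["wrapped_dek"], kek))


def change_password(protector: dict, old_pw: str, new_pw: str,
                    tpm_secret: bytes = b"") -> Optional[dict]:
    """Re-wrap the same DEK under a new password; on-disk data is untouched."""
    dek = unwrap_dek(protector, old_pw, tpm_secret)
    if dek is None:
        return None
    return make_protector(new_pw, dek, tpm_secret)
```

    A recovery key is simply a second protector made with `make_protector(recovery_key, dek)` for the same DEK, which is why losing every protector leaves the data unrecoverable.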
  15. chileverde

    chileverde Registered Member

    Joined:
    Apr 14, 2005
    Posts:
    50
    Thanks. If I used a regular partition, I would not have BitLocker open it automatically; I would use a different password. However, since I am needing to access personal data almost all the time I have the computer running, I have the drive unlocked virtually all the time I am using the computer. The only time I would have it locked would be if a technician were working on the laptop—maybe once in a couple of years! Sounds like risks on a day-to-day basis are similar. And I presume that if the computer is stolen in hibernated state, risks of either set-up would be similar—I would be relying on BitLocker encryption of the OS drive, which would contain sensitive data in hiberfil.sys.

    I guess another question is whether BitLocker-virtual encrypted drives are particularly finicky. I have never had trouble with virtual drives created and encrypted by PGP.

    Thanks for your reminder re keeping recovery keys accessible and safe.
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Yes, the hiberfil.sys is a risk in a number of ways. These days, particularly with SSD which is getting mandatory for a laptop, I just shut things down, there's not a big difference versus hibernating.

    I've found Bitlocker non-finicky and reliable, but that's dependent, like any other equivalent, on keeping the headers/recovery keys available offline. The only weird thing I've had is that a 4TB drive had to be partitioned slightly under to get Bitlocker to work on the partition, it wouldn't accept the full space.

    Could I also make my non-sponsored recommendation to operate containerisation as well, in order to make it harder for remote malware to subvert memory or access disks (which are effectively unencrypted by the time you are running in your account with FDE). All the good stuff like sandboxing and virtual machine operation helps.
     
  17. chileverde

    chileverde Registered Member

    Joined:
    Apr 14, 2005
    Posts:
    50
    I had heard the term "container", but I was not sure what it meant. Just looked it up and have some idea now. Will have to consider that. Thanks for your help.

    You made a good point about not using hibernation with an SSD. This is my first computer with one. I usually have several programs and files open, but I may find that on this computer it does not take that much time to shut down and reopen what I need.
     
    Last edited: May 21, 2018
  18. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Bitlocker is a Microsoft product isn't it? I may be wrong but I assume that Microsoft could open it. That doesn't sound very secure to me.
     
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    That notion does the rounds from time to time. On the Richter scale of threats, I'd see that as tiny in comparison with the huge exposures, whether deliberate or not, from the Byzantine labyrinth that is the operating system. So even if Bitlocker had full integrity, the OS could be reporting the key back to the mothership in its many encrypted telemetry messages - not saying it is, but there are likely many much easier things than attacking the crypto.

    Personally, I find Bitlocker a good solution to standard commercial threats, you would obviously be doing many different things if you wanted more. As it is, it's extremely convenient and is the only FDE which easily supports TPM.
     
  20. chileverde

    chileverde Registered Member

    Joined:
    Apr 14, 2005
    Posts:
    50
    Early in the following article there are links to discussions about the possibility that Microsoft may have created a back door in BitLocker:

    https://www.schneier.com/blog/archives/2015/06/encrypting_wind.html

    Partly because of those concerns, I used a non-Microsoft product, PGP, for years. But it was ultimately sold to Symantec, and its current successor, Symantec Encryption Desktop, does not work with Windows 10 1709.
     
  21. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    That's a pretty scary thought
     
  22. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Actually, not, for me at any rate. I tend to be far more concerned with remote threats, which Bitlocker doesn't really deal with at all. In order to exploit a Bitlocker key on a disk, "they" have to have physical access to it, which likely means that they also likely have physical access to me. Whoever "they" are, I would sing like a bird!
     