Encryption

Published on

So, I’ve decided to migrate my devices towards encryption. I’ve documented the process here, in case you find it useful.

Desktop PC

This runs Windows 7, however only the “Professional” version, so no Bitlocker technology (shame). I’m using TrueCrypt’s volumes for my non-SSD drive which stores the bulk of my personal files. My profile (AppData folder) and programs run off my SSD, and sensitive data (AppData, MSN logs, Desktop and local code checkouts) is encrypted using Windows 7’s EFS (my user profile).

However, my personal data (Documents, Music, Photos, etc) is shared with my laptop for file syncing, and would TrueCrypt volumes being mounted at log in time, this means the shares aren’t automatically recreated every log in. A Windows batch file is used to automate this:

"C:\Program Files (x86)\TrueCrypt\TrueCrypt.exe" /auto favorites /quit net share Archive=Z:\Archive /GRANT:Chris,READ /CACHE:Documents net share Documents=Z:\Documents /GRANT:Chris,FULL /CACHE:Documents net share Music=Z:\Music /GRANT:Chris,FULL /CACHE:Documents net share Pictures=Z:\Pictures /GRANT:Chris,FULL /CACHE:Documents

Obviously the share names, locations, permissions, etc, will all need changing, but invoking TrueCrypt this way (rather than its automount favourites on startup option) guarantees the availability of the share (as long as you don’t cancel the mount). However, this script needs to be run as Administrator, and with no UAC allowed at login, a scheduled task had to be created to get this working.

This machine is backed up with Mozy, which is supposedly encrypted, but the private key isn’t mine – so I’ve now changed to using my own custom AES key for Mozy. This key as well as the EFS ones is itself backed up (in a TrueCrypt volume) in the event they ever need to be restored.

Laptop PC

Again, with Windows 7 Professional, so no Bitlocker, but Windows’ EFS is used on sensitive data (my user profile), which makes encryption pretty simple to use. My personal files are shared on my desktop (requiring appropriate credentials, obviously), and these shares are mounted on my laptop, using the ‘Offline Files’ feature. This has a built in option to use EFS to encrypt the Offline Files cache, which is used to encrypt those personal files.

Netbook

This machine is Fedora based, and so supports encryption out-of-the-box. However, there appears to be no easy migration path to an encrypted volume if it’s not already encrypted, so I’m putting off implementing this until I need to rebuild my netbook. I don’t store my personal or business files on it (it’s literally just a web browsing machine), so exposure here is limited to basically my browser history.

Phone

The Nokia E71 supports full encryption out of the box, and this was very simple to set up.

iPod

My iPod Classic doesn’t support any type of native encryption (nor is it possible to install full device encryption), however my iPod Classic doesn’t contain any data I consider dangerous if unencrypted (just my music collection), so this isn’t an issue. The iPod Touch is more of an annoyance, as it has things like E-mail, Calendars, Contacts, etc, as well as the myriad apps that seem to stay logged in. Coming to review it at first, I realised how much of an issue it would be if I did lose it or my iPod Touch got stolen. I removed all the auto-sign in password things (however, I will have to remember to manually log out every time I use an app on it), set up a passcode and got rid of the link to my e-mail/contacts/calendar, etc.

iOS 4 did correct this obvious shortcoming with it’s new data encryption features, so I’m back to using my iPod Touch as it’s meant to be used.

Memory Stick

This is a fairly simple case of TrueCrypt encryption again, however, instead of full drive encryption, I am only going to create a TrueCrypt volume – this allows for easy transfer of unencrypted data between any machine that does not have Truecrypt on, if need be (although obviously I must be careful to not put any sensitive documents in there).

And that’s it! With the exception of trivial storage (such as the SD card in my camera with recent photos), my digital storage now has some sort of protection. I realise it’s not perfect – binaries aren’t encrypted (full disk encryption on an SSD is heavily advised against from multiple sources I’ve read), backing up encryption keys in a TrueCrypt volume is possibly a weak link in my system, as are things like hibernation files/leading my laptop in sleep mode, and of course the human link (I know the passphrases) – but hopefully it’s better than nothing, and if my phone or laptop or desktop does get stolen, me (and my customers) can be confident that my records, and my own financial records, are safe.

In other news, I might as well blog a few links as to what I’ve been up to lately: