4 simple steps to bulletproof laptop security
Follow these tips, tools, and techniques to protect your Windows notebook against theft, intrusion, and data loss
- A TPM (Trusted Platform Module) in the notebook in question. Notebooks equipped with a fingerprint reader generally have a TPM as well. BitLocker uses the TPM to seal the drive's encryption key, so the key is released at boot only if the firmware and early boot components measure the same as they did when the drive was encrypted; a tampered boot loader means no key.
- A removable USB drive that serves as a startup key for the system. BitLocker looks for a TPM by default, so an administrator first has to enable the Group Policy setting that allows BitLocker without a compatible TPM. Note the trade-off: a startup key only supplies the key, it cannot verify the boot environment the way a TPM does.
I've used BitLocker on notebooks both with and without TPM. On the whole, TPM makes it far simpler, but there's no appreciable difference in functionality on a system that's protected by USB key only. If you plan on using a USB key, do yourself a favor and spend some money to buy the smallest USB drive you can find (that you're confident you won't lose). This makes it less onerous to plug and unplug, especially if you find yourself doing so on the train.
Microsoft went to some trouble to make sure that data stored on BitLocker drives is recoverable in the event of hard disk damage or failure. BitLocker-encrypted drives can also be unlocked from the Windows Preinstallation Environment and the Windows Recovery Environment, provided you have the startup key or the 48-digit recovery password that was generated when the drive was encrypted. If something does go wrong, you still have a way to reach the encrypted drive. If you use the notebook in an Active Directory-managed environment, the recovery password can also be backed up to AD, where a domain administrator can retrieve it for you. It remains a good idea to have any valuable data backed up elsewhere (and to keep those backups encrypted, too), of course. My point is that you have multiple lines of defense against disaster.
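The BitLocker steps above (check for a TPM, fall back to a USB startup key, keep a recovery password, escrow it in AD, verify), as an added PowerShell example that is not part of the original article. It assumes Windows 8 / Server 2012 or later, where the BitLocker and TrustedPlatformModule cmdlets exist, an elevated shell, and that E: is the small USB drive to use as the startup key; the registry values it writes in the no-TPM branch are the local backing store for the "Require additional authentication at startup" policy, and on a domain-joined machine you would set that policy centrally instead. On the Vista/7-era systems the article targets, the same operations are done with manage-bde.exe; the equivalents are noted in comments.

```powershell
# Added example (not from the original article). Enable BitLocker on the OS drive,
# using the TPM if one is present and a USB startup key otherwise, add a recovery
# password, escrow it in AD when possible, and verify the result.
# Assumptions: Windows 8+/Server 2012+, elevated shell, E: is the startup-key USB drive.
#Requires -RunAsAdministrator
param(
    [string]$OsDrive         = 'C:',
    [string]$StartupKeyDrive = 'E:'   # assumption: only used when there is no usable TPM
)

Import-Module BitLocker

# 1. Is there a usable TPM?  (old route: manage-bde -tpm -turnon)
$tpm     = Get-Tpm -ErrorAction SilentlyContinue
$haveTpm = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

if (-not $haveTpm) {
    # 2. No TPM: permit BitLocker without one. These DWORDs back the GPO
    #    "Require additional authentication at startup" -> "Allow BitLocker without a
    #    compatible TPM"; in a domain, set the policy rather than writing keys directly.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord   # 2 = allowed
    }
}

# 3. Recovery password first, so there is always a way back in regardless of the
#    primary protector.  (manage-bde -protectors -add C: -RecoveryPassword)
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

# 4. Turn encryption on with the primary protector.
if ($haveTpm) {
    # The TPM seals the key to the measured boot state.  (manage-bde -on C: -TPM)
    Enable-BitLocker -MountPoint $OsDrive -TpmProtector -EncryptionMethod Aes256 -SkipHardwareTest
} else {
    # Startup key only: a .BEK file is written to the USB drive, which must be
    # present at every boot.  (manage-bde -on C: -StartupKey E:\)
    Enable-BitLocker -MountPoint $OsDrive -StartupKeyProtector -StartupKeyPath "$StartupKeyDrive\" `
                     -EncryptionMethod Aes256 -SkipHardwareTest
}

# 5. Escrow the recovery password in Active Directory on domain-joined machines;
#    otherwise show it once so it can be stored offline.
#    (manage-bde -protectors -adbackup C: -id {GUID})
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId
} else {
    Write-Warning "Recovery password (store it offline, not on this machine): $($rp.RecoveryPassword)"
}

# 6. Verify: protector types, protection status and encryption progress.
#    (manage-bde -status C:)
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
```

ProtectionStatus reports On only after encryption has finished; until then the volume is still partly plaintext, so keep the notebook on mains power and let it complete before relying on it.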
BitLocker has one restriction that may put it out of the reach of many users: It's available in only the Enterprise and Ultimate SKUs of Windows. Since not everyone can afford those editions, it's good to know much of the same functionality is available through free third-party software.
One of the best ways to get roughly the same level of functionality as BitLocker is TrueCrypt, free cross-platform disk encryption software that supports full system-disk encryption on Windows. Once the system drive is encrypted, TrueCrypt's own boot loader demands a password before Windows loads -- one that you should pick according to the parameters I outlined previously. No password, no boot; no boot, no data.
Another major feature TrueCrypt offers is a hidden operating system. Depending on the password you type at boot, the boot loader starts one of two systems: a decoy OS on the visible system partition (in which you keep nothing of consequence) or your real OS, which lives in a hidden volume tucked into the end of the encrypted partition immediately behind the decoy's. This extends an existing TrueCrypt function, the hidden volume, where one encrypted volume is concealed inside the free space of another and is indistinguishable from random data without its own password. If you're ever in a position where you're forced to reveal an encryption password, you can give up the decoy's without giving up your secrets. Two caveats: the deniability holds only if you actually use the decoy OS from time to time, so that it looks lived-in, and setting up a hidden OS is somewhat complicated. I recommend this only for the truly cautious, because it's not likely you'll need it unless you work in an environment where guns might end up being pointed at you.
TrueCrypt also insists that you create a Rescue Disk, an .iso image you boot (from a CD or USB drive), before it will encrypt the system drive. If the drive stops booting properly for whatever reason, the Rescue Disk can restore the TrueCrypt boot loader, restore the volume header (which holds the key material), or permanently decrypt the system partition. Thus, you have something to fall back on in the event of a problem.
If you're loath to encrypt the whole system, you can use BitLocker or TrueCrypt to encrypt individual nonsystem volumes -- USB drives, for instance, where you might keep your most sensitive data. This provides less global protection, but with slightly less hassle.
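Encrypting a single removable volume rather than the system drive, as an added PowerShell example that is not part of the original article. It uses BitLocker on a USB drive (no TPM is involved for data volumes), protects it with a password for day-to-day use and a recovery password as the fallback, and runs a lock/unlock cycle to prove the protector works. It assumes Windows 8 or later with the BitLocker module, an elevated shell, and that F: is the USB drive; the drive letter is an assumption.

```powershell
# Added example (not from the original article). Encrypt a removable data volume with
# BitLocker, add password + recovery-password protectors, record the recovery password
# offline, and confirm the volume can be locked and unlocked.
# Assumptions: Windows 8+, elevated shell, F: is the USB drive to encrypt.
#Requires -RunAsAdministrator
param([string]$DataDrive = 'F:')

Import-Module BitLocker

# Prompt for the password; never hard-code it in a script.
$pw = Read-Host -Prompt "Password for $DataDrive" -AsSecureString

# 1. Recovery password first, then the password protector for everyday unlocking.
#    -UsedSpaceOnly encrypts only allocated clusters, which is fine for a fresh drive;
#    omit it for a drive that previously held plaintext so freed space is encrypted too.
Enable-BitLocker -MountPoint $DataDrive -RecoveryPasswordProtector -EncryptionMethod Aes256 -UsedSpaceOnly
Add-BitLockerKeyProtector -MountPoint $DataDrive -PasswordProtector -Password $pw | Out-Null

# 2. Record the recovery password somewhere other than the drive itself.
$rp = (Get-BitLockerVolume -MountPoint $DataDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Write-Warning "Recovery password for $DataDrive (store it offline): $($rp.RecoveryPassword)"

# 3. Wait for encryption to finish, then lock the volume (dismounting it; -ForceDismount
#    closes open handles) and unlock it again with the password to confirm the protector.
while ((Get-BitLockerVolume -MountPoint $DataDrive).VolumeStatus -eq 'EncryptionInProgress') {
    Start-Sleep -Seconds 10
}
Lock-BitLocker   -MountPoint $DataDrive -ForceDismount
Unlock-BitLocker -MountPoint $DataDrive -Password $pw

# 4. Status check: LockStatus should be Unlocked and ProtectionStatus On.
Get-BitLockerVolume -MountPoint $DataDrive |
    Select-Object MountPoint, VolumeType, LockStatus, ProtectionStatus, EncryptionPercentage
```

If the drive will be read on other Windows machines, they only need the password; the recovery password is for the day you forget it, which is exactly why it should not live on the same USB stick.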