End-to-end encryption: The PCI security Holy Grail
Implementation challenges abound. Here's how to handle encryption's 'key issues'
With groups like Anonymous actively looking to embarrass your company, laptop thefts occurring every second, and the recent poor U.S. District Court ruling on Fifth Amendment password protection rights, it is time you actually encrypted your data properly.
Your Windows login password is not encrypting your computer (surprise!). Full-disk encryption (used by very few people) is a good step, but by itself it still will not completely protect your data from prying eyes, overzealous governments, or your own mistake of leaving your company's crown jewels at the local coffee shop.
Instead -- as with many successful security designs -- you can set up a layered approach to protecting your data with encryption. It's fairly easy, quick, and free.
To create a more complete protection scheme, I am going to walk you through three steps to build this layered security approach:
- install FDE (or turn it on) and encrypt your files,
- create an encrypted hidden volume to prevent any government or person from forcing you to turn over your personal data,
- and create a tracking capability in the event your computer is stolen or lost.
Step one: Install full-disk encryption
The key to proper encryption is not just the encryption itself, but also protecting the right data. This is why full-disk encryption (FDE) is a popular starting place for many users. You can purchase hard drives with built-in FDE or use software tools like Windows BitLocker. In either case, your computer is locked down as soon as it shuts off. If your laptop is stolen, or sold on eBay years later without a proper disk wipe, or even if it finds its way into the government's hands, it will be useless without a password.
If you have Windows 7 Ultimate or Enterprise, a tool called BitLocker comes preinstalled and can encrypt your entire drive. For all other systems, I recommend TrueCrypt, available for free at http://www.truecrypt.org/. After downloading and installing, select the Create Volume command and choose the option to encrypt the system partition or the entire system drive.
Now follow the instructions and create a strong password. I recommend using a sentence as your password, e.g., "This is my password, it rocks!" You won't forget it, and it won't crack easily. After your FDE is set up, you will need your password to boot up the computer. Without the correct password, the drive is left encrypted and worthless even when viewed with forensic tools. Now your computer will be automatically locked down if it is lost or stolen.
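Step one is only finished once the drive is really locked down, so here is an added audit script (not from the article or from Microsoft) that lists every BitLocker volume and flags the cases where a lost laptop would still be readable: encryption not finished, protection suspended, an OS volume that unlocks from the TPM alone without asking for anything at boot, or no recovery password escrowed. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later, rather than the Windows 7 setup described above) and an elevated prompt; Test-FdeStatus and $preBootSecret are names chosen for this example.

```powershell
# Added example: audit BitLocker volumes for the conditions that undermine
# "lost or stolen means useless to the thief". Requires the BitLocker module
# (Get-BitLockerVolume) and an elevated PowerShell session.
function Test-FdeStatus {
    [CmdletBinding()]
    param()

    # Protector types that demand a secret from the user before Windows boots.
    # A TPM-only protector unseals the key automatically, so whoever has the
    # whole laptop reaches the login screen without entering anything.
    # Policy choice for this example: USB startup keys are not counted,
    # because they are too often carried in the same bag as the laptop.
    $preBootSecret = @('TpmPin', 'TpmPinStartupKey', 'Password')

    foreach ($vol in Get-BitLockerVolume) {
        $findings = @()

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume status is '$($vol.VolumeStatus)', not FullyEncrypted"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            # Encrypted but suspended: the volume key sits in the clear on disk.
            $findings += "protection is '$($vol.ProtectionStatus)'; encryption is effectively off"
        }

        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        if ($vol.VolumeType -eq 'OperatingSystem' -and
            -not ($types | Where-Object { $preBootSecret -contains $_ })) {
            $findings += "OS volume has only [$($types -join ', ')] protectors; nothing is asked at boot"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password escrowed; a forgotten passphrase means lost data'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Protectors = ($types -join ', ')
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Run the audit and show one row per volume.
Test-FdeStatus | Format-Table -AutoSize -Wrap
```

A volume reported as Compliant still depends on the passphrase quality discussed above; the script checks the configuration, not the strength of the secret.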