Sophos Cloud Optix
Lots of people don’t worry much about encryption.
After all, security companies only promote encryption as a way of life because they’ve got encryption products to sell, right?
Perhaps.
Or perhaps they have encryption products to sell because they think encryption is a useful security tool for your digital lifestyle?
Regular Naked Security readers will remember that we found that out for ourselves back in 2011, when we went to a transit company’s annual lost property auction to buy up mislaid USB keys.
We were alert when we found that two thirds of the keys were infected with malware, and alarmed when we checked all the other files left behind: not one file on one USB key had been encrypted.
And, judging by the sort of stuff that was in those files, most of those keys contained information their owners would not have wanted to enter public life.
Of course, it’s easier to lose a USB key than a laptop, which for many users is a prized (or at least a valued) possession, even before the data is taken into account.
Or is it?
Here’s a video that made me vow to keep my beloved MacBook out of sight in public unless my hands are actually resting on the keyboard ready to grab it back from any prospective passing grab-and-run thieving rotter…
(Clicking on the image will take you to MSN’s website to view the video.)
Full disk encryption gives you an extra layer of defence against the potential cost of this sort of opportunistic theft.
The crook can still sell your laptop to a fence for its value as a stolen laptop, but he (or his fence) will struggle to get any data off that might bring additional revenue on the Underweb.
Actually, encrypting a laptop IS A GOOD THING to do BUT it might not have been of use in this case. This laptop was most probably turned on and by experience (sadly) most users deactivate screen saver password locks…
Don't do that 🙂
In fact, under recent versions of OS X (if memory serves) activating the screen lock also deactivates the Firewire/Thunderbolt driver, so you can't get a memory dump (from which the decryption password migth be recoverable) via what's called "remote DMA" (direct memory access) either.
Make sure that when sleep or screen saver kick in, your Mac locks. And set your screen lock to a brief delay, too. If you're not used to a two-minute lock, you'll be irritated for about a month. Then you will see someone else's laptop still unlocked five minutes after they wandered off and you'll think. "Well, THAT'S a silly idea," and you'll be converted permanently.
Getting into good, swift autolock habits (laptop and mobile devices) is like giving up smoking. It's a giant sweat at first. But once you're converted, you'll say to yourself, "What WAS I thinking?" (You'll also start banging on at all your friends who still smoke/are sloppy with passwords, and they'll pretend you're being boring and tiresome. Fear not. They secretly know you are right 🙂
>And set your screen lock to a brief delay, too.
Please explain.
Ah, poor choice of words. Sorry about that.
I meant, "Set a screen lock and choose a short inactivity period before the lock activates." In other words, lock after (say) two minutes of inactivity, not after 20 minutes.
The way I wrote it sounds as though I means "set the screen lock so it only stays activated for a short while" 🙂
Thanks Paul. I took me a while to remember how I had set this up before. Under Energy Saver I changed mine so the Display would sleep after 2 minutes (instead of 10). Under Security & Privacy I already had "Require password for sleep and screen saver" set to Immediately. I assume the first one is what you were suggesting. I assume this is what you're suggesting.
Yep. It's a bit all-o'er-the-place in the OS X System Preferences.
1. Desktop & Screen Saver | Screen Saver. (I use 2 minutes.)
2a. Energy Saver | Power Adapter | Display sleep. (I use 5 minutes.)
2b. Energy Saver | Battery | Display sleep. (I use 3 minutes.)
3. Security & Privacy | General | Require password after sleep or screen saver begins. (I use "immediately" so I know that when I close the lid, I lock the Mac at the same time.)
I configure the screen saver as well as the energy saver because….well, because I like the "Flurry" screen display, at least for a minute or so 🙂
Like you, it takes me a while to remember every time I want to adjust them…these settings would IMO be much better collected in one place, or at least all accessible together from Security & Privacy.
Any recommendation for full-disk encryption for individual private users? All Sophos products look very corporate.
If private individuals were able to easily encrypt their own PC’s (tied possibly to their (Wndows/Linux/etc.) logins, the culture would change such that corporate encryption would become the default.
If you use Windows 8 Pro, you could use BitLocker. If you're looking of an open source/free product, you could use TrueCrypt (google it).
I Hope this helps.
Yep, Sophos's encryption tools are designed (and licensed) for organisations, where things like centralised management, helpdesk-regulated key recovery, as well as file, folder and network encryption are needed along with FDE (full-disk encryption).
For home users, on Windows and Mac, you could just go with the OS-native, vanilla FDE product – Bitlocker for Windows and File Vault 2 for OS X.
Most modern Linux distros also support encrypted root partitions (the /boot partition is left unencrypted to load the drivers and mount "/"), using lvm2 and cryptsetup. Ubuntu-flavoured installers, amonst others, will do this for you automatically during setup.
On OS X, open System Preferences, choose Security & Privacy, click the FileVault tab.
On Windows…can a helpful Naked Security reader advise @outsidethemarginals on Bitlocker configuration?
Thanks, however I thought Bitlocker was for Windows 7 Ultimate or Windows 7 Enterprise and not available for Window Home (which is what most individuals have).
So Upgrade my Windows, buy separately or go third party? Ideally I want (nearly) fit and forget!
What is the processing overhead – presumably quite high if your swap file is busy?
Not sure about the availability of Bitlocker on the various degrees of Windows 🙂
For processing overhead, "it depends."
When I installed Sophos SafeGuard full disk encryption for OS X, I was determined to measure the difference, so I did a load of timing checks before and after and I couldn't find any difference that was statistically significant.
That was on a dual-core MacBook Pro that I use heavily, but not intensively, if that makes sense. By that I mean I work on it most of the day but only render videos once in a while, compile Android occasionally, but usually don't have both CPUs at full blast. (In short: the fan rarely comes on audibly.)
So I figured that there was always had enough spare "go" on one processor core to handle the encryption and decryption without getting noticeably in the way.
I also have an underpowered laptop running Ubuntu's FDE (lvm2+cryptsetup) and it's fine. I can't tell you if it's slower than unencrypted as I have only ever used it with FDE activated…but the performance feels like what I'd expect from the 1.1GHz CPU and the price point of the laptop.
Correct, you require ultimate or enterprise for bit locker on win 7.
If you have one of the supported configs though it doesn't seem to make and difference to performance once the initial encryption has finished and it does work, we have had a few corporate laptops motherboards die and without the key (which we had) it would have been impossible to retrieve data from it.
Truecrypt is what I use for all my private and work systems. I also try to get my friends to use it on theirs as it's pretty simple to use. It's also free.
I wrote a pretty lengthy tutorial (Windows users) on it. I won't link to it here as that's considered spamming, but you can find plenty of decent instructions on how to implement full disk encryption using either Truecrypt, or as Paul has said, Bitlocker via a quick search on Google. Be mindful though that Bitlocker has its limitations and can't be used on XP.
The thing to bear in mind with TrueCrypt is that it doesn't do FDE (full disk encryption, or "system encryption" as TrueCrypt calls it) on anything but Windows.
Also, according to its own website, it doesn't yet support Windows 8.
So Linux, OS X and Eight users are out of luck with TrueCrypt.
Sorry, I had my Windows hat on.
It’s surprising that Mac OS X & Linux users are still unable to fully use the software yet though, and I’d love to know if they will ever be able to use it? I know that full support for Windows 8 is currently being planned, although I have no clue as to when that will be.
How do I encrypt my com? Where do I start first?
See my reply above to @outsidethemarginals.
And then someone else came along and stole the smartphone left on the table, and the tablet left on the chair.
And the chair.
If one is looking for an Open Source product, I strongly recommend “TrueCrypt”.
It’s available for various flavors of Linux, Windows, and Mac OS X.
The FAQ is too large to post here, but it is well-worth reading.
I use it on my laptops and my desktop machines at home.
As I mentioned above to @TheGift73, TrueCrypt on Linux, OS X and Windows 8 doesn't support full disk encryption (FDE), which is really what you want. In my opinion.
That's where the whole system is encrypted, including the OS partition, so that you put the password in before the OS begins to boot.
FDE means that you don't have to concern yourself with some parts of the directory tree being encrypted (e.g. your home folder) and others being in cleartext (e.g. various system and temporary folders). One less thing to worry about…
Many laptops are supported with HDD/SDD encryption by BIOS. OSs like Ubuntu asks for home directory encryption during installation or total disk encryption with LUKS.
Will FDE slow down my system, especially boot? How feasible to restore the data if user forget the encryption key?
For "how much will my computer slow down," see above in the thread started by @outsidethemargins.
As for "can you recover the data if the user forgets the key", if the answer isn't a big, fat, definite NO then avoid the product completely. If there is a "backdoor" then the system isn't secure.
Enterprise-flavoured FDE systems (like, ahem, Sophos's SafeGuard 🙂 will usually support some kind of key recovery, such as a long code that the helpdesk can give a remote user as a one-time replacement for a forgotten password, and Apple's FileVault 2 produces a long "recovery key" you should write down and lock in a safe when you enable encryption.
But if you can recover the data *without recovering the key via some alternative means that can be managed securely* (such as a piece of paper locked in a safe) then the FDE software should be considered to have a hole and is not IMO fit for purpose.
Not that I feel strongly about it 🙂
Had these men been armed and practiced in quick draw technique they could have appropriately thwarted this theft and punished the miscreant.
😉
Shooting at a thief in a public area just to keep your laptop from being stolen is not a good idea. If you miss, you might hit an innocent bystander. If the perpetrator had a gun and was about to kill someone, that would be better justification of lethal force.
The issue for non-corporate users is, as I see it, can I used Windows Restore and can I make backups and use them to replace lost/corrupted data? And can I make a full image that can be used to ‘rebuild’ a Windows computer?
I use XP Pro, it does all I need, but like every Windows version ever produced it has some ‘unworthy’ habits of falling over and getting itself knotted, so users have to do re-installs from time to time. But if we use some form of FDE and make encrypted backups then are we sure it can safely and effectively be used to resurrect a cantankerous computer?
When you copy files off an FDE-protected computer, the files are copied unencrypted (unless you take steps otherwise). FDE is transparent, by design, to all applications, because the encryption and decryption takes places between the OS and the disk.
So you can make backups as usual. If you really need to restore, you can just reinstall the OS and copy the files back, with or without FDE installed.
Encrypting your backups is a good idea (a very, very good idea) but is, in general, independent of the FDE – unless you backup to an FDE-encrypted removable drive.
(That's what I do. I have an FDE-encrypted MacBook and some independently FDE-encrypted removable drives for archive purposes.)
My husband has a MacbookPro and he is very paranoid about his data. Basically, he uses OSX FileVault 2 FDE (he did use PGP FDE before but it was slow (1) and was a nightmare to recover (2) after OSX Firmware update). He encrypts all his external HDDs with FileVault 2 (if they are solely used with Macbook – for Time Machine backups for instance) otherwise he encrypts the partitions with Truecrypt (they can be accessed from Linux/Windows/OSX).
So if you have OSX then definitely FileVault 2 – don't just rely on ScreenLock and Firmware Lock!
Also, make sure you use V3ryyC00mpl1c@t#dPa$$word (yes, use broken grammar/words!)
using a passphrase without spaces? that's pretty noobish.
seriously, you don't need !@#$%$%^&%$^&*%^ and all that shit just make your password this:
Soggy waffles are the best with syrup and jelly.
^^ do you know how long it would take to crack that passphrase? too long.
This certainly would help but it may be also worth letting people know that if you store your files on a separate encrypted partition, if you ever do a complete re-install of your OS for whatever reason you may not be able to access your files again as they will be encrypted.
This happened to me a long time ago on Windows XP and I lost a ton of data.
I don’t know if there are ways around this problem now or on other OSs. Nowadays I just don’t store any private or personal data on my laptop or I encrypt and password protect individual files rather than the whole drive.
Some one may explain a better way around this problem. I am not a security guru. I just don’t want to lose my files again.
Can't speak for Bitlocker, but on OS X, I've used FileVault 2 on personal removable drives.
When I plug them in, OS X says, "Do you want to unlock the encrypted partition on here" and I simply type in the password for that device. It's then unlocked and mounted.
I can mount the drive on any FV2-capable Mac in the same way, or after a recovery boot from my OS X boot/recovery/install USB key.
If I don't enter the password when the prompt comes up, I can either unplug/replug the drive to provoke the dialog again, or use the "diskutil coreStorage" command from a terminal.
I made sure I practised doing all those steps (mount encrypted disks on another Mac, mount encrypted disk from command line, and mount encrypted disks by hand, including my internal hard disk volume, which is a non-swappable SSD, after booting from USB).
In fact, I practised several times 🙂
If you really want unencrypted backups, I recommend using a dedicated drive or DVD and keeping it locked up in a safe place, e.g. in a safe.
Thanks. I should have mentioned I was using only the Windows XP in-built encryption.
No doubt a third party encryption tool would be sophisticated enough to avoid this problem.
I just thought it would be useful to mention in case someone thinks WIndows built-in encryption is an adequate solution. It probably is as far as encryption goes but not at all for recovery.
I agree with Paul, Apple made encryption a damn easy thing with their FileVault 2.
If you are using Windows, I highly recommend Truecrypt. If you are afraid of using encrypted partitions then use Truecrypt encrypted containers. It is just a file but when you decrypt it through Truecrypt it gets mounted as a separate disk (removable media kinda).
Make sure you ALWAYS backup your data. Use robocopy (free utility from Microsoft) If you are Windows user, use Time Machine (or old school rsync) if you are OSX user
With windows bit locker on windows 7 (and probably 8) you can unlock the drive again, we have had to do it a couple of times here when motherboards have died on laptops, the process was boot computer and enter recovery key login and turn off encryption for the drive (I cant remember if you had to enter the key again or not) then re-encrypt the drive and its ready to go again.
I might try that bitlocker. Windows 7 backup scheduler is hounding me again to backup my stuff. I do use a seperate 500GB harddrive for only backups and nothing else. I stay away from using small regular size USB sticks since they can disappear in plain sight. I use portable harddrives that are the same size as my smartphone so its easy to spot.
Hmm… the link to the video is dead. Too bad.
Just Google it and you'll find it.
I couldn't watch the video either. Now I know it's not my PC.
doesnt matter if its encrypted or not, anyone who gets their hands on it can just dban it then boot up a nice fresh install and enjoy their newly acquired laptop
The page you requested cannot be found.
The Web page you are attempting to view may not exist or may have moved. You may have reached this page from an incorrect link. Try double checking the Web address.
Click here to return to homepage.
Hmmm. Maybe someone stole it 🙂
the problem with encryption is very hassle to use. it would take some time to decrypt all your files. that would only be applicable with external hard drives. just put password on bios.