Laptop computers have become mobile stores of massive amounts of information. Add to that the proliferation of removable hard drives, and it becomes crystal clear how much sensitive data is on the move in the world, most of it woefully underprotected.
Many users have tried to safeguard their data with system passwords or other mechanisms. But the cold hard truth is that those protection schemes give a false sense of security. Windows desktop passwords are easily defeated with third-party boot-up tools, which provide access to any file on a drive partition, while other tools exist that can crack passwords on most applications.
A better alternative is to protect the contents of a storage device using a reliable encryption utility, making it almost impossible for a third party to access your data files. There are several ways to do this -- some utilities will encrypt single data files, while others may encrypt directories or archives, and a few will encrypt a complete drive partition.
What you choose to encrypt is only part of the story, though. How the data is encrypted is just as important.
There are several levels of encryption available, and the major difference between them is the complexity of the encryption. Simply put, the more complicated the encryption scheme, the more secure your data will be. However, before selecting the most complex, most secure encryption scheme available, you should take into account another factor -- the processing power needed to encrypt or decrypt the data. More complexity means more security, but it also equals more demands on hardware.
Until recently, an inexpensive, easy-to-use, reliable drive-encryption utility was hard to come by. Either the tools available were too complex or expensive to be used by a nontechnical individual, or they impacted performance so severely that the PC slowed to a crawl. Luckily, much has changed over the last few years, and many new and improved products have come to market.
In this roundup, I've looked at three encryption packages: Microsoft's BitLocker, PGP Corp.'s Whole Disk Encryption, and TrueCrypt from the TrueCrypt Developers Association.
BitLocker is the easiest to obtain, at least for Windows users -- it's included with the Enterprise and Ultimate versions of Windows Vista and Windows 7. TrueCrypt is an open-source freeware application that is used by several universities and nonprofit agencies. For users looking for an affordable third-party encryption product that includes support from a leading vendor, Whole Disk Encryption (at $US149 per seat) is a top contender.
I installed each product on a Lenovo T61p notebook computer and a Toshiba Portege R600 ultralight notebook. I used a Fujitsu M2010 netbook to read the encrypted storage devices and encrypted files. All three systems were running Windows 7 Ultimate Edition.
I also tested each encryption product with a few Corsair USB drives of varying sizes and a 60GB external Verbatim USB hard drive.
Types of encryption
The two leading types of encryption are private key (also called symmetric key) cryptography and public key cryptography. In private key, a single key is used for both encryption and decryption. Private key algorithms are generally very fast and easily implemented in hardware, so they are commonly used for bulk data encryption.
Public key cryptography involves the use of two distinct but mathematically related keys: a public key and a private key. The public key is not secret and can be shared with anyone; it is used to encrypt data meant for the holder of the private key. The private key (or secret key) is used to decrypt any data encrypted by the public key. Public key cryptography is primarily used for e-mail messages, file attachments, digital signatures and other transaction-related processes.
Most file, directory and partition encryption products rely on private key scenarios, encrypting data files using a single secret key, which only the owner of the data knows. There are two general categories of private key algorithms: stream ciphers and block ciphers.
A stream cipher encrypts each byte of the data stream individually. Stream ciphers are commonly used for wireless communications. For example, A5, the algorithm used to encrypt GSM communications, is a stream cipher. The RC4 cipher and the one-time pad (OTP) are also stream ciphers.
On the other hand, block ciphers encrypt one block of data at a time and are used more often for data encryption. There are several block ciphers used today, all with variations in their approach, such as DES, AES, RSA and Diffie-Hellman.
Many encryption products that use block cipher encryption can integrate with a PC's Trusted Platform Module (TPM). TPM is a published specification detailing a secure crypto-processor that can store cryptographic keys that protect information. A TPM chip handles the secure generation of cryptographic keys using a hardware pseudo-random number generator. TPM also includes capabilities such as remote attestation (which creates a nearly unforgeable hash key summary of the hardware and software configuration) and sealed storage.
First, the good news -- BitLocker is free and does most everything a user could want. However, there's a catch: The full BitLocker product is only available with the Windows 7 Ultimate and Enterprise editions (or the Vista Enterprise and Ultimate editions), versions that are rarely installed on netbooks and seldom on notebooks. In addition, the Vista version of BitLocker lacks the ability to encrypt removable media, a very important feature now that USB key drives and external hard drives are common.
I looked at the BitLocker application included with Windows 7, which is broken down into two services: BitLocker, which works with hard drive partitions, and BitLocker to Go, which is meant for removable media.
BitLocker uses the AES encryption algorithm in cipher-block chaining (CBC) mode with a 128-bit key, combined with the Elephant diffuser for additional disk-encryption-specific security not provided by AES.
At a Glance
Price: Free (with Windows 7 Ultimate and Enterprise editions or Vista Enterprise and Ultimate editions)
The application works by encrypting a disk partition; that partition can be located on the system or on a removable device. If you are using BitLocker to secure your system's hard drive, for example, it will create a system partition (which contains the files needed to start your computer) and an operating system partition, which contains your applications, data and Windows. The operating system partition will be encrypted and the system partition will remain unencrypted so your computer can start.
BitLocker reaches its full potential on computers equipped with TPM. BitLocker can use either transparent operation mode (where the TPM automates key entry) or a user authentication mode (where the user must manually input a password). The TPM hardware detects any unauthorized changes to the pre-boot environment, including to the BIOS and master boot record (MBR). If any unauthorized changes are detected, BitLocker requests a recovery key on a USB device or a recovery password entered by hand. Either of these cryptographic secrets will decrypt the Volume Master Key (VMK) and allow the bootup process to continue.
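The sealing and recovery flow described above, as an added example that is not BitLocker's, Microsoft's or any TPM's real code: boot components are measured into PCRs, the Volume Master Key is sealed to the resulting PCR state, and a changed BIOS or MBR measurement makes the unseal fail so the boot falls back to the recovery password. The PCR indices, the XOR wrap and the PBKDF2 recovery derivation are assumptions chosen for clarity, not BitLocker's actual formats.

```python
# Added illustration, not BitLocker's or any TPM's real code: models sealing a
# Volume Master Key (VMK) to PCR measurements of the pre-boot environment and
# the recovery-password fallback. Hash chain, XOR wrap and PBKDF2 are stand-ins.
import hashlib
import hmac
import os

PCR_SELECTION = (0, 4)  # constructed: PCR 0 = firmware/BIOS, PCR 4 = MBR

def pcr_extend(pcr, measurement):
    """PCR_new = H(PCR_old || H(measurement)): PCRs can be extended, never set."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(boot_log):
    """Replay an ordered boot log [(pcr_index, component_bytes), ...]."""
    pcrs = {i: bytes(32) for i in range(8)}
    for idx, blob in boot_log:
        pcrs[idx] = pcr_extend(pcrs[idx], blob)
    return pcrs

def policy_digest(pcrs):
    return hashlib.sha256(b"".join(pcrs[i] for i in PCR_SELECTION)).digest()

def _wrap_key(tpm_secret, policy):
    # Stand-in for the TPM storage key: a different PCR state yields a
    # different wrapping key, so the TPM never releases the VMK itself.
    return hmac.new(tpm_secret, policy, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal_vmk(vmk, tpm_secret, pcrs):
    """Wrap a 32-byte VMK under a key bound to the current PCR values."""
    policy = policy_digest(pcrs)
    wk = _wrap_key(tpm_secret, policy)
    ct = _xor(vmk, wk)  # single-use 32-byte key, so XOR is sound here
    return {"ct": ct, "tag": hmac.new(wk, ct, hashlib.sha256).digest()}

def unseal_vmk(blob, tpm_secret, pcrs):
    """Return the VMK only if the current PCRs reproduce the sealing policy."""
    wk = _wrap_key(tpm_secret, policy_digest(pcrs))
    tag = hmac.new(wk, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # BIOS/MBR measurement changed: TPM refuses to unseal
    return _xor(blob["ct"], wk)

def protect_with_recovery(vmk, recovery_password, salt=None):
    """Second protector: the VMK wrapped under a key stretched from the password."""
    salt = salt or os.urandom(16)
    rk = hashlib.pbkdf2_hmac("sha256", recovery_password.encode(), salt, 200_000)
    ct = _xor(vmk, rk)
    return {"salt": salt, "ct": ct, "tag": hmac.new(rk, ct, hashlib.sha256).digest()}

def recover_vmk(blob, recovery_password):
    rk = hashlib.pbkdf2_hmac("sha256", recovery_password.encode(), blob["salt"], 200_000)
    tag = hmac.new(rk, blob["ct"], hashlib.sha256).digest()
    return _xor(blob["ct"], rk) if hmac.compare_digest(tag, blob["tag"]) else None

def boot(tpm_blob, recovery_blob, tpm_secret, boot_log, recovery_password=None):
    """Transparent mode if the TPM unseals; otherwise prompt for recovery."""
    vmk = unseal_vmk(tpm_blob, tpm_secret, measured_boot(boot_log))
    if vmk is not None:
        return "transparent", vmk
    if recovery_password is None:
        return "locked", None
    return "recovery", recover_vmk(recovery_blob, recovery_password)
```

Because the wrapping key is derived from the PCR digest rather than stored, there is no flag to bypass: an altered MBR simply produces a key that fails the tag check.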
BitLocker offers additional protection in the form of BitLocker To Go, an encryption option that can be used with removable media.
BitLocker is tightly integrated into Windows 7; it launches from the Windows 7 Control panel and includes a wizard-driven setup that simplifies configuration. To get started, I launched the BitLocker application from the Windows 7 Control panel on the Toshiba Portege and chose "Turn on BitLocker." This launched a system requirements wizard, which checked to make sure that the system was compatible with the software and listed any changes that needed to be made. In my case, BitLocker recommended that I turn on the TPM security hardware on my test system, which required me to reboot the system and enable the TPM hardware in the system BIOS.
On my Lenovo T61p, TPM was already enabled, so BitLocker was able to start the drive encryption process immediately.
As part of the encryption process, BitLocker offers a way to save a "recovery key" -- a 40-digit code provided specifically as a means to access your data if there is a problem with your system or you lose your PIN. You can save the recovery key to a USB drive or a local file, or you can print it out. The encryption process can take some time to complete -- it all comes down to the amount of data stored on the partitions, the speed of the hard disk and processor performance. The Toshiba Portege system, which had a solid-state drive with about 30GB of data, took over 3 hours to encrypt (luckily, the encryption process can run in the background). The Lenovo T61p, with 70GB of data stored on an internal 120GB hard drive, took a lot longer -- in fact, I wound up letting the encryption process run overnight.
After encrypting the drives, I found little difference in how the systems performed -- applications seemed to load as quickly, boot times remained about the same and operations such as file copying seemed just as fast. That said, there was some measurable CPU overhead when encrypting and decrypting files, but, as indicated by Windows Task Manager, it was less than 8 per cent and was not noticeable during normal use.
BitLocker To Go
BitLocker To Go proved to be very easy to use. All you do is launch the product and create a passphrase (or use a smartcard) to encrypt/decrypt the drive. The process takes just a few minutes; like its big brother, the utility creates a 40-digit recovery key. Once configured, BitLocker To Go can automatically encrypt USB drives whenever you insert one. That tight integration with the operating system makes it extremely easy to use for removable media. The BitLocker To Go reader automatically launches when a USB drive is inserted into a system, and then it asks for the passkey to access the data stored on the device. I encrypted eight USB key drives of various sizes -- each only took a few minutes to encrypt and all worked flawlessly.
BitLocker To Go allows the removable drive to be used with other systems, such as Windows XP and Windows Vista PCs. The only catch is that the application only allows older OSes to read the data -- new data cannot be added.
BitLocker and BitLocker To Go are a great way to encrypt and protect data files on Windows 7 PCs and should be one of the first choices for mobile and home workers who want to protect their sensitive data files.
BitLocker also supports Windows networks: administrators can set up Windows group policies that enforce the use of BitLocker on removable storage devices and also encrypt the hard drives on servers and PCs. That can be a good way to prevent data from leaving on a retired piece of IT equipment, just in case the administrator forgets to properly wipe or destroy the hard drive.
If you aren't running Windows 7, or you want to use something other than a Microsoft product (and don't want to spend any money), TrueCrypt from the TrueCrypt Developers Association is pretty hard to beat.
The product matches the features offered by Microsoft's BitLocker and offers a couple of interesting additional features, such as the ability to create a virtual encrypted volume that is mounted as a drive letter or associated with a virtual folder. In other words, you can store all of your critical data files on a separate, encrypted disk volume and then access those data files by associating a drive letter with the volume and entering the associated passkey. That way you can allow others to use your PC while your sensitive data is protected from prying eyes.
At a Glance
TrueCrypt Developers Association
That method offers several advantages. First off, you can "hide" the encrypted volumes, so other users don't even know that they exist. You can also segregate your data files, only encrypting what you deem important. And finally, you do not need to encrypt your application or operating system files, which means the system won't take as much of a performance hit.
TrueCrypt uses several different encryption algorithms, including AES, Serpent and Twofish. Those algorithms can be combined in many different ways to create complex encryption schemes -- those looking to delve into the technical details of TrueCrypt's encryption algorithms can check out the dozens of pages of information on its Web site. I downloaded version 6.3 from the site; installation was a matter of minutes.
When I launched the application, I was presented with a concise management console that was very easy to navigate. It offered a list of drive letters (which could be associated with encrypted volumes), as well as several buttons used to mount and dismount encrypted volumes. The top of the screen offers several pull-down menus, which include features such as encrypting the system volume, creating rescue media, building keys and so on. Simply put, anything that TrueCrypt could do was right at my fingertips.
One of the first things I chose to do was encrypt the complete hard drive on my system. Selecting that option launched a wizard that made the process ridiculously easy. Like BitLocker, the encryption process ran in the background. It took about two hours to encrypt the contents of the Toshiba Portege system, almost an hour faster than BitLocker. Also, TrueCrypt used negligible amounts of CPU time, as little as 2 per cent or 3 per cent of processor utilization.
TrueCrypt offers several other features that are worth noting. First of all, the product comes with an extensive context-sensitive help function, which does an excellent job of illustrating its capabilities and nuances -- in fact, its help is as good as that from the two other products, which have commercial vendors. Secondly, I found TrueCrypt's approach to mounting encrypted devices to be a logical and manageable process.
Simply put, when you want to access an encrypted volume, you just mount that volume with a drive letter. All you need to do then is type in your passkey to access the data. You can also make those connections persistent and automatic, so that you will not have to enter passwords or manually map drives whenever you insert an encrypted device or access an encrypted volume. While that does make things a little simpler, automating password or key entry can defeat the purpose of encryption on a portable system. However, automation does work well with removable media -- that way, when traveling with a key drive, the data is fully protected and only available when plugged into a system that contains the proper passkey.
I tested TrueCrypt's ability to work with removable media by encrypting four USB key drives. While the process was not quite as automated as with BitLocker, it still proved easy. All I had to do was insert the USB drive, select the device from the TrueCrypt menu and then launch the encryption wizard.
Unlike BitLocker, TrueCrypt does not include any type of a reader application -- that means any system that needs to read the encrypted removable media must have TrueCrypt installed. TrueCrypt automatically works with TPM and adheres to the standard.
TrueCrypt also offers a plethora of configuration settings, default options and operational choices. For example, users worried about forgetting their passkeys can create rescue media that will grant them access to an encrypted volume if needed. TrueCrypt works with Microsoft Windows 7/Vista/XP/2000; it is also available for Apple Mac OS X and Linux systems, making it a good choice for users who work with multiple platforms.
In fact, the number of choices can be overwhelming. Luckily, TrueCrypt's extensive documentation helps you to navigate through the choices -- and it's safe to say that the majority of users will only use the basic features of the product.
The only area where TrueCrypt comes up short is networking -- the product does not integrate with Windows server policies or offer the advanced networking capabilities needed by administrators looking to encrypt volumes remotely or across a LAN. Other than that, TrueCrypt is a real winner and comes at a price that can't be beat.
PGP Corp. has been around since 2002, but the company's roots go back to 1991, when the code base for Pretty Good Privacy (PGP) was developed. Over the years, PGP has become one of the leaders in encryption technologies. The company offers a wide variety of products that help users encrypt data files, e-mails and many other types of data. For the mobile worker and the individual user, PGP Whole Disk Protection is a very good choice for protecting the data on a hard drive.
PGP Whole Disk Encryption offers all of the same basic features as BitLocker and TrueCrypt. The management console runs as a desktop application -- similar in design to both BitLocker and TrueCrypt -- offering wizards, interactive help and tools to encrypt and decrypt data files stored on encrypted volumes.
Unlike BitLocker, which is bundled with Windows 7, and TrueCrypt, which is free, PGP Whole Disk Encryption comes with a price tag: $US149 per seat. However, that price tag delivers some capabilities not found in other products.
At a Glance
Price: $US149 per seat
For example, unlike BitLocker, PGP Whole Disk Encryption works with a number of platforms, including 32-bit and 64-bit versions of Windows 2003, XP, Vista and Mac OS X. Also, unlike TrueCrypt, PGP Whole Disk Encryption can scale for networked environments and can be managed using a networked console, the PGP Universal Gateway, which manages the keys and other enterprise aspects of the platform.
PGP Whole Disk Encryption is available as a standalone, single-user product and is also available in work group, server and managed-services editions, which allows the product to scale from a single-user solution to a large enterprise network.
The product is very easy to install. Adding encryption to a drive or device is just as simple, yet you have a great deal of control over how the product works with your data, thanks to granular menus that allow you to configure options for everything from encryption strength to target devices.
By default, PGP Whole Disk Encryption uses 256-bit AES encryption and leverages PGP's Hybrid Cryptographic Optimizer (HCO) technology. HCO uses improved algorithms and is designed to be very efficient, which helps to improve performance.
PGP Whole Disk Encryption offers many features, including the ability to use single sign-on, a technology that limits the number of times that you have to enter passwords or keys -- ideally, you will only have to enter those at the beginning of your session and then have access to all of your authorized devices without having to authenticate again.
The program also lets you create an encrypted "PGP Zip" file that you can send to others (your recipients will not need a copy of PGP to access the files). PGP also includes a secure data-shredding tool for making any deleted file unrecoverable.
PGP's whole disk functionality allows users to encrypt a complete hard drive in a single step, with no need to separately encrypt the partitions on the hard drive. That makes the concept of encryption much easier to grasp for neophyte users and also makes it easier to apply the product to portable systems.
PGP Whole Disk Protection also works with TPM, if the system is so equipped. When paired with single sign-on capabilities, PGP Whole Disk Protection works transparently, making it very easy to deploy to multiple users without generating requests for help or training.
I found the whole process very easy. Once PGP Whole Disk Protection was installed, all I had to do was launch the PGP Desktop and click on "Encrypt whole disk." The encryption process runs in the background and requires only that you input a password. It only took about two hours to encrypt my Toshiba Portege and about five hours to do my Lenovo T61p. When I rebooted the systems, a PGP screen came up asking for my password; once I entered that, the boot process continued as normal.
PGP Whole Disk Protection is adept at handling removable media. I encrypted six USB drives, and the process was very straightforward. All I needed to do was insert a fresh USB drive into the system and then launch the appropriate wizard from the PGP Desktop. You can encrypt the whole USB drive or create a Virtual Volume. A Virtual Volume allows you to create an encrypted container on the drive, which can then be mounted as a separate drive. Once the password is entered, a Virtual Volume works just like any other storage device.
The product proved to be easier to use than TrueCrypt, although not as easy as BitLocker, thanks to the PGP Desktop, which is laid out in an easy-to-understand fashion and features single-click wizards, such as "encrypt my hard drive," that eliminate many steps for the user.
PGP offers excellent documentation and support, including text and video tutorials and numerous tips.
PGP offers an upgrade path to PGP Desktop Professional, which includes encryption for e-mail and chat, as well as support for creating encrypted disk images. Users looking to encrypt more than just their hard drive contents will want to consider the move to PGP Desktop Professional, which goes for $US199 for a perpetual license.
It has never been easier to encrypt your hard drives and removable storage devices, and the excuses not to do so are quickly evaporating. The only difficulty is choosing the correct product.
If you have the latest PC with Windows 7 Ultimate or Enterprise, it makes the most sense to stick with BitLocker and BitLocker To Go -- after all, those applications are included with the operating system. If you are comfortable with open-source products, then TrueCrypt may prove to be the best choice. It's easy to use and it's free.
Finally, if you are looking to protect multiple platforms, have access to additional encryption technologies, such as email and IM session encryption, or want to support encryption on a networked environment, then PGP's Whole Disk Encryption may be your best bet. At a price of $US149, PGP Whole Disk Encryption may cost more than TrueCrypt, but it is a bit cheaper than upgrading to Windows 7 Ultimate.
Frank J. Ohlhorst is a technology professional specializing in products and services analysis and writes for several technology publications. His Web site can be found at www.ohlhorst.net.