Tuesday, March 19, 2013
Naaahhh Naahhh Na na na na naaaaah etc. (Star Trek theme tune...) Yup, it's Captain Demotricus Berk again and it's time for more mumbo jumbo talk... Encryption.

______________

The story so far... Our intrepid hero has set up two computers, one with Windows 8 Pro and the other with Windows 7, a BitTorrent client (Deluge) and a VPN, and, and... Oh well, just read the first posts :-)

Today I will be tackling encryption: what I used, why I used what I did, and how to set it up.

The first type of encryption I set my beady eye to was "BitLocker", the Microsoft offering, which comes with Windows 7 Ultimate or Enterprise editions and Windows 8 Pro. This is the Wikipedia entry:- http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption

What is encryption, I hear you ask... Well, in a nutshell, it's a combination lock on your computer's data. In the same way that you would need a combination to get into your work locker or home safe, you can set your computer up so that you need an encryption key to get into your computer's data. When you use drive encryption, ALL of the data on the drive (or "container") is encrypted and unreadable without the encryption key.

The key can be any combination of ASCII characters; the more characters you use, the better the security. You CAN, if you wish, use just a password, but it will not be as secure as if you follow my advice and use at least 20 characters. I generally think of an easy to remember phrase, then substitute key characters in the phrase with similar ASCII characters. E.g. the phrase "thequickbrownfoxjumpsoverthelazydog" can be written so:- "th3qu1ckbr0wnf0xjump50v3rth3l4zyd0g" (I tend to leave spaces out of the phrase, but you can include them if you wish).

_________________________

A note about BitLocker. When you first come to use BitLocker you may find that you are unable to use it and may receive an error message on your PC telling you that BitLocker requires a special chip installed on your motherboard.
This threw me for a long time until I discovered that you have to alter a setting in your computer in order to use it without this chip. The message reads:-

"A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found. Please contact your System Administrator to Enable Bitlocker"

Well, as YOU are usually the "System Administrator", this is what you have to do to enable BitLocker:

Open a "Run" window and enter "gpedit.msc" (this must be done as an administrator). This will open a "Local Group Policy Editor" window. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives and double click on "Require additional authentication at startup". Enable the feature and check the box next to "Allow BitLocker without a compatible TPM", click Apply and OK, and close out of Local Group Policy Editor.

Now when you switch on BitLocker in your Control Panel, instead of the error message you will be ushered into the BitLocker setup wizard, which will prompt you to choose your drive to be encrypted. It will also ask you for a key and then prompt you to back up the key to a thumb drive or CD/DVD (these are sensible precautions).

You can use BitLocker to encrypt an entire drive, which can be your C drive if you so wish, or a slave hard disk drive or external USB hard disk drive. You can also encrypt thumb drives using "BitLocker To Go", which basically means that Windows installs a reader on the drive when it encrypts it; you then have a thumb drive that is worthless without the password or key (useful).

BitLocker IS a strong encryption system, but a word of warning: it is NOT infallible. I recently came across an illuminating Microsoft document that was part of a presentation to forensic detectives instructing them just how to bypass and decrypt BitLocker encrypted drives (!!)
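The same Group Policy change done as a script instead of by clicking through gpedit.msc, followed by a check that it took. This is an added example, not from the original post; it assumes the "Require additional authentication at startup" policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE as the DWORD values UseAdvancedStartup and EnableBDEWithNoTPM, and that the Get-BitLockerVolume cmdlet is available (Windows 8 and later; on Windows 7 use "manage-bde -status" instead).

```powershell
# Added example (not the post's own code). Run from an elevated (Administrator) PowerShell.
# Assumed registry location and value names behind the gpedit.msc setting described above.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Enable-BitLockerWithoutTpm {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # UseAdvancedStartup = the policy itself ("Enabled");
    # EnableBDEWithNoTPM = the "Allow BitLocker without a compatible TPM" checkbox.
    New-ItemProperty -Path $policyKey -Name 'UseAdvancedStartup' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'EnableBDEWithNoTPM' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-BitLockerWithoutTpmPolicy {
    # $true only when both values are present and set to 1, which is what the setup wizard checks.
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

Enable-BitLockerWithoutTpm
if (Test-BitLockerWithoutTpmPolicy) {
    'Policy set: the BitLocker wizard will now accept a password or startup key instead of a TPM.'
    # Without a TPM the drive is only as strong as that password, hence the 20+ character advice above.
    # Show the current state of the system drive so you can confirm encryption actually completed.
    Get-BitLockerVolume -MountPoint $env:SystemDrive |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
} else {
    'Policy not applied; make sure this shell is running as Administrator.'
}
```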
A strong "plus" for the BitLocker system is the ability to encrypt drives "on the fly", or transparently. In layman's terms it just means that once you have unlocked the drive or system with your key, the computer behaves exactly the same as an unencrypted system. You only have to enter your key when you boot up, and then carry on as normal.

Source of above info:- http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

_____________________________

TrueCrypt. The other system I use (and have used for a number of years) is TrueCrypt. TrueCrypt is an open source encryption system that has VERY strong encryption algorithms. It is widely used and provides security for people all over this planet, including many governments and companies (even the U.S. Government uses it). Here is their website:- http://www.truecrypt.org/

TrueCrypt gives you the option of choosing an encryption algorithm or method. These include:- AES, Serpent, Twofish, AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent, RIPEMD-160, SHA-512 and Whirlpool. They are all good and, as you can probably guess by the names, some are variations that combine two or more basic algorithms to make one stronger method. In practice it doesn't really matter which you use, but as a general rule, the more complex an algorithm, the longer the encryption process and consequently the slower a system will seem to run.

TrueCrypt is extremely configurable and its use goes way beyond the scope of this brief description. You can use TrueCrypt "on the fly" in the same way as BitLocker, and you can create portable drives in the same manner as BitLocker To Go with thumb drives. You can also create "virtual encrypted drives", which appear in your system as large files. You mount them in the same way as ISOs can now be mounted in Windows 8.
I won't embarrass myself trying to explain how to use TrueCrypt's many features, but will instead point you towards the excellent tutorial on their site, which walks you through the process of creating an encrypted drive by using a "wizard". http://www.truecrypt.org/docs/

When I set my system up I made use of BitLocker on the Windows 8 machine because of its ease of use. Once you've set it up it's just a matter of entering your key when you boot up your machine; you only have to enter it once and then it's invisible, working in the background, and everything is normal and identical to using an unencrypted system.

I used TrueCrypt on the Windows 7 machine for a couple of key reasons:
1. The encryption is stronger (& I got spooked by the Microsoft document I mentioned).
2. Having used it before, I was familiar with its use, and I have a number of volumes already encrypted with TrueCrypt that I wanted easy access to, so needed the client software installed somewhere.
3. I figured if it's used by the N.S.A. then it's good enough for me...
4. I like it.

When using TrueCrypt you have to run a TSR (Terminate and Stay Resident) program upon booting, and then you mount the encrypted drive. The physical drive letter becomes inaccessible (you'll get an error if you try to click on the drive), and the new mounted drive is allocated a new letter (which then behaves as a normal drive).

All these methods are probably irrelevant if it comes to the crunch though; if the "powers that be" want to see what you've got on your computer then they have ways and means of doing so (as the Microsoft document demonstrates).

One last thing. If you are serious about wanting security by using encryption... DON'T WRITE DOWN YOUR PASSWORD OR KEY. Make it something that you can remember easily. If you make an unlock disk or thumb drive (for forgotten passwords or keys), then keep them away from your computer; preferably give them to a friend or keep them at work. Use your imagination.
Until next time... Demotricus signing off....

Edit:- Ooooh! A little footnote... Because Windows 8 Pro has been behaving itself for a while now, I have bought it (and myself) a present: yes, I have re-ordered the touchscreen. It's a Dell S2340T 23 inch Full HD Widescreen LED Multi-Touch Monitor. I will post pics when it arrives (Monday hopefully). :-)

Edit:- Some chance of that! It's now the 15/02/2013 and I'm still waiting.
Posted by Nick at 5:06 PM