Effective yet simple encryption for a laptop
March 1, 2015 4:07 AM Subscribe
What is the simplest and most effective way to protect data on a laptop - simple enough for a not tech-savvy lady in her 60s?
Asking for a family friend - she works with sensitive documents that she would not want to be accessed should she lose her laptop (left it on a train, or it got stolen for example).
Whilst no encryption system is uncrackable what can I setup for her that would give her the peace of mind that the documents were as safe as they can realistically be, but also easy enough for her to work with on a daily basis?
This can either be on her existing Windows machine or she might consider buying a new laptop so OSX is not out of the question.
Asking for a family friend - she works with sensitive documents that she would not want to be accessed should she lose her laptop (left it on a train, or it got stolen for example).
Whilst no encryption system is uncrackable what can I setup for her that would give her the peace of mind that the documents were as safe as they can realistically be, but also easy enough for her to work with on a daily basis?
This can either be on her existing Windows machine or she might consider buying a new laptop so OSX is not out of the question.
I am ignorant of what's available on Windows, but OS X has a built in facility called FileVault, which is full disk encryption and allows for remote wiping of the disk if required, and if they have Find My Mac switched on. I don't use it myself, but I'm pretty sure it works transparently for the user and is effective. There is a reasonably comprehensive article about it on MacWorld, here.
As you probably know, the thing about this kind of stuff is that if the user forgets their password it is all over. If this were not true, then it wouldn't be worth having.
posted by mewsic at 4:31 AM on March 1, 2015
As you probably know, the thing about this kind of stuff is that if the user forgets their password it is all over. If this were not true, then it wouldn't be worth having.
posted by mewsic at 4:31 AM on March 1, 2015
Seconding Windows BitLocker.
posted by MrBobaFett at 5:56 AM on March 1, 2015
posted by MrBobaFett at 5:56 AM on March 1, 2015
Prefacing this by saying that any encryption effectiveness will hinge on a good passphrase. She should write it down in a piece of paper and store it somewhere safe (definitely not in items that might get stolen along with the laptop) just in case she forgets it, 2nding mewsic's comment. For strong passphrase generation, if she doesn't have one yet, I suggest Diceware.
Tool choice depends on the threat model and the level of convenience desired: if she is confident that her laptop will never be stolen while powered on, full disk encryption (FDE) is enough; if not, file level encryption is needed in addition to FDE, and even so it must be assumed that at time of theft the encrypted files were not in a readable state. Since the adversary is a random thief and not a government agency or other powerful entity, Windows or Mac should be safe enough for the purpose, so no need for new hardware or OS.
FDE should _always_ be used no matter the threat model to prevent OS-level leaks (swap file, temp files, etc). See also this recent AskMe for a very good example of why FDE is important.
I strongly recommend TrueCrypt:
- it's probaly the most user-friendly encryption tool I know of;
- so far there's no reason to believe it's unsafe in any way, quite the contrary, actually;
- cross-platform support - in case of hardware failure of the laptop, it may be useful to take out the HDD and mount it in another system (this of course doesn't remove the necessity of proper backups). Unlike BitLocker and others, TC-encrypted volumes can be mounted on ALL major OSes, with a consistent GUI: GNU/Linux distros, Windows and OS X. There's also the command-line only tcplay, an indepedent implementation for other UNIX-like systems.
If she is currently using Windows, an NTFS-formatted (the default since XP) system encrypted volume is the way to go, she'll be asked for the TrueCrypt passphrase every time before Windows starts and then it's business as usual. Note that the TrueCrypt passphrase has nothing to do with the Windows user passphrase, they may be the same or not, both should be strong enough for the desired security/convenience trade-off.
Should file level encryption be desired as well, I again recommend TrueCrypt, this time as a file container inside the TC-encrypted system disk.
Double-click the container file, and the TC GUI pops-up asking for a passphrase to unlock the container, which will then be mounted to a drive letter of her choice, and show up as an extra HDD, as if she plugged in an external USB disk. When done reading/editing the documents, unmount the volume using the GUI and the extra drive letter will disappear. For extra security, she might even use a keyfile stored on removable storage in addition to the passphrase to unlock the TC container, but be careful not to over-complicate things for little or no added benfit.
Using TrueCrypt is as easy as encryption can possibly get, but when setting things up initially (encrypting the system voulme, backing up the headers, creating the container, etc) some guidance will probably be required, so if possible you or someone else knowledgeable enough should help her if you feel it's necessary.
And to re-iterate: write down the important passphrase(s), backup the TC-volume header(s) and keyfile(s) and store them all together in a safe place for an emergency. Don't neglect the possiblity of her locking herself out of her files forever!
posted by Bangaioh at 7:17 AM on March 1, 2015 [1 favorite]
Tool choice depends on the threat model and the level of convenience desired: if she is confident that her laptop will never be stolen while powered on, full disk encryption (FDE) is enough; if not, file level encryption is needed in addition to FDE, and even so it must be assumed that at time of theft the encrypted files were not in a readable state. Since the adversary is a random thief and not a government agency or other powerful entity, Windows or Mac should be safe enough for the purpose, so no need for new hardware or OS.
FDE should _always_ be used no matter the threat model to prevent OS-level leaks (swap file, temp files, etc). See also this recent AskMe for a very good example of why FDE is important.
I strongly recommend TrueCrypt:
- it's probaly the most user-friendly encryption tool I know of;
- so far there's no reason to believe it's unsafe in any way, quite the contrary, actually;
- cross-platform support - in case of hardware failure of the laptop, it may be useful to take out the HDD and mount it in another system (this of course doesn't remove the necessity of proper backups). Unlike BitLocker and others, TC-encrypted volumes can be mounted on ALL major OSes, with a consistent GUI: GNU/Linux distros, Windows and OS X. There's also the command-line only tcplay, an indepedent implementation for other UNIX-like systems.
If she is currently using Windows, an NTFS-formatted (the default since XP) system encrypted volume is the way to go, she'll be asked for the TrueCrypt passphrase every time before Windows starts and then it's business as usual. Note that the TrueCrypt passphrase has nothing to do with the Windows user passphrase, they may be the same or not, both should be strong enough for the desired security/convenience trade-off.
Should file level encryption be desired as well, I again recommend TrueCrypt, this time as a file container inside the TC-encrypted system disk.
Double-click the container file, and the TC GUI pops-up asking for a passphrase to unlock the container, which will then be mounted to a drive letter of her choice, and show up as an extra HDD, as if she plugged in an external USB disk. When done reading/editing the documents, unmount the volume using the GUI and the extra drive letter will disappear. For extra security, she might even use a keyfile stored on removable storage in addition to the passphrase to unlock the TC container, but be careful not to over-complicate things for little or no added benfit.
Using TrueCrypt is as easy as encryption can possibly get, but when setting things up initially (encrypting the system voulme, backing up the headers, creating the container, etc) some guidance will probably be required, so if possible you or someone else knowledgeable enough should help her if you feel it's necessary.
And to re-iterate: write down the important passphrase(s), backup the TC-volume header(s) and keyfile(s) and store them all together in a safe place for an emergency. Don't neglect the possiblity of her locking herself out of her files forever!
posted by Bangaioh at 7:17 AM on March 1, 2015 [1 favorite]
n'thing BitLocker, once it's setup there's very little maintenance. Check if there's a TPM on the laptop.
Make sure she's backing up her documents also in case of a damage or stolen laptop. Or a deleted document.
posted by beowulf573 at 7:54 AM on March 1, 2015
Make sure she's backing up her documents also in case of a damage or stolen laptop. Or a deleted document.
posted by beowulf573 at 7:54 AM on March 1, 2015
I used PGP on a business laptop. All the sensitive data went on a encrypted virtual drive. All it took as a user was to type in the pass phrase when booting. Simple. However, dealing with PGP was a wonky experience, so help with setup would be a good idea for a non-nerd.
To be effective, the user has to do his/her part, not put data in the wrong place, shut down rather than hibernating when leaving the house, etc.
posted by SemiSalt at 4:53 PM on March 1, 2015
To be effective, the user has to do his/her part, not put data in the wrong place, shut down rather than hibernating when leaving the house, etc.
posted by SemiSalt at 4:53 PM on March 1, 2015
« Older miscarriage number two. so now what? | What are the ethical concerns of owning pet fish? Newer »
This thread is closed to new comments.
posted by alex1965 at 4:28 AM on March 1, 2015 [1 favorite]