Secret Files
Make sure lost or stolen data cannot be accessed
How much personal information is on your computer? Is there anything on your computer that, if it were published on the Internet, would make you uncomfortable or even jeopardize your well-being? If so, then you need to use encryption.
Rule of thumb: encrypt everything!
There are different ways to encrypt your data. At the very least, your data should be encrypted while at rest. That means that if your hard drive or flash drive were stolen, your data would remain unreadable without your secret key. On Mac OS, a built-in feature called FileVault will do the job, and on Windows, the equivalent is BitLocker. Linux distributions often provide a way to perform whole-disk encryption, too. However, if you don’t have to enter your password when your computer boots up, you really should enable that prompt, because otherwise anyone who boots your computer has unfettered access to your data. Also, don’t store your encryption key with your encrypted data!
Safeguard sensitive information
You may think that if your whole disk is encrypted, your data is safe. While whole-disk encryption may protect the data on the drive while the computer is turned off, anyone with access to the computer (legitimately or not) while it is running will be able to read data on the disk. Files on your encrypted drive are decrypted when they are copied, so your backups won’t be encrypted unless you explicitly encrypt them. If a drive is removed from its host computer, there are tools that may be able to give access to the data, depending on the configuration of the host computer.
The threats we are trying to protect against are:
- Keeping data secret if the physical medium storing it is lost or stolen
- Protecting all non-public information on portable drives, which have a high probability of being misplaced or left unguarded
- Protecting sensitive data from being accessed by malicious software or other illegitimate means
I recommend encrypting your sensitive data using a third-party mechanism, even if it is stored on an encrypted drive. My requirements for such a tool are:
- Cross platform: Can run on Mac OS, Windows, and Linux, and preferably on Android and iOS, too.
- Portable: I.e., can be run without installing on the host computer. This is very useful when protecting data on removable or portable drives on public computers.
- Open source: Auditable by anyone.
VeraCrypt to the rescue!
VeraCrypt (and its predecessor, TrueCrypt) meets these requirements and then some. It even offers plausible deniability using hidden volumes, so you can provide a password to an encrypted file containing false or less sensitive data, while the really sensitive data is encrypted a second time inside the first file while not being detectable. That’s pretty cool. There are also third-party iOS and Android apps that can manage VeraCrypt files (see the link for Android and iOS support on the VeraCrypt home page).
I’ve used this tool for years to protect sensitive data on a flash drive that I carry on my keychain. VeraCrypt, while it can be installed on a host computer, can also be run directly from a flash drive or USB hard drive without being installed, opening up all sorts of opportunities for accessing data on any platform.
How does VeraCrypt work?
VeraCrypt can encrypt an entire drive, one or more partitions on the drive, or it can work with a virtual drive stored as a file on a physical drive. I like to use VeraCrypt in that last mode, so that’s what I will talk about today. If you’ve ever worked with disk images in Mac OS, this concept will be very familiar to you.
When you launch VeraCrypt, you are given the opportunity to create a new virtual drive or to use an existing one. You simply select the file containing the virtual drive, enter the password and you will have an additional drive available to your system whose contents are encrypted. Since the VeraCrypt executable can be run from a flash drive, this is a very convenient way of storing sensitive information on a flash drive (I carry one on my keychain). If you combine this setup with a live distribution of Linux, you can stick your flash drive in any public computer, boot from it, and have relatively secure access to your sensitive data. And it all fits on a very portable flash drive.
You could also place your virtual drive on a remote system such as a network attached storage (NAS) device. This is probably not optimal for large datasets, but for additional security on small files, it will work just fine. If your use case involves networked storage, check to see what encryption options your networked storage platform offers as it will likely have better performance. Theoretically, you could store your virtual disk on a cloud drive, but performance may not be very good, and I wouldn’t store highly sensitive information this way.
When you are finished using any files on the encrypted virtual drive, simply unmount the virtual drive. (Use the eject command on Mac OS or Windows.) Remember to do this before disconnecting any removable drives to avoid data corruption. I recommend disabling write caching for removable drives, if your system has such a setting.
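The create, mount and unmount cycle described above can also be driven from VeraCrypt's text-mode command line on Linux. The script below is an added example, not part of the original post: the function names and the container and mount paths are placeholders, and it assumes VeraCrypt's default Linux mode, in which a mounted volume appears as a /dev/mapper/veracryptN device.

```shell
#!/bin/sh
# Added example: file-container workflow with the VeraCrypt text-mode CLI (Linux).
# Function names and paths are placeholders. Passwords are prompted for
# interactively, so they never land in shell history or the process list.

# Create a container file holding a FAT-formatted virtual drive.
vc_create() {  # $1 = container file, $2 = size (e.g. 64M)
    veracrypt --text --create "$1" --volume-type=normal --size="$2" \
        --encryption=AES --hash=SHA-512 --filesystem=FAT \
        --pim=0 --keyfiles="" --random-source=/dev/urandom
}

# Mount the container as an extra drive; VeraCrypt asks for the password.
vc_open() {  # $1 = container file, $2 = mount point
    mkdir -p "$2" &&
    veracrypt --text --pim=0 --keyfiles="" --protect-hidden=no "$1" "$2"
}

# Succeeds only if a VeraCrypt device is mounted at the given mount point.
# Assumes the mount point contains no spaces (the mounts table escapes them).
vc_is_mounted() {  # $1 = mount point, $2 = mounts table (default /proc/mounts)
    awk -v mp="$1" '
        $2 == mp && $1 ~ /^\/dev\/mapper\/veracrypt/ { found = 1 }
        END { exit !found }' "${2:-/proc/mounts}"
}

# Flush pending writes, dismount, then verify before the drive is unplugged.
vc_close() {  # $1 = container file, $2 = mount point
    sync
    veracrypt --text --dismount "$1" || return 1
    if vc_is_mounted "$2"; then
        echo "still mounted at $2: do not unplug the drive" >&2
        return 1
    fi
    echo "dismounted: safe to eject the drive"
}

# Typical session (placeholder paths on a flash drive mounted at /media/usb):
#   vc_create /media/usb/vault.hc 64M
#   vc_open   /media/usb/vault.hc "$HOME/vault"
#   vc_close  /media/usb/vault.hc "$HOME/vault"
```

Mounting normally asks for administrator rights, and `vc_close` returns non-zero if files on the volume are still open, which is the signal to close them before removing the drive.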
Caveats
Backups for encrypted drives may require some extra attention. The drive, volume, or virtual disk must be unlocked before you can copy files from it to another location, and this may complicate your existing backup mechanisms. If you use cloning software to copy your entire disk, you will generally be okay, though sometimes it may not be possible to back up disks with encrypted partitions. I suggest you read the documentation for the disk encryption software you will use as well as the backup software you will use.
Don’t lose your encryption key! If you can’t find or recover your key, you will be unable to access your encrypted data, so make sure to store your encryption key in a safe place. How safe of a place depends on the consequences of your data being accessed by the wrong person, so think carefully about your threats and the risks associated with them.
So, learn about the built-in encryption mechanisms that ship with your operating system, and if they don’t meet your needs, look into third-party solutions; there are many. VeraCrypt is a tried and true free and open source solution that has worked well for me for a long time, and may very well be adequate for your needs, too.