TIME AND AGAIN, people are told there is one obvious way to mitigate privacy threats of all sorts, from mass government surveillance to pervasive online tracking to cybercriminals: encryption. As President Obama put it earlier this year, speaking in between his administration’s attacks on encryption, “There‚Äôs no scenario in which we don‚Äôt want really strong encryption.‚ÄĚ Even after helping expose all the ways the government can get its hands on your data, NSA whistleblower Edward Snowden still maintained, ‚ÄúEncryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.‚ÄĚ

But how can ordinary¬†people get started using encryption? Encryption comes in many forms and is used at many different stages in the handling of digital information (you’re using it right now, perhaps without even realizing it,¬†because your connection to this website is encrypted). When you’re trying to protect your privacy, it’s totally unclear how, exactly, to start using encryption. One obvious place to start, where the privacy benefits are high and the technical¬†learning curve¬†is low, is something called full disk encryption. Full disk encryption not only provides¬†the type of strong encryption Snowden and Obama reference, but it’s built in to all major operating systems, it’s the only way to protect your data in case your laptop gets lost or stolen, and it takes minimal effort to get started and use.

If you want to encrypt your hard disk¬†and have it truly help protect your data, you shouldn’t just flip it on; you should know the basics of what disk encryption protects, what it doesn’t protect, and how to avoid common mistakes that could let an attacker easily bypass your encryption.

If you’re in a hurry, go ahead and skip to the bottom, where I explain, step by step, how to encrypt your disk for Windows, Mac OS X, and Linux. Then, when you have time, come back and read the important caveats preceding those instructions.

What disk encryption guards against

If someone gets physical access to your computer and you aren’t using disk encryption, they can very easily steal all of your files.

It doesn’t matter if you have a good password because the attacker can simply boot to a new operating system off of a USB stick, bypassing your password, to look at your files. Or they can remove your hard disk and put it in a different computer to gain access. All they need is a screwdriver, a second computer, and a $10 USB enclosure.

Computers have become an extension of our lives, and private information continually piles up on our hard disks. Your computer probably¬†contains¬†work documents,¬†photos and videos, password databases, web browser histories, and other scattered bits of information that doesn’t belong to anyone but you. Everyone should be running full disk encryption on their laptops.

Encrypting your disk will protect you and your data in case your laptop falls into the wrong hands, whether it’s because you accidentally left it somewhere, your home or office was burglarized, or it was seized by government agents at home or abroad.

It’s worth noting that no one has privacy rights when crossing borders. Even if you’re a U.S. citizen entering the United States, your Constitutional rights do not apply at the border, and border agents reserve the right to copy all of the files off of your computer or phone if they choose to. This is also true in Canada, and in other countries around the world.¬†If you plan on traveling with electronic devices, disk encryption is the only way you have a chance at protecting your data if border agents insist on searching you.¬†In some situations it might be¬†in your best interest to cooperate and unlock your device, but in others it might not.¬†Without disk encryption, the choice is made for you: The border agents get all your data.

What disk encryption is useless against

There’s a common misconception that encrypting your hard disk makes your computer secure, but this isn’t entirely true. In fact, disk encryption is only useful against¬†attackers that have physical access to your computer. It doesn’t make your computer any harder to attack over a network.

All of the common ways people get hacked still apply. Attackers can still trick you into installing malware. You can still visit malicious websites that exploit bugs in Flash, or in your web browser, or in your operating system’s font or image rendering engines, or countless other ways. When you visit benevolent websites, network attackers can still secretly make them malicious by modifying them in transit. Attackers can still exploit services running on your computer, such as network file sharing, iTunes playlist sharing, or your BitTorrent client, to name a few.

And of course, disk encryption doesn’t do anything to stop internet surveillance. Spy agencies like the NSA, which¬†taps into the fiber-optic cables that make up the backbone of the internet, will still be able to spy on nearly everything you do online. An entirely different category of encryption is needed to fix that systemic problem.

The different ways you can get hacked or surveilled are too numerous to list in full. In future posts I’ll explain how to reduce the size of your probably vast attack surface. But for now it’s important to know that disk encryption only protects against a single flavor of attack: physical access.

How it works

The goal of disk encryption is to make it so that if someone who isn’t you has access to your computer they won’t be able to access any of your files, but instead will only see scrambled, useless ciphertext.

Most disk encryption works like this. When you first power your computer on, before your operating system can even boot up, you must unlock your¬†disk¬†by supplying the correct encryption key. The files that make up your operating system are on your encrypted disk, after all, so there’s no way for your computer to work with them until the disk is unlocked.

In most cases, typing your passphrase doesn’t unlock the whole disk, it unlocks an encryption key, which in turn unlocks everything on the¬†disk. This indirection allows you to change your passphrase without having to re-encrypt your disk with a new key, and also makes it possible to have multiple passphrases that can unlock the disk, for example, if you add another user account to your laptop.

This means that your disk encryption passphrase is potentially one of the weakest security links. If your passphrase is ‚Äúletmein,‚ÄĚ a competent attacker will get past your disk encryption immediately. But if you use a properly generated high-entropy passphrase like ‚Äúrunge wall brave punch tick zesty pier,‚ÄĚ it’s likely that no attacker, not even the NSA or Chinese intelligence, will ever be able to guess it.

You have to be extremely careful with strong disk encryption¬†that can only be unlocked with a passphrase you’ve memorized. If you forget the passphrase, you get locked out of your own computer, losing your data forever. No data recovery service can help you, and if you give your machine to the FBI, it¬†won’t be able to access your files either. Because that’s kind of the point of disk encryption.

Once your computer is on and you’ve entered your passphrase, your disk encryption is completely transparent to you and to the applications on your computer. Files open and close as they normally would, and programs work just as they would on an unencrypted machine. You won’t notice any performance impact.

This means, however, that when your computer is powered on and unlocked, whomever is sitting at it has access to all your files and data, unencumbered by encryption. So if you want your disk encryption to work to its full potential, you need to lock your screen when your computer is going to be on while you’re away, and, for those times when you forget to lock it, you need to set it to lock automatically after, say, 10 minutes of idling.

It’s also important that you don’t have any other users on your system who¬†have weak passwords or no passwords, and that you disable the guest account. If someone grabs your laptop, you don’t want them to be able to log in at all.

Attacks against disk encryption

There are a few attacks against disk encryption that are tricky to defend against. Here are some precautions you can take.

Power off your computer completely (don’t just suspend it) when you think it’s¬†at risk of¬†falling into someone else’s hands, like¬†right before¬†going through customs when entering a new country. This¬†defends against memory-based attacks.

Computers have temporary storage called RAM (otherwise known as memory), which you can think of as scratch paper for all of your software. When your computer is powered on, your software is constantly writing to and deleting from parts of your RAM.¬†If you use disk encryption, as soon as you successfully unlock your encrypted disk the encryption key is stored in RAM until you power your computer off. It needs to be ‚ÄĒ otherwise there would be no way to encrypt and decrypt files on the fly as you use your computer.

But unfortunately, laptops have ports that have direct memory access, or DMA, including FireWire, ExpressCard, Thunderbolt, PCI, PCI Express, and others. If an attacker has access to your computer and your disk is unlocked (this is true even if your laptop is¬†suspended), the attacker¬†can simply plug a malicious device into your computer to be able to manipulate your RAM. This could include directly reading your encryption keys or injecting commands into your operating system, such as closing the screen lock program. There is open source software called Inception that does just this using a FireWire cable and a second laptop, and there’s plenty of commercial hardware available too, like this one, or this one.¬†It’s worth noting that new versions of Mac OS X use a cool virtualization technology called VT-d to thwart this type of DMA attack.


cold-boot

Demonstration of a cold boot attack.

Photo courtesy of J. Alex Halderman et al. "Lest We Forget: Cold Boot Attacks on Encryption Keys"

But there are other ways¬†for an attacker to learn what’s in your RAM.¬†When you power your computer off, everything in RAM fades into nothingness. But this doesn’t happen immediately; it takes a few minutes, and an attacker¬†can make it take even longer by physically freezing the RAM.¬†An attacker with physical access to your powered-on computer can use a screwdriver to open the case of your computer and then use an upside-down can of compressed air to freeze your RAM (as in the image above). Then the attacker¬†can quickly cut the power to your computer, unplug your RAM, plug the RAM into a different computer, and dump all of the data from RAM to a disk. By sifting through that data, they can find a copy of your encryption key, which can then be used to decrypt all of the files on your hard disk. This is called the cold boot attack, and you can see a video of it in action here.

The key takeaway is that while your encrypted disk is unlocked, disk encryption doesn’t fully protect your data. Because of this, you may consider closing all your work and completely shutting down your computer at the end of the day rather than just suspending it.

It’s also important to¬†make sure your laptop is always physically secure so that only people you trust ever have access to it. You should consider carrying your laptop with you¬†wherever you go, as inconvenient as that may be, if your data is extremely important to you. When traveling, bring it with you in a¬†carry-on bag instead of checking it in your luggage, and carry it with you¬†rather than leaving it in a¬†hotel room. Keep it with a trusted friend or locked in a safe when you can’t babysit it yourself.

This is all to defend against a different type of¬†disk encryption attack known, in somewhat archaic language, as the “evil maid” attack. People often leave their laptops in their hotel room while traveling, and all it takes is one hotel housekeeper/elite hacker to foil your disk encryption.

Even when you use full disk encryption, you normally don’t encrypt 100 percent of your disk. There’s a tiny part of it that remains in plaintext. The program¬†that runs as soon as you power on your computer, which¬†asks you to type in your passphrase and unlocks your encrypted disk, isn’t encrypted itself. An attacker with physical access to your computer could modify that program on the tiny part of your disk that isn’t encrypted to secretly do something malicious, like wait for you to type your passphrase and then install malware in your operating system as soon as you successfully unlock the disk.

Microsoft BitLocker does some cool tricks to make software-based evil maid attacks considerably harder by storing your encryption key in a special tamper-resistant chip in your computer called a Trusted Platform Module, or TPM. It’s designed to release your encryption key only after confirming that¬†your bootloader hasn’t been modified to be malicious,¬†thwarting evil maid attacks. Of course, there are other attacks against TPMs.¬†Last month The Intercept¬†published a document¬†about the CIA’s research into¬†stealing keys from TPMs, with the explicit aim of attacking BitLocker. They have successfully done it, both by monitoring electricity usage of a computer while the TPM is being used and by¬†‚Äúmeasuring electromagnetic signals emanating from the TPM while it remains on the motherboard.‚ÄĚ

You can set up your Linux laptop to always boot off of a USB stick that you carry around with you, which also mitigates against evil maid attacks (in this case, 100 percent of your disk actually is encrypted, and you carry the tiny unencrypted part around with you). But attackers with temporary access to your laptop can do more than modify your boot code. They could install a hardware keylogger, for example, that you would have no way of knowing is in your computer.

The important thing about evil maid attacks is that they work by tampering with a computer without the owner’s knowledge, but they still rely on the legitimate user to unlock the encrypted disk. If someone steals your laptop they can’t do an evil maid attack against you. Rather than stealing it, the attacker needs to secretly tamper with it and return it to you without raising your suspicions.

You can try using bleeding-edge tamper-evidence technology, such as glitter nail polish, to detect if someone has tampered with your computer. This is quite difficult to do in practice. If you have reason to believe that someone might have maliciously tampered with your computer, don’t type your passphrase into it.

Defending against these attacks might sound intimidating, but the good news is that most people don’t need to worry about it. It all depends on your threat model, which basically is an assessment of your situation to determine how paranoid you really need to be. Only the most high-risk users need to worry about memory-dumping or evil maid attacks. The rest of you can simply turn on disk encryption and forget about it.

What about TrueCrypt?

TrueCrypt is popular disk encryption software used by millions of people. In May 2014, the security community went into shock when the software’s anonymous developers shut down the project, replacing the homepage with a warning that ‚Äúusing TrueCrypt is not secure as it may contain unfixed security issues.‚ÄĚ

TrueCrypt recently underwent a thorough security audit showing that it doesn’t have any backdoors or major security issues. Despite this, I don’t recommend that people use TrueCrypt simply because it isn’t maintained anymore. As soon as a security bug is discovered in TrueCrypt (all software contains bugs), it will never get fixed. You’re safer using actively developed encryption software.

How to encrypt your disk in Windows

BitLocker, which is Microsoft’s disk encryption technology, is only included in the Ultimate and Enterprise editions¬†of Windows Vista and Windows 7, and the Enterprise and Pro editions of Windows 8 and 8.1, but not the Home editions, which is what often comes pre-installed on Windows laptops. To see if BitLocker is supported on your version of Windows, open up Windows Explorer, right-click on C drive, and see if you have a ‚ÄúTurn on BitLocker‚ÄĚ option (if you see a ‚ÄúManage BitLocker‚ÄĚ option, then congratulations, your disk is already encrypted, though you may want to finish reading this section anyway).

If BitLocker isn’t supported in your version of Windows, you can choose to upgrade to a version of Windows that is supported by buying a license (open Control Panel, System and Security, System, and click “Get more features with a new edition of Windows”). You can also choose to use different full disk encryption software, such as the open source program DiskCryptor.

BitLocker is designed to be used with a¬†Trusted Platform Module, the tamper-resistant chip built in to new PCs¬†that can store your disk encryption key. Because BitLocker keys are stored in the TPM, by default it doesn’t require users to enter a passphrase when booting up. If your computer doesn’t have a TPM (BitLocker will tell you as soon as you try enabling it), it’s possible to use BitLocker without a TPM and to use a passphrase or USB stick instead.

If you only rely on your TPM to protect your encryption key, your disk will get automatically unlocked¬†just by powering on the computer. This means¬†an attacker who steals your computer¬†while it’s fully powered off can simply power it on in order to do a¬†DMA or cold boot attack to extract the key. If you want your disk encryption to be much more secure,¬†in addition to using your TPM you should also¬†set a PIN to unlock your disk¬†or require inserting a USB stick on boot. This is more complicated, but worth¬†it for the extra security.

Whenever you’re ready, try enabling BitLocker on your hard disk by right-clicking on C drive and choosing the ‚ÄúTurn on BitLocker‚ÄĚ option. First you’ll be prompted to make a backup of your recovery key, which can be used to unlock your disk in case you ever get locked out.

I recommend that you don’t save a copy of your recovery key to your Microsoft account. If you do, Microsoft ‚ÄĒ and by extension anyone Microsoft is compelled to share data with, such as law enforcement or intelligence agencies, or anyone who¬†hacks into Microsoft’s servers and can steal its¬†data ‚ÄĒ will have the ability to unlock your encrypted disk. Instead, you should save your recovery key to a file on another drive or print it. The recovery key can unlock your disk, so it’s important that it doesn’t fall into the wrong hands.

Follow the rest of the simple instructions and reboot your computer. When it boots up again, your disk will begin encrypting. You can continue to work on your computer while it’s encrypting in the background.

Once your disk is done encrypting, the next step is to¬†set a PIN. This requires tweaking some internal¬†Windows settings,¬†but it shouldn’t be too hard if you follow the instructions to the dot.

Click Start and type “gpedit.msc” and press enter to open the Local¬†Group Policy Editor. In the pane to the left, navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

In the pane to the right, double-click on “Require additional¬†authentication at startup.” Change it from “Not Configured” to “Enabled,” and click OK.¬†You can close the Local Group Policy Editor.

Now open Windows Explorer, right-click on drive C, and click “Manage BitLocker”.

In the BitLocker Drive Encryption page, click “Change how drive is unlocked at startup.” Now¬†you can choose to¬†either require a PIN while starting up, or requiring that you insert a USB flash drive. Both¬†work well, but I suggest you¬†use a PIN because it’s something that you memorize. So if you get detained while crossing a border, for example, you can choose not to type your PIN to unlock your drive, however you can’t help it if border agents confiscate your USB flash drive and use that to boot your computer.

If you choose to require a PIN, it must be between four and 20 numbers long.¬†The longer you make it, the more secure it is, but¬†make sure you choose one that you can memorize. It’s best if you pick this PIN¬†entirely at random rather than basing it on something in your life, so avoid easily guessable PINs like birthdates of loved ones or phone numbers. Whatever you choose, make sure you don’t forget it, because otherwise you’ll be locked out of your computer. After entering your PIN twice, click Set PIN.

Now reboot your computer. Before Windows starts booting this time, you should be prompted to type your PIN.

Finally, open User Accounts to see all of the users on your computer, confirm that they all have¬†passwords set, and change them to be stronger if necessary. Disable the guest account if it’s enabled.

How to encrypt your disk in Mac OS X

FileVault, Apple’s disk encryption technology for Macs, is simple to enable. Open System Preferences, click on the Security & Privacy icon, and switch to the FileVault tab. If you see a button that says ‚ÄúTurn Off FileVault…‚ÄĚ then congratulations, your disk is already encrypted. Otherwise, click the lock icon in the bottom left so you can make changes, and click ‚ÄúTurn On FileVault…‚ÄĚ

Next you will be asked if you want to store a copy of your disk encryption recovery key in your iCloud account.

I recommend that you don’t allow your iCloud account to unlock your disk. If you do, Apple ‚ÄĒ and by extension anyone Apple is compelled to share data with, such as law enforcement or intelligence agencies, or anyone who¬†hacks into Apple’s servers and can steal its¬†data ‚ÄĒ will have the ability to unlock your encrypted disk. If you do store your recovery key in your iCloud account, Apple encrypts it using¬†your answers to a series of secret questions as an encryption key itself, offering little real security.

Instead, choose ‚ÄúCreate a recovery key and do not use my iCloud account‚ÄĚ and click Continue. The next window will show you your recovery key, which is 24¬†random letters and numbers. You can write this down if you wish. The recovery key can unlock your disk, so it’s important that it doesn’t fall into the wrong hands.

Once you click Continue you will be prompted to reboot your computer. After rebooting, FileVault will begin encrypting your hard disk. You can continue to work on your computer while it’s encrypting in the background.

With FileVault, Mac OS X user passwords double as passphrases to unlock your encrypted disk. If you want your passphrase to survive guessing attempts by even the most well-funded spy agencies in the world, you should follow the instructions here to generate a high-entropy passphrase to use to log in to your Mac.

Go back to System Preferences and this time click on the Users & Groups icon. From there you should disable the guest account, remove any users that you don’t use, and update any weak passwords to be strong passphrases.

How to encrypt your disk in Linux

Unlike in Windows and Mac OS X, you can only encrypt your disk when you first install Linux. If you already have Linux installed without disk encryption, you’re going to need to back up your data and reinstall Linux. While there’s a huge variety of Linux distributions, I’m going to use Ubuntu as an example, but setting up disk encryption in all major distributions is similar.

Start by booting to your Ubuntu DVD or USB stick and follow the simple instructions to install Ubuntu. When you get to the ‚ÄúInstallation type‚ÄĚ page, check the box ‚ÄúEncrypt the new Ubuntu installation for security,‚ÄĚ and then click Install Now.

On the next page, ‚ÄúChoose a security key,‚ÄĚ you must type your encryption passphrase. You’ll have to type this each time you power on your computer to unlock your encrypted disk. Again, if you want your passphrase to survive guessing attempts by even the most well-funded spy agencies,¬†follow the instructions here.

Then click Install Now, and follow the rest of the instructions until you get to the ‚ÄúWho are you?‚ÄĚ page. Make sure to choose a strong password ‚ÄĒ if someone steals your laptop while it’s suspended, this password is all that comes between the attacker and your data. And make sure that ‚ÄúRequire my password to log in‚ÄĚ is checked, and that ‚ÄúLog in automatically‚ÄĚ is not checked. There is no reason to check ‚ÄúEncrypt my home folder‚ÄĚ here, because you’re already encrypting your entire disk.

And that’s it.

Correction: April 27, 2015
This post originally gave an incorrect date for when the TrueCrypt project was shut down.

Correction: April 29, 2015
This post originally said that USB ports have direct memory access (DMA), but this isn’t true. FireWire, ExpressCard, Thunderbolt, PCI, and PCI Express all have DMA.

Correction: May 1, 2015
This post originally said that BitLocker was included in Windows Vista and Windows 7 Pro editions, but it is only included in Ultimate and Enterprise editions for those versions of Windows.