You Need to Encrypt Your Laptop Right Now
THERE AREN’T TOO MANY ARGUMENTS for encrypting a desktop that’s inside your home. The case for encrypting your laptop, however, is stronger by several orders of magnitude. Encrypting your laptop and mobile devices is one of the smartest moves you can make.
Imagine this nightmare scenario: You’re a grad student working on your master’s thesis at a hip cafe downtown. It’s getting a bit crowded, but you realize that third cup of tea has made you need to pee. You get up in a hurry, and rush to the bathroom, nearly flattening a toddler, and smashing into another patron who is miraculously wearing earbuds, holding two coffees, chewing gum, and texting all at once. After you come out of the bathroom, relieved, you find your laptop is gone.
You begin to think about having to re-write those four pages of your thesis that hadn’t been synched, while you simultaneously fantasize about finding the rat bastard who stole your PC. That rage turns to panic, as you realize that your tax returns, email history, and Evernote database are on the laptop.
This, sadly, happens all too often in cafes and on university campuses all over the country. Many times, laptops are stolen for the machine’s value, not the data. But what if someone wanted the sensitive data stored on the laptop? This happened recently to an NFL executive, who had players’ personal information on his PC. If data is what the thief is after, device encryption can save you. Luckily, open-source device encryption software exists.
It’s a good idea to start with a clean slate. I like to back up all of my data to an (encrypted, if necessary) external drive. If you’re going to be installing Windows again, use the Media Creation Tool to create a Windows install USB drive. Boot to an Ubuntu live USB, and delete all the drive’s partitions with Gnome Disk Utility. (Search for “Disks.”) If you’re using an SSD, you’ll want to make sure to clear all the cells on the SSD. There’s a great howto on the Arch Wiki (https://wiki.archlinux.org/index.php/SSD_memory_cell_clearing). From there, it’s usually OK to get started with your system installation, although you can use “shred” or “dd” with “if=/dev/urandom” to overwrite your HDD with random numbers if you’re paranoid.
If you’re going with Ubuntu or Debian Linux, the installation process prompts you and asks whether you’d like to use full-disk encryption. (In Linux, the /boot partition has to remain in the clear, to make booting possible.) Setting up disk crypto can get a bit more involved if using a distribution such as Arch, or if you want to use a removable USB drive as a boot key.
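To check the result after a Linux install, here is an added example (not from the original article) that reads lsblk output and lists every mounted filesystem that does not sit on an encrypted device, skipping /boot and /boot/efi since those stay in the clear. The sample layout, the forgotten /data partition, and the function names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit lsblk output for mounted filesystems that are not
# backed by an encrypted (TYPE="crypt") device. /boot and /boot/efi are
# expected to be unencrypted, as the article notes.
# Real use: lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT | find_plaintext_mounts

# Constructed sample of that lsblk output for an Ubuntu-style LUKS + LVM
# install with one forgotten plain partition (sda4, hypothetical).
sample_lsblk() {
cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"
KNAME="sda4" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data"
EOF
}

# Reads lsblk key="value" pairs on stdin; prints "KNAME MOUNTPOINT" for each
# mounted filesystem (or active swap) with no crypt device among its ancestors.
find_plaintext_mounts() {
  awk '
    function val(key,   line, m) {   # value of KEY="..." on the current line
      line = " " $0                  # leading space keeps KNAME from matching PKNAME
      if (match(line, " " key "=\"[^\"]*\"")) {
        m = substr(line, RSTART, RLENGTH)
        return substr(m, length(key) + 4, RLENGTH - length(key) - 4)
      }
      return ""
    }
    {
      k = val("KNAME"); parent[k] = val("PKNAME"); type[k] = val("TYPE")
      mnt[k] = val("MOUNTPOINT"); order[++n] = k
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (mnt[k] == "" || mnt[k] == "/boot" || mnt[k] == "/boot/efi") continue
        enc = 0                      # walk up the parent chain looking for dm-crypt
        for (d = k; d != ""; d = parent[d]) if (type[d] == "crypt") enc = 1
        if (!enc) print k, mnt[k]
      }
    }'
}
```

Empty output means everything mounted, swap included, is behind the encrypted container; a device with several parents (such as RAID) is traced through only one of them here.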
For Windows, you have a couple of options. Professional and Enterprise versions of Windows come with Microsoft’s BitLocker, which can enable whole-disk encryption. If you’re uneasy about letting Microsoft manage your keys, you can use VeraCrypt instead. (VeraCrypt is the successor to TrueCrypt.) VeraCrypt’s full-disk encryption requires you to install Windows on an MBR-partitioned drive, instead of EFI. You can force this mode by choosing “Legacy” mode for your storage in your BIOS.
When software allows it, be sure to write random data to all of the unused blocks on the encrypted drive. It’s also important to remember that as long as your machine is powered on and booted, your data is still accessible. Device or full-disk encryption is only a part of an overall data encryption and security scheme (along with things such as secure passphrases). Lost data is bad, but stolen data is worse.