I'm an editor for SANS' NewsBytes security "announcements" E-zine, and have been getting really sick of the drumbeat of news items that read stuff like:
Major whatsit admits 2,000,000 user accounts exposed when employee loses laptop at airport.
Federal department of thus-and-so reports 24 million taxpayer records included with hard drive sold on eBay.
Journalist in Iraq buys US Army deployment plans on thumb drive in bazaar for $15.
At the TechnoSecurity conference last month there was a vendor demonstrating a very cool hydraulic-powered hard-disk mulcher, intended to make it possible for enterprises to "securely decommission" a drive and its data, without having to worry about the cost of wiping the drive. Cost of wiping the drive? Huh?! Didn't you mean "cost of forgetting your encryption key"? I.e.: Zero.
And, then, to top it off, I bought a new used laptop on eBay and the seller was kind enough to re-install Windows but not technically savvy enough to realize that XP's installer won't overwrite an existing partition's data. So not only did she get a new laptop but we got a truly amazing collection of gay porn. Well, I didn't look at all 7 gigabytes of it; I was reaching for my OpenBSD boot CD before I was past the second file. Quick! Quick: "dd if=/dev/zero of=/dev/wd0c" - Cost of wiping the drive?
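The difference between a reinstall and a full overwrite, shown on a scratch image file (an added example, not from the original article; the marker string, image size and function names are made up for illustration):

```shell
#!/bin/sh
# Added example. Operates on a scratch image file only, never on a real device.
MARKER='PREVIOUS-OWNER-DATA'   # constructed stand-in for the old owner's files

# make_image PATH: 4 MiB constructed "disk" with the marker halfway in.
make_image() {
    dd if=/dev/zero of="$1" bs=1024 count=4096 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=1024 seek=2048 conv=notrunc 2>/dev/null
}

# quick_reinstall PATH: imitate an installer that rewrites only the start
# of the partition (new filesystem metadata) and leaves the rest alone.
quick_reinstall() {
    printf 'FRESH-INSTALL-METADATA' | dd of="$1" bs=1024 conv=notrunc 2>/dev/null
}

# zero_fill PATH: overwrite every block of the image, as the dd command does.
zero_fill() {
    blocks=$(( $(wc -c < "$1") / 1024 ))
    dd if=/dev/zero of="$1" bs=1024 count="$blocks" conv=notrunc 2>/dev/null
}

# residual_found PATH: true if the old data is still readable in the raw image.
residual_found() { grep -a -q "$MARKER" "$1"; }

# is_all_zero PATH: true only if no non-zero byte remains anywhere.
is_all_zero() { [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]; }

# Walk through the scenario once and report each state.
img=$(mktemp)
make_image "$img"
quick_reinstall "$img"
if residual_found "$img"; then echo "after reinstall: old data still present"; fi
zero_fill "$img"
if is_all_zero "$img"; then echo "after zero fill: image is all zeros"; fi
rm -f "$img"
```

The same `is_all_zero` check can be pointed at a raw device after a real wipe to confirm that nothing was skipped.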
Anyhow, it's 2006 and maybe it's time to think about hard disk encryption?
I first experimented with hard disk encryption back when I was at TIS and we were funded by DARPA to do some research in portable security (and build a firewall) for the White House. At the time (1992), there were a lot of White House staffers that were really into Macintosh computers and laptops and there was a serious concern that some crucial data might be lost someplace. In fact, as it happened, some Clinton big-shot apparently lost a Macintosh at an airport - including the negotiating stop points for some trade treaty with Japan; since this was pre-eBay, it probably wound up in a pawn shop someplace. But I digress. Anyhow, Fred Avolio OK'd me buying a thing called SuperCrypt for the Mac, and another thing called Watchdog for DOS, and I spent a day or two playing with them and we made a recommendation that read, basically: "Hey, this stuff is really easy to use; we think you should give it a whirl." The rest, as they say, is history. I mean, of course, that we were completely ignored.
I'm not sure why I've been so cavalier about my data since then, but to tell you the truth I've never bothered with hard disk encryption, personally. I think part of it was that I didn't particularly care if anyone got my data, because I like to live an open life, but it's been slowly sinking in that there's no sense making life easy for the bad guys. If I can rob some phisher, hacker, or spammer of a moment's pleasure at little cost to myself, that seems like a worthy goal.
After a few days of researching I stumbled across a thing called TrueCrypt. It meets a lot of my requirements, namely:
Now, it's not as if I'm going to go through and review the entire source code of the engine but I like the fact that it's being developed openly and (as far as I can tell) is part of a project that is not socially or financially beholden to anyone.
I've been slowly migrating all of my data over to encrypted volumes; mostly the delay is because moving the data means copying stuff back and forth across my little home LAN and reformatting/creating container files. When you're moving terabytes around, it takes time; there's no way around it.
TrueCrypt is simply a piece of cake to use. It passed my "bozo benchmark"(1) with flying colors: I was able to start using the software without having to read any directions at all. In fact, it has been so ridiculously easy to use that I have been wondering where the catch is. There's got to be one, right?
(From the SourceFire Security Calendar)
Hard disk write speeds on my slow laptop are about 10MB/second, which is a slight performance degradation, but acceptable. I'd already set my laptop up so that my personal files are on a separate volume (C: and D:) and all I had to do to encrypt everything was copy all of D: to one of my network servers, zap that partition, and create a container file that occupied most of the D: drive, then copy the data back. With 18GB of data, that took all of 1/2 hour, during which I entertained the dogs, drank some coffee, and read a book. The hardest part of the process was getting my installation of Eudora to look for its mail archives in another directory - which took 2 seconds of looking in Eudora.ini with notepad. Next time I wipe and reload my laptop (about every 6-9 months) I'll just make the entire partition an encrypted volume, but for now I think I'll leave my MP3 directory unencrypted. If ninjas kill me and get my laptop, I hope they're Ray Wylie Hubbard fans, too.
Creating an encrypted volume to stick all my backup images in was merely an exercise in patience: over my LAN, writing to my fileserver, it took 9 hours (i.e.: overnight) to format a 300GB encrypted container file. Secure backups appear to be something that eludes most major businesses or government agencies; it was a problem I solved for myself while I was sound asleep. I probably could have done my backup volume as an entire encrypted device but my file server is running a 5-year-old version of BSD and I am reluctant to mess with something that already works.
Looking at the TrueCrypt statistics for downloads I see that several thousand people are downloading it every day, and over a million have downloaded it so far. That's pretty impressive!! It's too bad the corporate muckety-mucks who are spending millions of dollars complying with paper exercise security standards like HIPAA can't be bothered to install something like that. And it's a shame that some corporations are going to spend millions of dollars doing damage control because of data loss, when they could have spent, ummmm, nothing, instead.
I rate TrueCrypt as five stars out of five! Get this software. Use it. Sneer at the people who are so lazy that they do not encrypt their laptop drives. Call them stupid. And make sure you do your backups.
Sitting on the porch watching the pond grow, Bellwether Farm, Morrisdale, PA
June 24 2006
(1) The infamous "bozo benchmark" is when you install and start using the thing without reading any directions or warning labels. This benchmark can be used for everything from computer components to motorcycles, weed-whackers, and firearms. My wife says that the "bozo benchmark" is merely a cheap fiction that I created to justify my typical male tendency to want to wade into stuff without reading the instructions. By enshrining that tendency as a benchmark, I legitimize it! She is, of course, completely correct.