Don't expose your data to hackers and thieves. This tutorial explains encryption and shows you how to protect your own files.
The idea of encryption conjures up images of espionage and military operations. But as more and more information is stored and transferred electronically, it’s becoming a part of daily life.
Happily, it’s also becoming easier. For much of the 20th century, encryption required special equipment, such as the famous Enigma machine used by German forces in World War II. Today, encrypting confidential files is a simpler process – and a more reliable one. Where the Allies were able to decode many Enigma messages during the war, modern encryption techniques are so impenetrable that cracking a single encrypted email would take many lifetimes of guesswork.
Of course, it’s unlikely that the files on your PC will relate to matters of life and death, like the Enigma messages. But encryption isn’t only useful for sending secret information; it’s also a protection against data loss.
For example, if you accidentally leave a USB flash drive in a taxi, or have your laptop stolen, all the unencrypted information is compromised. That could mean the loss of your bank details, or of commercially sensitive data. It could even put you in breach of your data protection obligations: UK employment services company A4e was fined $92,000 by the Information Commissioner’s Office last year after losing a laptop containing unencrypted client information.
Encryption can be valuable for email, too: if you send your messages and attachments in plain text, it’s possible for an eavesdropping hacker to snoop on your sensitive information. On these pages, we’ll reveal how to protect your data, and yourself.
HOW ENCRYPTION WORKS
Computer encryption works by applying some sort of systematic transformation to the binary data within your files. For example, one simple algorithm for encrypting messages, known as ROT13, works by moving all the letters of the alphabet forward (or backward) by 13 places, so that ABCXYZ becomes NOPKLM.
ROT13 was popular in the early days of the internet for concealing information that someone might not want to see by accident – such as spoilers for a film plot, or hints for an adventure game. Clearly, though, it’s far too rudimentary to protect sensitive data, not least because no password is used, so anybody can decode it by simply applying the ROT13 process again.
Serious encryption employs much more complex mathematical algorithms, involving passwords and lengthy encryption “keys”, to turn structured data files into what looks like a completely disordered string of bytes. Without the password, and without knowing exactly what process was used to create the file, it’s all but impossible to recreate the original file.
One of the most popular encryption methods is the Advanced Encryption Standard, or AES. The standard was ratified by the US Government in 2001 – but although it’s used for confidential governmental business, it’s an open standard that you’re free to use for your data.
The mathematics of AES is somewhat abstruse – if you’re feeling brave, you can download the standard in PDF format from http://tinyurl.com/qksc6. Its benefits, however, are easy to understand. In short, computer processors can apply AES encryption to files very quickly, and decrypt them just as swiftly – given the correct password.
If you don’t have the password, however, the only way to find it is by guesswork – and this isn’t feasible because the “keys” AES uses to encrypt your data are very long indeed. Even the simplest form of AES encryption uses a 128-bit encryption key – which means there are 2^128 = 340,282,366,920,938,000,000,000,000,000,000,000,000 possible combinations. The maximum-security version of AES uses a 256-bit key, giving 2^128 times as many possible combinations.
This doesn’t mean everything encrypted with AES is necessarily impenetrable. Encryption tools typically work by asking you to come up with a password, which is then used to mathematically derive the key. If you pick a very simple password (such as “123”) then it’s still possible for an interloper to guess it, feed it into the program and gain access to your key.
However, if you choose a strong password you have little to worry about. It’s recommended that you use a long mix of capital and lower-case letters, numbers and punctuation marks – and steer clear of dictionary words and easy transformations thereof. This makes a cracker’s job almost impossible. For example, to find the password “Dari^en’sComp^uter” by brute force would take millions of years with current technology.
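The link between password and key described above can be made concrete. The following Python sketch is an added example, not code from any of the tools this article discusses: it derives a 128-bit key from a password with PBKDF2 and estimates how much guesswork the password itself represents. The salt, iteration count, guessing rate and function names are assumptions chosen for illustration.

```python
import hashlib
import math
import string

ITERATIONS = 200_000   # assumed work factor for this sketch
KEY_BYTES = 16         # 16 bytes = a 128-bit AES key
SALT = b"constructed-salt"  # constructed sample; real tools use a random salt per file


def derive_key(password: str, salt: bytes = SALT) -> bytes:
    """Stretch a password into a 128-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, KEY_BYTES
    )


def password_bits(password: str) -> float:
    """Upper bound, in bits, on the guesses needed to brute-force a password
    when the guesser knows its length and which character classes it uses.
    Dictionary words and predictable patterns lower the real figure."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def effective_bits(password: str) -> float:
    """A derived key is never harder to guess than the password behind it."""
    return min(password_bits(password), KEY_BYTES * 8)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Time to try every candidate at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("123", "Dari^en'sComp^uter"):
        bits = effective_bits(pw)
        print(f"{pw!r}: key {derive_key(pw).hex()}, "
              f"~{bits:.1f} bits, ~{years_to_exhaust(bits):.3g} years")
```

Both passwords produce a key of the same length, but the three-digit one leaves only about a thousand candidates to try, so the 128-bit key adds no protection beyond the password.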
ENCRYPTING YOUR FILES
If you want to protect the files on your PC using AES or a similar algorithm, you have a choice of encryption software. Windows 7 Professional and Ultimate come with Microsoft’s own Encrypting File System (EFS), which lets you automatically encrypt and decrypt files as they’re written to and read back from NTFS drives. The Ultimate edition also offers BitLocker Drive Encryption, which lets you encrypt entire local hard disks and external drives.
If you’re using a home edition of Windows, these options aren’t available to you, but there are plenty of alternatives. One of the most popular is a tool called TrueCrypt. It’s free – in fact, it’s open source, so anyone can audit the code and confirm that the encrypted files it produces don’t have any weaknesses or “back doors” that might expose your data.
You can easily get the latest version of TrueCrypt by downloading it free from www.truecrypt.org. It works on OS X and Linux, too, so it’s convenient for multi-platform use – an advantage over Microsoft’s proprietary encryption systems.
TrueCrypt uses a “container” model of encryption: rather than focusing on individual files, the software presents a virtual encrypted hard disk that you can use to store sensitive data. The disk is, in reality, a file on your hard disk – called a container – and until you provide the host software with the correct password, it can’t be accessed within Windows. Once the password is entered, you can load, save and run files from the secure drive as if it were a real disk or an external hard disk. This way, you need only enter your password once per session. Indeed, if your secure volume is on an external device such as a USB flash drive, you can cache the password so you don’t need to enter it at all – but it will still be required to access your files from any other computer.
The first thing to do after you install TrueCrypt, therefore, is to create your container – see the walkthrough on p89 for a guide. Alternatively, you can choose to encrypt an entire partition or disk, but it’s more convenient to use a container. This stores all your secure data in a single file, so you can back it up, without having to decrypt your files and leave them potentially vulnerable. It’s also more efficient: although your virtual volume may appear to Windows as several gigabytes in size, the container file will grow to accommodate only the files you’ve written to it.
TrueCrypt offers many advanced features that could be useful to those who work with particularly sensitive data. It defaults to 256-bit AES encryption, but there are two other algorithms you can use instead – the exotically named Serpent and Twofish systems – to make life harder for would-be crackers. It’s possible to use encryption “cascades”, encrypting all your data with first one algorithm, then another, so that even if someone were somehow to successfully crack one level of encryption, they would still be left with only an incomprehensible string of binary data.
The software can even encrypt your entire Windows installation, so that the password must be entered before Windows will boot. This could be a good idea if you regularly access sensitive data over the net, for example, as it ensures that not only your saved files but also temporary files, browser histories and web caches are inaccessible. If the password isn’t entered correctly, a fake “missing operating system” message is shown, giving the impression that the disk is corrupted. If you’re really paranoid, you can even install a second, decoy operating system – so someone can watch you boot up the PC, and never see your hidden files.
You’ll find extensive documentation on these features, plus technical explanations of the processes used, at the TrueCrypt website; but if you only want to ensure your files can’t be read by outsiders, TrueCrypt’s basic features provide peace of mind in a few clicks.