End-to-End Encryption: The PCI Security Holy Grail

With groups like Anonymous actively looking to embarrass your company, laptop thefts occurring every second, and the recent poor US District Court ruling on Fifth Amendment password protection rights, it is time you actually encrypt your data properly.

Your Windows login password is not encrypting your computer (surprise!). Full-disk encryption (used by very few people) is a good step, but by itself it still will not completely protect your data from prying eyes, overzealous governments, or your own mistake of leaving your company's crown jewels at the local coffee shop.


Instead—as with many successful security designs—you can set up a layered approach to protecting your data with encryption. It's fairly easy, quick, and free.

To create a more complete protection scheme, I am going to walk you through three steps to build this layered security approach:

install FDE (or turn it on) and encrypt your files,

create an encrypted hidden volume to prevent any government or person from forcing you to turn over your personal data,

and create a tracking capability in the event your computer is stolen or lost.

Step one: Install full-disk encryption

The key to proper encryption is not just the encryption itself, but also protecting the right data. This is why full-disk encryption (FDE) is a popular starting place for many users. You can purchase hard drives with built-in FDE or use software tools like Windows BitLocker. In either case, your computer is locked down as soon as it shuts off. If your laptop is stolen, or sold on eBay years later without a proper disk wipe, or even if it finds its way into the government's hands, it will be useless without a password.

If you have Windows 7 Ultimate or Enterprise, a tool called BitLocker comes preinstalled and can turn your drive into an FDE drive. For all other systems, I recommend TrueCrypt, available for free at http://www.truecrypt.org/. After downloading and installing it, select the Create Volume command and then Encrypt the system partition or the entire system drive.

Now follow the instructions and create a strong password. I recommend using a sentence as your password, for example: This is my password, it rocks!. You won't forget it and it won't crack easily. After your FDE is set up, you will need your password to boot up the computer. Without the correct password, the drive stays encrypted and worthless even if viewed with forensic tools. Now your computer will be automatically locked down if it is lost or stolen.

However, you aren't finished.

Step two: Create a hidden volume

FDE drives still leave your data and personal information vulnerable in at least two scenarios: 1) You are forced to turn over your password (as in Judge Blackburn's District Court ruling), or 2) Someone has hacked into your live machine and is remotely recording your keystrokes/data while you work.

To address these issues, we are also going to put our personal/business files in an encrypted directory—but not using just any encryption scheme. Encryption with hidden volumes is the key to really protecting your information and rights.

Here's a useful analogy for understanding hidden volumes:

Imagine a magic door. If you unlock the door with one key, it opens to a closet full of junk and old boxes. However, if you use a different key, the door opens to the inside of a bank vault. If you look at the walls surrounding what's behind the door, they look the same size regardless of whether you are opening the closet or the vault. Anyone opening the tiny closet or looking at the structure of the door won't be able to see the giant bank hidden within.


With a correctly implemented hidden volume on your encrypted hard drive, you don't have to worry when someone cracks (or coerces you into giving up) the password. When they use it to open the door, they will only see the closet.

I prefer to use the word "password" for the closet. It's easy to remember and sadly common, and any password-cracking tool will guess it in milliseconds with a simple dictionary attack. Once the closet is open, non-sensitive business files and perhaps a few love letters or copied movies—something that might cause minimum embarrassment—will be revealed. Even to a skilled thief with good forensic tools, the real data, the bank vault, cannot be seen. They have no indication or proof it even exists. For all that person knows, they got your password and opened your encrypted files. In a courtroom setting this is known as "plausible deniability". (Yes, you complied with the court order to give up your password.)

To get started, once again we turn to TrueCrypt to set up a hidden volume file. Open TrueCrypt, select create a volume, create encrypted file container, normal hidden volume. Make sure you create a very large outer layer as this will eventually contain both your closet and bank vault. For a normal "My Documents" folder, I create a 20GB file. Don't forget an easy password for the outer layer—this easy password will be the one that opens the closet.

After it formats, create the hidden volume inside this wrapper with 19 GB and a strong password, leaving 1 GB for your closet. After this hidden volume formats, open the outer layer by mounting and using the simple password. Import some non-sensitive files, photos and random documents. Test your work when you reboot: Use the easy password, and you should see only these non-sensitive files.

Going forward, put all your important files in the hidden volume. Unless you leave your FDE and new encrypted My Documents folder open 24/7, your data will remain protected.
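To make the closet-and-vault idea concrete, here is an added example (not from the original article and not TrueCrypt's code or on-disk format): a simplified model of a container with two header slots, where each password unlocks a different region and an unused slot is just random bytes. The slot layout, the toy PBKDF2-based cipher, and the function names `create_container` and `mount` are assumptions made for illustration.

```python
import hashlib, hmac, os

MAGIC = b"VOL1"       # constructed marker, readable only after a correct decryption
SLOT, SALT = 64, 16   # toy header-slot and salt sizes in bytes

def _keystream(password, salt, n):
    # Toy cipher for illustration: PBKDF2 output XORed over the header body.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000, dklen=n)

def _seal(password, start, length):
    """Return one header slot: random salt + encrypted (MAGIC, start, length)."""
    salt = os.urandom(SALT)
    body = MAGIC + start.to_bytes(8, "big") + length.to_bytes(8, "big")
    body = body.ljust(SLOT - SALT, b"\0")
    return salt + bytes(a ^ b for a, b in zip(body, _keystream(password, salt, len(body))))

def _open(password, slot):
    """Decrypt a slot; return (start, length), or None if the password does not fit."""
    salt, enc = slot[:SALT], slot[SALT:]
    body = bytes(a ^ b for a, b in zip(enc, _keystream(password, salt, len(enc))))
    if not hmac.compare_digest(body[:4], MAGIC):
        return None
    return int.from_bytes(body[4:12], "big"), int.from_bytes(body[12:20], "big")

def create_container(size, outer_pw, hidden_pw=None, hidden_size=0):
    data = bytearray(os.urandom(size))       # every unused byte is random filler
    data[:SLOT] = _seal(outer_pw, 2 * SLOT, size - 2 * SLOT)
    if hidden_pw:                            # without one, slot 2 stays random
        data[SLOT:2 * SLOT] = _seal(hidden_pw, size - hidden_size, hidden_size)
    return bytes(data)

def mount(container, password):
    """Try the password on each slot in turn, like one door with two keys."""
    for name, off in (("outer", 0), ("hidden", SLOT)):
        region = _open(password, container[off:off + SLOT])
        if region is not None:
            return name, region
    return None

if __name__ == "__main__":
    KB = 1024  # scaled down: 1 KB here stands for 1 GB in the article
    c = create_container(20 * KB, "password", "This is my password, it rocks!", 19 * KB)
    print(mount(c, "password"))                         # the closet
    print(mount(c, "This is my password, it rocks!"))   # the vault
    print(mount(c, "guess"))                            # None
```

In this model the outer region spans the whole container, including the space the hidden region occupies, so filling the closet beyond its 1 GB share would overwrite vault data.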

Step three: Set up tracking for your computer

One of the drawbacks of FDE drives is not being able to hunt down someone who has stolen your computer. Your data is protected, but your actual computer is gone. To be able to track someone who steals a locked-down computer, install a hidden volume operating system. This is a lot more advanced than the steps above, but if you follow the TrueCrypt instructions you can create two operating systems that open with two different passwords, just like the closet/bank scenario. This alone can be useful for protecting your data for advanced needs or baiting a thief. Create a strong password for your normal operating system and "password" for a second, dummy version of the operating system. Now, on the dummy system, install Prey Project's open-source laptop tracking tool. This tool uses Wi-Fi and IP addresses to find your stolen laptop for free.

Now if your computer is stolen, either A) the thief swaps out the drive and you never see it again, all while your data is protected, or B) the thief guesses the password (who wouldn't try the most commonly used password, "password"?) and logs into a clean OS with Prey installed, allowing you to track him down, all while your actual data is still fully protected in the other encrypted OS installation.

The three steps in this layered security approach really are very straightforward. If you have any trouble, more information can easily be found on TrueCrypt's website or YouTube. Just remember: if you don't encrypt, and encrypt properly, then your data is not really protected.


Stories by Ben Rothke and David Mundhenk
