End-to-End Encryption: The PCI Security Holy Grail
02 February, 2012 04:02
With groups like Anonymous actively looking to embarrass your company, laptop thefts occurring every second, and the recent poor US District Court ruling on Fifth Amendment password protection rights, it is time you actually encrypted your data properly.
Your Windows login password is not encrypting your computer (surprise!). Full-disk encryption (used by very few people) is a good step, but by itself it still will not completely protect your data from prying eyes, overzealous governments, or your own mistake of leaving your company's crown jewels at the local coffee shop.
Instead—as with many successful security designs—you can set up a layered approach to protecting your data with encryption. It's fairly easy, quick, and free.
To create a more complete protection scheme, I am going to walk you through three steps to build this layered security approach:
1) install FDE (or turn it on) and encrypt your files;
2) create an encrypted hidden volume to prevent any government or person from forcing you to turn over your personal data;
3) create a tracking capability in the event your computer is stolen or lost.
Step one: Install full-disk encryption
The key to proper encryption is not just the encryption itself, but also protecting the right data. This is why full-disk encryption (FDE) is a popular starting place for many users. You can purchase hard drives with built-in FDE or use software tools like Windows BitLocker. In either case, your computer is locked down as soon as it shuts off. If your laptop is stolen, or sold on eBay years later without a proper disk wipe, or even if it finds its way into the government's hands, it will be useless without a password.
If you have Windows 7 Ultimate or Enterprise, a tool called BitLocker comes preinstalled and can encrypt your whole drive. For all other systems, I recommend TrueCrypt, available for free at http://www.truecrypt.org/. After downloading and installing, select Create Volume, then "Encrypt the system partition or entire system drive."
Now follow the instructions and create a strong password. I recommend using a sentence as your password, for example: This is my password, it rocks!. You won't forget it and it won't crack easily. After your FDE is set up, you will need your password to boot up the computer. Without the correct password, the drive is left encrypted and worthless even when examined with forensic tools. Now your computer will be automatically locked down if it is lost or stolen.
However, you aren't finished.
Step two: Create a hidden volume
FDE drives still leave your data and personal information vulnerable in at least two scenarios: 1) you are forced to turn over your password (as in Judge Blackburn's District Court ruling), or 2) someone has hacked into your live machine and is remotely recording your keystrokes and data while you work.
To address these issues, we are also going to put our personal/business files in an encrypted directory—but not using just any encryption scheme. Encryption with hidden volumes is the key to really protecting your information and rights.
Here's a useful analogy for understanding hidden volumes:
Imagine a magic door. If you unlock the door with one key, it opens to a closet full of junk and old boxes. However, if you use a different key, the door opens to the inside of a bank vault. If you look at the walls surrounding what's behind the door, they look the same size regardless of whether you are opening the closet or the vault. Anyone opening the tiny closet or looking at the structure of the door won't be able to see the giant bank vault hidden within.
With a correctly implemented hidden volume on your encrypted hard drive, you don't have to worry when someone cracks (or coerces you into giving up) the password. When they use it to open the door, they will only see the closet.
I prefer to use the word "password" for the closet. It's easy to remember and sadly common, and any password-cracking tool will guess it in milliseconds with a simple dictionary attack. Once the closet is open, non-sensitive business files and perhaps a few love letters or copied movies—something that might cause minimal embarrassment—will be revealed. Even to a skilled thief with good forensic tools, the real data, the bank vault, cannot be seen. They have no indication or proof it even exists. For all that person knows, they got your password and opened your encrypted files. In a courtroom setting this is known as "plausible deniability". (Yes, you complied with the court order to give up your password.)
To get started, once again we turn to TrueCrypt to set up a hidden volume file. Open TrueCrypt, select Create Volume, then "Create an encrypted file container", then a hidden volume in normal mode. Make sure you create a very large outer volume, as this will eventually contain both your closet and your bank vault. For a normal "My Documents" folder, I create a 20 GB file. Don't forget an easy password for the outer volume—this easy password will be the one that opens the closet.
After it formats, create the hidden volume inside this outer volume at 19 GB with a strong password, leaving 1 GB for your closet. After the hidden volume formats, mount the outer volume with the easy password and import some non-sensitive files, photos and random documents. Test your work when you reboot: use the easy password, and you should see only these non-sensitive files.
Going forward, put all your important files in the hidden volume. Unless you leave your FDE and your new encrypted My Documents volume open 24/7, your data will remain protected.
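To make the closet/vault picture concrete, here is a small Python model of a hidden volume, added here as an illustration; it is a constructed toy, not TrueCrypt's code or on-disk format. It shows why the vault is indistinguishable from the random free space it hides in, and the one practical hazard of the 20 GB / 19 GB / 1 GB layout: once the closet is full, further writes through the outer volume land on the vault and destroy it unless the outer volume is mounted with hidden-volume protection (TrueCrypt offers this as a mount option).

```python
import hashlib, math, secrets
from collections import Counter
# Constructed toy model of a TrueCrypt-style container, not the real on-disk format: the
# file is pre-filled with random bytes, the "closet" (outer volume) grows from the front,
# the "vault" (hidden volume) sits at the tail, each XOR-encrypted under its own keystream.
def keystream(password: str, offset: int, length: int) -> bytes:
    # SHA-256 counter mode keyed by absolute 32-byte block index, so no keystream byte is reused.
    first, last = offset // 32, (offset + length - 1) // 32
    blocks = b"".join(hashlib.sha256(password.encode() + b.to_bytes(8, "big")).digest()
                      for b in range(first, last + 1))
    return blocks[offset - first * 32:offset - first * 32 + length]

def xor_at(password: str, offset: int, data: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, keystream(password, offset, len(data))))  # encrypt == decrypt

def byte_entropy(data: bytes) -> float:
    n = len(data)  # 8.0 bits/byte is the maximum; random fill and good ciphertext both sit near it
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class Container:
    def __init__(self, size: int, hidden_size: int):
        self.size, self.hidden_size, self.outer_used = size, hidden_size, 0
        self.data = bytearray(secrets.token_bytes(size))  # free space is random, same as an untouched vault

    def write_outer(self, password: str, plaintext: bytes, protect_hidden: bool) -> bool:
        start, end = self.outer_used, self.outer_used + len(plaintext)
        if protect_hidden and end > self.size - self.hidden_size:
            return False  # refused: the closet is full and the write would land on the vault
        # Unprotected, the outer file system sees only "free space" here and silently destroys the vault.
        self.data[start:end] = xor_at(password, start, plaintext)
        self.outer_used = end
        return True

    def write_hidden(self, password: str, plaintext: bytes) -> None:
        start = self.size - self.hidden_size
        self.data[start:start + len(plaintext)] = xor_at(password, start, plaintext)

def demo(protect_hidden: bool) -> dict:
    c, vault_pw = Container(200_000, 190_000), "This is my password, it rocks!"  # 20 GB/19 GB scaled to 200 kB/190 kB
    secret = b"crown jewels\n" * 2000  # 26 kB of real data, stored in the vault
    c.write_hidden(vault_pw, secret)
    c.write_outer("password", b"holiday photo " * 500, protect_hidden)  # 7 kB: fits the 10 kB closet
    start = c.size - c.hidden_size
    free_entropy = byte_entropy(bytes(c.data[c.outer_used:start]))  # untouched closet space
    blocked = not c.write_outer("password", b"copied movie " * 1000, protect_hidden)  # 13 kB: overflows it
    vault = bytes(c.data[start:start + len(secret)])
    return {"plaintext_entropy": byte_entropy(secret), "vault_entropy": byte_entropy(vault),
            "free_entropy": free_entropy, "blocked": blocked,
            "vault_intact": xor_at(vault_pw, start, vault) == secret}
```

Run demo(True) and demo(False) to compare: in both cases the vault region and the untouched free space score within a few hundredths of 8 bits per byte, so nothing in the container betrays the vault, but only the protected mount keeps the overflow write from wrecking it.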
Step three: Set up tracking for your computer
One of the downfalls of FDE drives is not being able to hunt down someone who has stolen your computer. Your data is protected, but your actual computer is gone. To be able to track someone who steals a locked-down computer, install a hidden operating system. This is a lot more advanced than the steps above, but if you follow the TrueCrypt instructions you can create two operating systems that open with two different passwords, just like the closet/bank vault scenario. This alone can be useful for protecting your data for advanced needs or for baiting a thief. Create a strong password for your normal operating system and "password" for a second, dummy version of the operating system. Now, on the dummy system, install Prey Project's open-source laptop tracking tool. This tool uses Wi-Fi and IP addresses to find your stolen laptop for free.
Now if your computer is stolen, either A) the thief swaps out the drive and you never see it again, all while your data stays protected, or B) the thief guesses the password (who wouldn't try the most commonly used password, "password"?), logs into a clean OS with Prey installed, and you can track him down, all while your actual data is still fully protected in the other encrypted OS installation.
The three steps in this layered security approach really are very straightforward. If you have any trouble, more information can easily be found on TrueCrypt's website or YouTube. Just remember: if you don't encrypt—and encrypt properly—then your data is not really protected.