Encrypting Your Laptop Like You Mean It
https://firstlook.org/theintercept/2015/04/27/encrypting-laptop-like-mean/ Version 0 of 1. Time and again, people are told there is one obvious way to mitigate privacy threats of all sorts, from mass government surveillance to pervasive online tracking to cybercriminals: Encryption. As President Obama put it earlier this year, speaking in between his administration’s attacks on encryption, “There’s no scenario in which we don’t want really strong encryption.” Even after helping expose all the ways the government can get its hands on your data, NSA whistleblower Edward Snowden still maintained, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.” But how can ordinary people get started using encryption? Encryption comes in many forms and is used at many different stages in the handling of digital information (you’re using it right now, perhaps without even realizing it, because your connection to this website is encrypted). When you’re trying to protect your privacy, it’s totally unclear how, exactly, to start using encryption. One obvious place to start, where the privacy benefits are high and the technical learning curve is low, is something called full disk encryption. Full disk encryption not only provides the type of strong encryption Snowden and Obama reference, but it’s built-in to all major operating systems, it’s the only way to protect your data in case your laptop gets lost or stolen, and it takes minimal effort to get started and use. If you want to encrypt your hard disk and have it truly help protect your data, you shouldn’t just flip it on; you should know the basics of what disk encryption protects, what it doesn’t protect, and how to avoid common mistakes that could let an attacker easily bypass your encryption. If you’re in a hurry, go ahead and skip to the bottom, where I explain, step-by-step, how to encrypt your disk for Windows, Mac OS X, and Linux. Then, when you have time, come back and read the important caveats preceding those instructions. If someone gets physical access to your computer and you aren’t using disk encryption, they can very easily steal all of your files. It doesn’t matter if you have a good password because the attacker can simply boot to a new operating system off of a USB stick, bypassing your password, to look at your files. Or they can remove your hard disk and put it in a different computer to gain access. All they need is a screwdriver, a second computer, and a $10 USB enclosure. Computers have become an extension of our lives and private information continually piles up on our hard disks. Your computer probably contains work documents, photos and videos, password databases, web browser histories, and other scattered bits of information that doesn’t belong to anyone but you. Everyone should be running full-disk encryption on their laptops. Encrypting your disk will protect you and your data in case your laptop falls into the wrong hands, whether because you accidentally left it somewhere, because your home or office was burglarized, or because it was seized by government agents at home or abroad. It’s worth noting that no one has privacy rights when crossing borders. Even if you’re a U.S. citizen entering the United States, your Constitutional rights do not apply at the border, and border agents reserve the right to copy all of the files off of your computer or phone if they choose to. This is also true in Canada, and in other countries around the world. If you plan on traveling with electronic devices, disk encryption is the only way you have a chance at protecting your data if border agents insist on searching you. In some situations it might be in your best interest to cooperate and unlock your device, but in others it might not. Without disk encryption, the choice is made for you: the border agents get all your data. There’s a common misconception that encrypting your hard disk makes your computer secure, but this isn’t entirely true. In fact, disk encryption is only useful against attackers that have physical access to your computer. It doesn’t make your computer any harder to attack over a network. All of the common ways people get hacked still apply. Attackers can still trick you into installing malware. You can still visit malicious websites that exploit bugs in Flash, or in your web browser, or in your operating system’s font or image rendering engines, or countless other ways. When you visit benevolent websites, network attackers can still secretly make them malicious by modifying them in transit. Attackers can still exploit services running on your computer, such as network file sharing, iTunes playlist sharing, or your BitTorrent client, to name a few. And of course, disk encryption doesn’t do anything to stop internet surveillance. Spy agencies like NSA, who tap into the fiber optic cables that make up the backbone of the internet, will still be able to spy on nearly everything you do online. An entirely different category of encryption is needed to fix that systemic problem. The different ways you can get hacked or surveilled are too numerous to list in full. In future posts I’ll explain how to reduce the size of your probably-vast attack surface. But for now it’s important to know that disk encryption only protects against a single flavor of attack: physical access. How it works The goal of disk encryption is to make it so that if someone who isn’t you has access to your computer they won’t be able to access any of your files, but instead will only see scrambled, useless ciphertext. Most disk encryption works like this. When you first power your computer on, before your operating system can even boot up, you must unlock your disk by supplying the correct encryption key. The files that make up your operating system are on your encrypted disk, after all, so there’s no way for your computer to work with them until the disk is unlocked. In most cases, typing your passphrase doesn’t unlock the whole disk, it unlocks an encryption key, which in turn unlocks everything on the disk. This indirection allows you to change your passphrase without having to re-encrypt your disk with a new key, and also makes it possible to have multiple passphrases that can unlock the disk, for example if you add another user account to your laptop. This means that your disk encryption passphrase is potentially one of the weakest security links. If your passphrase is “letmein”, a competent attacker will get past your disk encryption immediately. But if you use a properly generated high-entropy passphrase like “runge wall brave punch tick zesty pier”, it’s likely that no attacker, not even the NSA or Chinese intelligence, will ever be able to guess it. You have to be extremely careful with strong disk encryption that can only be unlocked with a passphrase you’ve memorized. If you forget the passphrase, you get locked out of your own computer, losing your data forever. No data recovery service can help you, and if you give your machine to the FBI they won’t be able to access your files either. Because that’s kind of the point of disk encryption. Once your computer is on and you’ve entered your passphrase, your disk encryption is completely transparent to you and to the applications on your computer. Files open and close as they normally would, and programs work just as they would on an unencrypted machine. You won’t notice any performance impact. This means, however, that when your computer is powered on and unlocked, whomever is sitting at it has access to all your files and data, unencumbered by encryption. So if you want your disk encryption to work to its full potential, you need to lock your screen when your computer is going to be on while you’re away, and, for those times when you forget to lock it, to set it to lock automatically after, say, 10 minutes of idling. It’s also important that you don’t have any other users on your system that have weak passwords or no passwords, and that you disable the guest account. If someone grabs your laptop, you don’t want them to be able to login at all. There are a few attacks against disk encryption that are tricky to defend against. Here are some precautions you can take. Power off your computer completely (don’t just suspend it) when you think it’s at risk of falling into someone else’s hands, like right before going through customs when entering a new country. This defends against memory-based attacks. Computers have temporary storage called RAM (otherwise known as memory) which you can think of as scratch paper for all of your software. When your computer is powered on, your software is constantly writing to and deleting from parts of your RAM. If you use disk encryption, as soon as you successfully unlock your encrypted disk the encryption key is stored in RAM until you power your computer off. It needs to be—otherwise there would be no way to encrypt and decrypt files on the fly as you use your computer. But unfortunately, laptops have ports that have direct memory access, or DMA, including FireWire, ExpressCard, Thunderbolt, PCI, PCI Express, and others. If an attacker has access to your computer and your disk is unlocked (this is true even if your laptop is suspended), they can simply plug a malicious device into your computer to be able to manipulate your RAM. This could include directly reading your encryption keys or injecting commands into your operating system, such as closing the screen lock program. There is open source software called Inception that does just this using a FireWire cable and a second laptop, and there’s plenty of commercial hardware available too, like this one, or this one. It’s worth noting that new versions of Mac OS X uses a cool virtualization technology called VT-d to thwart this type of DMA attack. Demonstration of a cold boot attack. (Photo courtesy of J. Alex Halderman et al. “Lest We Forget: Cold Boot Attacks on Encryption Keys”.) But there are other ways for an attacker to learn what’s in your RAM. When you power your computer off, everything in RAM fades into nothingness. But this doesn’t happen immediately; it takes a few minutes, and an attacker can make it take even longer by physically freezing the RAM. An attacker with physical access to your powered-on computer can use a screwdriver to open the case of your computer and then use an upside-down can of compressed air to freeze your RAM (as in the image above). Then they can quickly cut the power to your computer, unplug your RAM, plug the RAM into a different computer, and dump all of the data from RAM to a disk. By sifting through that data, they can find a copy of your encryption key, which can then be used to decrypt all of the files on your hard disk. This is called the cold boot attack, and you can see a video of it in action here. The key takeaway is that while your encrypted disk is unlocked, disk encryption doesn’t fully protect your data. Because of this, you may consider closing all your work and completely shutting down your computer at the end of the day rather than just suspending it. It’s also important to make sure your laptop is always physically secure so that only people you trust ever have access to it. You should consider carrying your laptop with you wherever you go, as inconvenient as that may be, if your data is extremely important to you. When traveling, bring it with you in a carry-on bag instead of checking it in your luggage, and carry it with you rather than leaving it in a hotel room. Keep it with a trusted friend or locked in a safe when you can’t babysit it yourself. This is all to defend against a different type of disk encryption attack known, in somewhat archaic language, as the “evil maid” attack. People often leave their laptops in their hotel room while traveling, and all it takes is one hotel housekeeper/elite hacker to foil your disk encryption. Even when you use full disk encryption you normally don’t encrypt 100% of your disk. There’s a tiny part of it that remains in plaintext. The program that runs as soon as you power on your computer, that asks you to type in your passphrase and unlocks your encrypted disk, isn’t encrypted itself. An attacker with physical access to your computer could modify that program on the tiny part of your disk that isn’t encrypted to secretly do something malicious, like wait for you to type your passphrase and then install malware in your operating system as soon as you successfully unlock the disk. Microsoft BitLocker does some cool tricks to make software-based evil maid attacks considerably harder by storing your encryption key in a special tamper-resistant chip in your computer called a Trusted Platform Module, or TPM. It’s designed to only release your encryption key after confirming that your bootloader hasn’t been modified to be malicious, thwarting evil maid attacks. Of course, there are other attacks against TPMs. Last month The Intercept published a document about the CIA’s research into stealing keys from TPMs, with the explicit aim of attacking BitLocker. They have successfully done it, both by monitoring electricity usage of a computer while the TPM is being used and by “measuring electromagnetic signals emanating from the TPM while it remains on the motherboard.” You can set up your Linux laptop to always boot off of a USB stick that you carry around with you, which also mitigates against evil maid attacks (in this case, 100% of your disk actually is encrypted, and you carry the tiny unencrypted part around with you). But attackers with temporary access to your laptop can do more than modify your boot code. They could install a hardware keylogger, for example, that you would have no way of knowing is in your computer. The important thing about evil maid attacks is that they work by tampering with a computer without the owner’s knowledge, but they still rely on the legitimate user to unlock the encrypted disk. If someone steals your laptop they can’t do an evil maid attack against you. Rather than stealing it, the attacker needs to secretly tamper with it and return it to you without raising your suspicions. You can try using bleeding-edge tamper-evidence technology such as glitter nail polish to detect if someone has tampered with your computer. This is quite difficult to do in practice. If you have reason to believe that someone might have maliciously tampered with your computer, don’t type your passphrase into it. Defending against these attacks might sound intimidating, but the good news is that most people don’t need to worry about it. It all depends on your threat model, which basically is an assessment of your situation to determine how paranoid you really need to be. Only the most high-risk users need to worry about memory-dumping or evil maid attacks. The rest of you can simply turn on disk encryption and forget about it. TrueCrypt is popular disk encryption software used by millions of people. In May of 2014, the security community went into shock when the software’s anonymous developers shut down the project, replacing the homepage with a warning that, “Using TrueCrypt is not secure as it may contain unfixed security issues.” TrueCrypt recently underwent a thorough security audit showing that it doesn’t have any backdoors or major security issues. Despite this, I don’t recommend that people use TrueCrypt simply because it isn’t maintained anymore. As soon as a security bug is discovered in TrueCrypt (all software contains bugs), it will never get fixed. You’re safer using actively developed encryption software. BitLocker, which is Microsoft’s disk encryption technology, is only included in the Ultimate and Enterprise editions of Windows Vista and Windows 7, and the Enterprise and Pro editions of Windows 8 and 8.1, but not the Home editions, which is what often comes pre-installed on Windows laptops. To see if BitLocker is supported on your version of Windows, open up Windows Explorer, right-click on C drive, and see if you have a “Turn on BitLocker” option (if you see a “Manage BitLocker” option, then congratulations, your disk is already encrypted, though you may want to finish reading this section anyway). If BitLocker isn’t supported in your version of Windows, you can choose to upgrade to a version of Windows that is supported by buying a license (open Control Panel, System and Security, System, and click “Get more features with a new edition of Windows”). You can also choose to use different full disk encryption software, such as the open source program DiskCryptor. BitLocker is designed to be used with a Trusted Platform Module (TPM), a tamper-resistent chip that is built into new PCs that can store your disk encryption key. Because BitLocker keys are stored in the TPM, by default it doesn’t require users to enter a passphrase when booting up. If your computer doesn’t have a TPM (BitLocker will tell you as soon as you try enabling it), it’s possible to use BitLocker without a TPM and to use a passphrase or USB stick instead. If you only rely on your TPM to protect your encryption key, your disk will get automatically unlocked just by powering on the computer. This means an attacker who steals your computer while it’s fully powered off can simply power it on in order to do a DMA or cold boot attack to extract the key. If you want your disk encryption to be much more secure, in addition to using your TPM you should also set a PIN to unlock your disk or require inserting a USB stick on boot. This is more complicated, but worth it for the extra security. Whenever you’re ready, try enabling BitLocker on your hard disk by right-clicking on C drive and choosing the “Turn on BitLocker” option. First you’ll be prompted to make a backup of your recovery key, which can be used to unlock your disk in case you ever get locked out. I recommend that you don’t save a copy of your recovery key to your Microsoft account. If you do, Microsoft—and by extension anyone Microsoft is compelled to share data with, such as law enforcement or intelligence agencies, or anyone that hacks into Microsoft’s servers and can steal their data—will have the ability to unlock your encrypted disk. Instead, you should save your recovery key to a file on another drive or print it. The recovery key can unlock your disk, so it’s important that it doesn’t fall into the wrong hands. Follow the rest of the simple instructions and reboot your computer. When it boots up again, your disk will begin encrypting. You can continue to work on your computer while it’s encrypting in the background. Once your disk is done encrypting, the next step is to set a PIN. This requires tweaking some internal Windows settings, but it shouldn’t be too hard if you follow the instructions to the dot. Click Start and type “gpedit.msc” and press enter to open the Local Group Policy Editor. In the pane to the left, navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. In the pane to the right, double-click on “Require additional authentication at startup.” Change it from “Not Configured” to “Enabled”, and click OK. You can close the Local Group Policy Editor. Now open Windows Explorer, right-click on drive C, and click “Manage BitLocker”. In the BitLocker Drive Encryption page, click “Change how drive is unlocked at startup”. Now you can choose to either require a PIN while starting up, or requiring that you insert a USB flash drive. Both work well, but I suggest you use a PIN because it’s something that you memorize. So if you get detained while crossing a border, for example, you can choose not to type your PIN to unlock your drive, however you can’t help it if border agents confiscate your USB flash drive and use that to boot your computer. If you choose to require a PIN, it must be between 4 and 20 numbers long. The longer you make it the more secure it is, but make sure you choose one that you can memorize. It’s best if you pick this PIN entirely at random rather than basing it on something in your life, so avoid easily guessable PINs like birthdates of loved ones or phone numbers. Whatever you choose make sure you don’t forget it, because otherwise you’ll be locked out of your computer. After entering your PIN twice, click Set PIN. Now reboot your computer. Before Windows starts booting this time, you should be promped to type your PIN. Finally, open User Accounts to see all of the users on your computer, confirm that they all have passwords set and change them to be stronger if necessary. Disable the guest account if it’s enabled. FileVault, Apple’s disk encryption technology for Macs, is simple to enable. Open System Preferences, click on the Security & Privacy icon, and switch to the FileVault tab. If you see a button that says “Turn Off FileVault…”, then congratulations, your disk is already encrypted. Otherwise, click the lock icon in the bottom left so you can make changes, and click “Turn On FileVault…”. Next you will be asked if you want to store a copy of your disk encryption recovery key in your iCloud account. I recommend that you don’t allow your iCloud account to unlock your disk. If you do, Apple — and by extension anyone Apple is compelled to share data with, such as law enforcement or intelligence agencies, or anyone that hacks into Apple’s servers and can steal their data — will have the ability to unlock your encrypted disk. If you do store your recovery key in your iCloud account, Apple encrypts it using your answers to a series of secret questions as an encryption key itself, offering little real security. Instead, choose “Create a recovery key and do not use my iCloud account” and click Continue. The next window will show you your recovery key, which is twenty-four random letters and numbers. You can write this down if you wish. The recovery key can unlock your disk, so it’s important that it doesn’t fall into the wrong hands. Once you click Continue you will be prompted to reboot your computer. After rebooting, FileVault will begin encrypting your hard disk. You can continue to work on your computer while it’s encrypting in the background. With FileVault, Mac OS X user passwords double as passphrases to unlock your encrypted disk. If you want your passphrase to survive guessing attempts by even the most well-funded spy agencies in the world, you should follow the instructions here to generate a high-entropy passphrase to use to login to your Mac. Go back to System Preferences and this time click on the Users & Groups icon. From there you should disable the guest account, remove any users that you don’t use, and update any weak passwords to be strong passphrases. Unlike in Windows and Mac OS X, you can only encrypt your disk when you first install Linux. If you already have Linux installed without disk encryption, you’re going to need to backup your data and reinstall Linux. While there’s a huge variety of Linux distributions, I’m going to use Ubuntu as an example, but setting up disk encryption in all major distributions is similar. Start by booting to your Ubuntu DVD or USB stick and follow the simple instructions to install Ubuntu. When you get to the “Installation type” page, check the box “Encrypt the new Ubuntu installation for security,” and then click Install Now. On the next page, “Choose a security key,” you must type your encryption passphrase. You’ll have to type this each time you power on your computer to unlock your encrypted disk. If you want your passphrase to survive guessing attempts by even the most well-funded spy agencies in the world, you should follow the instructions here. Then click Install Now, and follow the rest of the instructions until you get to the “Who are you?” page. Make sure to choose a strong password—if someone steals your laptop while it’s suspended, this password is all that comes between the attacker and your data. And make sure that “Require my password to log in” is checked, and that “Log in automatically” is not checked. There is no reason to check “Encrypt my home folder” here, because you’re already encrypting your entire disk. And that’s it. Correction: This post originally gave an incorrect date for when the TrueCrypt project was shut down. April 27 12:35 pm ET. Correction: This post originally said that USB ports have direct memory access (DMA), but this isn’t true. FireWire, ExpressCard, Thunderbolt, PCI, and PCI Express all have DMA. April 29 6:17 pm ET. Correction: This post originally said that BitLocker was included in Windows Vista and Windows 7 Pro editions, but it is only included in Ultimate and Enterprise editions for those versions of Windows. May 1 6:00 pm ET. |