I use encrypted Western Digital HDs for backups and they work great, particularly since I keep one offsite in our safety deposit box.

However, I'm getting a little more paranoid. My wife and I are to the point that it's much more dangerous to lose the data and the possible identity theft than replace the laptop itself. Sure, at businesses, laptop encryption has been going on for years but I've always thought it too much a hassle to do at home.

Truecrypt looks like the easy winner for freeware encryption. But before jumping in, I'm curious of thoughts for anyone that's done it:

Is there something else out there that's worth considering?
How's the hit to performance?
Any unexpected downsides other than performance hit?
I can use it but is it something that if I set it up, my wife could use? It looks pretty straightforward from the tutorial. Any hidden gotchas?
My wife's laptop is running an SSD- is there anything wonky that it does to solid state drives (too many writes for premature drive death, etc)?
Any other thoughts?

SI

I use encrypted Western Digital HDs for backups and they work great, particularly since I keep one offsite in our safety deposit box.

However, I'm getting a little more paranoid. My wife and I are to the point that it's much more dangerous to lose the data and the possible identity theft than replace the laptop itself. Sure, at businesses, laptop encryption has been going on for years but I've always thought it too much a hassle to do at home.

Truecrypt looks like the easy winner for freeware encryption. But before jumping in, I'm curious of thoughts for anyone that's done it:

Is there something else out there that's worth considering?
How's the hit to performance?
Any unexpected downsides other than performance hit?
I can use it but is it something that if I set it up, my wife could use? It looks pretty straightforward from the tutorial. Any hidden gotchas?
My wife's laptop is running an SSD- is there anything wonky that it does to solid state drives (too many writes for premature drive death, etc)?
Any other thoughts?

SI

I've used it for several years now and have not had any problems.

I have used Truecrypt for a couple of years on some Win XP laptops and have had no issues. It was pretty easy to set up. The users have not noticed any kind of performance impact. I have not used it on SSD's so I can't speak to that.

I just used the entire hard drive encryption option so it would probably be classified as a basic installation so I can't speak to the advanced options.

Overall I am very satisfied with it especially considering the free aspect.

Todd

Yeah- I'm just looking for a simple "full hd" option. The idea is, as described: if someone stole my laptop from the house or while I was at the airport or whatnot, I can have some piece of mind that my hattrick spreadsheets and vacation pictures will not be used for nefarious purposes. Oh, and the other types of stuff that could be more dangerous in the wrong hands.

SI

There is one potential gotcha with SSDs and TrueCrypt. You mentioned a concern about uneven wear and premature drive failure with SSDs. The way you mitigate that is if the drive supports TRIM. But the way TRIM works is that it marks "deleted" space as free without actually deleting the contents. It is a bit esoteric, but that info could be useful to someone who was trying to break into the contents of the drive.

That probably isn't a deal breaker in your case, but it has been for one of our government clients.

Yeah- I'm just looking for a simple "full hd" option. The idea is, as described: if someone stole my laptop from the house or while I was at the airport or whatnot, I can have some piece of mind that my hattrick spreadsheets and vacation pictures will not be used for nefarious purposes. Oh, and the other types of stuff that could be more dangerous in the wrong hands.

SI

I have mine set up as a 4g file so I can back it up to a dvd.
Then set it up to load on boot.

So when I boot, a popup asks for my password, and from then on it is treated as just another hard drive.

Works well for me, but as always YMMV.

Is this a Mac? Because it has native encryption - FileVault2.

Nah, a pair of PCs with Win 7. Windows comes with BitLocker now but it's only for Ultimate, Enterprise, or Super Duper Edition (or whatever- I can't keep their SKUs straight)

SI

May I ask what is stored on the HD that is so sensitive?

May I ask what is stored on the HD that is so sensitive?

;)

May I ask what is stored on the HD that is so sensitive?

We just got a house so I have digital copies of the mortgage paperwork, will, some tax forms- those sorts of things. It's not a lot but it's enough to make us concerned. We could just go with paper copies for everything but there's also danger to that, too. We have lockable filing cabinets but if someone is in our house long enough, they'll be able to break into those, too. We figure the best thing is to have a single paper copy in the safety deposit box at the bank and a digital copy on the computer.

Also, I'm a little overly paranoid about what someone could do with my computer access. While I store very few (and I think all harmless) passwords in my browser, I worry what someone could do if they got my laptop. If there's some site I forgot about, that's access to Amazon, ebay, my credit card sites, etc- the nightmare it would take to clean up the identity fraud is enough to make me try to do an ounce of prevention to avoid the pound of cure.

SI

We just got a house so I have digital copies of the mortgage paperwork, will, some tax forms- those sorts of things. It's not a lot but it's enough to make us concerned. We could just go with paper copies for everything but there's also danger to that, too. We have lockable filing cabinets but if someone is in our house long enough, they'll be able to break into those, too. We figure the best thing is to have a single paper copy in the safety deposit box at the bank and a digital copy on the computer.

Also, I'm a little overly paranoid about what someone could do with my computer access. While I store very few (and I think all harmless) passwords in my browser, I worry what someone could do if they got my laptop. If there's some site I forgot about, that's access to Amazon, ebay, my credit card sites, etc- the nightmare it would take to clean up the identity fraud is enough to make me try to do an ounce of prevention to avoid the pound of cure.

SI

Stay tuned. Our company is working on a Dropbox-like service that uses PKI encryption, so you'd be able to store just the stuff you are worrying about encrypting there, and not have to deal with the hassle of encrypting your entire computer.

Stay tuned. Our company is working on a Dropbox-like service that uses PKI encryption, so you'd be able to store just the stuff you are worrying about encrypting there, and not have to deal with the hassle of encrypting your entire computer.

That's a major "fuck no" from me (others, YMMV). I don't trust the cloud any further than I can throw it with day to day stuff since, honestly, it is available at the drop of a hat by any number of bad actors. And I'm not talking about silly government surveillance (also a problem) but I have yet to run across a company that doesn't have some substantial holes in their security policy. So if it's something important enough that I'm considering encrypting my hard drive to protect, it's not going up into the cloud.

SI

How do you deal with disaster recovery if everything is local?

edit: nevermind. safety deposit box.

That's a major "fuck no" from me (others, YMMV). I don't trust the cloud any further than I can throw it with day to day stuff since, honestly, it is available at the drop of a hat by any number of bad actors. And I'm not talking about silly government surveillance (also a problem) but I have yet to run across a company that doesn't have some substantial holes in their security policy. So if it's something important enough that I'm considering encrypting my hard drive to protect, it's not going up into the cloud.

SI

That's the thing, only the key that you possess can unlock it. It gets encrypted on your computer before it ever leaves. So no man-in-the-middle attack. Even if someone is able to get access to the file in the cloud, they won't be able to unlock it unless they also have the private key that is on your computer (or ideally on a thumb drive or other portable storage that can be removed and locked up when not needed). Our company has no way of viewing the contents. And with a 2048 bit asymmetrical elliptic curve algorithm, it is in the thousands of years of CPU time to break the key. Of course, if there is a keylogger or something like that on your computer, then any encryption is moot.

This article from Ars Technica is a high level overview of the kind of encryption we are using, and we were recently issued a couple of patents on the work we've done.

A (relatively easy to understand) primer on elliptic curve cryptography | Ars Technica (http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)

EDIT: We realize we face an uphill battle with the perceptions of no security in "the cloud".

That's the thing, only the key that you possess can unlock it. It gets encrypted on your computer before it ever leaves. So no man-in-the-middle attack. Even if someone is able to get access to the file in the cloud, they won't be able to unlock it unless they also have the private key that is on your computer (or ideally on a thumb drive or other portable storage that can be removed and locked up when not needed). Our company has no way of viewing the contents. And with a 2048 bit asymmetrical elliptic curve algorithm, it is in the thousands of years of CPU time to break the key. Of course, if there is a keylogger or something like that on your computer, then any encryption is moot.

This article from Ars Technica is a high level overview of the kind of encryption we are using, and we were recently issued a couple of patents on the work we've done.

A (relatively easy to understand) primer on elliptic curve cryptography | Ars Technica (http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)

EDIT: We realize we face an uphill battle with the perceptions of no security in "the cloud".

This is actually my biggest fear, from a security perspective.

EDIT: As to the "no security in the cloud" point, you can see where that perception comes from. You issue the key, you issue the space- there is, in theory, a procedural way to crack it from your end if your processes are not ironclad and I have yet to see any that are. It takes a black hat to do it, but lots of places have them

SI

I, too, would not trust the cloud for anything personal, sensitive or valuable.

SI, been thinking about your list. I know of others as well as personal experience that your name, address, mortgage lender, credit card numbers, phone numbers and social security number are public records - some more readily available than others.

This is actually my biggest fear, from a security perspective.

EDIT: As to the "no security in the cloud" point, you can see where that perception comes from. You issue the key, you issue the space- there is, in theory, a procedural way to crack it from your end if your processes are not ironclad and I have yet to see any that are. It takes a black hat to do it, but lots of places have them

SI

No, we don't issue the key, you generate it on your local machine. Yes, we host the space, but without the key you generate the data in the space is useless.

I, too, would not trust the cloud for anything personal, sensitive or valuable.

SI, been thinking about your list. I know of others as well as personal experience that your name, address, mortgage lender, credit card numbers, phone numbers and social security number are public records - some more readily available than others.

You guys sound like grandmothers who stuff money in their mattress. You realize the risk of your laptop getting stolen is far greater than some hacker breaking into your google drive account assuming you have a decent password? You need to differentiate between transactional security like banks, retailers, etc., which is constantly getting hacked for a variety of reasons and storage security, which is not.

Well shit. I guess I picked the wrong day to buy some Legos at Target.

Back to the mattress with your money?

SI

Yes - but my Excel file tracking it is still in Dropbox!

Truecrypt has worked well so far. I get an occasional slowdown from time to time, but, in general- very little performance hit. Fairly idiot-proof, too

SI