Protecting computer data with encryption software has become an obvious necessity for many businesses and individuals storing sensitive information on their laptops or USB drives. Unfortunately, many people do not encrypt their data because they are too lazy or think that data theft will not happen. Many people just feel like there is nothing important on their computers and therefore they don’t need encryption.
Whatever your reason, encrypting your data matters. Regardless of whether you think you are storing anything important, there are attackers who would like to read your files, images, and data to do harm, such as identity theft, and a stolen laptop or USB stick hands them everything on it. Even something as innocuous as personal photos can be misused if it falls into the wrong hands.
Hard drive encryption in Windows and OS X is now a fairly simple and straightforward process that almost anyone can do, so there is no reason to leave yourself vulnerable to potential attacks. In this article, I’ll walk you through using BitLocker on Windows and FileVault on OS X to encrypt your data.
I previously wrote about using a program called TrueCrypt, but the project has since been shut down; its own site now warns that the software may contain unfixed security issues. It was one of the most popular tools for disk encryption, but now that it is no longer maintained, I do not recommend using it. The TrueCrypt notice itself points Windows users to BitLocker, which covers just about everything TrueCrypt did for whole-drive encryption.
BitLocker on Windows
On Windows Vista, Windows 7, and Windows 8, you can enable disk encryption by enabling BitLocker. Before we get into how to enable BitLocker, there are a few things you should know:
1. BitLocker works in Ultimate and Enterprise editions of Windows Vista and Windows 7, and Pro and Enterprise editions of Windows 8 and Windows 8.1.
2. BitLocker protects the operating system drive with key protectors that can be combined: the TPM (Trusted Platform Module), a PIN, and a startup key on a USB stick. A TPM on its own unlocks the drive automatically at boot, so for real protection use the TPM plus a PIN (or TPM plus a startup key, or all three). The PIN is entered before Windows starts to boot, not at the logon screen.
3. Older computers without a TPM can only use a startup key on USB (Windows 8 and later also allow a pre-boot password on the OS drive once the "Allow BitLocker without a compatible TPM" policy is enabled). Either is less secure than a TPM combined with a PIN, a USB key, or both, because nothing ties the key to this particular machine and its boot measurements.
4. Treat the recovery key like the password to your whole drive: anyone who obtains it, including the police, can decrypt everything. Do not leave it on the encrypted machine, in email, or in an unlocked drawer. Do keep a copy somewhere secure and offline, though, because without it a forgotten PIN, a firmware update that changes the TPM measurements, or a hardware fault means the data is gone for good.
Now let’s talk about actually enabling BitLocker. Open Control Panel in Windows and click BitLocker Drive Encryption.
You will see a list of all your partitions and drives listed on the home screen. To get started, all you have to do is click “Turn on BitLocker”.
If your computer has a TPM and it is enabled in the firmware, the wizard moves straight on and the process begins. Otherwise, you will receive the following error message: "This computer must have a Trusted Platform Module (TPM) compatible security device, but no TPM was found." The fix is a Group Policy setting (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup, with "Allow BitLocker without a compatible TPM" ticked); read my previous post about this TPM issue when enabling BitLocker for the details.
After you follow the directions in this message, you can click “Turn on BitLocker” again and no error message will appear. Instead, BitLocker Drive Encryption installation begins.
Go ahead and click Next to get started. Setup first prepares the drive and then encrypts it. A BitLocker-protected Windows disk needs two partitions: a small unencrypted system partition that holds the boot loader and an encrypted operating system partition. The wizard tells you this before it makes any changes.
You may have to wait a few minutes for the C drive to shrink first and create a new partition. When finished, you will be prompted to restart your computer. Let’s do it.
After Windows restarts, BitLocker setup should reappear automatically with a check mark next to the drive preparation step. Click Next to begin the actual encryption of the hard drive.
On the next screen, you will be able to select your BitLocker security options. If you don’t have TPM installed, you won’t be able to use the PIN to start up, only the USB dongle.
You will be prompted to insert a USB stick on which the startup key will be saved. Then you will need to create a recovery key as well. You can save it to a USB stick or a file, or print it. Whichever you choose, keep that copy off the machine you are encrypting and somewhere only you can get at it.
After that, you will finally be asked if you are ready to encrypt the hard drive, which will require a reboot.
If all goes well and Windows is able to read encryption keys from the USB stick or TPM, you should see a pop-up dialog informing you that the drive is being encrypted.
Once completed, your data is encrypted at rest and cannot be read without your keys. Again, it's important to note that using BitLocker without a TPM is much less secure, and even with a TPM you need to pair it with a PIN, a USB startup key, or both: with TPM-only protection the drive unlocks itself at boot and a thief only has to get past the Windows logon screen.
It's also worth noting that while the drive is unlocked, the volume key is held in RAM. If you put the computer to sleep (suspend to RAM) rather than shutting it down, memory keeps its contents, and an attacker with physical access can recover the key with a cold-boot attack or over a DMA-capable port such as FireWire or Thunderbolt. So shut down, or hibernate, when you are not using the machine; hibernation writes RAM to the encrypted drive and the key is gone. Now let's talk about FileVault on OS X.
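The same procedure can be driven from an elevated PowerShell prompt using the BitLocker and TrustedPlatformModule cmdlets, which exist on Windows 8 / Server 2012 and later (on Windows 7 the equivalent tool is manage-bde.exe). The script below is an added example, not code from the original article: it checks for a ready TPM, turns on BitLocker for the OS drive with TPM + PIN, adds a 48-digit recovery password, writes that password to a USB stick rather than the drive it unlocks, and finally checks that no TPM-only protector is left behind. The drive letters C: (OS drive) and E: (USB stick) are assumptions.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell
# prompt on Windows 8 / Server 2012 or later (BitLocker module required).
# Assumptions: C: is the operating system drive, E:\ is a removable USB stick.

#Requires -RunAsAdministrator
$OsDrive = 'C:'
$RecoveryKeyFolder = 'E:\bitlocker-recovery'   # assumed: a USB stick, never the encrypted drive

# 1. Is there a usable TPM? Without one, TPM+PIN is not an option; you would need
#    the "Allow BitLocker without a compatible TPM" policy and a startup key.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM found (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)). Enable it in firmware or use a startup key."
}

# 2. Do not stack protectors on a drive that is already protected.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$OsDrive is already protected; current protectors:"
    $vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
    return
}

# 3. Read the pre-boot PIN as a SecureString so it never lands in the console
#    history in clear text. Default policy allows 4 to 20 digits.
$pin = Read-Host -AsSecureString 'Enter the pre-boot BitLocker PIN'

# 4. Add the recovery password protector first, then enable encryption bound to
#    TPM + PIN. -UsedSpaceOnly is fine for a fresh install; drop it on a drive that
#    has already held sensitive data so free space (old files) is encrypted too.
#    Without -SkipHardwareTest, BitLocker requires one reboot to prove the TPM and
#    PIN work before it starts encrypting, which is what you want.
#    If this step says Group Policy does not permit a PIN, enable "Require
#    additional authentication at startup" and set "Configure TPM startup PIN"
#    to Allow (or Require).
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin `
    -EncryptionMethod Aes256 -UsedSpaceOnly

# 5. Save the recovery password somewhere that is NOT the drive it unlocks.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Path $RecoveryKeyFolder -Force | Out-Null
$keyFile = Join-Path $RecoveryKeyFolder ("{0}.txt" -f $recovery.KeyProtectorId.Trim('{}'))
@(
    "BitLocker recovery key for $env:COMPUTERNAME $OsDrive"
    "Key protector ID: $($recovery.KeyProtectorId)"
    "Recovery password: $($recovery.RecoveryPassword)"
) | Set-Content -Path $keyFile
Write-Host "Recovery password written to $keyFile - unplug the stick and store it somewhere safe."

# 6. Verify. Right after Enable-BitLocker, ProtectionStatus stays Off until the
#    reboot and hardware test have completed; re-run this part afterwards.
#    A lone 'Tpm' protector would unlock the drive silently at boot and make the
#    PIN pointless, so flag it.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$vol | Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
if ($vol.KeyProtector.KeyProtectorType -contains 'Tpm') {
    Write-Warning 'A TPM-only protector exists; remove it with Remove-BitLockerKeyProtector.'
}
```

After the reboot, `Get-BitLockerVolume C:` should report ProtectionStatus On, EncryptionPercentage climbing toward 100, and exactly two protectors: TpmPin and RecoveryPassword. `manage-bde -status C:` gives the same picture on any supported Windows version, including Windows 7.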
FileVault in OS X
FileVault 2 on OS X provides the same kind of protection as BitLocker on Windows. The whole startup volume is encrypted, and a small unencrypted Recovery HD partition holds the pre-boot environment that shows the login screen; the password of an enabled user is what unlocks the volume key, so that login is your pre-boot password.
To use FileVault, you need to go to System Preferences and click on Security & Privacy.
Now go to the FileVault tab and click the Turn On FileVault button. If the button is disabled, you need to click the little yellow padlock in the lower left corner of the dialog box and enter your system password to make changes.
You will now be asked where you want to store the recovery key. You can let iCloud hold it, or display a recovery key code and store it in a safe place yourself. I recommend not using iCloud, although it's easier, because then anyone who gets into your iCloud account, whether law enforcement or an attacker, can retrieve the recovery key and unlock the drive. If you keep the key yourself, keep it somewhere secure and away from the Mac: it is the only way back in if you forget your login password.
You will now be prompted to restart your computer, and once you log in again the encryption process begins in the background. You can go back to the Security & Privacy section to see how far it has progressed. Expect a slight slowdown, in the 5 to 10% range, on older machines; on a newer MacBook with hardware AES support the impact is barely noticeable.
As mentioned earlier, full disk encryption on any platform protects data at rest only: while you are logged in, or the machine is merely asleep, the volume key sits in RAM and can be extracted by an attacker with physical access. So shut down rather than sleep, and turn off automatic login. With a pre-boot PIN or password in place, even a well-equipped attacker will find it extremely difficult to get at what is on your drive. Have questions? Leave a comment. Enjoy!