Beginning many years ago, I started the process of going completely paperless with regard to retirement accounts, banking accounts, medical records, taxes and bills. At this point, all my accounts are online - other than the medical bills, which, apart from Quest Diagnostics, haven't seemed to have caught up with the times. Although most people go paperless as a means of "saving trees," my primary motivation for the switch is the ability to download all the information, so that it can be organized and searched in preparing and reconciling personal taxes and accounting. Everything I need is on my computer, and I can find it in a matter of seconds. It's a great system, except...
Since my primary computer is a laptop (which I use on the vanpool during my daily commute), I have been concerned about what would happen if somebody stole my laptop. Although it is usually quite secure, it could be stolen when I occasionally take it with me outside of work or if there were a break-in at my home. The criminal (or the person who bought the stolen laptop) would have complete access to all my personal accounts and medical records. So, it has been a worry of mine for some time. So, how do you secure data so that it cannot be accessed if your laptop is stolen?
Leo Notenboom, from Ask Leo, has a nice newsletter that discusses computer technology, and has been recommending TrueCrypt, a free data and drive encryption program. There are a couple of ways of using the program. One is to create an encrypted file location that contains all your encrypted files. In order to access the encrypted container, you must enter a password. The second way is to encrypt an entire drive, which was of interest to me, since I keep my documents on a second drive within my HP laptop. After trying to figure out how to encrypt a drive by running the software, it became apparent that the method of encrypting an entire drive was not a trivial task. TrueCrypt's documentation was not well written, and even Google had a difficult time trying to find the "trick." However, I eventually found it and determined that I could encrypt the entire data drive "on the fly," although I had to assign the encrypted drive a new drive letter. So, I encrypted the drive and restarted the computer. The first thing that happened upon booting into Windows Vista was that the system reported that drive F (the old drive letter of the data drive) was not formatted, and wanted to know if I wanted to format it now. Yikes! Although I knew not to format the drive, it was possible that when one of my kids or wife used the computer, they might give the wrong answer and delete all my data. A second problem was that Windows Vista kept reporting that drive F was unavailable (since it has changed to another drive letter. Worse than this was that TrueCrypt itself was unable to mount the encrypted drive on multiple occasions. However, you could mount the drive by retrieving the information from the volume headers. However, with these multiple problems, it was clear that TrueCrypt's drive encryption feature could not be used reliably with Windows Vista. So, I looked for information on how to unencrypt an encrypted drive. To my shock, there wasn't any way to do it other than reformatting the entire drive. So, I had to erase my data drive and restore the data from a backup.
I still wanted to encrypt my data, so I started searching for another drive encryption program. To my surprise, Microsoft has its own encryption program, BitLocker, which is available to users of Ultimate versions of Windows Vista and Windows 7. Since I had purchased my laptop with the Ultimate version of Windows Vista, I decided to give it a try. Ideally, BitLocker runs on computers that are equipped with a Trusted Platform Module (TPM) hardware device. However, it is possible to use the program on a non-TPM computer by using a USB key (my case). In using BitLocker, the system sets up a small bootable partition on your hard drive in order to boot a minimal part of the operating system. Microsoft provides a tool to easily add this partition. Once this is set, you can encrypt your operating system drive (usually C). In non-TPM computers, BitLocker saves a boot key to a USB device and provides a very long password that you are to save in case you lose access to your USB key (ideally, you will make more than one copy!). After encrypting the OS drive, you can encrypt any other drives on the system. All other drives use the same encryption key, although they have their own recovery passwords (in case you need to access those drives from another computer). The system works very well for me, since I keep the USB key on my keychain, which is almost always separate from the laptop. Whenever the computer boots or comes out of hibernation/sleep, you must engage the USB key to access the computer. If the computer is stolen, nobody can access the drives or the data on them without the USB key. You need a key to start your car. Why not use one to start your computer? Well done, Microsoft!
TrueCrypt is not a program you should use to encrypt a drive on a Windows Vista machine, since it presented numerous problems, not the least of which was the OS trying to format the drive whenever the computer booted into Windows. I haven't tried it on Windows 7, but would be surprised if it didn't have similar problems. People who have used TrueCrypt's encrypted container approach have not complained about these kinds of catastrophic problems, so if this works for you, you might want to try it. However, like any other password-based system, it is only as secure as your password is a good one. However, Microsoft's BitLocker was much simpler to use and has worked flawlessly for the last several months. If you are considering getting a Windows laptop, I would seriously consider buying it with Windows 7 Ultimate, which is the only version that includes BitLocker. This way, you can encrypt your personal data so that it is not available, should your laptop be stolen.
Last Modified November 20, 2009