A while back, Popular Science asked me to identify the Best New Security Technology. At the time I simply couldn't think of anything, and they've long since published their issue filled with Best New ____ Technology.
I finally thought of something - self-encrypting mass storage. This can be anything from an encrypting USB drive - the IronKey if you like theatrics - to a self-encrypting hard drive like Seagate's Momentus line of laptop drives.
While I also rely heavily on software drive encryption (TrueCrypt), I wish that all my hard drives had full disk encryption (FDE). If all drives had FDE, I could recycle drives (i.e. give them to my kids) just by erasing the key. Instead, I have to hook each drive up to an idle machine for a day or so to run a wiping process.
So FDE isn't just for security paranoids and folks hogtied by compliance regulations. It's useful for everyone. That is, assuming that the vendors make it easy to use.
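The drive-recycling point above (erase the key, not the disk) as an added example that is not from the original post: a small Python model of a self-encrypting drive, in which the media only ever holds ciphertext under an on-drive data encryption key that is itself wrapped by a password-derived key. The class name, the HMAC-SHA256 counter-mode keystream (a standard-library stand-in for the AES-XTS real drives use) and the sample password are my own assumptions.

```python
import hashlib
import hmac
import os
SECTOR = 512  # bytes per sector (constructed for this example)

def keystream(key: bytes, sector: int, length: int) -> bytes:
    # Per-sector keystream: HMAC-SHA256 in counter mode, a stdlib stand-in for AES-XTS.
    out, ctr = b"", 0
    while len(out) < length:
        msg = sector.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SelfEncryptingDrive:
    # Media holds only ciphertext under an on-drive data encryption key (DEK);
    # the DEK is stored wrapped by a key derived from the user's password.
    def __init__(self, password: bytes, sectors: int = 8):
        self.media = [bytes(SECTOR)] * sectors
        self._install_dek(password)

    def _kek(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self.salt, 100_000, 32)

    def _install_dek(self, password: bytes) -> None:
        self.salt = os.urandom(16)   # fresh salt, so a wrap key is never reused
        dek = os.urandom(32)
        self.wrapped_dek = xor(dek, self._kek(password))
        self.check = hmac.new(dek, b"dek-check", hashlib.sha256).digest()
        self._dek = None             # locked until unlock()

    def unlock(self, password: bytes) -> bool:
        dek = xor(self.wrapped_dek, self._kek(password))
        tag = hmac.new(dek, b"dek-check", hashlib.sha256).digest()
        self._dek = dek if hmac.compare_digest(tag, self.check) else None
        return self._dek is not None

    def write(self, sector: int, data: bytes) -> None:
        self.media[sector] = xor(data.ljust(SECTOR, b"\0"), keystream(self._dek, sector, SECTOR))

    def read(self, sector: int) -> bytes:
        return xor(self.media[sector], keystream(self._dek, sector, SECTOR))

    def crypto_erase(self, new_password: bytes) -> None:
        # Replace the DEK: no sector is rewritten, yet every old sector is now unreadable.
        self._install_dek(new_password)
```

After `crypto_erase` the media bytes are identical to before, which is why the operation takes seconds where an overwrite wipe takes a write per sector.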
FDE products arguably "came of age" last winter when an industry consortium published standards for self-encrypting hard drives. The downside - for these drives, at least - is that they haven't made it into the commercial mainstream yet. I looked at self-encrypting drive options last summer when buying a laptop. They are only available for a small subset of laptop products.
Actually, I'm not convinced that removable USB drives are any better than TrueCrypt software encryption in practice. If you have a few gigs or less of sensitive information (tax forms and home finance files, for example) then a TrueCrypt "virtual encrypted disk" file easily does the trick. If it's 4 gig or less, you can move the file around on a USB drive. If it's much larger, you run into trouble with FAT file system restrictions, which haunt most USB drives. This is, however, a personal choice that depends on the fact that I've installed TrueCrypt just about everywhere I go.
Marcus Ranum showed me TrueCrypt several years back, and it's been my mainstay ever since the Mac version appeared. I generally use it with virtual devices - files that I can mount as drive-like devices, whose whole contents are encrypted. The latest versions support system drive encryption for some versions of Linux and Windows. Arguably you can use that as a substitute for drive encryption.
Personally, I'd prefer FDE for a few reasons. First, vendors are spotty about their software encryption coverage. Older Windows systems only provided encryption on "business" and "super duper" versions, and not even on the "premium" home versions. The Macintosh will do encryption or it will do Time Machine backups, but it won't do encrypted Time Machine backups. FDE will require some OS support, but not nearly as much as is required by improved built-in encryption.
Second, and related to this, added crypto in the OS will make the OS even more bloated, and provide another point of failure. This is one reason why I hesitate to use TrueCrypt's system drive encryption.
Third, built-in encryption promises to be more portable than software encryption. I can plug my IronKey into Windows, Mac, and Linux systems and still read my files. I don't have to install anything ahead of time. In fact, the IronKey contains a plaintext partition with "mount" program executable files to run on these platforms. So far it's been trouble free. While I have similar luck with TrueCrypt, it's because I've already installed TrueCrypt just about everywhere.