Encrypt All Hard Drives!

If you have the technical interest to read this, you probably do a lot of your finances with your personal computer. Taxes, monthly budgets, check printing (on those rare occasions), and tracking numerous accounts – computers are far better than people at handling such details. A typical personal computer, or smart phone for that matter, contains company names, account numbers, login credentials, and everything else an identity thief might need. This is reasonably safe as long as you don’t lose your device and/or its hard drive.

But when you replace your computer or hard drive, or (God forbid) someone steals it, your intimate financial details are “out there” unless your drive is encrypted.

The better smartphones (notably Android and iOS) will encrypt everything on your phone if you use the right settings. Use them. Most desktop/laptop vendors also let you do this: Microsoft with BitLocker and Mac with FileVault. Do it. And don’t lose your passphrase!

Why encrypt?

Some technically savvy people will say “Never mind. I’ll just wipe my drives before I discard them.” Let me be skeptical:

  • It takes hours – and hours – and hours – to wipe a multi-terabyte hard drive. This is indeed a “start and forget” task, but you must plan to finish it before you can discard the drive.
  • If your hard drive fails, the failure will probably keep you from wiping the drive yourself. Maybe the failure is thorough enough to protect your data from recovery, but you just won’t know.
  • If you own a laptop, encrypt it. No excuses.

Doing the Encryption

Smart phones usually connect the encryption process to phone locking and unlocking. Set up your phone to use a “lock code” or “password” or whatever the vendor calls it. The phone will then allow you to enable encryption.

If there’s a risk you might forget the lock code, write it down on a piece of paper and put it in your wallet. At some point you’ll have memorized the code perfectly, and you can discard that piece of paper.

Laptops and desktops usually have a “wizard” to step you through the process. The block-by-block encryption often takes place in the background, so you can keep using your computer as the hard drive is encrypted. Apple’s Time Machine backup system lets you select drive encryption when you start using a new drive for backups. Use it!

The wizard will ask you to choose a “passphrase.” This is essentially a memorable sentence that should include some punctuation. Remember exactly how you spelled, capitalized, and punctuated the sentence. You may want to copy it down on a piece of paper and keep it in your wallet.

That paper in your wallet

Some security experts insist that such things should never be written down. There are hard-and-fast rules against writing such things down in some environments. You should follow the rules you are obliged to follow.

If you have a choice, however, write it down and save it. You will pick a harder-to-guess code or passphrase if you don’t have to memorize it blind. Writing it down helps you memorize something you’d otherwise forget. Peeking at it occasionally helps you remember it with perfect accuracy.

Most risks to your encrypted data don’t include someone searching for your passphrase. Most risks arise from the black-market value of new technology, or from someone reusing your old hard drive.

Discarding an Encrypted Hard Drive

If an encrypted hard drive fails or is stolen, we rely on its passphrase to keep others from our data. We can protect our data further by wiping away all of the crypto management data on the drive. This should make it impossible to recover your encrypted data.

We wipe away the crypto management data by installing a new, empty, encrypted file system on the drive we want to discard. We don’t need to reinstall the whole OS; we just need to erase and rebuild an empty file directory using a new and different encryption key. Use a different passphrase to encrypt the new file system. This is easy for external hard drives, but may pose a challenge if you’re passing along a laptop or erasing a desktop system’s drive.
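The effect of replacing the crypto management data, modeled as an added example (not from the original article or any vendor's code). It assumes a simplified design in which the passphrase wraps a random volume key stored in a header; the function names and the toy cipher are illustrative and are not the BitLocker or FileVault format.

```python
import hashlib, hmac, secrets

def kek(passphrase: str, salt: bytes) -> bytes:
    # Passphrase -> key-encryption key (PBKDF2 from the standard library).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy cipher for this model only: HMAC-SHA256 in counter mode, XORed in.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def format_encrypted(passphrase: str) -> dict:
    # New empty file system: fresh random volume key, wrapped by the passphrase.
    salt, volume_key = secrets.token_bytes(16), secrets.token_bytes(32)
    k = kek(passphrase, salt)
    return {"salt": salt,
            "wrapped_key": xor_stream(k, volume_key),
            "check": hmac.new(k, volume_key, hashlib.sha256).digest()}

def unlock(header: dict, passphrase: str):
    # Returns the volume key, or None if the passphrase does not fit this header.
    k = kek(passphrase, header["salt"])
    volume_key = xor_stream(k, header["wrapped_key"])
    tag = hmac.new(k, volume_key, hashlib.sha256).digest()
    return volume_key if hmac.compare_digest(tag, header["check"]) else None

def discard_demo() -> dict:
    # Constructed sample values, not real data.
    old_pass, new_pass = "Old wallet passphrase, 2019!", "Throwaway; never kept."
    secret = b"constructed sample: bank acct 0000-1111, login alice"
    header = format_encrypted(old_pass)
    sectors = xor_stream(unlock(header, old_pass), secret)    # data at rest
    readable_before = xor_stream(unlock(header, old_pass), sectors) == secret
    header = format_encrypted(new_pass)       # reformat: old header overwritten
    old_unlocks = unlock(header, old_pass) is not None
    leftover = xor_stream(unlock(header, new_pass), sectors)  # stale sectors
    return {"readable_before": readable_before,
            "old_passphrase_unlocks_after": old_unlocks,
            "leftover_readable_after": leftover == secret}

if __name__ == "__main__":
    print(discard_demo())
```

In this model the stale sectors are still physically on the drive after the reformat, but the only key that could decrypt them was stored in the header that the new file system replaced.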

Erasing the system drive is relatively easy on the Macintosh. Restart the system and hold down “Command R” when the reboot tone chimes. Hold it down until the Apple appears. This takes you into the Recovery system, which does not rely on your existing, installed system. The Recovery system includes the Disk Utility. Use the Utility to erase your system hard drive and reformat it as Encrypted. Use a different passphrase. You don’t need to remember this passphrase – the next owner can reformat the encrypted drive without it.