This is an overview of the most popular hardware and software for encrypting data on an external hard drive.

Let's start with the simplest. Mac OS X has a built-in Disk Utility that allows you to create an encrypted disk image. You can also use third-party software to encrypt files or folders, such as Espionage, FileWard, StuffIt Deluxe. In addition, some backup applications offer encryption of backups out of the box.

These methods are good, but sometimes software encryption is not the best option. For example, when you need to encrypt Time Machine backups: protecting them takes some tricky manipulation, because Time Machine does not support encryption. Conventional software also will not help when you need to create an encrypted copy of a boot disk that remains bootable. Encrypted disks have another limitation: they cannot be used on other computers (Mac or PC) without special software.

PGP Whole Disk Encryption for the Mac is one of those applications that allows you to encrypt the contents of a disk, which remains bootable and usable on Mac and PC. This is a great application, but to access information, PGP must be installed on each computer to which such a drive is connected. Also, if the disk is damaged, encryption may prevent data recovery.

If you need a universal solution that does not impose restrictions on disk usage, you should purchase an HDD with built-in encryption. The disk encrypts and decrypts data on its own, so no additional software needs to be installed. In this case the disk can be used as a boot volume or for Time Machine. One caveat: if the drive's controller or other electronics fail, you will not be able to transfer data off the device (even with fully working mechanics) until the HDD is fully repaired.

Encryption-enabled hard drives come in several types, depending on the decryption mechanism:

Hardware keys

Some manufacturers offer encrypting HDD boxes that are locked using a physical device. As long as the key is present (connected or near the disk), the disk can be read.

HDDs of this type include RadTech's Encrypted Impact Enclosures ($95), RocStor Rocbit FXKT drives and several devices from SecureDISK ($50+). All of these enclosures come with two or three compatible keys, which plug into a special port on the device. SecureDISK offers the RFID Security External Enclosure with an infrared key (the key must be nearby to use the drive).

Fingerprint scanners

If you are worried about losing a physical key, consider HDD enclosures with a fingerprint scanner. A few examples: MXI Security Outbacker MXI Bio ($419-$599) and LaCie SAFE hard drives ($400 for a 2GB model). (Some older 2.5″ LaCie enclosures do not encrypt data, but use a less reliable lock in the firmware.) These drives are easy to use and can store the fingerprints of up to five people. It is worth noting that there are several techniques for fooling a fingerprint scanner without the original finger present.

Keyboard

($230-480) – encrypting disk enclosures that do not require physical keys or biometric readers. Instead, a keypad is used to enter a password (up to 18 characters). Using a keypad instead of a physical key is convenient when the disk often changes hands. The drives support a “self-destruct” feature that erases all stored information after several unsuccessful password attempts.

There are many reasons to encrypt the data on your hard drive, but the price of data security is a drop in system speed. The purpose of this article is to compare performance when working with a disk encrypted by different means.

To make the difference more pronounced, we chose not a cutting-edge machine but an average one: a regular mechanical 500 GB hard drive, a dual-core AMD at 2.2 GHz, 4 GB of RAM, 64-bit Windows 7 SP1. No antivirus or other programs will be running during the test, so nothing can affect the results.

I chose CrystalDiskMark to evaluate performance. As for the encryption tools I tested, I settled on the following list: BitLocker, TrueCrypt, VeraCrypt, CipherShed, Symantec Endpoint Encryption and CyberSafe Top Secret.

BitLocker

This is the standard disk encryption tool built into Microsoft Windows. Many people simply use it without installing third-party programs. Indeed, why would you, if everything is already in the system? On the one hand, that is correct. On the other hand, the code is closed, and there is no certainty that it contains no backdoors for the FBI and other interested parties.

Disk encryption uses the AES algorithm with a key length of 128 or 256 bits. The key can be stored in the Trusted Platform Module (TPM), on the computer itself or on a flash drive.

If a TPM is used, then when the computer boots the key can be obtained from it immediately or only after authentication. You can authenticate with a key on a flash drive or by entering a PIN code from the keyboard. Combinations of these methods give many options for restricting access: TPM alone, TPM and USB, TPM and PIN, or all three at once.

BitLocker has two undeniable advantages: first, it can be managed through group policies; second, it encrypts volumes, not physical disks. This lets you encrypt an array of multiple drives, something some other encryption tools cannot do. BitLocker also supports the GUID Partition Table (GPT), which even the most advanced TrueCrypt fork, VeraCrypt, cannot boast of. To encrypt a system GPT disk with VeraCrypt, you will first have to convert it to MBR format. This is not required with BitLocker.

In general there is only one drawback: closed source. If you're keeping secrets from the people in your household, BitLocker is perfect. If your disk is full of documents of national importance, it is better to find something else.

Is it possible to decrypt BitLocker and TrueCrypt?

If you ask Google, it will find an interesting program called Elcomsoft Forensic Disk Decryptor, suitable for decrypting BitLocker, TrueCrypt and PGP drives. As part of this article I will not test it, but I will share my impressions of another Elcomsoft utility, Advanced EFS Data Recovery. It decrypted EFS folders perfectly, but only provided that the user had no password set. If the password was set to even 1234, the program was powerless. In any case, I was unable to decrypt an encrypted EFS folder belonging to a user with the password 111. I think the situation will be the same with the Forensic Disk Decryptor product.

TrueCrypt

This is a legendary disk encryption program whose development was discontinued in 2012. The story of what happened to TrueCrypt is still shrouded in darkness, and no one really knows why the developers decided to abandon their brainchild.

There are only scraps of information, and they do not allow us to put the puzzle together. In 2013, fundraising began for an independent audit of TrueCrypt, prompted by information from Edward Snowden about the deliberate weakening of TrueCrypt's encryption tools. Over 60 thousand dollars were collected for the audit. At the beginning of April 2015 the work was completed, and no serious bugs, vulnerabilities or other significant flaws in the application's architecture were identified.

As soon as the audit was completed, TrueCrypt again found itself at the centre of a scandal. ESET specialists published a report that the Russian version of TrueCrypt 7.1a downloaded from truecrypt.ru contained malware. Moreover, the truecrypt.ru site itself was used as a command and control centre: commands were sent from it to infected computers. In short, be vigilant and do not download programs from just anywhere.

The advantages of TrueCrypt include open source, whose reliability is now backed by an independent audit, and support for dynamic Windows volumes. Disadvantages: the program is no longer developed, and the developers did not get round to implementing UEFI/GPT support. But if the goal is to encrypt a single non-system drive, that doesn't matter.

Unlike BitLocker, which only supports AES, TrueCrypt also offers Serpent and Twofish. To derive the encryption keys, salt and header key, the program lets you select one of three hash functions: HMAC-RIPEMD-160, HMAC-Whirlpool or HMAC-SHA-512. A lot has already been written about TrueCrypt, so we won't repeat it.

VeraCrypt

The most advanced TrueCrypt clone. It has its own format, although it can also work in TrueCrypt mode, which supports encrypted and virtual disks in TrueCrypt format. Unlike CipherShed, VeraCrypt can be installed on the same computer alongside TrueCrypt.

INFO

Having retired, TrueCrypt left a rich legacy: it has many forks, starting with VeraCrypt, CipherShed and DiskCryptor.

TrueCrypt uses 1000 iterations to derive the key that encrypts the system partition, while VeraCrypt uses 327,661. For standard (non-system) partitions, VeraCrypt uses 655,331 iterations with the RIPEMD-160 hash function and 500,000 with SHA-2 and Whirlpool. This makes encrypted partitions significantly more resistant to brute-force attacks, but also noticeably reduces the performance of working with such a partition. How noticeably, we will soon find out.
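To see what these iteration counts mean in practice, here is an added Python example (not part of the original article) that derives a header key with PBKDF2-HMAC-SHA-512 from the standard library at the counts quoted above and projects the per-guess cost; the sample password and the 8-character keyspace are constructed for illustration.

```python
import hashlib
import os
import time

# Iteration counts quoted in the text: TrueCrypt for a system partition,
# VeraCrypt for a system partition, VeraCrypt for a non-system SHA-512 volume.
TRUECRYPT_SYSTEM_ITERS = 1_000
VERACRYPT_SYSTEM_ITERS = 327_661
VERACRYPT_SHA512_ITERS = 500_000

SALT_LEN = 64  # the TrueCrypt/VeraCrypt volume header begins with a 64-byte salt


def derive_header_key(password: bytes, salt: bytes, iterations: int, key_len: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA-512, one of the three PRFs the text lists. TrueCrypt and
    VeraCrypt both turn password + salt into the header key this way; the
    iteration count is what differs between them."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=key_len)


def seconds_per_guess(password: bytes, salt: bytes, iterations: int) -> float:
    """Wall-clock cost of a single derivation on this machine, i.e. what one
    password guess costs anyone attacking the header offline."""
    start = time.perf_counter()
    derive_header_key(password, salt, iterations)
    return time.perf_counter() - start


def scale_cost(measured_seconds: float, measured_iters: int, target_iters: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so a timing taken at one
    count can be projected to another without running it."""
    return measured_seconds * target_iters / measured_iters


def exhaustive_search_hours(per_guess_seconds: float, keyspace: int) -> float:
    """Worst-case single-threaded time to try every password in a keyspace."""
    return per_guess_seconds * keyspace / 3600.0


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)
    password = b"example passphrase"       # constructed sample password
    keyspace = 26 ** 8                     # 8 lowercase letters, for illustration only
    base = seconds_per_guess(password, salt, TRUECRYPT_SYSTEM_ITERS)
    for label, iters in (("TrueCrypt system", TRUECRYPT_SYSTEM_ITERS),
                         ("VeraCrypt system", VERACRYPT_SYSTEM_ITERS),
                         ("VeraCrypt SHA-512 volume", VERACRYPT_SHA512_ITERS)):
        per_guess = scale_cost(base, TRUECRYPT_SYSTEM_ITERS, iters)
        print(f"{label:25s} {iters:>8,d} iterations  "
              f"{per_guess * 1000:9.2f} ms/guess  "
              f"{exhaustive_search_hours(per_guess, keyspace):14,.0f} h for 26^8")
```

The per-guess figure is paid once at mount time by the legitimate user but once per candidate by anyone guessing, which is exactly the trade-off the paragraph describes.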

Among the advantages of VeraCrypt are its open source code and its own, more secure format for virtual and encrypted disks compared to TrueCrypt. The disadvantages are the same as the progenitor's: lack of UEFI/GPT support. It is still impossible to encrypt a system GPT disk, but the developers claim they are working on the problem and that such encryption will soon be available. They have been working on it for two years now (since 2014), however, and when a release with GPT support will appear, or whether it will appear at all, is not yet known.

CipherShed

Another TrueCrypt clone. Unlike VeraCrypt, it uses the native TrueCrypt format, so you can expect its performance to be close to that of TrueCrypt.

The advantages and disadvantages are the same, although you can add to the disadvantages the inability to install TrueCrypt and CipherShed on the same computer. Moreover, if you try to install CipherShed on a machine with TrueCrypt already installed, the installer offers to remove the previous program but fails to do so.

Symantec Endpoint Encryption

In 2010, Symantec bought the rights to the PGPdisk program. The result was products such as PGP Desktop and, later, Endpoint Encryption, which is what we will consider. The program is, of course, proprietary, the source is closed, and one license costs 64 euros. There is GPT support, but only starting from Windows 8.

In other words, if you need GPT support and want to encrypt the system partition, you will have to choose between two proprietary solutions: BitLocker and Endpoint Encryption. It is unlikely, of course, that a home user will install Endpoint Encryption: it requires Symantec Drive Encryption, which in turn needs an agent and a Symantec Endpoint Encryption (SEE) management server to install, and the server also wants IIS 6.0. Isn't that a lot of baggage for one disk encryption program? We went through all of it just to measure performance.

Moment of truth

So, let's get to the fun part: testing. The first step is to measure the disk's performance without encryption. Our “victim” will be a 28 GB partition on a hard drive (a regular one, not an SSD), formatted as NTFS.

Open CrystalDiskMark, select the number of passes, the size of the test file (we will use 1 GB in all tests) and the disk itself. The number of passes has virtually no effect on the results. The first screenshot shows the results of measuring disk performance without encryption with 5 passes, the second with 3. As you can see, the results are almost identical, so we'll settle on three passes.



CrystalDiskMark results should be interpreted as follows:

  • Seq Q32T1 - sequential write / sequential read test, queue depth 32, 1 thread;
  • 4K Q32T1 - random write / random read test (block size 4 KB, queue depth 32, 1 thread);
  • Seq - sequential write / sequential read test;
  • 4K - random write / random read test (block size 4 KB).

Let's start with BitLocker. It took 19 minutes to encrypt a 28 GB partition.


Lately, laptops have become very popular due to their affordable price and high performance, and users often use them outside secured premises or leave them unattended. This makes the issue of keeping personal information on Windows systems inaccessible to outsiders extremely pressing. Simply setting a login password will not help here, and encrypting individual files and folders (covered separately) is too tedious. Therefore, the most convenient and reliable means is hard drive encryption. You can encrypt just one partition and keep private files and programs on it. Moreover, such a partition can be hidden by not assigning it a drive letter. It will outwardly appear unformatted and so will not attract the attention of intruders, which is especially effective because the best way to protect secret information is to hide the very fact of its existence.

How hard drive encryption works

The general principle is this: the encryption program creates an image of a file system and places it in a container whose contents are encrypted. Such a container can be either an ordinary file or a partition on a disk device. An encrypted container file is convenient because it can be copied anywhere and used from there. This approach suits storing a small amount of information. But if the container is several tens of gigabytes, its mobility becomes very doubtful, and besides, such a huge file reveals the fact that it holds something useful. A more universal approach, therefore, is to encrypt an entire partition on the hard drive.

There are many programs for this purpose, but the most famous and reliable is considered to be TrueCrypt. Since this program is open source, there are no vendor-supplied backdoors granting access to encrypted data through an undocumented “back door”. Unfortunately, there is speculation that the creators of TrueCrypt were forced to abandon further development and pass the baton to their proprietary counterparts. However, the latest reliable version, 7.1a, remains fully functional on all versions of Windows, and most users use this version.

Attention! The last full version is 7.1a (download link). Do not use the “cut-down” version 7.2 (the project was closed, the official website suggests switching from TrueCrypt to BitLocker, and only version 7.2 is available there).

Creating an encrypted disk

Let's consider the standard approach to encrypting partitions. For this we need an unused partition on the hard drive or flash drive; you can free up one of the logical drives for the purpose. In fact, if there is no free partition, then while creating the encrypted disk you can choose to encrypt it in place without formatting and keep the existing data. But this takes longer, and there is a small risk of losing data if the computer freezes during encryption.

Once the required partition is prepared, launch TrueCrypt and select the “Create new volume” menu item.

Since we want to store data in a disk partition rather than a container file, select “Encrypt non-system partition/disk” and the standard volume type.

At this stage the aforementioned choice appears: encrypt the data already in the partition, or format it without keeping the information.

After this, the program asks which algorithms to use for encryption. For home use there is no big difference: you can choose any of the algorithms or a combination of them.

Bear in mind that a combination of several algorithms requires more computing resources when working with the encrypted disk, so read and write speed drops accordingly. If your computer is not very powerful, it makes sense to click the benchmark button to pick the optimal algorithm for your machine.

The next step is the actual process of formatting the encrypted volume.

Now all you have to do is wait until the program finishes encrypting your hard drive.

It is worth noting that at the password stage you can specify a key file as additional protection. Access to the encrypted information is then possible only with this key file. So if the file is stored on another computer on the local network, losing a laptop with an encrypted disk or flash drive does not give anyone access to the secret data, even if they guess the password: there is no key file on the laptop itself or on the flash drive.

Hiding an encrypted partition

As already mentioned, the advantage of an encrypted partition is that the operating system presents it as unused and unformatted, with nothing to indicate that it contains encrypted information. The only way to find out is to use specialised cryptanalysis tools that infer from the high randomness of the bit sequences that the partition holds encrypted data. But if you are not a potential target of intelligence services, you are unlikely to face this kind of exposure.
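The “high randomness” test mentioned above is simple to reproduce, and doing so shows both why the hiding is cosmetic and where the test itself stops. The following Python is an added example, not from the article: it measures per-block Shannon entropy over constructed samples standing in for a blank partition, a TrueCrypt volume and ordinary file-system data (the block size and thresholds are assumptions chosen for illustration).

```python
import math
from collections import Counter

BLOCK = 4096  # 4 KiB blocks: 512-byte sectors are too short for a stable estimate


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for a
    block in which all 256 byte values are equally frequent."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def profile_region(data: bytes, block: int = BLOCK, threshold: float = 7.8) -> dict:
    """Summarise a raw region the way an examiner would: share of blocks at
    near-maximal entropy, share of all-zero blocks, and mean entropy."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    if not blocks:
        return {"blocks": 0, "mean_entropy": 0.0,
                "high_entropy_fraction": 0.0, "zero_fraction": 0.0}
    entropies = [shannon_entropy(b) for b in blocks]
    high = sum(1 for e in entropies if e >= threshold)
    zero = sum(1 for b in blocks if not any(b))
    return {"blocks": len(blocks),
            "mean_entropy": sum(entropies) / len(entropies),
            "high_entropy_fraction": high / len(blocks),
            "zero_fraction": zero / len(blocks)}


def verdict(profile: dict) -> str:
    """Entropy alone cannot separate ciphertext from compressed or already
    encrypted files, so the strongest honest verdict is
    'encrypted-or-compressed'. A genuinely unused partition is mostly zeros,
    which is why an 'unformatted' TrueCrypt partition still stands out."""
    if profile["blocks"] == 0:
        return "empty"
    if profile["zero_fraction"] > 0.9:
        return "blank"
    if profile["high_entropy_fraction"] > 0.9:
        return "encrypted-or-compressed"
    return "structured"


if __name__ == "__main__":
    import os
    size = BLOCK * 64
    # Constructed samples standing in for three kinds of partition content.
    samples = {
        "never used": bytes(size),                                  # factory-zeroed space
        "TrueCrypt volume": os.urandom(size),                       # random from byte 0
        "sparse NTFS": (b"NTFS    " + bytes(504)) * (size // 512),  # repetitive metadata
    }
    for name, data in samples.items():
        p = profile_region(data)
        print(f"{name:17s} mean H={p['mean_entropy']:.3f}  "
              f"high={p['high_entropy_fraction']:.2f}  zero={p['zero_fraction']:.2f}"
              f"  -> {verdict(p)}")
```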

But for additional protection from ordinary people, it makes sense to hide the encrypted partition from the list of drive letters. Accessing the disk directly by its letter gives nothing anyway and is only needed if you remove the encryption by formatting. To detach a volume from its letter, go to “Control Panel”, then “Computer Management / Disk Management”, open the context menu of the desired partition and select “Change drive letter or drive path...”, where you can remove the binding.

After these manipulations, the encrypted partition will not be visible in Windows Explorer and other file managers. And one nameless, “unformatted” partition among several system partitions is unlikely to arouse the interest of outsiders.

Using an encrypted drive

To use an encrypted device as a regular drive, you need to mount it. In the main program window, right-click one of the available drive letters and select the menu item “Select device and mount...”

After this, you need to mark the previously encrypted device and specify the password.

As a result, Windows Explorer should display a new disk with the selected letter (in our case, drive X).

Now you can work with this disk like any ordinary logical disk. The main thing after finishing work is to remember to either shut down the computer, close TrueCrypt, or unmount the encrypted partition: as long as the disk is mounted, any user can access the data on it. You can unmount the partition by clicking the “Unmount” button.

Results

Using TrueCrypt lets you encrypt your hard drive and thereby hide your private files from strangers if someone gains access to your flash drive or hard drive. Placing the encrypted information on an unused, hidden partition creates an additional layer of protection, since outsiders may not realise that secret information is stored on one of the partitions. This method of protecting private data suffices in the vast majority of cases. Only if you face the threat of violence to obtain your password might you need more sophisticated methods, such as steganography and hidden TrueCrypt volumes (with two passwords).

This is the fourth of five articles on our blog dedicated to VeraCrypt. It examines in detail, with step-by-step instructions, how to use VeraCrypt to encrypt a system partition or an entire disk with Windows installed.

If you are looking for how to encrypt a non-system HDD, individual files or an entire USB flash drive, and want to learn more about VeraCrypt, check out these links:

This kind of encryption is the most secure, since absolutely all files, including temporary files, the hibernation file (sleep mode), the swap file and others, are always encrypted (even in the event of an unexpected power outage). The operating system log and registry, which store a lot of important data, are encrypted as well.

System encryption works through pre-boot authentication. Before Windows starts booting, you have to enter a password that decrypts the system partition containing all the operating system files.

This functionality is implemented by the VeraCrypt bootloader, which replaces the standard system bootloader. If the disk sector holding the bootloader is damaged, and with it the bootloader itself, the system can still be booted using the VeraCrypt Rescue Disk.

Please note that the system partition is encrypted on the fly while the operating system is running. While the process is ongoing, you can use the computer as usual. The above is also true for decryption.

List of operating systems for which system disk encryption is supported:

  • Windows 10
  • Windows 8 and 8.1
  • Windows 7
  • Windows Vista (SP1 or later)
  • Windows XP
  • Windows Server 2012
  • Windows Server 2008 and Windows Server 2008 R2 (64-bit)
  • Windows Server 2003

In our case, we encrypt a computer with Windows 10 and a single C:\ disk.

Step 1 - Encrypt the system partition


Launch VeraCrypt, go to the System tab in the main window and select the first menu item, Encrypt system partition/drive.

Step 2 – Selecting Encryption Type


Leave the default type Normal. If you want to create a hidden partition or a hidden OS, look at VeraCrypt's dedicated features for that. Click Next.

Step 3 – Encryption Area




In our case it does not fundamentally matter whether we encrypt the entire disk or just the system partition, since the disk has only one partition occupying all the space. Your physical disk may be divided into several partitions, for example C:\ and D:\. If so and you want to encrypt both, choose Encrypt the whole drive.

Note that if you have several physical disks installed, you will have to encrypt each of them separately: the disk with the system partition following these instructions, and a data disk as described separately.

Select whether you want to encrypt the entire disk or just the system partition and click the button Next.

Step 4 – Encrypt Hidden Partitions



Select Yes if your device has hidden partitions with your computer manufacturer's utilities and you want to encrypt them too; this is usually not necessary.

Step 5 – Number of Operating Systems



We will not analyse the case where several operating systems are installed on the computer. Select the appropriate option and click Next.

Step 6 – Encryption Settings



Choose the encryption and hashing algorithms. If you are not sure what to choose, leave the defaults, AES and SHA-512, as the strongest option.

Step 7 - Password



This is an important step; here you need to create a strong password that will be used to access the encrypted system. We recommend that you carefully read the developers' recommendations in the Volume Creation Wizard window on how to choose a good password.

Step 8 – Collecting Random Data


This step is necessary to generate an encryption key based on the password entered earlier; the longer you move the mouse, the more secure the resulting keys will be. Move the mouse randomly at least until the indicator turns green, then click Next.

Step 9 - Generated Keys



This step informs you that the encryption keys, salt and other parameters have been created successfully. It is informational; click Next.

Step 10 – Recovery Disk



Specify the path where the ISO image of the rescue disk will be saved. You may need this image if the VeraCrypt bootloader is damaged; you will still need to enter the correct password.


Save the rescue disk image to removable media (for example a flash drive) or burn it to an optical disk (recommended) and click Next.

Step 11 - The recovery disk is created



Note! Each encrypted system partition requires its own recovery disk. Be sure to create it and store it on removable media. Do not store the recovery disk on the same encrypted system drive.

Only a recovery disk can help you decrypt data in case of technical failures and hardware problems.

Step 12 – Clearing Free Space



Clearing free space allows you to permanently remove previously deleted data from a disk, which can be recovered using special techniques (especially important for traditional magnetic hard drives).

If you are encrypting an SSD drive, select 1 or 3 passes; for magnetic disks we recommend 7 or 35 passes.

Please note that this operation adds to the overall disk encryption time, so skip it if the disk never held important deleted data.

Don't choose 7 or 35 passes for SSDs: magnetic force microscopy does not apply to SSDs, and 1 pass is enough.

Step 13 – System Encryption Test



Run the system encryption pre-test. Note the message that the VeraCrypt bootloader interface is entirely in English.

Step 14 – What to do if Windows does not boot



Read, or better yet print out, the recommendations on what to do if Windows does not boot after the reboot (this happens).

Click OK if you have read and understood the message.

BitLocker is a technology built into Windows Vista (Professional/Enterprise), Windows 7 (Ultimate), Windows 8/8.1 and some server versions such as Windows Server 2012 and Server 2008 R2.

BitLocker allows you to encrypt an entire storage medium, whether a built-in HDD, an external hard drive, a USB drive or an SD card, as well as a separate volume, for example local disk “D:\”.

Once BitLocker is enabled, access to the storage medium is password-only on every computer the device is connected to. Thus, if you lose a BitLocker-encrypted storage device, the likelihood that your files end up in someone else's hands is reduced to almost zero.

If you lose or forget the password to an encrypted medium, it can be recovered using the recovery key. The recovery key must be created before BitLocker encryption begins; without it you cannot start encryption.

The key can be stored in several ways: save it to an ordinary “txt” file and put the file away from prying eyes; if you have a modern computer, you can store the key in the Trusted Platform Module (TPM); or you can save it to your Microsoft account.

How to encrypt a USB drive using BitLocker?

Insert the USB drive and open Explorer, then right-click the desired drive and select “Enable BitLocker” in the context menu.

After a short initialization of the drive, you will be asked to select a method to unlock the drive. For the purposes of this article, the default method is used - use a password.

Next, choose how to back up the recovery key. Three options are offered; we chose “Save to file”. Save the recovery key file on your desktop, rename it and move it to a more secure location.

Encrypt used disk space only. In this case the entire drive is not encrypted, only the information already written to it. Choose this if there is little data; encryption will be much faster.

Encrypt the entire disk. In this case, the entire disk space will be encrypted. The encryption process may take several hours. This option is recommended if the drive is completely full.

Wait until encryption completes without disconnecting the drive from the computer, or files may be damaged. If a failure occurs during encryption or the power is simply cut, encryption will resume from the same place the next time you turn the computer on.

The next time you connect the drive, its icon will show a closed padlock, meaning the disk was successfully encrypted.

When you try to open the disk using the usual action, a window will appear in which you need to specify a password to unlock the disk.

If the password is entered correctly, the disk will be opened as usual in Explorer, and you will be able to work with files as usual.

After a few simple steps, your drive is reliably protected. In case of theft or loss you need not worry about your information: unauthorised persons who do not know the password will not be able to access the files.

This article provided instructions on how to encrypt a USB drive using BitLocker. But this is not the only possibility of this technology.

Using BitLocker you can also prevent files from being copied from your PC to external storage devices, protecting yourself from theft of files from your own computer.