Folks:
After the Microsoft Surface Book debacle I am ready to dip my toe back into the laptop market (upcoming trip to Hawaii where I need to get a lot of work done!). The new Dell XPS 13 2-in-1 seems to have some potential. I can use it to read a book on an airplane, type a report in a hotel room, set it up to run a slide show (tent mode), etc.
Back in 2011 I wrote “Why isn’t file encryption more popular?” and the question seems to be equally relevant today. Windows 10 Home doesn’t do it. Windows 10 Pro does, but does that even make sense to enable after the operating system has been installed?
What’s the practical consequence of having one’s laptop stolen? The criminals can mount the hard drive in their own computer and read all of the files, right? If you’ve got saved passwords in Google Chrome can they then use those passwords and cookies to shop at Amazon, transfer money in online banking, etc.? (this article says “not unless the criminals crack your Windows password”)
Using an eDrive would seem like the best solution but those don’t seem to be available as factory options from Dell. (And setting one up after the fact is not simple: article.)
Apple fans: How does Apple do this on their laptops? There is a separate OS partition that is never encrypted? And when the purchaser starts up the machine he or she is prompted for a password to use for unlocking the user files, which are subsequently encrypted?
Readers: What is the most sensible practical approach? Use Windows 10 Home and take the risk that someone grabs the laptop? If someone does, change a bunch of passwords using some other PC? Or Windows 10 Pro and Bitlocker and take the performance hit plus the hassle of entering a password all of the time? (though maybe the fingerprint reader on the new Dell eliminates that annoyance)
[All of my previous questions about the PC market remain live as well! Dell seems to be promoting primarily computers, including laptops, with mechanical hard drives. A SanDisk 480 GB SSD retails for $125. How could it ever make business sense for Dell to try to get a consumer to buy a machine that boots from a mechanical hard drive?]
For OSX, using FileVault2, the whole drive is encrypted except for the recovery partition. There’s a lot of technical specifics this overview doesn’t cover, but it is still informative: https://support.apple.com/en-us/HT204837
Way back in time, OSX would encrypt the user directory and mount it upon logon+decrypt.
I believe that is how OS X does it. There’s a disk encryption password you type in on boot, then there’s a login password that you type in to login. (it’s unix, so you shut it down as infrequently as possible) It used to be possible to have only 1 user’s stuff encrypted, but now they call it whole disk (although it obviously can’t be whole disk)
As far as I know, no one is very interested in the contents of my disk. (I use a password manager with real encryption for my passwords, in addition to the disk encryption)
Also, full disk encryption applies to a specific range of threats. Encrypting user directories to mount upon logon applies to a different, but overlapping range of threats. File-by-file encryption addresses threats that overlap them both.
The industry, for the sake of simplicity, has mostly converged on the solution that addresses the threat of a stolen workstation/drive. Full disk encryption covers the main compliance (HIPAA, PCI, etc, etc) concerns.
I have never observed any measurable performance hit with BitLocker on Windows or FileVault2 on OS X. In any case SSD is more important to focus on with respect to speed.
If the laptop you purchase has a TPM chip installed (MacBooks do), then the encryption key is stored in the TPM chip. The only password/pin/swipe/fingerprint/face recognition input done is to login to your account, same as without any full disk encryption.
If there is no TPM chip, only then do you get the inconvenience of putting in a credential at the boot to decrypt the disk.
I have not bought a laptop or desktop without TPM in almost 5 years. I pay for that.
OS X: I use a password manager (1Password) with a seriously-long unlock password and have it configured to sync the password vault to my other computer via Dropbox. There’s only a relatively small number of files that I’m concerned about protecting (banking info, tax data, etc), so I have several encrypted disk images that I use for those (I’ve got about fifteen years of TurboTax tax returns in a 200MB encrypted disk image, for example). Every time I update/modify anything in any of those disk images, I back up the image to eight different backups (a RAID 5 array attached to my iMac, my MacbookPro, three USB memory sticks, an SDHC card, Dropbox and iCloud — yes, I’m anal, but have been scared one time too many when the original disk image somehow got corrupted). Also, every time I update one of the disk images I make a copy of it and rename it to include the date it was updated. I do sort of a manual Time Machine backup of those date-stamped disk image files. In addition, I have a Synology RAID 6 array hidden away in the house that everything gets backed up to via cron jobs.
What actually prompted all of that activity is what happened in 2006 when I was on a three-week road trip to Utah, Nevada and California. At the time I kept a copy of all of my “important” data on a USB memory stick that I always carried around in my pocket. I spent a night in Las Vegas and when I got back to my hotel room from a walk up the strip to see the Bellagio fountains, I discovered that there was a USB-memory-stick-size hole in the pocket. Luckily the only thing I lost was a pen, but it was a real wake-up call about carrying around all my important data on an unprotected memory stick. My brother told me about encrypted disk images and that’s what I’ve used ever since. Because of that I’ve never felt the need to use FileVault. I tried it for a while but turned it off.
I have no idea if Windows 10 supports encrypted disk images.
On Windows, use BitLocker, it will encrypt your existing files, and on Windows 10 it’ll also not write unencrypted blocks after you start encrypting. It’ll eventually get around to encrypting the OS, but turn on BitLocker (I think you have to reboot right away) before you start copying files to it and logging in to things.
BitLocker should also only be decrypting the drive after a TPM measured boot sequence, which I expect has been audited more thoroughly than any particular drive that supposedly encrypts itself.
The threat model for unencrypted drives is kind of dire, modern SSDs basically can’t be wiped, so a lost/stolen unencrypted laptop will (potentially) give up any file that was ever on it.
Also I don’t believe Macs have TPM chips at all, FileVault always uses a password, and does software verification only, with no measured boot.
If your only concern is the passwords, you might be better off using a cloud-based password manager (such as LastPass), and change its master password from another device as soon as your laptop gets stolen.
This discussion https://discussions.apple.com/thread/4905937 claims
“Apple has not included TPM in its hardware for years. It was not used for anything when they did.”
Wikipedia agrees: https://en.wikipedia.org/wiki/Trusted_Platform_Module#Availability
Abhay, what leads you to believe differently?
I’m pretty sure the passwords are not accessible on a recovered drive; Google would need to be very foolish to not encrypt their storage. However, there will of course be plenty on that drive you’d rather not lose.
TrueCrypt was once the standard for full-disk encryption, and VeraCrypt has taken the project over, and seems to be the standard today.
Boxcryptor is also a good option for adding an extra layer of encryption on local + cloud stored files. Encrypted disk images are good too, but a mess if you want cloud syncing as every small change generates a “new” file to be uploaded the size of the entire image. And if you’re extra paranoid, Boxcryptor even encrypts file names.
Patrick, I am probably wrong about Apple having a secure hardware store for OS X. I must have extrapolated from their iPhone secure boot design.
On OSX, even if you don’t use whole-disk encryption, application sensitive info (browser site passwords, auto-fill values, etc.) is stored in the “keychain”, which is a system file encrypted with your login password. So, bare passwords are never stored.
There are also spinner drives that have whole drive hardware encryption, though I don’t know whether Dell offers them.
http://www.seagate.com/tech-insights/protect-data-with-seagate-secure-self-encrypting-drives-master-ti/
One nice feature is that in order to wipe the drive (e.g. when you sell the computer) you just need to reset the hardware password and the entire contents are unrecoverable (except maybe to the NSA). You don’t need Hillary to come over with a cloth to wipe your drive.
Windows also offers its own encryption:
http://www.howtogeek.com/234826/how-to-enable-full-disk-encryption-on-windows-10/
Lastly, laptops are always harder to work on than desktops but for most laptops switching out the hard drive is only a matter of a couple of screws. Buy a USB enclosure (https://www.amazon.com/Tool-free-Inateck-External-Enclosure-FE2004/dp/B00JQTO8TU/) and the SSD of your choosing, swap the spinner drive to the enclosure (when you are done you will now own a “free” backup drive), install the SSD in the drive bay, boot from the old drive and run some drive imaging cloning software. It will take a while but only the first few minutes have to be attended.
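The BitLocker and TPM points raised in the comments above (a TPM-held key, unlock tied to measured boot, turning encryption on before loading data) can be checked on a given Windows machine. The following PowerShell audit is an added example, not part of the original post or any comment; it is read-only, uses the built-in `Get-Tpm` and `Get-BitLockerVolume` cmdlets, and the function name `Get-DiskEncryptionFinding` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): read-only audit of the OS volume.
# Get-DiskEncryptionFinding is a hypothetical name; the cmdlets are built in.

function Get-DiskEncryptionFinding {
    param(
        [string]$MountPoint = $env:SystemDrive  # assumption: OS volume, usually C:
    )

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Names of the key protectors on the volume, e.g. Tpm, TpmPin, RecoveryPassword
    $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    $findings = @()
    if (-not $tpm.TpmPresent) {
        $findings += 'No TPM: unlocking needs a password or startup key at boot.'
    } elseif (-not $tpm.TpmReady) {
        $findings += 'TPM present but not ready for use.'
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume is $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted."
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += 'Protection is not On (never enabled, or suspended).'
    }
    if (-not ($protectors -match '^Tpm')) {
        $findings += 'No TPM-based protector: unlock is not tied to the measured boot state.'
    }
    if ($protectors -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password: a firmware or TPM change could lock you out.'
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        Method     = $vol.EncryptionMethod
        Protectors = $protectors -join ', '
        Findings   = if ($findings) { $findings } else { @('OK') }
    }
}

Get-DiskEncryptionFinding | Format-List
```

Running it right after enabling BitLocker, and again once encryption finishes, shows whether the volume has reached `FullyEncrypted` with protection on before sensitive files are copied to it.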