Is anybody using full disk encryption at home on their main PCs and servers? If so, what do you recommend and why?
There seems to be lots to choose from, so I'm looking for your experience if you are on Windows. I'm leaning towards TrueCrypt, but I'm happy to be directed to something else, and would consider commercial products that are reasonably priced for home use. I'm biased against BitLocker, but if enough people sing its praises I'd consider it. |
Drive encryption is good if necessary, but remember the performance overhead and the extra layer of difficulty if things go wrong.
|
I used TrueCrypt on a partition in Windows 7.
Basically you start TrueCrypt, mount the partition and type in your password, and then a new drive shows up. |
> Is anybody using full disk encryption at home on their main PCs and servers? If so, what do you recommend and why?

I use TrueCrypt for FDE on my laptop with Win7 x64. I started off with a mechanical drive and then moved to an SSD. Flawless on both. Also passes TRIM commands, so for an SSD the performance won't degrade as you fill the drive.

Just make sure that:
a) your CPU supports hardware AES, so that there is almost no performance hit from the processor
b) if using an SSD, stay away from Sandforce (Intel, OCZ, Corsair use them), as those drives use compression for their performance. If you encrypt a Sandforce drive, the compressibility approaches zero and you'll get an insane penalty in performance. I went with a Crucial drive as they don't use compression. Samsung may be similar but it's worth researching first.

i7-2670qm with Crucial M4 256GB before TrueCrypt: http://users.on.net/~deadsimple/images/sa.png

After TrueCrypt system-disk encryption enabled. Still awesome performance (apart from the "4K QD32 scenario", which is rare in real life): http://users.on.net/~deadsimple/images/sb.png

last edited by parabol at 15:54:15 25/Aug/12 |
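Added example, not part of the post above: a short Python check of the claim that encrypted sectors become incompressible, which is why a compressing SSD controller loses its advantage under FDE. The cipher is a stand-in keystream built from SHA-256 (an assumption for a stdlib-only demo, not AES-XTS as used by TrueCrypt), and the sector contents are constructed sample data.

```python
import hashlib
import os
import zlib

SECTOR = 4096  # sector size chosen for this demo (assumption)

def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode. Demo only, not AES-XTS."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        seed = key + sector_no.to_bytes(8, "little") + counter.to_bytes(4, "little")
        out += hashlib.sha256(seed).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR the sector with a per-sector keystream (applying it twice decrypts)."""
    ks = keystream(key, sector_no, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; near 1.0 means nothing left to compress."""
    return len(zlib.compress(data, 6)) / len(data)

def sample_sectors(count: int = 64) -> list:
    """Constructed data: alternating log-like text sectors and zero-filled sectors."""
    line = b"2012-08-25 15:54:15 INFO backup job finished, 0 errors\n"
    text = (line * (SECTOR // len(line) + 1))[:SECTOR]
    return [text if i % 2 == 0 else bytes(SECTOR) for i in range(count)]

def compare(sectors: list, key: bytes) -> tuple:
    """Return (plaintext ratio, ciphertext ratio) for the same sectors."""
    plain = b"".join(sectors)
    cipher = b"".join(encrypt_sector(key, i, s) for i, s in enumerate(sectors))
    return compression_ratio(plain), compression_ratio(cipher)

if __name__ == "__main__":
    plain_ratio, cipher_ratio = compare(sample_sectors(), os.urandom(32))
    print(f"plaintext  compresses to {plain_ratio:.1%} of original size")
    print(f"ciphertext compresses to {cipher_ratio:.1%} of original size")
```

The plaintext sectors shrink to a small fraction of their size, while the encrypted copy of the same sectors does not shrink at all, so a controller that relies on compression has nothing to work with.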
> I used TrueCrypt on a partition in Windows 7.

Regular TrueCrypt encryption within Windows is not relevant to full-disk encryption, sorry. FDE is very low level and asks for a password at a DOS-style login prior to Windows being loaded, and serves up unencrypted sectors. Very different to regular volume/container encryption.

> Drive encryption is good if necessary, but remember the performance overhead and the extra layer of difficulty if things go wrong.

As I've hinted, with hardware AES (any modern CPU from the last year or two) on a non-compressing SSD .. I'd be surprised if anyone could tell the real-world performance difference between FDE on or off. Also as with any drive, you should be running regular backups if the data is valuable to you - incremental style backups recommended.

Also .. don't buy into the "AES 256bit encryption" that current SSDs are claiming to support internally. They are implemented so poorly (e.g. max 8 letters for password, or master key PRINTED ON THE HARD-DRIVE'S STICKER that can bypass your password) that there are boot ISOs out there that can crack some HDD passwords very easily. TrueCrypt/BitLocker style encryption is much more secure in comparison.

last edited by parabol at 15:56:38 25/Aug/12 |
unless you're into some seriously illegal s***, why would you even bother on a home computer? I couldn't even imagine myself encrypting my computer if I used it for work purposes, just back s*** up remotely in case of theft.
|
wow, even in this age of information people still ask questions like this? ^^
|
> why would you even bother on a home computer?

Identity theft is a big reason. If someone steals your computer the data on it in the right hands could be worth orders of magnitude more than the hardware itself.

OP: Many moons ago I used to work for a mob that sold a commercial full disk encryption product. These days I wouldn't bother buying anything, TrueCrypt is really quite good. |
> why would you even bother on a home computer?

Not sure about you, but on my home PC I store:
* Personal photos and videos
* Personal, financial and identity documents and scans thereof.
* Logged in passwords/sessions of browser and other software
* Serial numbers and keys of installed software

As mentioned, the identity theft part is a big deal. Also you'd be scrambling to change all of your passwords, assuming you can remember every single site you'd logged into ...

> I couldn't even imagine myself encrypting my computer if I used it for work purposes, just back s*** up remotely in case of theft.

On my laptop that I take into work I have a heap of the company's IP and correspondence on there. Definitely would not want that accessible if someone steals my laptop. This is completely unrelated to backups, which you should be doing in parallel anyway (in my case my backups are encrypted automatically by Macrium Reflect - adding another layer of protection).

I understand some people might not care about their photos leaking online, but I thought the other aspects (especially identity/financial documents) were really obvious stuff?

> it's like when I used virtual machines for internet banking.. that lasted a couple of weeks

Not sure why you'd use a VM for net-banking? That shows more of a misunderstanding of what you're doing and why ...

> Doesn't windows 7 ultimate have bitlocker available for full o/s disk encryption?

Comes with Win7 Ultimate, which is the most expensive. Most laptops/computers have Win7 Home and the majority of the remainder probably have the Professional version installed.

> the only thing I encrypt is portable drives.. i

That's very good practice. I'm surprised by the number of people storing really critical and potentially compromising stuff on a usb stick or hdd without a care in the world if someone yanks it.

last edited by parabol at 16:52:12 25/Aug/12 |
Years ago I trialled Credant, which was pretty poor; I had a few unrecoverable systems from it and support was not very helpful. Went to TrueCrypt instead, and I've used this on a number of systems for years without problems. And as parabol said, performance is not an issue: I've put it on systems where the primary task is to play games and the end users don't notice (except that they need to type a password in to boot up). I don't know what the support is like though, but that is only because I have never needed to use it.
|
I use TrueCrypt, but thank you parabol for that very informative post, will check out in due course!
|
Just a follow on, there's an article around today doing a cost analysis of FDE for businesses, Calculating the Cost of Full Disk Encryption. From the /. post:
After doing all of the math, Ponemon found that the cost of FDE on laptop and desktop computers in the U.S. per year was $235, while the cost savings from reduced data breach exposure was $4,650. |
> there's an article around today doing a cost analysis of FDE for businesses

A company that sells an FDE product sponsors a study that finds FDE is useful. News at 11 :) |
I went with TrueCrypt.
Doing the system drive was too easy; the issue I had was with a new 3TB drive. To encrypt the drive there have to be no partitions on the drive. When you make a drive GPT it automatically creates a tiny partition at the start (127MB), so you can't then use TC full disk encryption with it; you have to go with the file option. You can fully encrypt an MBR disk, but MBR only goes to 2TB, so you end up with an MBR partition that's 2 TB and 700MB unpartitioned. |