Protecting my hard drive?

Discussion in 'Computer Security' started by Mama Bear, Sep 15, 2005.

  1. Mama Bear

    Mama Bear Guest

    Is there a low cost way to password protect my hard drive, so that
    if it was stolen along with my computer, no one could access it?
    Something not too hard to log in with when I start it up though?

    I have Systemworks 2005 but don't think there's anything in there
    for this.
     
    Mama Bear, Sep 15, 2005
    #1
    1. Advertisements

  2. I think encryption's the key ( excuse pun ).
    Once someone has access to your computer's internals it's pretty much
    all over bar the shouting - but if the data is securely encrypted then
    all they really have is a nice new computer.

    There are quite a few freeware apps that you might find useful. I use
    Blowfish Advanced CS to encrypt my sensitive data, and there are other
    good encryption programs out there. Some people prefer to use
    encrypted drives or 'containers'. Both systems will work for you, it's
    just a matter of preference/convenience.

    Blowfish Advanced can make use of 'job files', which essentially act
    like DOS batch files. You can set up a series of encryption/decryption
    tasks that run from a shortcut on your desktop.

    Regards,
     
    Stephen Howard, Sep 15, 2005
    #2
    1. Advertisements

  3. Mama Bear

    nemo_outis Guest


    There are a number of encryption schemes. Roughly they may be divided
    into:

    1. File-at-a-time encryption and decryption (sometimes extended to
    whole folder/directory trees)

    2. Partition/container schemes where the files are held in a single
    large file or a whole partition on one of your drives. The
    partition/container iis usually mapped as a drive letter (e.g., "H:")

    3. Encryption of the whole boot partiton/HD (including the operating
    system).

    By far the best encryption technique (uncommon for type 1 but usual for
    types 2 and 3) is OTFE (on-the-fly encryption). This mean that the file
    is never decrypted to plaintext form and stored on the hard drive;
    instead the file (or portions of it) are decrypted ONLY to memory (RAM)
    as needed (it's all transparent to the user). This ensures that the
    decryption program leaves no traces of plaintext around on the HD.
    (However, **other** programs, including the OS, may make plaintext
    copies, etc and leave recoverable bits around in places like erased tmp
    files, the swap file, registry references, the MFT, etc. - commonly
    called "leakage.")

    Scheme 3 (encrypt everything but a tiny boot stub) is the most secure
    since there is no chance of "leakage" as described above - **everything**
    on the HD is fully encrypted all the time.

    With scheme 2 and especially scheme 3 it is **essential** to have backups
    (made before you experiment and regularly thereafter). While the
    encryption programs from reputable software houses are pretty robust, if
    anything goes wrong with encryption (esp type 2 & 3) you could find
    **all** your data unrecoverable.

    For the Type 1 scheme, stuff like Windows native EFS (on NTFS
    partitions/drives) works OK (but is a bitch to configure correctly so you
    don't sabotage yourself).

    For Type 2 there are a number of commercial programs, but I recommend
    Truecrypt (just as good functionally as any of the others, free, and
    open-source).

    For Type 3 there are again a number of programs ranging from free
    Compusec, through DCPP, Safeboot Solo, Safeguard Easy, Winmagic, Pointsec
    and others. My preference is Safeboot (but, alas, it is no longer
    available). Compusec works well and you can't beat the price (free!)

    For security needs up to "medium-duty" I would suggest a type 2 scheme
    using Truecrypt. Type 3 schemes work well but newbies can easily shoot
    themselves in the foot, they require discipline to use correctly, etc. -
    but they do offer great heavy-duty protection.

    Regards,
     
    nemo_outis, Sep 15, 2005
    #3
  4. Just to add a point there, speed, for full drive including operating
    system encryption there will be a slow down as every read from or write
    to the drive has to go through the encryption scheme. I have to say that
    in my experience so far this is not an issue, on a 1Ghz machine with
    512Mb ram and ordinary IDE drives. There must be a slow down but it is
    not one that I can say I notice. At this time I have done no benchmarks.
    Should also add I'm using an AES 128 bit encryption, others will likely
    vary in performance. For a gateway/router machine or a machine that is
    not running heavy duty processes it would hardly matter at all I would
    think even on a lower spec machine.
     
    Ray Vingnutte, Sep 15, 2005
    #4
  5. Off the cuff, why would someone want to whole disk encrypt a
    router/gateway? It's likely going to be running 27/7 so data is in the
    clear if it's compromised anyway, if it goes down due to power failure it
    won't come back on line by itself, and it's really not doing much that
    someone can't see from outside the network anyway.

    Or were you just talking in general terms of load levels and using
    "router" as an example?
     
    Jeffrey F. Bloss, Sep 15, 2005
    #5
  6. Mama Bear

    traveler Guest

    It shouldn't be compromised if a good harware firewall that protects
    every port is protecting the LAN connection, any thought's?
     
    traveler, Sep 15, 2005
    #6
  7. Yeah just generalizing, but then again some form of encryption may be
    useful on such a machine. Logs in /var for example, I saw a post
    recently about privoxy logging and although I have privoxy logging
    turned off it is on my gateway along with tor and the like. Perhaps an
    encrypted partition for /usr/local where one may have programs that one
    may prefer not to advertise should the machine get stolen or whatever.

    Then again you could use a separate log server, up to the individual I
    guess there's a lot of possible scenarios for different setups.
     
    Ray Vingnutte, Sep 15, 2005
    #7
  8. Mama Bear

    Mama Bear Guest

    By encrypted drives or 'containers', do you mean that it encrypts
    the whole drive as a container? Does that slow everything down a
    lot?
    I need the whole thing to be transparent, and hopefully fast
    enough where it doesn't slow my system way down.
     
    Mama Bear, Sep 15, 2005
    #8
  9. Mama Bear

    Mama Bear Guest

    A lot of this is WAY over my head. I'm not doing a server anyway,
    just wanted something fast and transparent, so in case a burglar
    ever gets in and steals my computer, they wouldn't get my whole
    computing life since 1989 handed to them.
     
    Mama Bear, Sep 15, 2005
    #9
  10. Mama Bear

    Mama Bear Guest

    Oh, this thread also reminds me of an idea that I've had for awhile
    now, but don't have the technical knowledge to setup myself. It
    would make a good business though.

    Sell encrypted file space on a remote server. Call it something
    like "Data Vault". Have the server located in a bank vault
    somewhere and certify that. Run it with a secure encrypted web link
    or something like that, so people could upload their sensitive and
    critical data to the "Data Vault".

    That way if their home computer was ever stolen, they would at
    least have a backup copy off site that they could restore from.

    People with DSL would find it more useful because of the speed.
     
    Mama Bear, Sep 15, 2005
    #10
  11. That is the sort of thing that got me looking at selinux. It would seem
    that it is very very difficult to compromise a machine with selinux
    setup correctly. There is report I came across on google of at least one
    person putting an selinux enabled machine on the net and then giving
    out the root password and inviting people to log in and try and
    compromise the machine. As far as I'm aware no one has, compromised it
    that is.
     
    Ray Vingnutte, Sep 15, 2005
    #11
  12. Sorry, things to tend to drift somewhat, What Nemo Outis outlines above
    should give you some pointers as to what might be best for you. You say
    you would like to stop someone accessing your drive rather than
    specific sets of files so maybe a full blown drive and operating system
    encryption setup would be suitable for you.

    Which to use is another long story I expect. If it's just general basic
    security then any of the full drive techniques would be adequate I
    think.

    Don't go trying it out on your main setup first though just in case you
    make a mistake during setup. If you can practice using a separate drive
    and setup then fine do that first. When you are happy it all works well
    then try it on your normal setup. At the very least make a backup first
    of your data just in case.
     
    Ray Vingnutte, Sep 15, 2005
    #12
  13. Mama Bear

    traveler Guest

    Have a look at this, I saw it posted on the net, it's a free full
    edition if you only want the password featured program:

    http://www.ce-infosys.com/CeiHome.asp
     
    traveler, Sep 15, 2005
    #13
  14. Mama Bear

    nemo_outis Guest

    ....snip...

    Yep, that's the free compusec I was referring to in my recent post.

    Regards,

    PS Incidentally, good though the program is, they should be shot with a
    ball of their own shit for making their website asp-centric.
     
    nemo_outis, Sep 15, 2005
    #14
  15. Mama Bear

    Mama Bear Guest

    I have a removable backup drive on a plug port. I use Ghost to
    backup to it, then unplug it and hide it, so if my computer ever
    gets stolen, at least I could just plug in that drive and retain
    it all. I just don't want someone stealing it and having access
    to my writings, my passwords, etc. Things they could cause me
    extreme grief with.

    So I need something low cost, that would make it extremely hard
    for someone to get anything from my drive if they stole the
    computer.
     
    Mama Bear, Sep 15, 2005
    #15
  16. Mama Bear

    Mama Bear Guest


    But that's a Linux system?
     
    Mama Bear, Sep 15, 2005
    #16
  17. Absolutely, then go for it
    A lot of this stuff is free so it may cost you nothing, I'm assuming you
    are using windows which means I'm of little help to you. what I remember
    of my windows days is very likely way out of date now. Above all I'm
    fairly new to all this hard drive encryption stuff too ;-)
     
    Ray Vingnutte, Sep 15, 2005
    #17
  18. Yep sorry again, I'll shut up.
     
    Ray Vingnutte, Sep 15, 2005
    #18
  19. It's not that it's harder to compromise so much as it's harder to wreak
    havoc if you manage it. SELinux doesn't do much of anything to address the
    application specific exploits crackers use to gain access, as much as it
    does restrict what those applications can access, and consequently, what
    an attacker can access if they crack one.
    ???

    If you have root you can simply disable selunix, send the reboot command,
    and log back in when it comes back on line. But if you have root, why
    bother? You can do whatever you want.
     
    Jeffrey F. Bloss, Sep 15, 2005
    #19
  20. Mama Bear

    Mama Bear Guest

    Yeah, XP Home edition.
    :)
     
    Mama Bear, Sep 15, 2005
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.