So, you’ve encrypted your texts on your phone and your emails in Mail.app, you’ve cloaked your browsing using a VPN, set a password manager to manage your strong random passwords… and your computer gets stolen. Now all someone needs to access your info is your login for your machine. (You have set your machine to request a password to log in, right? RIGHT?)
Full disk encryption makes it impossible for someone to access your information on your computer without a password. If you are only using a user account password for protection, your hard drive can be compromised by booting from the OS disk or into single-user mode (if you don’t know what that means, it’s ok. It’s just a way to recover passwords if you’re the forgetful type).
There’s a great article by Micah Lee in The Intercept outlining the basic issues and concepts about Full Disk Encryption. I won’t reproduce it here, but this passage is worth considering if you travel:
It’s worth noting that no one has privacy rights when crossing borders. Even if you’re a U.S. citizen entering the United States, your Constitutional rights do not apply at the border, and border agents reserve the right to copy all of the files off of your computer or phone if they choose to. This is also true in Canada, and in other countries around the world. If you plan on traveling with electronic devices, disk encryption is the only way you have a chance at protecting your data if border agents insist on searching you. In some situations it might be in your best interest to cooperate and unlock your device, but in others it might not. Without disk encryption, the choice is made for you: The border agents get all your data.
Here are some of your options for FDE for the hard drive in your desktop or laptop:
Multi-Platform Solutions:
VeraCrypt is a full-disk encryption utility that is based on TrueCrypt. PC Magazine has a detailed description of the product here. Windows, Linux, macOS, and Raspbian versions are available here.
For Windows:
DiskCryptor is an open-source Full Disk Encryption program recommended by our friends at the EFF. It is password-based. If the EFF endorses it, we endorse it.
BitLocker is the built-in encryption in Windows systems. It uses the TPM chip built into new Windows machines to make sure that no one has jacked the hard drive out of your machine and mounted it in another one in order to access the data. We also recommend using a PIN or (the most secure option) requiring that a USB stick be present for the drive to decrypt itself. More on BitLocker here.
For Macintosh:
FileVault is the built-in encryption tool for your Macintosh computer. It couldn’t be simpler to use. Open System Preferences on your Macintosh, click on the Security & Privacy icon, switch to the FileVault tab, and turn it on. This will encrypt the startup drive on your Mac. You will be offered the option to have your disk unlocked by your iCloud account. Again, Micah Lee:
I recommend that you don’t allow your iCloud account to unlock your disk. If you do, Apple — and by extension anyone Apple is compelled to share data with, such as law enforcement or intelligence agencies, or anyone who hacks into Apple’s servers and can steal its data — will have the ability to unlock your encrypted disk. If you do store your recovery key in your iCloud account, Apple encrypts it using your answers to a series of secret questions as an encryption key itself, offering little real security.
Instead, choose “Create a recovery key and do not use my iCloud account” and click Continue. The next window will show you your recovery key, which is 24 random letters and numbers. You can write this down if you wish. The recovery key can unlock your disk, so it’s important that it doesn’t fall into the wrong hands.
Hard to argue with that.
Once you reboot your machine, the OS will encrypt the drive and you will be asked to create a passphrase (this is different from the recovery key). Use something difficult to guess. Micah Lee has another great article about passphrases here. In that article, Edward Snowden is quoted as saying “Assume your adversary is capable of one trillion guesses per second.” Sobering.
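To put the trillion-guesses-per-second figure in concrete terms, here is an added example (not from the original post or from Micah Lee's article) that works out how long a randomly generated passphrase has to be to survive that rate. The two generation schemes, a 7,776-word Diceware-style list and the 95 printable ASCII characters, are assumptions chosen for illustration.

```python
import math

GUESSES_PER_SECOND = 10**12          # the rate from the Snowden quote above
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed generation schemes: every symbol is picked uniformly at random.
DICEWARE_WORDS = 7776                # size of a standard Diceware word list
PRINTABLE_ASCII = 95                 # random characters from the keyboard set


def entropy_bits(pool, length):
    """Entropy of `length` independent uniform picks from `pool` symbols."""
    return length * math.log2(pool)


def average_crack_seconds(pool, length, rate=GUESSES_PER_SECOND):
    """Expected time to hit the secret: half the keyspace at `rate`."""
    return (pool ** length // 2) / rate


def min_length(pool, years, rate=GUESSES_PER_SECOND):
    """Smallest length whose average crack time is at least `years`."""
    length = 1
    while average_crack_seconds(pool, length, rate) < years * SECONDS_PER_YEAR:
        length += 1
    return length


def report(years=1000):
    """(scheme, symbols needed, entropy in bits) for each assumed scheme."""
    rows = []
    for name, pool in (("Diceware words", DICEWARE_WORDS),
                       ("random printable chars", PRINTABLE_ASCII)):
        n = min_length(pool, years)
        rows.append((name, n, round(entropy_bits(pool, n), 1)))
    return rows


if __name__ == "__main__":
    for name, n, bits in report():
        print(f"{name}: {n} symbols ({bits} bits) to last 1000 years on average")
    minutes = average_crack_seconds(PRINTABLE_ASCII, 8) / 60
    print(f"8 random printable chars last about {minutes:.0f} minutes")
```

These figures only hold for secrets picked at random; a phrase a person made up has far less entropy than its length suggests.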
For Linux:
You have to choose to encrypt your installation of Linux when you first set up your machine. If you’re like me, of course, you set up and burn Linux machines a couple of times a year. During the installation process for your Mint/Debian/Ubuntu, you’ll be asked if you wish to encrypt the disk. Click the appropriate buttons and enter a secure passphrase. (Note: You’ll be asked to enter it each time you boot, BUT NOT WHEN YOU LOG OUT AND LOG BACK IN. Once you’ve completed the installation, any time your machine might be vulnerable to theft or confiscation, go ahead and power it down.)
When the machine goes to create your user account, make sure you use a strong password. Make sure whatever variation your distro has of “Require my password to log in” is checked and that “Log in Automatically” is NOT checked. You may wish to also select the radio button that says “Encrypt my home folder” in case someone manages to get custody of your machine while it’s powered on. Then they cannot access your home directory by imaging the machine.
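Once the installer has finished, it is worth confirming that every mounted filesystem really sits on an encrypted volume. The following is an added example, not part of the original post: it reads the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and lists mount points with no dm-crypt layer underneath. The sample output and device names are constructed, and skipping /boot and /boot/efi is an assumption based on how installer-encrypted layouts are usually arranged.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": "/boot"},
    {"name": "sda3", "type": "part", "mountpoint": null, "children": [
      {"name": "sda3_crypt", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/data"}
  ]}
]}
"""


def mount_backing(devices, chain=()):
    """Yield (mountpoint, device types from the disk down) for each mount."""
    for dev in devices:
        path = chain + (dev["type"],)
        if dev.get("mountpoint"):
            yield dev["mountpoint"], path
        yield from mount_backing(dev.get("children", []), path)


def unencrypted_mounts(lsblk_json, ignore=("/boot", "/boot/efi")):
    """Mount points with no dm-crypt ('crypt') device in their backing chain.

    `ignore` is an assumption: the boot partitions are commonly left
    unencrypted so the machine can start and ask for the passphrase.
    """
    tree = json.loads(lsblk_json)["blockdevices"]
    return sorted(mp for mp, path in mount_backing(tree)
                  if "crypt" not in path and mp not in ignore)


if __name__ == "__main__":
    # On a real machine, feed in the output of:
    #   lsblk -J -o NAME,TYPE,MOUNTPOINT
    print("Not on an encrypted volume:", unencrypted_mounts(SAMPLE_LSBLK))
```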
Please make sure, in all of these cases, that you use passphrases that you can remember. In the event of a lost password, it should be impossible to access your data. The only exception that I see is the 24-character rescue string generated by the Mac OS.