Encrypt, Encrypt, Encrypt.
The freedom to keep personal data out of the hands of those that wish us harm is not a right, and that is why you need to choose secure data storage and good keys for that storage.
TrueCrypt is by far the best open source tool that I have seen for encrypting individual files and entire hard drives. It works well on Windows and Linux and has manageable transfer rates. There are, however, some strict rules about intrusion to consider. The first thing to remember is that if someone can gain access to your box remotely, they can access your encrypted hard drive. The encryption only works for you when the drive is unmounted. If you think someone may gain remote access to your computer while you're working, you need more security, not better encryption. Even if you don't mount your hard drive regularly, the danger of remote attacks still means that keyboard hooks built into the kernel might betray your every keystroke. Once an intruder has that level of access, it's easy enough to download your files, including your encrypted hard drive file and your keyfile.
Thus, beyond keeping your computer secure from the internet, there are three objects you must secure in order for your encryption scheme to work properly.
The first is your keyfile.
Your password is much too small to reliably encrypt gigabytes of data. Thus a keyfile is used to safely store (encrypt) the master key, which can be megabytes in size. The password and the keyfile form the master key that unlocks the data. However, it's important to remember that the keyfile and password come together to produce the master key, so it is vulnerable to the following attack. If Eve gains access to Bob's system while the encrypted file system is not loaded, she can still get hold of his keyfile. When someone has your keyfile, your master key is still safe, that is, until they get your password. They've only stolen a locked box. Eve's advantage in downloading the keyfile is that if Bob changes his keyfile, his master key remains the same. There is now a duplicate key in Eve's box! Thus, if Eve gets hold of an old keyfile and the old password, she could compromise the system because she has retrieved the master key. Simply changing your password and keyfile does not change the master encryption key. So remember, the priority is to keep the master key out of the hands of the intruder. If you give Eve a copy of the locked box, she is one step closer to having the master key. If you think you've been severely compromised, you have to create a new hard drive and copy all of the files over to this new hard drive. The simplest way to keep your keyfiles secure is to keep them on a USB drive or CD that is only used when mounting the hard drive. You can even get creative and have a script that mounts the hard drive using the keyfile when you plug in the device. It works like a key to your house or car, except with a 14-character password to boot. You can simply mount it, then stick that $5 128 MB USB drive on a shelf.
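Added example (not from the original post, and not TrueCrypt's code or on-disk format): a toy Python model of the "locked box", in which a random master key is wrapped under a key derived from the password and keyfile. It shows that changing both only re-wraps the same master key, so an old copy of the box still opens with the old credentials; the function names, PBKDF2 parameters and XOR wrapping are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

ITERATIONS = 50_000  # constructed value for this demo, not a TrueCrypt parameter

def _derive(password: str, keyfile: bytes, salt: bytes) -> bytes:
    # Mix the keyfile into the password, then stretch: 32-byte pad + 32-byte MAC key.
    secret = password.encode() + hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha512", secret, salt, ITERATIONS, dklen=64)

def wrap(master_key: bytes, password: str, keyfile: bytes) -> bytes:
    """Return the 'locked box': salt || wrapped master key || tag (toy wrapping)."""
    salt = secrets.token_bytes(16)
    k = _derive(password, keyfile, salt)
    ct = bytes(a ^ b for a, b in zip(master_key, k[:32]))
    tag = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap(box: bytes, password: str, keyfile: bytes):
    """Return the master key, or None if the credentials do not fit this box."""
    salt, ct, tag = box[:16], box[16:48], box[48:]
    k = _derive(password, keyfile, salt)
    expected = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, k[:32]))

def change_credentials(box, old_pw, old_kf, new_pw, new_kf):
    """Re-wrap the SAME master key under a new password and keyfile."""
    master = unwrap(box, old_pw, old_kf)
    if master is None:
        raise ValueError("old credentials rejected")
    return wrap(master, new_pw, new_kf)

def demo():
    master = secrets.token_bytes(32)
    old_kf, new_kf = secrets.token_bytes(64), secrets.token_bytes(64)
    old_box = wrap(master, "old password", old_kf)  # the copy Eve already holds
    new_box = change_credentials(old_box, "old password", old_kf,
                                 "new password", new_kf)
    rebuilt_master = secrets.token_bytes(32)  # new volume, files copied over
    return {
        "old_copy_still_opens": unwrap(old_box, "old password", old_kf) == master,
        "old_creds_on_new_box": unwrap(new_box, "old password", old_kf) is None,
        "new_box_same_master": unwrap(new_box, "new password", new_kf) == master,
        "rebuild_changes_master": rebuilt_master != master,
    }

if __name__ == "__main__":
    print(demo())
```

Only the last line of `demo()` takes the data out of reach of the stolen copy, which is why the paragraph above says to create a new drive after a serious compromise.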
The second thing you need to secure is your encrypted drive. The advantage of the encrypted hard drive is that it is one single file that is useless unless complete. This means that if we make our hard drive file large, it will be more difficult to steal remotely. One will have to have physical access to the machine.
The third, and arguably most important, is to keep your password secure. It is also important to mention that your TrueCrypt password needs to be very long: 20 or more characters. While it's possible to use a very strong password of 16 or 20 characters, it is difficult to memorize 20 random characters. A common way around this problem is to find a good technical manual and a line that has capital and lowercase letters, numbers, and special characters, like:
int *p = numbers + 2; // An iterator that starts at numbers[2]
Then roll a 20-sided die (12) and chop off either the end or the beginning.
int *p = numbers + 2; // An iterator that starts a
Now you can put this book on the shelf and remember the page number (300). After a while you will memorize the password. If you're extra paranoid, you should change it by then.
Required Further Reading:
http://www.truecrypt.org/
http://www.truecrypt.org/docs/
http://en.wikipedia.org/wiki/Salt_(cryptography)
http://www.truecrypt.org/docs/security-precautions.php