• BitLocker - Disk encryption. Disk Encryption in Linux

    Hello friends! Almost every one of us has a few files on our computer that need special protection.

    We need a kind of secret corner where information can be stored with the confidence that only you will have access to it. The TrueCrypt program will help us with this task.

    There are two main types of programs for storing such content: the first makes files invisible to outsiders, the second encrypts their contents. In this article, I will show you how to create a special partition on your hard drive that is encrypted, hidden, and can only be accessed by entering a password.

    For example, I use this feature to store a password database. In your case it could be any other important information or files that need reliable protection from prying eyes.

    TrueCrypt is considered one of the best programs for data encryption. Despite the fact that its developers completely closed the project in 2014 (in my opinion, under pressure from the special services, and the recommendation to switch to BitLocker only confirms this), the functionality of the latest versions remains at a fairly high level.

    With TrueCrypt you can encrypt any files on your PC, OS partitions, whole disks or removable media. You can also create a "secret container" nested, like a matryoshka doll, inside an outer, poorly protected volume. The point of such a container is that even if you are forced to give up the password to the outer volume, you have a good chance of hiding the existence of the inner one, which holds your secret files.

    Installing TrueCrypt

    You can download this free utility for your operating system from the Downloads section of the website truecrypt.ch.

    Installing the program is straightforward; just keep the default settings. When you open the installed program, you will see a small window with a standard interface: a menu, a work area listing the volumes, and buttons for the basic tasks.

    The program interface is in English. If that bothers you, go back to the download page and, in the "Language Packs for TrueCrypt" section, download the language pack you need (in this case, Russian). Then Russify the program as described below.

    Russification of TrueCrypt

    Unzip the language pack and copy the "Language.ru" file into the folder where the program is installed (by default, C:\Program Files\TrueCrypt).

    Before moving on to encryption, you need to understand the basic principles of the program.

    How TrueCrypt works

    The program works on a fairly simple principle. We create a file on the computer and give it a certain size. TrueCrypt encrypts this file, and we protect it with a password. The result is a kind of container whose contents are encrypted.

    The program attaches this container as a virtual disk that appears in Explorer and assigns a drive letter to it. After mounting the disk and entering the password, you can use it like a regular disk and, for example, drop new information into it that also needs to be encrypted.

    Create an encrypted disk

    Following the prompts of the TrueCrypt Volume Creation Wizard, let's create an encrypted disk. Click "Create Volume" and select "Create an encrypted file container". Next, select "Regular Volume", then click the "File" button to specify where the container will be located.

    Let's say, in my case, it will be located on drive C. So as not to arouse unnecessary suspicion, I recommend creating a file that looks like a multimedia file, that is, one with a matching extension, for example "cipher.avi".

    That way our future secret container looks like an ordinary video file, and even a large one will not surprise anyone. Click "Next", then select the encryption algorithm and the size of this file (the future container).

    Specify the volume size according to what you plan to store. If the container will hold multimedia content (video, photos, audio), the size should be chosen accordingly.

    At the next stage, set a password for this volume and choose a file system. If the expected container size is more than 4 GB, choose NTFS.

    Click "Mark" and you will see a message that the TrueCrypt volume was successfully created. The container is ready and, as you understand, it is the disguised file we created at the start: cipher.avi.

    Now we need to attach this container to the system as a virtual disk. In the main program window, select a letter for the future disk, click the "File" button and specify the path to our container, cipher.avi.

    Enter the password, and the newly created encrypted disk should appear in the system.

    The disk has been created successfully. You can work with it like an ordinary local disk: copy, move and edit the files you need. Since encryption happens on the fly, performance may vary, but this is only noticeable on weaker systems.

    When we are finished working with the disk, we open TrueCrypt, select this disk and click "Unmount".

    The next time we need this secret content, we launch the program, click the "File" button in the application window and specify "cipher.avi". Then click "Mount" and enter the password. After that, our encrypted disk reappears in Explorer. When we are done, we dismount it again.
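    The mount, work, dismount cycle described above, scripted as an added example that is not part of the original article: it drives TrueCrypt.exe through its documented command-line switches (/v, /l, /q, /d, /s) from PowerShell. The install folder, the container path, the drive letter T: and the file being copied are assumptions. The password is deliberately not passed on the command line (TrueCrypt's /p switch), so TrueCrypt shows its own password prompt instead.

```powershell
# Added example, not from the article: mount the disguised container, copy a file
# into it, and guarantee that it is dismounted afterwards, even if the copy fails.
# Paths and the drive letter are assumptions.
$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'   # default install folder named in the article
$Container = 'C:\cipher.avi'                               # the disguised container
$Letter    = 'T'                                           # assumed free drive letter

function Mount-TcContainer {
    param([string]$Path, [string]$DriveLetter)
    # /v = volume, /l = drive letter, /q = perform the action and exit without the
    # main window. No /p on purpose: TrueCrypt then shows its own password prompt, so
    # the password never lands in the shell history or the process command line.
    # TrueCrypt is a GUI program, so Start-Process -Wait is needed to block until it exits.
    $args = '/v "{0}" /l {1} /q' -f $Path, $DriveLetter
    Start-Process -FilePath $TrueCrypt -ArgumentList $args -Wait
    return (Test-Path -LiteralPath "${DriveLetter}:\")
}

function Dismount-TcContainer {
    param([string]$DriveLetter)
    # /d = dismount the given letter, /s = silent (no message boxes) together with /q
    $args = '/d {0} /q /s' -f $DriveLetter
    Start-Process -FilePath $TrueCrypt -ArgumentList $args -Wait
    return (-not (Test-Path -LiteralPath "${DriveLetter}:\"))
}

# Usage: the try/finally makes sure the volume is dismounted whatever happens in between.
if (-not (Mount-TcContainer -Path $Container -DriveLetter $Letter)) {
    throw "Volume ${Letter}: did not appear; wrong password or container path?"
}
try {
    # assumed file: the password database the article mentions
    Copy-Item -Path 'C:\Users\Public\passwords.kdbx' -Destination "${Letter}:\" -Force
} finally {
    if (Dismount-TcContainer -DriveLetter $Letter) { "Volume ${Letter}: dismounted" }
}
```

    The return values of the two functions are what make the script safe to automate: a mount that silently failed (wrong password, cancelled prompt) is caught before anything is copied, and the finally block means a forgotten dismount cannot leave the container open after the script has finished.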

    The program can encrypt not only files on your hard drive or a removable disk, but also an entire disk, partition or removable medium. TrueCrypt can even encrypt a second operating system and hide not only the existence of any files but also the existence of that running second OS. This function is useful when you need not just to hide a couple of dozen files but to lock away a large amount of information, including the programs you use.

    TrueCrypt has truly enormous capabilities, and in this article I have introduced you only to its most popular function, disk encryption. Remember that any operation on system files and partitions carries a potential risk of breaking the operating system. Before working with TrueCrypt, I recommend creating a backup copy of the OS. Also, as you perform each action, carefully read the explanations and additional instructions.
    That's all for now. I hope you found it interesting. See you in a new article.

    Hello Friends! In this article we will continue to study the systems built into Windows that are designed to improve the security of our data. Today it is the BitLocker disk encryption system. Data encryption is needed to prevent strangers from using your information. How it would end up in their hands is another question.

    Encryption is the process of transforming data so that only the right people can access it. Keys or passwords are usually used to gain access.

    Encrypting the entire disk prevents access to the data when your hard drive is connected to another computer. The attacker's system may have a different operating system installed to bypass the protection, but that will not help if you are using BitLocker.

    BitLocker technology appeared with the release of Windows Vista and was improved in Windows 7. BitLocker is available in the Windows 7 Ultimate and Enterprise editions as well as in Windows 8 Pro. Owners of other editions will have to look for an alternative.

    Without going into details, it works like this. The system encrypts the entire disk and gives you the keys to it. If you encrypt the system disk, the computer will not boot without your key. It is like the keys to an apartment: if you have them, you get in. If you lose them, you need the spare (the recovery code issued during encryption) and then you change the lock (encrypt again with different keys).

    For reliable protection, it is desirable to have a Trusted Platform Module (TPM) in your computer. If it is present and its version is 1.2 or higher, it will manage the process and stronger protection methods become available. If there is no TPM, only a startup key on a USB drive can be used.

    BitLocker works as follows. Each sector of the disk is encrypted separately with a key called the full-volume encryption key (FVEK). The AES algorithm is used with a 128-bit key and a diffuser. The key length can be changed to 256 bits through the security group policies.

    When encryption is complete, you will see the following picture:

    Close the window and check whether the startup key and recovery key are in safe places.

    Encrypting a flash drive - BitLocker To Go

    Why would you suspend encryption? So that BitLocker does not lock your drive and force you into the recovery procedure. System parameters (the BIOS and the contents of the boot partition) are recorded during encryption for additional protection, and changing them may lock your computer.

    If you select Manage BitLocker, you can Save or Print the Recovery Key and Duplicate the Startup Key.

    If one of the keys (startup key or recovery key) is lost, you can recover them here.

    Manage encryption of external drives

    The following functions are available to manage the encryption settings of the flash drive:

    You can change the password used to unlock it. You can only remove the password if you use a smart card to unlock the drive instead. You can also save or print the recovery key and enable automatic unlocking of the drive on this computer.

    Recovering disk access

    Restoring access to the system disk

    If the flash drive holding the startup key is not available, the recovery key comes into play. When you boot the computer, you will see something like this:

    To restore access and boot Windows, press Enter.

    You will see a screen asking you to enter your recovery key.

    When you enter the last digit, provided the recovery key is correct, the operating system will automatically boot.

    Restoring access to removable drives

    To restore access to information on a flash drive or external HDD, click Forgot your password?

    Select Enter recovery key

    and enter the dreaded 48-digit code. Click Next.

    If the recovery key is correct, the disk is unlocked.

    A link appears to Manage BitLocker, where you can change the password to unlock the drive.
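    The management and recovery tasks described above (suspending protection before a BIOS change, saving the recovery key, changing the unlock password, enabling automatic unlocking, and unlocking a drive with the 48-digit recovery password) can all be done from the command line. The following is an added example, not from the original article; it uses the BitLocker PowerShell module that ships with Windows 8 / Server 2012 and later. The drive letters C: and E: and the backup file path are assumptions.

```powershell
# Added example, not from the article: everyday BitLocker key-protector tasks with
# the built-in BitLocker PowerShell module. Drive letters and the backup path are
# assumptions. Run from an elevated PowerShell session.
$OsDrive   = 'C:'                                           # assumed system drive
$UsbDrive  = 'E:'                                           # assumed BitLocker To Go flash drive
$KeyBackup = 'C:\Users\Public\bitlocker-E-recovery.txt'     # assumed location, NOT on the encrypted drive

function Get-BitLockerSummary {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        ProtectionStatus = $vol.ProtectionStatus   # 'Off' also while protection is suspended
        LockStatus       = $vol.LockStatus         # Locked / Unlocked
        Method           = $vol.EncryptionMethod   # Aes128, Aes256, XtsAes128, XtsAes256, ...
        Protectors       = (@($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ')
    }
}

# Suspend protection before a BIOS/UEFI update or a change to the boot partition, so
# the changed measurements do not drop you into the recovery screen on the next boot.
function Suspend-OsDriveProtection {
    param([string]$MountPoint = $OsDrive, [int]$Reboots = 1)
    # RebootCount 1: protection resumes by itself after one restart
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $Reboots | Out-Null
}
function Resume-OsDriveProtection {
    param([string]$MountPoint = $OsDrive)
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
}

# Make sure the drive has a 48-digit recovery password and keep a copy off the drive.
function Save-RecoveryPassword {
    param([string]$MountPoint, [string]$OutFile)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    $lines = @(
        "Drive:             $MountPoint",
        "Protector ID:      $($rp[0].KeyProtectorId)",
        "Recovery password: $($rp[0].RecoveryPassword)"
    )
    Set-Content -Path $OutFile -Value $lines
    return $rp[0].RecoveryPassword
}

# Change the unlock password: add the new password protector first, then remove the
# old one, so the drive is never left without a password protector in between.
function Set-UnlockPassword {
    param([string]$MountPoint, [System.Security.SecureString]$NewPassword)
    $old = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
             Where-Object { $_.KeyProtectorType -eq 'Password' })
    Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $NewPassword | Out-Null
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

# Let this computer unlock the flash drive automatically (requires an encrypted OS drive).
function Enable-UsbAutoUnlock {
    param([string]$MountPoint = $UsbDrive)
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
}

# "Forgot your password?": unlock with the 48-digit recovery password instead.
function Unlock-WithRecoveryPassword {
    param([string]$MountPoint, [string]$RecoveryPassword)
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    return ((Get-BitLockerVolume -MountPoint $MountPoint).LockStatus -eq 'Unlocked')
}

# Usage
Get-BitLockerSummary -MountPoint $UsbDrive | Format-List
$recovery = Save-RecoveryPassword -MountPoint $UsbDrive -OutFile $KeyBackup
"Recovery password for $UsbDrive saved to $KeyBackup"
Set-UnlockPassword -MountPoint $UsbDrive -NewPassword (Read-Host 'New unlock password' -AsSecureString)
```

    Two details matter for recovery later: the recovery password must be stored somewhere other than the drive it unlocks, and the protector ID written next to it is what the recovery screen shows, so a person holding several backups can tell which 48-digit code belongs to which drive.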

    Conclusion

    In this article, we learned how to protect our information by encrypting it with the built-in BitLocker tool. It is disappointing that this technology is only available in the higher, more advanced editions of Windows. It has also become clear what the hidden 100 MB boot partition that Windows creates when partitioning the disk is for.

    Perhaps I will use encryption for flash drives or external hard drives. But this is unlikely, since there are good substitutes in the form of cloud storage services such as DropBox, Google Drive, Yandex Drive and the like.

    Here is an overview of the most popular hardware and software for encrypting data on an external hard drive.

    Let's start with the simplest: the Disk Utility built into Mac OS X, which lets you create an encrypted disk image. You can also use third-party software to encrypt files or folders, for example FileWard. In addition, some backup applications offer encrypted backups out of the box.

    These methods are good. But sometimes software encryption is not the best option, for example when you need to encrypt Time Machine backups. Protecting such backups requires some tricky manipulation, because Time Machine does not support encryption. Conventional software also will not help when you need an encrypted copy of a boot disk that remains bootable. Encrypted disks have another limitation as well: they cannot be used on other computers (Mac or PC) without special software.

    is one of those applications that encrypt the contents of a disk while it remains bootable and usable on both Mac and PC. It is a great application, but to access the information, PGP must be installed on every computer such a drive is connected to. Also, if the disk is damaged, the encryption may hinder data recovery.

    If you need a universal solution that imposes no restrictions on how the disk is used, it is worth buying an HDD with built-in encryption. The disk encrypts and decrypts data by itself, so there is no need to install additional software, and the disk can be used as a boot volume or for Time Machine. One caveat: if the drive's controller or other electronics fail, you will not be able to get the data off the device (even with fully working mechanics) until the HDD has been fully repaired.

    Encryption-enabled hard drives come in several types, depending on the decryption mechanism:

    Hardware keys

    Some manufacturers offer encrypting HDD enclosures that are locked with a physical device. As long as the key is present (connected to or near the disk), the disk can be read.

    HDDs of this type: RadTech's ($95), RocStor and several devices from ($50+). All of these enclosures come with two or three matching keys that plug into a special port on the device. SecureDISK offers with an infrared key (the key medium must be nearby to use the disk).

    Fingerprint scanners

    If you are worried about losing a physical key, consider HDD enclosures with a fingerprint scanner. A few examples: MXI Security ($419-$599) and LaCie ($400 for a 2GB model). (Some older LaCie enclosures in the 2.5″ format do not encrypt data but use a less reliable lock in the firmware.) These drives are easy to use and can store the fingerprints of up to five people. It is worth noting that several techniques exist for fooling a fingerprint scanner without the original finger being present.

    Keyboard

    ($230-480): encrypting disk enclosures that require neither physical keys nor biometric readers. Instead, a keypad is used to enter a password (up to 18 characters). A keypad instead of a physical key is convenient when the disk often changes hands. These drives support a "self-destruct" feature that wipes all stored information after several failed password attempts.

    Two types of authentication

    At least one product combines a physical key (in the form of a smart card) with a built-in keypad in a compact disk enclosure. This is the most reliable option for protecting a hard disk, since to access the information the user must both possess the key and know the secret password.

    To prevent unauthorized access to the system and its data, Windows 7/10 lets you set a password, including a picture password, but this method of protection cannot be considered particularly reliable. A local account password can easily be reset with third-party utilities, and, more importantly, nothing prevents someone from accessing the file system by booting from any LiveCD with a built-in file manager.

    To truly protect your data, you need to use encryption. The built-in BitLocker function will do for this, but it is better to use third-party programs. For a long time TrueCrypt was the data encryption application of choice, but its developers shut down the project in 2014, saying the program was no longer secure. Soon afterwards, however, work on it was resumed by a new team, and the project received a new name. This is how VeraCrypt was born.

    In fact, VeraCrypt is an improved version of TrueCrypt, and it is this program that we suggest using to protect your information. In the example below, we will use VeraCrypt "to the maximum", encrypting the entire hard disk, including the system and user partitions. This encryption method carries certain risks: there is a chance, albeit very small, that the system will no longer boot, so we advise resorting to it only when you really need it.

    Installation and basic setup of VeraCrypt

    The VeraCrypt installation procedure is no different from installing other programs, with only one exception. At the very beginning you will be asked to choose between installation modes Install or Extract.

    In the first case, the program is integrated into the OS, which lets you mount encrypted containers and encrypt the system partition itself. Extract mode simply unpacks the VeraCrypt executable files so that it can be used as a portable application; some functions, including encrypting the disk on which Windows 7/10 is installed, become unavailable.

    Immediately after launch, go to the menu Settings – Language, since by default the program is installed in English.

    Disk encryption

    Despite the apparent complexity of the task, everything is very simple. Select the “Encrypt system partition/disk” option from the “System” menu.

    In the wizard window that opens, select "Normal" as the type of system encryption (this is enough) and the entire disk as the area to encrypt.

    When the search for hidden sectors is complete (the procedure can take a long time), indicate the number of operating systems and the encryption algorithm (it's best to leave the defaults here).

    Note: If Windows stops responding while searching for hidden sectors, force restart your PC and skip this step next time by selecting “No.”

    Create and enter a password in the fields.

    Move the mouse randomly to generate the key, then click "Next".

    At this stage, the program offers to create a VRD (VeraCrypt Rescue Disk) and write it to a flash drive or optical media.

    When the screen prompts you to run a system encryption pre-test, click Test.

    You will need to restart your computer. After the PC powers on, the VeraCrypt bootloader screen appears. Here you enter the password you created and the PIM (Personal Iterations Multiplier), the number that sets how many key-derivation iterations are used. If you did not set a PIM earlier, just press Enter and the default value is used.

    After a few minutes, Windows boots normally, but a "Pretest Completed" window appears on the desktop: the preliminary test has finished. This means you can start encrypting. Click the "Encrypt" button and confirm the action.

    The encryption procedure starts. It may take a long time, depending on the size of the disk and how much data is on it, so be patient and wait.

    Note: if the disk has an encrypted EFI partition, which is typical for recent PCs, you may receive the notification "It looks like Windows is not installed on the disk..." at the start of encryption. This means that such a disk cannot be encrypted with VeraCrypt.

    Once the entire contents of the disk are encrypted, the VeraCrypt bootloader window appears every time you turn on the computer, and each time you must enter the password; there is no other way to access the encrypted data. Decrypting the disk is much simpler: run the program, select "Permanently decrypt system partition/disk" from the "System" menu and follow the wizard's instructions.

    The privacy and security requirements of a computer are entirely determined by the nature of the data stored on it. It is one thing if your computer serves as an entertainment station and holds nothing but a few games and a folder of photos of your favorite cat; it is quite another if the hard drive contains trade secrets that may be of interest to competitors.

    The first “line of defense” is the login password, which is requested every time you turn on the computer.

    The next level of protection is access rights at the file-system level. A user without the necessary permissions gets an error when trying to access the files.

    However, the methods described have one extremely significant drawback. Both operate at the operating-system level and can be bypassed relatively easily given a little time and physical access to the computer (for example, by booting from a USB flash drive, one can reset the administrator password or change file permissions). Real confidence in the security and confidentiality of data can only be had by using cryptography, and using it properly. Below we look at two such methods of protection.

    The first method we look at today is Microsoft's built-in cryptographic protection, called BitLocker, which first appeared in Windows 8. It cannot secure an individual folder or file; only encryption of an entire disk is available. From this it follows, in particular, that the system disk cannot be encrypted (the system would no longer boot), and storing important data in system libraries such as "My Documents" is not an option either (by default they are located on the system partition).
    To enable the built-in encryption, do the following:

    1. Open Explorer, right-click the drive you want to encrypt and select "Enable BitLocker."
    2. Check the box "Use a password to unlock the disk", then create and enter twice a password that meets the security requirements (at least 8 characters, both lowercase and uppercase letters, and preferably at least one special character) and click "Next". We will not cover the second unlocking option in this note, since smart card readers are quite rare and are used in organizations that have their own information security service.
    3. In case you lose your password, the system offers to create a special recovery key. It can be attached to your Microsoft account, saved to a file or simply printed. Choose one of the methods and, after saving the key, click "Next". This key must be protected from strangers: while it is insurance against your forgetfulness, it can also become a "back door" through which your data leaks.
    4. On the next screen, choose whether to encrypt the entire drive or only the used space. The second option is slower but more reliable.
    5. Select an encryption algorithm. If you do not plan to move the disk between computers, choose the stronger new encryption mode; otherwise, choose compatibility mode.
    6. Once the settings are configured, click "Start Encryption". After some waiting, the data on your drive will be securely encrypted.
    7. After logging out or rebooting, the protected volume becomes inaccessible and the password is required to open the files.
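    The seven steps above, done from PowerShell instead of Explorer, as an added example that is not from the original note. It uses the BitLocker PowerShell module available on Windows 8 and later. The drive letter D:, the file used to keep the recovery key, and the password-policy helper are assumptions; step 5's "new mode" is taken to mean XTS-AES (Windows 10 version 1511 and later) and "compatibility mode" AES-CBC.

```powershell
# Added example, not from the original note: enable BitLocker on a data drive the
# way the seven steps describe, but from PowerShell. Drive letter and file path
# are assumptions. Run from an elevated PowerShell session.
$DataDrive = 'D:'                                          # assumed data volume, not the system disk
$KeyFile   = 'C:\Users\Public\bitlocker-D-recovery.txt'    # assumed place for the recovery key, NOT on D:

# Step 2: the password rules the note states (8+ characters, lower- and uppercase,
# a special character advisable). Helper written for this example.
function Test-PasswordPolicy {
    param([string]$Candidate)
    $longEnough = $Candidate.Length -ge 8
    $hasLower   = $Candidate -cmatch '[a-z]'       # -cmatch: case-sensitive match
    $hasUpper   = $Candidate -cmatch '[A-Z]'
    $hasSpecial = $Candidate -match '[^A-Za-z0-9]'
    if (-not $hasSpecial) { Write-Warning 'No special character; the note advises adding one.' }
    return ($longEnough -and $hasLower -and $hasUpper)
}

# Steps 3-6: start encryption with a password protector, add a recovery password
# and keep a copy of it off the drive.
function Enable-DataDriveEncryption {
    param(
        [string]$MountPoint,
        [System.Security.SecureString]$Password,
        [switch]$UsedSpaceOnly,     # step 4: encrypt only used space instead of the whole drive
        [switch]$CompatibleMode     # step 5: AES-CBC for drives that move to older Windows versions
    )
    # "New encryption mode" = XTS-AES (Windows 10 1511+); "compatibility mode" = AES-CBC.
    $method = if ($CompatibleMode) { 'Aes256' } else { 'XtsAes256' }
    $params = @{
        MountPoint        = $MountPoint
        EncryptionMethod  = $method
        PasswordProtector = $true
        Password          = $Password
    }
    if ($UsedSpaceOnly) { $params['UsedSpaceOnly'] = $true }
    Enable-BitLocker @params | Out-Null

    # Step 3: recovery password, stored somewhere other than the drive it unlocks.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    Set-Content -Path $KeyFile -Value "Drive $MountPoint recovery password: $($rp.RecoveryPassword)"
    return $rp.KeyProtectorId
}

# Step 6: encryption runs in the background; poll until the volume is fully encrypted.
function Wait-ForEncryption {
    param([string]$MountPoint, [int]$PollSeconds = 30)
    do {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        '{0} {1} ({2}% done)' -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { Start-Sleep -Seconds $PollSeconds }
    } until ($vol.VolumeStatus -eq 'FullyEncrypted')
    return $vol.ProtectionStatus     # 'On' once encryption has completed
}

# Usage. The password is read as a SecureString and only briefly decoded for the policy check.
$secure = Read-Host 'Password for the volume' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
if (-not (Test-PasswordPolicy -Candidate $plain)) { throw 'Password does not meet the policy in step 2.' }
$plain = $null

$protectorId = Enable-DataDriveEncryption -MountPoint $DataDrive -Password $secure -UsedSpaceOnly
"Recovery password protector $protectorId saved to $KeyFile"
Wait-ForEncryption -MountPoint $DataDrive
# Step 7: after a reboot (or Lock-BitLocker -MountPoint D: -ForceDismount) the drive asks for the password again.
```

    The order inside Enable-DataDriveEncryption is deliberate: the password protector is created together with the volume, and the recovery password is added immediately afterwards, so there is no window in which the drive is encrypted but has no recovery path if the password is forgotten.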

    DiskCryptor

    The second cryptographic utility we look at today is DiskCryptor, a free open-source solution. To use it, follow these instructions:

    1. Download the program installer from the official website using the link. Run the downloaded file.
    2. The installation is extremely simple: it consists of clicking "Next" several times and finally rebooting the computer.
    3. After rebooting, launch DiskCryptor from the program folder or by clicking the shortcut on the desktop.
    4. In the window that opens, click the disk to be encrypted and click the "Encrypt" button.
    5. Next, select an encryption algorithm and decide whether you need to erase all data from the disk before encrypting it (if you do not intend to destroy the information, be sure to select "None" in the "Wipe Mode" list).
    6. Enter the decryption password twice (it is recommended to create a complex password so that the "Password Rating" field shows at least "High"). Then click "OK".
    7. After some waiting, the disk will be encrypted. After a reboot or logout, to access it you need to launch the utility, click "Mount" or "Mount All", enter the password and click "OK".

    The undoubted advantage of this utility over the BitLocker mechanism is that it can be used on systems released before Windows 8 (even Windows XP, which is no longer supported by Microsoft, is supported). But DiskCryptor also has several significant disadvantages:

    • there is no way to restore access to the encrypted information (if you forget your password, your data is guaranteed lost);
    • only password unlocking is supported; smart cards or biometric sensors cannot be used;
    • perhaps the biggest disadvantage of DiskCryptor is that an attacker with administrative access to the system can format the disk with standard tools. He will not gain access to the data, but you will lose it.

    To summarize, if your computer runs an OS starting from Windows 8, it is better to use the built-in functionality.