How to have better data security than the UK Government - use TrueCrypt
Monday, January 21, 2008

Update 9th March 2008: TrueCrypt 5 was released last month. It can now carry out whole disc encryption amongst a host of other enhancements. The BBC reported this week on research from Princeton University showing that the contents of RAM (including encryption keys) can be recovered for up to several minutes after the power to a computer is turned off, thus enabling a disc to be decrypted. The implications of this are explained on the TrueCrypt website. The important point to note is that in everyday practice (as opposed to controlled laboratory conditions) this is a very, very small risk, given that the RAM only retains the information for minutes after the power is off, and provided (on Windows) that Sleep, Hibernation and System Restore are disabled on your laptop, so it cannot be rebooted with data in RAM. A thorough discussion on this topic with the Princeton researchers is also available.
This data retention in RAM has been known about for several years, and some commentators claim that the presentation of the phenomenon is being over-dramatized in order to attract further funding. For example:
“Also, it is slanderous to call this a “flaw in encryption software”. This has nothing to do with disk encryption software in specific, and telling people to “check with the maker of your disk encryption software to find out how to protect yourself” as is done at the end of the video, is sort of like telling people to call Toyota to complain about potholes. It smells like someone needed to prove they’re worthy of their grant, or is fishing for new ones.”
Original Post: Oh dear, another shed load of personal data has been lost by a UK Government institution. First of all, in October 2007, it was Her Majesty’s Revenue and Customs copying a database with 25 million people’s details onto a CD and sending it by snail-mail from HMRC offices in Gateshead to the National Audit Office in London. It never arrived. The £25,000 reward is peanuts compared to what criminals would pay for the information. Then last week the Royal Navy had a laptop stolen from a car. The laptop contained a database with details of 600,00 forces personnel including passport numbers, National Insurance numbers and bank details. It has now been revealed that two similar laptop thefts have taken place since 2005. The head of the Civil Service has today told Whitehall staff not to remove laptops with sensitive data from their offices. What a shambles!
Data security experts have been queuing up outside news studios to say that these digital disasters were just waiting to happen, because the powers that be just don’t get it when it comes to data security. Large centralized databases, sloppy procedures, inadequate training, badly advised management… The term encryption has now entered the mainstream media, so everyone now knows that these databases could have been rendered totally inaccessible to criminals if they had been encrypted before leaving their secure office environment. If highly paid government employees are failing to encrypt data, we might be excused for thinking encryption must be a complicated or expensive process - a dark digital art, the domain of nerds and spooks. Well, I have some good news for you. It isn’t.
A short rant
Maybe part of the blind spot the authorities have with encryption is that the UK Government has cited the decryption of hard drives as an argument for increasing the time terrorist suspects should be held without charge. We are being sold the idea that encryption is something used by bad guys and terrorists and needs to be undone by good guys and MI6. If civil servants, Navy pen-pushers, priests and primary school teachers were seen to be using it routinely (which they should be, given the fact that they all hold personal data about other people on portable computers), then the Government’s propaganda might be undermined.
TrueCrypt
So you want easy and free encryption? - use TrueCrypt - www.truecrypt.org. It is open source and available for Windows, Linux and soon, Mac OS X. It is easy to install and use, and it can encrypt, and even hide, encrypted data on hard drives, CDs and USB memory sticks.
I won’t go into too much technical detail here, as it’s all on the TrueCrypt website in extensive documentation, but for me the great thing about TrueCrypt is that it creates a virtual encrypted disk within a file (located anywhere on your hard drive), which it then mounts as a real disk, with a drive letter.
So on my laptop I’ve allocated 20Gb of the total 80Gb as a TrueCrypt file which now acts like a separate Drive Z (although I could have chosen any available drive letter). After logging into Windows I am asked for my TrueCrypt password (greater than 20 characters is recommended - I use a memorable phrase). Only then does Drive Z actually exist and the data “come to life”. Without the encryption password, no matter how the drive is accessed, scanned or recovered, the data on Drive Z is utterly scrambled and totally unrecoverable. The same would apply to a CD, DVD or USB memory stick.

As I drop a file into my Drive Z it is encrypted on the fly, in other words, in real time as it transfers. As I move a file out of Drive Z it is decrypted. I can also work on files in Drive Z in just the same way as on any unencrypted drive. I have the same setup on my office computer, and on this drive I store my customer details, invoices and letters. I even run my email programme from that drive and store 8 years of email correspondence there. Thanks to TrueCrypt I know that should my computers be stolen, nothing more sensitive than my mp3 collection could be copied.
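A minimal model of the file-hosted volume described above, as an added example (not TrueCrypt's code and not from the original post): the passphrase is stretched into a key with PBKDF2, and each sector is encrypted or decrypted as it is written or read. The file layout, the `MAGIC` marker, the iteration count and the SHA-256 keystream standing in for a real disk cipher are all assumptions made for illustration, so this is for understanding the idea, not for protecting data.

```python
import hashlib
import os

SECTOR = 512          # bytes per sector of the virtual disk
SALT_LEN = 64         # salt is stored unencrypted at the start of the file
ITERATIONS = 100_000  # constructed value for this example
MAGIC = b"VOLUME-OK"  # hypothetical marker: decrypts correctly only with the right key

def _crypt(key, sector_no, data):
    """XOR data with a per-sector SHA-256 counter keystream (stand-in cipher)."""
    stream = b"".join(
        hashlib.sha256(key + sector_no.to_bytes(8, "big") + bytes([i])).digest()
        for i in range(SECTOR // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))

def _derive(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, ITERATIONS, 32)

def create_volume(path, passphrase, sectors):
    """Write salt, an encrypted header sector and random filler to a new file."""
    salt = os.urandom(SALT_LEN)
    header = _crypt(_derive(passphrase, salt), 0, MAGIC.ljust(SECTOR, b"\0"))
    with open(path, "wb") as f:
        f.write(salt + header + os.urandom(sectors * SECTOR))

class MountedVolume:
    """Holds the key in memory and encrypts/decrypts sectors as they are accessed."""
    def __init__(self, path, passphrase):
        with open(path, "rb") as f:
            salt, header = f.read(SALT_LEN), f.read(SECTOR)
        self.path, self.key = path, _derive(passphrase, salt)
        if not _crypt(self.key, 0, header).startswith(MAGIC):
            raise ValueError("wrong passphrase or not a volume file")

    def _offset(self, sector_no):
        if sector_no < 1:  # sector 0 is the header; data sectors start at 1
            raise ValueError("data sectors start at 1")
        return SALT_LEN + SECTOR * sector_no

    def write_sector(self, sector_no, plaintext):
        with open(self.path, "r+b") as f:
            f.seek(self._offset(sector_no))
            f.write(_crypt(self.key, sector_no, plaintext.ljust(SECTOR, b"\0")))

    def read_sector(self, sector_no):
        with open(self.path, "rb") as f:
            f.seek(self._offset(sector_no))
            return _crypt(self.key, sector_no, f.read(SECTOR))
```

Because the key exists only in the `MountedVolume` object, the file on disk holds nothing but a salt and ciphertext once the volume is dismounted, which is also why a key still sitting in RAM matters.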
The Data Protection Act
Webs Wonder, like most other businesses holding customer information, is on the UK Data Protection Register. I am legally obliged to look after customer details and I could be prosecuted if I fail to do so. Encrypting information means that if my laptop does get stolen or lost, my data isn’t compromised, so I don’t have to explain myself to the Information Commissioner, or go through the expensive and embarrassing process of informing hundreds of customers that their passwords might be in the hands of criminals, then setting new passwords.
Thank you TrueCrypt.
More information on TrueCrypt
- Visit the TrueCrypt website
- Download TrueCrypt from this page
- Make a donation to the TrueCrypt project
- Listen to a useful webcast discussion on TrueCrypt on Security Now. Right click to download or click to listen to the 18Mb mp3
- Watch this YouTube video on how to use TrueCrypt. (This isn’t me folks).
- Here is another video tutorial from YouTube on how to use TrueCrypt on a USB memory stick.
If data security is this easy, why can’t our Government do it?
Comments
Jeremy, I would be slightly less cavalier than to say “the data on Drive Z is utterly scrambled and totally unrecoverable.” In 2001 (and I haven’t heard any more about it since then) a quantum computer was built which succeeded in factorising the number 15 using Shor’s algorithm. Hmm… 5 x 3. Not a massive achievement but a demonstration that it can be done. If a large scale quantum computer could be built which could then factorise much larger numbers, then all existing encrypted data is vulnerable!
Estimates vary as to the feasibility of such a computer being built - ranging from “in the foreseeable future” to “never in the lifetime of this universe” so you pays your money and takes your choice ;-)
John Sutton
