
Whole Disk Encryption

My laptop is one of the IBM (Lenovo) ThinkPads that include a fingerprint reader and TPM chip, which can be used both to unlock the system at boot and to log on to Windows using software supplied with the computer. One thing that the supplied software does not do, but something that I’ve been interested in doing, is whole disk encryption (something also called by a few other names depending on the vendor and software).

You can learn more about whole disk encryption in this article written by Bruce Schneier a couple of months ago or from the Wikipedia article. Essentially, the idea is to encrypt the entire hard drive rather than a small subset of files. Obviously this does not protect the files while the computer is operating, but it is especially useful if you have a laptop (something prone to being stolen) and want to ensure that, if someone stole it, the data on it would be useless. While some free utilities such as TrueCrypt have allowed you to encrypt entire volumes, they have not allowed you to encrypt the boot drive, at least not when using the Windows operating system. The trick with encrypting the boot drive is that it must be decrypted for the system to boot, so a driver must be loaded at boot time which prompts the user for a password and thus unlocks the key, allowing the drive to be decrypted and the system booted. Until recently there were no free or open source programs which allowed you to do this with the Windows OS (solutions for Linux were available).

In the span of just over a month that has all changed. In December a Russian security consultant released the open source program DiskCryptor (and on SourceForge), which lets you install a Windows driver (which can be renamed for extra obscurity) that will encrypt your drive, and also lets you install a boot-time driver onto the disk, which allows for the encryption of the boot volume. The encryption algorithm and container are TrueCrypt compatible, so if need be you can access the drive by putting it in another computer which has TrueCrypt installed and mounting the volume (with the appropriate password, of course). This is an especially nice touch, as it ensures some kind of compatibility between the open source projects and makes data recovery from an otherwise dead system a bit less problematic. I’ve been successfully running DiskCryptor on my laptop boot drive for several weeks now and have found the program works as advertised, though there is essentially no help file or other documentation, so you have to learn the program by playing around with it and looking at menus.

Later today TrueCrypt plans to release version 5.0 of their popular open source encryption software, which among other things promises to include a boot driver for Windows systems that will allow the encryption of the boot drive. I plan to try out this software once it becomes available. I am excited to see that there will be two open source solutions to whole drive encryption and look forward to improvements in one or both of the programs.

A few things to note. Neither of these solutions (as far as I’m aware) supports the TPM chip and fingerprint reader in my laptop. This means that you need to enter a separate password to unlock the hard drive in addition to unlocking the computer. It also means that the encryption is all taking place in software, utilizing CPU cycles and slowing down drive access times. While I haven’t noticed a pronounced effect in my usual word processing and Internet browsing on this system, I can see that this might be problematic for a media- or gaming-intensive situation. Hopefully advancements to these solutions will allow for better integration with hardware acceleration and authentication to improve this situation.