Data Privacy Day: Day 4

Post » Sun May 13, 2012 11:31 am

Today is NOT Data Privacy Day. Data Privacy Day is Jan 28th, this Saturday. However, this year I am breaking up the Data Privacy Day thread into multiple much more manageable chunks. This is Day 4 and will cover a very useful tool for maintaining private documents on your computer: Encryption.

Sections:
Day 1: http://www.gamesas.com/topic/1337235-data-privacy-day-day-1/
Day 2: http://www.gamesas.com/topic/1337699-data-privacy-day-day-2/
Day 3: http://www.gamesas.com/topic/1338134-data-privacy-day-day-3/
Day 4: http://www.gamesas.com/topic/1338605-data-privacy-day-day-4/
Day 5: http://www.gamesas.com/topic/1339018-data-privacy-day-day-5/
Day 6: Set up OpenVPN on Windows and Final Remarks

The goal, as always, is to make you more informed about your data and your privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving items, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others, so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good Password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company who has poor security practices gets hacked (and after this summer, I think we are all familiar with that).

Not much has changed as far as encryption goes from a year ago. The main difference is for Mac OS X users due to an upgrade to FileVault included in OSX 10.7. The only other notable thing was that a small chink in AES has been found, but it is impractical to use due to the sheer effort it takes (taking millions of computers millions of years to break using the flaw). It's just an interesting note.

File Encryption



File encryption is the ultimate in data privacy and security. There are many encryption tools out there, but for the purposes of discussion here I will only talk about TrueCrypt. TrueCrypt offers many advantages over other options, including BitLocker. In being cross-platform, it makes recovery in any situation possible. Other encryption schemes may offer advantages over TrueCrypt (for example, if interested in TPM), so it may not necessarily be the right choice for you.

There are three basic encryption options, as well as the choice between hidden and non-hidden volumes. These options are: an encrypted file container, an encrypted non-system partition or drive, and an encrypted system partition/drive (this last option is currently only available on Windows). Two-factor authentication is also available through the use of keyfiles, though it isn't an option for system encryption (but two-factor authentication still can be achieved).

Encrypted file container: This option is the simplest to implement. You create a volume that appears to be a normal file (you can make it any filetype you want), but when you mount it with the proper password (and/or keyfile) it reveals the truth. You can make it a hidden volume for even added privacy/security (a would-be attacker may uncover the outer volume in one way or another, but the hidden volume remains secure). The disadvantage to making an encrypted file container is it is relatively simple to just copy the file container to a removable drive where the attacker can try and crack it at their leisure without you being aware of it (a keyfile would drastically lower their ability to succeed, if the keyfile and file container are not stored in the same location).

Encrypted non-system drive/partition: This option is relatively simple to implement. The advantage is it looks like just unallocated disk space to the untrained eye, and, in the case of removable storage, the user would be prompted to format it before use. Of course in removable storage you must be careful to not format it yourself. Once again the use of a hidden volume and keyfile can be used for increased privacy/security.

System drive/partition Encryption



SSD users: Please note that there is currently no way to verifiably securely wipe an SSD short of drive destruction. As such I highly recommend encrypting SSDs.

This one is a bit more advanced than the earlier options, but offers significantly greater security and privacy as well. On your system there are temporary files and various files tied to programs that make it hard (though not necessarily impossible) to seamlessly use file containers or encrypted non-system drives/partitions to protect their contents from prying eyes. For example, say you stored your IM logs, program profiles, and bookmarks in an encrypted file container. It would be relatively simple to accidentally start up the program those files are related to without unencrypting the container, which could either cause instability or write new files to an unencrypted area. System drive/partition encryption allows for seamless encryption of all system/program files you want out of prying eyes. You can make it a hidden volume if you choose: http://lifehacker.com/5554136/hide-your-entire-operating-system-from-prying-eyes.

Unfortunately keyfiles do not work with system encryption, but you can still get two-factor authentication. Before you encrypt the system, you will be prompted to create a recovery disc in case anything goes wrong, which you can use to restore the TrueCrypt boot loader, boot into the encrypted system, restore the original system loader, or permanently decrypt your system. By restoring the original system loader, or installing a new boot loader to the MBR (such as GRUB2), you would be required to boot from the rescue disc, making a two-factor authentication setup (you must know the password, and you must have the recovery disk). This can be further streamlined if your computer can boot from USB by loading a USB drive with the recovery disk. http://stdout-dev-null.blogspot.com/2010/02/truecrypt-rescue-disk-on-usb.html.

Dual-booting is complicated for Linux-Windows (Windows-Windows can be simply done through the use of the hidden operating system feature), but not impossible. You can do the above and have GRUB2 written to MBR and use the CD/USB to boot into Windows, or you can force GRUB2 to install to the root (or boot) partition. http://pzolee.blogs.balabit.com/en/2010/07/grub2-and-truecrypt-windows-linux-dual-boot-system/.

If Linux is already installed, simply restore GRUB2 from the TrueCrypt rescue disc, boot into it, force GRUB2 to install to your root/boot partition, and then reinstall TrueCrypt Boot Loader to the MBR from the rescue disc. If you are using the two-factor authentication method, all you need to do is restore GRUB2. Since you don't need TrueCrypt on the MBR, GRUB2 can happily rest there.

If Linux isn't already installed, make sure you have the necessary unencrypted partition to install it to. You cannot partition a TrueCrypt encrypted volume, so the partitioning for Linux needs to be done before encryption (or if you have a non-system partition/drive already, you could further partition that). Encrypt Windows with TrueCrypt and install the Linux distro of your choice. After installation force GRUB2 to the root/boot partition and restore TrueCrypt to the MBR (once again, this last step can be skipped if you are going to use the two-factor authentication method for TrueCrypt).

Linux can also be encrypted. Many distros offer options to encrypt Home at install. Full encryption, including root, requires more work and is generally not included as an option from live CD install. Just look through the distro documentation for dm-crypt/LUKS or Google your distro along with those terms and you will find a guide on how to do it.

Mac OS X offers built-in full-system encryption in the latest version, 10.7 Lion, through FileVault 2. Apple posted excellent instructions on how to do this on their website, http://support.apple.com/kb/HT4790. Older versions of Mac OS X could only encrypt their home directory. Once again, http://docs.info.apple.com/article.html?path=Mac/10.6/en/8736.html.

There is one disadvantage to system encryption: it will slow down your OS. This is mitigated with a good hard drive and a modern processor that has AES-NI when using just AES encryption -- to the point it is negligible to unnoticeable. Currently most i5s and newer i7s (the entire i5 and i7 line for Sandy Bridge) support it as well as AMD's Bulldozer line, but still something you should be aware of.

Further reading:

http://www.truecrypt.org/docs/?s=keyfiles
http://www.truecrypt.org/docs/?s=hidden-volume
http://www.truecrypt.org/docs/?s=rescue-disk

With that, you can properly encrypt your important data and keep it from prying eyes.
Tessa Mullins
 
Posts: 3354
Joined: Mon Oct 22, 2007 5:17 am
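An added illustration (not part of the original post, and not TrueCrypt's own code) of the point above that a keyfile stored apart from a copied file container makes the right password useless on its own: the header key depends on both factors. The 64-byte salt and 1000-iteration PBKDF2-HMAC-SHA-512 follow TrueCrypt's header key derivation; the SHA-512 keyfile pool, the HMAC check tag, and all function names are simplified assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 64      # TrueCrypt keeps a 64-byte salt at the start of the volume header
ITERATIONS = 1000  # TrueCrypt's PBKDF2 iteration count with HMAC-SHA-512
MAX_PASSWORD = 64  # TrueCrypt's maximum password length in bytes
CHECK = b"header-ok"  # constructed marker; stands in for the encrypted header's magic value


def mix_keyfile(password: bytes, keyfile: Optional[bytes]) -> bytes:
    """Fold keyfile content into the password before key derivation.

    Simplified stand-in: TrueCrypt builds its 64-byte pool with a CRC-32 based
    routine; SHA-512 is used here only to keep the example short.
    """
    if len(password) > MAX_PASSWORD:
        raise ValueError("password longer than 64 bytes")
    if keyfile is None:
        return password
    pool = hashlib.sha512(keyfile).digest()  # 64-byte pool
    padded = password.ljust(MAX_PASSWORD, b"\x00")
    return bytes((p + k) % 256 for p, k in zip(padded, pool))


def header_key(password: bytes, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Derive the 64-byte header key from the mixed secret and the header salt."""
    secret = mix_keyfile(password, keyfile)
    return hashlib.pbkdf2_hmac("sha512", secret, salt, ITERATIONS, dklen=64)


def create_header(password: bytes, keyfile: Optional[bytes] = None) -> bytes:
    """Return salt || tag; the tag plays the role of the encrypted header."""
    salt = os.urandom(SALT_LEN)
    tag = hmac.new(header_key(password, keyfile, salt), CHECK, hashlib.sha512).digest()
    return salt + tag


def unlock(header: bytes, password: bytes, keyfile: Optional[bytes] = None) -> bool:
    """True only if password AND keyfile together reproduce the header key."""
    salt, tag = header[:SALT_LEN], header[SALT_LEN:]
    expected = hmac.new(header_key(password, keyfile, salt), CHECK, hashlib.sha512).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    keyfile = os.urandom(1024)  # constructed keyfile content, stored off the machine
    copied = create_header(b"correct horse", keyfile)  # what a copied container exposes
    print("password + keyfile:", unlock(copied, b"correct horse", keyfile))
    print("password only:     ", unlock(copied, b"correct horse"))
```
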

Post » Sun May 13, 2012 12:24 am

DEFRON, one day when I have my own video game company I'm gonna hire you as a consultant.
Josh Dagreat
 
Posts: 3438
Joined: Fri Oct 19, 2007 3:07 am

Post » Sun May 13, 2012 1:18 pm

Thanks for the guides so far, DEFRON :)

Really makes some things clearer!
Krystina Proietti
 
Posts: 3388
Joined: Sat Dec 23, 2006 9:02 pm

Post » Sun May 13, 2012 11:03 am

DEFRON, one day when I have my own video game company I'm gonna hire you as a consultant.
I'm not sure what data privacy has to do with video game design, myself. Perhaps you need to rethink your business model?




As always, good to see you keeping people informed Deffy.
Rachael Williams
 
Posts: 3373
Joined: Tue Aug 01, 2006 6:43 pm

Post » Sun May 13, 2012 6:13 am

So if I encrypt my entire drive, when I boot Windows and enter the password the entire drive becomes unencrypted or just files that are being used?
Josh Lozier
 
Posts: 3490
Joined: Tue Nov 27, 2007 5:20 pm

Post » Sun May 13, 2012 2:31 am

So if I encrypt my entire drive, when I boot Windows and enter the password the entire drive becomes unencrypted or just files that are being used?
I think they're only decrypted when transferred to RAM, so nothing is actually decrypted on the hard drive.
Lori Joe
 
Posts: 3539
Joined: Tue Jun 20, 2006 6:10 am

Post » Sun May 13, 2012 12:14 am

Nice post! Very helpful. :thumbsup:
Alexandra Ryan
 
Posts: 3438
Joined: Mon Jul 31, 2006 9:01 am

Post » Sun May 13, 2012 9:21 am

I'm not sure what data privacy has to do with video game design, myself. Perhaps you need to rethink your business model?
Oh, I hope that's what they are referring to, because the alternative is that they've seen my spaghetti code and think it's actually good :ahhh:


So if I encrypt my entire drive, when I boot Windows and enter the password the entire drive becomes unencrypted or just files that are being used?
Files are decrypted on-the-fly using the decryption key which is stored in memory. If, say, your laptop were to suddenly crash, the files would all still be encrypted.

Storing the key in-memory does pose a potential vulnerability. If you enter in your password (generating the decryption key, stored in memory), if someone turns off your computer and quickly removes the memory (lower the temperature of the RAM to increase time) and transfers it to another computer, and dumps the memory contents, they may be able to recover the key. It's an involved process, so it's not something to worry about (just don't use sleep mode).
adam holden
 
Posts: 3339
Joined: Tue Jun 19, 2007 9:34 pm
