Question: Let me give you some backup story first: A computer technician challenged me to give him my laptop and ask him for any piece of information that I wanted to “hide” in my hard drive. He claimed that he would be able to retrieve anything, no matter what I do to hide it.

Since I do not appreciate absolute statements like: “and there is nothing you can do about it”, I started thinking about this in my head. I realized that a very secure Operating System would not cut it, since he does not need to boot from this specific hard drive in order to find things in my hard drive.

The generic question here is:

Is there a way to completely secure all data in a hard disk? (I do not need detailed explanation on how to do it, I just need you to point me to a direction; I can read more about it myself)

Specifically, I suspect that I may need:

  • An Operating System that is very secure and possibly encrypts all the data that it stores (no idea if such thing even exists).

  • If the above does not exist, is there a way to manually encrypt the data in my hard drive and still be able to boot from that hard drive?

In general, I want to make the hard drive as least accessible as possible to anyone that is not me (= knows a specific password/key), so any solutions are welcome.

Answer: It’s enough to encrypt most sensitive files. A ZIP file encrypted with AES 256-bit and a good long password is nigh impossible to get into without the password. (Avoid using the legacy ZIP encryption known as PKZIP stream cipher/ZipCrypto – it is known to be weak.)

It’s also possible to encrypt a whole partition, hiding everything in it. Truecrypt is kind of the de facto standard program for home (and some business) partition/image encryption. Probably the best thing about Truecrypt compared to tools built-in to the operating system is it’s portable: there’s a version for Windows, Mac OS X and Linux, which makes up the vast majority of consumer operating systems.

If you want to hide everything, you can encrypt the every partition in your system, including the one you boot from. It is not possible to read data from an encrypted drive without knowing the password/key. Thing is, the Windows operating system doesn’t always support booting from an encrypted hard drive.* Truecrypt has what it calls system encryption. They’ve summarised it pretty well:

?

System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk.

So the Truecrypt boot loader will load before your OS and prompt you for your password. When you enter the correct password, it will load the OS bootloader. The hard drive is encrypted at all times, so even a bootable CD won’t be able to read any useful data off it.

It’s also not that hard to encrypt/decrypt an existing system:

?

Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions). Likewise, a TrueCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.


*Various other operating systems support system drive encryption. For example, Linux kernel 2.6 and newer have dm-crypt, and Mac OS X 10.7 and newer have FileVault 2. Windows has such support with BitLocker, but only in Enterprise/Business/Server editions, and only in Vista and newer. As stated above, Truecrypt is more portable, but often lacks the integration necessary to encrypt system drives, Windows being the exception.