Friday, 20 April 2012

Free encryption tools

Encrypting personal data is a sensible thing to do. If your computer is lost or stolen then at least your sensitive files are not at risk of being abused.

There are a number of common ways to do this:

  1. Encrypt each file, one file at a time, manually.
  2. Create a bundle of files in one archive and encrypt the archive.
  3. Automatically encrypt all files placed into a specific folder/directory.
  4. Automatically encrypt all files placed into a virtual hard disk.
  5. Encrypt the entire hard disk, or portions of it.

Each of those options has its benefits and downsides. All can be achieved for free. Free encryption has been available for a long time but it is frequently hard to use.

PGP/GPG

Pretty Good Privacy (PGP) and GnuPG (GPG) aren't suitable for consumers simply because, even with the optional graphical interfaces, the very concepts that they rely on are not trivial to understand. They also usually involve both the sender of secrets and the receiver being equally competent.

Anyone can understand the idea that you can password-protect a file. Public key encryption is a little harder to understand, and explaining it usually means using analogies featuring Bob, Alice and Eve.

PGP/GPG are really useful tools. They just aren't that easy for regular users to handle.

PGPdisk

This fantastic tool allows you to create an encrypted archive that appears as an extra hard disk, e.g. F:\

Any files placed into this disk are encrypted automatically and transparently. The user can act as if using a standard internal or USB drive. In fact you can place the archive on an external drive, which is quite a sensible thing to do.

Unmount the disk and the files are locked. Unlocking the files involves entering a password for the archive or for the private key (if you used it to create the archive).

You can also create self-decrypting archives. This means that the files are bundled into one EXE file. Send this to someone who knows the password and they can extract the files without owning a copy of PGPdisk. The downside to this is that you have to let them know the password in a secure way.

PGPdisk used to be free but this changed and you had to buy the commercial version of PGP to obtain it. Since Symantec bought PGP it's not clear to me whether or not it is still available at all. Free versions for Windows and Mac are still available from the PGPi website, but these are pretty ancient versions.

Windows EFS

Windows Encrypting File System, which is available on the more expensive versions of Windows XP, Vista, 7 and (soon) 8, is very easy to use but it has some significant problems too.

These include the ease with which users can lock themselves out of their computers and data, the complication of backing up an encryption certificate and the fact that the files are not protected while the user is logged in. This means that malware can steal data, even if the thief who stole your laptop cannot.

There is also some confusion over what happens when you copy encrypted files to other disks.

Here's an example of EFS going horribly wrong in a home environment. I encrypt some folders on my laptop. The laptop is shut down and the files are safe. I forget my password and boot the laptop using a password reset tool such as the Offline NT Password & Registry Editor. While I can access all of the unencrypted files, I have sadly lost access to the encrypted ones forever (unless I made a backup of my encryption certificate).

In a similar way, a vandal with access to the laptop could reset the password using the bootdisk mentioned above and then just walk away, having locked me out of my encrypted files.

Businesses and technical users will be aware of the need to back up the encryption certificate and should be able to cope with corrupted systems. They probably also have full, unencrypted backups. The same is unlikely to be true of most home users.

TrueCrypt

The TrueCrypt software provides a relatively easy way to encrypt files, and has some very advanced features. However, its interface is not as intuitive as some would like.

One really useful feature is its ability to fully encrypt the hard disk, including the boot partition. Anyone who does this will have some technical knowledge and interest, which is just as well because forgetting your password would be disastrous!

Sophos Free Encryption

Sophos Free Encryption provides a similar feature to the one provided in PGPdisk. This allows you to create self-encrypted archives, a bit like password-protected Zip files.

Winzip, 7z and other password-protected archive tools

It is perfectly possible to store files in password-protected Zip files. This is the quick and easy way to achieve some level of privacy, although it is less convenient than using more transparent tools such as PGPdisk, TrueCrypt or EFS.

For example, finding files on your hard disk is easy when you can use Windows' search tools, Google Desktop or some other method. Searching inside encrypted Zip files, or creating catalogues of them, is a non-trivial task for regular home users.

Some older versions of Zip tools have a vulnerability that allows passwords to be recovered very easily using a variety of free or inexpensive tools.
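As an added example (not part of the original post), this Python check reads a Zip file's central directory and reports, for each entry, whether it is unencrypted, protected with the legacy Zip 2.0 password scheme ("ZipCrypto"), or protected with WinZip AES. It assumes the weakness mentioned above refers to that legacy scheme; the function names are illustrative and `sample_zip` builds a constructed, header-only archive.

```python
import io
import struct
import zipfile

AES_METHOD = 99        # compression-method value that marks a WinZip AES entry
AES_EXTRA_ID = 0x9901  # extra-field record holding the AES parameters
AES_BITS = {1: 128, 2: 192, 3: 256}

def aes_strength(extra):
    """Walk the extra-field records; return the AES key size or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        if header_id == AES_EXTRA_ID and size >= 7:
            return AES_BITS.get(extra[pos + 8])  # byte after version + vendor
        pos += 4 + size
    return None

def classify(info):
    """Label one ZipInfo entry by the protection its headers declare."""
    if not info.flag_bits & 0x1:           # bit 0 clear: not encrypted
        return "unencrypted"
    if info.compress_type == AES_METHOD:
        bits = aes_strength(info.extra)
        return f"aes-{bits}" if bits else "aes-unknown"
    if info.flag_bits & 0x40:              # bit 6: PKWARE strong encryption
        return "pkware-strong"
    return "legacy-zipcrypto"              # weak scheme: re-create with AES

def audit(data):
    """Map each entry name in a Zip archive (bytes) to its label."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}

def sample_zip():
    """Constructed sample: central directory records only, no file data."""
    aes = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    rows = [(b"notes.txt", 0x0, 8, b""), (b"tax.xls", 0x1, 8, b""),
            (b"keys.txt", 0x1, AES_METHOD, aes)]
    cd = b""
    for name, flags, method, extra in rows:
        cd += struct.pack("<4s6H3L5H2L", b"PK\x01\x02", 20, 20, flags, method,
                          0, 0x21, 0, 0, 0, len(name), len(extra), 0, 0, 0, 0, 0)
        cd += name + extra
    return cd + struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0,
                            len(rows), len(rows), len(cd), 0, 0)

if __name__ == "__main__":
    print(audit(sample_zip()))
```

To check a real archive, pass its bytes to `audit`, for example `audit(open(path, "rb").read())`.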