InfoSec 101: Disk Encryption

Securing your data versus an adversary with physical access to your devices

December 23 2019


Strong encryption keeps families safe

In this article and guide we will discuss the whys and hows of securing your data versus an adversary that has physical access to your computing and data storage devices (desktops, laptops, cell phones, removable storage media, etc.).

Table of Contents

Why Encrypt Your Data?
Data Seizure and Analysis
"Deleted" Data May Be Recoverable
How Secure Is Built-In Encryption?
Cell Phones: Android and iOS
Useful Software
Best Practices
Bringing Data Across the Border


Disclaimer: No part of this article is intended to serve as legal advice in any capacity, and the technical information provided comes with no warranty or guarantee whatsoever. In some countries it may in fact be illegal to encrypt your data, and many countries have complex laws pertaining to crossing their borders while in possession of encryption technology. Some countries also have laws that allow law enforcement officials to compel individuals to reveal their encryption keys or passwords on demand. It is wholly your responsibility to understand and comply with any laws that may apply to yourself and your encrypted devices.

Why Encrypt Your Data?

Encrypting your data is about securing the privacy of your thought. Our computing devices are externalizations of our minds, our interactions with them are a part of our thinking, and the data they contain are like memories.

Someone who has unfettered access to your data storage devices can thus analyze your thinking, your behavior, and your memories. Not only that, but because our computing devices connect with other people's computing devices over our networks, they can analyze who you have been thinking with, and maybe even what you were thinking about together, thus a failure by one individual to secure their data can also lead to a violation of another individual's privacy of thought.

Encryption translates data into an unintelligible form. Anyone without the decryption key (ideally) cannot derive any meaningful information from the encrypted data, and anyone with the key can translate the encrypted data back into the original unencrypted form.

The following text is this sentence encrypted with my PGP public key:

hQIMA1+UvoQmHwCRAQ//eek6AmMTBHCkAPb7wFO4Ardta45s8bOUFM83YAqy/2jNU4SrNU6obRwRz7Hq0vbV9K3ELDkhMnkNf/+8nO8z1SHhj6adpkJeEDa5urldSmiU9lePRZiGiYCAzFk7gRWMrNtG3jCfJuaIXoJkSYVfzo1cwM/x8aIl/yF7Iyi5uDzk2viUuSszuaIz/Fq+drWa+iC1J5mz1vBepP0uPXsCznUiTjbJPN/vIc2+54kEk4Re58RvDI8fJPgnVoI/AlttNkAmAkKh5qfWgxxJHWDOG1l9lTJZ+8dvoW0cLPmoCvhUW/v/97W/6Dumh4Iua3D6GfXIibZojzMeebXYnKz0vqx3IxOiUjj2SP1rGoNHfDvE9S9r/GGaHsZgeuyu7eVtM3syFDC5xGGNryJQNOla9FKk0JMKJLfl/LL7eg2c9dbAJP/dV5bJAcI8XYBV3S6+UhywALJ0+7s6TVqWBJz0fWOQZHDPKbtdctTwbEAqZmKhfdsedU0DSZqQGi42kfbbh9CGu7viwVnjbb998NORm6wFYnj3ytXoZg/xDatMCkZSsv2qNzz/1FrfA5lnqcU96tzmq9hASkPU+ZOQQV4EfqQxPPXs857G2hQznIPbj5fsS4MWhUXj4mZdhMbJfpmnYw7pO6DpZxoULf+kJGDFTr/hyaHU8P9VSdKjWfLVL/vSgwGG0XMASAFm8bBfg+23R7M/VFJYSjG75lMG5Zcl9YCfLeq6G4DBLuUsP3GJP0gzmcQ/g/Y3JKK79OfbkIY+3QEsm6Xe8PIzLm72fb6NEXuOVdQBjoiJOTr/l6UY+lNUiHrkF+6fTgqH0orXATwbXtZZ2W6Yjaq0sWYwXsOKV93gz1Qh=Nu2H

You can use software to encrypt the data on your data storage devices, such as the drives inside of your desktop and laptop computers, mobile devices, and removable storage devices. Doing so will prevent any of your data from being readable by anyone without the password or key, even if they physically capture your device and subject it to cutting-edge digital forensic analysis.

Data Seizure and Analysis

Knock knock! Meme police!

It is now commonplace for law enforcement to seize all of an individual's computing and data storage devices (and sometimes even the devices belonging to their family members) when an individual is suspected of having committed a crime.

In 2018, a teenager in Nova Scotia Canada was arrested while walking to school [archive], and 15 police officers proceeded to raid his parents' home and seize all his and his entire family's computing and data storage devices. He was charged with "unauthorized use of a computer" for writing a simple script that automatically downloaded documents from Nova Scotia's freedom-of-information portal in order to save himself the time of downloading each publicly available file individually.

In December of 2019, the RCMP arrested two men in Quebec [archive] who are suspected of posting threats of violence directed at Justin Trudeau on Facebook. All of their electronic devices were seized, and were without a doubt sent to be analyzed in a laboratory for incriminating evidence of any kind.


Illegal memes being seized

In Canada, the police are allowed to send your devices to a computer forensics lab to try to crack your password used to encrypt your devices, but they aren't allowed to force you to hand over your password [Canadian border guards however are, see below]. A 2010 case in the Quebec Court of Appeal stated that any evidence obtained as a result of a password being compelled from an individual by law enforcement is inadmissible, as it's considered an act of self-incrimination and thus violates the Canadian Charter of Rights and Freedoms.

Some law enforcement officials have however recently begun proposing that Canada's laws should be changed so that they can compel suspects to hand over their encryption keys or passwords, arguing that there exists legislative precedent in both the UK and New Zealand. RCMP Chief Superintendent Jeff Adam even tried to draw a bogus comparison between handing over your encryption keys and submitting to a roadside breathalyzer test, when in reality it would be more akin to submitting to being put into a machine that can read your mind, revealing the history of your thoughts as far back as your memory will allow.

"Deleted" Data May Be Recoverable

It should be noted that simply deleting a file on your computer does not guarantee that the data is actually gone. In many cases, the data could be recovered using digital forensics software.

This is because on many operating systems, when a file is deleted, the location of the file on the storage device is simply marked as 'usable' space, meaning that if the operating system needs a place to write new data it might choose that location and overwrite the "deleted" file. However, until that overwriting occurs, the "deleted" file's data still exists on the data storage device, and could potentially be recovered.

One solution to this problem is to securely erase the files you want gone for good, using software such as BleachBit. Secure file erasure software of that nature works by ensuring that the location of the file on the data storage device is overwritten with random data or zeroes (or both), so that recovery should be impossible.

A better solution is to encrypt your data storage devices, so that digital forensics software cannot be used in the first place to try to recover deleted files. However, if an adversary manages to crack your encryption password, they could try to recover files that were "deleted" from the device, so be sure to securely erase any highly sensitive files even if the device they're stored on is encrypted.

How Secure Is Built-In Encryption?

"You can totally trust me with your data, bro." - Bill Gates, Ultra-Globalist

Any encryption is better than none at all, but it would be wise to avoid the default offerings of the globalist mega-corporations if at all possible.

Microsoft's BitLocker that is included with Windows may in fact be compromised by the authorities, and was inexplicably weakened as of Windows 8.

Apple's FileVault is probably better, but there was a strange attack that allowed a running system to access a FileVault encrypted disk using a user's Apple ID credentials.

Both BitLocker and FileVault also share one disturbing thing in common: Users are presented with the option to store a backup encryption key in the cloud (on Microsoft's or Apple's servers, respectively). One could imagine a scenario in which Apple or Microsoft would relinquish the keys when served with a warrant.

In 2016, the FBI got a judge to demand that Apple furnish them with tools to help them brute-force an encrypted iPhone's password. Apple publicly refused, then the FBI announced that they had unlocked the iPhone in question with the help of an "anonymous third party". So make of that what you will.

Android uses dm-crypt (a part of the Linux kernel) to do full disk encryption, which provides good security. However, be aware that in 2016, a security researcher developed a method for performing offline brute-force attacks on some models of Android phones. This does not mean that the encryption technology itself is compromised, but it does mean that law enforcement may have tools to try to crack your Adroid phone's full disk encryption password.

Cryptsetup + LUKS on Linux appears to be excellent. Begin using it straight away.

Cell Phones: Android and iOS

Cell phones are a security nightmare and you should not use them to store any highly sensitive data. They are perhaps the most advanced mass surveillance technology ever designed. That being said, iOS and some Android devices have built-in disk encryption that can be enabled, and if you own a cell phone you should definitely enable it.

With regards to iOS, it was already noted above that at least one US government agency has been putting pressure on Apple to help them compromise the security of iPhones, and that there now exist special tools which can help brute-force the encryption password on (at least some models of) iPhones.

It is known that at least some models of Android phones can be subjected to brute-force attacks, so it is best to assume that law enforcement could conduct such attacks on your Android phone.

Note that the weakest link with regards to disk encryption is (nearly always) the passphrase that is used. If your phone has encryption enabled, but the password used to encrypt the disk is nothing more than a 4 digit pin code, then if tools are developed that enable brute-forcing the password on your model of phone, it will be cracked within seconds. It's essential that you use a long/high quality password to encrypt your mobile device.

If you need to ensure that some files you deleted are permanently gone from your mobile device, search the app store for "file shredder" and "wipe free space" apps. After you securely erase all the free space, proceed to enable full disk encryption.

Useful Software

VeraCrypt

VeraCrypt is the continuation of the TrueCrypt project. It is an application for Linux, Windows, and Mac OS X that can be used to encrypt and mount whole disks, disk partitions, and file containers. It can also be used to create hidden encrypted volumes, including hidden operating system partitions. For Windows systems, it can be used to fully encrypt the entire system disk, meaning that Windows will not even boot without your encryption password being entered when your computer is booted up, and not a single file will be readable on your system disk until you enter your password.

If you are using Windows, VeraCrypt full disk encryption will provide you with the greatest protection versus an adversary that has physical access to your computer. You should consider encrypting your system with VeraCrypt immediately.


KeePass

KeePass is a multiplatform password manager that stores usernames and passwords in an encrypted file. It also has a built-in random password generator that can be used to generate secure passwords. It is a very bad idea to reuse passwords between accounts and services, so consider using an application like KeePass for securely storing your login credentials, particularly for online services.


BleachBit

BleachBit is an application for Linux, Windows, and Mac OS X that can be used to either securely erase individual files or the free space on a given disk partition. It also has options to securely erase the cache files of various specific applications, such as the most commonly used web browsers.


DBAN - Darik's Boot And Nuke

DBAN is a program that runs from a bootable disk image that can be used to securely erase entire drives. You can securely wipe a single drive, or even use its special "autonuke" mode to wipe every drive that is connected to your machine. It has several different algorithms for securely wiping data, though in almost all cases it should be sufficient to simply select the option to write zeroes to the drive, which will accomplish the task in the least amount of time. You can use an application like UNetbootin to create a bootable USB drive using the DBAN ISO file.


Best Practices

Before you encrypt a device, unless you are using VeraCrypt's in-place encryption feature, securely erase it using DBAN or BleachBit, otherwise under some circumstances it may be possible to recover files that were stored on the device before you encrypted it.

As noted above, if your device is seized by the authorities, they will likely send it to a lab in order to try to crack your encryption password. For this reason it is paramount that you choose a very strong passphrase with which to encrypt your disks.

Do not reuse a password from some other credentials to encrypt your disks, create a new passphrase. You should never type your actual disk encryption passphrases into a web browser, however you can use this online tool to get a general idea of how long it would take to crack your passphrase by typing in another passphrase of similar length and complexity.

Permanently memorize your passphrases, otherwise you will lose all of your data. Passphrases should only ever be shared with other people you trust on a very strict need to know basis -- that is, if they don't actually need your passphrase, there is no reason whatsoever to share it with them.

When Ross Ulbricht (AKA 'Dread Pirate Roberts', the operator of the original Silk Road) was arrested, the authorities waited to swoop in on him until he was working at a library with his laptop powered on and decrypted.

If you are going to be away from your computer for any length of time, or you are transporting your laptop from one location to another, shut it down completely rather than just putting it to sleep. That way, if your computer is seized by an adversary the contents of the disk(s) will be protected by your encryption passphrase, rather than just by your screen lock password.


Bringing Data Across the Border

Ho there, traveler! Gonna need to see those illegal memes :^)

In Canada, border guards have been given special legal authority [archive] to compel individuals to hand over their passwords or encryption keys so that the contents of their devices can be rummaged through in search of illegal contraband or evidence of wrongdoing. If a traveler refuses to hand them over, the guards may seize their devices and ship them to a computer forensics lab to attempt to crack their passwords.

Of important note, Canadian border guards may search your devices for what is termed "hate propaganda", an ill-defined category of media that "promotes hatred against an identifiable group" by potentially including words or images that make:

(a) allegations that an identifiable group is to blame for serious economic or social problems;

(b) allegations that an identifiable group manipulates media, trade, finance, government or world politics to the detriment of society;

(c) allegations that an identifiable group is inferior or superior to another group; and/or

(d) allegations that an identifiable group weakens or threatens society, in whole or in part.

Since it's difficult to determine just what exactly would qualify as "hate propaganda", and since allowing a stranger to pore over your private thoughts stored on your devices would be an obscene violation of human dignity, it is best to simply not give them the chance to do so. Consider the following options:

1. Do not bring any computing device with you at all, but instead buy a cheap used laptop or cell phone at your destination, which you could also sell before you return home -- remember to securely wipe your data beforehand!

2. Securely wipe you device's data storage, optionally do a fresh install of your OS, and then don't use it or transfer any data to it at all. That way if it's inspected at the border (including the agents potentially making a full copy of your device's data storage for analysis at their leisure) there is nothing to analyze. Reinstall your OS once you reach your destination, if necessary.

3. For laptops or desktops: Remove the data storage (e.g. hard disks and solid-state drives) and bring a live OS bootable optical disc or USB drive along. If desired, acquire and install a hard disk once you reach your destination.

4. For laptops or desktops: Use Veracrypt to set up a hidden operating system. When asked to unlock your computer, enter the password for the dummy operating system. There is currently no known way that it can be proven there is a hidden OS (provided you follow the security requirements and precautions -- note that you cannot use some SSDs), even if they copy your entire disk and do cryptanalysis on it (though they could still try to crack your password).

Before you leave home, create an encrypted Veracrypt container file, fill it with your data that you want to have access to, and then upload it to a remote server that you can download it from once you reach your destination. If it's small enough, you could even email it to yourself using a webmail account, and then all you have to do to get your data once you're across the border is log into your webmail and download the attachment to your computer.

Remember to securely wipe your devices' data before you cross the border on your way back home!