File Encryption, Security & More
Got a super new business idea you don't want your competitors finding out about? Let's shows you how to lock down your computer.
Cryptography is the art of protecting information from Interference by unauthorized third parties. This can mean keeping data confidential, or ensuring its integrity or authenticity.
Thanks to James Bond movies and TV programs such as Spooks, the word quickly conjures up images of spies meeting in darkened rooms, secret societies and clandestine government agencies with giant banks of computers.
Cryptography certainly plays a part in these situations. but it's far more commonly used in less exciting scenarios - for example it's a feature of online banking and it's how companies protect their customers' personal information.
It’s also, thanks to some great pieces of free and open source software, commonly used by private individuals who want to store bank details, account passwords and any other kind of digital data securely.
In this tutorial, we're going to show you three different ways to secure your data, each dealing with a set of circumstances that requires the application of novel techniques. The first will demonstrate how to secure the data kept on your PC, in case it ever gets lost or stolen.
The second will demonstrate how to secure data, for personal use, in a portable format. This is ideal if you need to carry sensitive data on a USB stick, or perhaps wants to back it up using Dropbox but don't trust its security.
The third will show you how to encrypt data that you want to share with other people. Using the same tools, you'll also be able to 'sign' digital information so that a recipient can confirm that it's from you, and not just someone pretending to be you.
Encrypt your PC
When it comes to protecting the information held on your PC, you 'II be surprised to learn just how thorough you need to be.
You could, for instance, just keep an encrypted file that contains all your passwords and think that you are secure. But how many of your passwords have secret reset questions, the answers to which are things like 'where were you born' or 'your wife's maiden name'?
And how many of you, whether intentionally or not, have the answers to questions like these stored on your computer, or in your browsing histories, in some unknown temporary folder in a dark corner of your system?
The point is, our computers contain such vast amounts of data, much of it we're not even aware of, that the only way to be certain anything is safe, is to make it all safe. That is, to encrypt your entire hard drive.
Fedora has by far and away the best support for this kind of encryption, so we'll be using it to demonstrate. To follow along, you 'II need to download the Fedora live CD from the website, and either write it to a CD or put it on a USB stick.
Fedora's installer makes it easy to encrypt your entire system - just put a tick in the box.
To implement this kind of encryption you'll need to securely wipe everything off the existing hard drives and then reinstall the system.
If you don't do this, a thief or cracker might be able to recover unencrypted data from your previous installation, bypassing your new security measures.
So, the first thing to do is back everything up. You can do this however you like, but attaching an external hard drive and using the file manager to copy the home folder is as good a way as any.
Make sure you inspect this backup carefully, as you're about to delete everything and your family will be very upset if you lose all the Christmas photos.
Once you've done that, you can securely erase all traces of the old data from the current hard drive. Boot the Fedora live CD and then launch a terminal. Into this terminal, we're going to enter the command below. It will delete everything there's no undo. no second chances - so be sure you're confident of your backup and what you're doing before you even begin to type:
su -c "dd if=/dev/random of=/dev/sda"
dd stands for disk dump, and all it does is copy the input file (if), byte by byte, into the output file (of). By specifying the input as /dev/random, a special file that contains an infinite amount of random data, and the output as /dev/sda, the first hard drive, we overwrite everything on it with random data. This not only deletes it, but makes it much harder for forensic data analysts to recover what was there before.
Now that all your old data has been securely erased, you can begin the work of rebuilding your system with encryption from the get-go.
While still running the Fedora live CD, launch the installation application. As you progress through the installation screens, you 'II eventually come to one that asks 'What type of installation would you like?' At the bottom of this screen, you'll see an option for Encrypt System. Select this, then on the next screen enter a secure password, and proceed with the rest of the installation as normal.
After installing Fedora with encryption enabled, you'll be prompted tor a password before it boots.
That's all there is to it. The Fedora installer will handle all the details, and when you reboot you'll be asked for the password before Fedora even begins its boot sequence. All that's left for you to do is restore your files from the backup and you'll be computing just as before, only much more securely.
If your data is very sensitive, I would suggest you to take professional it security solutions.
Portable encryption
For all the safety that encrypting your entire computer brings, there are times when you'll want to keep something sensitive on a USB stick, or perhaps back it up to your Dropbox folder for safekeeping. In these scenarios, having an encrypted hard drive is of little help.
Instead, you'll want to be able to create something a bit like an encrypted folder - something that can be copied from one computer to another, or attached to emails. There are lots of ways you can do this on Linux, many of which are built right into the OS. In this article, however, we're going to focus on TrueCrypt, which is available on Windows, Mac and Linux, making it the most portable and flexible option. TrueCrypt is a free, open source application, so just install it on all the systems that you're likely to use it with. It doesn't create an encrypted folder: instead, it creates a virtual disk within a file and encrypts this. Whenever you use TrueCrypt to decrypt the virtual disk, it will be presented in your file manager as an ordinary USB or hard disk.
This means that you can work in all your favorite applications, save your work to this 'disk' as you normally would, and enjoy the benefits of encryption without having to think about it.
While it's encrypted, it appears on your filesystem as an ordinary file. You can do anything with it that you would a normal file: delete it, copy it to a USB stick, and attach it to an email - whatever you like: the only difference is, to read its contents you'll need to use another copy of TrueCrypt and know the password.
Creating one of these 'encrypted virtual disks' with TrueCrypt is simple, really. Launch the application and. on the first screen that appears, press the Create Volume button. Immediately, a Volume Creation Wizard will appear which will walk you through the necessary steps. Most are fairly self-explanatory, but there are a few that merit some further explanation.
The first is the option to select a Hidden TrueCrypt Volume on the first screen of the wizard. This hides an encrypted volume within another encrypted volume.
TrueCrypt's wizard is a simple way to create an encrypted virtual disk - but you might want to see our extra comments for further advice.
This might sound strange, but it can protect you from blackmail: if someone tries to force you to reveal your password, you can tell them the password for the visible one, but they won't be able to see (or access) the hidden one very helpful.
Other screens that deserve extra comment are:
- Encryption Options : Unless you have very specific requirements, you can leave these as they are and rest assured your data will be safe.
- Volume Size : As TrueCrypt impersonates a physical disk; you need to give it a fixed size. Make sure you allow enough space for all the files you might want to store.
- Volume Password : Choose a secure password. See later in this post information on Encryption and Passwords for further guidance.
- Format Options : Choose FAT if you want to use it on Windows and Mac as well as Linux.
Accessing encrypted files
Starting from the main screen again, press the Select File button and select the encrypted volume you created in the Volume Creation Wizard. After that, you'll be returned to the main screen, where you can press the Mount button in the bottom-left of the window. TrueCrypt will then ask for the password you set in the wizard, and it will also ask for your administrator password.
Once you've given it all of this information, the encrypted volume will then appear in the list at the center of TrueCrypt main screen. If you now open your file manager, you should also see it listed alongside your other USB and hard disks. At this point, you can use it just like you would any other disk.
When you've finished with the volume, you'll need to return to TrueCrypt and select Dismount, or turn off your computer. Once it's dismounted, the volume will appear as a plain file, which can be manipulated in the usual ways. To read its contents again, just open it with another copy of TrueCrypt.
TrueCryprs main screen lists all of your mounted volumes, making it easy for you to manage everything.
The final encryption technique is how to encrypt a file you can securely share with friends or colleagues, using public key encryption. We'll be using GPG and Seahorse, so make sure you have these tools installed. You'll also want the Seahorse plugins package for integration with your file manager.
That brings us to the end of this tutorial, and with your new found skills you should be able to keep your data much more securely. There is, however, much more to cryptography and file security than we've discussed here. If you're serious about keeping your communications safe, then you'll need to go on and do more reading. A good starting point is the GNU Privacy Handbook. While it focuses on GPG and public key encryption, it also introduces many of the topics that are important for applying symmetric encryption systems, such as key length.
Public key vs. Symmetric
There are two major types of encryption systems: public key and symmetric, each of which is better suited to different scenarios.
Symmetric simply means that there's only one encryption key - only one password that's used to both encrypt and decrypt the data. It's the type of encryption that we used to encrypt our entire computer, and that TrueCrypt uses too.
If you're only encrypting the data for yourself, it works excellently. But if you want to share data with others, symmetric encryption faces a major problem: you have to be able to exchange the key or password securely. If someone else gets hold of it, then encrypting the data in the first place was pointless.
Public key encryption uses two keys - one for encrypting the data and the other for decrypting it. The idea is that if you want to send some sensitive data to me, you use my public key to encrypt it. This public key is then useless for decrypting the data again - the only way to do that is with my private key, which only I have.
This way, you can send information to me and we never have to find a secure way to share a key. This makes it ideal for sharing encrypted data and for authenticating who sent something, as they can 'sign' it with their private key, and this can be confirmed using the public key. We cover this type of encryption in the final section of this article, where we look at GPG and Seahorse.
Encryption and Passwords
Working through this tutorial, you may have noticed that everything we've encrypted has relied on passwords to lock and unlock the contents. This means that, even using strong encryption, without a strong password it's completely useless. To help you overcome this shortcoming, here are some tips on creating strong passwords.
- Don't use a password that's based on a dictionary word. Even if you think you've been extra fiendish by replacing some of the letters with punctuation marks and numbers, it's still easy for crackers to guess.
- Make the password as long as possible, and use as many different types of characters as you can. Every extra character in length massively increases the amount of time it will take for a cracker to guess it.
- Make it easy to remember. If you write it down or store it in an insecure location, it's a worthless password.
For instance, J!n is easy to remember and uses a good selection of characters but is much too short - it would take less than a second to crack. ((((((J!n)))))), on the other hand, would take a few hundred thousand centuries to crack using today's technology.
It's important that you come up with your own scheme for padding the password, and you shouldn't use the same password more than once.
Step-by-step: Encryption for sharing
Creating keys
Both you and the person you want to share encrypted files with need to create your key pairs. In Seahorse, go to File > New and then select PGP Key. Follow the wizard.
Export public keys
You and your friend then need to export your public keys to share with one another. Select the key you want to export, and then go to File Export in Seahorse. Make a note of where the key is exported to.
Exchange public keys
The next step is to exchange public keys with your friends. It's best to do this in person, so copy your exported key to a USB stick and take it to a meeting. Then, in Seahorse, go to File > Import and select your friend's key.
Encrypt a file
Open the file manager, and right click on the fi le or folder you want to encrypt. Select Encrypt from the menu that appears, and then select your friend's key.
Send the file
A new file will appear, with the extension .pgp. This is the encrypted file, which you can now safely send to your friend using whatever means you choose.
Decrypt the file
When your friend receives it, they can look at it in the file manager, right click it and choose Open With Decrypt File. As soon as they've entered their password, the file will be available for them to look at.