7 Whole-Disk Encryption Apps Put A Lock On Data - InformationWeek
Software // Enterprise Applications
09:06 PM
Connect Directly

7 Whole-Disk Encryption Apps Put A Lock On Data

TruCrypt, PGP, FreeOTFE, BitLocker, DriveCrypt, and 7-Zip provide remarkably strong, on-the-fly, encryption to keep your data secure from loss, theft, or prying eyes.

Few IT professionals need to be lectured about data security. All too frequently we hear of the theft or loss of a computer or hard drive with data stored in the clear -- without encryption.

TrueCrypt volume contents are indistinguishable from random data.
(click for image gallery)

Fortunately, on-the-fly data encryption is no longer some exotic, costly beast. Rather than just encrypting single files, some applications are able to create virtual disks, either within a file or directly on a partition, where everything written to the disk is automatically encrypted. On modern hardware, the overhead for encryption is minimal; you no longer need dedicated hardware to make this happen.

In this review I've looked at several programs for creating and managing encrypted volumes, from Windows Vista's own BitLocker encryption to PGP's full-blown desktop suite for encrypting e-mail and instant messaging. You can even get remarkably strong, well-implemented whole-disk encryption without having to pay for it -- although in a corporate setting, features like manageability or support are well worth paying for.

TrueCrypt 5.1a
Cost: Free / open source
Web site: www.truecrypt.org

TrueCrypt makes an incredibly strong case for being the first whole-disk or virtual-volume encryption solution to try out. Aside from being free and open source (two big pluses), it's full of smartly written usability and data-protection features and is an effective way to encrypt a whole system, including the OS partition.

TrueCrypt lets you use your choice of AES, Serpent, and Twofish algorithms, either singly or in various combinations ("cascades"), along with the Whirlpool, SHA-512, and RIPEMD-160 hash algorithms. The actual encryption can work in one of three basic ways: it can mount a file as a virtual encrypted volume; it can turn an entire disk partition or physical drive into an encrypted volume; and it can encrypt a live Windows operating system volume, albeit with some limitations.

Encrypted volumes can be protected with a password and optionally a keyfile for additional security -- for instance, a file on a removable USB drive, which lets you create a form of two-factor authentication. If you create a standalone virtual volume, you can use a file of any size or naming convention. The file is created by TrueCrypt itself and then formatted to ensure that it appears to be nothing more than random data.

TrueCrypt is designed in such a way that no encrypted volume or disk can be casually identified as such. There is no obvious volume header, required file extension, or other distinguishing mark. The one exception is encrypted boot volumes, which have the TrueCrypt boot loader -- but it wouldn't be impossible in future versions of the product to conceal the entire volume and use an external boot loader from a USB thumb drive or CD. On that note, it's also possible to create a self-encrypted USB drive which runs in "traveler mode" -- it contains a copy of the TrueCrypt executable and can be mounted and run on any Windows machine where the user has admin privileges.

TrueCrypt also includes what it bills as "plausible deniability" features, the most significant being the ability to hide volumes inside each other. The hidden volume has its own password, and there's no way to determine if a given TrueCrypt volume has a hidden volume somewhere in it. If you write too much data to the outer volume, however, there's a chance you can damage the hidden one -- but, as a protection measure, TrueCrypt optionally lets you mount the hidden volume as read-only when mounting the outer volume.

If you're using system-disk encryption, the actual encryption process takes a while, but it can be suspended and resumed on demand (you may want to do it overnight with the PC in a locked room), and the program insists on creating a rescue CD that can be used to boot the computer in the event of a disaster. (One disadvantage: you can't encrypt a Windows system that's dual-booted from a non-Windows bootloader.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 6
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends for 2018
As we enter a new year of technology planning, find out about the hot technologies organizations are using to advance their businesses and where the experts say IT is heading.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll