Aug 17, 2011
tom

Preparing laptops for theft

Question

With a number of laptops out there the likelihood of one being stolen is high. What methods, preferably free, can be used to secure the data on the computers? The laptops do not have any special hardware on them, and generally keep their user data in a dropbox folder. One small step taken is to have the the dropbox folder encrypted by Windows 7. Any additional suggestions are greatly appreciated. The data in the dropbox folder is sensitive.

Answer

Having your “dropbox” folder encrypted is a good first step. I use a dedicated TrueCrypt partition for data, and use two passwords on the laptop — one for Windows login, and another for the TrueCrypt data partition. One weakness here is that browser history, last opened file names, and many other potentially interesting kinds of user data are left unencrypted.

You can supplement this with a ‘phone home’ solution like Prey. I think it’s debatable how much this would help against a professional information thief, but at least it gives the appearance of doing something active about recovering the laptop.

You can also encrypt the full boot drive. There are pros and cons. On the plus side, full drive encryption is comprehensive, nothing is accidentally left unencrypted. On the negative side, a small software or hardware malfunction can lead to a OS reinstall.

Tom’s Hardware recently compared TrueCrypt and BitLocker from Microsoft, but not some of the competition. IMHO the article misses the point a bit; speed is not a significant differentiator between the two, but BitLockers stronger support for enterprise deployment and key maintenance is.

Edit: Great comments below, thanks Warner, nedm & Maxwell. As for the “Evil Maid” attack, I know of this attack, but it’s not stopping me from using TrueCrypt. If an attacker can repeatedly get physical access to a PC, then any security measure can ultimately be defeated. The question is, would it be economical to mount an attack, relative to the expected value of the stolen good. For most companies, I think TrueCrypt full disk encryption would make an attack uneconomical (cost of one criminal to make mutiple break-ins etc). The common thief would simply wipe the harddrive and sell the laptop as a stolen good. If that’s not good enough for you, then have a look at BitLocker, or better yet PGP’s Whole Disk Encryption with two-factor authentication — or stop using laptops. :-)

Related posts:

  1. What do you do about staff and personal laptops?
  2. Folder Redirection and Offline Files make for 1 hour logons on laptops
  3. Should laptops be put away at night?
  4. ZFS: preparing for future drive additions
  5. Can anyone see why dropbox won’t execute in a text only install on ubuntu server using a system user account?

Leave a comment