One thing that’s come out of the GDPR questions I’ve seen is around encryption. Since under GDPR you are obliged to take ‘reasonable’ security precautions it’s definitely worth talking about, but is a bit more general than focused purely on GDPR.
In practical terms with encryption we are either talking about whole-disk encryption, or a secure volume. You may even have both. It’s important to note that while whole-disk encryption will help protect your data in the event of theft or losing a computer, it won’t help against someone breaking in while the computer is switched on using malware or similar. This is because with your whole disk encrypted, it is decrypted while your computer is switched on to make it usable.
So why encryption rather than setting permissions so that only you can see things? Simply put those permissions really mean very little – they are applied by the operating system, and work only as long as the operating system is running. It is very easy to extract a hard drive, plug it in to another machine, and ignore the permissions completely. Or just boot off an external disk and do the same. Encryption makes sure that only those with the secret required can get access to the data.
If you are using some versions of Windows, or using Linux and have it set up in a certain way, encrypting your whole system is very easy. If you’ve got the option of using BitLocker, enable it. If you’re installing Linux, probably worth setting up encrypted LVM right at the start so you can largely ignore it (except for trying very hard not to forgot your password and have to start over).
Again on Windows you can apply more limited encryption (encrypted folders, etc) through your normal file manager. That sort of folder encryption isn’t necessarily ideal, but is easy to set up and better than nothing.
In either case it’s vitally important to remember your password. The whole point of encryption is that it can only be accessed with the password – if there’s another way to get in then it is less secure. If you forget the password, that data is essentially gone (unless your encryption tool is really, really bad).
If you don’t have a handy built-in option, or if you want a different tool, the general recommendation these days is for VeraCrypt. There are a lot of expensive tools out there which are fine, but as well as being well-respected VeraCrypt has the added bonus of being open source. This means that it’s demonstrably secure, as all the code is visible and regularly checked by people looking for holes, and that it’s free. It’s also a very capable, easy to use tool.
There are plenty of tools out there, and tutorials on all of them. I’m trying to give simple practical advice here though, so will stick with VeraCrypt and how to use it to encrypt your whole disk, and create secure volumes for more sensitive data.
First thing’s first, and I will repeat this multiple times as it is important, before trying any of these things back up your machine in full. If something goes wrong with encryption, such as mistyping the password when you are setting it, you will not be able to restore it without a backup. That backup should be to an external drive or something else separate from your computer, as you really don’t want to discover it’s been encrypted along with everything else right when you need it.
Creating a small encrypted store
To start off simple we’ll use VeraCrypt to create a small encrypted volume to put our especially sensitive data. In most cases, this will be all you need. If you really want to be secure then you can have different stores for different clients or categories of data, and mount them as you need them rather than having everything in one place.
I’ll put together a full video exploration of VeraCrypt options once I’m back at a proper computer, but I’m meant to be on holiday now and my desktop is quite far away. Instead you get a quick walkthrough of creating an encrypted store, which covers most use cases anyway.
First, after you’ve downloaded and installed VeraCrypt (it can work on Windows, Mac and Linux – no excuses), run it. You don’t have any encrypted volumes yet so there’s not much to see, but this is where we can create one.
Once you have your encrypted area, go back to the main window and choose Select File. Navigate to wherever you stored it and select it. Then click Mount. You’ll be asked for your password, and when you enter it successfully your new encrypted volume will appear as if it’s an external disk. Save anything you want to it, or open anything previously saved from it, and Unmount it when you’re done.