
Is Encryption Worthwhile?

Does UK Law Require Encryption of Business Information?  My understanding is that sensitive personal information on laptops, and portable backup disks should be encrypted.  There is no legal requirement to encrypt data stored securely on desktop machines.  Use Google to search for precise information.
However, if a computer is stolen, and the information it contains misused, your reputation may be seriously damaged.  You (or your customers) may become the victim of identity theft.
If the computer is stolen, even if nothing happens, there is the serious stress created by wondering if the information will be misused!  If you're on holiday, the thief may now know where you live.
Perhaps encryption seems like a lot of work, when the risk of disaster is so small.  But if the worst happens, it will take weeks to undo the damage.  Every day my staff spend a couple of hours putting stock in and out of the safe.  And that time is essential to keep my business secure.  Because we do it we haven't had an attempted break-in in years.  Encryption is just as essential for keeping your business and personal data secure.
I lack the expertise to make a final judgement as to whether any system will stand up to a determined attack.  I have no idea where to turn to gain expert advice.  However I have not heard any criticism of the systems I'm recommending here, apart from the points against them that I raise.

Security Options Available

About Passwords

I refer repeatedly to passwords.  I will discuss how to generate a strong password later.  But for security, the ideal password should be approximately 64 characters long.  If entered from the keyboard, 20 characters is the minimum for reasonable security.  That is why I finally chose TrueCrypt for my laptop, because you can store the password on a USB stick, which is easier and more reliable than entering it on a keyboard.  Also the laptop I really wanted did not include Microsoft Windows encryption.

Password protect the hard disc.

You'll need a different password from the one which you use to log on.  Gives quite a high level of protection.  However a Google search revealed a number of companies who will recover the password - at a price.  Note this is not an encryption system, but the results are comparable.  However it does always require that you enter 2 passwords when starting the computer.  If you're going to that amount of effort I feel that a third-party encryption system may be more secure.

Microsoft's encryption

As built into Windows XP Pro, Vista Business and Ultimate, and Windows 7.
Very simple to set up and use.  Believed to be very secure.  Seems to have very little effect on the computer speed.  Completely transparent to the user.  Unfortunately the key is the password you use to log on to Windows (which is probably not long enough to be totally secure).  Encrypted files cannot be shared across the network nor with other users of the same computer.  Folder and file names can be viewed by users who do not have access rights.
If you choose this option, ensure you have a very strong password, about 20 characters long.  Encrypt all document and picture folders, and ensure Outlook .pst files are encrypted; they are not in the documents folder.

Obtain third-party encryption.

I finally selected TrueCrypt and will describe its setup later.  Many other systems are available; however, TrueCrypt seemed ideal for my purposes.  TrueCrypt is sold as freeware; I do hope that business users will make some donation for such a useful utility.
Benefits. Passwords can be very strong because TrueCrypt can use a file on a USB stick, making it impossible for anybody to access files.  Folder and file names are hidden until the password is entered.
Warning: Loss of the password would be a disaster (obviously).  Good backup strategy is essential.  As with all security, it's essential that a business can recover without too much inconvenience to customers.

Backups

I use Winzip.  Encrypt the backup with its built-in encryption system (selecting the strongest option AES 256).  The password can be stored on the same computer as the files you are encrypting onto a portable medium, but never store the password on the same backup medium as the backup file.  However ensure you have a separate copy of the password not on the computer.  Without that you would never be able to restore your lost files if the original computer is destroyed.

Encryption Will Not Protect You from:

Employee dishonesty.  Once the computer is switched on, files can be accessed by staff, although Windows encryption does offer some protection.
Robbery with violence. If somebody demands with threats your passwords, encryption really won't help.  Actually TrueCrypt does have a system to hide the encrypted file in a folder alongside encrypted but meaningless files, which will look as if they are the secure files at a quick glance.  However if threatened with violence I'm not certain that anybody (at least the type of person who is reading this page) is going to stand firm and not reveal the true passwords, nor the wisdom of refusing to reveal the information under such threats.

TrueCrypt

An encrypted file will be written to the location you choose on your hard disk.  Its extension does not matter. So you can disguise it as, say, a video.  However I suspect that any hacker with the expertise to crack TrueCrypt will be able to identify the file quite quickly.
When you open TrueCrypt, you can then 'Mount' that file.  It will then appear as a partition of your hard disc. Software can access it freely.  Files can also be shared across the network.

Password protection.

You can use a keyfile, stored on a USB memory stick (or elsewhere).  TrueCrypt will automatically write one for you, or you can use any file like a JPEG provided it is more than 64 characters long.  Do alter the properties of the keyfile to Read Only.  The file extension does not matter, so it can be used to disguise the file.  Be careful that you have a copy of the file stored somewhere safely (very definitely not on the computer you are protecting).
In addition, or as an alternative, you can enter a password on the keyboard in the usual fashion.
If you can be certain that the computer and the USB stick will never be carried by the same person, then the keyfile on its own may well be adequate.  I sometimes travel with my laptop on my own, so I would be carrying both the laptop and a USB stick. Therefore in my case I must also use a password for extra security.
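The three keyfile precautions above (long enough, Read Only, an identical copy kept elsewhere) can be checked with a short script. This is an added example, not part of the original page; the file names are constructed, and "64 characters" is taken to mean 64 bytes.

```python
import hashlib
import os
import shutil
import stat
import tempfile

MIN_KEYFILE_BYTES = 64  # the rule above: the keyfile must be longer than this


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def check_keyfile(keyfile, backup_copy):
    """Return a list of problems; an empty list means every check passed."""
    if not os.path.isfile(keyfile):
        return ["keyfile not found"]
    problems = []
    info = os.stat(keyfile)
    if info.st_size <= MIN_KEYFILE_BYTES:
        problems.append("keyfile is not longer than 64 bytes")
    if info.st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        problems.append("keyfile is writable; set it to Read Only")
    if not os.path.isfile(backup_copy):
        problems.append("no backup copy found")
    elif sha256_of(backup_copy) != sha256_of(keyfile):
        problems.append("backup copy differs from the keyfile")
    return problems


def demo():
    """Constructed run: a new keyfile before and after it is tidied up."""
    with tempfile.TemporaryDirectory() as tmp:
        keyfile = os.path.join(tmp, "holiday.jpg")    # disguised name
        backup = os.path.join(tmp, "usb-backup.jpg")  # stands in for a second stick
        with open(keyfile, "wb") as fh:
            fh.write(os.urandom(128))                 # constructed sample content
        before = check_keyfile(keyfile, backup)
        shutil.copyfile(keyfile, backup)
        os.chmod(keyfile, stat.S_IREAD)
        after = check_keyfile(keyfile, backup)
        os.chmod(keyfile, stat.S_IREAD | stat.S_IWRITE)  # so cleanup can delete it
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

In real use the second path would point at the copy kept away from the protected computer.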

Using the Software

Useful help files are available online.  The brief information here does not duplicate their help, but adds to it.  I'm only covering problems which took time to resolve.
If you have decided to use a keyfile, when you first open TrueCrypt click on the menu option keyfile to create a keyfile or set a default keyfile location.  Setting a default location speeds up opening your encrypted folder (just insert the USB stick and TrueCrypt will know you're ready to open the encrypted file), but could be helpful to a hacker.  I normally leave it set, but might delete the path if I am concerned about security - for example travelling on my own with the laptop.
In TrueCrypt terminology Mount means to open an encrypted file and mount it to look like a partition on the disk.
While I'm not expert enough to give advice on encryption I'd recommend AES256 as the minimum standard.  If your processor can handle it you might like to combine 2 encryption systems.  However I don't know how much such a step increases the level of security.
On the main program window note the option to 'Never save history.'  It's ticked by default.  Unticking it will save time because you won't have to browse for the encrypted file each time you want to open it, but could possibly be useful to speed up a hacker's work.  Again normally to save time and if I'm certain the keyfile is separate from the computer, I leave this option unticked, then opening the encrypted file is very quick.
After preparing your encrypted partition, ensure Office programs (as well as all the other programs you use) look in it when opening files. Watch out for Outlook, which writes to its own (hard to find) location.  Ensure its .pst files are moved to the encrypted location.  I also think it's worthwhile to ensure all pictures are encrypted;  they may reveal clues about your identity.
If, as is likely, your computer can go into hibernation, do ensure that under Settings/Preferences > 'Dismount all when: Entering power saving mode' is selected;  otherwise the password/s will be written to your hard disk.

Writing and Remembering a Secure Password

Too often the only protection a password will give is that the hacker is likely to die laughing as he cracks it!
If your password is a name or in the dictionary, it's useless.  Of course that's the first thing they'll test for (software makes the task quick and easy).  Even fiendish ideas like passw0rd (replacing the O with zero) are so well known as to be useless.
A password must look like a random sequence.  The only way of cracking this type of password is by brute force, testing every possible combination of characters.  The longer the password the more possible options.  A computer can test many millions of possibilities each second, so a password must be long to offer any protection. Any password, given enough time, can be cracked.  However (using today's computers) the universe will end before a 64 character password is cracked!  Check other resources for a guide on how long it takes to recover a lost password, and you will see how much faster a dictionary word can be recovered.
TrueCrypt advise it should be 20 characters or longer, which should be suitable for several years if computer speed increases at its current rate.  That's one reason I use a keyfile (which is 64 characters long) as well as a password entered on the keyboard to open my TrueCrypt file.  Unless the keyfile is stolen with the computer I can be confident my files are still secure.  But this extra password entered from the keyboard will make life that bit harder for the hacker, even if they have the keyfile.  Do note that as computer processing power increases, passwords will have to become even longer to remain secure.
So how can we hope to remember a complex password?  Here's an example I prepared earlier.  It's not hard to remember.  Note it's not as long as is necessary for total security, it's just an example.
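The difference between a dictionary-style password and a long random one can be put into rough numbers. This is an added example, not part of the original page; the tiny word list, the look-alike table and the rate of one billion guesses per second are assumptions chosen for illustration.

```python
import string

# Constructed mini word list; a real check would load a full dictionary file.
WORDLIST = {"password", "letmein", "jeweller", "diamond", "welcome"}
# Look-alike swaps such as 0 for o, which cracking software undoes automatically.
LEET = str.maketrans("013457@$!", "oieastasi")
GUESSES_PER_SECOND = 1e9  # assumption: one billion guesses per second
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def is_dictionary_like(password):
    """True if the password is a listed word, even with swaps or a numeric tail."""
    lowered = password.lower()
    candidates = {
        lowered,
        lowered.translate(LEET),
        lowered.rstrip(string.digits + string.punctuation),
    }
    return any(c in WORDLIST for c in candidates)


def alphabet_size(password):
    """Count the characters an attacker must try per position (52, 62, 94 ...)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def brute_force_years(password, rate=GUESSES_PER_SECOND):
    """Worst-case years to try every combination of this length and alphabet."""
    if is_dictionary_like(password):
        return 0.0  # falls to the word-list pass; no exhaustive search needed
    return alphabet_size(password) ** len(password) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed samples: only length and character classes affect the estimate.
    samples = ["passw0rd", "Diamond2024!", "k7#Qm2!x",
               "k7#Qm2!xVd9&Lp4@Zs6%", "k7#Qm2!x" * 8]
    for pw in samples:
        print(f"{len(pw):>2} chars  alphabet {alphabet_size(pw):>2}  "
              f"{brute_force_years(pw):.3g} years")
```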
This is the password: THriS05^11#smotPp
Let's see how it works. Take the expression 'The rain in Spain stays mainly on the Plain.' Use the initial letters, retaining uppercase as shown and we get TriSsmotP.  A random password is hard to crack and can only be attacked by brute force (i.e. testing of all possible combinations).  Each letter in this password could be one of 52 (upper or lower case letters of the alphabet).
Now we'll add a date so that the poor hacker has to test for numbers as well (now 62 possibilities for each character).  I chose Guy Fawkes night (05/11)!  And inserted it after the S of Spain.  This gives us TriS05/11smotP.
Now we add some non-alphanumeric characters and change the separator in the date.  There are an awful lot of these characters on your keyboard so now we are making life really hard for a hacker.  You'll have to remember them but it is not that difficult - all my staff have to do this.  We now have TriS05^11#smotP.  To make life simple (!) I inserted the caret character as a break in the date and the hash at the end of the date.
To make matters worse, we must use a different password for every location, either a file, our Windows password, or a website.  Otherwise if a site is hacked (and it does happen) all the passwords are compromised.  Identify a name (file name, computer user name, or website) for each location we need to password protect.  So let's add extra characters using Google as an example.  Take the first 2 letters 'Go,' take the next letter of the alphabet for each and it becomes 'Hp.' After the first T we enter the capital H, and the last character is the second, p.   It may look complicated, but after entering a few times, it is easy to remember.
This is just an example, you'll have to use your own phrase, date etc.  Otherwise if a hacker is reading this, he'll know how to crack your passwords!
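The steps above, carried out in code so each stage can be compared with the text. This is an added example, not part of the original page; the function names are made up for illustration.

```python
import string


def initials(phrase):
    """First letter of each word, keeping the case as written."""
    return "".join(word[0] for word in phrase.split())


def insert_after(base, token, after):
    """Insert token straight after the first occurrence of `after` in base."""
    idx = base.index(after) + len(after)
    return base[:idx] + token + base[idx:]


def next_letter(ch):
    """Shift a letter one place along the alphabet (G -> H, o -> p, z -> a)."""
    for letters in (string.ascii_uppercase, string.ascii_lowercase):
        if ch in letters:
            return letters[(letters.index(ch) + 1) % 26]
    return ch  # digits and symbols in a location name are left unchanged


def derive_stages(phrase, date, after, site):
    """Return the password after each step of the scheme, in order."""
    if len(site) < 2:
        raise ValueError("the location name needs at least two characters")
    base = initials(phrase)
    with_date = insert_after(base, date, after)
    with_symbols = insert_after(base, date.replace("/", "^") + "#", after)
    tag = "".join(next_letter(c) for c in site[:2])
    per_site = with_symbols[0] + tag[0] + with_symbols[1:] + tag[1]
    return [base, with_date, with_symbols, per_site]


if __name__ == "__main__":
    phrase = "The rain in Spain stays mainly on the Plain"
    for stage in derive_stages(phrase, "05/11", "S", "Google"):
        print(stage)
```

Changing only the location name changes only the two added characters; the rest of the password is shared between locations.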

The Usual Disclaimers

I am a jeweller, not a software expert. If you are protecting really sensitive data you should seek expert advice.  Do not rely on the information given here.
All information on this page is correct to the best of my knowledge and belief.  However I cannot accept any responsibility for errors.  You are strongly advised to cross check advice here before making any decisions.  You alone are responsible for any decisions you make based on the guidance here. Seek expert advice before making decisions, I am not an expert.
But if an 'expert' starts telling you that I've over-stated the need for security, be wary.  Google searches will show how many businesses sell software to reveal passwords.  Do not under-estimate the need for precautions.

Martin Rees, Jeweller and Pawnbroker Member of the National Association of Goldsmiths