Is there a way to make my hard drive inaccessible to everyone but me?

Solution 1

It's enough to encrypt most sensitive files. A ZIP file encrypted with AES 256-bit and a good long password is nigh impossible to get into without the password. (Avoid using the legacy ZIP encryption known as PKZIP stream cipher/ZipCrypto - it is known to be weak.)

It's also possible to encrypt a whole partition, hiding everything in it. Truecrypt is kind of the de facto standard program for home (and some business) partition/image encryption. Probably the best thing about Truecrypt compared to tools built-in to the operating system is it's portable: there's a version for Windows, Mac OS X and Linux, which makes up the vast majority of consumer operating systems.

If you want to hide everything, you can encrypt every partition in your system, including the one you boot from. It is not possible to read data from an encrypted drive without knowing the password/key. Thing is, the Windows operating system doesn't always support booting from an encrypted hard drive.* Truecrypt has what it calls system encryption. They've summarised it pretty well:

System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk.

So the Truecrypt boot loader will load before your OS and prompt you for your password. When you enter the correct password, it will load the OS bootloader. The hard drive is encrypted at all times, so even a bootable CD won't be able to read any useful data off it.

It's also not that hard to encrypt/decrypt an existing system:

Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions). Likewise, a TrueCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.


*Various other operating systems support system drive encryption. For example, Linux kernel 2.6 and newer have dm-crypt, and Mac OS X 10.7 and newer have FileVault 2. Windows has such support with BitLocker, but only in Enterprise/Business/Server editions, and only in Vista and newer. As stated above, Truecrypt is more portable, but often lacks the integration necessary to encrypt system drives, Windows being the exception.
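
One way to check which of the two ZIP schemes named in Solution 1 an existing archive uses, as an added example that is not part of the original answer. The function names are illustrative, and the sample archives are constructed in memory by patching header fields, so they contain no real ciphertext.

```python
import io
import struct
import zipfile

AES_BITS = {1: 128, 2: 192, 3: 256}  # strength byte of the WinZip AES extra field

def aes_strength(extra):
    """Return the AES key size from extra field 0x9901, or None if absent."""
    while len(extra) >= 4:
        tag, size = struct.unpack_from("<HH", extra)
        if tag == 0x9901 and size >= 7:
            return AES_BITS.get(extra[8])  # layout: version, "AE", strength, method
        extra = extra[4 + size:]
    return None

def classify(info):
    """Name the encryption scheme that one ZipInfo entry declares."""
    if not info.flag_bits & 0x1:           # general-purpose bit 0: entry is encrypted
        return "unencrypted"
    if info.compress_type == 99:           # method 99 marks WinZip AES
        bits = aes_strength(info.extra)
        return f"AES-{bits}" if bits else "AES (unknown strength)"
    if info.flag_bits & 0x40:              # bit 6: PKWARE strong encryption
        return "PKWARE strong encryption"
    return "ZipCrypto (weak)"              # encrypted, none of the above: legacy cipher

def audit(data):
    """Map every entry name in a ZIP (passed as bytes) to its scheme."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}

def constructed_sample(flags, method, extra=b""):
    """Build a one-entry ZIP whose central directory claims the given flags
    and method (constructed test data, not a really encrypted archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("secret.txt")
        zi.extra = extra
        zf.writestr(zi, b"placeholder")
    raw = bytearray(buf.getvalue())
    cd = raw.rfind(b"PK\x01\x02")          # central directory file header
    struct.pack_into("<HH", raw, cd + 8, flags, method)
    return bytes(raw)

AES256_EXTRA = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)

if __name__ == "__main__":
    print(audit(constructed_sample(0x1, 0)))
    print(audit(constructed_sample(0x1, 99, AES256_EXTRA)))
```

To audit a real file, pass its contents to `audit()`, for example `audit(open(path, "rb").read())`.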

Solution 2

One phrase - Full Disk Encryption, preferably with a nice, long, non-dictionary key. You might also look at systems that do this with an external keyfile. Basically, since the entire system other than the bootloader is encrypted, short of a direct memory access attack - that is to say use a FireWire or other device that has DMA to get memory contents and/or to use a cold boot attack to get information. Thwarting this is simple - just make sure the system is switched off, and battery removed just before you hand over the system. If it's just a hard drive, both these attacks are improbable.

I'd probably just give TrueCrypt a shot, use a VERY long, random password (length makes brute forcing harder, and randomness prevents a dictionary attack), and let him go to town with it. Alternately, some versions of Windows have BitLocker - which is a strong FDE option built into Windows. Likewise there are solutions for Linux like LUKS and dm-crypt.

Or fill a disk with random data... and see how long before he figures it out ;)

Solution 3

You could "hide" the file within an image? This might throw him off - or at least take him a little bit of time to figure out. Possibly.

http://lifehacker.com/282119/hide-files-inside-of-jpeg-images

Solution 4

I agree with the other TrueCrypt answer. However, I have one important point to add - the plausible deniability feature of TrueCrypt. What that means is that TrueCrypt doesn't leave any positively identifiable signatures on the disks/files it encrypts. So, nobody can prove whether a set of bits on disk are random bits or encrypted data. This is so important that it had implications in a recent court case.

Solution 5

Many of the answers posted are good answers.

As an addition, you may want to look at an asynchronous asymmetric encryption tool like GnuPG. It's a bit more complicated than encrypting within a ZIP file because you are dealing with public and private keys. I think I might have heard of some University in Europe cracking this type of encryption with very special circumstances. You would still want to put the passwords and keys on a USB drive, or somewhere other than the drive you will be giving the challenger.

Additionally, I once had a professor tell me that if you want something absolutely hidden, re-encrypt the encrypted file with a new set of keys. That way, if the first level encryption is somehow deciphered, the attacker wouldn't know it because everything would still appear encrypted.

Hope this helps.

Author by

F1234k

Updated on September 18, 2022

Comments

  • F1234k
    F1234k almost 2 years

    Let me give you some backup story first: A computer technician challenged me to give him my laptop and ask him for any piece of information that I wanted to "hide" in my hard drive. He claimed that he would be able to retrieve anything, no matter what I do to hide it.

    Since I do not appreciate absolute statements like: "and there is nothing you can do about it", I started thinking about this in my head. I realized that a very secure Operating System would not cut it, since he does not need to boot from this specific hard drive in order to find things in my hard drive.

    The generic question here is:

    Is there a way to completely secure all data in a hard disk? (I do not need detailed explanation on how to do it, I just need you to point me to a direction; I can read more about it myself)

    Specifically, I suspect that I may need:

    • An Operating System that is very secure and possibly encrypts all the data that it stores (no idea if such thing even exists).

    • If the above does not exist, is there a way to manually encrypt the data in my hard drive and still be able to boot from that hard drive?

    In general, I want to make the hard drive as least accessible as possible to anyone that is not me (= knows a specific password/key), so any solutions are welcome.

  • Dan D.
    Dan D. about 12 years
    Or even inside program binaries crazyboy.com/hydan
  • tvdo
    tvdo about 12 years
    But if you lose the flash drive or leave it behind somewhere? Oh dear... By the way, he said hide information, not files.. subtle difference, since encrypted information is essentially hidden. And it's theoretically possible to break any encryption.
  • Bon Gart
    Bon Gart about 12 years
    Someone says I can find you anywhere you hide if we play Hide and Seek... and this pisses you off so much that you have to change the game to TAG where they need to touch you in order to win. What if your hard drive crashes... Oh Dear. And encrypted information is locked away, not hidden. If you need a key, it is locked. If he found the encrypted file, does that mean he found the information? Did he ever say he had to be able to VIEW the information, or just FIND it?
  • Yamikuronue
    Yamikuronue about 12 years
    A piece of information != a file. Information would be gained by reading the contents of a file. Having the file but not being able to read it means the information inside is still hidden.
  • Rippo
    Rippo about 12 years
    TrueCrypt is what I have used, and I am very happy with it
  • Chad Harrison
    Chad Harrison about 12 years
    This is otherwise known as steganography.
  • emory
    emory about 12 years
    "I once had a professor tell me that if you want something absolutely hidden, re-encrypt the encrypted file with a new set of keys." is wrong for most cryptosystems. Consider ROTn. Encrypting ROTn(ROTm(x))=ROT{m+n}(X). The attacker won't even realize you did ROTn(ROTm(x)) but instead directly try to figure out m+n. There is no added security.
  • Chad Harrison
    Chad Harrison about 12 years
    @emory Interesting to note. Guess professors are people too. I think I understand what you are getting at. I'll check into that.
  • Bon Gart
    Bon Gart about 12 years
    I get it that you and Bob feel that "information" does not equal "file". Tell me. What exactly did the computer technician in this question think information meant? Did he mean to say "file"? Does he equate the two? You don't need super encryption. You could simply break this "information" down into small chunks, convert it to hex, and create directories in C:\Windows named those hex chunks. If you make them 32 characters long, they will appear to be normal directories. Only you know that if you translate the names back you have your information.
  • Nathan Long
    Nathan Long about 12 years
    One caveat when encrypting an existing unencrypted drive: if it's solid state, it may not be re-writing over the same sectors, because it varies them to extend the disk's life. So data on a solid state drive is really only safe if it was encrypted from the start.
  • josh3736
    josh3736 about 12 years
    "Thing is, most operating systems don't natively support booting from an encrypted hard drive." -- that isn't even remotely true. Windows has BitLocker, Mac has FileVault 2.
  • tanantish
    tanantish about 12 years
    Ah, random data :D Just like that bit in Cryptonomicon (more detailed reference not included cause it'd spoil one of the fun bits..)
  • emory
    emory about 12 years
    Better yet, remove the hard drive before giving it to the computer technician. If you give the hard drive along with the laptop there is no way to guarantee that you can access the hard drive which is part of the title premise.
  • Ben Voigt
    Ben Voigt about 12 years
    @Josh: Those are the operating systems with the most users, not most operating systems.
  • tvdo
    tvdo about 12 years
    @josh3736 while I did overlook those, BitLocker is only available for Enterprise and Ultimate 7, and Server 2008. That's leaving out Home, Professional and XP. That makes up a large proportion of users and operating systems. Macs may have actually done this properly.
  • josh3736
    josh3736 about 12 years
    @BenVoigt, that's a bit of a ridiculous argument to make. "Sure, the OSes used on 3/4 of desktops natively support FDE, but BeOS doesn't!"
  • josh3736
    josh3736 about 12 years
    @Bob, it's true you need the top-end edition of Windows 7 (or Vista) to use BitLocker, but the point is the OS does support FDE, it's just not enabled in the down-level editions. (I believe the down-level editions can mount BitLocker drives in read-only mode, however.)
  • tvt173
    tvt173 about 12 years
    Looks like the 5th amendment in the US might protect you from not giving out your password outsidethebeltway.com/… this one specifically mentions TrueCrypt privacycast.com/…
  • user
    user about 12 years
    GnuPG is not asynchronous, it's asymmetric (in its default mode). It also supports conventional (symmetric, same-key) encryption.
  • user
    user about 12 years
    Also, I imagine that the professor was referring to encryption algorithms a little more sophisticated than simple substitution ciphers. If you take a plaintext P, then encrypt it with (say) AES first with key K1 and then encrypt the resulting ciphertext with AES and a different key K2 (C = AES( AES(P,K1), K2 ), K1 ≠ K2) the resulting ciphertext will not have any resemblance to, say, the output of AES(AES(P,K2),K1) (key order reversal). This property does not hold for simple substitution ciphers such as ROTn.
  • Eugene Seidel
    Eugene Seidel about 12 years
    Can you still have a dual-boot system (Windows and Linux) if you use Truecrypt system encryption? Is there a webpage out there that addresses this specific question?
  • tvdo
    tvdo about 12 years
    @EugeneSeidel They would have to reside on different drives if you are using full disk encryption, and you would have to somehow get the Linux bootloader (GRUB) to chainload the Truecrypt one. The Linux drive would have to be encrypted separately, since Truecrypt doesn't have system encryption support on Linux (silly me, I did not notice before answering). Linux does offer native encryption, however. You should ask another question, or perhaps try this thing.
  • tvdo
    tvdo about 12 years
    @josh3736 Yea, I didn't actually do all the research at the time of answering. It's been corrected now (Windows is probably in the minority in not offering full native support, and I count "just not enabled" as not having it, since you can't use it). Read only is useless in terms of full system encryption.
  • Eugene Seidel
    Eugene Seidel about 12 years
    @Bob Thank you for replying. The Askubuntu answer is... well, terrifying (to me at least) but I will revisit there occasionally to look for updates.
  • vsz
    vsz about 12 years
    Or security through obscurity?
  • Chad Harrison
    Chad Harrison about 12 years
    @MichaelKjörling Thanks for the correction on asymmetric. I knew it was a-something, and sometimes I struggle with my recall. ;)
  • Chad Harrison
    Chad Harrison about 12 years
    I would be interested to know what court case that was.
  • anjaly
    anjaly about 12 years
    Here's the link ca11.uscourts.gov/opinions/ops/201112268.pdf Gist: TrueCrypt users cannot be compelled to divulge their passwords. 5th amendment applies.
  • drxzcl
    drxzcl about 12 years
    Are you using a CPU with hardware support for AES, such as Intel Sandy Bridge?
  • Ivan Kastorsky
    Ivan Kastorsky about 9 years