Data / HDD encryption

Mat99

Hi folks!

I'm a photographer, I do a lot of commercial work as well as private projects. I have double backup of my photos at home and one external as well and that works fine for me. But last week a friend of mine (a photographer as well) told me something that got me really worried. He was burgled, someone broke into his house and stole everything really. Including his PC and external drives. Now the main concern here is not missing data, we both use an external company for additional storage, but access to all those thousands of images that were stolen. That really got me thinking, it would be a DISASTER if all my images got stolen and were "out" on the market. I have quite a lot of "sensitive" stuff that should never be revealed to the public.
So, finally, here's my question: can someone recommend what would be the best way to protect/encrypt my data?

I currently have one 1TB "work drive" in my system. I then have another 1TB drive in there as my main "Backup". I have SyncToy set up once a day to sync both drives. I then have a third 1TB drive in an external enclosure, connected via eSATA, and another SyncToy task that syncs the Backup drive and this drive once a week. This drive is synced with a remote drive once a month.
So my main thing is to secure my 2 internal and 1 external drive.

I've read about and tried TrueCrypt, but I'm not sure if that's the best way. What worries me is the fact it uses an encrypted volume with all my stuff in it, and if there's one little error in the volume, I lose all my stuff, not just one file.
Another concern is syncing the drives. Can you even sync encrypted data?

So, does anyone know of a good way to protect the data?

TIA!!!
Mat
 

blackangst1

I believe TC will be your ideal solution. It doesn't matter what encryption method you use, there is always a possibility of losing your data. That's why you always have backups :) Also, your sync tools should work fine. Once you have your encrypted volume or container mounted, the OS treats it as a regular drive. Even if you have two encrypted volumes mounted, your sync tools will simply look at the drive letters you assign and sync as normal. Once sync is done, unmount and go.
 

Mat99

Thx for reply Blackangst1!

I've been playing with TC for a while now, it does seem to work nicely.
But my main concern is the possibility of an error in a single file corrupting the whole volume :S That sounds scary to me. I was hoping for something that would treat one file as one file (one image as one image) so if there's an error in one, I only lose that file and not the whole volume/drive/hdd :/
I know I have backups, but still. If an error occurs once a year, no problem, but once a month or once a week.. :/

Well, one vote for TC then :)
I hope I get some more responses from people that use something for the same purpose as I need it for.
 

blackangst1

If I'm understanding you... let's say you have 100 pics in your TC container. One is corrupt. Are you thinking this would make the container inaccessible? If so, that isn't true.
 

n0cmonkey

BitDefender, TrueCrypt, PGP. They're all fine. You don't have to encrypt a whole drive. You could split your work into groups and encrypt those groups individually.
 

Mat99

@ blackangst1: well, yeah. If I have a container sized 1TB, OS sees it as one file, so if that "file" corrupts, I lose everything. Right?

@ n0cmonkey: I would actually prefer to encrypt the whole drive. My "Work" drive is divided in 3 parts: Web, Design and Photo. I'd prefer to encrypt everything. Either as one drive or as three parts.
 

sourceninja

You don't have to do file container encryption with truecrypt. You can encrypt entire drives. Windows will see them as unformatted, but truecrypt will know what they are and mount them just fine.

My company uses truecrypt on every notebook we issue. We have not had any issues with corruption.

Honestly, any good encryption has risks. So backup often. Maybe consider getting some kind of offsite backup service.
 

Modelworks

In addition to TrueCrypt there is something else you can do with stuff that is very important to you. Make a folder with the files. Download QuickPar
http://www.quickpar.org.uk/

Par is a parity system. Basically what that means is if you build a par set and any file becomes corrupted or even missing, the par files can be used to recover that file. So if one becomes corrupt or two, all depends on the number of par files you made, you will not lose them. Also consider using rar/zip to compress the files into a single file and use its built-in functions to add recovery options. In that way you do not have to encrypt an entire volume. Just rar/zip up the files, put recovery options on, and add a password.
 

blackangst1

> You don't have to do file container encryption with truecrypt. You can encrypt entire drives. Windows will see them as unformatted, but truecrypt will know what they are and mount them just fine.
>
> My company uses truecrypt on every notebook we issue. We have not had any issues with corruption.
>
> Honestly, any good encryption has risks. So backup often. Maybe consider getting some kind of offsite backup service.

This. What I was trying, and failed, to say lol
 

Mat99

Yes, I know I can encrypt the whole drive (doing this as I type; for test purposes), BUT the same problem remains. If there's one error, one corruption, I can't access anything on the whole drive, correct? I've read loads of posts on TC forum and saw loads of horror stories.. people lost the password, TC won't recognize the drive, corruption found can't decrypt, etc, etc..
So I'm still worried to encrypt my whole 1TB drive with all my stuff on it, to act as a single file/drive. :/ I hope you know what I mean.. if I had every single file individually encrypted, I'd lose one file if something went wrong, not the whole drive with everything :/
The main problem here is accessing the encrypted drive in the first place, I know once I'm in, it acts as a normal drive and one file is one file.. but the access part is the problem/concern. If something goes wrong there.. and apparently it does go wrong from time to time, as other users have posted in TC forum... :/
I do/would have 3 copies of all the data on 3 individual drives, 2 internal and 1 external.. so there is some safety there. If one drive gets corrupted or something, I could format it and copy the stuff from one of the other two drives back onto it.

Yeah, I am leaning toward TC.. don't really see any other option.

A bit OT but let's say I will use TC.. what would be the best/fastest way to encrypt my stuff? Would it be better/faster to encrypt in place (can I even do that? Win XP pro) without moving the data or to move the data on another drive, encrypt the first drive, then move the data back onto it?



TIA!
Mat
 

Oakenfold

I use WinZip to encrypt for sensitive content / archival purposes. I'm not familiar with TC so I can't say how it compares but it sounds like TC is more for entire drives. I've only used WinZip to encrypt a few GB of data at a time and it can be a pain if you are trying to work from an encrypted archive (maybe that's my goofup and I should change the compression to 0 while I'm working from the archive).

The one thing that I can say is I've seen errors happen and it only seems to be related to the individual file, not necessarily the entire .zip. You might look into and confirm that however as I am not knowledgeable on the technical aspects of how it works (I just use it and this is my personal experience..).
 

blackangst1

> Yes, I know I can encrypt the whole drive (doing this as I type; for test purposes), BUT the same problem remains. If there's one error, one corruption, I can't access anything on the whole drive, correct? I've read loads of posts on TC forum and saw loads of horror stories.. people lost the password, TC won't recognize the drive, corruption found can't decrypt, etc, etc..
> So I'm still worried to encrypt my whole 1TB drive with all my stuff on it, to act as a single file/drive. :/ I hope you know what I mean.. if I had every single file individually encrypted, I'd lose one file if something went wrong, not the whole drive with everything :/
> The main problem here is accessing the encrypted drive in the first place, I know once I'm in, it acts as a normal drive and one file is one file.. but the access part is the problem/concern. If something goes wrong there.. and apparently it does go wrong from time to time, as other users have posted in TC forum... :/
> I do/would have 3 copies of all the data on 3 individual drives, 2 internal and 1 external.. so there is some safety there. If one drive gets corrupted or something, I could format it and copy the stuff from one of the other two drives back onto it.
>
> Yeah, I am leaning toward TC.. don't really see any other option.
>
> A bit OT but let's say I will use TC.. what would be the best/fastest way to encrypt my stuff? Would it be better/faster to encrypt in place (can I even do that? Win XP pro) without moving the data or to move the data on another drive, encrypt the first drive, then move the data back onto it?
>
> TIA!
> Mat

As has been previously mentioned, there's ALWAYS a risk with encrypting. Doesn't matter what product you use. That's why it's important to have regular backups (encrypted of course).

I think you may be misunderstanding how TC works based on this comment:

> if I had every single file individually encrypted, I'd lose one file if something went wrong, not the whole drive with everything

When you use TC, it doesn't encrypt every file individually but rather creates a container to put all your docs in. Yes, it encrypts on the fly. In other words, you drag anything into the container, it's now encrypted. That's quite different than having say a large folder with hundreds of encrypted things inside. Once TC is closed, or unmounted, you can't see what's inside. All you see is one container or drive (however you decide to do it). If you have a 1TB drive fully encrypted, with say 250 items inside, and one of those (or 10 for that matter) becomes corrupted, it doesn't affect the rest of the data. You just have one (or 10) bad files. The only way you would lose the entire thing is if you forget your passkey, your header becomes corrupted (which can be recovered BTW if you set it up right), or something like that.

Can the entire container or drive become corrupted? Sure, but it's pretty rare. But again that's why you should back up. If you have say a 1TB drive, maybe what you can do is have two 500GB containers. One as your main, one as your backup. Then periodically drag and drop what you need into the backup.

Regarding what you're reading on TC forums, well... I sent you a PM. Not gonna put that on a public board.
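
The distinction drawn in the post above (a damaged sector stays local, a damaged header blocks the whole volume, a header backup restores access), as an added example that is not part of the original thread and is not TrueCrypt's code. It is a toy sector-encrypted volume in Python; the cipher, the header layout, the iteration count and all names are constructed for illustration.

```python
import hashlib
import hmac
import os

SECTOR = 512  # constructed sector size for the toy volume

def _keystream(key, sector_no, n):
    # Toy per-sector keystream (HMAC-SHA256 in counter mode); NOT TrueCrypt's cipher.
    out, ctr = b"", 0
    while len(out) < n:
        msg = sector_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_header(password, master_key):
    # Header = salt + master key wrapped under a password-derived key + check tag.
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", password, salt, 1000, 32)  # demo iteration count
    wrapped = _xor(master_key, _keystream(kek, 0, 32))
    return salt + wrapped + hmac.new(kek, wrapped, hashlib.sha256).digest()

def open_header(password, header):
    salt, wrapped, tag = header[:16], header[16:48], header[48:80]
    kek = hashlib.pbkdf2_hmac("sha256", password, salt, 1000, 32)
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, hashlib.sha256).digest()):
        return None  # wrong passphrase or damaged header: volume cannot be mounted
    return _xor(wrapped, _keystream(kek, 0, 32))

def crypt_sector(master_key, sector_no, data):
    # XOR stream: the same call encrypts and decrypts one sector independently.
    return _xor(data, _keystream(master_key, sector_no, len(data)))

def demo():
    password = b"constructed passphrase"
    master_key = os.urandom(32)
    header = make_header(password, master_key)
    header_backup = bytes(header)  # the "set it up right" step: keep a header copy
    files = [bytes([i]) * SECTOR for i in range(8)]  # 8 constructed one-sector files
    volume = [crypt_sector(master_key, i, f) for i, f in enumerate(files)]

    # 1) Damage one data sector: only the file stored in that sector is affected.
    volume[3] = bytes([volume[3][0] ^ 0xFF]) + volume[3][1:]
    key = open_header(password, header)
    plain = [crypt_sector(key, i, s) for i, s in enumerate(volume)]
    damaged_files = [i for i in range(8) if plain[i] != files[i]]

    # 2) Damage the header: nothing mounts until the backup copy is restored.
    bad_header = bytes([header[0] ^ 0x01]) + header[1:]
    mount_with_bad_header = open_header(password, bad_header)
    mount_with_backup = open_header(password, header_backup) == master_key
    return damaged_files, mount_with_bad_header, mount_with_backup

if __name__ == "__main__":
    print(demo())
```
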
 

sourceninja

Exactly, even if you are not encrypting anything, you still need to have regular backups of your data. Losing the encrypted container should not be a concern because you should have at least a week old backup to revert to.
 

Mat99

Thx guys!

@oakenfold: winzip is not an option. I need encryption for my working drive (which I access daily) as well, not just backups.

@blackangst1: I do understand how TC works, I've actually read the whole manual ;)
My point was, I still have all the files inside one container/drive, so if that container/drive gets corrupted I lose everything. As opposed to using file by file encryption, like I use PGP for some of my other more sensitive files, where if one file gets corrupted I only lose that file. But like you said, it rarely happens that you lose the whole container, so fingers crossed :)

I think I'll go with the TC after all. I did find two other programs that got some high marks: http://www.freeotfe.org/ and http://diskcryptor.net/index.php/Main_Page but TC looks more popular.
I can't split my drive into two containers, have around 650GB of data on a 1TB drive.
So I'll set it like this:
INTERNAL 1TB WORK DRIVE - TC
INTERNAL 1TB BACKUP DRIVE - TC (daily copy of work drive)
EXTERNAL 2TB BACKUP DRIVE - TC (weekly copy of internal backup drive)
So I'll have 3 copies of my stuff, hopefully, that's enough to avoid data loss.

@sourceninja: I'll have 2 backups, so that should be enough.. hopefully :)
 

Modelworks

If the files are important enough also consider making an offsite backup. I know many people who back up regularly to external drives, DVD, etc. But they put the backup on the shelf in the same room as the PC. If something like a fire/tornado, hopefully not, occurs then you not only lose the property but all your data too.

I recommend at least once a month take a backup to a friend's home or family.
 

sourceninja

I use CrashPlan for offsite backups. My friend and I each bought a 1TB drive and keep it hooked to our home computers. Then we installed CrashPlan. CrashPlan does automatic diff based backups to either their paid service, or anyone you want to share your 'code' with. It allows you to provide your own key for encryption, so there is no way my friend can ever read my data, and no way I can ever read his. In this way we each have offsite backups.

It also allows you to set up multiple targets, allowing you to have a backup to a computer in your house or a USB drive, then back up offsite to a friend or two, and their paid service if you want.

It's a great piece of software.
 

Mat99

We're getting a bit OT here, but anyhow..

I do use an external service for my most important files (around 10GB), but not for all my files (750GB+). It's simply not practical. Even with a broadband connection, it takes a LONG time to upload 30-50GB that I do in a month.
I was planning to encrypt one external drive and give it to a friend, then sync it once a month or something.

I checked out that Crashplan software and it does look interesting. I'll probably use it in the future. Thx for the tip.
 

theevilsharpie

You said that you're using XP Pro, so you can also use Windows EFS. EFS encrypts individual files, so if you're concerned about using an encryption product that uses a single large container, EFS may better meet your needs.

EFS uses your Windows account credentials to generate the encryption key, so if you decide to go that route, make sure you use a secure password. Also, make sure you back up your EFS encryption certificate.
 

Jjoshua2

Yah I was wondering why no one was talking about using the NTFS encryption or Vista's Win7 new one.
 

Jjoshua2

Could you explain it a little more? Are you saying those two encryptions aren't as provably secure as TC?
 

theevilsharpie

> Personally, encryption I can't audit is encryption I can't trust.

Even if you could audit it, how do you know the hardware is processing the encryption in a secure manner :hmm:

> could you explain it a little more? Are you saying those two encryptions aren't as provably secure as TC?

Sourceninja is attempting to argue that open source encryption applications like TrueCrypt are more trustworthy than proprietary encryption applications because the source code is available for review, making it less likely to contain malicious code.

However, this argument fails to account for a number of facts:
  • Even though the source code is available, few people have the skills to competently audit the security of the entire application. Even fewer people are willing to do so voluntarily.
  • Even if the source code is provably secure, there's no realistic way to ensure that the hardware is capable of maintaining the security of the code during execution.
  • With regards to Microsoft, claiming that open source encryption is more secure than built-in Windows encryption simply because it's open source is incorrect, as the source for Windows is available for review.
 

blackangst1

Based on the OP, single file encryption is in no way a good option. Maybe that's why it hasn't been brought up?
 

sourceninja

> Even if you could audit it, how do you know the hardware is processing the encryption in a secure manner :hmm:
>
> Sourceninja is attempting to argue that open source encryption applications like TrueCrypt are more trustworthy than proprietary encryption applications because the source code is available for review, making it less likely to contain malicious code.
>
> However, this argument fails to account for a number of facts:
>   • Even though the source code is available, few people have the skills to competently audit the security of the entire application. Even fewer people are willing to do so voluntarily.
>   • Even if the source code is provably secure, there's no realistic way to ensure that the hardware is capable of maintaining the security of the code during execution.
>   • With regards to Microsoft, claiming that open source encryption is more secure than built-in Windows encryption simply because it's open source is incorrect, as the source for Windows is available for review.

I'm not attempting to argue anything. I'm saying I personally don't trust encryption to a company that will not let me verify and compile the source myself. Does that mean their encryption isn't good? Nope. Does that mean they are working with the government to put in back doors? Nope. It just simply means I don't trust it.

In terms of Windows. MS source being available is a far cry from being open. I can't compile it myself to make sure nothing was stuck in the binary beyond the source I had access to, and if I do read it I risk every project I work on being considered 'tainted'. Furthermore, I just spent 6 minutes trying to find a link to get the Windows 7 source code for free and came up empty handed.

Furthermore, you seem to be implying that because you can't verify one part of the trust chain (your hardware, which is debatable) then you shouldn't bother verifying anything. At that point, why bother with encryption at all? Although your basic message is true. If you want real encryption, you need to not only verify your encryption program, but the algorithm, the operating system, and the hardware.

In the end you need to decide what level of security is good enough for you. For me, using encryption programs I can compile myself, verify the source if I choose, and an operating system where I can do the same is good enough. For you, maybe that is overkill. Does it mean I have a higher level of security than you do? Nope, but it does mean I have a higher level of security that I can verify if I was to choose to do so.
 
