by Dustin Sklavos

Securing Your Data With Software

Recently I put together a brief article on data security and encryption for removable flash drives. Companies like SanDisk had a major loophole in their security software exposed, bringing up the question of just how reliable software-based encryption is for securing your data as opposed to using more costly hardware-based alternatives like IronKey's flash drives.
That said, there's that word again: costly. Unless you're in enterprise where money is going to be less of an issue, you're likely going to find yourself barking up software-based encryption's tree.
The most important thing to understand is that nothing is foolproof. Saying something can't be hacked or cracked is the quickest way to get it hacked or cracked, and the entertainment industry's repeated Pyrrhic victories with digital rights management should be proof enough of this.
In fact, as I write this, the Trusted Platform Module – a piece of hardware installed on some motherboards to facilitate hardware-based full-drive encryption – has actually been hacked. It wasn't easy, and the TPM has been around for a while, but this exists as proof that just about anything can be hacked or cracked with enough effort applied to it. Thus the big question becomes: just how much effort needs to be required to bypass the security? The man who hacked the TPM had to use chemicals and tiny needles to play with the core of the chip itself.
As far as encryption goes, at the most basic level there are two ways to get past it: brute force and circumvention. Brute force involves trying keys until one works, while circumvention will typically try to find some way to either get the key, spoof the key, or otherwise take the key out of the equation. And that's really the major difference between hardware and software-based encryption: hardware is generally going to require more than tooling around (again, see the TPM hack above), while software is much more accessible to circumvention.
Of course, Average Joe is unlikely to have access to the software tools required to do a proper hack, and that's what makes software-based encryption satisfactory for most people. If you're in the situation of having to carry fairly important data on you that you wouldn't want someone else to get access to – and this includes not just USB flash drives but laptop hard drives as well – then one of these options may be what you're looking for.
The first big option available is BitLocker, which is included in the Enterprise and Ultimate editions of Windows Vista and Windows 7. BitLocker provides a means of fully and transparently encrypting hard drives, and in Windows 7 also allows for encryption of USB flash drives.
A major point to make, however, is that BitLocker isn't entirely hardware-independent. Most implementations require the inclusion of a TPM chip on the motherboard, although BitLocker can also be designed to use a USB flash drive as a physical “key” where you plug the drive into the system at boot, thus unlocking it and allowing operation.
If you don't have Windows 7, this might be a good incentive for you to ugprade to the Ultimate edition, as BitLocker can also be used to encrypt removable USB flash drives in Windows 7.
There are other software-based solutions like TrueCrypt, which are free to download and use. TrueCrypt creates an encrypted volume on a drive that must be accessed through software. TrueCrypt itself is open source, but there are also many proprietary software options available for those that need encryption. Whether or not security software that is open source or proprietary is more secure is a touchy question best left off the table at this level, as it tends to touch off the kinds of arguments you typically only experience from politics or religion.
Nonetheless, there are a frankly alarming number of ways you can encrypt your data; Wikipedia provides an exhaustive list of encryption software options for those interested in doing further grunt work.
If anything, my big message is that if you need to encrypt your data, there are ways to do it in software, and that though software-based encryption is by default going to be more vulnerable than hardware-based encryption, it's not necessarily a bad solution. When choosing a means of securing your data, think of it in the same situation that you'd choose a means of securing your home or your car or your office: you're generally not going to be installing retinal scanners at every access point of your house and steel bars to prevent intrusion. Think about the people you're specifically trying to keep your data from and then choose accordingly.
Casual thieves who are just looking to make a quick buck off of stealing your laptop or flash drive may not even actually try to look at the contents. If they do, they may just browse out of curiosity or even try to find a means of stealing your identity cheaply. These casual thieves aren't likely to possess the means necessary to break through stronger encryption schemes or use software to sniff the system RAM for the key, so something like TrueCrypt may be more than adequate under the circumstances. 

If you're genuinely concerned about laptop security, Windows 7 Ultimate and a computer with a TPM chip are going to be the way to go. But for most flash drive users, some basic software encryption should be plenty. 

Discuss This Story