The New Oil


Device Encryption

Encrypting your devices is essential to protect them from unauthorized access. I recommend prioritizing devices that are easily portable. Phones should be encrypted because they are lost and stolen often and contain sensitive information (though if you followed my advice, there should be less sensitive data on your phone than on most people’s). Next are laptops, even if you never take them off your desk or out of the house: it’s easy for a thief to pick one up and take off with it, so they should be encrypted. The same logic goes for external hard drives, thumb drives, and other similar devices. Finally, desktop computers. Encryption is free, so I recommend encrypting everything you can; just be careful not to forget your password, and keep diligent backups.

Encrypting phones is easy. Both Android and iOS are automatically encrypted if you assign a lock PIN, pattern, or other form of authentication. I recommended enabling this feature earlier. Encrypting desktops and laptops takes a little more effort. Mac devices come with a proprietary encryption program called FileVault. This is relatively secure and easy, so it should work for most people. Some Windows editions also come with an easy-to-use proprietary service called “BitLocker” that should work for those who have it. Most Linux distributions also offer the option to full-disk encrypt your device with LUKS during installation. If you have a Windows device without BitLocker, or if you don’t want to use proprietary encryption software (or LUKS), then I recommend VeraCrypt. VeraCrypt is free, open source software that supports various forms of encryption. For most of my readers and in most cases, use “full disk encryption,” meaning that the entire device is encrypted completely.

Enabling Full Disk Encryption With VeraCrypt

  1. Select the “System” menu and then “Encrypt System Partition/Drive…”
  2. Select “Encrypt a non-system partition/drive”.
  3. Pick “Normal”.
  4. Then “Encrypt the Windows system partition”.
  5. Make sure the algorithms are set to AES and SHA-512.
  6. Select a good passphrase.
  7. Move your mouse around randomly until the bar at the bottom is full and green, then click “Next”.
  8. Click “Next”.
  9. Select a location for the rescue disk.
  10. Follow the instructions on this part and store the file and/or USB stick somewhere safe. Even something as simple as a routine update has the potential to go wrong and the only way to recover your data will be to decrypt the drive using this USB.
  11. Once the Recovery Disk has been successfully verified, click “Next”.
  12. Select a Wipe Mode. For most people, I believe 3-pass will offer the best blend of protection and speed. Be aware that the higher the number, the longer this can take (as explained on the next screen).
  13. After that, you will be asked to let VeraCrypt test your system to ensure everything is compatible and working properly. When you click “Test”, your system will restart and you will be prompted to enter your encryption passphrase before your computer boots up. In most cases, if the test fails, your system will reboot and cancel the operation. In rare cases, you may need to use your Recovery Disk to fix any issues.
  14. If the test was successful, VeraCrypt will automatically start after logging in and prompt you to begin the encryption process. Make sure you have made a good backup of your files just to be safe, then click “Encrypt” when ready.
  15. VeraCrypt will begin encrypting your system. Depending on your device and the Wipe Mode, this may take a few minutes or a few hours or longer. If at any point you need to pause the encryption - like to shut down your device - you can hit the “Defer” button and safely resume the process at a later date.

Encrypting External Disks With VeraCrypt

To encrypt external disks - such as backup drives - follow these steps:

  1. Select the “Tools” menu and then “Volume Creation Wizard”
  2. Select “Encrypt a non-system partition/drive”
  3. Select “Standard VeraCrypt Volume”
  4. Select “Select Device”
  5. Select the disk and partition you wish to encrypt
  6. Select “Create encrypted volume and format it” (WARNING: this will wipe all the data already on your disk)
  7. Select “AES” as the Encryption Algorithm and “SHA-512” as the Hash Algorithm
  8. Verify that the disk size is correct (Note that it may be slightly smaller than the advertised space. In this example, my USB stick is advertised as 16GB. This is normal.)
  9. Select a good password or passphrase
  10. Answer if you’ll need to store large files (such as video) or not
  11. Move your mouse around randomly until the bar at the bottom is full and green, then click “Format.”
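
A quick way to confirm that the external-disk procedure above took effect, as an added example (not from the original page or the VeraCrypt project): the script reads the first 64 KiB of a partition and reports whether it still carries a plaintext filesystem signature or looks like random data, as a VeraCrypt volume does. The function names, the 7.9 bits-per-byte threshold and the sample data are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

SAMPLE_SIZE = 64 * 1024  # read only the first 64 KiB of the device

# (offset, magic bytes, verdict) for on-disk formats that identify themselves.
SIGNATURES = [
    (3, b"NTFS    ", "plaintext NTFS"),
    (3, b"EXFAT   ", "plaintext exFAT"),
    (82, b"FAT32   ", "plaintext FAT32"),
    (3, b"-FVE-FS-", "BitLocker volume"),
    (0, b"LUKS\xba\xbe", "LUKS volume"),
]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from the byte histogram (0.0 to 8.0)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def classify(head: bytes) -> str:
    """Classify the first bytes of a disk or partition."""
    for offset, magic, verdict in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return verdict
    # A VeraCrypt volume carries no signature and looks like random data.
    # High entropy is consistent with that, but a random-wiped disk looks the same.
    if len(head) >= 4096 and shannon_entropy(head) > 7.9:
        return "no signature, high entropy (consistent with VeraCrypt)"
    return "no signature, low entropy (blank or unknown)"

def inspect(path: str) -> str:
    """Read the start of a device or image file (raw devices need admin/root)."""
    with open(path, "rb") as f:
        return classify(f.read(SAMPLE_SIZE))

def constructed_samples() -> dict:
    """Constructed inputs for a self-test; no real disk is read."""
    ntfs = (b"\xeb\x52\x90" + b"NTFS    ").ljust(SAMPLE_SIZE, b"\x00")
    # SHA-512 in counter mode stands in for an encrypted volume's contents.
    blocks = (hashlib.sha512(i.to_bytes(8, "big")).digest() for i in range(SAMPLE_SIZE // 64))
    return {"ntfs": ntfs, "random": b"".join(blocks), "blank": bytes(SAMPLE_SIZE)}

if __name__ == "__main__":
    for name, head in constructed_samples().items():
        print(f"{name:7} -> {classify(head)}")
```

Point `inspect()` at the partition you encrypted, opened with administrator or root rights; a result of plaintext NTFS, exFAT or FAT32 means that partition was not encrypted by the wizard.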