Encryption – It’s Not Just For The Paranoid
Recently I purchased a few external hard drives for backup purposes, and the first thing I did with them was to encrypt them using TrueCrypt. When I mention this to people, I generally get a sorta weird look. Sort of a “If you aren’t doing anything illegal [which I’m not, if you care], why do you need to encrypt your drives?”. While one could use encryption for nefarious reasons (and claim 5th amendment rights against forced decryption), there are a number of reasons why encryption of even non-sensitive data (i.e. my music collection) makes sense.
First, let’s talk about the costs of doing this. Using TrueCrypt, my product of choice (and a proven and secure open-source solution), the cost in dollars is $0. TrueCrypt is free, and runs on pretty much any operating system. The only other cost is time. On my computer, I was able to encrypt an entire 1 TB drive in just under 12 hours. To read or write files to this drive, I must mount it in TrueCrypt (Which takes about 5-10 seconds), and unmount it when I’m done (5-10 seconds). The speed of data writing/reading is a bit slower, however since I’m storing files there (and not doing video editing), it’s a negligible difference.
So those are the costs – a few seconds here and there, and an initial 12 hour investment if you want to encrypt an entire 1 TB drive (Encrypting smaller drives, or creating encrypted ‘containers’ (which look like files but act as small encrypted drives within a drive) takes less time).
And here are the benefits:
- Peace of Mind with Offsite Backup. You’ve probably heard before that you should keep a copy of your data ‘offsite’. This means, practically, ‘not in your home’. While online services are out there that can do this, for large chunks of data that you want to keep handy, the easiest way I know to do this is to keep a copy at your office or place of business. If that won’t work, your car (assuming it wouldn’t get burned up in the same fire that got the house), or a friend’s / parent’s house would also work. (Fireproof safes, while a good idea, shouldn’t be your only line of defense. Even if they protect the data, it might take days or weeks post-fire to get into them, so a true offsite solution maintains data security and data availability).So you have your offsite location picked out, and you have your external hard drive sitting there. Great. Now just schedule a task or calendar appointment to remind yourself to back up to it regularly, and you’re good to go – right? Well, maybe not. Most of us don’t have exclusive control of our workplaces. While we might have desk drawers that lock, or private offices, someone else usually has a key or can easily obtain one (If you don’t believe me, check out this site that will sell you any desk key you want, provided you can give them the number from the outside of the lock. Not exactly hard to get information!). Now imagine that someone gets into your desk, finds your external hard drive, and decides to power it up. Now they have access to your files, and while you might not have anything all that important in them, do you really want a stranger to have unbridled access to those files? They could peak at your resume, your vacation photos, your home movies, any backed up emails, word documents, budgets, etc… Nothing that will cause you to go to jail or compromise state security, but still – unsettling stuff.
- No Worries When Obsolescence occurs. So eventually that shiny 1 TB (or 2 TB, or 3 TB or whatever) drive is going to seem just as great as a 100 GB drive did 5 years ago. When that happens, do you really want to go through all the work to securely erase all of your personal information off of it? Or are you content to throw it out and let someone access everything because all you did was a quick format? If the data is encrypted in the first place, it’s never in danger or in need of secure deletion, provided the key is unretrievable by the finder.
- Got company data worth legal action over? Have you ever signed a Non-disclosure agreement? Ever read the fine print about what a company could do to you if you ‘leak’ out any of their information / databases / lists of customers / etc…? No one intends to break a NDA, however one of the most unfortunate ways one could be broken is through unencrypted hard drives. If you’re storing company backups with your own (because, say, you’re the IT guy at a small shop and it’s just easier to have a copy of the backup for piece of mind), then you need to secure it. Otherwise, bad things could happen.
- What’s the downside, exactly? So I’ve just made three good arguments for keeping your data secured. I told you that it takes me about 5-10 seconds to open my encrypted drive, and that read/write speed isn’t greatly impaired (If you’re encrypting a system partition, you might take care to use just 1 level of encryption with TrueCrypt, such as simply AES, since it’s secure and reasonably fast). So really, what is the excuse for not using some form of encryption? Remember, if someone gains access to your data, you can’t simply tell them “Sorry, I was ignorant and too busy to secure this stuff – can you please delete it and give me a second-chance?”.
So there you have it – some very good reasons why you might want to take a bit of time this week and encrypt your backup hard drives. It’ll give you some piece-of-mind, if nothing else.