The Safest Way to Protect Sensitive Computing Files
Using an external hard drive with its own encryption program offers the best data security.
One solution is to encrypt the sensitive files. But this can be asking too much, technically, for the computer user, many of whom are not techies. Then too, there's human error: someone can just forget to encrypt a sensitive file.
The ultimate in protection is often thought to be whole disk encryption (a.ka. full disk encryption).
Someone I know, who works for a large company, was recently assigned to encrypt their laptop hard disk with a software-based whole disk encryption product. The software runs very early in the startup process and encrypts/decrypts everything on the hard disk.
There is no possibility of forgetting to encrypt a file and no burden on the computer user to do anything differently while using the computer. If the computer is lost or stolen all the files are encrypted.
What's not to like about whole disk encryption?
Surprisingly, a lot.
The Downside To Whole Disk Encryption
For one thing, you've placed all your eggs in a single basket. Any problem with the whole disk encryption software renders the entire computer useless.
The person I mentioned earlier almost had this happen to them. During the boot process one day, the screen froze, displaying the message "boot guard loading."
Fortunately, in this case simply turning the computer off and back on again got it going. But if the problem hadn't gone away on its own, the cost to the company and the employee would have been huge.
When you chose a whole disk encryption application, you're making a big bet on the competence and timeliness of the tech support from the vendor. Not to mention the ongoing cost of tech support.
In the worst case, the only fallback position would be to restore the hard disk using a prior image backup. How many people or companies do you know that regularly make image backups?
Hard drives also fail, typically a sector at a time. Most sectors on a hard drive can go bad without a fatal impact. The exception is the MBR and probably some internal to the file system. Being dependent on a software application to boot up your computer just adds more sectors to the list that can't fail.
Even if the whole disk encryption software works perfectly, if it's stored on a hard drive sector that goes bad, the computer is useless until the hard disk is replaced.
While the protection offered by whole drive encryption is widespread in terms of files, it is, at the same time, limited to when the computer is turned off (or possibly hibernating). If someone swipes a laptop while it's sleeping, they can access the sensitive files.
Thus, anyone who works in an office gets no protection during the workday when they step away from their computer.
One whole disk encryption product that I looked into does protect the computer when it's hibernating. But even here, we're back to depending on the computer user to place the machine in hibernation every time they step away from their desk.
Is that realistic? I'm not sure if other whole disk encryption products offer protection during hibernation.
Another problem with whole disk encryption comes up when a computer needs to be worked on by a tech support person. If the repair person is given the password, they have access to all the sensitive files. Not good.
I recently wrote a trio of articles here about scanning for viruses and other assorted malicious software (malware) from outside the infected operating system. It's a great approach and one that's all too necessary.
It's also impossible on an encrypted hard drive.
Whole disk encryption also complicates disk imaging. For example, I'm a big believer in segmenting my operating system and applications in one partition and my data files in another partition. I make image backups of the OS partition and file oriented backups of the data partition.
But, this may not a viable approach on an encrypted hard drive. Getting a straight answer on this from the vendor of either the imaging program or the whole disk encryption program is likely to be difficult. And, there may be multiple answers because some imaging backup programs run from inside the operating system while others run from a bootable CD.
Upside to External Hard Drives for Security
Consider storing sensitive files on an external hard drive. Not just any drive of course, but one like Lenovo's ThinkPad USB Secure Hard Drive which uses hardware based whole disk encryption.