Quarantine Computer Maintenance #1 — Device Encryption
Many people around the world are voluntarily or pseudo-voluntarily spending as much time at home as possible right now due to the global coronavirus pandemic. A theme that has sprung up lately is learning new skills, experimenting with cooking or baking, finally getting into a new hobby, etc.
Why not spend some of that time doing some of the regular maintenance computers and devices that often goes neglected? This is a wonderful time to catch up and build good habits.
First things first: make a backup! If that’s something that isn’t done regularly (or at all …) and isn’t a skill you possess, use Google. There a plenty of articles out there to help do it correctly and get an automated system in place.
The topic of today’s discussion, however, might sound like a little more than “routine maintenance” at first. Encryption is often seen as something complicated that lives solely in the realm of advanced computer users and paranoids.
Not true! Both MacOS and Windows 10 offer easy and convenient ways to enable encryption and it’s something every user should have turned on. It’s not so much about making sure that spies can’t access your files as it is making sure that just anyone who walks by can’t get their hands on them. Once we’ve gone over the basics of why encryption is important, we’ll go over how to enable it properly and make sure that you’ve got the information you need to be able to recover your data should you forget your password — a step which is frequently overlooked.
Like most topics in computing, encryption gets very complicated, very fast, the deeper you want to examine its inner workings.
Fortunately, on a surface level, it’s not too difficult to understand.
The basic idea is that when data is stored on your computer’s disks, it’s generally stored by default without encryption. What this means is that anyone who happened to have temporary physical access to your computer could pull out the hard drive, copy it, put it back, and you’d never have any idea all your files were now in someone else’s possession as well.
Another downside to not having your computer encrypted are situations where it’s stolen. This is more or less the same situation as above, except now you’d probably be aware (at least eventually) that your computer and its files were elsewhere, since they aren’t where you left them.
In both of these cases, without encryption it’s possible for someone to read virtually every file on the disk. From viewing your photographs to reading your Word documents; viewing your internet browsing history to possibly recovering passwords; reading emails stored in Apple Mail or Outlook (which is all of them, usually) to listening to your entire music collection.¹
Something that’s often overlooked though is that it opens up your Dropbox, Google Drive, Microsoft OneDrive, etc. to anyone who has physical access to the computer.
This is counterintuitive for many because in order to view those files normally you have to be logged in to the service. They’re password protected, right?
Not once they’re on your computer they’re not. Once you install the Dropbox application and log in, it downloads a copy of everything to your computer and keeps those files in sync with the ones that are up in the cloud behind password protection.²
What that means is that while someone on the internet couldn’t just open your Google Drive folders without having your Google account information, someone who has copied your unencrypted hard drive or stolen your computer gets a copy of all the files as they were at the last time of syncing with the server. If you’re like most people and leave the sync client running while your computer is on, they’ll have access to all the files in your cloud storage as they were the last time your computer was on and connected to the internet.
That’s not good!
It’s especially not good if you happen to share files with other people. Perhaps your family has a shared photo album where family members upload their vacation photos, or maybe you have a work folder synced up and there’s proprietary company data there. While you may have thought things were secure even though your computer is stolen because you need a password to access them online, you don’t need one to read them off of an unencrypted hard drive.
The most common argument I hear against encryption, aside from it being complicated (it’s not), is that it’s only for people who have things they need to hide. Well, perhaps you’re the sort of person who really wouldn’t mind if every document and photo you have on your computer was suddenly available to someone who stole it. There’s even some truth to that — what would they want with that information anyways?
There are a lot of things that can be done with seemingly innocuous data. A thief could find a list of your contacts on the computer and begin a phishing campaign, pretending to be you and asking them for money, passwords, etc. They could find your calendar information and track you down. They could go through that memoir you’ve been secretly writing for years and use it as a word list to guess your password. That chapter where you mentioned your mother’s maiden name, your first dog’s name, and your favorite band? Yeah, now they can reset your passwords and hijack numerous online accounts.
Even more than that though, while you may be fine with all your information being on display, the people who have shared documents with you — your friends, family, employer, etc. — may not be. Once you’ve accepted a file from someone you take a certain amount of responsibility for it and perhaps your cousin doesn’t want his honeymoon snaps from Aruba getting out. Or maybe your employer doesn’t want that finance Excel sheet you’ve been working on getting out. Even if there’s absolutely nothing harmful anyone can do with it, people deserve to have their desire for privacy respected.
It should be clear at this point that encrypting your computer’s drives is an important basic protection against thieves and others who may want to get at your information. The odds someone is going to sneak into your home and clone your hard drive are probably small. The odds your spouse who’s going to divorce you soon, your housemate who wants to play a prank, or anyone you know and trust doing it are much higher — it’s the same as with murder: it’s usually a friend or loved one who does it. That’s how trust works.
So, let’s get to work enabling encryption on your computer!
The process for MacOS and Windows only takes a few minutes to set up and then will run in the background as it goes through and copies all your old unencrypted data into an encrypted format. Once it’s encrypted it cannot be read by anyone who doesn’t have your password or the recovery key.³
An Important Note: During this process you will be given a recovery key. This is a long and annoying string of characters and numbers. Its purpose is to allow you to unlock your data if you forget the password you used to encrypt it. Because you can change the encryption password but not the recovery key, this is basically a back-door. Also, because your data is now encrypted, if you forget both the recovery key and the password, your data will be unrecoverable.
Let’s repeat that: if you forget both your password and your recovery key, your data will be unrecoverable. It’s gone, garbage, you’ll almost certainly never get it back without paying experts a lot of money to try and even then it’s a gamble. So don’t forget them!
An Equally Important Note: The recovery key will always unlock your drives and the data on them, so in addition to not losing it, you should also keep it secret. Don’t print it out and leave it sitting on the desk next to the computer or — I’ve actually seen this done more than once — tape it to the side of the computer. If you’re going to do that then you may as well just write your password down too and if you do that, there’s no sense in encrypting in the first place.
You thought I was actually going to walk you through enabling things, didn’t you?
I’ll do you one better. I’m going to link you to the guides published by Windows and Apple, which are the definitive sources of information on how to do this. They’re clearly written, succinct, and kept up to date by the maintainers of the operating system so you never have to worry about getting outdated information.
There are two things we just discussed that you need to be absolutely sure you pay attention to when you’re following these guides:
- Make sure you print out the recovery key, or write it down (and triple check you wrote it down correctly!) so that your data can be recovered even if you forget your password.
- Make sure you keep the recovery key somewhere you’ll remember and be able to find it, but also somewhere that isn’t so blatantly obvious anyone could find it.
If you’re using MacOS (previously known as OS X) then congratulations on choosing a superior computing product, and here is Apple’s guide to enabling their disk encryption system, known as FileVault.
https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac
If you’re using Windows 10 then let me offer you my condolences. Here’s the link for setting up Microsoft’s disk encryption system, known as BitLocker.
https://support.microsoft.com/en-us/help/4028713/windows-10-turn-on-device-encryption
And that’s that! Hopefully you can find 20 minutes during this pandemic to make sure your computer is safe and secure. You deserve the peace of mind.
Footnotes:
¹ Alright fair enough, in this case DRM may save you, but really what do you care if someone’s listening to your music? It’s just an example.
² To be pedantic here, that’s only the default behavior. Many services offer the ability to only download copies of files you’ve recently worked with, in order to save space. I know of virtually no one who makes use of that feature because it’s a real pain when you’re trying to get to a file you haven’t used in a week and you’re not connected to the internet (think: on an airplane).
³ Unless they’re a very clever hacker, or they have a lot of time and processing power on their hands, or they’re a state-sponsored intelligence group like the NSA. If you are worried that a state-sponsored government agent or agency will want to look at your files then please find a different guide to encryption because what’s on offer from MacOS and Windows is really not going to help you out at all. Veracrypt is an okay place to start.
