These are tips on securing your files on a laptop or desktop.
Full-disk encryption makes it nearly-impossible for someone to inspect the contents of your laptop (or desktop) while it is turned off.
Most full-disk encryption solutions do not protect your laptop while it is turned on. Make sure that your laptop is turned off when going through airport security or a border crossing.
Below are some full-disk encryption solutions for different types of laptops:
VeraCrypt is one of the most powerful encryption tools on the market. It is free to use and the project is developed in the open, allowing independent security researchers to audit it. If you read below, VeraCrypt also has a powerful feature to hide the existence of an operating system from computer forensics experts.
Another option for Windows laptops is BitLocker, a proprietary solution from Microsoft. Because BitLocker is proprietary, its source code cannot be audited for backdoors that might allow governments to decrypt your laptop without your password. If this concerns you, stick to using VeraCrypt. BitLocker is typically not available for the "Home" editions of Windows--instead requiring the "Pro" or "Enterprise" editions.
When you set up FileVault encryption on a Mac laptop, it asks if you want to back up your encryption key to iCloud. This may prove useful if you lose your encryption key, but backing up the key to iCloud gives law enforcement or another adversary a way to unlock your laptop.
LUKS is a tool to encrypt hard drive partitions used by Linux computers. It is easiest to set up when you are installing a Linux desktop distribution for the first time. Like VeraCrypt, LUKS is a free and open-source tool that computer security experts can audit.
Remember, if your laptop is turned on, the contents of the disk can be read--even if you have enabled encryption and a password. To benefit from the advantages of full-disk encryption, you must have turn off your laptop before you encounter authorities.
Computer security expert Bruce Schneier has detailed a process for crossing airport or border security while deliberately forgetting the encryption password.
VeraCrypt's full disk encryption is only for Windows machines, but VeraCrypt can create encrypted files or drives that are accessible across multiple operating systems.
VeraCrypt's documentation offers instructions on creating encrypted filesystems. If you want to make your volumes accessible across Windows, Mac OS X, and Linux, choose one of the following filesystems:
- FAT32. This filesystem can be read by almost any operating system on Earth, but it cannot store files larger than four gigabytes.
- exFAT. This is a filesystem developed by Microsoft as a successor to FAT32. It is supported in the latest versions of Windows, Max OS X, and most desktop Linux distributions. However, exFAT support may not be available on older operating systems.
VeraCrypt can also create Hidden Volumes, where you have an encrypted file or drive with two passwords--a decoy password you can give away if you are being coerced, and a real password that gives access to the hidden volume. VeraCrypt hides these volumes in such a way that a computer forensics expert can detect the decoy volume, but not the hidden volume contained within.
If you encrypt your hard drive with traditional encryption, your adversary might simply coerce you into giving them the password. VeraCrypt Hidden Volumes (mentioned above) are a solution, but you might accidentally leave evidence of your hidden volume on your operating system when accessing it.
To solve this, VeraCrypt can encrypt your entire operating system with hidden volumes. The feature, called Hidden Operating System, works by creating two operating systems on your computer:
- The decoy operating system. This operating system is detectable under forensic analysis, but the contents are encrypted and only readable to someone with the password.
- The hidden operating system. This operating system is hidden within an encrypted area of the hard drive. A forensic analyst cannot distinguish the existence of this operating system from the encrypted data of the decoy operating system. The hidden operating system has its own encryption password. Typing in this password when the laptop boots up is the only way to identify the hidden operating system's existence.
Your adversary may know that VeraCrypt has the ability to create hidden operating systems, but you can credibly state that you use VeraCrypt without this feature--and that the decoy operating system password is the only password you have to give.
Flash drives can contain malware, which might immediately execute when plugged into a laptop.
Computer hackers commonly drop interesting-looking flash drives where targets might find them and plug them into a computer. This tactic is highly effective because it doesn't use the Internet and thus bypasses the network security controls in place at major corporate and government computer networks.
If you need to load files from someone else into your computer, you have several options:
- If the other person is far away, try email or a file-sharing app like Dropbox. However, this requires you to be connected to the Internet, which could help de-anonymize you.
- If the other person is nearby, try Bluetooth File Sharing or a proprietary protocol like Apple's AirDrop. You can do this without either the source or destination computer or phone being connected to the Internet, but having your Bluetooth or Wi-Fi radio turned on still represents a security risk.
Even if you are not actively browsing the Internet, many computer programs periodically "phone home" to remote servers to collect updates:
- Email clients may phone home to automatically fetch new emails.
- Various computer programs may phone home to check if you are using the program with a valid license key.
- Various computer programs send information about your computer when they crash or experience an error.
- Malware may phone home in order to reveal your location or send your files to computer hackers.
Even if you are using Tor or another proxy, many of these programs connect directly to the Internet and reveal your location to whoever is on the other end.