File Privacy Basics for Hard Drives

Michael J. Ross

This article was published by Nomadtopia Collective, on their website.

If you own one or more computers, then on their hard drives you probably store a variety of personal files, none of which you would want a stranger accessing. They consist of the types of personal files that immediately come to mind — such as photos and videos of family and friends, account statements downloaded from the websites of your bank and broker, image scans of passports and other important documents. But they also consist of highly sensitive files that people often neglect to consider or don't even know exist — such as password manager database files, web browser cached images from adult websites, URLs of dating sites saved in your web browser's history.

Various snoops would like to gain access to your private files, and their profiles depend on your unique situation. For instance, if you are a college student living on campus, you may have a nosy roommate who can see when you leave your computer unattended and logged in. If you work away from home during the day, a thief breaking in could easily steal your computer. If you are traveling internationally — especially through countries hostile to your own government — then immigration agents and foreign intelligence officers may try to gain access to your computer's contents. This is true even for Americans returning to the United States.

So it would behoove you to know how to prevent anyone else from examining any of the files on your computer, or at least those that you deem too personal for public consumption. In this article, I will consider the leading options for encrypting entire volumes or partitions, for computers running macOS, Windows, or Linux.

FileVault

Any relatively new Mac desktop or laptop — running Mac OS X version 10.3 or later, up to the latest macOS — can use FileVault, the built-in disk security program made by Apple. It provides state-of-the-art encryption, using the AES cipher with 128-bit blocks and a 256-bit encryption key. The newer version, FileVault 2, utilizes as its encryption passphrase the user's system login password, thus doing away with the separate master password utilized by the predecessor version.

FileVault on OS X El Capitan
Figure 1. FileVault on OS X El Capitan

If the user system login password has been lost, then apparently access to the files can be regained using the 120-bit numeric FileVault recovery key, which the user can optionally store with Apple, so they could provide it to the user in the case of catastrophic loss.

To enable FileVault on your Mac computer, go to System Preferences > Security & Privacy > FileVault. Click the padlock icon, enter an administrator name and password, and click the "Turn On FileVault" button.

BitLocker

For machines running Windows Vista or later versions, Microsoft offers BitLocker, which features comparable whole-disk encryption, as well as the same level of AES encryption, as that of FileVault.

BitLocker in Windows 10
Figure 2. BitLocker in Windows 10

Unlike FileVault, BitLocker allows encryption of non-operating system volumes. This can be a significant advantage for travelers flying out of airports where they might be required to turn on their laptops — thereby presumably demonstrating that it is not an explosive device — but also required to login. In such a scenario, security officials and thieves could gain access not only to the user password but also all of the files on the operating system volume. One would want to have all sensitive files on a separate, encrypted volume.

Unfortunately, BitLocker is not available on Windows 10 Home, the consumer-grade edition that is the most common one preinstalled on preconfigured PCs. To make use of the program, you must either start off with one of the other editions or upgrade to it.

To enable BitLocker on your Windows computer, log into a Windows administrator account. Go to Settings > Update & Security > Device Encryption. If device encryption is turned off, select Turn On.

VeraCrypt

While BitLocker and FileVault are certainly robust and well-supported solutions recommended by many security professionals, they do have some downsides. Firstly, their source code is proprietary and thus its integrity has only been checked by the software engineers of the respective company. Secondly, the US federal government has for many years been putting pressure on those two companies to provide US intelligence agencies with back doors, to access the files of targeted individuals without their knowledge. While all of the evidence suggests that the two companies have resisted such efforts, there is no guarantee that they will continue to do so in the future.

If you are running Linux, or you are running macOS or Windows and don't want to trust those vendors, then your best option is to use VeraCrypt. It was derived from the highly-regarded TrueCrypt, which was audited by independent encryption experts (unlike BitLocker and FileVault). Later, VeraCrypt too benefited from a full audit.

VeraCrypt main screen
Figure 3. VeraCrypt main screen

Similar to its competitors, VeraCrypt can be used for full-disk encryption, provided you are willing and able to create a recovery disk, in case you forget the decryption password. But unlike FileVault, it can also create a standalone encrypted file container, which opens up the possibility of backing up such a container on the Internet (e.g., using one of the many popular cloud services).

It offers additional encryption methods, including Serpent and TwoFish. Furthermore, you can hide a non-disclosed encrypted volume inside of another encrypted volume whose existence you might be forced to disclose — useful for deniability. Possibly the biggest disadvantage of VeraCrypt is that non-technical users may find it more difficult to understand and use, versus BitLocker and FileVault, as they are built into their respective operating systems and thus provide a more seamless experience.

Regardless of which file encryption program you choose for your own needs, be sure not to make the most common mistake of all — not protecting your files whatsoever.