Tuesday, April 28, 2015

How to Encrypt Your Windows Device



DiskCryptor is an open-source encryption suite that supports whole-disk encryption. In this how-to we will walk through installing DiskCryptor on your Windows machine. Before continuing, be sure to read the guide Keeping Your Data Safe. (This how-to focuses only on how to actually use DiskCryptor—the guide Keeping Your Data Safe describes why you would want to use encryption and some of its limitations.)


Installing DiskCryptor

First, download DiskCryptor by going to https://diskcryptor.net/wiki/Downloads, clicking the “installer” link, and saving the file to your computer.

Once the file has been downloaded, launch it by double-clicking. Click “Next,” then accept the license by clicking “I accept the agreement” and clicking “Next.” Click “Next” again three times to accept the defaults (or alter them if you wish), and then click “Install.”

After DiskCryptor installs, click “Finish” to restart your computer. (If you choose not to restart right away, you will still have to restart before you can use DiskCryptor.)

Using DiskCryptor to encrypt your entire computer

By encrypting your entire computer, you make it much more difficult for anyone to access any files on it if it is taken while powered off. Unlike when you encrypt only specific files, an attacker won’t even be able to tell what files you have on the computer. To encrypt your entire computer (also called “full-disk” or “system” encryption), perform the following steps.

1. Start DiskCryptor (via the Start Menu, shortcut on your desktop, etc.).

2. In the “Disk Drives” list, highlight your drive (usually labeled “C:”) and then click the “Encrypt” button on the right.

3. Accept the defaults by clicking “Next,” and then clicking “Next” again.

4. Choose a secure password and enter it in the “Password” and “Confirm” fields, and then click “OK.”

5. Note that the encryption process may take some time. Once it has completed (the progress tab at the bottom of the window has disappeared), restart your computer.

Congratulations! Your computer is now encrypted!

As before, keep in mind that many of the warnings in the section on general File and Disk Encryption apply. In particular, keep in mind that malware could defeat your encryption by waiting to copy files off of your computer until after you’ve booted it up and entered the password. Similarly, remember that your data is only protected when the computer is off—if an adversary gets access to your computer while it’s on, in sleep mode, or even hibernated, there are several techniques they can use to extract your data.

Enable BitLocker on Windows 7, 8, 8.1

You can use BitLocker to encrypt an entire fixed drive, such as the local drive Windows is installed on or an internal data drive. For removable flash or external USB drives you can use its younger brother, BitLocker To Go. First let’s take a look at how to enable BitLocker on a local hard drive.

To encrypt an entire drive, simply right-click on the drive and select Turn on BitLocker from the context menu.

Next you’ll need to choose a secure password that will be used to access the drive.

You’re prompted to store the recovery key, which is used in the event you lose your password or smart card. If you store it as a file, make sure that it’s not on the same drive that you’re encrypting.

Confirm you want the drive to be encrypted, then wait until the process is complete. The amount of time it takes will vary based on the size and amount of data on the drive.

To access the encrypted drive you’ll need to enter the password to unlock it.

The drive icon will change to show it’s encrypted with BitLocker: the gold lock indicates it’s locked, and the gray lock is displayed after you have unlocked it.

Use BitLocker on a Drive Without TPM

What happens if you get an error about the TPM, and what is a TPM anyway? TPM stands for Trusted Platform Module, a microchip in a computer that supports advanced security features. It’s where BitLocker stores the encryption key. If your computer doesn’t have a compatible TPM, you’ll need to use the following steps and have a flash drive.

Enter gpedit.msc in the search box of the Start menu and hit Enter.

Under Local Computer Policy, navigate to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives and double-click Require additional authentication at startup.

Enable the setting and check the box next to Allow BitLocker without a compatible TPM, click Apply and OK, and close the Local Group Policy Editor.

Go back to the hard drive you want to encrypt and turn on BitLocker. A restart will be required to prepare the disk; at this point make sure the flash drive is plugged in.

After the restart you’re prompted to use the startup key on the flash drive every time you start the computer.

Select the drive you want to use to store the key.

TrueCrypt vs Peter Kleissner, Or Stoned BootKit Revisited



Replacing the MBR to get the machine to do something before booting the operating system is pretty well known – every full disk encryption software product uses that trick, as does every boot loader, boot manager, or partition manager I can think of. I think even some disk imaging software uses code run via MBR changes. But still, using that mechanism to then run something which subverts the disk interrupt driver (aka again every full disk encryption product), to load his own payload as Windows boots, is clever.

Unfortunately though, Peter seems to have taken offence at a perceived snub by the authors of TrueCrypt (an open source full-disk-encryption software), who in short told him that he’d discovered nothing new, and that any prevention methods put in place by software to detect his rootkit could of course be detected and circumvented by said rootkit, so were thus pointless.

Yes, it’s a sad truth that Trojans and rootkits are nasty little things which, because they tend to run first, also have the ability if they are clever to subvert anything which goes looking for them (to hide themselves). The only way to reliably detect them is to compare an “in band” and “out of band” analysis of the system – the two should of course agree, but if something is hiding itself “in band”, the out of band scan will show it up.

Both McAfee (RootKit Detective) and SysInternals (RootKitRevealer), as well as others, provide tools to do exactly this kind of detection, and of course, with a reputable AV/Malware product on your machine in the first place, the only way Stoned Bootkit is going to get a hold on your machine is if someone physically puts it there – writing to the MBR from within Windows is an incredibly privileged operation, and easy to block (that’s why there are hardly any MBR viruses any more).

Peter’s frustration at TrueCrypt’s apathy to his discovery went so far as to entice him to perhaps unwisely blog about their ambivalence – his entry “TrueCrypt Foundation is a joke to the security industry, pro Microsoft” is a work of art in itself, but more worthy perhaps are the viewers’ comments, most incredibly constructive and encouraging – very unlike the usual flame wars which follow unpopular cryptographic discussion. Two gems from commentators called Thomas and Christian respectively come to mind:

    What the TrueCrypt Foundation wanted to tell you is that your attack is actually nothing special. It’s a root kit, which in fact just doesn’t start with Windows but at the first point when it’s possible, the MBR. Well, “root”-kit is the correct word, because “root” means it runs under administrator privileges. A basic rule in computer security (yes, TrueCrypt tried to explain that) is that someone who already _has_ administrator privileges on your computer (and so is able to install your/any rootkit) has _full_ access to it. That is a fact which was known way before your bootkit. In fact, it’s been known since computers have existed.

    Still you have made a great job! Your program will alert many people who think they made their PC secure by installing TrueCrypt and still keep working with an admin account where they should not. You prove that a security policy is indispensable, because admin privileges will give malicious software the ability to tamper with the installed security software.

Yes, it’s a sad fact that, as the old adage goes “If you let your machine out of your sight, it’s no longer your machine”.

NOTE: Some people have already asked me if McAfee Endpoint Encryption for PCs or SafeBoot Device Encryption for PCs is vulnerable to this kind of attack. As I say above, this is not really an attack – Stoned Bootkit can’t suck the data off your machine unless you allow it to be installed, then you yourself log in. But, of course, IF you allowed such to happen, then yes, Stoned Bootkit could put some malware on your machine. The mitigation of course is to use a good AV/Malware solution and to not leave your machine in such a place where Stoned Bootkit could be introduced.

Although Peter has not written a specific exploit for the McAfee/SafeBoot drivers (and it would be significantly harder to do than TrueCrypt due to the fact we are closed source and that we have MBR rootkit detection built in, which Peter would also have to bypass), it’s not beyond the possibility (in theory) that he could, or that someone has already done so. I’d like to think that your AV/Malware detection product would pick this up though very quickly. Rootkits are not too hard to find once you know what you are looking for.

"Evil Maid" Attacks on Encrypted Hard Drives



Earlier this month, Joanna Rutkowska implemented the "evil maid" attack against TrueCrypt. The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. Basically, the attack works like this:

Step 1: Attacker gains access to your shut-down computer and boots it from a separate volume. The attacker writes a hacked bootloader onto your system, then shuts it down.

Step 2: You boot your computer using the attacker's hacked bootloader, entering your encryption key. Once the disk is unlocked, the hacked bootloader does its mischief. It might install malware to capture the key and send it over the Internet somewhere, or store it in some location on the disk to be retrieved later, or whatever.

You can see why it's called the "evil maid" attack; a likely scenario is that you leave your encrypted computer in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader. The same maid could even sneak back the next night and erase any traces of her actions.

This attack exploits the same basic vulnerability as the "Cold Boot" attack from last year, and the "Stoned Boot" attack from earlier this year, and there's no real defense to this sort of thing. As soon as you give up physical control of your computer, all bets are off.
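A defender-side check for the bootloader replacement described above, and for the “in band” versus “out of band” comparison the Stoned Bootkit piece recommends: an added example, not code from any of the quoted articles. It hashes the bootstrap code and parses the partition table of a 512-byte MBR so that a baseline captured out of band (from a trusted boot medium, stored off the machine) can be compared with a later read; the MBR bytes are constructed sample data, and the offsets follow the classic MBR layout (bootstrap code at 0 through 439, partition table at 446, 0x55AA signature at 510).

```python
import hashlib
import struct

# Classic MBR layout: bootstrap code 0..439, partition table at 446, 0x55AA at 510.
SECTOR_SIZE = 512
CODE_END = 440
PART_TABLE = 446

def build_mbr(code, partitions):
    """Assemble a 512-byte MBR from bootstrap code and up to four
    (boot_flag, type, lba_start, sector_count) tuples. Constructed test data."""
    sector = bytearray(SECTOR_SIZE)
    sector[:min(len(code), CODE_END)] = code[:CODE_END]
    for i, (boot, ptype, lba, count) in enumerate(partitions[:4]):
        off = PART_TABLE + 16 * i
        sector[off] = boot          # 0x80 marks the active partition
        sector[off + 4] = ptype     # CHS bytes 1-3 and 5-7 stay zero; LBA is used
        sector[off + 8:off + 16] = struct.pack("<II", lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

def parse_mbr(mbr):
    """Split an MBR into the pieces a bootkit or hacked bootloader would alter."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        lba, count = struct.unpack("<II", mbr[off + 8:off + 16])
        parts.append((mbr[off], mbr[off + 4], lba, count))
    return {
        "code_sha256": hashlib.sha256(mbr[:CODE_END]).hexdigest(),
        "partitions": parts,
        "signature_ok": mbr[510:512] == b"\x55\xaa",
    }

def compare_boot_sector(baseline, current):
    """Return findings (empty list = matches baseline). 'current' must be read out
    of band: a rootkit already running can hide its MBR changes from an in-band read."""
    base, now = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["code_sha256"] != now["code_sha256"]:
        findings.append("bootstrap code changed (bootloader replaced?)")
    if base["partitions"] != now["partitions"]:
        findings.append("partition table changed")
    return findings

# Constructed sample: a trusted baseline, and a copy whose first bootstrap bytes
# were overwritten, as a replaced bootloader would do.
GOOD_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 100
PARTS = [(0x80, 0x07, 2048, 1_000_000)]
BASELINE_MBR = build_mbr(GOOD_CODE, PARTS)
TAMPERED_MBR = build_mbr(b"\xEB\x3C" + GOOD_CODE[2:], PARTS)
```

On a real machine the 512 bytes come from the raw disk device read from a trusted live environment, and the baseline hash lives on a token you carry; a read taken from inside a possibly compromised Windows proves nothing, which is the point of the out-of-band comparison.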

    Similar hardware-based attacks were among the main reasons why Symantec’s CTO Mark Bregman was recently advised by "three-letter agencies in the US Government" to use separate laptop and mobile device when traveling to China, citing potential hardware-based compromise.

PGP sums it up in their blog.

    No security product on the market today can protect you if the underlying computer has been compromised by malware with root level administrative privileges. That said, there exist well-understood common sense defenses against "Cold Boot," "Stoned Boot," "Evil Maid," and many other attacks yet to be named and publicized.

The defenses are basically two-factor authentication: a token you don't leave in your hotel room for the maid to find and use. The maid could still corrupt the machine, but it's more work than just storing the password for later use. Putting your data on a thumb drive and taking it with you doesn't work; when you return you're plugging your thumb into a corrupted machine.

The real defense here is trusted boot, something Trusted Computing is supposed to enable. But Trusted Computing has its own problems, which is why we haven't seen anything out of Microsoft in the seven-plus years they have been working on it (I wrote this in 2002 about what they then called Palladium).

In the meantime, people who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe. It protects against someone confiscating or stealing their computer and then trying to get at the data. It does not protect against an attacker who has access to your computer over a period of time during which you use it, too.

TPM Vulnerabilities to Power Analysis and An Exposed Exploit to Bitlocker

Power analysis, a side channel attack, can be used against secure devices to non-invasively extract protected information such as implementation details or secret keys. We have employed a number of publicly known attacks against the RSA found in TPMs from five different manufacturers. We will discuss the details of these attacks and provide insight into how private TPM key information can be obtained with power analysis. In addition to conventional wired power analysis, we will present results for extracting the key by measuring electromagnetic signals emanating from the TPM while it remains on the motherboard. We will also describe and present results for an entirely new unpublished attack against a Chinese Remainder Theorem implementation of RSA that will yield private key information in a single trace.

The ability to obtain a private TPM key not only provides access to data, but also enables us to circumvent the root-of-trust system by modifying expected digest values in sealed data. We will describe a case study in which modifications to Microsoft's BitLocker metadata prevent software-level detection of changes to the BIOS.

Don’t Want Your Laptop Tampered With?



If you’re traveling overseas, across borders or anywhere you’re afraid your laptop or other equipment might be tampered with or examined, you’ve got a new secret weapon to improve security. Glitter nail polish.

Don’t laugh. It works.

Security researchers Eric Michaud and Ryan Lackey, making a presentation at the Chaos Communication Congress on Monday, highlighted the power of nail polish – along with metallic paints and even crappy stickers – to help people know when their machines have been physically tampered with and potentially compromised.

“Government agencies have so much money, they can build their own custom procedures,” said Ryan Lackey, founder of the CryptoSeal VPN service. “But if you’re a private person who travels to a country to do work, you have to take your stuff.”

Physical tampering with machines, whether by governments, corporate competitors or data thieves looking for bounty, is a growing problem. Businesspeople traveling to China in particular have reported problems with data theft and hardware tampering. While drive encryption, strong passwords and software-based measures might keep casual thieves out, traveling offers many ways for prying eyes to physically compromise a laptop, Lackey and Michaud noted. Border areas can be especially dangerous, as authorities can confiscate a laptop or cell phone to “examine” it, then return it with the drives imaged or malware installed. Once at a destination, many travelers lack the option to carry their laptop at all times. This raises the risk of attackers breaking into a hotel room to steal data or compromise machines.

Short of keeping a machine with you 24/7, there is little you can do to be absolutely sure these things don’t happen, the researchers said. If there is a serious question, they advise against traveling with sensitive data and wiping or simply discarding potentially compromised devices upon returning home. But those extreme measures don’t help you while you’re actually on the road, making it critical to know if your machine has been compromised.

Some travelers affix tamper-proof seals over ports or chassis screws. But these seals can in fact be replicated or opened cleanly in minutes by anyone with even minimal training, Michaud and Lackey said. They instead advise borrowing a technique from astronomers called blink comparison. Here’s where the glitter comes in.

The idea is to create a seal that is impossible to copy. Glitter nail polish, once applied, has what effectively is a random pattern. Once painted over screws or onto stickers placed over ports, it is difficult to replicate once broken. However, reapplication of a similar-looking blob (or paint stripe, or crappy sticker) might be enough to fool the human eye. To be sure, the experts recommend taking a picture of the laptop with the seals applied before leaving it alone, taking another photo upon returning and using a software program to shift rapidly between the two images to compare them. Even very small differences – a screw that is in a very slightly different position, or glitter nail polish that has a very slightly different pattern of sparkle – will be evident. Astronomers use this technique to detect small changes in the night sky.

By taking the picture with a cellphone that is kept with you at all times, you can be reasonably sure the original picture hasn’t been tampered with or replaced. In order to guard against typical user forgetfulness, the experts recommend using a two-stage remote verification system. Such a tool would require that two pictures match exactly, for example, before allowing the user to log in to a potentially vulnerable system such as a VPN.

“This makes it non-skippable by users,” said Michaud, CEO of Rift Recon. “If the user doesn’t do the check, it doesn’t work.”

The pair said they will within a few months release an inexpensive tool that will support this two-step verification system. Such machine-assisted verification was necessary to help travelers overcome their own mistakes, they argued.

“Users are lazy,” Michaud said. “It’s really unlikely that we’re going to build a system based on users making the correct security decisions all the time.”