通过加密软件(encryption software)保护计算机数据已成为许多企业和个人在笔记本电脑或USB闪存驱动器 上携带敏感信息的必要条件。不幸的是,许多人不加密他们的数据,因为他们太懒了,或者觉得数据被盗不会发生。很多人只是觉得他们的计算机上没有存储任何重要的东西,因此他们不需要加密。
无论您的原因是什么,加密数据都非常重要。无论您是否认为自己在计算机上存储了重要数据,总有黑客喜欢浏览您的文件、图片和数据,从而造成身份盗窃(identity theft)等危害。即使是像图片这样无害的东西,如果落入坏人之手,也会被以非常邪恶的方式使用。
在Windows 和 OS X(Windows and OS X)中加密您的硬盘驱动器现在是一个相当简单直接的过程,几乎任何人都可以做到,因此没有理由让您自己受到可能的攻击。在本文中,我将介绍如何使用Windows上的BitLocker和(BitLocker)OS X上的FileVault(Windows and FileVault)来加密您的数据。
以前,我曾写过关于使用一个名为TrueCrypt的程序,但该项目似乎已因各种原因停止。该程序曾是最流行的加密硬盘驱动器之一,但现在它不再受支持,我们不建议使用它。TrueCrypt 团队(TrueCrypt team)甚至推荐使用BitLocker,因为它几乎可以完成TrueCrypt能够做的所有事情。
Windows 上的 Bitlocker
在Windows Vista、Windows 7和Windows 8中,您可以通过启用(Windows 8)BitLocker来打开驱动器加密。在我们开始讨论如何启用BitLocker之前,您应该首先了解几件事:
1. BitLocker适用于Windows Vista 和 Windows(Windows Vista and Windows) 7的Ultimate 和 Enterprise 版本(Ultimate and Enterprise versions),以及Windows 8和Windows 8.1的(Windows 8.1)Pro 和 Enterprise 版本(Pro and Enterprise versions)。
2. BitLocker(BitLocker)中存在三种身份验证机制:TPM(可信平台模块(Trusted Platform Module))、PIN和USB 密钥(USB key)。为了获得最大的安全性,您希望使用TPM和PIN。PIN是用户在(PIN)启动过程(booting process)之前必须输入的密码。
3.不支持TMP的老电脑只能使用USB key 认证机制(authentication mechanism)。这不如使用带有PIN 的 TPM 或(PIN or TPM)带有(TPM)USB密钥的 TPM 或(USB key or TPM)同时带有PIN和USB 密钥(USB key)的 TPM 安全。
4. 切勿在纸上打印备份密钥并将其(backup key)存放(paper and store)在某处。如果有人,甚至是警察,可以访问该文件,他们就可以解密您的整个硬盘驱动器。
现在让我们谈谈实际启用BitLocker。在Windows(Windows and click)中打开控制面板(Control Panel),然后单击BitLocker Drive Encryption。
您将在主屏幕上看到所有分区和驱动器的列表。要开始,您只需单击打开 BitLocker(Turn On BitLocker)。
如果您有一台带有支持TPM的处理器的较新计算机,那么您就可以开始了,该过程将开始。如果没有,您将收到以下错误消息(error message):“此计算机上必须存在兼容的受信任平台模块 (TPM) 安全设备,但未找到 TPM。(A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found.)” 要解决此问题,请阅读我之前关于启用 BitLocker 时出现的此 TPM 问题(TPM problem when enabling BitLocker)的帖子。
按照该帖子中的说明进行操作后,您应该能够再次单击“打开(Turn)BitLocker ” ,并且不应出现错误消息。(error message)而是将启动BitLocker 驱动器加密设置(BitLocker Drive Encryption setup)。
继续并单击下一步(Next)开始。该设置基本上准备好您的驱动器,然后对其进行加密。要准备驱动器,Windows需要两个分区:一个小系统分区(System partition)和一个操作系统分区(operating system partition)。它会在开始之前告诉你这一点。
您可能需要等待几分钟C 驱动器(C drive)首先缩小并创建新分区。完成后,系统会要求您重新启动计算机。继续做吧。
在下一个屏幕上,您将选择您的BitLocker 安全(BitLocker security)选项。如果您没有安装TPM,您将无法使用PIN进行启动,而只能使用USB 密钥(USB key)。
系统会要求您插入U 盘(USB stick),此时它将在那里保存启动密钥(startup key)。接下来,您还需要创建一个恢复密钥(recovery key)。您可以将其保存到USB 驱动器(USB drive)、文件或打印(file or print)。最好不要打印。
在此之后,最终会询问您是否准备好加密硬盘驱动器,这需要重新启动。
如果一切顺利并且Windows能够从您的USB 记忆棒(USB stick)或TPM读取加密密钥,那么您应该会看到一个对话框弹出,告诉您驱动器正在被加密。
完成后,您的数据现在已安全加密,没有您的密钥就无法访问。同样(Again),重要的是要注意使用不带TPM的(TPM)BitLocker的安全性要低得多,即使您使用TPM,您也需要将它与PIN或USB 密钥(USB key)或两者一起使用才能真正受到保护。
此外,值得注意的是,当您登录时,密钥存储在RAM 内存中(RAM memory)。如果您让计算机进入睡眠状态,那么精明的黑客可能会窃取密钥,因此您应该在不使用计算机时始终将其关闭。现在让我们谈谈OS X中的FileVault。
OS X 中的文件保险箱
OS X中的 FileVault提供与Windows中的BitLocker相同的功能。您可以加密整个驱动器,并创建一个单独的引导卷(boot volume) 来存储未加密的用户身份验证信息(authentication information)。
要使用FileVault,您需要转到系统偏好设置(System Preferences)并单击安全和隐私( Security & Privacy)。
现在单击FileVault选项卡,然后单击打开 FileVault(Turn On FileVault)按钮。如果该按钮被禁用,您必须单击对话框左下方的黄色小锁并输入您的系统密码(system password)才能进行更改。
现在将询问您要将恢复密钥(recovery key)存储在哪里。您可以将其存储在 iCloud 中,也可以获取恢复密钥代码(recovery key code),然后将其存储在安全的地方。我强烈建议不要使用 iCloud,即使这样更容易,因为如果执法部门(law enforcement)或黑客需要闯入您的计算机,他们所要做的就是访问您的 iCloud 帐户以删除加密。
现在您将被要求重新启动计算机,当OS X重新登录时,加密过程(encryption process)将开始。您可以返回安全和隐私(Security and Privacy)以查看加密的进度。您应该预计计算机性能(computer performance)会受到轻微影响,速度会降低 5% 到 10%。如果你有一台新的MacBook,影响可能会更小。
如前所述,所有全盘加密仍然可以被破解,因为在您登录时密钥会存储在RAM中。您必须始终关闭计算机而不是使其进入睡眠状态,并且您应该始终禁用自动登录。此外,如果您使用预启动PIN 或密码(PIN or password),您将拥有最高的安全性,即使是技术取证专家也很难破解您的硬盘。有任何问题,发表评论。享受!
How to Encrypt Your Hard Drive for Free
Securing computer data through enсryption software has becоme a clear necеssity for many businesses and individuals carrying sensitive information on their laptops оr USB flash drives. Unfortunately, mаny people do not encrypt thеir datа becauѕe they’re too lazy or feel data theft won’t happen them. Α lot of peoрle simply feel they don’t have anything аll that important stored on their computer and therefore they don’t need encryption.
Whatever your reason may be, encrypting your data is very important. Whether you think you store important data on your computer or not, there are hackers out there who would love to browse through your files, pictures, and data to do harm like identity theft. Even something as innocuous as pictures can be used in very evil ways if in the wrong hands.
Encrypting your hard drive in Windows and OS X is now a fairly simple and straight-forward process that pretty much anyone can do, so there’s no reason to leave yourself open to possible attacks. In this article, I’ll go through using BitLocker on Windows and FileVault on OS X to encrypt your data.
Previously, I had written about using a program called TrueCrypt, but it seems the project has been discontinued for various reasons. The program had been one of the most popular for encrypting your hard drive, but now that it is no longer supported, we don’t recommend using it. The TrueCrypt team even recommends using BitLocker as it can do pretty much everything TrueCrypt was able to do.
Bitlocker on Windows
In Windows Vista, Windows 7 and Windows 8, you can turn on drive encryption by enabling BitLocker. Before we get into how to enable BitLocker, there are a couple of things you should know first:
1. BitLocker works on the Ultimate and Enterprise versions of Windows Vista and Windows 7 and on the Pro and Enterprise versions of Windows 8 and Windows 8.1.
2. There are three authentication mechanisms in BitLocker: TPM (Trusted Platform Module), PIN, and USB key. For the greatest security, you want to use TPM plus a PIN. The PIN is a password that has to be entered by the user before the booting process.
3. Older computers that don’t support TMP can only use the USB key authentication mechanism. This is not as secure as using TPM with a PIN or TPM with a USB key or TPM with both a PIN and a USB key.
4. Never print a backup key on paper and store it somewhere. If someone, even the police, can get access to that paper, they can decrypt your entire hard drive.
Now let’s talk about actually enabling BitLocker. Open the Control Panel in Windows and click on BitLocker Drive Encryption.
You’ll see a list of all your partitions and drives listed on the main screen. To get started, all you have to do is click on Turn On BitLocker.
If you have a newer computer with a processor that supports TPM, you’re good to go and the process will start. If not, you’ll get the following error message: “A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found.” To fix this, read my previous post on this TPM problem when enabling BitLocker.
Once you’ve followed the directions in that post, you should be able to click on Turn On BitLocker again and the error message should not appear. Instead, the BitLocker Drive Encryption setup will start.
Go ahead and click Next to get started. The setup basically prepares your drive and then encrypts it. To prepare the drive, Windows needs two partitions: one small System partition and one operating system partition. It will tell you this before it begins.
You might have to wait for a few minutes while the C drive is first shrunken down and the new partition is created. After it is finished, you’ll be asked to restart your computer. Go ahead and do that.
On the next screen, you’ll get to choose your BitLocker security options. If you don’t have a TPM installed, you won’t be able to use a PIN for startup, but only a USB key.
You’ll be asked to insert a USB stick at which point it will save the startup key there. Next you’ll need to also create a recovery key. You can save it to a USB drive, to a file or print it. It’s best not to print it.
After this, you’ll finally be asked if you’re ready to encrypt the hard drive, which will require a restart.
If all goes well and Windows is able to read the encryption keys off your USB stick or from the TPM, then you should see a dialog pop up telling you that the drive is being encrypted.
Once completed, your data is now safely encrypted and cannot be accessed without your keys. Again, it’s important to note that using BitLocker without TPM is a lot less secure and even if you use TPM, you need to use it with a PIN or with a USB key or with both to be truly protected.
Also, it’s worthwhile to note that while you are logged in, the keys are stored in RAM memory. If you put your computer to sleep, the keys could be stolen by savvy hackers, so you should always shutdown your computer when you’re not using it. Now let’s talk about FileVault in OS X.
FileVault in OS X
FileVault in OS X provides the same functionality as BitLocker does in Windows. You can encrypt the entire drive and a separate boot volume is created to store user authentication information unencrypted.
To use FileVault, you need to go to System Preferences and click on Security & Privacy.
Now click on the FileVault tab and click on the Turn On FileVault button. If the button is disabled, you have to click the little yellow lock at the bottom left of the dialog and enter your system password in order to make changes.
Now you will be asked where you want to store your recovery key. You can either store it in iCloud or you can get a recovery key code and then store it in a safe place. I would highly recommend against using iCloud, even though that is easier, because if law enforcement or a hacker needs to break into your computer, all they have to do is get access to your iCloud account to remove the encryption.
Now you’ll be asked to restart your computer and when OS X logs back in, the encryption process will begin. You can go back into Security and Privacy to see the progress of the encryption. You should expect the computer performance to be slightly impacted in the range of 5 to 10% slower. If you have a new MacBook, the impact may be less.
As mentioned earlier, all full-disk encryption can still be hacked because the keys get stored in RAM while you’re logged in. You must always shut down the computer instead of putting it to sleep and you should always disable automatic login. In addition, if you use a pre-boot PIN or password, you’ll have the most security and it will be extremely difficult for even technical forensic experts to crack into your hard drive. Have any questions, post a comment. Enjoy!
