One of the few blogs I read regularly is Bruce Schneier's. In a recent entry, he mentions a new hard drive that provides full encryption of all its contents. However, I think that encrypted container files have several advantages over fully encrypted drives like the one he mentions.
As a laptop user, I am certainly very interested in securing the data on my drive. However, I have always viewed full drive encryption somewhat skeptically. I much prefer a software solution that creates an encrypted container file, which can then be mounted like a file system. Essentially, these programs install as drivers: they ask for a password and then make the file system inside that container file available to you, just like any other drive. Under Windows, for example, a new drive with its own drive letter appears. Everything stored on that drive is automatically encrypted, and all of this happens completely transparently to the applications on your computer. Once you unmount the encrypted 'drive' again, the drive letter disappears and all you have left is the container file, which is of course encrypted.
Some examples of these programs are DriveCrypt, or Jetico's BestCrypt. Personally, I use BestCrypt. I really like it, because my laptop is dual-boot: Linux and Windows. BestCrypt allows me access to the encrypted data from both sides, which is nice.
There are two key advantages that I see in encrypted container files:
- Backing up your important data is amazingly easy. In fact, for me a complete backup of all my e-mail, addresses, calendar and documents is done in a single drag-and-drop operation, without the need for any additional backup-management software. How? Just drop that single container file onto the office file-server, and it is all done. Since the file is entirely encrypted, it does not even matter if anyone else has access to it.
- I can give my laptop to tech support without having to give them the password to the encrypted partition. If your entire drive is encrypted, then nothing works unless that password is provided. Even your own tech support or system administrator will not be able to fix your machine or work on it, unless you stay with them to type in the password after every reboot, or you tell them the password. Worse still: the admin may come across some of the confidential information on your drive while helping you. Since the drive is unlocked in its entirety, this is quite possible. With the encrypted partition / container file, however, you just unmount that partition and all the confidential data disappears. The admin can work on your laptop all they want; they still won't see the data. Not even by accident.
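The three properties above (a mounted view of the files, backup by copying one opaque file, and nothing readable once the container is closed) can be shown in a few dozen lines. The block below is an added example written for this post; it is not BestCrypt's or DriveCrypt's code, and its container layout is a constructed one. It keeps a small set of named files inside a single password-protected blob: the password is stretched with PBKDF2 into separate encryption and MAC keys, the contents are encrypted with a counter-mode stream cipher built from HMAC-SHA256 (a standard-library stand-in for AES, chosen only so the example runs without extra packages), and an encrypt-then-MAC tag lets the reader detect a wrong password or a damaged copy. `demo()` then does exactly what the first list item describes: copies the closed container with a plain file copy and checks that the copy opens with the password and nothing else.

```python
import hashlib
import hmac
import json
import os
import secrets
import shutil
import struct
import tempfile

# Constructed container layout (illustration only, not BestCrypt's or DriveCrypt's format):
#   MAGIC | salt (16) | nonce (16) | ciphertext | HMAC-SHA256 tag (32)
MAGIC = b"DEMO-CONTAINER-1"
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN
KDF_ITERATIONS = 200_000


def derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher with HMAC-SHA256 as the PRF (stdlib stand-in for AES).

    A real product would use AES-XTS/GCM or XChaCha20-Poly1305 from a vetted library.
    Encrypting and decrypting are the same XOR operation.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(password: str, files: dict) -> bytes:
    """Serialise {path: bytes} into one encrypted, authenticated blob."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    plaintext = json.dumps({name: data.hex() for name, data in files.items()}).encode()
    header = MAGIC + salt + nonce
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return header + ciphertext + tag


def unseal(password: str, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError on a wrong password or a tampered blob."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a container file")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HEADER_LEN]
    header, ciphertext, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare before any decryption
        raise ValueError("wrong password or tampered container")
    decoded = json.loads(keystream_xor(enc_key, nonce, ciphertext))
    return {name: bytes.fromhex(h) for name, h in decoded.items()}


def demo() -> dict:
    """Create a container, back it up by plain file copy, and check who can read what."""
    files = {  # constructed sample contents
        "mail/inbox.mbox": b"From: alice@example.com\nSubject: lunch\n",
        "calendar.ics": b"BEGIN:VCALENDAR\nEND:VCALENDAR\n",
    }
    workdir = tempfile.mkdtemp()
    try:
        container = os.path.join(workdir, "private.container")
        backup = os.path.join(workdir, "server-copy.container")
        with open(container, "wb") as fh:
            fh.write(seal("correct horse", files))
        shutil.copyfile(container, backup)  # the one-step backup: copy the closed file as-is
        with open(backup, "rb") as fh:
            blob = fh.read()
        results = {"backup_readable_with_password": unseal("correct horse", blob) == files}
        try:
            unseal("guess", blob)
            results["rejects_wrong_password"] = False
        except ValueError:
            results["rejects_wrong_password"] = True
        damaged = bytearray(blob)
        damaged[HEADER_LEN] ^= 0x01  # flip one ciphertext bit in the copy
        try:
            unseal("correct horse", bytes(damaged))
            results["detects_tampering"] = False
        except ValueError:
            results["detects_tampering"] = True
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the backup step knows nothing about keys: the file server only ever sees the sealed blob, so its access controls are a second line of defence rather than the first. The MAC is checked before any decryption, which is why a wrong password and a damaged copy fail the same way instead of yielding garbage that looks like a "successful" mount.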
For those reasons, I personally prefer the software solution with encrypted container files. I understand that there are possibly some things to consider, like the location of temporary files, for example. But with some care, those issues can be addressed.