2021 06 16                                                      SECURITY 

OK So far the new computer will have: 

• CPU: AMD Ryzen 9 5950X CPU, 16 cores & 32 threads 
• Motherboard: ASUS ROG Crosshair VIII Dark Hero, PCIe 4.0 and more 
• Windows 10 Pro, full version, USB 

  

But first some words about security: BitLocker is Microsoft's full-disk encryption facility, and it works. The computer must be and will be BitLocker compatible. It turns out that BitLocker has almost no impact on performance, even gaming performance, so that's not a downside. I think that the the mobo (motherboard) should probably have a header for a TPM (Trusted Platform Module), and the "Dark Hero" does. I'm not certain about actually using a TPM though, because I think that the CPU or the firmware may also provide the necessary BitLocker functions. If so, the separate TPM module would not be necessary. In fact, last I looked, new ones with the right updates were kind of hard to find. On a previous computer I enabled BitLocker with a tiny USB flash drive and no TPM. Important point: Even if the mobo is compatible and everything is in place, BitLocker doesn't have to be enabled. 

 

If you're not a BitLocker (or Microsoft) fan, or you don't have the Professional version of Windows, an excellent alternative is VeraCrypt, an open-source and thoroughly-audited facility which has both a full-disk encryption mode and a file-encryption mode. In fact, the best security may be found with a combination, where BitLocker is used to encrypt the whole disk, and the most precious individual files are further encrypted with VeraCrypt. Examples: A lawyer's client files, an engineering company's proprietary designs, the computer owner's social security numbers, bank accounts, and website logon passwords. I do use both BitLocker and VeraCrypt, plus several more. 

 

Please do not use the same password for BitLocker and VeraCrypt, or for anything else. That would entirely defeat the additional security. That's what a password vault is for, and there are some very good free ones.

 

In addition to BitLocker and VeraCrypt, there are other very useful encryption facilities. For example, I use Macrium Reflect to back up entire disk drives, and those output files can be encrypted. I'm sure that some of the competitive backup facilities can do the same. There is also a free and widely-used zipping app called 7Zip which is better than the Windows zipper in several ways, especially because its zipped output files can be encrypted. Here is a partial list of a few handy encrypting apps:

• BitLocker (requires Windows 10 Pro) 
• VeraCrypt (replaces TrueCrypt) 
• 7Zip 
• Macrium Reflect (or competitors) 
• KeePass (password vault, or competitors) 
• EFS (Windows "encrypting file system") 
• Lots more ... 

Macrium Reflect

Please PLEASE do not lose your BitLocker keys! Or your VeraCrypt passwords or PIMs, or any other encryption keys. There is likely no recovery except for your backups, and only then if the backups are UNencrypted or you know THEIR keys. Losing the keys is the same as a disk crash. Obviously, it's not a clever plan to keep the only copy of your encryption keys WITHIN the encrypted files. Please please write the keys on paper, or in a file within an UNencrypted DVD or flash drive, and keep that in a safe place, like a bank safe deposit box or your best friend's top dresser drawer, several miles away. Note: If you have more than one disk, you will have more than one key. You must save all of them. 

No matter what you think, the keys are not safe in the residence (or office) where the computer is located. Period.

 

Here is an only-slightly tongue-in-cheek list of risks to keeping the keys in the residence: Theft, computer virus, ransomware, fire, flood, lightning, hurricane, tornado, sinkhole, earthquake, termites, C-drive failure, other drive failure, smoked motherboard, smoked CPU, BitLocker failure, other encryption failure, Covid-19, another pandemic, asteroid impact, ultra-Plinean volcanic eruption, lunar cataclysm, black hole consuming the earth, gamma-ray burst, nuclear explosions, coronal mass ejection, sun going nova, or bad luck. 

 

The point is: Some of these could actually happen, and some WILL happen to some people who don't have their keys. Please don't be one of those. My residence is not safe, and neither is yours.

 

There is no rule against keeping the keys in multiple places. It's a really good idea. 

Backup is even (far) more important than encryption, and we have said little about it here. There is much more to be said about security, but saved for another time. 

The next post will get back to building a computer.

VeraCrypt Review

It works!  I recently switched to VeraCrypt from TrueCrypt, because TrueCrypt is now unsupported and rumor has it that technology was making TrueCrypt less and less secure.  I do not use Partition/Device encryption or System encryption, only Volume Encryption, meaning that specially-created "container" files in the normal unencrypted Windows environment are mounted as encrypted volumes exactly as if they were separate, encrypted disk drives.  I keep my personal and business files there, and I do it this way because it is simple, because backup of those container files is trivially easy, and because there is zero risk of a complete failure.

If you want to know more about Partition/Device encryption or System encryption, the information in this post may not help you.

A year ago I wrote about TrueCrypt Forks. I didn't like VeraCrypt then because it took a very long time, a minute or more, to open a container after entering the correct password.  This was by design - the VeraCrypt developer, Idrassi, by default uses hundreds of thousands of iterations in the key derivation function, contending that it helps protect against brute-force attacks, where a computer is automatically trying billions of password guesses.  He is right - this method of attack is becoming faster and more effective as computer power increases and multiple processors can be brought to bear.  However, I open and close encrypted volumes frequently and the defaults pushed my patience too far.

Happily, the current version of VeraCrypt, Release 1.17, offers a compromise:  If the password is 20 characters or more, VeraCrypt allows the user to bypass the defaults and choose a lower number of iterations by specifying a Personal Iteration Multiplier (PIM).  The minimum multiplier of 1 will still result in an iteration count 8 to 16 times greater than that used in TrueCrypt, with a very short delay, whereas multipliers in the range of 10 to 100 will increase security but will cause somewhat greater delays.  Those delays might still be acceptable, depending on the speed of the processor. I experimented with several different PIM values.

The PIM is a secret value, chosen when the container file is created, and it must be entered correctly as a separate parameter when the password is entered to mount an encrypted volume.  Therefore, though the PIM may be used to reduce the iteration count and make a brute force attack easier, it also effectively increases the password strength, making the attack more difficult again.

I use passwords of 20 characters or more anyway, so the PIM is a perfect compromise.  During the process of creating new volumes I did have to wait through some long delays, but now that the volumes are created and in place, the delays are quite acceptable.  PIM works.

Also interesting, VeraCrypt can actively coexist with TrueCrypt on the same system, running at the same time.  I created new VeraCrypt containers and copied the encrypted contents of the old mounted TrueCrypt volumes directly into the mounted VeraCrypt volumes with no problems.  During that process, none of the encrypted files were ever decrypted on disk.  That's cool - no disk wiping required.  Actually, VeraCrypt can mount most TrueCrypt volumes (though not my oldest ones), so the applications might not have to coexist, but it was slick.

I rarely use the TrueCrypt or VeraCrypt console, instead using command-line scripts (cmd.exe processor) to automatically mount and dismount volumes, create backups of volumes, copy volumes to the cloud and to other computers, and more.  Every script that worked with TrueCrypt still works with VeraCrypt, after just changing the run path.  It just works, no errors, no problems.

For a thorough, functional test I uploaded a 3 GB encrypted container full of files to the cloud, using both iDrive and CloudBerry, then downloaded that same file back to the desktop.  Using Microsoft's comp program, the files compared exactly with the original in each case.  Also, in each case, the downloaded encrypted container opened without issue, the true proof that the file was not corrupted.

I use VeraCrypt on two computers, a desktop and a laptop,  The desktop runs a clean install of Windows 10 (it once ran Vista), and the laptop runs Windows 10 upgraded from Windows 7.  Both have plenty of RAM and disk, with dual processors in the 2 - 3 GHz range.

My congratulations to Mounir Idrassi, the force behind VeraCrypt.  I'll be making a PayPal donation to the cause.

By the way:  I also downloaded CipherShed, intending to compare it with VeraCrypt.  However, the CipherShed installer informed me that I would have to uninstall TrueCrypt first.  Since I want to keep TrueCrypt around, I did not install CipherShed.