People’s lives depend on their personal data being kept secure and private. Without that protection, we’re open targets for identity theft and, if you’re the one who loses the data, decimating lawsuits. Despite the high stakes, data theft continues unabated, especially from laptops. In May 2006, a laptop owned by the Veteran’s Administration, complete with private data on millions of service personnel, was stolen. In January 2008, a Horizon Blue Cross Blue Shield-owned laptop vanished with data associated with 300,000 members. Three months later, a notebook belonging to SunGard—a disaster services company, ironically—disappeared with info on 1,500 students. And if you’re looking to the FBI for help, consider this: According to a February 2007 Associated Press story, at least three laptops are stolen from the FBI every month.

Loss and theft of property happen. We have insurance to cover such things. But the intangible costs of stolen private data almost defy reckoning. A 2007 study from the Ponemon Institute pegged the lost productivity cost per lost record at $30, double the $15 figure from a year earlier, and that doesn’t even start to factor in lost business costs. How do you quantify the time, trouble, and expense of a stolen identity? You can’t, and that’s why anyone with any degree of private data on their PCs practically must use reliable encryption to keep that information safe.
Hard vs. Soft Encryption

[Photo: Seagate’s Momentus 5400 FDE.3 hard drive has a 320GB capacity and includes a hardware-based encryption engine.]

At its simplest, encryption and decryption are the processes of using an algorithm to scramble and unscramble information. If you have your tax returns in a PDF file, you don’t want that file left unencrypted for anyone to find. Encryption turns data into a seemingly nonsensical mess unless you have the key or keys to decrypt it back into its original form. You’ve been using encryption for years. Every time the little lock appears in your Web browser when you’re on an e-commerce site, the communication link between your browser and the site’s server is being encrypted so that the data will be useless to anyone who intercepts the communication.

You might not have known you had it, but encryption has been built into PCs ever since the days of Windows 98. In Vista, simply right-click on a file or folder, select Properties, click the General tab, hit the Advanced button, and select Encrypt contents to secure data. In this case, a password you supply helps to create the key that encrypts/decrypts the data. This is superior to simple password protection. “Brute force attack” software can methodically bombard a password prompt with letters and numbers until it finds the right password, but modern encryption algorithms, such as AES (Advanced Encryption Standard) now used by the U.S. government, are far more complex. One statement from the National Institute of Standards and Technology notes that a hypothetical machine able to crack a DES (Data Encryption Standard) key (the standard that came before AES) in seconds would still take approximately “149 trillion years to crack a 128-bit AES key.”

Windows and many other software packages can apply encryption to files, folders, and sometimes even the entire drive. Obviously, it’s best, in theory, to encrypt the entire drive so there are no loopholes.
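The arithmetic behind the NIST figure quoted above, with one extension, as an added example that is not part of the original article: when a key is derived from a password, the search space is the smaller of the key space and the password space. The sample passwords and the rate of one billion guesses per second are constructed assumptions.

```python
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_GUESS_RATE = 1e9  # guesses per second; an assumption for illustration

def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every value in a 2**bits search space."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def nist_aes128_years():
    """NIST's hypothetical: a machine that covers the whole 56-bit DES key
    space in one second is pointed at a 128-bit AES key instead."""
    return years_to_exhaust(128, 2.0 ** 56)

def password_bits(password):
    """Upper bound on the password search space, in bits, from its length
    and the character classes it uses. Dictionary words and reused
    passwords fall well below this bound."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def effective_bits(password, key_bits=128):
    """A key derived from a password is no harder to find than the password."""
    return min(password_bits(password), key_bits)

def report(passwords, rate=ASSUMED_GUESS_RATE):
    """Map each password to (effective bits, years to exhaust at `rate`)."""
    return {p: (effective_bits(p), years_to_exhaust(effective_bits(p), rate))
            for p in passwords}

if __name__ == "__main__":
    print(f"AES-128 at one DES key space per second: {nist_aes128_years():.3e} years")
    # Constructed sample passwords, not taken from the article.
    for pw, (bits, years) in report(["maple", "maple42", "Maple42"]).items():
        print(f"{pw!r}: {bits:.1f} bits, {years:.2e} years")
```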
However, there are some potential drawbacks to software-based encryption. Some algorithms are weaker than others, meaning they’re easier to crack, so you need to know what you’re using. Some “full disk” software approaches don’t encrypt the entire disk. They can leave the master boot record, temporary files, and other items unencrypted. If a thief gains access to the drive and its host system, these unencrypted areas can be used to unlock the drive. Not least of all, the computation needed to perform modern encryption can be massive—it takes more work to build a better safe. The more data being moved, the more computation is necessary, and AES can consume a large chunk of your CPU’s compute resources. In a laptop, this will translate into lower system performance, more heat, and less battery life. The trick is to get the heavy work of encryption away from the CPU and into the drive. Hardware-based encryption does exactly this. A processor built specifically for cryptographic operations sits on the drive, encoding each bit of data as it comes in and decrypting it as it leaves. The CPU never has to lift a finger. Better yet, SEDs (self-encrypting drives) are immune to most if not all of the security cracks that plague software-based approaches. Single-user setup is remarkably easy, too, so don’t worry about needing to be an IT genius in order to protect your data.
Encryption In Action

Current-generation drives with hardware encryption, particularly those based on the Trusted Computing Group’s “Opal” specification, all work in similar ways, even though each vendor is free to tweak their own implementation. The central idea is that there is a “shadow” partition on the hard drive containing a tiny operating system and whatever applications are needed to manage the encryption. When booting, this shadow partition loads first. If encryption has been enabled, the user must supply his or her password in order to unlock the drive and proceed on to the regular drive partition, whereupon booting proceeds normally. In fact, the main OS has no idea it’s working on an encrypted drive. The operation is completely transparent.

To illustrate, let’s look at Maxtor’s BlackArmor USB hard drive. Upon connecting the BlackArmor, the blue LED near the top of the unit lights up and Vista pops up an AutoPlay box prompting you to Launch BlackArmor Manager, the security platform software installed on the drive. The Manager asks you to input the ID code on the back of the drive and supply a password. Interestingly, a little box indicates the strength of your password as you type it. We noticed that a short word of all lowercase letters was “very weak.” Adding numbers raised this to “weak,” and adding a capital letter graduated us to “strong.” After the password is set, you can add a password hint based on answering a question, such as your mother’s maiden name. With setup completed, the drive unlocks and Windows registers the drive as a removable storage volume. Whenever power to the drive is cut, as when unplugging the USB cable, the encryption lock re-engages. Each time you plug the drive back in, Windows’ AutoPlay feature again prompts to either run BlackArmor Manager or open the volume in My Computer. However, closer inspection shows that the volume (on the 320GB model we tried) is only 36.4MB. This is the shadow partition.
To access the main storage area, you must launch BlackArmor Manager; unlock the drive; and open the volume in My Computer, which then registers as 298GB.

An internal SED works in much the same way. You could always buy one preinstalled in a new notebook, as from Dell or Lenovo. But let’s say you already have a fairly modern notebook with a regular 2.5-inch hard drive and you want to upgrade to a secure drive. You’d pick a new SED, such as Seagate’s Momentus 5400 FDE.3 or Hitachi’s Travelstar 5K500.B. You’ll also need an encryption manager, such as Wave Systems’ Embassy Trusted Drive Manager or WinMagic’s SecureDoc, as well as a tool for cloning your old drive’s contents over to the SED. (Apricorn’s DriveWire is incredible for this.) First, you clone the old drive to the new one. Next, swap the SED into the laptop and boot the system. Now, install the encryption manager and establish user accounts and passwords. That’s it. The whole operation (excluding cloning time) should take about 15 minutes. As with the BlackArmor, whenever power to the drive is cut, either through sleep modes or powering down, the drive automatically locks and will require authentication when power comes back.

Whether through an internal or external drive, implementing hardware-based encryption is easy and affordable. When weighed against the risks of not using it, having to take an extra 10 or 15 seconds to authenticate with each power-up seems a small price to pay for privacy and peace of mind.

by William Van Winkle
A Quick Caveat

While there are no compatibility concerns with external SEDs, we did encounter a slight hesitation from vendors when discussing internal drive upgrades. Apparently, not all motherboard chipsets do an adequate job of handling the trusted send and receive instructions needed for drive encryption. However, according to Wave Systems, “98 to 99% of all the platforms from any major vendors are compatible and will work.” Yet, because the drive vendors can’t possibly take the time and expense to test every motherboard being sold, they’re reluctant to give a blanket endorsement of total compatibility.