Data Security and Retention
Thursday, April 2, 2009 at 4:13PM
Twenty years ago, this particular discussion would not be necessary for 99.8% of the population. We dealt with forms, statements, and everything was filed away in boxes or cabinets including our birth certificates and our family photos. Today, all of that has changed. The digital revolution has impacted almost every aspect of our lives. People now take digital photos instead of using film. Music is kept on the computer and on MP3 players instead of in a CD or cassette case. Bank statements, payment transactions, and all other types of information are usually available in some form of digital file whether Word, PDF, or something else. Digital is king, and it's time to accept it.
Along with accepting it, you also need to learn about its conveniences as well as its perils. Never before has it been so easy to store and retrieve data about your everyday life. People make purchases online, scan their tax returns for safekeeping, and make bill payments via the internet. The downside to having information stored this way is that if proper precautions aren't taken, your data could easily be recovered by others.
Let's say, for instance, you decide to sell that old laptop on eBay, and you get a tidy sum for it and pat yourself on the back. Weeks later, you find out that someone retrieved personal information about you and used it to commit identity theft or some other nefarious act. You might be scratching your head and wondering how that happened. You deleted the files, right? You made sure they were deleted before you put the laptop up for sale. So, what gives? Here's an explanation for those that aren't familiar with how the storage process works. For those that already know, you can skip ahead. Remember the old way that books were cataloged in the library? You went to the big wooden card bin and searched for a book. Once you found the card, it told you the number of the book so you could find it in the right aisle and on the right shelf. That's basically how information storage works on a computer.
If you set fire to a particular card describing a book's location, you might destroy the card, but the book is still sitting there back in the stacks. The same thing happens when you "Delete" a file. Your computer simply deletes the index/location information of the file, but the actual file is still sitting there on your hard drive. Now, since the computer thinks the file is gone, eventually, another file may get written on top of that old file. But, until that time, the file is still sitting there waiting to be recovered, which is fairly easy to do. Are you with me so far? Now, it gets even better. Even if your computer does eventually write a new file on top of the old one, the old one can still be recovered by persons with the right software or hardware. There are tools available that will allow an individual to simply peel away the top layer to see what was written in the old file. Pretty slick, huh? Were you aware that was a possibility? Now, think about this little pearl. Those same tools, or other ones, can actually peel away several layers of files to see what was written in the file at the bottom. Not good.
As you can see, this presents a bit of a problem. Using the normal delete process on your computer does not get rid of sensitive information like credit card numbers, passwords, tax returns, and the like. That's why you need to use a utility that will "wipe" your hard drive to completely eliminate all sensitive information. "Wiping" or "scrubbing" is simply a process that will write the hard drive area where your file was (or all the "open" space on the drive) with either random data or 0's and 1's. With most utilities, you can choose the number of times you want to write on the drive. The more times you write on the area, the harder it is for the information to be retrieved. I believe the DOD standard is at least seven passes, and there are some utilities that will allow up to fifteen passes. I think fifteen is a bit of overkill, and it's important to remember that the more passes you choose, the longer it takes for the process to complete. If you've got a big hard drive and choose fifteen passes, you're going to wait for hours--possibly days for it to get finished. But, it's up to you to determine which level of security you are most comfortable with when it comes to your personal data.
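The card-catalog picture above can be made concrete with a toy model. This is an added example, not code from the original article: ToyDisk, its 16-byte block size, and the sample file contents are all constructed for illustration, and the model stands in for a real file system only at the level the article describes.

```python
import os

BLOCK = 16  # bytes per block in this toy disk (constructed value)


class ToyDisk:
    """A tiny in-memory 'hard drive': raw blocks plus a catalog (the card index)."""

    def __init__(self, blocks=32):
        self.raw = bytearray(blocks * BLOCK)  # the shelves: the stored bytes
        self.catalog = {}                     # the cards: name -> (first block, length)
        self.next_free = 0

    def write(self, name, data):
        start = self.next_free
        needed = -(-len(data) // BLOCK)       # ceiling division
        if (start + needed) * BLOCK > len(self.raw):
            raise OSError("toy disk is full")
        self.raw[start * BLOCK:start * BLOCK + len(data)] = data
        self.catalog[name] = (start, len(data))
        self.next_free += needed

    def read(self, name):
        start, length = self.catalog[name]
        return bytes(self.raw[start * BLOCK:start * BLOCK + length])

    def delete(self, name):
        """Ordinary delete: burn the card, leave the book on the shelf."""
        del self.catalog[name]

    def wipe(self, name, passes=1):
        """Overwrite the file's bytes with random data, then zeros, then drop the card."""
        start, length = self.catalog[name]
        span = slice(start * BLOCK, start * BLOCK + length)
        for _ in range(passes):
            self.raw[span] = os.urandom(length)
        self.raw[span] = bytes(length)
        del self.catalog[name]

    def scan(self, needle):
        """What a recovery tool does: ignore the catalog and search the raw bytes."""
        return needle in self.raw


def demo():
    deleted = b"acct 0000-1111 (sample)"  # constructed sample data
    wiped = b"pin 9999 (sample)"          # constructed sample data
    disk = ToyDisk()
    disk.write("statement.txt", deleted)
    disk.write("pins.txt", wiped)
    disk.delete("statement.txt")          # normal delete
    disk.wipe("pins.txt", passes=3)       # overwrite, then delete
    return {
        "listed_after_delete": "statement.txt" in disk.catalog,
        "recoverable_after_delete": disk.scan(deleted),
        "recoverable_after_wipe": disk.scan(wiped),
    }


if __name__ == "__main__":
    print(demo())
```

On real hardware, overwriting a single file in place is less dependable than in this model: SSD wear leveling and journaling file systems can leave older copies of the data in blocks the utility never touches. Wiping the whole drive, or encrypting the data before it is written, closes that gap.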
This is not one of those doomsday, it'll-never-happen scenarios. There are stories every day about people who buy used electronics like cell phones, laptops, and home computers and find personal information about the previous owner. So, it's important to make sure you have completely erased all of your data. But, an even better option is to make sure that your raw personal data never hits your hard drive in the first place. That's where encryption comes into play. Encryption is a very controversial topic since it gives users a vast amount of power to protect their personal information. This is not something that identity thieves or governments like. In fact, for a while, the D.O.D. tried to have encryption listed as "munitions" because they did not want the general public to have the ability to exercise such measures with their information. However, by that time, it was like trying to get toothpaste back into the tube. A man named Phil Zimmermann had developed and released a program called P.G.P. (Pretty Good Privacy) for free on the internet. In no time, thousands of users had downloaded it and started using it as part of their daily routine. Mr. Zimmermann faced a lot of legal issues and underwent a significant amount of hardship for making this software readily available to the public. However, it was too late to stop its propagation on the net.
P.G.P. was actually designed to allow people to securely encrypt emails between individuals, and there are still several variants of it being used today including GnuPG. There's a little bit of a learning curve to it, and it takes a little bit of study to understand how to use it and how it actually works, but it's worth the time and effort just to get a handle on the process. Though I tried it out to see how it works, I never really put it into use because I never felt that I had any data in my emails that I was worried about others intercepting. I don't put social security numbers or bank account numbers or anything like that in emails, so I wasn't much worried about that particular aspect. But, with the number of sites that provide passwords, security questions, and other information in emails, it might not be a bad idea to put this process in place. But, I would think most people are like me, and aren't really worried about their emails to friends and their grandmothers being scanned and exploited.
However, when you get closer to home, on your own personal computer, that's where I think that encryption really helps protect the individual. Because, at home (or on your laptop) you're more likely to have critical information about yourself or family members on your computer's hard drive. As mentioned earlier, it could be bank account numbers, medical information, tax returns, old love letters, or whatever else you can imagine. By using an encryption program, you put yourself in a better position with regard to security in a couple of ways. First, you might not always remember to securely erase files. By encrypting them, even if someone other than yourself gets ahold of the information, they don't have the password to access it. Second, most modern encryption programs do what's called "on-the-fly" encryption, which means that your raw information never even touches the hard drive. All of your information is encrypted before it's actually recorded to the drive. So, even if you don't securely wipe your drive of sensitive files, it won't much matter because it's encrypted anyway. Something to think about.
So, how does it work and where do you get ahold of good, solid encryption software? Well, there are a number of vendors that sell various programs that encrypt your information in a variety of ways and at different security levels. My advice to you is that you purchase none of them, and here's why I say that. Commercial encryption software cannot be relied upon because you don't know who made it, where it was developed, and whether or not they've installed a secret "back door" for themselves or another group or entity to use. Commercial software companies almost never reveal their programming code, so that means you or others can't study the code to see if a back door exists. Another reason I wouldn't purchase commercial encryption software is there is a piece of software out there right now that is probably the most powerful program you will find, and it's absolutely free. It's called TrueCrypt, and it will do just about anything any person or group would need done with encryption software when it comes to securing sensitive information. TrueCrypt is also open-source software that was developed by a number of individuals who publish the programming code to anyone that wants to review it. That means it's a completely open and transparent piece of code that can be inspected and relied upon not to have any of those secret back doors. You can trust in the knowledge that only you will have access to your private information.
TrueCrypt works in a number of ways and does several things very well, but we'll look at the first and simplest process so you can get a basic understanding of how it works. Once you install TrueCrypt on your computer, it will let you create a "Vault" on your hard drive where you want to store your critical information. Depending on the amount of information you want to store, you can specify the size you would like, whether it's 5GB, 10GB, or even 50GB of space. During the vault creation process, you also choose the password you would like to use. This is tougher than it sounds. To be really secure, you don't want to just use a word or a birth date. That's too easy. Even a phrase is not really secure enough because that could be broken with a dictionary attack. A dictionary attack is a program that will try words and combinations of words to try and crack your password. The most secure password is one that's just a completely random string of letters, numbers, and special characters. The tough part is being able to remember a password like that since it's completely random. Hope your memory is good!
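To put numbers on the difference between a dictionary word, a phrase, and a random string, here is an added example (not from the original article). The 100,000-word dictionary and the rate of one billion guesses per second are assumptions chosen for illustration, and the phrase figure is an upper bound, since phrases people pick themselves are more predictable than words drawn at random.

```python
import math
import secrets
import string

# Letters, digits and special characters: 94 printable symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=20):
    """Draw each character independently from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def bits_random(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def bits_phrase(words, dictionary_size):
    """Entropy of a phrase of randomly picked dictionary words.

    This is the space a dictionary attack has to walk through when it
    tries words and combinations of words.
    """
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate in a space of 2**bits at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(dictionary_size=100_000, guesses_per_second=1e9):
    """Return (label, entropy bits, years to exhaust) for three password styles.

    dictionary_size and guesses_per_second are assumed values, not measurements.
    """
    cases = [
        ("one dictionary word", bits_phrase(1, dictionary_size)),
        ("three-word phrase", bits_phrase(3, dictionary_size)),
        ("12 random characters", bits_random(12)),
    ]
    return [(label, bits, years_to_exhaust(bits, guesses_per_second))
            for label, bits in cases]


if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:22s} {bits:6.1f} bits  {years:.3g} years to exhaust")
    print("sample random password:", random_password())
```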
During the password creation process, TrueCrypt will also ask that you move your mouse around in a random fashion. This allows the program to "salt" your password choice with other random data to make it even more secure. Once this is done, you let TrueCrypt take over and after a short period, your vault is now in place. The vault is very easy to use. You simply make your vault active by selecting it and assigning a drive letter to it in the TrueCrypt program. After you do that, TrueCrypt "mounts" your vault so that it looks like a separate hard drive. You click on that hard drive icon, and you are now in the vault area where you can retrieve and store data like you would with your regular hard drives. You can copy, cut, and paste just like with any other Windows process. It's not complicated at all. That's it! That's all you have to do to have a secure place to store your personal information. But, one important thing to remember is that you must remember your password. If you forget it, you will not be able to access the files in the vault. You won't be able to contact a company to help you out, either. They can't get you into your own vault. And, it's probably best not to write your password down on a notepad beside your computer.
But, that's not all that TrueCrypt does. There are some people that want even more protection. Maybe they're worried about Windows swap files, temporary files, cookies, or their browser history. Even though their critical information is safe, maybe they don't want someone to know that they have resorted to online matchmaking or they want to be sure that no residual pieces of their critical information can be found in any of their system files. TrueCrypt has an answer for those people as well, and it's a doozy!
TrueCrypt will actually allow an individual to encrypt their entire system from stem to stern, including the actual operating system. That means that at the moment the computer is switched on, your password is required to go forward with the boot-up procedure. There is no way to bypass this password request either. You can't hit any of the Function buttons to get around it. In essence, the entire hard drive and all of its contents are one big encrypted package. This is different than the vault we talked about before because the vault is kind of a lock-box you can store on your hard drive with the rest of your programs and files. Encrypting your entire system means that nothing on your computer can be accessed. Period. Full end stop. Of all the options, this is by far the most secure method of protecting your private information. Not only can the third party not access your vault on a hard drive, they can't even get the system to boot up and work at all if you use the whole-drive encryption method. It truly is an amazing and powerful way for people to take charge of protecting their own information, and it doesn't require a doctorate in mathematics to get it to work. It's a particularly attractive option for those people that travel with their laptops for business since this method will keep third parties from opening email programs and accessing confidential or proprietary company information.
That said, the whole-drive encryption process is a little more risky, because you're no longer working with just your vault which is just a piece of your hard drive. You're locking up everything on your computer including programs, browsers, applications, and everything else you can think of. So, if you lose or forget your password, you are absolutely hosed. You just lost your copy of Photoshop or Audition, and any other expensive software that is only able to be used on one computer. So, think about it carefully before you employ this method of encryption. It's not a step to be taken lightly. If you do forget your password, the only thing you can do is reformat your entire hard drive and wipe out everything in the process. I'm not trying to scare you, but I want you to be informed. It's not a hard program to use in the least, but you have to remember your password! There is another potential advantage to whole-drive encryption as well. I say potential, because I haven't seen conclusive evidence of it. But, Steve Gibson, of the Gibson Research Center, stated that his computer's processing speed improved by up to 9% when using TrueCrypt's whole-encryption functionality. Usually, the encryption process can take a hit on system resources with similar programs, but he actually reported an improvement in processing speed. He said that he tried it a couple of times and got the same results. That was more than a year ago, and I haven't heard anything about it since, but it's another possible advantage that would make this method well worth considering.
With all of that functionality, TrueCrypt can also be used other ways as well. It can be used to create vaults (discussed above) on CDs or DVDs just like on hard drives. It can be used in similar fashion for USB thumb drives, which are very popular today for their convenience in allowing people to transport data back and forth between home and work. The advantage of using TrueCrypt on these different media is having secure back-ups of your information off-site. For instance, what happens if your home or business burns to the ground along with your personal computer? You've lost everything that was stored on it. However, by using TrueCrypt, you can store your critical information on a DVD and you can either keep it in a safe deposit box or send it to your attorney or another family member to hold for you. It doesn't hurt you in the least to do this since no one can read the information on the disc without your password. So, you don't have to worry about a third party having a second copy of your private information when you're trying to be prudent about having backups available off-site.
Remember when we talked about P.G.P. earlier? Well, that encryption method was developed for securely transmitting email. P.G.P. is an asymmetric cypher and works exceptionally well for that purpose. However, P.G.P. is not a very good option for file encryption because it is a very slow process and would utilize too many system resources to get the job done. Typically, emails are just text, and text can be contained in a very small file, and P.G.P. is actually focused more on verifying the user rather than just the content. So, it doesn't take a lot of work to get that encrypted. Whereas, other types of files that you'll want to make private could be more voluminous and much bigger in size. That's where the beauty of symmetric cyphers comes into play. Symmetric cyphers are much more efficient and streamlined in comparison to asymmetric cyphers. I won't get into all of the details because I don't really understand all of it, and it would be too hard to explain. However, I'll provide some reference material at the end of the article where you can go and get as in-depth as you like. Suffice to say, symmetric cyphers were designed specifically for encrypting files rather than encrypting transmissions. There are a number of symmetric encryption algorithms out there, and TrueCrypt will give you the option of which you would like to use. TrueCrypt offers the most current encryption algorithms including AES (Advanced Encryption System, also known as Rijndael), Serpent, and Twofish, none of which has ever shown any weaknesses to any type of attack. In fact, the description of how long it would take for every computer on the planet to break just one of these algorithms is utterly amazing. But, if you're a tin-foil-hat-wearing kind of person, TrueCrypt also lets you encrypt your data in multiple sequences such as AES-Twofish-Serpent, or Serpent-AES-Twofish, and so forth. To me, that's just way overboard, and not really necessary. 256-bit AES, by itself, is phenomenally strong and will work on its own for absolutely anyone. But, feel free to sequence-encrypt to your heart's content!
Yes, I think there's a little bit of wanna-be spy in all of us, and to me, the concept of encryption is fascinating. It actually dates back thousands of years, but it's much more commonplace today, and with good reason. With the digital age, our privacy and the security of our data is in more peril than ever. Never before has there been such ready access to people's private information as there is now, especially when you consider the number of databases out there cross-referencing material to collate information about everyone possible. So, while the topic is fun and a little mysterious, it is also very germane to the world we live in today. Becoming aware of and understanding these types of topics makes you better prepared to take steps to protect yourself and others in your family. Identity theft is rampant these days, and all it takes is a few numbers, a date of birth, and someone could ruin your credit record and/or impact your life significantly. I urge you to take the time to put these methods to work for you. I think you'll feel more secure in the long run, if you do.
References:
Steven Gibson has several podcast episodes about encryption and about TrueCrypt available on his weekly Security Now show. You can subscribe to Security Now via iTunes. You can also download the podcasts from his website, GRC. Besides the podcasts, Mr. Gibson also provides transcripts of his shows so you can pore over everything if you have that level of interest.
The episodes that deal with basic encryption knowledge and/or TrueCrypt include show numbers 30, 31, 33, 34, 35, 41, 107, 115, 123, 125, 133, 181, and 183. Besides these particular episodes, there are other shows that deal with other types of encryption for things like browser security, internet anonymity, VPNs and tunneling, and secure authorization on websites. His show and his site are a wealth of information, and if these types of topics interest you, I strongly encourage you to dig into the material he has provided.
In addition to the information GRC provides, there is also a page where you can generate your own cryptographically strong passwords. You can find the password generator here.
http://www.schneier.com/ Bruce Schneier is a recognized expert in the field of cryptography and developed Twofish and Blowfish.
We did an article that's somewhat related over at Woods Monkey when we talked about Corsair's Survivor USB Drive. If you transport data on one of these drives, this article may be worth checking out as well.