16

There were similar questions, like "How to secure a laptop against thieves".

But my question is different.

I have family images, documents, some personal videos, etc. (around 500 GB).

I have backups. So even if my laptop were stolen I can get all my data.

But my data should not go to others. I have currently set a Windows password... But a thief can boot my laptop via Linux and then can access the files.

So what can I do to protect my data even if my laptop is stolen?

psmears
  • 496
  • 3
  • 8
  • 13
    encrypt the whole partition – Ipor Sircer Dec 04 '17 at 10:38
  • 3
    Assuming your laptop does not contain the latest nuclear war details then encrypting the hard drive should be sufficient enough to deter people from getting into your files because it is much easier to just reformat and re-install Windows in the eyes of the thief. – MonkeyZeus Dec 04 '17 at 13:22
  • Use [Large Capacity Thumb Drives](https://www.newegg.com/Product/ProductList.aspx?Submit=Property&Subcategory=522&N=100007960%20600416960%20600564984%20601294610&IsNodeId=1&IsPowerSearch=1)? Expensive but portable. Can't get data off of your laptop... if the data isn't on your laptop. – WernerCD Dec 04 '17 at 14:18
  • @WernerCD Portable HDD (and I mean the truly portable ones, not the one requiring a power outlet) are a lot cheaper and can be about as big as normal HDD. Probably a better alternative. –  Dec 04 '17 at 18:28
  • Essentially, there is not much you can do if someone has physical access and knows what they are doing. However, the consensus in the security world is ENCRYPTION WORKS. Heed the encryption advice and learn how to implement it properly. I do not use encryption but I personally just minimize my mobile data profile. Data is available mobily, but the data is not primarily, if at all, stored on the mobile device. The more important it is, the less it is available mobily, not even cloud in some cases. We use both a personal (e.g. Resilio Sync) cloud and hosted (e.g. Dropbox) cloud. – Damon Dec 04 '17 at 19:07
  • Encrypt with two layers. One at boot filesystem level and one OS level for your user. If you are feeling really paranoid add a few extra layers with truecrypt or similar software. But just make damn sure you know all passwords reeeally well. – mathreadler Dec 04 '17 at 21:42
  • @Mast yeah, my link was thumb drives - and a 1TB USB HDD/SSD is going to cost less than a 1TB thumb drive. A USB [Samsung SSD 500gb](https://www.amazon.com/Samsung-T3-Portable-SSD-MU-PT250B/dp/B01AVF6UQQ?th=1) is only 200. I was thinking 500gb thumb drives but should have considered the bigger but only slightly less portable versions that aren't an arm and a leg for 500gb+. – WernerCD Dec 05 '17 at 13:04

2 Answers

39

Encrypt your hard disk.

On Windows you can do it using BitLocker and on Linux there is also a native tool to encrypt the hard disk.

jcbermu
  • 17,278
  • 2
  • 52
  • 60
  • 5
    Likewise on a mac it's a built in feature called FileVault - see https://support.apple.com/en-gb/HT204837 on how to enable it. IMHO it should be on by default on all systems these days. – Ralph Bolton Dec 04 '17 at 12:17
  • 5
    Also encrypt your backups, there's nothing more silly than an impenetrable computer with unencrypted backups all over the place. – zakinster Dec 04 '17 at 15:04
  • 1
    Alternative freeware: VeraCrypt –  Dec 04 '17 at 15:40
  • 4
    @zakinster Encrypting the laptop and encrypting the backups are two completely orthogonal solutions, to protect from different threats. – pipe Dec 04 '17 at 15:57
  • 3
    @pipe when the backup is an HDD that lies in the front pocket of the laptop case or in the first drawer under the desktop computer, that may very well be a second attack vector for the very same threat. As for the solutions, most (BitLocker, FileVault, VeraCrypt, etc.) can handle both full disk *and* external backup encryption. – zakinster Dec 04 '17 at 16:07
  • 2
    @zakinster that's not a backup.... that's an accident waiting to happen. That said, encrypting any copies of the data is a good idea; however, it's not within the scope of the question. – djsmiley2kStaysInside Dec 04 '17 at 16:37
  • 2
    I don't encrypt my backups. I want those backups accessible, even if I've passed away, lost my memory, or the bits have rotted. The backup disks are under lock and key. **Your threat model may vary from mine.** – dotancohen Dec 04 '17 at 19:21
  • Isn't BitLocker for Windows Pro versions only? Or am I thinking of folder encryption? – Reactgular Dec 04 '17 at 19:28
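
An added example, not part of the answer or its comments: a PowerShell check that reads the properties `Get-BitLockerVolume` reports and flags volumes whose files would still be readable when the disk is mounted from another OS, including an external backup disk like the one raised in the comments. The function name `Get-AtRestFinding` and the sample volumes are constructed for illustration.

```powershell
# Added example: flag volumes that a thief could still read offline.
# Input objects need the properties that Get-BitLockerVolume returns.
function Get-AtRestFinding {
    param([Parameter(ValueFromPipeline)] $Volume)
    process {
        $issues = @()
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $issues += "not fully encrypted ($($Volume.EncryptionPercentage)%)"
        }
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            # 'Off' covers "never enabled" and "suspended"; while suspended,
            # the volume key sits on the disk in the clear.
            $issues += 'protection is off'
        }
        # Filter out $null so a missing protector list counts as zero.
        $protectors = @($Volume.KeyProtector | Where-Object { $_ })
        if ($protectors.Count -eq 0) {
            $issues += 'no key protector'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Type       = "$($Volume.VolumeType)"
            Ok         = ($issues.Count -eq 0)
            Issues     = $issues -join '; '
        }
    }
}

# Constructed sample data (not output from a real machine).
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'
        VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        EncryptionPercentage = 100; KeyProtector = @('Tpm', 'RecoveryPassword') }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'
        VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off'
        EncryptionPercentage = 100; KeyProtector = @('RecoveryPassword') }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'Data'
        VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'
        EncryptionPercentage = 0; KeyProtector = @() }
)

$sample | Get-AtRestFinding | Format-Table -AutoSize -Wrap

# On a real system, from an elevated prompt:
#   Get-BitLockerVolume | Get-AtRestFinding
```

With the sample data, only `C:` comes back with `Ok = True`; `D:` is encrypted but suspended, and `E:` (standing in for a backup drive) is not encrypted at all.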

4

In addition to encrypting the hard disk (which should be the primary answer), you can also minimize exposure by relying more on resources stored elsewhere. Use cloud storage, or connect to a VPN for files stored at your workplace, rather than saving them directly on the device. A remote desktop services environment is also very good for this.

This reduced data loss exposure from device theft is one reason (among several) businesses have been so willing to move to cloud environments. I also know of at least one large business that is transitioning to Chromebooks for this reason. They still have a primarily Windows environment where the Chromebooks just connect to RDS for everything. Suddenly a lost device is much less of a big deal for them; it's only $200 to replace the device and there's no significant data breach risk.

You can also get remote management tools for laptops that will do lockouts and even encrypt or destroy data after the fact, but these are much less robust. It's too easy to just remove a hard drive from a laptop and plug it in as a guest in a different system. Then the lockout tool never runs and you can exfiltrate whatever data you want.

Joel Coehoorn
  • 28,098
  • 14
  • 88
  • 133
  • 1
    +1 for putting everything in cloud storage. The best way to protect your data in case of laptop theft is for it to **not be stored on the laptop in the first place!** – Eric Seastrand Dec 04 '17 at 20:20
  • 1
    However, significant thought and design has to be put in to architecting safe, secure and legally compliant cloud storage for devices not storing data locally. There have been too many embarrassingly large breaches involving private datasets leaked out to the public recently that might never have happened in an offline storage scenario. – Chris Woods Dec 04 '17 at 20:55
  • 1
    @Eric: what if the cloud service gets hacked? – mathreadler Dec 04 '17 at 21:55
  • The OP is worried about third parties getting access to his data, and your solution is to upload the data to a third party. – Jörg W Mittag Dec 04 '17 at 22:05
  • 2
    @mathreadler While a real concern, and something that does happen, it actually happens a lot less often than laptops being stolen. Also, cloud is one option for not storing data on local laptops. I also mention RDS and VPN, which aren't exactly 3rd party. – Joel Coehoorn Dec 04 '17 at 22:28