In the last part of our article series, we discussed why user passwords are not sufficient to protect your data on a stolen device. In our third article, we will take a deeper look at the various encryption solutions offered by different manufacturers.
Let us take a closer look at how operating system manufacturers handle data encryption. Their approaches differ greatly.
Note: Apple and Google automatically encrypt stored data in their current operating systems, iOS and Android. The encryption is not only activated automatically but is also completely transparent to the end user.
The picture is different for standard computer operating systems. Because laptops running Windows and macOS have such a high market share, we will concentrate on those.
Apple lets users encrypt stored data with the pre-installed program FileVault on all current macOS devices. The application is available at no additional cost and can be activated with a few clicks. As with Android and iOS encryption, it is completely transparent to the end user and not noticeable in daily use.
The situation is different on Windows. Companies running Microsoft's operating system often use the pre-installed tool BitLocker. One advantage of BitLocker is that system encryption can generally be made fully transparent by using a hardware component called the Trusted Platform Module (TPM). With this approach, the user's everyday work is not affected.
In addition, BitLocker makes it possible to increase security with an additional password, which is requested when the operating system starts.
A big disadvantage of BitLocker, however, is that it is not available in the Home edition of Windows, which is the default edition for private users. To make the encryption technology accessible to everyone, Microsoft introduced a feature called Device Encryption with Windows 8.1. This feature can encrypt operating system drives in the same way as BitLocker, but Microsoft has imposed some restrictions. In addition to extended hardware requirements, it is not possible to request an additional password when the operating system starts. Furthermore, the so-called recovery key, which can provide full access to the encrypted drive, is compulsorily stored either in a connected domain or with Microsoft via a Microsoft account. The first case, however, rarely applies to private users.
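The difference between transparent TPM unlock and an additional startup secret can be checked on a given machine. The following PowerShell script is an added example, not part of the original article: it assumes an elevated session with the BitLocker PowerShell module available, the helper name `Get-UnlockMode` is hypothetical, and treating the `TpmPin`, `TpmPinStartupKey` and `Password` protector types as the "additional password" described above is this example's interpretation.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): report how each BitLocker volume unlocks.

function Get-UnlockMode {
    # Hypothetical helper: maps a volume's key protector types to an unlock mode.
    param([string[]] $ProtectorTypes)

    if (-not $ProtectorTypes -or $ProtectorTypes.Count -eq 0) {
        return 'No key protector'
    }
    # Protector types that require the user to enter a secret before Windows starts
    $secretTypes = 'TpmPin', 'TpmPinStartupKey', 'Password'
    if ($ProtectorTypes | Where-Object { $_ -in $secretTypes }) {
        return 'Secret requested at startup'
    }
    # TPM releases the key on its own: encryption is transparent to the user
    if ($ProtectorTypes -contains 'Tpm') {
        return 'Transparent (TPM only)'
    }
    return 'Other (' + ($ProtectorTypes -join ', ') + ')'
}

Get-BitLockerVolume | ForEach-Object {
    # Collect the protector type names, e.g. Tpm, TpmPin, RecoveryPassword
    $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    [pscustomobject]@{
        MountPoint     = $_.MountPoint
        VolumeType     = $_.VolumeType
        VolumeStatus   = $_.VolumeStatus
        Protection     = $_.ProtectionStatus
        UnlockMode     = Get-UnlockMode -ProtectorTypes $types
        # A recovery password exists on the volume; this does not show where
        # a copy of it is stored (domain, Microsoft account or elsewhere).
        HasRecoveryKey = $types -contains 'RecoveryPassword'
    }
} | Format-Table -AutoSize
```

An operating system volume that reports `Transparent (TPM only)` unlocks without any user input at startup, which is the configuration the article describes as fully transparent.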
So, we can see that the two big operating system manufacturers in the notebook segment both offer solutions for encrypting stored data. However, all of the solutions presented so far have a considerable disadvantage from a security point of view: they are not open source.
This means that the actual functionality and mode of operation of the tools are known only to the manufacturers themselves. External parties cannot easily check the source code. Publishing the source code would enable experts to review it, find possible implementation errors or security gaps, and report them to the manufacturer. It would also make transparent to the outside world how the programs work, and speculation about technically possible backdoors would end immediately.
Accordingly, publishing the source code would not only increase security, but also inspire confidence among users.
To overcome this problem, a growing amount of third-party software replaces the functionality of FileVault and BitLocker and tries to bring transparency to the field of encryption software by being open source. One of these applications is a program called VeraCrypt. What advantages VeraCrypt offers and what e2 Security has to do with it will be the subject of the next article of this series.
In the last article of this series, we looked at the different encryption systems that Microsoft and Apple offer their users for encrypting data on mobile devices. We noticed that although workable solutions are offered, there is one fundamental disadvantage: all of them are so-called closed-source solutions. The source code remains with the manufacturer and is not made publicly available.
Although this approach is a good way to protect the manufacturer's intellectual property, it has some disadvantages from a security point of view. For example, experts can check the implementation of the encryption algorithms only to a very limited extent, which makes it hard to detect possible implementation errors at an early stage.
Third-party providers are addressing this issue by offering independent solutions for encryption. One of these alternatives, widely used in specialist circles, is the VeraCrypt software. The goal of VeraCrypt is to provide a free open-source application that allows users to encrypt all kinds of data on their devices.
Even though VeraCrypt sounds like the perfect solution, the application is not very user-friendly for the average user and is therefore challenging for non-experts.
VeraCrypt was developed by IT security professionals who focused on overcoming the security challenges discussed above. As a consequence, usability was not a priority. To be as flexible as possible and to let users adapt the solution to their own needs, the developers offer numerous configuration options during the setup process. These range from the selection of the encryption algorithm to the selection of the hash algorithm to the selection of the so-called Personal Iterations Multiplier (PIM).
For experts, this diversity is an opportunity to adapt the implementation to their own needs in the best possible way. Average users, however, are often overwhelmed by the choice of correct settings and by the technical descriptions. To make the software, and with it free open-source encryption software in general, usable for a broad audience, usability must therefore be improved.
e2 Security, a professional company for cybersecurity and digital transformation programs, wanted to promote the use of VeraCrypt as the best available open-source encryption solution on the market and decided to support the further development of the VeraCrypt project. In collaboration with the Ruhr University Bochum, e2 Security developed a revised user interface that improves the user experience of the setup process and of configuring secure default settings. The user interface has been fundamentally redesigned and simplified to improve the experience for average users and encourage them to use it. This goal was achieved thanks to the great collaboration with the university and by taking research results in the areas of security and usability into account. Now, even non-technical users can choose the required settings and complete the process successfully with minimal effort. For this purpose, secure selections were predefined and the corresponding menus restructured. To preserve the strength of VeraCrypt, an advanced options menu was introduced, which continues to provide the familiar customization options for experts. Thus, with our proposal for the further development of VeraCrypt, we managed to significantly reduce the complexity of the setup wizard and to significantly shorten the setup process.
VeraCrypt basically distinguishes between three different types of encryption:
- the encryption of operating system drives
- the encryption of non-operating system drives
- the creation of encrypted containers for individual files and folders
Because of the project scope, we started by simplifying the encryption of operating system drives. As soon as the new solution is available to all users, we will investigate whether the community accepts the new process, in order to further simplify all other encryption options within VeraCrypt.
We, as e2 Security, are firmly convinced that two components are always required for a successful security measure:
First, a technically effective and secure implementation is mandatory. Second, the solution must be simple for end users to use with little effort. The goal must therefore be to make applications such as VeraCrypt as easy and simple as possible for everybody, in order to increase user acceptance.
e2 Security would like to thank all those who supported the project. We would like to thank Pius Ganter for his preliminary work in his master's thesis. We would also like to give special thanks to Mounir Idrassi from the VeraCrypt project, as well as to the Chair of Human-Centered Security at the Ruhr University Bochum, which provided us with the latest knowledge on user experience in the area of security and gave significant support in the implementation of the project.
An official pre-release version of VeraCrypt including the new interface is now available at: https://github.com/veracrypt/VeraCrypt/pull/957 . We are happy to receive any kind of feedback.