Viewing 34 posts - 1 through 34 (of 34 total)
  • Computer people: What exactly is encryption?
  • SaxonRider
    Full Member

    I have an external hard drive that I once accidentally set to self-encrypt, a process I tried valiantly to stop once it had started, but failed.

    In any case, the encryption process eventually finished, so the hard drive is ostensibly encrypted, but when I plug it in to use, the fact that it is encrypted appears to make no difference. I can still just plug it in and use it.

    So what exactly is encryption? How should it manifest itself? Shouldn’t I have to… I don’t know… enter a password or something? I mean, if MI5 wanted to see all my past academic work (because it is so riveting), should they have to need a team of encryption breakers?

    I don’t get it.

    wwaswas
    Full Member

    You just need the right #hashtags to read it.

    Tom_W1987
    Free Member

    Maybe the code is based on the hardware it was encrypted from – and so readable from that device?

    If it’s in your head, it’s vulnerable – if you don’t actually know the code, intelligence agencies can’t waterboard it out of you.

    CHB
    Full Member

    My son is doing a degree in Maths and could probably explain this better, but on one of the open days we visited (Liverpool) the professor explained encryption, so here is my cack handed dad explanation. Imagine you get a number, a REALLY big number…say 300 digits long. Then you get another “random” number, also say 300 digits long. Multiply them together and you have an even bigger number.
    Now if you have this even bigger number by itself, trying to work backwards to which two 300 digit numbers can make it is a MASSIVE computer power requirement. So modern encryption relies on the sender having one of the 300 digit numbers, and the receiver having the other 300 digit number and the message carrying the even longer number.
    Anyone intercepting the message will be able to take this bigger number needed to decode the message, but unless they have either of the 300 digit numbers OR lots and lots of computer power then they can’t decrypt.

    molgrips
    Free Member

    What device is it?

    I expect that the computer into which you plug it already knows the key.

    Although whilst we are on the subject – my work computer asks me for a password as soon as it boots, which it then uses to decrypt the drive as it works. My Surface with W10 Professional uses bitlocker, and it doesn’t do this. I don’t put in my password until it’s booted. So how can the drive be encrypted?

    mattyfez
    Full Member

    Yeh plug the drive into a different computer, then see how far you get.

    molgrips
    Free Member

    So how can the drive be encrypted?

    Ah.. TPM – trusted platform module. It generates and stores encryption keys. I suspect that if SaxonRider is using his Surface, that’s what’s happening. If he plugs it into a different computer he’ll probably get asked for a password.

    torsoinalake
    Free Member

    So how can the drive be encrypted

    The keys are stored in the hardware.

    Dry technical explanation here:
    https://blogs.technet.microsoft.com/askpfeplat/2014/07/13/bitlocker-pin-on-surface-pro-3-and-other-tablets/

    Edit: didn’t see your post, but yes, TPM.

    DiscJockey
    Free Member

    My advice would be to get a copy of all the data you have on this external disk before it becomes irretrievable – then take your time to understand how it works before placing data back on it.

    Are you willing to disclose the make and model of this device ? I’m sure there’s a simple explanation.

    When you first used this storage device on your PC, did you have to install any software with it, or perform any sort of ‘key’ exchange ?

    The part I don’t quite understand is how it is apparently encrypting the disk, yet hasn’t asked you to create a passphrase. Can you clarify what you mean by ‘self-encrypt’ as it’s highly unlikely it’s a true self-encrypting disk.

    vorlich
    Free Member

    If you want a more gentle introduction to cryptography, try Simon Singh’s The Code Book.

    SaxonRider
    Full Member

    Are you willing to disclose the make and model of this device?

    Yes, it’s a Verbatim 53027 500GB hard disc. And molgrips is right: I’m using it on my Surface Pro.

    GrahamS
    Full Member

    Are you willing to disclose the make and model of this device?

    I think, from the post, that the encryption is via the software (Windows 10 presumably) rather than any hardware-based encryption specific to the drive.

    Is that correct OP?

    SaxonRider
    Full Member

    Is that correct OP?

    You’re asking me?!? I’m a flaky humanities nerd.

    Actually, iirc, there was some sort of programme on the disc itself that I double clicked on a few months ago. This initiated the encryption process, and once it had started, there was no way to stop it. It actually took many weeks to finish, as I would pause the process as soon as I started up and the computer tried to read the disc.

    One day I missed it, though, and the process managed to finish, thereby encrypting the disc completely. But, as I say, I have never had to do anything to the disc to read it. I just plug it into my Surface Pro, and it works. Which is why I wondered what encryption was actually all about.

    dissonance
    Full Member

    Which is why I wondered what encryption was actually all about.

    It is about making the text (for convenience but can be other things) unreadable without applying a conversion process to it.
    Really weak encryption would be something like rot 13 where every character is shifted by 13 letters. So a becomes n which means fb hayrff lbh fuvsg vg onpx vg qbrfag znxr frafr.
    It then gets more complicated and fun from there.

    As others have said if you plug that drive into a different device they won’t be able to find anything useful on it.

    molgrips
    Free Member

    I have never had to do anything to the disc to read it.

    The key has been automatically generated and stored *in the Surface Pro*.

    If you plug it into another PC, it either won’t work or will ask you for a password.

    Cougar
    Full Member

    I’m too tired to give a proper reply but,

    If you want a more gentle introduction to cryptography, try Simon Singh’s The Code Book.

    Everyone with a passing interest in encryption should read this, it’s brilliant. If nothing else, it explains why the government wanting to “ban encryption” is a folly.

    chiefgrooveguru
    Full Member

    I read an excellent explanation of double handshake encryption as it being like padlocking a box shut, giving someone the box, them adding their own padlock so there are two locks side by side, them passing it back to you, you removing your padlock and passing it back to them, and then finally them removing their padlock and opening it.

    The box never travels unlocked and the keys do not have to travel either. Cunning.
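
The two-padlock exchange described in the post above is known as Shamir's three-pass protocol. The sketch below is an added example, not something posted in the thread; the modulus `P` and the function names are chosen for illustration, and it uses modular exponentiation as the "padlock" because XOR, the obvious commutative choice, leaks the message to anyone who records all three passes.

```python
import math
import secrets

# Public prime both sides agree on (2**127 - 1 is a Mersenne prime).
# Constructed for the demo: limits the message to 15 bytes.
P = 2**127 - 1

def make_padlock():
    """Return (lock, unlock) exponents with lock * unlock = 1 mod (P - 1)."""
    while True:
        lock = secrets.randbelow(P - 3) + 2
        if math.gcd(lock, P - 1) == 1:
            return lock, pow(lock, -1, P - 1)

def three_pass(message: bytes):
    """Run the exchange; return what crossed the wire and what B recovers."""
    m = int.from_bytes(message, "big")
    if not 0 < m < P:
        raise ValueError("message must encode to an integer in 1..P-1")
    a_lock, a_unlock = make_padlock()   # never leaves A
    b_lock, b_unlock = make_padlock()   # never leaves B
    pass1 = pow(m, a_lock, P)           # A -> B: A's padlock on
    pass2 = pow(pass1, b_lock, P)       # B -> A: both padlocks on
    pass3 = pow(pass2, a_unlock, P)     # A -> B: only B's padlock left
    opened = pow(pass3, b_unlock, P)    # B removes its own padlock
    return [pass1, pass2, pass3], opened.to_bytes(len(message), "big")

def xor_three_pass_leak(message: bytes) -> bytes:
    """Same exchange with XOR padlocks: return what an eavesdropper computes."""
    def xor(s, t):
        return bytes(i ^ j for i, j in zip(s, t))
    a = secrets.token_bytes(len(message))
    b = secrets.token_bytes(len(message))
    pass1 = xor(message, a)             # m ^ a
    pass2 = xor(pass1, b)               # m ^ a ^ b
    pass3 = xor(pass2, a)               # m ^ b
    return xor(xor(pass1, pass2), pass3)  # the keys cancel, leaving m

if __name__ == "__main__":
    wire, opened = three_pass(b"box contents")
    print(opened, xor_three_pass_leak(b"box contents"))
```

Nothing in the exchange tells A whose padlock came back on the box, so on its own it provides secrecy against a passive listener but no authentication.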

    Cougar
    Full Member

    I read an excellent explanation of this kind of encryption used for everything

    You’ve just described public key encryption. If you want a wholly accessible explanation of this, along with why we need it, in what is ostensibly a Young Adult story you should read Cory Doctorow’s “Little Brother.” Wholly appropriately, the ebook is free from his site. http://craphound.com/littlebrother/download/

    SaxonRider
    Full Member

    The key has been automatically generated and stored *in the Surface Pro*.
    If you plug it into another PC, it either won’t work or will ask you for a password.

    Jeez. So I guess I really should take all the files I want to have access to, and re-save them somewhere else then. 😯

    GrahamS
    Full Member

    Pretty sure there should be an option somewhere to unencrypt the drive, but without knowing exactly what program it was it is hard to advise you.

    FuzzyWuzzy
    Full Member

    You’ve just described public key encryption

    Not really, there’s a bit more to PKI than that, the box and padlock analogy only requires private keys.
    It would be more like PKI if person B distributed padlocks that only he had the key to and person A used that padlock on the box (but this still falls well short of the PKI mechanism). I guess the authentication part could be provided by person A using a second padlock that somehow only they could have closed but anyone can open using a key person A has publicly distributed (but using padlocks in an encryption analogy like this makes my brain hurt).

    molgrips
    Free Member

    Jeez. So I guess I really should take all the files I want to have access to, and re-save them somewhere else then.

    I’d expect there’d be a way to unlock it from another computer, otherwise as you say it’d be a bit pointless.

    Having googled it a bit, it seems there’s a bitlocker control panel item that you can use to unlock drives that were encrypted on a different PC.

    dissonance
    Full Member

    I’d expect there’d be a way to unlock it from another computer, otherwise as I say it’d be a bit pointless.

    Depending on how it was done (sounds a bit like bitlocker) generally you would have a recovery key or be able to download a recovery file. However if they weren’t paying attention during that encryption phase might be a pain to get that.

    dissonance
    Full Member

    Not really, there’s a bit more to PKI than that, the box and padlock analogy only requires private keys.

    It’s referring to the SSL handshake as opposed to encryption as such.

    deadkenny
    Free Member

    Will most likely be Windows built in encryption. Modern systems have hardware support for it and Windows 10 systems ship with it turned on and encrypts the main drive. Known as Device Encryption.

    For conspiracy theorists, out of interest it applies to those who use a Microsoft account to log in and it’s said the keys are uploaded to their servers. It’s intended for recovery purposes supposedly.

    Then you have BitLocker in the pro/enterprise editions of Windows. That lets you encrypt any drive or partition, including external drives. It is based on the TPM chip, which will generate and store the key so it’s not required when using the drive on the same device. Make hardware changes to the device and it might force you to use a password. Likewise when you use it on another device.

    DiscJockey
    Free Member

    I’ve used Device Encryption and BitLocker, but I’ve always had to use a passphrase with them, hence the reason I think the OP needs to move his data back onto the Surface, and set up the external drive again – at which point I’d hope he is prompted to create a passphrase (I’m almost guessing he did this before but didn’t realise/forgot it).

    Sure, the cryptographic mechanism may be built into hardware on the Surface (and not via software residing on the external drive), but that shouldn’t prevent the external drive data being accessed when plugged into another computer/tablet, provided that the correct passphrase is known. Otherwise you’d lose all your data if the Surface died or was lost – which is arguably just as likely to happen with the storage device – so why double the risk of data loss? Bitlocker encryption of portable storage devices isn’t supposed to be ‘tied down’ to an individual computer. If there is an option to do this (and I’ll understand its merits) I wouldn’t advise it. Stick to normal BitLocker encryption (or VeraCrypt) and use a passphrase – keep the storage device portable.

    squirrelking
    Free Member

    I take it Veracrypt is what eventually became the successor to Truecrypt? (I understand it’s based on the last version but IIRC there were a few forks)

    deadkenny
    Free Member

    VeraCrypt is a fork of TrueCrypt and supposedly audited to address known vulnerabilities in TC, but the original concern by the anonymous authors of TC that led to them advising people to stop using it, is undetermined. I’d be concerned that despite the audits there’s a well hidden back door in there.

    Not that you could necessarily trust Microsoft to not have back doors in theirs either.

    On top of that, VC/TC is a red flag to authorities to indicate you are likely hiding stuff of interest, as it’s the “plausible deniability” aspect of it that’s used primarily by criminals.

    BitLocker encryption just indicates you probably have personal or corporate data encrypted.

    Cougar
    Full Member

    On top of that, VC/TC is a red flag to authorities to indicate you are likely hiding stuff of interest, as it’s the “plausible deniability” aspect of it that’s used primarily by criminals.

    “Oh, that? It’s my porn collection, I don’t want the wife finding it.”

    thisisnotaspoon
    Free Member

    Some drives are encrypted by default because it takes no effort to do if it has hardware encryption (i.e. there’s a chip in there taking your data and encrypting it as quickly as the disk can write, which in an SSD is very quick).

    The ones we use then have several options as to how well protected the key is, the first level is basically leaving the key in the door (it’s on the drive), plug it into a PC and the PC can see all the data. It then goes up from there, leave the key under the mat (in the disk BIOS, which may or may not make much effort to hide it), on the PC, or another piece of hardware (e.g. the key is on a USB stick, that itself is encrypted and password protected).

    The encryption bit is actually the easy to understand part (it’s just multiplying data by numbers), the hard bit is then hiding the key in such a way that it’s usable.

    The really useful bit for us though is if we want to wipe a disk’s information all we have to do is delete the key. So when it comes to erasing and formatting drives between jobs the SSD (which have hardware encryption) take seconds each and the information on the disk just becomes garbage with a new key, the magnetic drives take hours because it has to write a whole disk of zero’s!
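
The key handling described in the post above (key left on the drive, key protected by something the user supplies, and wiping by discarding the key) can be modelled in a few lines. This is an added example, not code from the thread or from any drive vendor: the `Drive` class and its methods are hypothetical, and the toy HMAC-based stream cipher only stands in for the drive's hardware cipher.

```python
import hashlib
import hmac
import secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter mode) standing in for the
    drive's hardware cipher; it reuses its keystream, so demo use only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(d ^ p for d, p in zip(data[off:off + 32], pad))
    return bytes(out)

class Drive:
    """Hypothetical self-encrypting drive: data key (DEK) plus optional wrap."""
    def __init__(self):
        self.dek = secrets.token_bytes(32)   # "key left in the door"
        self.salt = secrets.token_bytes(16)
        self.wrapped = self.check = None
        self.media = b""                     # what is physically stored

    def _key(self) -> bytes:
        if self.dek is None:
            raise PermissionError("drive is locked")
        return self.dek

    def write(self, data: bytes) -> None:
        self.media = keystream_xor(self._key(), data)

    def read(self) -> bytes:
        return keystream_xor(self._key(), self.media)

    def _kek(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 200_000)

    def set_passphrase(self, passphrase: str) -> None:
        """Wrap the DEK under a passphrase-derived key and forget the plain DEK."""
        self.check = hashlib.sha256(self._key()).digest()
        self.wrapped = keystream_xor(self._kek(passphrase), self.dek)
        self.dek = None

    def unlock(self, passphrase: str) -> bool:
        candidate = keystream_xor(self._kek(passphrase), self.wrapped)
        ok = hmac.compare_digest(hashlib.sha256(candidate).digest(), self.check)
        self.dek = candidate if ok else None
        return ok

    def crypto_erase(self) -> None:
        """Replace the DEK: the media is untouched but no longer decryptable."""
        self.dek, self.wrapped, self.check = secrets.token_bytes(32), None, None
```

A freshly created `Drive` reads back without any prompt, which matches the behaviour the original poster saw; only after `set_passphrase` does a reader need something the drive itself does not hold.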

    squirrelking
    Free Member

    it has to write a whole disk of zero’s

    Doing well up until then 😉

    chomp
    Free Member

    this explains public key encryption quite nicely (although as explained above your machine isn’t really doing this)

    http://www.bbc.co.uk/programmes/p04vqrwy

    NZCol
    Full Member

    I’m technically a cryptographer*. Simplest answer is it’s a process of changing data using an algorithm and a special key – the combination of which make it mathematically improbable to guess or derive the source data without that exact key. Or something like that, it’s been a while.

    *I did pure maths and comp sci and wrote crypto algorithms for a job.

    DiscJockey
    Free Member

    thisisnotaspoon – nice explanation that 😉

    I think the OP doesn’t need to worry about what encryption is…it’s key management that’s the issue.


The topic ‘Computer people: What exactly is encryption?’ is closed to new replies.