Talk to me about... encryption on my PC

14 Posts
6 Users
0 Reactions
517 Views
Posts: 5916
Full Member
Topic starter
 

I work for myself, and my 'work' laptop is also my 'everything' laptop. I'm belatedly realising I need to do better at IT security - and specifically thinking of encryption, so if I lose the laptop, at least the essentials are protected. It's an Asus laptop (helpfully, no TPM settings in BIOS, even though Windows says it's TPM ready), with an SSD and W11. 

Bitlocker could be an option, but even getting Device Encryption working seems a long shot given the error messages W11 is throwing. And frankly deleting my entire drive, turning on encryption, and then doing a clean install of everything, is a bit much right now. 

So I'm wondering about partition/ container type encryption - putting all the datafiles into that so they're encrypted when not in use. But I know next to nothing about it, how practical it is/ how it'll affect performance/ etc etc. 

Sooo.... any pointers/ guidance/ recommendations?

Posted : 18/11/2025 10:08 am
Posts: 77721
Free Member
 

What exactly are you protecting against?  Define the risk.

If you lose your laptop, where are your backups?

Posted by: nicko74

And frankly deleting my entire drive, turning on encryption, and then doing a clean install of everything, is a bit much right now. 

On the upside, Bitlocker is a tickbox, it's not 20 years ago.

On the down, it's only on Pro / Enterprise versions of Windows.

Posted : 18/11/2025 11:33 am
Posts: 5916
Full Member
Topic starter
 

Backups are around - cloud, NAS, HDD etc. Encryption is mainly that my work files are probably not something I'd want easily accessible to any scrote who nicked my laptop. 

The other downside of Bitlocker is it's a ballache. "PCR7 not binding", "Un-allowed DMA-capable garble garble"; TPM is available but not actually available in any BIOS setting I can find - it's all way beyond the average consumer's ability to align the tickboxes just so, so that MS software will actually do what it's damn well supposed to.

Posted : 18/11/2025 11:37 am
Posts: 6276
Free Member
 

It depends on what you encrypt. You can encrypt the whole PC or you can encrypt specific bits.

A third party app like Veracrypt seems to be pretty reliable for files, folders, partitions and devices, or you could go to Linux and have full disc encryption, although some people only recommend encrypting at "Home" (User) folder level.

Posted : 18/11/2025 12:36 pm
Posts: 77721
Free Member
 

Posted by: nicko74

The other downside of Bitlocker is it's a ballache. "PCR7 not binding", "Un-allowed DMA-capable garble garble"; TPM is available but not actually available in any BIOS setting I can find - it's all way beyond the average consumer's ability to align the tickboxes just so, so that MS software will actually do what it's damn well supposed to.

Well, yes, but,

You're enabling security features.  Those messages are saying that there's a problem which is preventing it from being as secure as it could be.  Outdated UEFI, third party untrusted layers, that sort of thing.

It may well be non-trivial to resolve - it's certainly not something I'd undertake without it being in front of me - but the alternative is the equivalent of spending £100 on a secure ABS lock for your front door and having a thumb turn on the back of it.

In any case,

Posted by: nicko74

Encryption is mainly that my work files are probably not something I'd want easily accessible to any scrote who nicked my laptop. 

It's unlikely that your average scrote is going to be interested in your work.  Your pr0n stash, maybe.  If someone's pulling the drive and mounting it in a donor machine to access your data, you're being actively targeted and that's a different scenario from "I left my laptop on the train."

Posted : 18/11/2025 1:11 pm
Posts: 5916
Full Member
Topic starter
 

Yeah, I'm leaning towards encrypting specific bits; using something that works in a relatively straightforward way in Windows. Reddit suggests VeraCrypt is pretty popular, but I'd be happy going for something less focused on power users(?).

Posted : 18/11/2025 1:13 pm
Posts: 2635
Full Member
 

If your work files are sensitive, why are they on your laptop and not on your work's servers/cloud behind your work's firewall/security, where you access and work on them? Work is then also responsible for backups etc. This is always how I've worked for many years now: downloading stuff onto laptops, personal or otherwise, is a big no-no.

Apologies if the terminology above is not 100% correct, but I'm primarily a finance rather than IT person - but you get the gist.

Posted : 18/11/2025 1:28 pm
Posts: 5916
Full Member
Topic starter
 

...cause work is me, and the work IT department is me! 😆 

Also cause I work wherever; I haven't had a proper holiday for years, but I have done work in lots of very interesting places!

Posted : 18/11/2025 1:52 pm
Posts: 77721
Free Member
 

Posted by: olddog

If your work files are sensitive why are they on your laptop and not on your work's servers/cloud behind your work's firewall/security where you access and work on them.  Work is then also responsible for backups etc.

There may well be locally synced copies even when working from the cloud, really this is a big fat "it depends."

The OP states that he works for himself, so there is no "your work's [technology] or [policy]" here.

Posted : 18/11/2025 1:58 pm
Posts: 2635
Full Member
 

Fair enough.  
Posted : 18/11/2025 2:01 pm
Posts: 8947
Full Member
 

I know it's going to be a budget question, but is buying a second device for "work" an option? That way you can buy new, get a later model TPM, choose a Windows edition that has Bitlocker support and just encrypt the nuts off that one.

You can choose to use Windows Hello with the higher-tiered editions, meaning your device will have a device certificate on it that it can use to authenticate to other services, etc. It also means you can go with a shorter PIN than the recommended (for me at least) long (12+ chars) password that lower editions have to use.

The biggest thing I recommend these days is to make sure all your accounts have some sort of MFA on them. If the service supports it, put it on. That might not help much if your laptop gets stolen, but it might minimise the risk that your FB account suddenly starts sending pr0n to your friends.

Posted : 18/11/2025 2:53 pm
Posts: 4663
Full Member
 

What's the BIOS/firmware status on your laptop? I've seen TPMs not work properly due to low edition firmware before.

Personally, I'd be sorting the hardware issues out first, then, with a OneDrive/365 subscription, I'd be enabling BitLocker. MS365 has a decent store for recovery keys, because that notepad file you think you've stored safely will be inconveniently missing at 5 mins to a meeting on a Thursday. It really is just a tick box in the OS. It's good enough for CESG consultants (now NCSC) to accept, is low overhead and is technically fully supported by MS. The whole shebang can be MFA'd by Microsoft Authenticator (ok, that bit is $hite). We had some third party tools for encryption, they're now all gone and enterprise wide we rely on BitLocker, and it's the same story across many of my customers.

Posted : 18/11/2025 5:08 pm
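As an added example (not written by anyone in this thread), a read-only PowerShell readiness check that reads the same TPM, Secure Boot, PCR7/DMA and BitLocker state that the error messages quoted above come from. It assumes an elevated prompt on Windows 10/11 with the BitLocker module available; `$OsDrive` (C:) and `$Report` (a temp file) are assumptions you can change.

```powershell
# Added example, not from any poster in this thread: read-only BitLocker readiness check
# for the situation described (Windows 11, TPM "ready" in Windows, no TPM menu in BIOS).
# Run from an elevated PowerShell prompt. $OsDrive and $Report are assumptions.
$OsDrive = 'C:'
$Report  = Join-Path $env:TEMP 'msinfo32-report.txt'

# 1. TPM as Windows sees it. A TPM can be "ready" here yet have no firmware menu;
#    SpecVersion 2.0 is what PCR7 / Secure Boot binding expects.
$tpm    = Get-Tpm
$tpmWmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
[pscustomobject]@{
    TpmPresent  = $tpm.TpmPresent
    TpmReady    = $tpm.TpmReady
    SpecVersion = $tpmWmi.SpecVersion    # e.g. "2.0, 0, 1.59" on a TPM 2.0 part
} | Format-List

# 2. Firmware boot mode. PCR7 binding needs UEFI boot with Secure Boot on; this cmdlet
#    throws on legacy BIOS/CSM boot (or when not elevated), which is itself the answer.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'unavailable (legacy BIOS/CSM boot, or prompt not elevated)' }
"Secure Boot enabled: $secureBoot"

# 3. "PCR7 not binding" and "Un-allowed DMA-capable bus/device" are the same checks
#    msinfo32 shows in System Summary; export its report and pull the relevant lines
#    instead of reading them off the GUI. (/report can take half a minute or more.)
Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$Report`"" -Wait
Select-String -Path $Report -Pattern 'PCR7 Configuration', 'Device Encryption Support',
    'Kernel DMA Protection', 'Secure Boot State' |
    ForEach-Object { $_.Line.Trim() }
Remove-Item $Report -ErrorAction SilentlyContinue

# 4. Current BitLocker state of the OS volume and which key protectors exist.
#    No RecoveryPassword protector means there is no recovery key to store anywhere,
#    which is the lock-out risk the "notepad file" remark above is about.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
[pscustomobject]@{
    VolumeStatus     = $vol.VolumeStatus        # FullyDecrypted / FullyEncrypted / ...
    ProtectionStatus = $vol.ProtectionStatus    # On / Off
    EncryptionMethod = $vol.EncryptionMethod    # e.g. XtsAes128
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
} | Format-List
if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
    Write-Warning "No recovery password protector on $OsDrive; add one and back it up off-device before turning protection on."
}
```

Nothing here changes any setting; it only reports what the BitLocker wizard and msinfo32 would tell you, so a Home-edition machine that lacks the BitLocker cmdlets will simply error at step 4.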
Posts: 6276
Free Member
 

VeraCrypt is pretty popular, but I'd be happy going for something less focused on power users(?).

If you are considering VeraCrypt then I assure you that it's easy enough with a step-by-step explanation of the options as you go.

Posted : 18/11/2025 7:13 pm