What tool can encrypt a laptop's data instantly when it's closed, and how do you set it up?

sebastian

Jan 8, 2009
I watched a TV show last night about a business owner in India who travels around Europe selling illegal medicine. When he was caught at London airport, he was sitting with his laptop but managed to close it.

At that moment, the entire machine was encrypted with 32-bit encryption, as they said in the show, and neither the police nor MI5 could open the computer without his password, which they never got.

What tool is that, and how do you set it up so that it locks the computer and encrypts all data the moment you close your laptop?
 
I watched a TV show last night about a business owner in India who travels around Europe selling illegal medicine. When he was caught at London airport, he was sitting with his laptop but managed to close it.

At that moment, the entire machine was encrypted with 32-bit encryption, as they said in the show, and neither the police nor MI5 could open the computer without his password, which they never got.

What tool is that, and how do you set it up so that it locks the computer and encrypts all data the moment you close your laptop?
That's just standard encryption. While powered on, it's decrypted; as soon as it's powered off, the HD is encrypted again. 32-bit is not enough, though.
 
It comes built into most operating system nowadays. Windows BitLocker, Mac FileVault, and for example encrypted LVM for Linux. Check your system settings to see if it's already enabled. If not, enable it.

As long as you don't give them the key (password or whatever else you may use), your data is irretrievable from that device. Unless you're a very high profile target. If you have a persistent, real, and skilled threat, you might need to venture beyond what's built into your operating system.

In many cases when encryption is "broken", the data is just retrieved from another (often less secure) source. Approach security holistically, not just targeted at specific devices.
 
business owner in India who travels around Europe selling illegal medicine
Foolish move! Big Pharma doesn't care about encryption. They'll put him away without ANY evidence. I've seen it happen hundreds if not thousands of times. The Minnesota Attorney General investigated this ... and he got "sacked." Read this again: The Attorney General of a state in the USA. He got "sacked."

Source: Follow the money : the pharmaceutical industry : the other drug cartel. Minnesota Edocs: State Government Publications - Minnesota Legislative Reference Library

The "indictment" (if Big Pharma was weak): https://www.lrl.mn.gov/docs/2004/other/040640.pdf

Do NOT f*ck with Big Pharma, and if you do, your OPSEC has to be hermetically sealed! ;)

PS. Follow @Sols advice. If you really want the best uncrackable one, Google "the one-time pad." I apply it, but there is NOTHING...even if they crack it with my key. I use it as a decoy! One never knows if they'll pull out "waterboarding decryption keys". It is at this moment that you need to hand over those "keys."
 
I watched a TV show last night about a business owner in India who travels around Europe selling illegal medicine. When he was caught at London airport, he was sitting with his laptop but managed to close it.

At that moment, the entire machine was encrypted with 32-bit encryption, as they said in the show, and neither the police nor MI5 could open the computer without his password, which they never got.

What tool is that, and how do you set it up so that it locks the computer and encrypts all data the moment you close your laptop?

Encrypting entire machine with 32 bit encryption sounds like a TV presenter's understanding of the topic stemming from watching Impossible mission sequels :rolleyes:

More plausible is that they referred to a 32-byte key length, which is equal to 256 bits - an industry standard for AES, for instance, as stated

That's just standard encryption. While powered on, it's decrypted; as soon as it's powered off, the HD is encrypted again. 32-bit is not enough, though.

Whilst there are mechanisms for instant encryption, they're mostly used during initial set-up, such as RAID encryption, SED and some flash memory drives.

macOS may be comfortable, but I would not use it as well as anything Microsoft.

Somebody proposed encrypted LVM for Linux, which means LUKS. LUKS on LVM is not private as it gives away the storage layout, whilst LVM on LUKS is more comfortable and private, though not for every scenario.

That particular set-up means the block device is encrypted with a single passphrase/keyfile for the LVM (logical volume management) group and its volumes. A better option is to have two LVM groups - one for mounting /home encrypted on one block device and another for everything else under rootfs. If your threat model assumes some exotic characters, you may add filesystem encryption for /home (same nomenclature for macOS and Linux distributions).

As for triggering the wanted behavior, pay attention that different system states - screen locked, suspended to RAM, hibernated to disk, powered off - imply different security levels. Power and screen locking options are the ones you should be looking for in any O/S.

The highest effective security will be achieved if the (laptop) system is powered off when the lid is closed - in that case both the (LUKS) decryption passphrase and user authentication are entered every time the system boots. If you put UEFI passwords before bootstrap to O/S and disable external boot
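As an added example (not from anyone in the thread): on a systemd-based Linux laptop the lid action lives in systemd-logind, and the script below audits the effective `HandleLidSwitch` setting and installs a drop-in that turns lid close into a full power-off, the state in which the LUKS key is no longer held in RAM. The config and drop-in paths are parameters so it can be tried against a scratch directory first; the drop-in file name `90-lid-poweroff.conf` is my choice, not a fixed convention.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes systemd-logind, whose lid
# policy comes from /etc/systemd/logind.conf plus /etc/systemd/logind.conf.d/*.conf.

# Print the effective HandleLidSwitch value. Later files override earlier
# ones, as logind reads them; the compiled-in default is "suspend", which
# keeps the disk encryption key resident in RAM.
lid_policy() {
    conf="$1"; dropin_dir="$2"; value="suspend"
    for f in "$conf" "$dropin_dir"/*.conf; do
        [ -f "$f" ] || continue
        # Only an uncommented "HandleLidSwitch=" line counts; the last one wins.
        v=$(sed -n 's/^[[:space:]]*HandleLidSwitch=[[:space:]]*//p' "$f" | tail -n 1)
        if [ -n "$v" ]; then value="$v"; fi
    done
    printf '%s\n' "$value"
}

# Install a drop-in that powers the machine off on lid close whether it is
# on battery, on external power, or docked to an external display.
write_lid_dropin() {
    dropin_dir="$1"
    mkdir -p "$dropin_dir"
    cat > "$dropin_dir/90-lid-poweroff.conf" <<'EOF'
[Login]
HandleLidSwitch=poweroff
HandleLidSwitchExternalPower=poweroff
HandleLidSwitchDocked=poweroff
EOF
}

# On a real system (as root):
#   write_lid_dropin /etc/systemd/logind.conf.d
#   systemctl restart systemd-logind
#   lid_policy /etc/systemd/logind.conf /etc/systemd/logind.conf.d
# After that, every lid close ends in a cold boot that asks for the LUKS
# passphrase again, and "cryptsetup isLuks /dev/<device>" confirms the
# root block device actually carries a LUKS header.
```

Hibernate is not an equivalent substitute here: the key leaves RAM, but a swap image that is not itself encrypted would then hold the page contents.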
 
can you set that with all laptops ?
Yes (unless the sensor is broken, which can happen when you drop a MacBook on the floor). I think this is also the only safe way, as technically it would be possible to extract the decryption key if you just lock the computer.

I mean if you encrypt your hard drive, it remains encrypted all the time. But when you log into Windows, the TPM releases the decryption key, allowing you to access your data. It will remain in the memory as long as you are logged in. Hence, you will need to ensure to use a secure password and ensure that the data is on the encrypted partition / folder. C:\ won't do it.
 
Cryptography is for sissies.
Real men use this: Patent for secure erasing of data

Ps. I decline responsibility for any damage that may occur from sitting on the activated device.

May be a good solution for some remote actions ;)

Sounds like something that you only see in movies. What I can think of is that the laptop shuts down when the screen is closed and then the entire system is encrypted. That would be VeraCrypt but I haven't used it in 10 or so years and I don't know if it's still a thing.

TrueCrypt and its successor VeraCrypt are Microsoft Windows oriented. The nominal advantage is an ability to encrypt/decrypt running system. But, compared to integrated macOS and Linux encryption tools, it's far inferior to them.

VeraCrypt is a tool that has some superior solutions compared to any other - offering not only AES (RijnDael) but other cryptographic primitives as well and chaining them in a cascade (multiple encryption).

veracrypt is a good conservative solution which is a bit more resource consuming
modern NVMe SED drive and use of sedutils before OS installation is the best choice in my opinion (unless one doesn't trust the vendor...)

Yes, resource intensive on Linux as it's creating another overlay fs via FUSE. The main issue is that system encryption is available only for Microsoft Windows - for other O/S only non system volumes can be encrypted.

Considering that, LUKS is more efficient and integrated solution on Linux and for BSD derivatives, a native ZFS encryption may be used.

Vendor should not be trusted for SED.

can you set that with all laptops ?

Yes (unless the sensor is broken, which can happen when you drop a MacBook on the floor). I think this is also the only safe way, as technically it would be possible to extract the decryption key if you just lock the computer.

I mean if you encrypt your hard drive, it remains encrypted all the time. But when you log into Windows, the TPM releases the decryption key, allowing you to access your data. It will remain in the memory as long as you are logged in. Hence, you will need to ensure to use a secure password and ensure that the data is on the encrypted partition / folder. C:\ won't do it.

It's controlled by O/S. For proper operational security, screen locking and suspension to RAM shouldn't be used as keys are stored in RAM. Only complete power cycle - with UEFI passwords - will achieve proper margin.
 
The highest effective security will be achieved if the (laptop) system is powered off when the lid is closed - in that case both the (LUKS) decryption passphrase and user authentication are entered every time the system boots. If you put UEFI passwords before bootstrap to O/S and disable external boot
#Bingo! 100% this!

I wrote something along these lines here:

Source: Do you still trust Proton Mail ? ? ?

@mraleph and @0xDEADBEEF and someone else (I can't remember the person now - be glad... the more I forget, the better the person is protected...no amount of waterboarding can make me remember something I don't know) could probably collaborate and do a "how to" on this subject in the Mentor Group.

I, frankly, have been doing this for so long that I have a hard time articulating or explaining it. Sometimes, I can't even explain it to myself.

I think it can be of utmost importance for the forum if everyone becomes an impossible target. Nothing bothers the leeching scumbags more than NOT being able to justify stolen funds (they call it taxpayers' contributions, BTW) and NOT having anything to show for it. It's akin to spending their budget on the Powerball lottery but purchasing the numbers between 80 and 99. :cool: (IYKYK).
 
#Bingo! 100% this!

I wrote something along these lines here:
Source: Do you still trust Proton Mail ? ? ?

@mraleph and @0xDEADBEEF and someone else (I can't remember the person now - be glad... the more I forget, the better the person is protected...no amount of waterboarding can make me remember something I don't know) could probably collaborate and do a "how to" on this subject in the Mentor Group.

I, frankly, have been doing this for so long that I have a hard time articulating or explaining it. Sometimes, I can't even explain it to myself.

I think it can be of utmost importance for the forum if everyone becomes an impossible target. Nothing bothers the leeching scumbags more than NOT being able to justify stolen funds (they call it taxpayers' contributions, BTW) and NOT having anything to show for it. It's akin to spending their budget on the Powerball lottery but purchasing the numbers between 80 and 99. :cool: (IYKYK).

Computing device without battery and permanent/persistent storage may not be a reasonable solution. Encryption can be ultimate protection - LVM on LUKS outside and fs encryption for specific volumes.

Networking is a problem - whatever standard or technology is used - the NIC has unique identifiers, and obfuscation on that level should be done. Yes, the MAC address can be changed and even the IMEI/MEID spoofed.

But, activities should be segregated by virtual instances with separate networking options.

First and second network hop should always be under your control - afterwards, you may use any commercial or open-source tools - any VPN and TOR.
 
At that moment, the entire machine was encrypted with 32-bit encryption, as they said in the show, and neither the police nor MI5 could open the computer without his password, which they never got.
So none of you guys who know better than me think that this is possible? There is no encryption that MI5 can't break if they want? I'm asking because I'm curious.

My trust still is in Veracrypt but I read here it isn't that safe.
 
So none of you guys who know better than me think that this is possible? There is no encryption that MI5 can't break if they want? I'm asking because I'm curious.

My trust still is in Veracrypt but I read here it isn't that safe.

VeraCrypt is safe. But it can't be used for boot and system volume encryption on Linux, macOS and BSD derivatives. Its current limitation is usage for either Microsoft Windows FDE (full disk encryption) or non-system volume encryption on other O/S.

Modern cryptography is based upon mathematical problems that require significant computational resources. Not even the NSA and GCHQ can readily solve them. What is done is that cryptographic implementations are perfidiously bad and flawed, but not the actual primitives. The state of the art will be degraded when quantum computation becomes available - but only asymmetric encryption will probably be broken.
 
Okay, then I read it right in a book about Panama Papers - and it is still a good way to encrypt partitions on a hard drive which you don't want anyone to see if they don't have the password.

But you're right, it can't be used for the purpose the OP asks for.
 
Okay, then I read it right in a book about Panama Papers - and it is still a good way to encrypt partitions on a hard drive which you don't want anyone to see if they don't have the password.

But you're right, it can't be used for the purpose the OP asks for.

VeraCrypt's volumes are great for inline encryption - after LVM on LUKS - for partitions and data that needs additional margin.

Microsoft and Apple products, no :rolleyes:
 
First and second network hop should always be under your control - afterwards, you may use any commercial or open-source tools - any VPN and TOR.
This is an invaluable tip and something anyone seeking maximum privacy should consider. Controlling at least 2-3 hops helps mitigate the risk of your VPN provider or any Tor entry node tracing your original IP. If they try to track your connection, they'll be lost by the potential number of ephemeral connections used.

But let me say something else, and I cannot stress this enough: do not travel with sensitive data on disk. As @jafo has mentioned before, once authorities start bringing the big guns and force you to hand over any keys, it's much better to have nothing on your disk. If data is really needed, just transfer it at destination.

@wellington mentioned that he was 'frisked' at an airport, and fortunately, all important documents were stored elsewhere. Otherwise, his competitive edge could have been compromised. So, always store personal and sensitive data in an environment you control.

Use LUKS for encryption and be ready to overwrite your headers in case of an emergency. By googling this you will find out that this can be automated with basic shell scripting. If you want to encrypt files/directories I can also recommend gocryptfs, but only use those kinds of solutions after you have got FDE in place, as already mentioned by @mraleph .
 
for 95% of cases SED drive is the right solution - totally transparent and efficient, no expertise needed

for serious use (intellectual property protection, strategic business information, investigative/political stuff, and criminals of course...) on Windows I would add Veracrypt on top of SED as it supports cascaded encryption algorithms and hidden volumes for plausible deniability

on Linux ZFS would be my choice number one

I would never touch an Apple product
 