Every now and then we read in the news that a celebrity (or politician) has accidentally shared a nude selfie (or worse, had their nudes leaked). In light of a certain celebrity accidentally showing his ‘captain’ to America (and the rest of the world) a couple of weeks ago, I figured it’s a good time to write a how-to piece on securing information on your computer.
I’m not going to wade into the morals of having nudes on your devices, “you do you”, as it were. I’m also not going to go into managing your mobile phone pictures, suffice to say that most operating systems have a “Hidden” gallery – be sure to use that… The fact of the matter is, we all have some kind of information we want to keep securely, be it financial, confidential, business, identity related, or, *ahem* otherwise.
At the very least, you want to use secured containers on your computer for the eventuality that your laptop / computer / hard drive needs to go in for recovery or repair. My career started out in desktop support and retail computer repairs, and I can tell you that there are unscrupulous technicians out there that do not think twice about going through your hard drive to see what’s there (I have also seen technicians fired and prosecuted for copying files off computers in for repairs). You need to operate under the thought that someone with low ethics will at some point have access to your computer, and then what?
Now I’m not talking about Full Drive Encryption (also known as FDE). In this article I’m going to talk about containers. FDE is great in terms of theft, but if someone has access to your computer (like a technician) and they have your password, FDE is pretty redundant. Containers, on the other hand, are effectively encrypted folders on your computer that need to be unlocked separately to anything else on your machine.
I’ve included instructions on Windows’ BitLocker, and Mac’s encrypted images. In principle, both methods are identical; it’s just the steps that change. If you’re running Linux, I’m going to make the bold assumption that you are technically proficient enough to create your own encrypted containers already…
Creating a container with Windows Pro (BitLocker)
The following instructions are specific to creating a container in Windows 10 Professional edition, however, you can use the container on Windows Home after the fact. Also, most of this instruction set takes place in Disk Management, which can do some serious harm to your partitions if you select the wrong things – I accept no responsibility for your partitions or actions in this console…
Open Disk Management by right clicking on the Windows Start icon, and selecting “Disk Management”
In Disk Management, select the “Action” menu, and then “Create VHD”. This creates a virtual hard disk on your current drive in the form of a VHDX file.
In the window that opens, select a location to store your virtual drive and set the size of your drive according to what you need to store. Change the format to VHDX, and select Fixed Size or Dynamically Expanding.
Fixed size means that the file will immediately fill the full size that you specified above. This offers higher performance than a dynamically expanding drive, and I’d recommend this option for encryption. You can select Dynamically Expanding if you like; this means that your container will expand up to the size specified. This makes it easier to copy across devices, but has a performance knock. I’m also skeptical about the reliability of running encryption within a dynamically expanding container.
You’ll see that a new disk appears in Disk Management as “Unallocated”.
Right click on the disk number on the left, and select “Initialize Disk”.
GPT partitioning should be the default, and that is just fine. Select “OK” in the initialise disk window.
You’ll notice that the disk changes to “Online”. Right click on the “Unallocated” section, and select “Create New Simple Volume…”
Follow the wizard with all the default settings to create the volume and map it to a drive letter. Once your container is mapped to a drive letter, you can close Disk Management (phew).
Now, head on over to “This PC”, and you’ll see a new drive has appeared. This is your encrypted container. We now need to encrypt it. You will need a separate unencrypted drive or flash disk for this next part, or a Microsoft account to save your recovery key.
Right click on the new container (in my case, E:), and select “Turn on BitLocker”.
Select “Use a password to unlock the drive”, and enter a password of your choice. Please ensure this is a secure password, and specifically NOT a password you have used for anything else. If you make this password the same as your Windows login, you’ve totally defeated the point of the encrypted container. Select “Next”.
When prompted to save your recovery key, you can print, save it to a file, or to a Microsoft account. I’d suggest saving to a file or your Microsoft account. You cannot save this file to an encrypted disk, so it’s likely you’ll need a flash drive to complete this step. Select Next once you’ve saved your recovery key. Do not lose this! You will not be able to recover your encrypted container without it (if something goes wrong).
Follow the subsequent wizard as follows: select “Encrypt used disk space only”, select “Next”, select “New encryption mode” (unless you want to access this disk from older versions of Windows), then click “Next”. Finally, select “Start Encrypting”.
Once encryption completes, you’ll have an encrypted drive in “This PC” (showing a small padlock). From here you can copy files to and from the drive.
Once you have completed your copies, you can detach the drive by right clicking on it and selecting “Eject”.
To reconnect the drive in future, go to the file you created right in the beginning of this instruction set, right click, and select “Mount”.
It will give you an error – this is because the disk is encrypted and can’t automatically open. At the same time, you’ll get a password prompt on the top right of your screen to unlock the drive where you can enter your password. Once entered, the drive will open automatically.
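The same steps can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original instructions: the container path, size, volume label and recovery-key location are assumed values, and XtsAes128 is used as the command-line counterpart of the wizard's “New encryption mode”.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values: change paths, size and label before running.
$VhdPath      = 'C:\Containers\private.vhdx'   # where the container file lives
$SizeMB       = 2048                            # container size
$Label        = 'Private'                       # volume label
$RecoveryFile = 'F:\private-recovery-key.txt'   # unencrypted flash drive

$ErrorActionPreference = 'Stop'
if (Test-Path $VhdPath) { throw "$VhdPath already exists; refusing to overwrite it." }
New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null

# "Create VHD": fixed-size VHDX (format is taken from the .vhdx extension).
$dpScript = Join-Path $env:TEMP 'create-vhdx.txt'
"create vdisk file=`"$VhdPath`" maximum=$SizeMB type=fixed" |
    Set-Content -Path $dpScript -Encoding ASCII
diskpart /s $dpScript | Out-Null
$dpExit = $LASTEXITCODE
Remove-Item $dpScript
if ($dpExit -ne 0) { throw "diskpart failed with exit code $dpExit." }

# Attach, "Initialize Disk" (GPT), "New Simple Volume", format, assign a letter.
Mount-DiskImage -ImagePath $VhdPath | Out-Null
$diskNumber = (Get-DiskImage -ImagePath $VhdPath).Number
Initialize-Disk -Number $diskNumber -PartitionStyle GPT
$part = New-Partition -DiskNumber $diskNumber -UseMaximumSize -AssignDriveLetter
$part | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label | Out-Null
$mount = "$($part.DriveLetter):"

# "Turn on BitLocker" with a password that is NOT the Windows login password.
$pw = Read-Host -AsSecureString "Password for $mount"
Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes128 -UsedSpaceOnly `
    -PasswordProtector -Password $pw | Out-Null

# Recovery key: add a recovery password and save it OFF the container.
$vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object RecoveryPassword | Set-Content -Path $RecoveryFile

# Confirm the result before copying anything in.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus

# Later: "Eject" and re-"Mount" from the command line.
#   Dismount-DiskImage -ImagePath $VhdPath
#   Mount-DiskImage -ImagePath $VhdPath
#   Unlock-BitLocker -MountPoint $mount -Password (Read-Host -AsSecureString 'Password')
```

Check that `ProtectionStatus` reads `On` and `VolumeStatus` reads `FullyEncrypted` before trusting the container with anything sensitive.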
Creating a container with Mac Catalina
As with Windows, this instruction set takes place in Disk Utility, which can do some serious harm to your partitions if you select the wrong things – I accept no responsibility for your partitions or actions in this console…
To access Disk Utility, open “Finder” and select “Applications”. Within “Applications”, open “Utilities”, and then “Disk Utility”.
Once Disk Utility has loaded, you need to select the “File” menu, then “New Image” > “Blank image”
Mac OS is great, in that everything you need is self-contained in one window. In the new image window, enter the file to save as, where you wish to store the container, what you wish to name the container, the size you wish for it to be, and the format. Mac OS Extended should be just fine.
In the last section, change Encryption from “none” to “128-bit AES encryption (recommended)”. As soon as you do this, you will be prompted for a password. Do not lose this password, and do not make it the same as your login password (that defeats the point of the whole exercise).
Once you have chosen your password, select “Save”. A DMG file will be created in the location that you chose. To mount the container, open it as you would any file, and a password prompt will appear. On entering the password, the container will mount and display on the desktop / in Finder. I would not recommend saving the password to keychain.
You can now copy files to the container! Once you are done, control-click on the container, and select “Eject [name]”.
And that’s a wrap!
We all have files that we need to protect, and there are folks out there that would like to get hold of your files. Make no mistake, files have value, even if just for ‘extortionary’ means. Celebrities have had hard-drives cloned, files removed, and been blackmailed by the perpetrators. This also happens to individuals. Protecting your most precious files in secure containers can really help in the event that your computer has to be out of your hands for an upgrade or repairs. Wherever possible, I would recommend completely wiping your device (be it mobile or otherwise) before handing over to technicians. Restoring from a backup is much less hassle than dealing with blackmail.