Lockdown: How to secure your PC without going crazy
Good digital security inevitably requires some hassle, but the size of that headache is really up to you. If you’re someone who wants to go all out with 64-character passwords, no Facebook account, and a second laptop that never connects to the Internet, because it houses all your deep, dark secrets, well, this guide is not for you.
This is a guide for practical folks. People who want a healthy amount of PC security (perhaps motivated by ongoing revelations about the National Security Agency and its surveillance activities), but with a minimum of hassles such as dealing with key fobs for two-factor authentication, juggling complicated passwords, and setting up email encryption. We can’t promise you a completely pain-free experience, but we will show you how to get up and running with a pretty good security setup that keeps your passwords, email, hard drive and sensitive USB drives as secure as possible without going overboard.
A strong password is the first, best line of defense
Good computer security and privacy begins with strong passwords. Sure, there are serious criticisms about how online services use passwords, and Apple may be trying to take biometrics mainstream with TouchID on the iPhone 5s, but for now passwords are still the best solution we have for keeping third parties away from our data.
The problem with passwords is that they should really be random, unique, and relatively long to be of any use. That’s where password managers come in: These programs help you generate random passwords and store them securely, allowing you to remember just a handful of gnarly 10-character random passphrases instead of 15 or 20.
KeePass and LastPass are both good, free password managers that are worth your time. KeePass is popular because it’s open-source, and it has a few nice features, like keylogging obfuscation and secure notes.
The problem with KeePass, however, is that it doesn’t have an online component to sync passwords across devices. That means you’d have to create a cloud sync setup yourself using Dropbox or another cloud storage service. You can read more about how to do that with our look at the third-party utility Dropbox Folder Sync, or by perusing the KeePass plugins library.
Another good alternative—and my personal favorite—is LastPass. Like KeePass, LastPass offers password generation and encrypted notes, but it also syncs your encrypted password database to the cloud so you can access it across multiple devices.
LastPass is available as a free browser plug-in, and you can also use the LastPass mobile app for $12 per year. Read all the technical details on the LastPass website.
Password managers are a relatively personal choice and will depend largely on your own needs and what level of trust you’re willing to put in a commercial company like LastPass or newcomer Dashlane.
Most of us prefer to use Web-based email apps like Gmail, because it’s faster and much easier to open a Web page than to fire up a desktop app. But when you need to keep your email private from prying eyes, an old-fashioned email desktop client combined with OpenPGP public-private key encryption is the way to go.
Email travels across the Internet as plain text by default, which means a determined snooper could intercept and read your message. Encryption helps combat this by making it nearly impossible for anyone but the recipient to decode your message. OpenPGP is an excellent open-source encryption system you can use to send encrypted email. Problem is, you can only encrypt email to people who are also using an implementation of OpenPGP. So if you plan on swapping ciphered mail with someone, make sure they are set up for this as well.
Encryption is also only as secure as the people using it. If someone decrypts your mail, copies it as plain text and forwards it on to someone else, the effectiveness of your encryption is broken. Malware can also ruin encryption by snatching data in a decrypted state. So remember that while encryption is definitely more secure than plain old email, it is not foolproof.
Finally, keep in mind that email metadata is never encrypted. So you won’t be able to hide the subject line or the email address of the person you’re corresponding with.
The first step is to download and install the Mozilla Thunderbird email client for the account you want to use for encryption and email signing. Thunderbird has a plug-in that makes it particularly easy to set up OpenPGP. (PGP’s inventor also recommends HushMail.) Next, download and install the OpenPGP key management software Gpg4win.
Creating your own key pair
Start Thunderbird, click the menu icon in the far right corner, and select Add-ons. In the next window that opens, search for
Enigmail and click Install. After Enigmail installation is complete, shut down Thunderbird and then open the program again.
Now you’ve got all the tools you’ll need to create your own key pair. Go back to the menu icon in the far right corner and select OpenPGP > Key Management.
When the Key Management window opens, select Generate > New Key Pair.
Now we’re just about to generate our first encryption key pair. Most of the default settings in this window should be fine. However, I would highly recommend creating a passphrase for your keys. If you don’t and one day Thunderbird decides to ask you for a password even though you don’t have one (it happened to me), you’ll be heading for a world of frustration.
When you’re ready to enter the fabulous world of OpenPGP email, click the Generate key button. After a few minutes, your key pair will be ready.
Once your key pair is done, Enigmail will suggest you create a revocation certificate. This is an extremely important step that I suggest you take: A revocation certificate is a simple file with the .ASC extension that you can use to invalidate your keys, should you forget your password or lose control of your computer.
Best practices say you should save the certificate to a USB thumb drive and then keep that thumb drive in a safe place.
Now that your key pair and revocation certificate are ready, you need to let the world know you’re accepting encrypted email. The best way to do that is to upload your public key to a keyserver where other users can find it—it’s sort of like a phone book for security-minded people.
To do this, open the Key Management window again—if it isn’t already open—and select Keyserver > Upload Public Keys.
By default, Enigmail will suggest you upload your key to “pool.sks-keyservers.net.” That should be fine, since this isn’t actually a keyserver at all, but a hub that pools its database with multiple keyservers.You can change this by clicking on the drop-down menu. Another option, for example, is to upload directly to MIT’s keyserver.
You could also publish your public key on a personal website, Tumblr, or blog. To copy your public key, go back to the Key Management window, make sure the Display All Keys by Default checkbox is marked, and then highlight your email account once it appears. Next, right-click and select Copy Public Keys to Clipboard.
So you’ve generated a new key pair and published your public key. Now it’s time for a test run by sending a signed email to Adele, the friendly OpenPGP email robot.
Hold down the shift button on your keyboard and then click on the Write button in the top left side of Thunderbird. This will open a new message window without any HTML formatting. Adele can only handle plain text, so bold headlines, italics, and embedded links are out. In fact, for simplicity’s sake, it’s always easier to create encrypted email as plain text.
Next, fill out Adele’s email address, which is firstname.lastname@example.org. Create a subject line and message body with whatever you’d like to say. Then click the OpenPGP menu option, and make sure that only the “Sign Message” and “Attach My Public Key” options are selected. Hit Send, enter your password, and you’re done. In a few minutes, Adele should send you a reply to confirm whether your signing was successful.
Once Adele gives you the okay, you are ready for the world of encrypted email.
Encrypting your storage drives
Securing your email is great, but it won’t do you much good if anyone can get into your computer or external drives without much hassle. That’s where encryption for your storage drives comes in. One of the best tools you can use for this is the open-source solution TrueCrypt. In this example, we’ll show you how to encrypt a USB drive. Once you’ve got this method figured out, encrypting your entire hard drive isn’t substantially different—although it does involve a few extra steps.
First things first: Download and install TrueCrypt, then grab a USB drive you want to encrypt. Start TrueCrypt, then click the Create Volume button in the app’s main window. On the next screen, choose “Encrypt a non-system partition/drive” and click Next.
For the third step, select “Standard TrueCrypt volume” and click Next.
Now you have to find the volume to encrypt: Click Select Device, and a scary looking pop-up window will appear with a list of all the storage devices connected to your PC. It may look confusing, but just concentrate on the row to the right, which lists the storage capacity of each drive. That way you can’t go wrong by mistaking your 1TB external hard drive for a 4GB thumb drive.
In this case, we’re looking for the 2GB flash drive at the bottom of the list. Once you’ve selected the drive, click OK and then Next. Now TrueCrypt wants to know how you’d like to create your encrypted storage. By default, it should say “Create encrypted volume and format it.” This will erase all the data on your USB drive.
TrueCrypt is now going to show you the encryption and hash algorithm options for your locked-down device. The defaults are fine in this case. The final screen you’ll see shows the USB thumb drive’s storage size. As long as it’s reasonably close to the size of your USB drive, click Next once again.
Now, it’s time to create a password. If you choose a password with less than 20 characters, TrueCrypt will warn you that it isn’t secure. You can use a 20-character password if you want, but do you really want to enter a 20-character password every time you load a USB drive? Probably not.
Finally, we’ve made it to the last stage, where TrueCrypt begins creating a random number pool to encrypt your device. Move your mouse around in the window as randomly as you can for a few seconds to help TrueCrypt generate its encryption data, then click Format.
A few minutes later, you’ll have your encrypted drive.
Now you’ve got your encrypted USB drive, but to store data on it you’ll need to mount it with TrueCrypt. Go back to the primary TrueCrypt window. From the main menu at the top select Volumes > Select Device and choose your USB drive from that same technical window we saw earlier.
After that’s done, come back to the main window and select any of the drive letters you see. Personally, I always like to choose “X:”, but maybe you’re more of a “W:” or “Q:” person. It doesn’t really matter, just pick a drive letter that’s blank and then click Mount.
TrueCrypt will now ask you for your password, and that’s it. Your TrueCrypt volume is ready to use. Open up Windows Explorer, and you can use this thumb drive just as you normally would.
The only difference is that without a copy of TrueCrypt and your password (assuming it’s a strong, random password) it’s extremely unlikely that anyone would be able to read your data.
Wrapping up the crypt
Once you’ve set up your basic cryptography, you can expand your knowledge and try some advanced techniques. You could learn how to use Gpg4win to encrypt individual files, or transfer your PGP encryption keys to a second PC. How about creating a hidden operating system with TrueCrypt?
Cryptography and digital security can be complicated, but once you understand the basics of cryptographic tools, you could find all kinds of interesting uses for them.
LastPass generates passwords, plus syncs its encrypted password database to the cloud.