Of the rest, I’m currently testing an Acer laptop that has a fingerprint scanner but no TPM chip, and a friend has recently bought a low-cost Lenovo laptop that includes the same and has the same ommission.  Neither of my tablets have any kind of TPM and neither does my smartphone or any other smartphone or tablet that I’ve tested.

A TPM chip is one that stores encryption keys that allow you to securely encrypt the contents of the full hard disk or SSD in the machine.  The TPM chip works in conjunction with operating system solutions, most well known being Bitlocker in Windows Vista and Windows 7, to unlock those drives on a passcode, use of a physical hardware key, contactless smartcard or automatically on log-in.  They can prevent that data from ever beaing read if the operating system is reinstalled or if the hard disk is physically removed, as the encryption key is tied to the TPM chip, which is physically undetachable from its host motherboard.

On my own laptop I use Bitlocker to encrypt all my files and data and, while it’s far from perfact still, it gives me the peace of mind I need that coupled with a very strong 10+ digit Windows password, nobody but me can ever gain access to my files.

The downside of facilities such as  Bitlocker is they’re only currently supported in the Enterprise and Ultimate editions of Windows, a problem I sincerely hope Microsoft will rectify with Windows 8, as I’ve only once been sent a laptop with Windows 7 Ultimate on it, and that was the afore-mentioned Acer that didn’t have a TPM chip anyway.

Of the laptops that include fingerprint readers, I can assure you these things are pretty useless and people soon stop using them.  Also what’s the point of just having secure access to Windows when it’s still simple to pop the hard disk out and plug it into another machine.

The situation with tablets is different, most of the time anyway, with bespoke flash storage modules that can’t be plugged into another computer and where the password can only be bypassed by flashing the machine.  With Windows 8 tablets coming next year this advantage may quickly disappear though in favour of more traditional mini-SSDs with larger capacities on board.

My argument is that, certainly on laptops, ultraportables and netbooks, but also and perhaps to a slightly lesser extent, tablets, smartphones and even desktops, TPM chips should now be everywhere and encryption should be simple and intuitive if not completely automatic and seamless (as it is on some new high-end hard disks).  The amount of data we all have and carry around with us now is incredibly valuable, not just to us but also to others.  With the prices of TPM chips at an all-time low, I really can’t see why we’re not seeing ubiquity here in the way they are implemented.

The software solutions will also need to drastically improve to make them much easier to understand and use.  We can’t still be in a position a year from now though where TPM chips are still only found on high-end business laptops costing more than $1,000.

I would never recommend anybody ever use EFS however and here’s why.  I’m extremely good with backups, I tell people all the time to make sure that they have adequate backups of their files and documents and I practice what I preach.  I use Windows Live Mesh to synchronise my documents, music and pictures between my main desktop and my laptop.  My main desktop then backs everything up to a second internal hard disk and also an external NAS (Network Attached Storage) drive.  I then have a secondary NAS drive which I keep off-site which I bring back every month or so to update the backup on that.  This is the way I recommend everybody does backups; though USB hard disks are just as effective as NAS drives and much cheaper.

I’ve lost files that I’ve backed up with EFS however, not only on my own computer but also on the NAS drives.  In fact I’ve only used EFS twice in the last ten years on my own computers and on both occasions I’ve lost files and documents.  I therefore cannot recommend you ever encrypt your files with this Windows feature.

The problems occur because EFS will encrypt any file that resides on an NTFS formatted disk, the default formatting option for XP, Vista and Windows 7 and also for the vast majority of USB hard disks and some NAS drives.  Unfortunately, because of incompatibilities with some differing versions of EFS files can end up scrambled and unrecoverable.  This wouldn’t happen on a USB hard disk but I found it occur on my NAS box.  This means that if something goes wrong and you need to recover the backup from the drive, even the appropriate EFS key, that you would clearly have backed up and kept safe, won’t unlock the files.  They will simply be lost and gone forever.

There’s no way to know on what devices the EFS file scrambling will happen either.  With non-EFS supported devices, ie those that aren’t formatted with NTFS, Windows will ask if you “want to copy the files without encryption” and will decrypt them on the fly.  Unlike BitLocker however, which just encrypts the hard disk, EFS encrypted files remain encrypted when copied off the machine to another NTFS formatted disk.

There are other problems with EFS too and these include metadata.  The EFS system, for reasons I’ve never been able to ascertain, is incompatible with the metadata you add to certain file types, pictures and photographs especially.  Not only will it strip out the metadata from these files, it will modify the files in such a way as to prevent you from adding the metadata back in afterwards, effectively making the file useless to you if this is how you like to organise your photos and pictures.

All of this comes from my own personal experience and it shows how even technical experts can be caught out by hardware and software incompatibilities and faults in, seemingly secure Windows features.  I would not recommend you ever use EFS.  If you have a laptop or desktop machine with a TPM chip and a copy of Windows Ultimate or Enterprise, use BitLocker.  If not the excellent TrueCrypt is a free utility that comes highly recommended by security experts worldwide.

If you have a laptop computer with a TPM chip then using BitLocker to encrypt the content of your hard disk is a very worthwhile activity, especially for work computers where you may be carrying sensitive personal data on staff or customers, or where any data you are carrying will be subject to local data protection regulations anyway.

Bitlocker is easy to use too, you just go into the BitLocker option in the Windows Control Panel, select your hard disk(s) you want to encrypt and, if your computer has  TPM chip, turn it on.  But what atre the problems and pitfalls of using BitLocker?

Bitlocker will work very effectively and silently in the background and you won’t even realise it’s there.  This can cause problems should something go wrong with Windows and you need to either restore it from a backup, or reinstall it completely.

When you encrypt your disk with BitLocker, Windows will prompt you to store a copy of your encryption key on a USB pen Drive.  There are good reasons for this and it’s wise to keep a copy of the encryption key on that Pen Drive and keep the drive itself somewhere safe but handy.  Obviously if you’re taking a laptop out and about you shouldn’t keep the Pen Drive with you at all times where it could be stolen with the laptop, this is almost as bad as having no encryption at all.

If you need to restore Windows from a backup image however Complete System Restore in Windows will ask you for a copy of the encryption key before it can work with your hard disk(s).  It will happily look on Pen Drives and find the appropriate keys.  Without these keys the restore process simply won’t work at all, neither will any the startup repair options in Windows 7.

When you come to reinstall Windows the problems will be worse.  Before you can do this it is extremely wise to completely decrypt your BitLocker-protected drives; a process that’s probably best left running over-night.  You can create yourself all types of security problems if you try to reinstall Windows 7 over a partition that’s already encrypted, or if you wipe the original partition and recreate it and have a second partition or disk for files.

A BitLocker encrypted disk is tied to the boot loader of a Windows installation, and it is this that it looks for to check it’s not been modified before the TPM chip releases the decryption key.  It would be too easy to reinstall Windows and then find you no longer have any access to your files and data because they’re encryped and not backed up in an unencrypted form somewhere safe.

Backups are essential when you are dealing with any form of file or disk encryption, even Windows EFS (Encrypted File System) which I personally hate as it strips useful metadata out of files when it compresses them for reasons that make no sense.  You should always make sure there is at least one fully unencrypted backup copy of your files stored in a secure location.

I would also recommended keeping a copy of your encryption key in a safe location, perhaps Microsoft’s SkyDrive service.  It wouldn’t even matter here if hackers gained access to your account and downloaded the keys, as without physical access to the computer they relate to, the keys are completely useless to them.

So while BitLocker is a fantastic idea and one that I use on my own laptop paired with a fingerprint scanner, you need to be very careful when putting it into implementation.

There have always been a huge variety of hard disk wiping packages available from third-parties, but did you know that Windows 7 has it’s own free in-built tool for securely erasing, not just whole hard disks, but specific folders as well?

The cipher.exe tool has been around for years now and is used for managing the EFS (Encrypted File System) feature that preceeded Bitlocker and was first introduced with Windows 2000.  It’s run from the Command Prompt (as an Administrator).

With Windows 7 though Microsoft have added a new switch to the tool, and it’s one you should definitely use with care!

 The command is Simply cipher /w x:\folder where you would substitute x:\folder for the location you want wiped, for instance your D:\ drive or your C:\Users\Mike Halsey\Music folder.

This will write a series of 0s, 1s and then random characters to every sector of the drive or folder to securely erase the data that’s stored there.  Believe me, if you do this casually you’re not going to get your data back afterwards.

Microsoft say that this feature is here for clearing empty folders and drives that need to be erased, and it’s an excellent way to save money on expensive third-party software.

So the next time you’re upgrading your hard disk, don’t waste your money, just cipher the thing instead.

The last week however revealed that Bitlocker’s encryption after all was not as secure as everyone thought back then. Not one but two methods of attacking a Bitlocker encrypted system were revealed both even working if a Trusted Platform Module is available in the computer system.

The Fraunhofer institute discovered the first attack form which requires physical access to the computer system. It makes use of the fact that Bitlocker does carry out an integrity check of the system but not of the bootloader. The attack therefor replaces the bootloader that can record the user’s pin in unencrypted form. The system would then automatically reboot and replace the fake bootloader with the original one.

The second attack was reported by security company Passware who have added the ability to recover Bitlocker keys in a matter of minutes to their flagship product Passware Kit Forensic version 9.5. This second method requires physical access to the target computer system as well to get hold of a memory image of that computer system to run the recovery.

Both of these attacks and the methods that have been posted earlier that attacked True Crypt required physical access at some point. Two methods even required that the system is active or was active shortly before the attack for it to be successful.

True Crypt on the other hand is open source and a cross-plattform application which gives it the advantage if a user works with Windows, Linux and Mac systems.

The performance impact of both encryption software programs is neglectful on modern desktop computer systems. Netbooks, which are usually powered by Atom or Celeron cpus on the other hand, are not as powerful as desktop PCs.

I ran some benchmarks on an Atom N260 Netbook. For BitLocker, I chose three different encryption algorithms. For TrueCrypt, I chose only the fastest algorithm according to its built-in benchmark.

The results on a tested Atom 260 netbook are that Bitlocker performs better than True Crypt. The first chart shows the transfer rate in Megabytes on a system without encryption and on a computer system with either Bitlocker or True Crypt encryption. Both have a noticeable impact on the computer system.

The second chart shows the performance loss compared to a system running no encryption.

True Crypt did perform worse in the test. The author did not fail to mention on the other hand that the difference in performance was not noticeable during tests. Alexander comes to the same conclusion

As you can see, TrueCrypt performs worse. The default BitLocker algorithm (AES 128 bit with diffuser) is 12% faster. If you use the same algorithm in BitLocker and TrueCrypt, BitLocker is even faster by 14%. So switching to TrueCrypt in order to increase performance is a bad idea. But in defense of TrueCrypt I have to say that the difference is hardly noticeable; running encryption on a netbook makes it slow whether BitLocker or TrueCrypt is used.

To sum it up. Both security programs slow down netbooks noticeably but the difference in performance between the two programs is not noticeable even though it is existing. (via 4Sysops)

Microsoft has therefor created a solution for this problem by introducing the Bitlocker To Go Reader so that the data on the portable device can be read in operating systems that are not supporting Bitlocker. Microsoft’s solution is the Bitlocker To Go Reader, a software program compatible with Windows XP, Windows Vista and Windows 7 that can be used to decrypt the data on a Bitlocker encrypted removable storage device.

Bitlocker To Go Reader is added to the removable storage device when it is encrypted. The program will automatically be displayed if autoplay is enabled on the computer system when the user connects the removable storage device that has been encrypted with Bitlocker To Go. A right-click on the device and the selection of autoplay or a double-click on the drive icon in Windows are the other options to display the Bitlocker To Go Reader window.

The user only needs to enter the password the data was encrypted with to decrypt and access it on the other operating system. An alternative to encrypt file systems, removable storage devices and other data is the open source software True Crypt which we have reviewed in the past. True Crypt offers the advantage of encrypting and decrypting data not only in Windows but also Linux and Mac OS.wp-image-19416″ />

There is however a way to enable Bitlocker encryption even if the computer does not have a TPM chip. The following method will enable Bitlocker and should work in the upcoming Microsoft operating system Windows 7 as well.

• Run [gpedit.msc] by either clicking on the Windows Vista Start Menu button or by using the shortcut [Windows R]. This will open the Group Policy Editor.
• Locate the following menu: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
• Enable the Advanced Startup Options by double-clicking on Control Panel Setup to display the advanced options.
• Click on Enabled and check the Allow Bitlocker Without A Compatible TPM Checkbox.

A click on OK will enable Bitlocker on computer systems without Trusted Platform Module chips. It is from then on possible to save the Bitlocker encryption key on an external storage device like an USB stick or Flash memory card. This key is essential for accessing the encrypted partitions. There is no way of accessing the encrypted partition or hard drive if the storage device gets damaged or lost.