Russ Harvey Consulting - Computer and Internet Services

Encryption

Protecting your data

Under Attack | Encryption is Necessary | Recommendations
Encryption Principles | Encryption Software

All trademarks, company names or logos are the property of their respective owners.

A red padlock and “Encrypted” is laid over a blue background showing zeros and ones.
End-to-end encryption keeps our personal data — like photos, messages, and notes — safe from hackers, surveillance, and misuse. When data is encrypted, all stored files, photos, and backups are converted into unreadable code, accessible only with a unique key.
Mozilla Foundation
Despite recent controversies, end-to-end encryption should not be weakened, the UK's data protection watchdog has concluded — while acknowledging that some additional measures are needed to mitigate the potential harms that can stem from the privacy-protecting technology.
ZDNET

 

Encryption Under Attack

Stand up for strong encryption. It matters.

Encryption is under attack — it is now treated as criminal activity by police, governments and corporations as well as how intelligence data is shared between countries.

Ministers from the ‘Five Eyes’ countries are trying to paint encryption as a dangerous or criminal activity. But in fact ordinary people depend on the encryption built into everyday services like banking and shopping to protect our privacy and security.

 

Our ability to use the Internet safely, securely and privately is under threat. Canada wants to create 'back doors' into encryption like some of our partner countries in the Five Eyes Alliance have already done. This weakens Internet safety for all of us. If we don't act, Canada could be next. We need a policy that explicitly protects our right to encryption.
— OpenMedia

This attack is not new. While many of the examples on this page are old, the problem — and its solution — remains the same. Encryption is necessary for privacy and security as well as to protect citizens from government overreach.

Government Attacks

Government agencies have already determined that we have no right to protect our privacy.

For some reason, Western democracies like Canada, United States, Australia and Europe are leading the demand for the end of personal encryption. We're told that the FBI, R.C.M.P. and other agencies need back doors to encryption protocols (or have encryption banned altogether). Authorities state that they are only targeting terrorists or child pornographers. Such claims are, at best, deceptive. These arguments go a long ways back in time.

Our private conversations, personal data, and digital security are under attack. Around the world, governments are escalating efforts to undermine encryption — the very technology that protects everything from your messages and photos to sensitive business and banking information. These attacks are being justified under the guise of safety — but in reality, undermining encryption makes everyone less safe.
Mozilla Foundation
Democracies around the world have long recognized that electronic surveillance power in the hands of government is a threat to open societies unless it is properly regulated by an effective legal system.

 

Many countries have enacted surveillance laws, but laws on the books alone to not protect privacy. A vibrant legal system with respect for the rule of law is necessary for privacy protection in the face of ever more powerful electronic surveillance technologies.
Journal of Cybersecurity
The websites and services we trust for shopping, socializing, and learning shouldn't be tools for surveillance. Yet, a new investigation by 404 Media has revealed that ShadowDragon, a U.S. government contractor, is exploiting publicly available data from websites and services like Etsy, Reddit, Tinder, and Duolingo — to fuel mass surveillance programs for U.S. government agencies like Immigration and Customs Enforcement (ICE).
Mozilla Foundation

These agencies want every encryption protocol (if it is allowed at all) to have a “backdoor” (i.e., special decryption made available to police and government agencies). These agencies already have the capability of unlocking virtually any device.

Back Doors to Encryption Unsafe

We cannot include “back doors” to encryption protocols that only authorized government agencies can use. Any back door is a potential exploit that can be used by criminals, hackers, foreign governments or anyone else to gain access to our personal information.

What do encryption "backdoors", "ghost keys" and "client-side scanning" mean?
  • Encryption "backdoors" are efforts to allow third parties (like governments) to access messages — supposedly only for "lawful" purposes. But any so-called backdoor creates a security vulnerability that could be exploited by… well anyone.
  • "Ghost Keys" is a similar idea, and would force services to modify their software and encryption keys to allow governments or law enforcement to secretly add themselves to an encrypted conversation. This would weaken their encryption and deceive users.
  • Client-side scanning (CSS) scans messages or files on your device before they're encrypted — comparing them against a secret database of prohibited content. While often proposed to combat crimes like the sharing of child exploitation material, CSS breaks the privacy promise of encryption and opens the door to broader surveillance.
And here's the thing you should know — these methods of weakening encryption don't just make access to your personal data easier for the "good guys". Once encryption is weakened, anyone with the right tools can exploit it. That means hackers could steal personal data, people can target activists and journalists, and foreign governments could spy on citizens in their own country, and beyond.
Mozilla Foundation
If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it.

 

And while it might temporarily be a secret, it's a fragile secret. Backdoors are one of the primary ways to attack computer systems.
Bruce Schneier 2016
“We need to choose between security and surveillance,” Schneier told the summit audience.

 

It's just not possible to build electronic devices that keep data secret from everybody except, say, government officials trying to track the movements of terrorists.

 

“Everybody gets to spy or nobody gets to spy.”
Chris Baraniuk on BBC

Government Rules Compromise iCloud

When you read about nude photos and private information being stolen and posted on the Internet, demonstrates the fallacy of safe back doors to encrypted data:

So what's the difference between iCloud and the iPhone?

 

The iPhone, as DOJ puts it, is “warrant proof”, whereas the data stored in iCloud is warrant friendly, and was designed with this in mind.

 

Data in the iCloud is encrypted and heavily protected by Apple, but the encryption is escrowed in a way that Apple has complete access to the content so that they can service law enforcement requests for data.
Jonathan Zdziarski
Adding backdoors isn't so much a question of adding a secure door to the walls of a stone castle. It's like adding extra holes in the walls of a sandcastle.
Motherboard

Any backdoor can be abused by those entrusted with access:

In 2017, 22 law enforcement employees across California lost or left their jobs after abusing the computer network that grants police access to criminal histories and drivers' records, according to new data compiled by the California Attorney General's office. The records obtained by EFF show a total of 143 violations of database rules—the equivalent of an invasion of privacy every two and half days. Unfortunately, 53 violations resulted in no action being taken at all.

 

While specific information about the nature of the violations is not recorded, the Attorney General has outlined a variety of behaviors that would qualify as misuse. These include querying the database for personal reasons, searching data on celebrities, sharing passwords or access, providing information to unauthorized third parties, and researching a firearm the officer intends to purchase.
Electronic Frontier Foundation 2017

The “Terrorist” Argument Invalid

Banning encryption (or other modern communication technologies) because it could potentially be used by terrorists is unreasonable. Encryption is not the only tool used by criminals or terrorists.

Criminals have used telephones and mobile phones since they were invented. Drug smugglers use airplanes and boats, radios and satellite phones. Bank robbers have long used cars and motorcycles as getaway vehicles, and horses before then.

 

And while terrorism turns society's very infrastructure against itself, we only harm ourselves by dismantling that infrastructure in response — just as we would if we banned cars because bank robbers used them too.
Bruce Schneier

Which of these public resources should be restricted or removed?

The Child Porn Argument

The threats of child pornography being assisted by encryption is a widely-used argument. No one wants to be seen as “standing with the child pornographers.”

Child exploitation is a serious problem, and Apple isn't the first tech company to bend its privacy-protective stance in an attempt to combat it. But that choice will come at a high price for overall user privacy.

 

Apple can explain at length how its technical implementation will preserve privacy and security in its proposed backdoor, but at the end of the day, even a thoroughly documented, carefully thought-out, and narrowly-scoped backdoor is still a backdoor.
Electronic Frontier Foundation
In summary, while the Minister of Public Safety has asserted that encryption enables child predators and abusers to conduct crimes with impertinence, this position is not supported by the facts on the ground.

 

But instead of addressing existing policy deficiencies, or gathering and presenting robust evidence to support the government's position that encryption poses an intractable problem, the Minister has instead irresponsibly indicated support for weakening the communications of all Canadian residents, businesses, and government officials.
CitizenLab 2019

While encryption may slow down or place some challenges in such investigations, there are better options than weakening encryption for everyone in order to make it easier to catch a few criminals.

The Threat of “Going Dark”

Government agencies continually warn about “going dark” (losing access to data necessary to keep us safe). This blatantly untrue. Never before have governments had more access to data about our activities. We've gone from personal and business files locked in filing cabinets (requiring a warrant to gain access) to storage “in the cloud” (which sounds a lot safer than it is).

The history of the Clipper chip is instructive.

The FBI used the same arguments in 2015 about the ability of criminals to “go dark” unless a back door was included. Concerns about privacy and widespread surveillance caused it to fail. Few used Clipper because no one trusted it.

Understanding the Implications of Weaker Encryption

Most people don't understand the implications of disallowing or weakening the use of encryption to protect our data.

The R.C.M.P. were trying to take down an organized crime ring but were stymied by the criminals using encrypted Blackberry phones. So Blackberry provided the back door to let the police close down that crime ring. That provision of access to a specific set of Mafia-owned phones compromised most Blackberry users — those not on their own corporate network.

The Canadian phone maker helped police access BlackBerry messages with a key that decrypts, or unscrambles, communications sent from one phone to another, according to reports from Vice. It's essentially the encryption backdoor that companies like Apple have said they don't want to create.
CNET
According to privacy expert Christopher Parsons from Canadian security research hub Citizen Lab, the RCMP may still have the ability to read anybody's encrypted BlackBerry messages, as long as the phone isn't linked to a corporate account.
Vice

What If Police Had Total Access

What if police had permanent access to everything you own including your home, your car, your business — all without a warrant or needing to justify those actions in front of a judge. Would you feel safe?

Imagine for a moment that everybody's front door has the same key. Now imagine that the police have a copy of that key, and can saunter into your living room to poke around your belongings while you're out, and without your knowledge.
Vice

That is essentially the access to your data that a back door to encryption protocols provides, especially if there is no judicial oversight required.

Learning More

For a more in depth discussion see:

Data Encryption Moves Mainstream

Microsoft made encryption easier with BitLocker Drive Encryption and the Encrypting File System, but only for some versions. This capability can be obtained by installing third-party software. But how secure is that encryption software?

Snowden Reveals Massive NSA Access

Edward Snowden, a former contractor for the NSA, revealed that NSA has back doors into virtually all operating systems and commercial encryption software — realtime access into anybody's computer was a reality.

Terrorism Threat Exploited

Governments and corporations are using the threat of terrorism to spy on their own citizens without any independent judicial oversight. They changed the laws that protect your privacy which made such regulations ineffective.

Everything they have is a state secret, but nothing of yours is. It is this morally-bankrupt status that Snowden felt compelled to reveal. When asked questions about programs by Congress, the NSA and CIA lie, often reinterpreting standard terminology to their advantage (i.e., they feel they can collect information without a warrant and haven't broken any laws just because no one has examined it yet). They'll state that a certain code-named program “doesn't do that” without revealing that another does.

Obviously the same tactics would hardly keep you safe from legal prosecution in similar circumstances. (Can you imagine a thief getting away with claiming innocence because he hadn't yet spent the money he stole?) This makes the NSA and CIA “above the law” because it is impossible to hold secret courts accountable.

The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical. They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.
Bruce Schneier
[T]he one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection — basically, a technology that allows the agency to hack into computers.
Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World by Bruce Schneier

CIA Tools Frightening

WikiLeaks released a list of CIA Hacking Tools. Many of these are frightening, mostly because you and I are likely the target of these intrusions. The danger of maintaining these tools is no longer a theory. Several of these tools were stolen from the spy agencies and released into the dark web where cybercriminals and hackers use them to infect our computers with ransomware and other malicious software.

One of these tools is Weeping Angel which allows the CIA to hack your smart phone or smart TV and listen in on you without your knowledge or permission — even if it is turned off.

Everyone is Hacking

The assumptions that only the “good guys” are using these tools is ignorant. We now live in a world where anyone has access to these tools at the cost of both individual privacy and national security.

This has weakened the Internet everywhere as well as the attractiveness of U.S. technology overseas.

Encryption is the Only Defense

The only self defense from all of the above is universal encryption. Universal encryption is difficult and expensive, but unfortunately necessary.

 

Encryption doesn't just keep our traffic safe from eavesdroppers, it protects us from attack. DNSSEC validation protects DNS from tampering, while SSL armors both email and web traffic.

 

There are many engineering and logistic difficulties involved in encrypting all traffic on the internet, but its one we must overcome if we are to defend ourselves from the entities that have weaponized the backbone.
Nicholas Weaver 2013

SSL is no longer sufficient for email encryption (you need to use a current version of TSL instead).

Return to top

What Can You Do? Five Recommendations

Don't be fooled that your communications are uninteresting — that only the “bad guys” are targets.

“We need to choose between security and surveillance,” Schneier told the summit audience. It's just not possible to build electronic devices that keep data secret from everybody except, say, government officials trying to track the movements of terrorists.

 

“Everybody gets to spy or nobody gets to spy.”
Chris Baraniuk on BBC

The NSA is spending incredible amounts of money to ensure that it can see into your computer, compromise your network and to record your phone calls, then storing the information for later study.

In NSA surveillance: A guide to staying secure, Bruce Schneier listed five pieces of advice:

  1. Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.
  2. Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections — and it may have explicit exploits against these protocols — you're much better protected than if you communicate in the clear.
  3. Assume that while your computer can be compromised, it would take work and risk on the part of the NSA — so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.
  4. Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
  5. Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

I strongly recommend reading the entire article for the context and to understand what Schneier is saying.

Your Voice is Needed

Do your part to make the Internet a safer place by ensuring that these misleading arguments don't compromise ecommerce and your privacy by banning encryption.

These petitions sponsored by the Mozilla Foundation are a beginning:

Return to top

Encryption is Necessary

Not that many years ago, data encryption was relatively unknown to most consumers. Many realized that governments and corporations used this protection, but why did they need it?

In today's world of hacking by criminals and spying by governments, it is important that we protect our most important documents from being stolen, or if stolen, to prevent their being used to perform identity theft.

Consumers now regularly use encryption in their daily lives. Without encryption banking, credit card transactions, e-commerce and the filing of our taxes online would be unsafe.

Access to strong, uncompromised encryption technology is also critical to the economy. In a technological environment marked by high financial stakes, deep interdependence, and extraordinary complexity, ensuring digital security is of critical importance and extremely difficult.

 

Encryption helps to ensure the security of financial transactions and preserves public trust in the digital marketplace. From sensitive financial information to dating sites to health records, technology companies hold the key to the most intimate details of our lives.

 

The cost of a security breach, theft, or loss of customer or corporate data can have devastating impacts for both private sector interests and individuals' rights. Weakening the very systems that protect against these threats in order to facilitate government access would constitute irresponsible policymaking.

 

Access to strong encryption encourages consumer confidence that the technology they use is safe, and that the companies they entrust with their data will not be improperly deputized by the state.
CitizenLab 2018

Connect Only to HTTPS Sites

Only connect to sites that are encrypted with HTTPS (HTTP over TLS), especially if you're logging into a site or sharing personal information. Learn more about HTTPS…

There are still a large number of sites that have not bothered to purchase a security certificate (or use the “Let's Encrypt” free service) including some linked from this site. While many of these sites are legacy sites that are no longer maintained, a surprising number are current government or non-profit sites (e.g., BC Transplant which only enables HTTPS on certain pages).

My recommendation is that you take care in connecting to such sites based upon their reputation and whether you NEED to access information there. Be very careful when signing in and never use a credit card on a site without encryption because it is susceptible to “man-in-the-middle” attacks where your data could be stolen.

Enable HTTPS-Only Mode in Firefox and other modern browsers. This will provide a warning when visiting a site that is unencrypted.

Privacy

Encryption is necessary to protect our privacy. However, demands for a “back door” (extraordinary access) for governments or police is a massive privacy and security failure. There is no way to make such exceptions available only to the right authorities. Once the back door is compromised, everyone is vulnerable.

[A]s a technological tool, encryption is extremely important, even essential, for the protection of personal information and for the security of electronic devices in use in the digital economy.

 

Unfortunately, the crux of the problem springs from the fact there is no known way to give systemic access to government without simultaneously creating an important risk to the security of this data for the population at large. Laws should not ignore this technological fact.
Privacy Commissioner of Canada

Mozilla has a series of advocacy videos that can help you to better understand issues like privacy and encryption.

Journalists, Whistle-blowers, Dissidents

Encryption also protects those vulnerable to persecution such as those working against human rights, political and corporate abuses.

Encryption tools are widely used around the world, including by human rights defenders, civil society, journalists, whistle-blowers and political dissidents facing persecution and harassment…

 

It is neither fanciful nor an exaggeration to say that, without encryption tools, lives may be endangered. In the worst cases, a Government's ability to break into its citizens' phones may lead to the persecution of individuals who are simply exercising their fundamental human rights.
Office of the United Nations High Commissioner for Human Rights

Data Breaches Reveal Poor Security

Corporations or governments have suffered massive data breaches revealing the personal data of millions while protecting their own data with encryption.

One example is the Yahoo breach which initially reported 500 million accounts were breached in 2013. Now we know that all 3 billion Yahoo accounts were affected including Yahoo Mail, Tumblr, Flickr and Fantasy Football.

Another glaring example is the 2022 LastPass security breach. In this case the breach was caused by an employee accessing critical company data using a home computer that contained vulnerable software — essentially creating a virtual back door that was exploited by hackers.

Data Used to Be Safer

At one time most people only had a desktop computer, which is stationary and, unless you haven't secured the location, is not particularly vulnerable. Computers only left home (or the office) when going to the repair shop.

Data Locked Up

Most documents were transmitted using snail mail, courier or fax. Otherwise they were store in locked offices, often in locked filing cabinets.

Few were connected to the Internet. Those that were connected did so temporarily via a telephone modem (dialup) so online interactions were relatively brief.

Today's Connected Devices

Today's computers are always connected to the Internet when powered on and most of that software is talking to the Internet at some point whether it be to validate activation, to send analytics or simply to enable features. For example, Microsoft 365 is a cloud-based subscription product which has replaced the old office software installed from a CD.

Mobile More Vulnerable

Mobile devices (smart phones, tablets and laptops), on the other hand, are designed for mobility and therefore more likely to be used in unsecured locations at least part of the time. Today's mobile devices contain a lot of personal information — often as much as our offices and their filing cabinets used to hold. Most of these devices are continually connected to the Internet.

Every cell phone tower you pass, friend you keep, article you write, site you visit, subject line you type, and packet you route, is in the hands of a system whose reach is unlimited but whose safeguards are not.
— Edward Snowden

Mobile devices, as well as the USB-connected storage devices like the portable hard drives and thumb drives we use to backup, store and transfer data, are at greater risk for loss or theft because they are portable.

Outdated Privacy Laws Based Upon Physical Storage and Delivery

Privacy laws were developed long before the Internet was widely used. Documents were normally stored on paper in locked file cabinets (or at least not accessible without physically entering the premises). Electronic delivery was via fax machines.

The government could only legally intercept mail while in transit, even with a warrant. Email was only stored for a short time on remote servers. People would download the mail from the server onto their computers after which it was automatically deleted from the mail server.

Electronic Storage Today's Reality

Today's reality is different. Information has gone online and our data is permanently stored in massive online databases controlled by others. However the old laws haven't been updated for the twenty-first century and governments are taking advantage of that weakness to spy on their citizens by interpreting files stored online as being “in transit.”

The assumptions used by the old laws should no longer apply.

Modern operating systems like Microsoft Windows 11 and ChromeBooks store a great deal of your information online unless you change defaults. Our smartphones carry more data than we used to have in our filing cabinets at home. Your email remains permanently “in the cloud” if you're using webmail services like GMail, Outlook.com or your ISP's webmail service rather than downloading then deleting it from the server.

Mass Data Collection Easier

Bulk collection of data is much easier and less costly than ever before. Instead of having to travel to a physical location and provide a warrant to view paper documents, they are contained on a server accessible from anywhere in the world, protected only with a username (generally a publicly-known email address) and password.

So much of our lives are now lived online that today's investigative powers and technologies bear resemblance to the imaginations of science fiction authors in decades past. It is both easier to access information about individuals today than ever before and — because we generate and leave behind so much information — to retroactively determine what they were doing, with whom, where, and at what times. Such capabilities were unimaginable fifteen years ago, though they are not evenly accessible to all Canadian agencies. Many of these powers raise their own significant democratic and civil rights concerns, and constitute issues in their own right that extend far beyond the scope of this report. Nevertheless, it is undeniable that the potential investigative capacities of Canadian agencies are more extensive than at any time in history.
CitizenLab 2018

Border Searches

The rules governing border searches also predate personal computers, smartphones and online storage of our documents. Most people carried only the documents essential to their travel when crossing borders. When crossing a border, the government had the right to review any documents you had in your possession, including those in your briefcase.

Governments have abused antiquated laws that permit them to search through papers to apply to our phones, computers and online accounts (if our devices are connected to these accounts when we're searched). It is even common practice for border personnel to copy the entire contents of these devices, supposedly as a deterrent to terrorism. Your smartphone includes more personal information than anyone ever carried over any border in the past.

Encryption is the Answer

If the documents on our devices were encrypted those documents would not be easily read.

Just as an envelope prevents anyone from reading a letter while it's traveling through the mail, encryption stops snoopers from viewing the content of your emails and searches, and prevents hackers from getting access to your sensitive information.
Google

Return to top

Encryption Principles

While your computer's security software may protect your data while it is running normally, your hard drive can be removed and the data collected by placing it into another computer or by using various utilities.

Data encryption works by encrypting the files, folders or even whole drive. This protection is not dependent upon the operating system's security — it works even if someone removes your hard drive.

The Downside

However, if your drive becomes corrupted or if you lose the encryption key the data will be unrecoverable, even by you. Frequent backups become your only source of recovery in this situation and they must be physically secured to protect the previously encrypted information these backups contain.

What's Best?

Which solution is best depends upon the nature of the information on your computer and how it is used.

If you encrypt the entire drive of your laptop this ensures that all your data is safe if the computer is lost or stolen (even if the drive is removed for data extraction).

Alternatively, if only certain folders contain vulnerable information, you can simply protect those folders.

How Does It Work?

While it isn't essential to know everything about what happens when your data is encrypted, the basics will help you to implement encryption.

Drive encryption protects systems at rest, not systems in use. Thus it will protect that laptop if someone steals it from you — by preventing attackers from reading the data. But if you are using that laptop, encryption will not stop attackers from phishing your users, obtaining passwords, and gaining entry.

 

Think of BitLocker as a check box on an insurance form, not an actual protection. Thus when booting issues occur and BitLocker asks you for a recovery key, you must have a process to recover that key, then get it into the hands of users or IT staff that need it. You must replace that BitLocker key you just handed out with a new one. Don't forget that last step.
Susan Bradley

Usually encryption software requires you to login to use the encrypted information (or when opening certain folders if only specific folders are encrypted).

Once you have done this, operating the computer should be the same as it is with an unencrypted computer.

Performance

On modern computers with sufficient RAM and other resources, the overhead of running this software should be minimal. Older computers may suffer slowdowns or jerky operation if there are insufficient resources to run the encryption software properly.

Use Quality Passwords

The security of this solution is dependent upon the quality of your passwords. You should take a moment to review the qualities that make a good password and you'll want to ensure your password isn't compromised.

Return to top

Encryption Software

There are a number of good encryption solutions. Pretty Good Privacy (now owned by Symantec) was one of the original products.

EFAIL Encryption Issue

Thunderbird and AppleMail are vulnerable to the EFAIL encryption vulnerability giving the attacker access to your encrypted emails. Learn more… The solution is to turn off internal encryption and use external encryption.

Back Doors are Dangerous

Cryptkeeper Vulnerable

Cryptkeeper's vulnerability is a simple back door that unlocks everything without knowing the user's decryption key.

The Linux encryption app Cryptkeeper has a rather stunning security bug: the single-character decryption key "p" decrypts everything.
Bruce Schneier

The revelation of a simple back door shows why it is a mistake to accept government agencies' demands for such access. While these back doors would surely be more sophisticated, once they are revealed or exploited they make us all vulnerable even if the security failure is suddenly widely reported and corrected.

Governments Weaponized Vulnerabilities

Government agencies collect such software vulnerabilities as weapons and software vendors remain silent about known weaknesses hoping that they'll remain unknown. Such assumptions have too often proved wrong and long-known vulnerabilities have been exploit by both criminals and foreign governments. Everyone would be better off if the software was fixed before problems occurred and before vulnerabilities became public.

Folder Encryption Solutions

SafeHouse Explorer

SafeHouse Explorer is a free encryption solution for disks and memory sticks.

Cypherix

Cypherix has a number of products including corporate solutions.

WinMagic Encryption Solutions

WinMagic provides simple and seamless security that protects data and people without getting in the way.

Drive-Encryption Solutions

TrueCrypt

TrueCrypt is no longer secure and has been discontinued.

You should choose another encryption solution and are free alternatives to TrueCrypt, but you should investigation potential problems with any solution and follow vulnerability reports.

Bitlocker

As mentioned earlier, Bitlocker is not recommended by Bruce Schneier (see recommendation 5) because it is more likely to have a NSA back door:

[I]t's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered.

FreeOTFE

FreeOTFE is a discontinued free, open source, "on-the-fly" transparent disk encryption program for PCs and PDAs that allows you to encrypt the entire drive.

Return to top

More About Encryption

These sites have useful information on encryption:

Related Resources

On this site:

Found this resource useful?
Buy Me A Coffee

 

Return to top
RussHarvey.bc.ca/resources/encryption.html
Updated: May 2, 2025

Copyright © 1996– | Privacy | Navigation | RHC Design