Review: TrueCrypt, PGP, FreeOTFE, BitLocker, DriveCrypt, and 7-Zip

These encryption programs provide exceptionally reliable real-time (on-the-fly) encryption to keep data secure and to guard against loss, theft, and spying. Few IT professionals still need a lesson in data security, yet we keep hearing about stolen or lost computers and hard drives whose data was stored in plaintext, not encrypted. Fortunately, real-time data encryption is no longer an exotic and costly technology. Some encryption programs can not only encrypt a single file but also create virtual disks inside a file or directly on a partition; any data written to the virtual disk is encrypted automatically. On modern hardware the cost of encryption is very low, and dedicated encryption hardware is no longer required.

This article describes applications for creating and managing encrypted volumes, from the BitLocker encryption program that comes with Windows Vista to the PGP Desktop suite, which has a proven record for encrypting email and instant messages. You do not even have to spend money to get an exceptionally reliable and well-implemented disk encryption feature, but in an enterprise environment, features such as manageability or support services are worth paying for.

Tool 1: TrueCrypt 5.1a
Cost: free/open source
Website: www.truecrypt.org

TrueCrypt has every reason to be the first disk or virtual volume encryption solution you try. Besides being free and open source, the program is well written and easy to use.
It also provides an effective way to protect data across the entire system, including the operating system partition. TrueCrypt lets you choose among the Advanced Encryption Standard (AES), Serpent, Twofish, and other algorithms; these can be used on their own or in various combinations (called "cascades"), and you can also choose among hash algorithms such as Whirlpool, SHA-512, and RIPEMD-160.

There are three basic ways to encrypt: you can mount a file as a virtual encrypted volume; you can turn an entire disk partition or physical drive into an encrypted volume; or you can encrypt the Windows operating system volume that is in use, with some limitations. Encrypted volumes are protected by a password; optionally, you can also protect them with key files (for example, files kept on a removable USB drive) to strengthen security, which gives you a form of two-factor authentication.

If you create a standalone virtual volume, you can use a file of any size and any name. The file is created by TrueCrypt and formatted so that it looks no different from random data. TrueCrypt is designed so that an encrypted volume or disk cannot be recognized as such at a glance: there is no obvious volume header, no required file extension, and no other identifying tag. The only exception is an encrypted boot volume, which contains a TrueCrypt boot loader; future versions of the product may be able to avoid even this by keeping the boot loader on a USB thumb drive or on a disc. On that subject, you can also create a self-contained encrypted USB drive in "traveler mode": it carries copies of the TrueCrypt executables and can be mounted and used on any machine, as long as the user has administrator rights.

TrueCrypt also offers what it calls plausible deniability. Most importantly, it can hide one volume inside another; the hidden volume has its own password.
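The hidden-volume arrangement described here, and the overwrite risk it carries, as an added simulation in Python (not TrueCrypt's or FreeOTFE's own code; FreeOTFE's hidden volumes, covered later, use the same idea with an explicit byte offset). The container layout, the `Container` class and the `protect_hidden` flag are hypothetical; the flag models the read-only safeguard the article mentions as "refuse any outer-volume write that would reach the hidden region".

```python
import os


class HiddenVolumeClobbered(Exception):
    """Raised when a protected mount refuses a write that would reach the hidden volume."""


class Container:
    """Toy model of a container file (hypothetical, not TrueCrypt's on-disk format).

    The outer volume spans the whole image; the hidden volume lives in what the
    outer volume's file system sees as free space, starting at hidden_offset.
    The image is filled with random bytes so that, without the offset and the
    hidden volume's password, nothing marks where (or whether) it exists.
    """

    def __init__(self, size, hidden_offset, hidden_payload):
        if not 0 < hidden_offset < size or hidden_offset + len(hidden_payload) > size:
            raise ValueError("hidden volume must fit inside the container")
        self.image = bytearray(os.urandom(size))
        self.hidden_offset = hidden_offset
        self.hidden_len = len(hidden_payload)
        self.image[hidden_offset:hidden_offset + self.hidden_len] = hidden_payload

    def outer_write(self, offset, data, protect_hidden=False):
        """Write to the outer volume. With protect_hidden=True (the safeguard the
        article mentions), writes that would spill into the hidden region are
        refused instead of silently destroying it."""
        end = offset + len(data)
        if end > len(self.image):
            raise ValueError("write past end of container")
        if protect_hidden and end > self.hidden_offset:
            raise HiddenVolumeClobbered(
                f"write [{offset}, {end}) would overwrite hidden volume at {self.hidden_offset}")
        self.image[offset:end] = data

    def hidden_read(self):
        return bytes(self.image[self.hidden_offset:self.hidden_offset + self.hidden_len])


def demo():
    """Returns (intact_after_small_write, blocked_by_safeguard, destroyed_without_it)."""
    secret = b"hidden-volume-contents"
    c = Container(size=4096, hidden_offset=3072, hidden_payload=secret)
    c.outer_write(0, b"A" * 1024)                      # stays clear of the hidden region
    intact = c.hidden_read() == secret
    try:
        c.outer_write(0, b"B" * 4096, protect_hidden=True)
        blocked = False
    except HiddenVolumeClobbered:
        blocked = True
    still_intact = c.hidden_read() == secret          # the refused write changed nothing
    c.outer_write(0, b"B" * 4096)                      # unprotected mount: outer volume "fills up"
    destroyed = c.hidden_read() != secret
    return intact and still_intact, blocked, destroyed


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```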
Looking at a TrueCrypt volume, you cannot tell whether another volume is hidden inside it. However, if you write too much data to the outer volume, the hidden volume can be damaged; as a safeguard, TrueCrypt offers an option to mount the hidden volume read-only when you mount the volume. If you use system disk encryption, the actual encryption process takes some time, but it can be paused and resumed as needed (you may want to run it overnight on a PC in a locked room). The program insists on creating a rescue CD so that, in case of disaster, the computer can still be booted. (One drawback: on a dual-boot Windows system, you cannot encrypt a non-Windows boot loader.)

Tool 2: Windows Vista BitLocker
Cost: included in Vista Ultimate Edition and Vista Enterprise Edition
URL: technet.microsoft.com/en-us/windowsvista/aa905065.aspx

BitLocker ships only with Vista Enterprise Edition and Ultimate Edition, and it is designed specifically for system volume encryption. It was not originally intended to encrypt removable volumes, nor does it let you create virtual encrypted volumes as the other products in this article do. From the start it was built with centralized management in mind, administered through Active Directory and Group Policy. Unlike TrueCrypt's system disk encryption, setting up BitLocker requires at least two volumes on the target system: one holding the boot loader and the other holding the encrypted system files. Existing systems can be repartitioned with the BitLocker Drive Preparation Tool (Microsoft now provides this add-on tool for systems that support BitLocker), but if you are dealing with a system that is not yet prepared, you can also set up the partitions manually. When you encrypt a volume with BitLocker, three basic options are presented for how users will be authorized to access the encrypted volume.
If the computer has a Trusted Platform Module (TPM), it can be used together with a personal identification number (PIN). The second option is to create a removable USB drive containing the authorization data and use it in combination with the PIN, provided the computer can boot from a USB-connected device; if you choose this method, BitLocker performs a boot test before encrypting the disk to make sure the system can boot from a USB device. The third option is to enter only a PIN, but this PIN is quite long (more than 25 characters) and can only be assigned by the operating system.

As with any other full-disk encryption system, the slowest part is actually encrypting the drive; my laptop with a 75 GB hard drive took about three and a half hours to finish. Fortunately, BitLocker can run this task in the background while you do other work; you can even shut down the system and resume the encryption later as needed (my suggestion: leave the computer encrypting overnight in a locked room). If an administrator needs to access or decrypt a volume, the volume's encryption key can also be stored in the Active Directory repository. If you are not in an Active Directory environment, you can back up the key manually to a file, which of course must be strictly protected. Finally, although BitLocker initially protects only the operating system volume, it can also be used to encrypt non-system volumes manually through Vista's command line interface.

Tool 3: Dekart Private Disk 1.2
Cost: $45 per user
URL: www.dekart.com

Although Dekart Private Disk functions much like the other encryption programs, at least one feature frankly makes it impossible to recommend. First, Private Disk's feature set is only slightly more useful than that of the two free/open-source products described in this article.
Users can create virtual encrypted volumes, back up the volume headers of encrypted disks, and control disk mounting and unmounting based on user activity. The one feature that really stands out, and that the other products lack, is the Disk Firewall, which lets you allow or deny specific programs access to the encrypted volume.

The clearest sign that Private Disk was not designed with security in mind from the start is its "recovery option", which attempts a brute-force attack on the password to determine the password of the private disk. No professional encryption product has such a function. It is like buying a lock for your front door and discovering that it comes with a set of lock-picking tools, "in case you lose your key". Since the vast majority of Private Disk's features are available for free elsewhere, it is hard to justify paying for this program when those functions are better implemented elsewhere.

Tool 4: DriveCrypt
Cost: 59.95 Euro (USD 88.73) per user
URL: www.securstar.com

SecurStar's DriveCrypt offers features similar to those of TrueCrypt and of FreeOTFE, described below: you can create an encrypted container from a file or an entire disk, hide one encrypted drive inside another, and so on. More advanced features, such as full disk encryption, require the DriveCrypt PlusPack add-on ($185). Whether DriveCrypt's extra features are worth paying for is a matter of opinion, since many people will find the feature set of the free products sufficient. If you have used similar products before, most of the encryption functions of standard DriveCrypt will be what you expect: you can create a virtual encrypted disk in a file or partition, have the disk lock automatically after a period of inactivity, and create a hidden disk inside a disk.
DriveCrypt can also mount disks created by earlier versions of the product (ScramDisk and E4M), so if you are migrating from either of those programs, you will not be left out in the cold. It has some features the free products lack, including the ability to resize existing encrypted disks and an administrator key escrow service (although the latter can also be achieved in TrueCrypt and FreeOTFE simply by backing up the volume header manually). Another feature unique to DriveCrypt is the "DKF Access File", which allows a third party to access an encrypted volume without the volume password. DKF keys can carry various restrictions: they can have their own password (unrelated to the password of your own disk), expire after X days, or be valid only during a certain period. This makes it possible to exercise some control over access to the encrypted drive.

Note: by default, the program marks a whole encrypted partition with the partition type code 0x74. This makes it easier for the program to identify and mount encrypted partitions, but it also means that a hostile third party can easily tell that a volume was encrypted by DriveCrypt. Fortunately, you can turn this behavior off in the program options... and you probably should, because only you should know what is an encrypted container and what is not.

The most intriguing aspect of DriveCrypt is its ability to turn a .WAV file, whether ripped from a CD or freshly recorded, into an encrypted container using steganography. Either four or eight bits of each sample are used to store data, so a 175 MB .WAV file (equivalent to a music disc) can hold MB or MB of data. The resulting file can still be played, but the audio quality is affected to some degree.
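The partition type code mentioned in the note above is plain to see in the disk's partition table. As an added example (not DriveCrypt's code), here is a small MBR partition-table parser in Python that lists each partition's type and flags any entry carrying 0x74; the sample MBR it builds is constructed, and the `KNOWN_TYPES` labels are a few well-known codes included for contrast.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446              # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
DRIVECRYPT_TYPE = 0x74          # type code DriveCrypt writes by default (per the article)
KNOWN_TYPES = {
    0x07: "NTFS/HPFS/exFAT",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    DRIVECRYPT_TYPE: "DriveCrypt (0x74)",
}


def build_mbr(entries):
    """Build a constructed MBR image from (type, lba_start, sectors) tuples (sample data, not a real disk)."""
    mbr = bytearray(MBR_SIZE)
    for i, (ptype, lba, count) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xAA"  # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: boot signature 0x55AA missing")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0x00:           # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "label": KNOWN_TYPES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": count})
    return parts


def drivecrypt_partitions(mbr):
    """Indices of partitions that announce themselves as DriveCrypt via type 0x74."""
    return [p["index"] for p in parse_mbr(mbr) if p["type"] == DRIVECRYPT_TYPE]


if __name__ == "__main__":
    sample = build_mbr([(0x07, 2048, 1_000_000), (DRIVECRYPT_TYPE, 1_002_048, 500_000)])
    for p in parse_mbr(sample):
        print(p)
    print("DriveCrypt-tagged partitions:", drivecrypt_partitions(sample))
```

To check a real machine, pass the first 512 bytes of the physical disk to `parse_mbr` (reading them requires administrator rights); an empty result from `drivecrypt_partitions` after disabling the option confirms the container no longer advertises itself.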
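The low-bit audio container just described, as an added illustration in Python that is not DriveCrypt's code. It assumes 16-bit PCM samples (the constructed tone stands in for a ripped or recorded .WAV), stores a payload in the low four or eight bits of each sample, and then shows what the article's note about CD audio warns of: anyone holding the original audio can find exactly which samples were altered by comparing low bits.

```python
import math

BITS = 4                          # low bits per sample carrying hidden data (article: 4 or 8)


def make_samples(n, freq=440.0, rate=44100):
    """Constructed 16-bit PCM tone standing in for a ripped or recorded .WAV (assumes 16-bit samples)."""
    return [int(20000 * math.sin(2 * math.pi * freq * i / rate)) for i in range(n)]


def capacity_bytes(samples, bits=BITS):
    """How much payload fits: `bits` of every sample, 8 per payload byte."""
    return len(samples) * bits // 8


def embed(samples, payload, bits=BITS):
    """Replace the low `bits` of successive samples with the payload's bits."""
    if bits not in (4, 8):
        raise ValueError("bits must be 4 or 8")
    if len(payload) > capacity_bytes(samples, bits):
        raise ValueError("payload exceeds capacity")
    mask = (1 << bits) - 1
    bitstream = "".join(f"{b:08b}" for b in payload)
    out = list(samples)
    for i in range(0, len(bitstream), bits):
        out[i // bits] = (samples[i // bits] & ~mask) | int(bitstream[i:i + bits], 2)
    return out


def extract(samples, nbytes, bits=BITS):
    """Recover nbytes of payload from the low bits of the leading samples."""
    mask = (1 << bits) - 1
    bitstream = "".join(f"{s & mask:0{bits}b}" for s in samples[:nbytes * 8 // bits])
    return bytes(int(bitstream[i:i + 8], 2) for i in range(0, len(bitstream), 8))


def differing_samples(original, suspect, bits=BITS):
    """Indices where the low bits differ: what someone holding the original rip would see."""
    mask = (1 << bits) - 1
    return [i for i, (a, b) in enumerate(zip(original, suspect)) if (a & mask) != (b & mask)]


if __name__ == "__main__":
    clean = make_samples(2000)
    stego = embed(clean, b"hidden")
    # each sample moves by at most 2**BITS - 1, which is the audible cost
    print(capacity_bytes(clean), extract(stego, 6), differing_samples(clean, stego))
```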
(Note: using an ordinary CD music file may not be a good idea, because even if attackers cannot decrypt the container, they can compare the content ripped from the CD with your file to check whether data is hidden in it. Recording your own audio may be better.)

Tool 5: FreeOTFE 3.00
Cost: free/open source
Website: www.freeotfe.org

FreeOTFE (OTFE stands for "on-the-fly encryption") resembles TrueCrypt in many respects: it provides many of the same features, implemented slightly differently in places, and it also comes with a very permissive software license. Creating a new volume is again similar to TrueCrypt: a wizard guides you through the whole process, presenting the relevant options at each step. FreeOTFE offers a wider range of options, covering the volume's salt and hash length, password, key, and disk sector settings, but most users can keep the defaults. Some options exist mainly for backward compatibility, such as the obsolete MD2 and MD4 hash functions; a newly created disk uses SHA-512 or better. Another notable feature that TrueCrypt does not seem to have is the ability to run arbitrary scripts after a volume is mounted and before and after it is unmounted, for example to clear temporary files or files that could be used for forensics (so they do not fall into someone else's hands). Another convenience for Linux users is that FreeOTFE can work with drives encrypted by Linux's own file system encryption, such as Cryptoloop, dm-crypt, and LUKS. As with TrueCrypt, you can also choose to create a separate key file, but the mechanism is a little different: with TrueCrypt the key file for a volume can be any file, because it is only ever read, whereas a FreeOTFE key file is created from scratch and stores the volume's metadata block. The key file can be kept on a USB flash drive to further strengthen physical security.
When generating random data for a new volume, you can choose to use Microsoft's CryptoAPI, to move the mouse to add randomness to the generated data, or both. Also like TrueCrypt, FreeOTFE can hide one encrypted volume inside another, but the process is slightly more involved: you must manually specify a "byte offset" value that describes where the hidden volume is located. Without the offset value (and the hidden volume's password), the hidden volume cannot be mounted. It is also possible to hide an encrypted volume inside an unencrypted one, but that is somewhat harder.

FreeOTFE pays particular attention to portability. The program's user settings can be saved to the user's own profile or globally (that is, to the program directory). Also like TrueCrypt, FreeOTFE has a "portable mode", so you can put the FreeOTFE executables and an encrypted volume on a removable disk and use them on another computer even if FreeOTFE is not installed there. Finally, FreeOTFE runs on personal digital assistants (PDAs) based on Windows Mobile 6; volumes created or used on the desktop can be used on a PDA, and vice versa.

Tool 6: PGP Desktop Professional Edition
Cost: $199 per user
URL: www.pgp.com

PGP Desktop provides a complete set of encryption tools designed from the outset to integrate seamlessly with Windows systems, whatever combination of programs you use (with a few exceptions to that rule). It is best suited to users looking for broad encryption coverage who are willing to pay for a fully featured product. The program's main interface has five basic parts: key management, mail, PGP Zip, disk management, and network sharing (NetShare).
The key management section is where you will probably start: you can create a new encryption key, import existing keys from an external keyring, publish keys to PGP's global key directory (where you can also search for other people's keys), and so on. The mail section controls how PGP Desktop handles email. By default, PGP Desktop can encrypt standard SMTP/POP email, Exchange/MAPI email, and Lotus Notes email. Rather than modifying the email client, PGP Desktop proxies and monitors email traffic in both directions and acts on it as needed. If email sent to you is encrypted with a key in your keyring, it is decrypted automatically. You can also create policies defining which email is intercepted and encrypted; for example, email to every domain except a specific one could be sent in plaintext.

The instant messaging (IM) encryption system (which also works through a local proxy) supports only AOL Instant Messenger (AIM) and Trillian; other clients that use the AIM protocol may work, but PGP does not guarantee them. IM encryption uses a one-time 1024-bit RSA key for each login, and the content itself is encrypted with a 256-bit AES symmetric key.

The PGP Zip tab lets you create encrypted archives, which can be unpacked by PGP at the other end or packaged as self-extracting archives. The resulting archive can also be signed, and encrypted with either a passphrase or the recipient's key (if the recipient has one). If all you want is password-protected, encrypted archives, you do not need the whole PGP suite; many standalone compression programs can do that, but signing, key-based encryption, and the other features are usually not available in them.

PGP Disk is the suite's full-disk and virtual-volume encryption solution. Virtual volumes work much as in TrueCrypt or FreeOTFE: a volume can be stored in any file.
With PGP, however, a volume (or several volumes) can be protected with a passphrase or encrypted with user keys (using AES, CAST5, Twofish, and other algorithms). For full-disk encryption, several options are available during the encryption process: maximum CPU usage, to save time, and power-failure safety, so that a power failure during encryption does not damage the system. Encrypted disks can use TPM hardware (if you have it) or a USB flash drive to hold the key file, or both in combination. PGP Disk has another notable feature: a data shredding tool, similar to the free Eraser software, that can wipe files or just the free space on an existing disk.

The NetShare feature (in PGP Desktop Storage and PGP Desktop Corporate) lets you share encrypted files on portable drives or network drives. All decryption is performed on the client, so no sensitive information travels in plaintext and no special software needs to be installed on the file server. NetShare can also integrate with Active Directory for fine-grained management of who can access what. You can also encrypt individual files outside the designated protected folders, but this feature must be enabled separately (it is disabled by default). PGP Desktop is not only a standalone program; in an enterprise environment it can be managed by PGP's central server product (PGP Universal). If you plan to start on a single system and later move to a more centrally managed environment, PGP Desktop Professional Edition is a good choice.
Tool 7: 7-Zip
Cost: free/open source
Website: www.7-Zip.org

You might think the open source archiver 7-Zip is not in the same league as the other programs described in this article, but if all you need is a quick, ad hoc way to create encrypted, password-protected archives, it is actually a good choice. 7-Zip can also create self-extracting archives, so the recipient does not need 7-Zip at all, only the password you agreed on in advance. It does not support any form of two-factor authentication, however. For better security, be sure to select the "encrypt file names" option when creating an archive.

Conclusion

Most people who want a basic disk protection solution should probably try TrueCrypt (or FreeOTFE, its closest counterpart), especially since the former offers encryption of the entire disk and boot volume. PGP Desktop adds many other tools and is a good choice for users who want to encrypt not only the contents of their disks but also email and instant messages. One of BitLocker's major advantages is that, as a Vista feature, it can be centrally managed through Active Directory. DriveCrypt has some potentially useful hiding and access management functions. 7-Zip is a simple way to create encrypted, password-protected archives. Unfortunately, Dekart Private Disk can hardly be called a professional encryption solution, because it includes an absurd feature: it can launch brute-force attacks on the very volumes you hand over to it for protection.