Ask HN: How can I easily but securely encrypt my laptop & emails? - codex_irl


======
tptacek
On a Mac:

Get up to the very most recent OS X. A dot release in OS X disabled Firewire while
the machine was sleeping, which is important because Firewire is basically a
thin veneer around direct DMA access to system memory.

Enable FileVault. Unlike the feature that used to be called FileVault, modern
FileVault is block-level AES-XTS encryption. (Before FileVault, my
recommendation would have been to buy PGP WDE).

Tell the system to forget its key during sleep; the most recent rubber chicken
to wave for this appears to be "sudo pmset -a destroyfvkeyonstandby 1
hibernatemode 25".

Power down your machine whenever you can; don't just shut the lid.

Buy Knox.app from AgileBits, which is a nice UI on top of the VFS-level block
AES encryption OS X does. Create virtual disk drives for each of your clients,
or each of your projects, or whatever. Create another for your mail; create
another for personal documents. Give each a separate key (you'll rarely have
all of them unlocked or need to use all of them). Do not store the keys in the
Keychain.

Copy ~/Library/Mail's contents to the virtual disk you made for Mail and then
replace ~/Library/Mail with a link to that disk; now, you'll need to have that
virtual disk unlocked to read your mail.

Disable sharing; make sure every box in "Sharing" under Preferences is
unchecked.

Enable the firewall and block all incoming connections;
Preferences->Security->Firewall, Enable, Options->Block All Incoming
Connections.

Get GPGTools and GPGMail (the most recent official build supports Mt. Lion
nicely). Install them, and use GPG, from your Mac only, to send mail.

Do not supply your GPG private key to _any_ service, ever.

Uninstall Dropbox. Sorry. Dropbox is fantastic. We ban it wholesale.

Though we can't use it for a variety of contractual reasons, I highly
recommend Colin Percival's Tarsnap for backup.
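A posture check for the FileVault, standby-key and firewall settings in the list above, written here as an added example (it is not tptacek's code). Each check parses command output handed to it as text, so it runs with constructed sample output on any POSIX system; the exact wording of `fdesetup status` and `socketfilterfw --getblockall` output is an assumption.

```shell
#!/bin/sh
# Added example: audit the sleep/FileVault/firewall settings recommended above.
# check_* functions take the OUTPUT of the relevant macOS command as $1, so they
# can be exercised with constructed text; audit_live runs the real commands.

# fdesetup status should report "FileVault is On." (assumed wording).
check_filevault() {
  printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# pmset -g prints "key value" lines; pull one value by key.
pmset_value() {  # $1 = pmset -g output, $2 = key
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Require the two settings quoted above: key destroyed on standby, hibernatemode 25.
check_pmset() {
  [ "$(pmset_value "$1" destroyfvkeyonstandby)" = "1" ] &&
  [ "$(pmset_value "$1" hibernatemode)" = "25" ]
}

# socketfilterfw --getblockall should say block-all is enabled (assumed wording).
check_firewall() {
  printf '%s\n' "$1" | grep -qi 'Block all ENABLED'
}

# Run all three checks; one line per check, return 0 only if all pass.
audit() {  # $1 fdesetup output, $2 pmset output, $3 firewall output
  rc=0
  check_filevault "$1" && echo "PASS FileVault on" || { echo "FAIL FileVault off"; rc=1; }
  check_pmset "$2" && echo "PASS FV key dropped on standby, hibernatemode 25" || { echo "FAIL pmset"; rc=1; }
  check_firewall "$3" && echo "PASS firewall blocks all incoming" || { echo "FAIL firewall"; rc=1; }
  return $rc
}

# Live run; only meaningful on macOS, where these commands exist.
audit_live() {
  audit "$(fdesetup status 2>/dev/null)" "$(pmset -g 2>/dev/null)" \
        "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getblockall 2>/dev/null)"
}

# Constructed sample outputs (not captured from a real machine).
GOOD_FV='FileVault is On.'
BAD_FV='FileVault is Off.'
GOOD_PM=' destroyfvkeyonstandby 1
 hibernatemode        25
 sleep                10'
BAD_PM=' destroyfvkeyonstandby 0
 hibernatemode        3'
GOOD_FW='Block all ENABLED!'
BAD_FW='Block all DISABLED!'

if [ "$(uname)" = Darwin ]; then audit_live || echo "hardening incomplete"; fi
```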

~~~
codenerdz
Out of curiosity, what is the purpose of using a separate 'vault' for email if
the entire disk (where email is stored) is encrypted?

~~~
tptacek
Because block encryption doesn't help you if your machine is compromised by
software, but project-specific vaults might.

------
gasull
- Use an open-source OS like Linux. Ubuntu is user-friendly. Windows isn't
safe:
[https://en.wikipedia.org/wiki/NSAKEY](https://en.wikipedia.org/wiki/NSAKEY)

- Install the OS with full-disk encryption.

- If you use a service like Dropbox, use EncFS to encrypt everything in the
cloud.

- For email, you'll need to start using a mail user agent like Mutt or
Thunderbird with PGP/GnuPG. And then the problem will be that none of your
friends use encryption anyway. Personally I'm telling everyone about using
Bitmessage instead of email: [https://bitmessage.org](https://bitmessage.org)

~~~
tptacek
It's like we're devolving back to Slashdot circa 1999. In reality, the Windows
kernel is one of the most heavily audited, carefully inspected codebases in the
world, not because Microsoft spends a cubic fuckton of money getting external
firms to do that (though they do), but because every vulnerability research
firm in the world has reverse engineered the code --- which Microsoft tends to
make very easy, for instance by publishing symbols.

The likelihood that Microsoft is shipping block-level encryption with secret
backdoors is pretty close to zero.

------
codex_irl
Do we know what is secure against the likes of the NSA / what encryption they
can break today?

I understand this is almost impossible for us to accurately answer, just
curious if we have any clues regarding their codebreaking capabilities in this
regard.

------
gesman
You cannot encrypt emails. Even if you satisfy your urge for privacy, the
originator or addressee of the email will still have unencrypted copies. So
forget about it.

The presence of encryption will raise more suspicion and cause further
investigation into your activities. So forget about it.

------
iamjustin
TrueCrypt for the laptop, and GnuPG for emails.