Contrary to popular belief, just using a password and encrypted communication software does not guarantee the safety of a device’s data. Anyone, especially journalists, should ensure that the information stored on their hardware is also encrypted.
Simply having a password at the login screen of a computer is not sufficient, and hardware is often unencrypted by default, which leaves users highly vulnerable to cyberattacks. Along with a good password, journalists should always include “encryption at rest” in their safety protocol to protect any sensitive information being stored, the identities of sources and even the passwords to other devices.
Encryption is the process of encoding information: it converts the original message, also known as plaintext, into an unreadable string of letters and numbers called ciphertext, which can only be decrypted if the user has the correct password. Unlike end-to-end encryption (E2EE), where information is protected while in transit, ‘encryption at rest’ encrypts the hard drive that holds the data, so an attacker who physically has the device cannot access it in unencrypted form. It’s important that backups are also encrypted, as the backup could be stolen and accessed by a third party.
There are several levels of encryption at rest that a journalist can utilise. To begin, hard drive encryption is recommended, as it protects the entire drive from being accessed. Whether someone physically removes a user’s hard drive and plugs it into another computer or tries to force their way into the computer, whatever they access will be unreadable without the decryption key. Folder encryption software such as BitLocker involves creating a folder on a hard drive and encrypting it. This is recommended if a user needs a secure section on their laptop. Finally, individual file encryption software such as NordLocker protects a single file and is useful when a user has only one confidential file or needs to share a file with someone else. Alternatively, 7-Zip helps the user create a password-protected zip file.
Recommended encryption software
• Apple’s FileVault. Integrated into Apple’s system, the software provides full disk encryption, forces the use of a password and allows the user to erase their Mac using the Find My Mac tool in the case of a device being physically accessed. As with other encryption types, users should securely save a recovery key.
• VeraCrypt. Open-source software that gives users instantaneous encryption on a virtual disk or folders on their devices when storing files or sensitive materials while reporting. The software provides real-time automatic encryption and is available for Windows, Mac OSX and Linux.
• BitLocker. A Microsoft tool integrated with Windows products that provides full storage encryption and file and folder encryption. It also requires Microsoft Enterprise, Pro or Education to operate, which makes it easier to use as part of a newsroom than as a freelancer.
• NordLocker. A folder encryption tool which is backed up into a secure cloud system, allowing users to access it if a device goes missing. It is known for its ease of use and is regularly updated with new features and vulnerability fixes. Its primary drawback is that it doesn’t currently support two-factor authentication.
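One way to verify that encryption at rest is actually switched on, as an added example that is not part of the original article: the script checks FileVault on macOS and, going beyond the tools named above, lists mounted filesystems on Linux (backup drives included) that have no dm-crypt/LUKS layer beneath them. The function names are this example's own; on Windows, `manage-bde -status` reports the BitLocker state instead.

```shell
#!/bin/sh
# Added example (not from the original article): check for encryption at rest.
# The parsers take tool output as text, so they can be exercised offline.

# macOS: `fdesetup status` prints "FileVault is On." once FileVault is enabled.
filevault_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Linux: input is the output of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`.
# Prints every mounted filesystem (internal disk, backup drive, swap) that has
# no dm-crypt layer between it and the physical disk. /boot and the EFI
# partition are commonly listed even on an encrypted install.
unencrypted_mounts() {
  printf '%s\n' "$1" | awk '
    function val(key,   line, s) {
      line = " " $0
      if (!match(line, " " key "=\"[^\"]*\"")) return ""
      s = substr(line, RSTART, RLENGTH)
      sub(/^[^=]*="/, "", s); sub(/"$/, "", s)
      return s
    }
    {
      k = val("KNAME"); if (k == "") next
      if (!(k in type)) order[++n] = k
      parent[k] = val("PKNAME"); type[k] = val("TYPE"); mnt[k] = val("MOUNTPOINT")
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (mnt[k] == "" || type[k] == "loop") continue   # skip snap/ISO loop mounts
        enc = 0
        for (d = k; d != ""; d = parent[d]) if (type[d] == "crypt") { enc = 1; break }
        if (!enc) print mnt[k]
      }
    }'
}

# Check the local machine: sh check.sh --run (the file name is an assumption).
check_this_machine() {
  case "$(uname -s)" in
    Darwin) filevault_on "$(fdesetup status)" && echo "FileVault: on" || echo "FileVault: OFF" ;;
    Linux)  unencrypted_mounts "$(lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT)" ;;
    *)      echo "unsupported platform" ;;
  esac
}
if [ "${1:-}" = "--run" ]; then check_this_machine; fi
```

An empty result on Linux means every mounted filesystem sits on an encrypted layer; any path printed, such as a backup drive's mount point, is stored in the clear.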
Written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal security tools across large enterprises. Over the last two years, he has been researching how to maintain proper security in the context of an oppressive nation-state, specifically in the context of Myanmar. He has also been working with multiple groups in Taiwan to train them on proper security and safety measures.