7.4 File Encryption Flashcards
Which editions of Windows include Encrypting File System (EFS)?
Why would you create a Data Recovery Agent (DRA)?
Which standard do Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) follow?
What partition/volumes are created when implementing BitLocker?
What are three methods of database encryption?
Encrypting File System
EFS provides an easy and seamless way for users to encrypt files on Windows computers. EFS is used to encrypt only individual files and folders, not whole volumes.
File Encryption Key (FEK)
A pseudo-random number used with the AES encryption algorithm to encrypt files and folders in EFS.
Data Decryption Field (DDF)
A special location in an EFS-encrypted file’s header that stores the FEK (encrypted with the user’s public key).
Data Recovery Agent
The DRA is an account that has been granted the right to decrypt EFS-encrypted files and folders that other users encrypted.
GNU Privacy Guard
GPG is an encryption tool that encrypts emails, digitally signs emails, and encrypts documents.
Pretty Good Privacy
PGP is a commercial encryption program that is now owned by NortonLifeLock (previously Symantec). PGP is used by products that protect laptops, desktops, USB drives, optical media, and smartphones.
BitLocker
BitLocker is used to encrypt an entire volume. All data on the volume is protected even if the hard drive is moved to another computer.
7.4.1 Encrypting File System
Microsoft’s Encrypting File System, or EFS, was introduced with NTFS version 3 and has been included in every version of Windows since Windows 2000, except the Home editions.
EFS makes it simple for users to encrypt files on their Windows systems.
EFS combines the speed of symmetric encryption with the convenience of asymmetric encryption.
However, keep in mind that EFS is used to encrypt individual files or folders on the system, not the entire drive. You would have to use BitLocker for that.
When you want to encrypt a file, Windows generates a pseudo-random number called the File Encryption Key, or FEK. Windows uses the FEK with the AES encryption algorithm to encrypt the file.
To protect the FEK itself, Windows then encrypts the FEK with the user’s public key and stores the encrypted FEK in the file’s header, in a special location called the Data Decryption Field, or DDF.
To decrypt, the user’s private key first unlocks the DDF to recover the FEK. The FEK is then used to decrypt the file.
By combining the security of the symmetric keys and the convenience of the asymmetric keys, Microsoft has made it easy for users to encrypt their data.
Recovering Data 1:25-2:28
By default, the only user who can decrypt files is the user who encrypted them. If that user account becomes corrupted somehow or the password is forgotten, any encrypted files are lost. To prevent this, we need to set up a Data Recovery Agent, or DRA.
The Data Recovery Agent, or DRA, is simply another account that can decrypt data that’s been encrypted by other users on a Windows operating system.
In older versions of Windows, the system administrator was automatically configured as the DRA, but in newer versions, the DRA is not automatically defined.
Instead, you have to go into Group Policy on the local computer to set up the DRA.
When working on a domain network, the DRA is defined in Active Directory.
Keeping the decryption keys safe is vital to protecting your data and being able to access it when needed.
To do this, you can back up the decryption keys to a USB drive. Then, if something catastrophic happens to the Windows system, you can still decrypt the files using the backed-up keys.
Security Considerations 2:29-3:25
When using EFS, there are some security issues you need to keep in mind, such as what happens when files are moved.
If you move or copy an encrypted file to a different location on the same partition, or to another NTFS partition, your file will stay encrypted.
However, if you move or copy a file to a FAT-based partition, the file will be decrypted automatically, as these file systems don’t support EFS encryption.
We need to be careful with this because, by default, USB drives are formatted with FAT32 or exFAT, as these are the most compatible with other operating systems.
When you copy an encrypted file over, you won’t be notified that the file is decrypted. This can lead to some serious security issues.
The other security concern is that the user’s private key is protected only by their password. If the user has a weak password and the system is compromised, all encrypted files are vulnerable. It’s absolutely vital that users have strong passwords and follow proper password security protocols.
7.4.4 PGP and GPG
When you’re encrypting files or emails, you need the help of a utility. Windows automates this process with either BitLocker or EFS. In a Unix-based operating system, such as Linux or Apple’s OS X, we can use GNU Privacy Guard, or GPG. GPG is based on an older utility, Pretty Good Privacy, or PGP. In this lesson, we’ll cover how both utilities work and how to use them.
Pretty Good Privacy (PGP) 0:29-1:23
PGP is an encryption program first developed in 1991 based on the OpenPGP standard. PGP combines the use of symmetric and asymmetric keys and can be used to send encrypted messages and encrypt data.
To encrypt data, PGP generates a large, random one-time use session key that’s used for encryption. The session key is then encrypted using the receiver’s public key, and both are combined to send the encrypted message.
When the receiver gets the message, they use their private key to decrypt the session key, which is then used to decrypt the message.
Even though PGP is an old utility, it’s still considered the standard for encrypting messages because, as of the time this video was recorded, it has never been cracked. PGP was purchased a while ago and commercialized. It’s owned by NortonLifeLock, formerly known as Symantec, and provides products that can protect all sorts of devices, even smartphones.
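The hybrid scheme that both lessons describe, the EFS File Encryption Key stored in the file’s DDF (7.4.1) and PGP’s one-time session key wrapped to the receiver’s public key (above), as an added Go example that is not part of the course material. It assumes AES-256-GCM for the data and RSA-OAEP for wrapping the key; the lessons name only AES and do not give the exact key-wrapping algorithm, so the wrapping choice and the `EncryptedFile` layout are illustrative.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile: AES ciphertext plus a header field (the DDF) holding the wrapped FEK.
type EncryptedFile struct {
	Nonce, Ciphertext, DDF []byte
}
// aeadFor keys AES-GCM with a FEK (in PGP terms, the one-time session key).
func aeadFor(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Encrypt: a fresh FEK encrypts the data; the FEK is wrapped to the owner's public key (RSA-OAEP is assumed).
func Encrypt(plain []byte, owner *rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // 256-bit one-time FEK, then a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	gcm, err := aeadFor(fek)
	if err != nil {
		return nil, err
	}
	ddf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, owner, fek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{nonce, gcm.Seal(nil, nonce, plain, nil), ddf}, nil
}
// Decrypt: the private key opens the DDF to recover the FEK, then the FEK decrypts the file.
func Decrypt(f *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.DDF, nil)
	if err != nil {
		return nil, err // wrong private key or altered DDF: stops here, data never touched
	}
	gcm, err := aeadFor(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}
```

Only the holder of the matching private key can unwrap the FEK, which is exactly why the lesson stresses backing up that key and configuring a DRA.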
GNU Privacy Guard (GPG) 1:24-2:03
In response to PGP becoming a commercial product, GNU Privacy Guard was created in 1999. GPG is a command line utility that’s used to encrypt and decrypt data and messages. GPG functions just like PGP. It uses both symmetric and asymmetric keys to encrypt and secure data and messages.
To generate a random session key, the user performs actions on the computer, such as typing on the keyboard or moving the mouse. This helps to ensure that the key is truly random.
Because it’s an open-source utility, GPG can be used on many different systems, including Windows, Linux, Android, and Apple’s OS X.
Summary 2:04-2:21
That wraps up this lesson. In this video, we looked at two popular utilities for encrypting files and messages, Pretty Good Privacy and GNU Privacy Guard. Both utilities use a hybrid cryptographic model and are very secure. The biggest difference between them is that PGP is a commercial product, and GPG is a free open-source utility.
7.4.6 BitLocker and Database Encryption
Organizations often store sensitive data on devices and in databases. Implementing proper data encryption is key to securing this sensitive data. Using BitLocker and proper database encryption can help protect data if a physical device, such as a laptop, is stolen or if a hacker gains access to a database.
BitLocker 0:23-3:28
A lost or stolen computer can be catastrophic to an organization if it holds confidential information. With the release of Windows Vista, Microsoft introduced BitLocker to address this concern. BitLocker is a powerful encryption tool that, instead of encrypting individual files and folders, encrypts an entire volume, including operating system files. BitLocker is designed to protect data from unauthorized access, even if the drive is moved to another computer.
It’s important to note that BitLocker isn’t available on Home editions of Windows.
To implement BitLocker on a computer, the hard disk must be partitioned with two volumes. The system, or boot, volume contains the Windows boot files and is created during Windows installation. The standard volume contains all other data. The system volume won’t be encrypted, but the standard volume will be.
One of the newer features of BitLocker in Windows 10 is the ability to only encrypt used space. This makes the encryption process so much faster. Previously, the entire drive, even space not in use, was encrypted. This process could take hours depending on the size of the drive.
BitLocker can also use the computer’s Trusted Platform Module, or TPM, chip to verify the integrity of the system’s boot files, as long as the chip is at least version 1.2. It does this by encrypting the boot files and storing the encryption key in the TPM chip. When you log in to Windows, BitLocker automatically unlocks the encrypted drive. If the drive is moved to another computer, the encryption key won’t match up, and the drive can’t be accessed. It’s possible to configure BitLocker to protect the system files without a TPM chip, but then you have to insert a startup USB key or enable a system volume password to boot into Windows.
When BitLocker is enabled, Windows creates the recovery key. This randomly generated key will be used if the hard drive needs to be moved to a different system, if changes are made to the startup files, or if BitLocker goes into a locked state and needs to be accessed. The recovery key is different from the user-generated password created during the configuration process.
Obviously, this is an incredibly important key. Windows gives you the option to save the key to your Microsoft Account, a USB flash drive, or a file on the local computer. You can also print the key out, and if you’re on a domain, you can store the key in Active Directory. It’s a good idea to back up this key multiple ways and then store it safely locked.
If you’re on a domain, there are additional options for recovering data if the user password is lost. Using the stored recovery key would be the first and easiest option, especially if the key was stored in Active Directory. If the key can’t be found, a Data Recovery Agent, or DRA, can be used. The DRA is just another account that has rights to decrypt the drive. This option must first be configured in Group Policy. If the hard drive contains the OS files, it’ll need to be installed in another system as a data drive before the DRA can decrypt it.
When implemented properly, BitLocker is a powerful tool that can be used to protect data in case a laptop or other device that contains sensitive information is stolen or lost.
Database Encryption 3:29-4:08
Many organizations store important sensitive data, such as customer billing information, in databases. Keeping this data encrypted helps protect it if a hacker ever gains access to the database.
The three main methods of database encryption are transparent, column-level, and application-level. Before we look at these methods in detail, let’s review the structure of a database.
Databases are made up of multiple tables that use columns and rows filled with data. For example, we might have a table labeled Customers. In that table, we have columns labeled Name, Number, Email, and Address. The rows in each column are filled with the pertinent information.
Transparent Data Encryption (TDE) 4:09-4:28
Transparent data encryption, or TDE, encrypts the entire database and all backups. TDE is used for data at rest, that is, data that’s not in current use. This method is called transparent encryption because when an authorized user needs to access the data, it’s automatically decrypted, so the user doesn’t see the process or need to do anything extra.
Column-Level Encryption 4:29-4:42
Column-level encryption allows the administrator to encrypt each column using different keys. This increases security because multiple encryption keys are required to access all of the data. Keep in mind that this method does slow the database’s performance.
Application-Level Encryption 4:43-5:09
In application-level encryption, the program that’s used to create or modify the data is responsible for encrypting the data. This works well because the data is encrypted before it even hits the database. The drawback of this method is that the amount of resources required for setup can be prohibitive.
When an organization maintains sensitive data, they need to ensure that it’s kept safe. Any of the methods in this video will help keep databases secure.
Summary 5:10-5:23
That wraps up this lesson. We’ve covered some solutions for encrypting sensitive data. BitLocker can be used to encrypt an entire hard drive or volume, which will prevent access if a device is stolen. And there are several methods an organization can use to encrypt sensitive data that’s stored in databases.