Encryption is the process of transforming data to make it unreadable except to those who have the required key to unlock the obscured data. You should be familiar with the following types of encryption.
File encryption encrypts individual files so that only the user who created the file can open it.
- The Encrypting File System (EFS) in Windows encrypts individual files. Windows automatically decrypts a file when the file owner opens it.
- With EFS, you can add other users who can also open the encrypted file.
- EFS is only available on NTFS partitions. Moving an encrypted file to a non-NTFS partition removes the encryption.
- Files remain encrypted and inaccessible even when the drive is moved to another computer or if another operating system is used.
- Encryption cannot be used together with compression (you can use either, but not both).
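The EFS constraints listed above can be checked before encrypting rather than discovered afterwards. The following PowerShell function is an added example, not part of the original study notes; it uses only built-in Windows pieces (.NET System.IO.File.Encrypt, compact.exe and cipher.exe), assumes it runs on Windows as the file's owner, and the path in the usage comment is a placeholder.

```powershell
# Added example: encrypt a file with EFS after checking the constraints the
# notes list (NTFS only; encryption and compression are mutually exclusive).
function Protect-FileWithEfs {
    param(
        [Parameter(Mandatory = $true)]
        [string]$FilePath
    )

    $file = Get-Item -LiteralPath $FilePath -ErrorAction Stop

    # EFS works only on NTFS volumes, so check the volume before trying.
    $root  = [System.IO.Path]::GetPathRoot($file.FullName)
    $drive = New-Object System.IO.DriveInfo $root
    if ($drive.DriveFormat -ne 'NTFS') {
        throw "EFS requires NTFS; $root is formatted as $($drive.DriveFormat)."
    }

    # A file cannot be both NTFS-compressed and EFS-encrypted. Uncompress it
    # explicitly so the resulting state is unambiguous.
    if (($file.Attributes -band [System.IO.FileAttributes]::Compressed) -ne 0) {
        Write-Warning "$FilePath is NTFS-compressed; removing compression before encrypting."
        & compact.exe /u "$($file.FullName)" | Out-Null
    }

    # Encrypt with the current user's EFS certificate (Windows creates one on first use).
    [System.IO.File]::Encrypt($file.FullName)

    # Verify by re-reading the attributes instead of trusting the call.
    $after = Get-Item -LiteralPath $file.FullName
    $isEncrypted = ($after.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
    if (-not $isEncrypted) { throw "Encryption attribute was not set on $FilePath." }

    # cipher /c lists the certificates (users and recovery agents) that can
    # decrypt the file. This is what to inspect after granting another user
    # access with: cipher /adduser /certhash:<thumbprint> <file>
    & cipher.exe /c "$($file.FullName)"

    return $isEncrypted
}

# Usage (placeholder path):
# Protect-FileWithEfs -FilePath 'C:\Users\alice\Documents\secret.txt'
```

Note that moving the encrypted file to a non-NTFS volume (a FAT32 USB stick, for example) silently writes it out in clear text, which is why the NTFS check is done on the destination volume, not just the source.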
Whole disk encryption encrypts the entire contents of a hard drive, protecting all files on the disk.
- During system startup, a special key is required to unlock the hard disk. Without the key, data on the drive is inaccessible.
- Providing the key allows the system to decrypt files on the hard drive.
- You cannot unlock/decrypt a drive simply by moving it to another computer.
- Most solutions provide for a second recovery key that can unlock the drive when the original key is lost. If both the encryption key and the recovery key are lost, data cannot be retrieved.
- BitLocker is a Microsoft solution that provides whole disk encryption. BitLocker is supported on Vista and Windows 7 Ultimate or Enterprise versions. DriveLock is another solution that includes disk encryption.
- You can implement BitLocker with or without a Trusted Platform Module (TPM).
- When using BitLocker with a TPM, the key required to use the disk can be stored in the TPM. This means that the computer can boot without a prompt as long as the hard drive is in the original computer.
- Without a TPM, the startup key must be stored on a USB drive.
- When the startup key is saved in the TPM, you can require an additional PIN or startup key that must be used to start the system.
- You can use BitLocker (with Windows 7) and other solutions to encrypt removable storage devices (such as USB flash drives).
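The TPM, PIN, USB startup key and recovery key choices described above map directly onto BitLocker's key protectors. The following PowerShell script is an added example and not part of the original notes; it assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 and later; on Windows 7 the same steps are done with manage-bde.exe), an elevated session, and that the group policy allowing BitLocker without a compatible TPM is set when the USB startup-key path is taken. The mount point, PIN and USB drive letter are placeholders.

```powershell
# Added example: enable BitLocker on the OS volume, choosing the primary
# protector from the hardware and always adding a recovery password first.
function Enable-OsVolumeBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [securestring]$Pin,                   # optional PIN required in addition to the TPM
        [string]$StartupKeyPath = 'E:\'       # USB drive used when there is no usable TPM (placeholder)
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Host "$MountPoint is already $($vol.VolumeStatus); nothing to do."
        return $vol
    }

    # 1. Recovery protector first. If the TPM is cleared, the motherboard is
    #    replaced or the USB key is lost, this 48-digit password is the only
    #    remaining way to unlock the drive.
    $rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # 2. Primary protector depends on whether a ready TPM exists.
    $tpm = Get-Tpm
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        if ($Pin) {
            # TPM + PIN: the key stays sealed in the TPM, but boot also requires the PIN.
            $null = Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin -SkipHardwareTest
        } else {
            # TPM only: boots without a prompt as long as the disk stays in this computer.
            $null = Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest
        }
    } else {
        # No TPM: the startup key is written to a USB drive that must be present at boot.
        if (-not (Test-Path $StartupKeyPath)) { throw "Startup key drive $StartupKeyPath not found." }
        $null = Enable-BitLocker -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $StartupKeyPath -SkipHardwareTest
    }

    # 3. Escrow the recovery password somewhere other than the encrypted disk.
    #    On a domain-joined machine it can go to Active Directory; otherwise the
    #    returned value must be recorded off the machine by the operator.
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        $null = Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        Protectors       = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
        RecoveryPassword = $recovery.RecoveryPassword   # store off the machine (AD, MBAM, or a safe)
    }
}

# Usage (placeholders):
# $pin = Read-Host -AsSecureString 'BitLocker PIN'
# Enable-OsVolumeBitLocker -MountPoint 'C:' -Pin $pin
```

The ordering matters: adding the recovery password before turning encryption on means there is never a window in which the only protector is the TPM or the USB key. Check progress afterwards with Get-BitLockerVolume; VolumeStatus moves from EncryptionInProgress to FullyEncrypted, and ProtectionStatus should read On.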
Data transmission encryption protects data while it travels across a network. Data that is sent through a network can potentially be intercepted and read by an attacker, so use some form of encryption to protect data sent through a network. You should be aware of the following solutions to protect data communications.
- A virtual private network (VPN) uses an encryption protocol to establish a secure communication channel between two hosts, or between one site and another site. Data that passes through the unsecured network is encrypted and protected.
- IPSec, PPTP, and L2TP are common protocols used for establishing a VPN.
- Secure Sockets Layer (SSL) is a protocol that can be added to other protocols to provide security and encryption. For example, HTTPS uses SSL to secure Web transactions.
- Use WPA, WPA2, or WEP to secure wireless communications. WEP is the oldest and weakest of the three; prefer WPA2 where the equipment supports it.
- When implementing network services, do not use protocols such as FTP or Telnet that pass logon credentials and data in clear text. Instead, use a secure alternative such as FTPS or SSH.
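SSL is described above as a layer added on top of another protocol, which is exactly how HTTPS and FTPS work: a plain TCP connection is opened and the secure channel is negotiated over it. The PowerShell function below is an added example (not from the original notes) that does that layering with .NET's SslStream and reports what was negotiated, so an administrator can confirm a service really is encrypted rather than assuming it from the port number. It needs a reachable server; the host name in the usage comment is a placeholder.

```powershell
# Added example: open a TCP connection, layer SSL/TLS over it and report the
# negotiated protocol, cipher and server certificate.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)

        # Default constructor validates the server certificate with the normal
        # chain rules. A custom callback that always returned $true would accept
        # any certificate and make the "encrypted" channel easy to intercept.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # throws if the certificate or handshake fails

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        [pscustomobject]@{
            Host        = $HostName
            Port        = $Port
            Protocol    = $ssl.SslProtocol            # Ssl2/Ssl3 here means the server still offers obsolete SSL
            Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            KeyExchange = $ssl.KeyExchangeAlgorithm
            CertSubject = $cert.Subject
            CertExpires = $cert.NotAfter
            Encrypted   = $ssl.IsEncrypted
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Usage (placeholder host):
# Test-TlsEndpoint -HostName 'intranet.example.test' -Port 443
# Test-TlsEndpoint -HostName 'files.example.test' -Port 990   # implicit FTPS control port
```

If AuthenticateAsClient throws, the cause is usually a certificate the client does not trust or a name mismatch; that failure is the protection working, and the fix belongs on the server's certificate, not in a callback that ignores the error.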