What is encryptionIn cryptography, encryption is theprocess of transforminginformation (referred to asplaintext) using an algorithm(called cipher) to make itunreadable to anyone exceptthose possessing specialknowledge, usually referred to asa key. The result of the process is
What is FDEDisk encryption uses disk encryption softwareor hardware to encrypt every bit of data thatgoes on a disk or disk volume. The term "fulldisk encryption" (or whole disk encryption) isoften used to signify that everything on a diskis encrypted, including the programs that canencrypt bootable operating system partitionsDisk encryption prevents unauthorized accessto data storage.--source: wikipedia
Why Disk/ﬁle Encryption ?Because (there are inﬁnite reasons to do it): Its last line of defense in case everything else fails information is more important than anything else nowadays of security,privacy, conﬁdentiality and integrity
Where can we useFDE/encryption ? Everywhere !!!
When ?* Its never too late.* When you feel its time !* when you start taking securityseriously !!!
How ?Open source to the rescue !Easy to use (those pointy clickythings, dont know what ? ), GUIsNo major performance hits
Here comes interesting stuﬀ– Various types of encryption for diﬀerent levels. – Disk controller level – Volume level – Disk block level – Filesystem level – Directory level – File level – Row and column level (fordatabases)
Encryption tools (continued)– The biggest weakness with encryption tools is not the algorithm, but how encryption keys are managed. – Some tools allow only one passphrase, forcing groups of staﬀ to share it, which can result in it being divulged. – Some tools store the passphrase in a weak manner, allowing for easy brute force cracking using rainbow tables or dictionaries. – Some tools may be poorly designedand leave sensitive information out of the
Disk controller encryptionPros Cons As the encryption is Only select few drives done in hardware, little have AES encryption to no performance loss on the drive controller is encountered. level. A secure erase and Key management is an repurposing of the issue with some drive can be done in drives, as they only milliseconds by wiping may have one and generating a new password that would master encryption key. have to be shared among staﬀ.
Disk/Volume encryption (BitLocker, PGP Whole Disk Encryption)Pros Cons Generally excellent key Most are commercially licensed. management depending Malicious software that manages to get superuser access can pull on utility. the master decryption keys from Recovery of data by IT memory and set them aside for later use by an attacker. staﬀ is doable. BitLocker May have performance issues if can store recovery keys used on volumes with high in Active Directory, PGP read/write throughput. can issue disk recovery May render data unrecoverable if tokens. used with RAID, depending on program. Encrypts everything on Only protects if the machine is the disk, OS, data, and powered oﬀ or volumes areall. This protects against unmounted.
Filesystem encryption (EncFS, FileVault)Pros Cons Able to resize Sensitive data, if stored ﬁlesystems without outside the protected having to copy data or ﬁlesystems can be left decrypt ﬁles. unprotected. None have any Backup programs can enterprise level recovery store the encrypted abilities. EncFS only has data. one passphrase, FileVault Users can have their can oﬀer a recovery own encrypted passphrase, but that isn’t directories, protected scalable.against a root/admin
Directory/ﬁle level (EFS)Pros Cons Excellent Conﬁdential recoverability. information can leak, if Multiple users can stored outside the EFS have access to groups protected directory. of encrypted ﬁles. Unless a backup program uses special semantics to back EFS protected ﬁles up, the backup will fail.
Row/Column level for databasesPros Cons Encryption is Key management is an independent of the issue. Where does the system. app keep its Resistant to authorization compromise even if credentials? superuser privileges Recovery of encrypted are obtained by data is iﬃsh, depends unauthorized entities. on the database Most new DBMS program. programs support this. Sometimes hard to sync up encrypted
Hardware assisted encryption (cryptographic tokens)Pros Cons Protects against brute Hardware is sometimes hard force password guessing to ﬁnd. For example, its by either disabling hard to ﬁnd machines with access after a number of an onboard TPM/security chip. password guesses, or adding a signiﬁcant delay Diﬀerent drivers required for diﬀerent cards. There is no between entries. real standard for Allows a machine to boot cryptographic token I/O, unattended while other than APDU. providing hard disk Hardware can fail, locking protection (Bitlocker). legitimate users out.