Data Encryption – CompTIA Security+ SY0-401: 4.4

If you want to keep your data safe, then you need to encrypt it. In this video, you’ll learn about encrypting full-disks, databases, individual files, removable media, and data on mobile devices.

<< Previous Video: Cloud and SAN Storage Data SecurityNext: Hardware-based Encryption >>


If you work in an environment where the data on your device is so important that you want it to be protected any time you’re away from that computer, you may want to consider full-disk encryption. This is an encryption methodology that encrypts everything on the drive. It encrypts all of your documents. It encrypts all of the files. The operating system itself is encrypted. Nothing is left unturned. Everything on that drive is now protected with this encryption mechanism.

This is obviously perfect for mobile devices– devices that can easily be stolen, devices that may get out of your hands and into somebody else’s. And if you have the entire disk encrypted, you can feel very secure that even if somebody does gain access to the hardware, they’re still not going to gain access to any of your data.

Many of these encryption methods are built right into the operating system. Linux has a number of encryption options available. In Windows, you could use BitLocker. In OS X, you could use FileVault. And it makes it very easy because it’s part of the operating system itself. Of course, you can go outside of the operating system and get your encryption technology from a third party. For example, PGP has a full-disk encryption application. And up until recently, TrueCrypt was a very popular full-disk encryption option for Windows, and that project is now inactive.

With any of these encryption methods, the management of the keys is incredibly important. It is these certificates that are encrypting this data. So we want to be sure that we have a backup of that data. If that encryption key goes missing, or you lose it, or it’s damaged in any way, you will no longer have access to any of the data on the disk. So it’s always important if you’re using full-disk encryption, that you’ve also got a very good backup or you have at least copies of your key that you’re keeping other places.

If we’re keeping a large active store of data in a database, it might make sense to us to simply encrypt all of that data. But technologically speaking, it becomes very difficult to have all of that information stored in an encrypted form and still have a very good way to access that data in a timely manner. Encrypting data requires CPU overhead. There are calculations that have to be made. And if we’re retrieving and storing information very quickly– especially across a very large number of people to a very active database– it may not be practical to keep all of that information encrypted.

The ability to encrypt this data at the database level may be subject to the capabilities of the DBMS that you’re using, that is, the database management system. So there are some methods within Microsoft SQL Server. There are completely different encryption methods in MySQL. Those engines are very different, and as you go across different platforms, you’ll see that there are different encryption options, depending on what you’re using.

What many people will do is instead of encrypting the entire database, they’ll pick particular fields– especially fields that have very sensitive information– and will only encrypt that data. This way you’re able to retrieve and store information reasonably quickly, but still protect information that would be sensitive inside of that database. It’s very important if you do have a relational database, not to encrypt your key fields. These are the fields that will allow you to compare information when you’re comparing across individual databases. And it’s these indexes and these key fields that are very important to maintain in an unencrypted form.

If you don’t want to encrypt everything that’s on your drive– you don’t want to take advantage of full-disk encryption– but there are certain files that would be nice to store in an encrypted form on your drive, you might want to take advantage of some built-in capabilities of your operating system. Many operating systems allow you to right-mouse click on a file, choose to encrypt it, and that file would then stay encrypted on disk. That way, if somebody did come across your computer, they may be able to see some other spreadsheets and documents on your drive, but the ones that you’ve encrypted would obviously be protected.

There’s a number of third-party applications that can also do this, so you don’t have to rely on the operating system. You can rely on the encryption method that makes sense for you. This means of course, that some files on your drive will be encrypted, and other files will not. And you have to decide, then, exactly what data will be stored in an encrypted form on your drive.

Remember that encryption doesn’t come for free. There are CPU cycles that must be used to retrieve and store that data. There’s memory that has to be used to be able to perform that encryption process. For example, if you have a file on disk that is being accessed quite a bit, you might be losing response time and speed by encrypting that data. And then it’s up to you to decide if the decrease in performance will be made up by the security that’s going to be based on that encryption.

In all of these cases, again, you want to be sure that you protect the encryption keys that are used on this information. Even though it’s a single file, there’s still going to be an encryption key. And if you lose that encryption key, you will lose access to that encrypted data. So make sure you have backups, make sure that information is stored elsewhere, and make sure that that key is something that you can then provide back onto the computer if it ever gets lost or damaged.

The security of the data stored on removable devices is the bane of the security administrator. And I can tell you personally that I’ve lost a number of USB keys through the years, and of course, wherever that USB key ends up, is where my data is now going to live. And it’s very important that the data, therefore, is protected on those removable devices. The security administrators and system administrators in your environment may set policies in the operating system that require that data that is stored on a removable device must be encrypted. And they can automate this process, so whenever you store data on that removable device, it will always be encrypted without any input from you. And this way, they can be assured that if that information is lost in some way, at least the data itself will not be accessible.

Again, key management is incredibly important. There is an encryption key, and that encryption key is what you use to retrieve that data. If you lose access to that key or that key is damaged, all of that information is no longer going to be accessible. It’s very common for network administrators and operating system administrators to automatically store your encryption keys in a central area. That way if you leave the organization, or your laptop goes missing, or you lose the key, they can then provide a key that’s going to gain access to that data.

And if your system administrator is very concerned about data on these removable devices, they might set policies that say that the USB is completely disabled on your systems. And in that way, you would not be able to plug in a USB drive or external hard drive and store any information on a removable device.

We’re all walking around with our mobile phones and our tablets, and these devices obviously have data stored on them that are also a concern of ours. We want to be sure that we’re encrypting that data, as well. Fortunately almost all the operating systems that you’ll run into on these mobile devices already implement some form of encryption of the data on that device. It may not be all of the data on that mobile device, but some of the most important and private information is encrypted by default.

Very often, it’s the key on this device that, of course, is going to encrypt all of that data. In fact, if somebody performs a wipe of data on these mobile devices, what they’re really doing is deleting the key. Once the key is deleted, none of the data on your device will then be accessible. If you’re using an iOS device like an iPhone or an iPad, then a lot of this data may already be encrypted, using something Apple calls Data Protection.

If you look into the configuration of your device and you’ve enabled a passcode, then you’ll have a note there that says Data Protection is enabled. This means that if your mobile device is stolen, they would have to have that pass code. If they don’t have the pass code, then they do not have access to the data. Not everything on your iOS device will be encrypted using this method. Things like SMS messages or pictures are not generally encrypted. So you can’t be assured that everything on the mobile device will be encrypted, just some of the most important information on the device.

If you’re running the Android operating system on a mobile device, there are encryption settings in the Settings and Security section. You even have the option for a full-disk encryption across that entire device. And the key, again, on these devices is built on the pass code itself. Regardless of the type of data you’re using, whether it’s on your desktop, whether it’s on removable storage, or on your mobile devices, encryption becomes extremely important and a very valuable way to protect your personal data.