Encryption is one of the most common controls used to protect sensitive information. In this video, you will learn how encryption protects data at rest when applied to full disks, individual files, and databases. You will also learn about hardware encryption technology, including hardware security modules (HSMs), the trusted platform module (TPM), and devices with built-in encryption, such as USB drives and hard drives.
- [Narrator] Encryption is one of the most common controls used to protect sensitive information. When you encrypt a file or other form of data, you take its plaintext form and use a mathematical algorithm to transform it, using an encryption key, into a version that is unreadable to someone who does not have the corresponding decryption key. This makes it possible to take sensitive information, encrypt it, and store it in insecure locations or transmit it over insecure networks. If the encryption is strong, the information will remain safe.
We normally encrypt information using some type of software. For example, the AES Crypt software package, available for Windows, Mac, and Linux systems, implements the U.S. government's advanced encryption standard to encrypt files. Let's take a quick look at how we can encrypt a file using AES Crypt on a Linux system. Let's go ahead and list the file contents of my home directory. And as you can see here, I have a file called AES.html. If I look at the contents of my file, you can see some clear text going by.
This is just a copy of the Wikipedia page that actually describes the advanced encryption standard. You can see the text here in the file. It's clearly not encrypted. Now I'm going to go ahead and encrypt it by using the aescrypt command. I just type in aescrypt, the -e flag to indicate that I would like to encrypt a file, and then the file name. I hit Enter, and it asks me for a password that I'd like to use to protect this file. I'm going to enter "secret password" and hit Enter.
It asks me to confirm the password one more time. And then I'm just returned to the prompt. If I go ahead and list the directory contents again, you can see that there are now two files in the directory: our original AES.html file that we started with and now a second file called AES.html.aes. If I go ahead and look at the contents of that file, you can see that it's just a bunch of garbage here as far as I can tell.
That's because the contents of this file have been encrypted. I'm going to go ahead and clear the screen here just to make things a little easier to read. List the file contents again. I still do have the original AES.html file here. What I'm going to do next is show you decryption. But before I do that, I'm going to delete the original file. And now notice, the directory only has the encrypted version of the file. If I want to go ahead and decrypt this file, I use the aescrypt command again, this time with the -d flag, and then the name of the encrypted file.
It asks me for the password. I'm going to go ahead and type the wrong password in the first time. I'm just going to type "hello" here. And notice that I get an error message saying that either the message has been altered, somehow the encrypted file became corrupted, or the password I entered is incorrect. And if I list the directory contents again, there's still no decrypted file. Let's run that same command one more time, and this time, enter the correct password, "secret password". This time I'm just returned to the prompt. But if I do an ls -l, you can see that the AES.html file is back.
And if I run cat on that again, there's the contents of that Wikipedia page. That's how easy it is to encrypt and decrypt a file using AES Crypt on a Linux system. You can also use encryption to protect the entire contents of a hard drive. This is an important protection against the loss of an entire computer system. If an employee loses a laptop, someone who finds it can easily bypass the operating system access controls by placing the hard drive in another computer system.
If the drive is encrypted, this is not possible. It's easy to perform full disk encryption on almost any modern operating system. Let's take a look at the encryption settings on my MacBook. Here I am in System Preferences. I'm going to go ahead and click Security and Privacy. Then I'm going to choose the FileVault tab. FileVault is the name that Apple gives to their full disk encryption technology. You can see here that FileVault is already turned on for my computer. If I lose my MacBook, nobody will be able to access the contents of my hard drive without knowing my password.
Of course, that also means that I can't access the contents of my hard drive if I forget my password. We've talked about applying encryption to individual files and entire disks. The last place that you might want to apply encryption is the contents of databases. This protects sensitive information from attacks that attempt to directly access the database or the files underlying that database. All of the encryption techniques we've discussed so far use software encryption, which works well when we don't have a tremendous amount of encryption to perform.
It doesn't scale well, however, because encryption and decryption are mathematically complex. If we need to perform a lot of these operations, it places a lot of pressure on the CPU. It's easier to perform encryption using dedicated hardware that is built for that purpose. Hardware security modules, or HSMs, such as the one shown here, use dedicated hardware to perform encryption and decryption operations and safely store encryption keys. These are the gold standard for implementing encryption, as they are both efficient and secure.
The trusted platform module, or TPM, is a specialized HSM found in many computer systems. It allows the use of full disk encryption on a hard drive in a manner that minimizes the impact on system performance. Since the TPM contains the encryption keys, it also prevents an attacker from removing an encrypted hard drive from a computer and placing it in another computer for reading. If the correct TPM isn't present, the contents of the drive can't be read. In some cases, you can purchase hardware that performs encryption automatically.
Some hard drives and USB sticks include built-in encryption functionality. This technology is especially useful with removable devices.
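The aescrypt demo above shows the behaviour from the outside: a password protects the file, and decrypting with the wrong password fails with an error that lists three possibilities (message altered, file corrupted, or password incorrect) rather than producing garbage. The following is an added example, not AES Crypt's code or file format and not from the video, that reproduces that behaviour so you can see why the tool cannot tell those three cases apart. It derives an encryption key and a separate MAC key from the password with PBKDF2, encrypts, then appends an HMAC tag over the whole output; on decryption the tag is checked first, and a wrong password produces a different MAC key, so it fails the same check that tampering or truncation fails. Because the Python standard library ships no AES, the keystream is HMAC-SHA256 in counter mode as a stand-in for the AES that the real tool uses; the `DEMO1` header tag, the salt and nonce sizes, and the iteration count are choices made for this example.

```python
"""Added example (not AES Crypt): password-based encryption with an
integrity check, so a wrong password or an altered file is rejected."""
import hashlib
import hmac
import os
import struct

MAGIC = b"DEMO1"        # constructed format tag for this example only
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32            # HMAC-SHA256 output length
ITERATIONS = 200_000    # PBKDF2 work factor chosen for this example


class DecryptionError(Exception):
    """Wrong password, altered message, or corrupted file: indistinguishable."""


def _derive_keys(password, salt):
    # PBKDF2-HMAC-SHA256 stretches the password; the 64-byte output is
    # split into an encryption key and an independent MAC key.
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    # Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) in
    # counter mode. A production tool would use AES here instead.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext, password):
    """Return MAGIC || salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = MAGIC + salt + nonce
    # Encrypt-then-MAC: the tag also covers the header, so a swapped salt
    # or nonce is caught before any decryption is attempted.
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def decrypt(blob, password):
    """Inverse of encrypt(); raises DecryptionError instead of returning junk."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        raise DecryptionError("not a file produced by this tool")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:hdr_len]
    body, tag = blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    # A wrong password yields a different MAC key, so it fails this check
    # exactly as a tampered or truncated file does. That is why the error
    # message in the aescrypt demo lists all three possibilities.
    if not hmac.compare_digest(expected, tag):
        raise DecryptionError(
            "message altered, file corrupted, or password incorrect")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


def decryption_rejected(blob, password):
    """True if decrypt() refuses the blob; shows the failure mode."""
    try:
        decrypt(blob, password)
    except DecryptionError:
        return True
    return False


def tamper(blob):
    """Flip one bit in the last ciphertext byte, simulating an altered file."""
    idx = len(blob) - TAG_LEN - 1
    return blob[:idx] + bytes([blob[idx] ^ 0x01]) + blob[idx + 1:]


if __name__ == "__main__":
    # Constructed sample standing in for the AES.html page from the demo.
    sample = b"<html><body>Advanced Encryption Standard ...</body></html>\n"
    blob = encrypt(sample, "secret password")
    assert decrypt(blob, "secret password") == sample
    assert decryption_rejected(blob, "hello")               # wrong password
    assert decryption_rejected(tamper(blob), "secret password")  # altered
    print("round trip ok; wrong password and tampering both rejected")
```

The design point is the integrity tag: without it, decrypting with the wrong password would silently produce garbage that looks just like the "bunch of garbage" shown when cat-ing the encrypted file, and the user would have no way to tell a typo from a corrupted backup. Checking the tag before decrypting, with a constant-time comparison, is what lets a tool refuse bad input up front.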
Members who take all eight courses in the series will be prepared to take and pass the CISSP exam. Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.