9.3 File Encryption


Which of the following protocols establish a secure connection and encrypt data for a VPN? (Select three.) - WEP - L2TP - IPsec - FTP - PPTP - WPA - RDP

- L2TP - IPsec - PPTP A virtual private network (VPN) uses an encryption protocol (such as IPsec, PPTP, or L2TP) to establish a secure communication channel between two hosts (or between one site and another site). Data that passes through the unsecured network is encrypted and protected. Remote Desktop Protocol (RDP) is used by Windows Terminal Services-based applications, including Remote Desktop. FTP is used for transferring files; it does not establish a secure connection. WPA and WEP are protocols used to secure wireless communications. Note for practice: L2TP on its own only builds the tunnel and is normally paired with IPsec (L2TP/IPsec) for the actual encryption, and PPTP's MPPE encryption and MS-CHAPv2 authentication are considered broken, so PPTP should not be used for new deployments.

You have used EFS to encrypt a directory of highly sensitive company files on your hard drive. You then decide to copy one of the files in the directory to a thumb drive to edit the files on a laptop computer while you are travelling to an industry conference. What is the result of copying the file to the thumb drive? - The file will no longer be encrypted. - The file becomes inaccessible. - The file is compressed and remains secure. - The file remains secure and accessible.

- The file will no longer be encrypted. EFS encryption is a feature of the NTFS file system only, and thumb drives are normally formatted with FAT32 or exFAT. Because EFS does not work on FAT32 or exFAT, copying an encrypted file from your NTFS volume to the thumb drive stores the copy in plaintext: the file on the thumb drive is no longer secure and is completely accessible to anyone who has the drive. (NTFS encryption and NTFS compression are mutually exclusive, so the EFS-encrypted original is not compressed either.)

Which of the following components is a special hardware chip included on a computer's motherboard that contains software that generates and stores cryptographic keys? - Trusted Platform Module (TPM) - BitLocker partition - USB device - BIOS/UEFI

- Trusted Platform Module (TPM) A Trusted Platform Module (TPM) is a special hardware chip included on a computer's motherboard that contains software (within the firmware) that generates and stores cryptographic keys. BitLocker is an encryption program, not a hardware chip. A USB device is what saves the BitLocker key on a system that does not have a TPM chip. The TPM chip must be enabled in the BIOS/UEFI, but the BIOS/UEFI is not the chip itself.

You have decided to use BitLocker as your whole disk encryption solution for the hard drive on your laptop. The laptop includes a TPM chip. What happens if you store the startup key required to unlock the hard drive in the TPM chip? - You can boot the hard drive without providing the startup key. - You are prompted to insert a USB drive with the startup key. - You are prompted to provide the startup key before booting the hard drive. - You can boot the hard drive from another computer without providing the startup key.

- You can boot the hard drive without providing the startup key. When you implement BitLocker on a hard drive and store the startup key in the TPM chip, you can boot the hard drive without providing the startup key. You do not need to provide the key before booting or a USB drive with the key on the drive. When you move the hard drive to another computer, the startup key is not available in the TPM chip (if one exists), which means you need to provide the startup key before booting the hard drive.

You have the following options for implementing Bitlocker on systems without a TPM chip:

- You can save the BitLocker key on a USB device. The USB device is inserted before starting the computer and provides authentication before the operating system drive is decrypted. The BIOS must support reading USB devices during startup.
- Windows 8 and later allow you to configure an unlock password for the operating system drive. To use this feature, enable the Configure Use Of Passwords For Operating System Drives policy in the Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives node of Computer Configuration.
- Windows supports authentication using a smart card certificate. The smart card certificate is stored on a USB device and is used similarly to the BitLocker key on a USB device.
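The following PowerShell script is an added example, not part of the study set, showing how the TPM and no-TPM options above are chosen in practice with the built-in BitLocker and TrustedPlatformModule cmdlets. It assumes an elevated session on Windows 10/11 Pro or Enterprise, that the operating system volume is C:, and (for the no-TPM path) that a FAT32-formatted USB drive is mounted as F:.

```powershell
# Added example (not from the study set). Run in an elevated PowerShell on Windows 10/11 Pro/Enterprise.
# Assumptions: OS volume is C:, and for the no-TPM path a FAT32 USB drive is mounted as F:.
Import-Module BitLocker
Import-Module TrustedPlatformModule

$osDrive = 'C:'

# 1. Look before you leap: is BitLocker already on, and is there a usable TPM?
$vol = Get-BitLockerVolume -MountPoint $osDrive
$tpm = Get-Tpm
"$osDrive status: $($vol.ProtectionStatus), $($vol.VolumeStatus), TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)"

if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "BitLocker already protects $osDrive; nothing to do."
}
elseif ($tpm.TpmPresent -and $tpm.TpmReady) {
    # 2a. TPM present: the volume key is sealed to the TPM, so the machine boots without a prompt
    #     (the flashcard scenario). -UsedSpaceOnly is the Windows 8+ "encrypt used space only" option.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector

    # Stronger variant: TPM + PIN. A thief who powers the laptop on never reaches the logon screen,
    # so the "authorized user who can log on" caveat of TPM-only BitLocker does not apply.
    # $pin = Read-Host -AsSecureString 'Pre-boot PIN'
    # Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmAndPinProtector -Pin $pin
}
else {
    # 2b. No TPM: write a startup key to the USB drive. It must be inserted at every boot, the firmware
    #     must read USB during startup, and the policy "Require additional authentication at startup"
    #     with "Allow BitLocker without a compatible TPM" must be enabled first.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly -StartupKeyProtector -StartupKeyPath 'F:\'
}

# 3. Always add a recovery password and back it up somewhere other than the laptop (AD DS, Azure AD,
#    or printed and stored offline). A failed integrity check (firmware update, disk moved to another
#    machine) otherwise leaves you with a locked drive.
$rp   = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
$rpId = ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1).KeyProtectorId
"Recovery password protector added: $rpId"
# Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rpId   # escrow to AD DS when domain-joined

# 4. Verify: encryption progress and every protector on the volume.
Get-BitLockerVolume -MountPoint $osDrive | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
(Get-BitLockerVolume -MountPoint $osDrive).KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
```

The protector list printed at the end is the thing to check after any change: a volume with only a TPM protector and no recovery password is one firmware update away from being unrecoverable.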

The TPM ensures system integrity as follows:

1) The TPM examines the startup components present on the unencrypted partition.
2) Based on the hardware and system components, a system identifier is generated and saved in the TPM.
3) At startup, the components are examined again and a new system identifier is generated.
4) The new identifier is compared to the saved identifier. If the identifiers match, the system is allowed to boot.
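The "system identifier" in the steps above is, in a real TPM, a set of Platform Configuration Registers (PCRs) that are extended with the hash of each boot component in order, and the volume key is sealed to the expected PCR values. The script below is an added simulation, not part of the study set and not real TPM code: it models the extend operation with .NET SHA-256 so the comparison logic can be run on any machine. The boot component contents are constructed.

```powershell
# Added example (not from the study set): a simulation of the measured-boot check described above.
# A real TPM performs the extend operation in hardware; here it is modelled with .NET SHA-256.
$sha = [System.Security.Cryptography.SHA256]::Create()

function Get-Hash([byte[]]$bytes) { $sha.ComputeHash($bytes) }

# PCR extend: new = H(old || H(component)). A register can only be extended, never written directly,
# so the final value depends on every component and on the order in which they were measured.
function Measure-BootChain([hashtable[]]$components) {
    [byte[]]$pcr = New-Object byte[] 32            # PCRs are all zeros after reset
    foreach ($c in $components) {
        $digest = Get-Hash ([Text.Encoding]::UTF8.GetBytes($c.Content))
        $pcr = Get-Hash ([byte[]]($pcr + $digest))
    }
    [BitConverter]::ToString($pcr).Replace('-', '').ToLower()
}

# Steps 1-2: the startup components on the unencrypted partition are measured and the result saved
# (in reality the volume key is sealed to this PCR value inside the TPM). Contents are constructed.
$original = @(
    @{ Name = 'firmware'; Content = 'UEFI firmware image v1.0' },
    @{ Name = 'bootmgr';  Content = 'Windows Boot Manager' },
    @{ Name = 'BCD';      Content = 'boot configuration data: default entry -> winload.efi' }
)
$sealedTo = Measure-BootChain $original

# Steps 3-4: at every boot the chain is measured again and compared with the sealed value.
function Test-BootIntegrity([hashtable[]]$components, [string]$expected) {
    $now = Measure-BootChain $components
    if ($now -eq $expected) { "PCR match ($now): TPM releases the key, system boots" }
    else                    { "PCR mismatch ($now): key stays sealed, recovery password required" }
}

Test-BootIntegrity $original $sealedTo

# Patching the boot configuration (or moving the disk to a machine whose firmware differs) changes
# one measurement and therefore the final PCR value, so the TPM will not release the key.
$tampered = $original.Clone()
$tampered[2] = @{ Name = 'BCD'; Content = 'boot configuration data: default entry -> evil.efi' }
Test-BootIntegrity $tampered $sealedTo
```

This is also why a firmware update or a change of boot order can trigger BitLocker recovery on a healthy machine: the TPM cannot distinguish a legitimate change from tampering, which is the reason the recovery password must be escrowed before such changes.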

Implementing BitLocker requires two NTFS partitions:

1) The system partition is a small volume (100 MB in the original Windows 7 layout; later versions create a larger one) that contains the boot files. This partition is set to active; it is not encrypted by the BitLocker process, which is why its contents are measured by the TPM instead.
2) The operating system partition must be large enough for the operating system files. This partition is encrypted by BitLocker.

On Windows _____, you can also supply a password at system boot to unlock a BitLocker-encrypted drive.

10 or 11

Trusted Platform Module (TPM)

A Trusted Platform Module is a special hardware chip (included on the computer motherboard) that contains software in firmware that generates and stores cryptographic keys. The TPM chip must be enabled in the BIOS/UEFI.

Symmetric key

A symmetric key is a key that both encrypts and decrypts the data.

Virtual private network (VPN)

A virtual private network (VPN) uses an encryption protocol to establish a secure communication channel between two hosts, or between two sites. Data that passes through the unsecured network is encrypted and protected. IPsec, PPTP, and L2TP are common protocols used for establishing a VPN.

A new Windows installation creates [ONE OF THE/BOTH] partitions prior to the installation of the operating system files.

BOTH

You can use _____ to encrypt removable storage devices (such as USB flash drives).

BitLocker

_____ encrypts the volume for use on the computer, regardless of the user. Any user who has the PIN or startup key and who can successfully log on can access a _____ volume. With _____, only the user who encrypted the file can access the file unless access has been granted to other users.

BitLocker BitLocker EFS

_____ encrypts the entire volume. _____ encrypts individual files.

BitLocker EFS

_____ protects files against offline access only. If the computer boots successfully, any authorized user who can log on can access the volume and its data. _____ protects against offline access as well as online access for unauthorized users. _____ does not provide online protection if an authorized user's credentials are compromised.

BitLocker EFS EFS

BitLocker

BitLocker is a Microsoft solution that provides whole disk encryption. BitLocker is supported on Pro, Ultimate and Enterprise editions of Windows. You can implement BitLocker with or without a Trusted Platform Module (TPM). BitLocker protects against unauthorized data access on lost or stolen laptops and on other compromised systems.

Integrity checking

BitLocker uses integrity checking early in the boot process to ensure that the drive contents have not been altered and that the drive is in the original computer. If any problems are found, the system will not boot and the drive contents remain encrypted. The integrity check prevents hackers from moving the hard disk to another system to try to access to its contents.

You [CAN/CANNOT] use encryption with compression. You can use either, but not both.

CANNOT

You [CAN/CANNOT] access the contents of an encrypted drive by moving it to another computer because the encryption keys needed to decrypt the data [DO/DO NOT] exist on the other computer system.

CANNOT DO NOT

EFS is available only on _____ partitions. Moving an encrypted file to a non-_____ partition removes the encryption.

NTFS NTFS

BitLocker is available on Windows _____ and _____ editions of Windows 10 and newer operating systems. In Windows _____ and newer, you can choose to encrypt the entire volume or just the used space on the volume.

Pro Enterprise 8

BitLocker requires data to be decrypted before it can be used. The decryption process [REDUCES/INCREASES] disk I/O throughput.

REDUCES

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) is a protocol you can layer on other protocols to provide authentication and encryption. For example, HTTPS uses SSL to secure web transactions. SSL has since been superseded by Transport Layer Security (TLS); modern HTTPS uses TLS, and all SSL versions are deprecated, but the name "SSL" is still widely used.

When the startup key is saved in the _____, you can require an additional PIN or startup key that must be used to start the system.

TPM

When using BitLocker with a _____, you can store the key in the _____. This means that the computer can boot without a prompt as long as the hard drive is in the original computer. Without a _____, the startup key must be stored on a USB drive.

TPM TPM TPM

Encrypting File System (EFS)

The Encrypting File System (EFS) on Windows systems encrypts individual files and folders on NTFS volumes. Windows automatically decrypts a file when the file owner accesses it. With EFS, you can allow other users to access the decrypted file.
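The following PowerShell session is an added example, not part of the study set, that walks through the EFS behaviour described on this page: encrypting a folder, checking the Encrypted attribute, listing who can decrypt a file, granting another user access, and guarding against the thumb-drive mistake from the earlier question. The paths and account are assumptions: D:\Confidential on an NTFS volume, E: as a FAT32 thumb drive, and a colleague bob@contoso.com who has an EFS certificate.

```powershell
# Added example (not from the study set). Assumptions: D:\Confidential is on an NTFS volume,
# E: is a FAT32-formatted thumb drive, and bob@contoso.com has an EFS certificate available.
$folder = 'D:\Confidential'
New-Item -ItemType Directory -Force -Path $folder | Out-Null
Set-Content -Path "$folder\plan.txt" -Value 'constructed sample content'

# Encrypt the folder and its contents for the current user. cipher.exe is the built-in EFS tool;
# the same thing can be done from .NET with [System.IO.File]::Encrypt($path).
cipher /e /s:$folder | Out-Null

# Check what EFS did: the Encrypted attribute is set on the file.
function Test-EfsEncrypted([string]$path) {
    $attrs = (Get-Item -LiteralPath $path -Force).Attributes
    ($attrs -band [IO.FileAttributes]::Encrypted) -ne 0
}
"plan.txt encrypted: $(Test-EfsEncrypted "$folder\plan.txt")"

# Who can decrypt it? cipher /c lists the user certificates and recovery agents for the file,
# i.e. every key under which the file's FEK has been wrapped.
cipher /c "$folder\plan.txt"

# Let another user open the file: EFS wraps the same FEK under bob's public key as well.
# (Requires bob's EFS certificate to be available locally or in Active Directory.)
# cipher /adduser /user:bob@contoso.com "$folder\plan.txt"

# The thumb-drive scenario: EFS exists only on NTFS, so a copy on FAT32/exFAT is plaintext.
# Refuse the copy up front instead of discovering the problem afterwards.
function Copy-EfsFileSafely([string]$source, [string]$destinationDir) {
    $root = [IO.Path]::GetPathRoot((Resolve-Path $destinationDir).Path)
    $fs   = ([IO.DriveInfo]::new($root)).DriveFormat
    if ((Test-EfsEncrypted $source) -and $fs -ne 'NTFS') {
        throw "Refusing to copy EFS-encrypted '$source' to $root ($fs): the copy would be stored in plaintext. Encrypt the drive with BitLocker To Go instead."
    }
    Copy-Item -LiteralPath $source -Destination $destinationDir
}

try { Copy-EfsFileSafely "$folder\plan.txt" 'E:\' } catch { Write-Warning $_ }
```

The DriveFormat check is the practical version of the rule "EFS is available only on NTFS partitions": the file system of the destination, not the source, decides whether the copy stays encrypted.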

BitLocker key

The TPM chip stores the BitLocker key used to unlock the disk partitions and stores information about the system to verify the integrity of the system hardware.

Asymmetric encryption

To add a much greater level of security, EFS also encrypts the FEK using asymmetric encryption. Asymmetric encryption is a type of encryption that uses a key pair for stronger security. The key pair includes a public key that can be seen by anyone and a private key that only the user has access to.

_____, _____ Personal, and _____ Personal use a common shared key configured on the wireless access point and on all wireless clients.

WEP WPA WPA2

You can use _____, _____, or _____ to secure wireless communications, which are highly susceptible to eavesdropping (data interception).

WPA WPA2 WEP

You need to use a common USB flash drive to transport important sensitive information for your organization. Which of the following would be the BEST program for protecting the data on the flash drive with encryption? - EFS - Microsoft Defender - BitLocker To Go - BitLocker

- BitLocker To Go BitLocker To Go provides drive encryption for removable data drives, including USB flash drives. You unlock the drive with the password (or smart card) chosen when it was encrypted; the recovery password is the fallback for when that unlock method is lost, so it must be stored somewhere other than on the flash drive itself. Using BitLocker To Go and keeping the password and recovery password off the drive keeps the data on the flash drive secure. Plain BitLocker is designed for the fixed drives inside the computer; BitLocker To Go is the variant for removable drives and works on the FAT32 and exFAT file systems most USB flash drives use. Files encrypted with EFS (Encrypting File System) lose their encryption when copied to a USB flash drive formatted with FAT32 or exFAT, because EFS requires NTFS. Microsoft Defender is an antivirus program for Windows; it does not encrypt files.
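The following PowerShell script is an added example, not part of the study set, showing the BitLocker To Go workflow described in the answer above: encrypting a removable drive with a password protector, adding (and recording) the recovery password as the fallback, and the lock/unlock cycle that would happen on another machine. It assumes an elevated session and a removable drive mounted as E:, which may be FAT32 or exFAT.

```powershell
# Added example (not from the study set). Assumptions: elevated PowerShell, removable drive mounted as E:
# (FAT32 or exFAT is fine: BitLocker To Go does not require NTFS).
Import-Module BitLocker
$usb = 'E:'

# Normal unlock path: a password that works on any Windows machine. Aes256 (not XTS) is chosen because
# XTS-AES volumes cannot be read by older Windows versions that may need to open the stick.
$pw = Read-Host -AsSecureString 'Password for the removable drive'
Enable-BitLocker -MountPoint $usb -EncryptionMethod Aes256 -UsedSpaceOnly -PasswordProtector -Password $pw

# Fallback path: the recovery password. Record it somewhere other than the stick itself.
$vol      = Add-BitLockerKeyProtector -MountPoint $usb -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Recovery password (store offline, never on the drive): $($recovery.RecoveryPassword)"

# Wait for encryption to finish before dismounting.
while ((Get-BitLockerVolume -MountPoint $usb).EncryptionPercentage -lt 100) { Start-Sleep -Seconds 5 }

# Lock/unlock cycle as it happens when the stick is plugged into another computer.
Lock-BitLocker -MountPoint $usb -ForceDismount
Unlock-BitLocker -MountPoint $usb -Password $pw
Get-BitLockerVolume -MountPoint $usb | Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage

# Check before handing a stick out: a Data volume whose ProtectionStatus is not 'On' is plaintext.
function Test-RemovableProtected([string]$mountPoint) {
    $v = Get-BitLockerVolume -MountPoint $mountPoint
    ($v.VolumeType -eq 'Data') -and ($v.ProtectionStatus -eq 'On')
}
Test-RemovableProtected $usb
```

Unlock-BitLocker with -RecoveryPassword is what you would use instead of -Password when the password is forgotten, which is exactly why the recovery password must not travel with the drive.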

Which of the following is true of the Windows BitLocker program? - BitLocker is designed to protect files against offline and online access. - BitLocker is designed for use on the Home version of Windows 10 and later. - BitLocker is designed to protect files against offline access only. - BitLocker is designed to encrypt individual files.

- BitLocker is designed to protect files against offline access only. BitLocker is designed to protect files against offline access only: once the computer boots and a user logs on, the volume is unlocked for that session. BitLocker is not designed to protect files against online access; that is the purview of EFS. BitLocker is not designed to encrypt individual files; it encrypts the entire volume. BitLocker is not designed for use on the Home edition of Windows 10 or later; it is available on the Pro, Enterprise, and Education editions (and on the Ultimate and Enterprise editions of Windows 7).

When you arrive at your company, you discover that a hard drive with your customers' sensitive information has been stolen. You feel confident that the thief will not be able to view the data on the hard drive because you had previously taken security precautions to protect the data in case the hard drive was stolen. Which of the following precautions is the MOST likely solution you used to protect the data on the hard drive? - Microsoft Defender - Windows Security - BitLocker To Go - BitLocker with TPM

- BitLocker with TPM BitLocker checks the integrity of the early boot components and the boot configuration data by using the Trusted Platform Module (TPM) to ensure that the data is accessible only when the computer's boot components appear unaltered. Also, the encrypted disk must be in the same computer it was in when it was originally encrypted with BitLocker. This means that if someone obtained the hard drive and put it in a different computer, they would not be able to access the data on that drive without the recovery password; the data stays encrypted. While BitLocker is designed to protect fixed hard drives, BitLocker To Go is designed to protect removable storage devices, such as flash drives. Microsoft Defender is an antivirus program designed to protect the Windows system from malware; it has no effect on preventing access to a stolen hard drive's data. Windows Security is the program that scans for security threats, malware, and viruses; it likewise has no effect on preventing access to a stolen hard drive's data.

Which of the following security solutions would prevent you from reading a file that you did not create? - BitLocker - IPSec - VPN - EFS

- EFS EFS is a Windows file encryption option that encrypts individual files so that only the user who created the file can open it. Decryption is automatic when the file owner opens it. Other users cannot open the encrypted file unless specifically authorized. A virtual private network (VPN) uses an encryption protocol (such as IPsec, PPTP, or L2TP) to establish a secure communication channel between two hosts (or between one site and another site). Data that passes through the unsecured network is encrypted and protected. BitLocker is a Microsoft security solution that encrypts the entire contents of a hard drive, protecting all files on the disk. BitLocker uses a special key, which is required to unlock the hard disk. You cannot unlock/decrypt a drive simply by moving it to another computer.

A user has a file that contains sensitive data. Which of the following security technologies should he or she use to encrypt the single file? - BitLocker - EFS - Single sign-on - Administrative share

- EFS Encrypting File System (EFS) is a Windows feature that can encrypt a single file or multiple files and folders. BitLocker is a Windows feature that encrypts an entire disk. Single sign-on (SSO) permits a user to employ the same credentials to automatically log in to other sites and services. SSO is not used for encryption. An administrative share is used by administrators to access system drives. It is not used for encryption.

After creating an FEK (file encryption key) for a file, what does EFS do next to add a greater level of security for the file? - EFS stores the FEK with the public key. - EFS creates a symmetric key. - EFS instructs Windows to create a key pair (private and public). - EFS encrypts the FEK by creating a key pair (private and public).

- EFS encrypts the FEK by creating a key pair (private and public). After creating the FEK for the file, EFS protects the FEK with asymmetric encryption: the FEK is encrypted with the user's public key, so only the matching private key can recover it. The encrypted FEK is then stored with the file; the FEK itself is never stored in the clear. The symmetric key is the FEK, which has already been created at this point. Once all keys exist, the user is granted EFS access to the file. If the user does not yet have a key pair, Windows automatically creates a public key (called the EFS certificate) and its associated private key for the user the first time EFS is used.

File encryption key (FEK)

EFS creates a file encryption key (FEK) for the file or folder. The FEK is a symmetric key. EFS takes the FEK, encrypts it using the public key, and then stores it with the encrypted file.

Encryption

Encryption is the process of scrambling data to make it unreadable except to those who have the key to unlock the obscured data.

The user's private key is used to decrypt the _____ when the file is opened. The _____ then decrypts the data within the file.

FEK FEK
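The FEK and asymmetric-encryption cards above describe a standard hybrid-encryption design. The PowerShell script below is an added model of that design, not part of the study set and not the real EFS implementation: real EFS stores the wrapped FEKs in the file's $EFS attribute and uses the user's EFS certificate, whereas here the key pairs are freshly generated with .NET and the file content is constructed. It shows why granting another user access means wrapping the same FEK under a second public key rather than re-encrypting the file, and why a user whose private key unwraps none of the entries cannot read it.

```powershell
# Added example (not from the study set): a model of the EFS key hierarchy built with .NET primitives.
# Not the real EFS implementation; keys and file content below are constructed for illustration.

# Each user has a key pair: the public key is the "EFS certificate", the private key stays with the user.
$alice = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$bob   = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048

function Protect-FileEfsStyle([byte[]]$plaintext, [System.Security.Cryptography.RSA[]]$readers) {
    # 1. A random symmetric FEK encrypts the bulk data (fast; one key per file).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($plaintext, 0, $plaintext.Length)

    # 2. The FEK is wrapped once per authorised user under that user's public key (RSA-OAEP).
    #    Granting access to one more user adds one more wrapped copy; the data is not re-encrypted.
    $ddf = New-Object 'System.Collections.Generic.List[byte[]]'
    foreach ($r in $readers) { $ddf.Add($r.Encrypt($aes.Key, $true)) }

    $blob = @{ IV = $aes.IV; Data = $ciphertext; WrappedFeks = $ddf }
    $aes.Dispose()                                   # clears the plaintext FEK from memory
    $blob
}

function Unprotect-FileEfsStyle($blob, [System.Security.Cryptography.RSA]$privateKey) {
    # 3. On open, the user's private key unwraps the FEK, and the FEK decrypts the data.
    #    A private key that matches none of the wrapped entries cannot recover the FEK at all.
    $fek = $null
    foreach ($wrapped in $blob.WrappedFeks) {
        try { $fek = $privateKey.Decrypt($wrapped, $true); break } catch { continue }
    }
    if (-not $fek) { throw 'no wrapped FEK for this key: access denied' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $blob.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($blob.Data, 0, $blob.Data.Length)
    $aes.Dispose()
    [Text.Encoding]::UTF8.GetString($plain)
}

$secret = [Text.Encoding]::UTF8.GetBytes('constructed sample: Q3 acquisition plan')

$blob = Protect-FileEfsStyle $secret @($alice)            # only Alice's key wraps the FEK
Unprotect-FileEfsStyle $blob $alice                       # Alice reads the plaintext
try { Unprotect-FileEfsStyle $blob $bob } catch { "bob: $_" }   # Bob is refused

$shared = Protect-FileEfsStyle $secret @($alice, $bob)    # Alice grants Bob access
Unprotect-FileEfsStyle $shared $bob                       # now Bob reads it too
```

The model also makes the page's "online protection" caveat concrete: whoever holds Alice's private key (or logs on as Alice, since Windows unlocks the key with her credentials) gets the FEK, so EFS protects against other users, not against a compromise of the owner's account.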

When implementing network services, do not use protocols such as _____ or _____ that pass logon credentials and data in clear text. Instead, use a secure alternative such as _____-S or _____.

FTP Telnet FTP SSH

File encryption

File encryption changes the content of individual files so that only authorized users can read the contents. Files remain encrypted and inaccessible even when the drive is moved to another computer or another operating system is used. The encryption keys needed to decrypt the file do not exist on these other systems.

EFS certificate

If the user account doesn't have a key pair, Windows automatically creates a public key (called the EFS certificate) and its associated private key the first time EFS is enabled.

Whole disk encryption

Whole disk encryption encrypts the entire contents of a hard drive, which protects all files on the disk.

