13.8 File Encryption
What key length is considered to be minimally strong for encryption algorithms?
80
Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a special hardware chip included on the computer motherboard that contains software in firmware that generates and stores cryptographic keys. The TPM chip must be enabled in the BIOS/UEFI. The TPM chip stores the BitLocker key that is used to unlock the disk partitions and stores information about the system to verify the integrity of the system hardware. The TPM ensures system integrity as follows:
1. The TPM examines the startup components present on the unencrypted partition.
2. Based on the hardware and system components, a system identifier is generated and saved in the TPM.
3. At startup, components are examined and a new system identifier is generated.
4. The new identifier is compared to the saved identifier. If the identifiers match, the system is allowed to boot.
Trusted Platform Module (TPM)
A special hardware chip that generates and stores cryptographic keys.
Decryption
An encrypted file can be converted back to its original format by a process known as what?
Data transmission encryption
Data that is sent through a network can potentially be intercepted and read by an attacker. Use some form of encryption to protect data sent through a network.
Why is a VPN used?
Data that passes through the unsecured network (over the internet) is encrypted and protected.
After a file has been encrypted, it is stored in what format?
Encrypted
File Encryption
Encryption cannot be used together with compression (you can use either, but not both).
File encryption
Encrypts individual files so that only the user who created the file can open it.
Disk encryption
Encrypts the entire contents of a hard drive.
You can encrypt individual files, but Microsoft recommends encrypting at what level?
Folder
Secure Sockets Layer (SSL) is a protocol that can be added to other protocols to provide security and encryption. What protocol uses SSL to secure Web transactions?
HTTPS (Port 443)
A virtual private network (VPN) uses one of three encryption protocols to establish a secure communication channel between two hosts, or between one site and another site.
IPsec, PPTP, and L2TP
BitLocker partition
Implementing BitLocker requires two NTFS partitions:
• The system partition is a 100 MB volume that contains the boot files. This partition is set to active and is not encrypted by the BitLocker process.
• The operating system partition must be large enough for the operating system files. This partition is encrypted by BitLocker.
Be aware of the following:
• A new Windows installation creates both partitions prior to the installation of the operating system files.
• For operating systems already installed on a single partition, you may need to resize the existing partition and create the system partition required by BitLocker.
wireless encryption with 802.1x
Provides authentication for devices trying to connect with other devices on LANs or wireless LANs.
When implementing network services, do not use protocols such as FTP or Telnet that pass logon credentials and data in clear text. Instead, use a secure alternative such as FTP-S or which other protocol?
SSH (port 22)
What's the status of your data if someone has your public key?
Safe
On what type of computer is BitLocker not commonly used?
Servers
Single-key encryption is also known as what kind of encryption?
Symmetric
What happens if you move unencrypted files into an encrypted folder?
The new files become encrypted
What built-in computer hardware feature makes BitLocker Drive Encryption far more secure than other forms of folder or file-based encryption?
Trusted Platform Module
Public-key cryptography uses how many keys?
Two, Public key, Private key
Encryption is the process of converting data into what kind of format?
Unreadable
wireless encryption
Use WPA, WPA2, or WEP to secure wireless communications, which are highly susceptible to eavesdropping (data interception). WEP, WPA Personal, and WPA2 Personal use a common shared key configured on the wireless access point and on all wireless clients.
Disk Encryption
Whole disk encryption encrypts the entire contents of a hard drive, protecting all files on the disk.
• During system startup, a special key is required to unlock the hard disk. Without the key, data on the drive is inaccessible. Providing the key allows the system to decrypt files on the hard drive.
• You cannot access the contents of an encrypted drive by moving it to another computer because the encryption keys needed to decrypt the data do not exist on the other computer system.
• Most solutions provide for a backup recovery key that can be used to unlock the drive if the original key is lost. If both the encryption key and the recovery key are lost, data cannot be retrieved.
• BitLocker is a Microsoft solution that provides whole disk encryption. BitLocker is supported on Ultimate or Enterprise editions of Windows.
• You can implement BitLocker with or without a Trusted Platform Module (TPM).
  o When using BitLocker with a TPM, the key required to use the disk can be stored in the TPM. This means that the computer can boot without a prompt as long as the hard drive is in the original computer.
  o Without a TPM, the startup key must be stored on a USB drive. On Windows 10, you can also supply a password at system boot to unlock a BitLocker-encrypted drive.
  o When the startup key is saved in the TPM, you can require an additional PIN or startup key that must be used to start the system.
• You can use BitLocker to encrypt removable storage devices (such as USB flash drives).
What is the meaning of EFS?
Windows feature that can encrypt data. It is linked directly to a specific user: only the user that encrypted the data will be able to access the encrypted files or folders.
Non-TPM Security
You have the following options for implementing BitLocker on systems without a TPM chip:
• You can save the BitLocker key on a USB device. The USB device is inserted before starting the computer and provides authentication before the operating system drive is decrypted. The BIOS must support reading USB devices during startup.
• Windows 8 and later allow you to configure an unlock password for the operating system drive. To use this feature, enable the Configure Use Of Passwords For Operating System Drives policy in the Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives node of Computer Configuration.
• Windows supports authentication using a smart card certificate. The smart card certificate is stored on a USB device and is used similarly to the BitLocker key on a USB device.
EFS encryption is what type of feature that can be enabled or disabled at will, similar in effect to read-only, compression, or hidden?
attrib (Attribute)
What happens if you move encrypted files into a non-NTFS folder?
non-encrypted
What is one purpose of using a hash function (extra effort) in encryption?
To store passwords in a non-readable format
main step needed before using BitLocker
The user needs to enable the Trusted Platform Module (TPM) in the BIOS