SY0-701 Security+: 1.4 Encryption Technologies

Trusted Platform Module (TPM)

If you were to look on a modern motherboard, you would find a chip or a subsystem called _ . This is a standardized bit of hardware specifically designed to provide cryptographic functions for that computer.

• If you want to do anything with cryptography, such as generating random numbers or keys, you can use this

• Has a built-in cryptographic processor that includes a random number generator and a key generator

• Contains persistent memory, where unique keys are burned in during manufacturing. These keys are unique to only this machine.

• Offers versatile memory to store keys and hardware configuration information. For instance, if you want to use a different set of keys for BitLocker, you can have it create and store those keys on that system.

• There's no way to use a brute force or dictionary attack to gain access to the information stored

Hardware Security Module (HSM)

You can think of a TPM as providing encryption functions for a single device. But in data centers, where cryptographic functions are needed for hundreds or thousands of devices, this is used.

• Usually clustered together and feature redundancy, such as power supplies and network connectivity, ensuring continuous access.

• Often have separate plug-in cards or hardware designed to perform very fast cryptographic functions, making it more efficient to carry out these functions within the device's hardware itself.

• Are specially designed to securely store keys, offering key backup and secure storage in hardware.

• Act as cryptographic accelerators, offloading CPU overhead from other devices, especially when performing encryption and decryption in real time in large-scale computing environments.

Key Management System

We need some way to manage all of these keys. These systems can be run on devices on your premises or as cloud-based systems accessible from anywhere.

• All keys can be managed from a single console. These systems are often provided as third-party software, separating the encryption keys from the data.

• Once you create the keys, you can associate them with specific users in the system's software

• You can also set up automatic key rotation to continuously change out keys over time.

• An excellent place to provide logging and reporting of all the keys and how they are used in your environment.

Dashboard Of The Key Management System

Gives us a summary of the types of keys that we’re using.

• We can see what certificate authorities have been used for, when certificates might expire, details for licenses, and more.

• We can create reports that can give us information on how these keys are being used, what keys are currently active, which keys are inactive.

Keeping Data Private

When all of our data was stored on one central mainframe computer, it was relatively easy to provide security. We just had to keep anyone from gaining access to that one source of data. However, today, our data is spread across many different systems.

• Attackers are always finding new techniques, and it’s a race to stay one step ahead. Our data is constantly changing, which adds to the challenge.

Secure Enclave

Area designed specifically for safeguarding secrets. It is a security processor built into the systems we use.

• Dedicated solely to the privacy of your data. This processor is isolated from the main processor.

• Different manufacturers may refer to this security processor by various names, but it is generally known as this

• Provides extensive security features, including its own boot ROM, monitoring the system boot process, a true random number generator, real-time memory encryption, and root cryptographic keys.

  • It also performs AES encryption in hardware and more.