Encrypting Data

Data Protection Overview

  • Data protection is essential for securing information stored on various storage devices such as SSDs and hard drives.

  • The process of safeguarding stored data is known as encrypting data at rest.

  • This can involve encrypting individual files or applying full disk or volume-level encryption to all data on a storage device.

Types of Encryption

Full Disk and Volume-Level Encryption

  • Full Disk Encryption (FDE): Encrypts all data on a storage device.

    • Example on Windows: BitLocker.

    • Example on Mac OS: FileVault.

File-Level Encryption

  • For cases where only specific files need protection, file-level encryption can be utilized.

    • Encrypting File System (EFS) in Windows: Built into the NTFS file system for encrypting individual files.

    • Availability of third-party utilities for Mac OS and Linux allowing similar file-level encryption.

    • To enable EFS in Windows:

    • Access the properties of a file or folder.

    • Go to Advanced Attributes.

    • Select "Encrypt contents to secure data".

Database Encryption Techniques

Transparent Encryption

  • Involves encrypting all data within a database via a symmetric key.

  • Enables encryption and decryption of data upon retrieval from the database.

Selective Encryption

  • Some data can remain unprotected, while other sensitive data is encrypted (e.g., Social Security numbers).

  • Example: an employee database with fields for IDs, names, and Social Security numbers.

    • Full database encryption results in all data being unreadable; thus, search operations require decryption of all data.

    • Column Level Encryption can be utilized for efficiency:

    • Employee ID, first name, and last name in plain text.

    • Access to Social Security numbers requires decryption of either the entire column or specific record.

Data Transmission Security

  • Ensuring encrypted communication over networks is crucial to prevent unauthorized access.

  • Most web communications today utilize HTTPS, providing encryption for data being transmitted.

VPN Encryption

  • A Virtual Private Network (VPN) creates a secure tunnel for data transfer, ensuring encryption throughout the transmission.

    • Often employed with client-based VPNs using SSL or TLS protocols.

    • For site-to-site connections, IPsec is commonly used.

Encryption Algorithm Compatibility

  • Successful encryption and decryption processes require both parties to utilize compatible encryption algorithms.

  • Both sides should agree on encryption algorithms to ensure smooth communication and data protection.

  • Users typically do not need to know the algorithm specifics, but they must use compatible applications on either end.

Comparison of Encryption Algorithms

  • Data Encryption Standard (DES) vs. Advanced Encryption Standard (AES):

    • DES:

    • Consists of five steps for encrypting data into a 64-bit ciphertext.

    • AES:

    • Utilizes a plaintext and a secret key to generate ciphertext; has variations producing different output levels.

    • Importance of matching algorithms on both sides to avoid encryption/decryption mismatches.

Understanding Encryption Algorithms

  • The functionality of algorithms is generally public, allowing for scrutiny and enhancing trust.

  • The key is the crucial component for encryption; without it, algorithms can't be reverse-engineered.

    • Comparison to door locks: understanding the mechanism does not provide access without the correct key.

Key Security

  • Security of private keys is paramount; unauthorized access equates to unauthorized access to data.

  • Encryption and decryption keys are subject to brute force attacks, wherein attackers attempt every possible key until finding the correct one.

Key Lengths

  • A common symmetric key length is 128 bits or more.

  • With technological advancements, the recommended key length increases for better security against brute force attacks.

  • Asymmetric keys also require significant lengths, commonly 3072 bits or larger.

Key Stretching

  • Implementing multiple rounds of encryption on a single data set enhances security.

    • Example: Hashing a password multiple times (hashing the hash, etc.) is referred to as key stretching or key strengthening.

    • This approach complicates brute-force attacks since the attacker must break through multiple encryption layers, increasing the time required to successfully access the original data.