3.4.9 File Encryption

Encryption Supporting Confidentiality

  • Definition of Data States:

    • Data at rest: State when data is stored on persistent storage media.

    • Data in transit (or data in motion): State when data is transmitted over a network.

    • Data in use (or data in processing): State when data is present in volatile memory (e.g., system RAM or CPU registers and cache).

File Encryption Facts

  • Purpose:

    • Encryption of files, directories, and hard drives provides an additional level of data security.

    • File encryption is part of a layered defense strategy to protect confidential data in case of hacks, loss, or theft.

    • Encrypting data means that even if disks are stolen or network transmissions intercepted, the data remains unreadable to unauthorized parties.

Encryption Methods

  • Key Types:

    • Asymmetric Key Pair: The user generates a key pair for an asymmetric cipher (e.g., RSA, ECC). The private key is secured with the user's account credentials and acts as the key encryption key (KEK).

    • Symmetric Secret Key: A symmetric key (e.g., AES256 or AES512) is generated for encrypting target data, referred to as the data encryption key (DEK).

  • Encryption Process:

    • The DEK is encrypted with the public key of the user's asymmetric pair (the KEK).

    • To access the encrypted data, the user supplies a password that unlocks the private key; the private key decrypts the DEK, and the DEK then decrypts the data.

  • Bulk Encryption:

    • Refers to encryption of large amounts of data and typically uses symmetric ciphers for efficiency due to the overhead of asymmetric encryption.

Disk and File Encryption

  • Data at Rest:

    • Various storage mechanisms can be encrypted, using either full-disk or file system encryption methods.

  • Full-disk Encryption (FDE):

    • Encrypts the entire storage device, including metadata and free space, primarily protecting against physical theft.

    • A self-encrypting drive (SED) incorporates encryption in the disk firmware, hiding keys from the OS.

    • FDE ensures that a stolen disk requires user credentials for access.

  • Volume Encryption:

    • Applies encryption to a storage resource presented as a volume; implemented by software products such as BitLocker and FileVault.

  • File Encryption:

    • Encrypts individual files or entire folders. Examples include Microsoft's Encrypting File System (EFS), which requires an NTFS-formatted volume.

    • It protects file metadata and ensures sensitive data remnants are purged.

Database Encryption

  • Structure:

    • Databases store data in tables (columns and rows).

    • Access is managed via a database management system (DBMS).

  • Encryption Levels:

    • Database-level encryption encrypts all records as they are stored on disk, including the transaction logs; known as transparent data encryption (TDE) in SQL Server.

    • Record-level encryption protects specific fields, uses public key encryption for security, and remains encrypted in memory until accessed by a client application.

  • Compliance:

    • By securing sensitive information at the record level, compliance with privacy regulations can be achieved.

Transport Encryption and Key Exchange

  • Purpose:

    • Transport encryption protects data in motion (during transmission).

    • Various products secure communications for different network protocols (e.g., WPA for wireless, IPsec for VPN, TLS for web and email).

  • Key Exchange Mechanism:

    • Alice encrypts a message with a symmetric session key, then encrypts the session key with Bob's public key, forming a digital envelope.

    • Bob decrypts the session key using his private key and subsequently decrypts the message with the session key.
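The KEK/DEK process described under Encryption Methods and the digital envelope described here are the same hybrid construction. The following Go program is an added example, not code from the original notes: it assumes RSA-OAEP as the asymmetric cipher for wrapping the DEK and AES-256-GCM as the symmetric cipher for bulk encryption, and the names Envelope, NewKEK, Seal and Open are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope: the DEK wrapped under Bob's public key, plus nonce and ciphertext.
type Envelope struct{ WrappedDEK, Nonce, Ciphertext []byte }

// NewKEK generates the recipient's RSA key pair; the private key is the KEK.
func NewKEK() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Seal: fresh 256-bit DEK, bulk-encrypt msg with AES-256-GCM, wrap DEK with RSA-OAEP.
func Seal(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(dek) // 32-byte key we just generated: cannot fail
	gcm, _ := cipher.NewGCM(block) // AES has a 16-byte block: cannot fail
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil)}, nil
}

// Open unwraps the DEK with the private key, then decrypts and authenticates.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	// Anyone can RSA-encrypt under the public key, so check the unwrapped key length.
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // errors on tampering
}
```

Because GCM authenticates the ciphertext, a modified envelope or a different private key produces an error from Open rather than corrupted plaintext.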