Disk and File Encryption


Data-at-rest encryption can be applied at several levels, ranging from more granular (file or row/record) to less granular (volume/partition/disk or database).

  • lower levels: whole disk encryption
    • simple to deploy, but can be complex to manage when many users need access to the data
  • higher levels: encryption via the file system or DBMS
    • can be combined with granular access controls

Full Disk Encryption

Full-disk encryption (FDE) refers to encryption of the entire contents of a drive, volume, or storage device.

  • including encryption of
    • system files and folders
    • temporary files
    • pagefile
    • metadata areas
    • free space areas
  • primarily protects against physical theft of the disk
  • drawback
    • performance is reduced because the OS performs the cryptographic operations
  • self-encrypting drive (SED) is a storage device that can perform self-encryption using a cryptographic product built into the disk firmware
    • could be
      • hard disk drive (HDD)
      • solid-state drive (SSD)
      • or USB flash drive
    • firmware implements a cryptoprocessor to store the keys
      • so that they are not directly exposed to the OS that mounts the disk
    • faster than FDE, since encryption operations are done at the hardware level
    • uses a symmetric data/media encryption key (DEK/MEK) for bulk encryption
      • encrypted by an asymmetric key pair, called either the
        • authentication key (AK)
          • authenticated by the user password
          • the user password can be changed without having to decrypt and re-encrypt the drive
        • or the key encryption key (KEK)
    • many vendors develop using the Opal Storage Specification
      • standards for implementing device encryption on storage devices
      • developed by the Trusted Computing Group (TCG)
  • disk can be divided into separate logical areas called partitions
    • each partition can be formatted with a different file system
    • can encrypt partitions individually
      • using different keys
    • e.g., disk could contain boot, system, and data partitions
      • boot and system partitions could be left unencrypted
        • contain only standard OS files
      • data partition is protected by encryption
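The DEK/KEK split described above is what lets a password change avoid re-encrypting the drive. The following Go program is an added illustration, not code from the page or from any drive vendor: the user password is run through PBKDF2-HMAC-SHA256 (written out so that only the standard library is needed) to derive a KEK, the KEK wraps a randomly generated DEK with AES-256-GCM, and a password change unwraps and re-wraps that same DEK. The names (`Provision`, `Unlock`, `ChangePassword`, `DriveHeader`), the iteration count and the sample sector contents are constructed for the example; a real drive would use a sector mode such as AES-XTS for the bulk data rather than GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const kdfIterations = 100_000 // constructed value; a real product tunes this to its hardware

// randBytes returns n bytes from the OS CSPRNG.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// deriveKEK is RFC 8018 PBKDF2-HMAC-SHA256 for a 32-byte output (one PRF
// block), written out so the example needs only the standard library.
func deriveKEK(password string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index, big-endian 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// gcm returns AES-256-GCM under a 32-byte key; with that fixed length the
// constructors cannot fail, so their errors are not checked.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// sealGCM produces nonce || ciphertext || tag under key. It is used both to
// wrap the DEK under the KEK and, as a stand-in for the drive's sector
// encryption (real drives use AES-XTS), to encrypt data under the DEK.
func sealGCM(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// openGCM reverses sealGCM; a wrong key fails the tag check.
func openGCM(key, blob []byte) ([]byte, error) {
	aead := gcm(key)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// DriveHeader is kept beside the data; the DEK appears only wrapped by the KEK.
type DriveHeader struct {
	Salt       []byte
	WrappedDEK []byte
}

// Provision generates a fresh DEK and wraps it for the initial password.
func Provision(password string) (DriveHeader, []byte) {
	dek, salt := randBytes(32), randBytes(16)
	return DriveHeader{Salt: salt, WrappedDEK: sealGCM(deriveKEK(password, salt), dek)}, dek
}

// Unlock recovers the DEK; a wrong password fails GCM authentication.
func Unlock(h DriveHeader, password string) ([]byte, error) {
	return openGCM(deriveKEK(password, h.Salt), h.WrappedDEK)
}

// ChangePassword re-wraps the unchanged DEK under a KEK for the new password;
// sectors encrypted with the DEK are never touched, which is the point of the split.
func ChangePassword(h DriveHeader, oldPw, newPw string) (DriveHeader, error) {
	dek, err := Unlock(h, oldPw)
	if err != nil {
		return h, err
	}
	salt := randBytes(16)
	return DriveHeader{Salt: salt, WrappedDEK: sealGCM(deriveKEK(newPw, salt), dek)}, nil
}

func main() {
	h, dek := Provision("initial-password")
	sector := sealGCM(dek, []byte("constructed sector contents")) // bulk data under the DEK
	h, _ = ChangePassword(h, "initial-password", "rotated-password")
	dek2, _ := Unlock(h, "rotated-password")
	pt, _ := openGCM(dek2, sector)
	fmt.Printf("readable after password change: %q\n", pt)
}
```

Only the small header blob is rewritten on a password change; the sector ciphertext produced before the change still decrypts with the recovered DEK, and the old password no longer authenticates because its KEK fails the GCM tag check on the new wrapped DEK.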

Volume and File Encryption

A volume is any storage resource with a single file system.

  • i.e., it is the way the OS “sees” a storage resource
  • technology underlying a volume could be
    • a removable disk
    • or partition on a drive (HDD/SSD)
  • volume encryption product refers to a software application rather than disk firmware
    • may still be marketed as “disk encryption”, though
    • e.g.,
      • Microsoft BitLocker
      • Apple FileVault
    • may or may not encrypt free space and/or file metadata

A file encryption product is software that applies encryption to individual files.

  • may depend on file system support
    • Microsoft Encrypting File System (EFS) requires an NTFS-formatted volume

Info

  • Metadata can include
    • a list of files
    • the file owner
    • and created/last modified dates
  • Free or unallocated space can contain data remnants
    • where a file has been marked as deleted, but the data has not actually been erased from the storage medium
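To make the data-remnant point concrete, here is an added Go simulation (not code from the page): a toy block device with an allocation bitmap and a directory, where deleting a file does what a typical unlink does, dropping the directory entry and freeing the blocks without touching the bytes. Scanning only the unallocated blocks, the way a carving tool would, still finds the file's contents, which is why a volume product that skips free space leaves deleted data exposed. The `Disk` type, its methods and the sample file contents are all constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
)

const blockSize = 16

// Disk is a toy block device: raw bytes plus the two pieces of file-system
// metadata that matter here, an allocation bitmap and a directory.
type Disk struct {
	data  []byte
	inUse []bool
	dir   map[string][]int // file name -> blocks holding its contents
}

func NewDisk(blocks int) *Disk {
	return &Disk{
		data:  make([]byte, blocks*blockSize),
		inUse: make([]bool, blocks),
		dir:   map[string][]int{},
	}
}

func (d *Disk) freeBlock() int {
	for i, u := range d.inUse {
		if !u {
			return i
		}
	}
	return -1
}

// WriteFile copies content into free blocks and records them in the directory.
func (d *Disk) WriteFile(name string, content []byte) error {
	var used []int
	for off := 0; off < len(content); off += blockSize {
		b := d.freeBlock()
		if b < 0 {
			return fmt.Errorf("disk full while writing %s", name)
		}
		end := off + blockSize
		if end > len(content) {
			end = len(content)
		}
		copy(d.data[b*blockSize:(b+1)*blockSize], content[off:end])
		d.inUse[b] = true
		used = append(used, b)
	}
	d.dir[name] = used
	return nil
}

// Delete does what a typical unlink does: it removes the directory entry and
// clears the allocation bits, but leaves the bytes on the medium as they are.
func (d *Disk) Delete(name string) {
	for _, b := range d.dir[name] {
		d.inUse[b] = false
	}
	delete(d.dir, name)
}

// freeSpace concatenates every unallocated block, which is what a carving
// tool reads when it looks for remnants.
func (d *Disk) freeSpace() []byte {
	var out []byte
	for i, u := range d.inUse {
		if !u {
			out = append(out, d.data[i*blockSize:(i+1)*blockSize]...)
		}
	}
	return out
}

// RemnantInFreeSpace reports whether pattern can be carved out of free space.
func (d *Disk) RemnantInFreeSpace(pattern []byte) bool {
	return bytes.Contains(d.freeSpace(), pattern)
}

// WipeFreeSpace overwrites unallocated blocks with zeros, the mitigation when
// the volume product does not encrypt free space.
func (d *Disk) WipeFreeSpace() {
	for i, u := range d.inUse {
		if !u {
			for j := i * blockSize; j < (i+1)*blockSize; j++ {
				d.data[j] = 0
			}
		}
	}
}

func main() {
	d := NewDisk(8)
	secret := []byte("constructed secret: salary list") // constructed sample content
	d.WriteFile("notes.txt", secret)
	d.Delete("notes.txt")
	fmt.Println("remnant after delete:", d.RemnantInFreeSpace(secret))
	d.WipeFreeSpace()
	fmt.Println("remnant after wipe:  ", d.RemnantInFreeSpace(secret))
}
```

Full-disk encryption removes this gap by encrypting every block regardless of allocation state; with a volume or file product that only encrypts live files, the free-space wipe shown in `WipeFreeSpace` (or a product that does cover free space) is what closes it.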

Important

  • If the device has a TPM or HSM compatible with the encryption product,
    • the disk/volume/file system can be locked by keys stored in the TPM or HSM