Software-based encryption can encrypt individual files and folders, entire disks, removable media, mobile devices, and databases. If you’re planning on taking the Security+ exam, you should have a basic understanding of software-based encryption.
For example, can you answer this question?
Q. Bart copied an encrypted file from his desktop computer to his USB drive and discovered that the copied file isn’t encrypted. He asks you what he can do to ensure files he’s encrypted remain encrypted when he copies them to a USB drive. What would you recommend as the BEST solution to this problem?
A. Use file-level encryption.
B. Convert the USB to FAT32.
C. Use whole disk encryption on the desktop computer.
D. Use whole disk encryption on the USB drive.
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Although software-based encryption is slower than hardware-based encryption (such as a dedicated crypto chip or a self-encrypting drive), it is secure as long as it uses strong, well-vetted algorithms and the keys are protected.
File-Level Encryption
Many operating systems support file- and folder-level encryption. Linux systems support GNU Privacy Guard (GnuPG, run as gpg), a command-line tool that encrypts and decrypts files with a passphrase or with public-key pairs. Microsoft NTFS includes Encrypting File System (EFS), available from Windows Explorer: users can right-click any file or folder, open Properties, click Advanced, and select Encrypt Contents to Secure Data. EFS protects the file's key with the user's account credentials, so an attacker who obtains the disk, or logs on as a different user, has a much more difficult time reading these files.
A benefit of file- and folder-level encryption is that you can encrypt individual files without encrypting an entire disk. For example, a server may store files accessed by users throughout the company. Access controls provide a first level of protection for these files, but administrators can change permissions or take ownership and so bypass the access controls. Imagine that a company stores payroll data on the server and wants to ensure that a malicious insider with administrative privileges can't read the data. Encrypting those files with a key the administrator doesn't hold provides an additional level of protection.
One of the challenges with file-level encryption is that the encryption can be lost if an authorized user copies encrypted files to another disk that doesn't support it. For example, imagine that Bart encrypts a file on his system using NTFS (EFS) and then copies the file to a FAT32-formatted USB drive. Because FAT32 doesn't support NTFS encryption, the system decrypts the file before writing it onto the drive, and the copy sits on the USB drive in the clear. The solution is to use whole device (full disk) encryption on the USB drive, or to format the drive with a file system that supports the encryption (NTFS for EFS).
Full Disk Encryption
Full disk encryption programs encrypt an entire disk. For example, TrueCrypt was available on Windows, Linux, and other operating systems; its developers discontinued it in 2014, and VeraCrypt continued the project. It can encrypt a whole USB drive to protect the confidentiality of the data if the device is lost. Users mount the drive with a password, and the software then decrypts and encrypts data on the fly without any other user intervention. Full disk encryption also works on traditional hard disk drives; Windows BitLocker (and BitLocker To Go for removable drives) and Linux dm-crypt/LUKS are other common examples. Keep in mind that full disk encryption protects data at rest: once the drive is unlocked, any process running as the logged-on user can read the files.
Software-based Encryption with Databases
Another form of software-based encryption applies to databases. Many database products, such as Oracle Database and Microsoft SQL Server, include the ability to encrypt data held within a database. Although it's possible to encrypt the entire database, it's more common to encrypt specific data elements.
As an example, imagine a database includes a table named Customers. Each record within the table has multiple columns, including customer number, last name, first name, credit card number, and security code. Instead of encrypting the entire table, administrators can choose to encrypt only the credit card number and security code fields within each record. This protects the sensitive data but doesn't waste valuable processing power encrypting data that isn't sensitive, and the unencrypted columns remain available for normal searching and indexing. (In practice, payment card rules such as PCI DSS forbid storing the card security code at all after a transaction is authorized, so that field should be discarded rather than encrypted.)
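The following Python script is an added example, not code from the original post. It demonstrates both points above with only the standard library: a file whose bytes are themselves ciphertext stays encrypted when copied (the property Bart's EFS file lacked on FAT32), and a Customers table in which only the card-number column is encrypted while the name columns stay in the clear. The cipher (PBKDF2 to derive keys, HMAC-SHA256 in counter mode as a keystream, and an HMAC tag, encrypt-then-MAC), the container header MAGIC, and the sample rows are all illustrative constructions; in production you would use a vetted AEAD such as AES-GCM from a maintained library, or the database's own column-encryption feature.

```python
"""Added example, not from the original post: keep data encrypted as bytes so it
survives a copy at file level and can be applied to a single database column.
Standard library only.  The cipher (PBKDF2 -> keys, HMAC-SHA256 in counter mode as
keystream, HMAC tag) and the header MAGIC are illustrative; use AES-GCM in production."""
import hashlib
import hmac
import os
import shutil
import sqlite3
import tempfile

MAGIC = b"XDEMO1"                      # hypothetical marker for this container format
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
KDF_ITERATIONS = 100_000               # raise for production use

def derive_keys(passphrase: str, salt: bytes):
    """Stretch the passphrase into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)
    return master[:32], master[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, cut to length."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    body = MAGIC + salt + nonce + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Check the tag in constant time first, then strip the keystream."""
    header = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < header + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a container produced by encrypt()")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt, nonce = body[len(MAGIC):len(MAGIC) + SALT_LEN], body[len(MAGIC) + SALT_LEN:header]
    enc_key, mac_key = derive_keys(passphrase, salt)
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong passphrase or tampered data")
    ct = body[header:]
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

def encrypted_file_survives_copy(passphrase: str) -> bool:
    """File-level case: the file's bytes are ciphertext, so a plain copy (shutil.copyfile
    is filesystem-agnostic, like copying onto a FAT32 USB drive) stays encrypted,
    unlike an EFS-encrypted file, which Windows decrypts on the way to FAT32."""
    payroll = b"employee=Bart,salary=42000\n"          # constructed sample data
    workdir = tempfile.mkdtemp()
    try:
        src, usb = os.path.join(workdir, "payroll.enc"), os.path.join(workdir, "usb")
        os.mkdir(usb)
        with open(src, "wb") as f:
            f.write(encrypt(passphrase, payroll))
        shutil.copyfile(src, os.path.join(usb, "payroll.enc"))
        with open(os.path.join(usb, "payroll.enc"), "rb") as f:
            copied = f.read()
    finally:
        shutil.rmtree(workdir)
    return payroll not in copied and decrypt(passphrase, copied) == payroll

def wrong_passphrase_rejected() -> bool:
    """A wrong passphrase (or tampering) fails the tag check instead of yielding garbage."""
    try:
        decrypt("not-the-key", encrypt("the-key", b"x"))
        return False
    except ValueError:
        return True

def column_encryption_demo(passphrase: str) -> dict:
    """Database case: only the card-number column is encrypted; name columns stay
    in the clear and searchable.  (Card security codes must not be stored at all
    after authorization, so they get no column here.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (cust_no INTEGER, last_name TEXT, "
                 "first_name TEXT, card_number BLOB)")
    rows = [(1001, "Simpson", "Bart", "4111111111111111"),     # constructed sample rows
            (1002, "Simpson", "Lisa", "5555555555554444")]
    for cust_no, last, first, pan in rows:
        conn.execute("INSERT INTO Customers VALUES (?, ?, ?, ?)",
                     (cust_no, last, first, encrypt(passphrase, pan.encode())))
    # A DBA or attacker reading the table directly sees the name but not the PAN.
    last, stored = conn.execute(
        "SELECT last_name, card_number FROM Customers WHERE cust_no = 1001").fetchone()
    # The application, which holds the key, decrypts the single field it needs.
    return {"last_name": last,
            "pan_in_clear_on_disk": b"4111111111111111" in stored,
            "pan_for_application": decrypt(passphrase, stored).decode()}

if __name__ == "__main__":
    print("file copy stays encrypted:", encrypted_file_survives_copy("correct horse"))
    print("wrong passphrase rejected:", wrong_passphrase_rejected())
    print(column_encryption_demo("correct horse"))
```

Run it and the first line reports True: the copied file is still ciphertext and decrypts correctly, which is the behaviour Bart wanted. The dictionary shows the last name readable straight out of the table while the card number is not, and the tag check means a wrong passphrase raises an error rather than returning garbage.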
Remember this
File- and folder-level encryption protects individual files, but that protection can be lost when a file is copied to a file system that doesn't support it. Full disk encryption protects entire disks, including USB flash drives and drives on mobile devices. Database column encryption protects individual fields within a database.
Q. Bart copied an encrypted file from his desktop computer to his USB drive and discovered that the copied file isn’t encrypted. He asks you what he can do to ensure files he’s encrypted remain encrypted when he copies them to a USB drive. What would you recommend as the BEST solution to this problem?
A. Use file-level encryption.
B. Convert the USB to FAT32.
C. Use whole disk encryption on the desktop computer.
D. Use whole disk encryption on the USB drive.
Answer is D. The best solution is to use whole disk encryption on the USB drive.
The scenario indicates Bart is already using file-level encryption (such as NTFS encryption with EFS) on the desktop computer, but the USB drive doesn't support it, most likely because it's formatted as a FAT32 drive.
The result is that the system decrypts the file before copying it to the USB drive, so the copy on the USB drive is in the clear.
Another solution is to convert the USB drive to NTFS, which supports EFS; converting it to FAT32 would only preserve the problem, since FAT32 is what can't carry the encryption.
File-level encryption is what Bart is using now, so answer A doesn't change anything, and whole disk encryption on the desktop computer wouldn't protect files once they're copied to the USB drive.