Encryption is the process of scrambling data so that it is unreadable to anyone who does not possess the key needed to unscramble it. It is a powerful tool for protecting data, but it has limitations, and applying it means choosing among trade-offs. This content covers the use of encryption to protect data at rest on hard disks, external drives, thumb drives, and the like. Technologies such as SSL or IPsec, which protect data in transit over the network, are not covered. A summary of Cornell IT policy on the use of encryption is in University Policy 5.10, Information Security.

The basic trade-off is granularity:

- Greater granularity: encrypting each file individually gives good protection against data loss due to theft, but demands the most attention to how you handle files.
- Lesser granularity: encrypting the entire device at once gives good protection against data loss due to theft and requires less attention to how you handle files.

The three common approaches, and what each does and does not protect against:

- Full-Disk Encryption (FDE): when the entire drive is encrypted, you have good defense against data loss due to theft, since you never need to worry about whether a given file is encrypted. On the other hand, while a system with FDE is in active use (someone is logged in), the entire contents of the disk are exposed to theft of data via malware.
- Volume-Level Encryption: here one creates a "container" (a virtual directory space) whose contents are always encrypted. By mounting the encrypted volume only when you need to work with the sensitive material it contains, you reduce the risk of data loss due to malware and still enjoy good protection if the computer is stolen. On the other hand, you must take care that sensitive data is always kept inside the encrypted volume.
- File-Level Encryption: encryption at the level of individual files affords a good level of protection against data loss due to theft. On the other hand, this is where you must invest the most effort in file management. Note that there are two flavors of file-level encryption: (1) the file is decrypted only while it is in use, which is typically the case with application-based encryption; (2) the file is decrypted to a plaintext copy that is not automatically re-encrypted when you finish viewing or editing it, which is the case with stand-alone encryption utilities. With the second flavor, the plaintext copy remains on disk until you re-encrypt it and remove it yourself.

The first type, full disk encryption, protects an entire drive. Full disk encryption has the advantage of protecting all software applications, data, log files, and anything else stored on the disk. It can be implemented by a software package such as BitLocker or FileVault (both used at Cornell), TrueCrypt, PGP, etc., or by specialty hard disks such as those offered by Seagate or Hitachi. It is generally transparent to the operating system and to backup software such as EZ-Backup. Full disk encryption is at its best when the system using it is powered off: it offers very high defense against theft or loss of the computer or drive, but no defense against disclosure to malware, viruses, or unauthorized use while the system is running. Note that "powered off" means fully shut down; a machine that is merely asleep still holds the disk encryption key in memory. Full disk encryption does exact a small performance penalty, ranging from imperceptible to a few percent depending on CPU performance. Drive-based encryption, like that offered on certain Seagate or Hitachi 2.5-inch notebook drives, shows no detectable performance penalty. Some software full disk encryption products cannot encrypt the drive from which the operating system starts; where this restriction applies, it is noted in the application descriptions. Because of the risk of sensitive data being inadvertently stored on the unprotected drive, such products share many of the weaknesses of volume-level encryption, below.

Volume encryption protects a smaller subset of a drive, possibly down to the level of individual folders. Common volume encryption software includes BitLocker or FileVault (both used at Cornell), TrueCrypt, and PGP. Volume encryption works either by encrypting an entire hard disk partition (C:, D:, etc.) or by creating an encrypted container file. The container, often several gigabytes in size, is encrypted internally by software that also makes it appear as a drive letter or folder; files saved in that location are automatically encrypted and added to the container. Volume encryption protects very well when either the system is powered off or the protected volume is not actively available for use (i.e., not mounted). While the volume is mounted, its contents are as exposed to malware and to anyone using the machine as any unencrypted file, and anything saved outside the container is not protected at all.
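The following Python is an added illustration of the container behaviour described above and of the "unprotected drive" weakness; it is not the page's own code and not how BitLocker, FileVault, TrueCrypt or PGP are implemented. Because the standard library has no AES, the cipher is a stand-in construction (PBKDF2-derived keys, an HMAC-SHA256 counter-mode keystream, and an HMAC tag, encrypt-then-MAC); the container format, the passphrases and the "SSN" record are all constructed for the demo. Mounting decrypts the container's file table into memory, saving a file into the mounted container encrypts it automatically, and unmounting leaves only ciphertext on disk, while the same record written outside the container stays in plaintext and a wrong passphrase is rejected by the tag check.

```python
# Added illustration of an encrypted container (volume-level encryption). Not the page's
# code and not how BitLocker/FileVault/TrueCrypt/PGP work; the cipher is a stdlib stand-in.
import hashlib, hmac, json, os, struct, tempfile

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
PBKDF2_ROUNDS = 100_000  # low for the demo; real tools use more (or scrypt/Argon2)

def derive_keys(passphrase, salt):
    """PBKDF2-HMAC-SHA256 -> (keystream key, MAC key) from one derivation."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]

def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(enc_key, mac_key, plaintext):  # encrypt-then-MAC -> nonce || ciphertext || tag
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(enc_key, mac_key, blob):  # verify the tag first; wrong key or tampering fails here
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or container modified")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

class Container:
    """A container file holding a name -> bytes table. Mounted: the table sits decrypted
    in memory (the 'drive letter' view). On disk, only salt || nonce || ciphertext || tag."""

    def __init__(self, path, passphrase):
        self.path, self.passphrase = path, passphrase
        self.salt = self.keys = self.files = None     # populated only while mounted
        if not os.path.exists(path):                  # create an empty container
            salt = os.urandom(SALT_LEN)
            with open(path, "wb") as f:
                f.write(salt + seal(*derive_keys(passphrase, salt), b"{}"))

    def mount(self):
        with open(self.path, "rb") as f:
            self.salt, body = f.read(SALT_LEN), f.read()
        self.keys = derive_keys(self.passphrase, self.salt)
        self.files = json.loads(unseal(*self.keys, body))  # raises on a wrong passphrase

    def write(self, name, data):
        self._require_mounted()
        self.files[name] = data.hex()   # saved here => automatically encrypted on flush
        self._flush()

    def read(self, name):
        self._require_mounted()
        return bytes.fromhex(self.files[name])

    def unmount(self):
        self._require_mounted()
        self._flush()
        self.salt = self.keys = self.files = None     # keys and plaintext leave memory

    def _require_mounted(self):
        if self.files is None:
            raise RuntimeError("container is not mounted")

    def _flush(self):
        with open(self.path, "wb") as f:
            f.write(self.salt + seal(*self.keys, json.dumps(self.files).encode()))

SECRET = b"SSN 123-45-6789"   # constructed sample record

def demo(workdir=None):
    """Report what a thief reading the raw disk, or malware on the host, could find."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    vault = os.path.join(workdir, "vault.bin")
    vol = Container(vault, "correct horse battery staple")
    vol.mount()
    vol.write("patients.txt", SECRET)
    readable = vol.read("patients.txt") == SECRET
    vol.unmount()                                       # like ejecting a TrueCrypt volume
    stray = os.path.join(workdir, "patients-copy.txt")  # the same record saved outside
    with open(stray, "wb") as f:
        f.write(SECRET)
    try:
        Container(vault, "wrong passphrase").mount()
        rejected = False
    except ValueError:
        rejected = True
    return {"readable_while_mounted": readable,
            "secret_in_unmounted_container_file": SECRET in open(vault, "rb").read(),
            "secret_on_unprotected_drive": SECRET in open(stray, "rb").read(),
            "wrong_passphrase_rejected": rejected}

if __name__ == "__main__":
    for check, found in demo().items():
        print(f"{check}: {found}")
```

Running the script prints four checks: the record is readable while mounted, is absent from the container file once unmounted, is present in plaintext in the stray copy outside the container, and the wrong passphrase is rejected. The stray copy is the failure mode the text warns about: the container does nothing for data that never went into it, which is why a sleeping or logged-in machine with the volume mounted, or a careless save to the desktop, undoes the protection.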