Home / IT Fundamentals / ITF+ FC0-U61 / Common Uses of Encryption | CompTIA IT Fundamentals FC0-U61 | 6.6

Common Uses of Encryption | CompTIA IT Fundamentals FC0-U61 | 6.6

By on March 21, 2020

In this video you will learn about the common uses of encryption such as:  plain text vs. cipher text, data at rest, & data in transit.

Plain Text vs. Ciphertext

Plain text is any text, text file, or document that contains only text before encryption.  Ciphertext is data that has been encrypted. Ciphertext is unreadable until it has been converted into plain text (decrypted) with a key.

Here’s a simple example of a plain text message:

  • my class is the best class on this topic

In this example, the encryption process performs the following steps

1. The words are reversed in order, followed by the letters in each word.

  • cipot siht no ssalc tseb eht si ssalc ym

2. Each letter is shifted three characters to the right (c becomes f, i becomes l, and so on).

3. Each shifted letter is replaced by a number (1-26, where a = 26, b = 25, and so on).  A percent sign (%) is inserted between numbers, and an at symbol (@) is used for spaces.

Step 1:  ym  ssalc  si eht   tseb ssalc  no siht cipot
Step 2:  bp  vvdof  vl hkw  wvhe vvdof  qr vlkw flsrw
Step 3:  25%11   5%5%23%12%21   5%15 19%16%4   4%5%19%22 5%5%23%12%21   10%9 5%15%16%4 21%15%8%9%4

4. The resulting ciphertext looks like this:

To decipher the ciphertext, the receiver must have a key.  In the above example, the key is used to reverse each transformation.  In computer algorithms, encryption and decryption methods can be extremely much more complex.  Data can be encrypted where it is stored (data at rest) and when being sent between devices (data in transit).

Data at Rest

Data at rest is defined as data that is not in use or is not traveling to system endpoints, such as mobile devices or workstations.  Encryption can take place on a file level, a disk level, or in a mobile device.

File Level

File-level (also known as file/folder-level) encryption is a form of disk encryption where individual files or directories are encrypted by the file system itself; other files on the device are not affected.

EFS (Windows)

An Encrypting File System (EFS) is a functionality of the New Technology File System (NTFS) found on various versions of Microsoft Windows (Pro, Ultimate, Business) and all server versions starting with Windows 2000.  EFS facilitates the transparent encryption and decryption of files by making use of complex, standard cryptographic algorithms. To encrypt a particular file or folder with EFS, follow these steps:

  1. From the Home tab in File Explorer, open the Properties menu and click Properties.
  2. Click Advanced.
  3. Click Details to specify which users can open the file when encrypted.
  4. Click the Encrypt contents to secure data check box.
  5. Click OK.
  6. Click Apply, then OK on the properties sheet for the file.
  7. The encrypted file now has a padlock, and the filename might also be displayed in green.
Encrypting a File

macOS

macOS does not include file-level encryption, but it can be added through various free and commercial apps, such as AxCrypt, Concealer, Espionage 3, SimpleumSafe, VeraCrypt, etc.  To create compressed archive files that are also encrypted using AES-256 encryption, use iZip.

Linux

Common encryption tools that can be installed with most distributions include Gnu Privacy Guard (GnuPG) with a Windows version available HERE, eCryptfs, OpenSSL, VeraCrypt, etc.  Most of these work by encrypting a copy of the file, so the original should be deleted after encryption. eCryptfs is supported by the Linux kernel. This type of encryption is often referred to in Linux as “filesystem stacked level encryption.”  eCryptfs encryption stays with a file when it is copied from one system to another. The p7zip tool is available HERE; it is a Linux version of 7-Zip’s command-line version.

Disk Level

Disk-level encryption, also referred to as full-disk encryption (FDE), is the encryption of all data on a disk drive, including the program that encrypts the bootable OS partition.  Only an authorized user can view the drive’s contents after logging in to the system. Use FDE such as BitLocker, BitLocker To Go, or a similar product on laptops and mobile devices that store or access sensitive data.  Many instances of significant data breaches have been the result of the loss or theft of unencrypted devices.

Windows

Starting with Windows Vista & Windows Server 2008, Microsoft includes BitLocker support in business-oriented versions of its desktop operating systems.  Originally, BitLocker supported only system drives, but current versions of Windows also support encrypting non-system drives and removable drives (BitLocker To Go).  A system with a Trusted Platform Module (TPM) is ready to use BitLocker. If a TPM is not built in to the computer, the Local Group Policy Editor (gpedit.msc) is used to enable BitLocker:

  1. After opening the Local Group Policy Editor, click Computer Configuration, Windows Components, BitLocker Drive Encryption, Operating System Drive, Require additional authentication at startup.
  2. Click the empty Allow BitLocker…check box.
  3. Click Apply, then OK.
Navigating GPEDIT.MSC to the BitLocker Configuration Dialogs

To enable BitLocker, right-click a drive and select Turn On BitLocker.  During setup, the user sets a BitLocker password.  It can be saved to the user’s Microsoft account, a USB flash drive, a file on another storage device, or printed (any or all of these options can be used).  On systems with a smart card reader, you can also choose to use your smart card and PIN to unlock the drive.

Making BitLocker Available on a System w/o a TPM

A BitLocker-encrypted drive is mounted automatically when the BitLocker password is entered or the BitLocker USB drive is inserted.  If a TPM is used, you are prompted to enter a PIN. You might also use a smart card with a PIN to unlock the drive. With BitLocker to Go, you can also set up the drive to unlock automatically when plugged back into the PC that encrypted it.  A drive encrypted with BitLocker To Go also includes the BitLocker To Go reader so it can be read on versions of Windows that lack BitLocker support.

macOS

FileVault 2 full-disk encryption is built in to versions of macOS starting with version 10.7 (OS X Lion) and later.  The login password can be used as the recovery key, or you can set up a separate recovery key. FileVault 2 is enabled through System Preferences, Security & Privacy, FileVault.  Each current user of the system must be enabled (and must enter their password) before the drive can be encrypted, but users added after FileVault 2 are automatically included.

Setting up FileVault 2 Full Disk Encryption on macOS

In versions of macOS starting with Mavericks (10.9), you can store a recovery key with Apple by providing three security questions and answers.  In versions of macOS starting with Yosemite (10.10), you can use iCloud to unlock an encrypted drive and reset the password. Alternatively, you can create a recovery key and store it locally.

Continuing FileVault 2 setup

Linux

The cryptsetup package is the standard Linux disk encryption program; it works with the dm-crypt kernel module included in recent Linux distros.  Install cryptsetup from the package manager (sudo apt-get cryptsetup for Debian-based distros; yum install cryptsetup for Red Hat-based distros).  Cryptsetup includes LUKS, or Linux Unified Key Setup, which makes encryption easier to use.

Mobile Device

Both iOS & Android support full-device encryption.  When the user assigns a PIN or passcode to a smartphone or tablet, the device is encrypted.  The minimum length for a PIN or passcode is four characters, but more characters enables greater security.  Entering the PIN or passcode at login decrypts the device. Locking the device re-encrypts it. When combined with remote wiping, encrypting a mobile device helps protect it from being used by unauthorized parties. iOS devices use hardware-based encryption.  Current versions use AES (Advanced Encryption Standard) 256-bit cryptography along with a unique identifier (UID) that is also encrypted using AES 256-bit encryption. The result is a tamper-proof key.  However, unless a passcode is assigned to the device, encryption is not enabled. Some Android devices are encrypted when the users receive them, but most require encryption to be activated manually.  Android is based on Linux, so Android devices use the dm-crypt encryption features in the Linux kernel.

Data in Transit

Data may be encrypted while stored, but when it is traveling between devices, it is decrypted.  To protect it while it is being sent or received, other types of encryption are needed. To decrypt encrypted data in transit, recipients need to have the appropriate decryptor available.

Email

Two major standards used for encrypted email are OpenPGP and S/MIME.  OpenPGP (Open Pretty Good Privacy) is a cross-platform version of the original PGP program.  To learn more about the apps that include OpenPGP support, go HERE. Another cross-platform, open source implementation is the GNU Privacy Guard (GnuPG) available HERE.  OpenPGP email encryption works by exchanging digital IDs (also known as digital certificates or public keys) between users. After digital IDs are installed, these users can exchange encrypted emails and are able to open them.  Digital certificates are acquired from a certificate authority (CA). S/MIME (Secure/Multipurpose Internet Mail Extensions) works in a similar fashion to OpenPGP, but it does not require users to exchange certificates. Support for S/MIME is included in most email systems.

You can use encryption with webmail services such as Gmail and Outlook as well as with email client apps.  With Gmail, a lock icon is displayed when you start composing a message. When you receive a message with Gmail, click the down arrow next to the recipients to see the lock icon.  A green lock icon indicates the message was encrypted with S/MIME enhanced encryption, the strongest level. A gray lock icon indicates the message was encrypted with Transport Layer Security encryption.  Although not as strong as S/MIME, TLS is supported by email clients that don’t have S/MIME support. A red lock icon indicates the message is not encrypted.

Windows

Microsoft Outlook supports sending encrypted email on an individual message or for all messages.  To enable encryption, follow these steps:

  1. Create a message.
  2. Click File.
  3. Click Properties.
  4. Click Security Settings.
  5. Click Encrypt message contents and attachments.
  6. To select a certificate or make other changes, click Change settings.

The free Microsoft Mail product included with Windows 10 and earlier Windows versions does not support S/MIME encryption.

macOS

With Apple Mail, if you install a digital ID to your Apple Keychain and then send a digitally signed message to a recipient, your certificate is added to the ones the recipient has on file.  Their reply includes their certificate. After certificates have been exchanged, you can use the Encrypt option in Mail. You can add GPG support to other macOS email clients and other apps by installing the GPG Suite from HERE.

Linux

There is no single default email package for Linux, but you can add encryption support to many packages.  Some email packages that support encryption include the following:

  • Evolution:  Supports OpenPGP and S/MIME encryption.
  • Mozilla Thunderbird (GnuPGP implementation of PGP) and Enigmail:  See HERE.
  • KMail:  Included with Linux distros that use K Desktop Environments, supports OpenPGP and TLS/SSL encrypted connections as well as S/MIME plugins.

HTTPS

Hypertext Transport Protocol Secure (HTTPS) is a secure version of the HTTP protocol used for web pages.  Originally developed for use with web banking and ecommerce websites, HTTPS connections are now used by many websites to help reduce the likelihood of personal information being abused or stolen.  An HTTPS website uses https:// as part of its URL, and web browsers add a padlock symbol to indicate the website is secure.  HTTP uses TCP port 80, and HTTPS uses port 443. HTTPS websites use Secure Socket Layers (SSL) encryption.  To access a secured website, the web browser must support the same encryption level used by the secured website (normally 128-bit encryption) and the same version(s) of SSL used by the website (normally SSL version 2.0 or 3.0).

VPN

A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.  VPN connections are often referred to as “tunnels” and the process of setting up a VPN as “tunneling”. A VPN connection has several benefits compared with a standard connection:

  • A VPN connection enables insecure public Wi-Fi to provide a secure private connection to a website that supports VPNs.
  • A VPN connection enables the user to bypass blocks on websites in certain areas.  By using a VPN, a user can access social networks or search tools in countries where access is restricted or can use media subscription sites for areas other than where they live, such as a different country’s Netflix or other streaming service.
  • A VPN connection hides activity from the user’s normal ISP because their internet traffic (including P2P torrents) is tunneling through the ISPs connections and is therefore invisible.

Some VPN connections are free, whereas others charge a monthly rate.  Free connections are usually limited in terms of geographical coverage, servers, or monthly data caps.  To learn how to set up a VPN connection in Windows 10, click HERE.

Mobile Application

Although iOS and Android devices are encrypted automatically when you set up a PIN or passcode, you don’t have encryption for messages and emails unless you install secure messaging and email apps and your recipients have matching apps.  The leading secure messaging apps for iOS and Android include Signal, Wire, Wickr, and WhatsApp. These apps are available at the default app stores for your device.

Related Items