1
00:00:00,340 --> 00:00:03,500
<v ->Disk encryption. Encryption is a process</v>

2
00:00:03,500 --> 00:00:06,780
that scrambles data into unreadable information.

3
00:00:06,780 --> 00:00:09,070
It does this to ensure that nobody can read it

4
00:00:09,070 --> 00:00:11,490
except the person who holds the secret key.

5
00:00:11,490 --> 00:00:13,680
This ensures confidentiality.

6
00:00:13,680 --> 00:00:16,750
If you have the key, you can unlock that randomized data

7
00:00:16,750 --> 00:00:19,400
and translate it back into something readable.

8
00:00:19,400 --> 00:00:21,400
Think about it like a magic machine.

9
00:00:21,400 --> 00:00:23,100
The information goes in one side,

10
00:00:23,100 --> 00:00:25,580
and out the other side comes a jumbled mess.

11
00:00:25,580 --> 00:00:27,220
Without that key, you don't know

12
00:00:27,220 --> 00:00:29,110
how to read the jumbled mess.

13
00:00:29,110 --> 00:00:31,680
Another example of this is actually language.

14
00:00:31,680 --> 00:00:33,670
I'm speaking English right now.

15
00:00:33,670 --> 00:00:35,670
If I spoke English into my machine

16
00:00:35,670 --> 00:00:37,610
and out the other side came Spanish,

17
00:00:37,610 --> 00:00:39,260
and you didn't understand Spanish,

18
00:00:39,260 --> 00:00:41,830
it would be encrypted and you wouldn't understand it.

19
00:00:41,830 --> 00:00:44,600
But if you knew the key, meaning you understood Spanish,

20
00:00:44,600 --> 00:00:47,350
you could understand everything that was being said.

21
00:00:47,350 --> 00:00:49,660
There are two different types of encryption,

22
00:00:49,660 --> 00:00:52,250
hardware-based and software-based.

23
00:00:52,250 --> 00:00:53,240
The first one we're going to talk

24
00:00:53,240 --> 00:00:55,360
about is hardware-based encryption.

25
00:00:55,360 --> 00:00:58,380
A great example of this is a self-encrypting drive.

26
00:00:58,380 --> 00:01:00,390
It looks like an external hard drive,

27
00:01:00,390 --> 00:01:02,910
and it has embedded hardware that performs

28
00:01:02,910 --> 00:01:05,450
full disk or whole disk encryption.

29
00:01:05,450 --> 00:01:08,100
These are very fast, unfortunately,

30
00:01:08,100 --> 00:01:11,750
they're also very expensive, so they're not commonly used.

31
00:01:11,750 --> 00:01:14,670
Instead, most people use software-based encryption

32
00:01:14,670 --> 00:01:17,440
in the marketplace and in our organizations.

33
00:01:17,440 --> 00:01:19,200
Luckily for us, there are two forms

34
00:01:19,200 --> 00:01:21,530
of whole disk encryption already embedded

35
00:01:21,530 --> 00:01:25,160
into our operating systems if we're using Mac or Windows.

36
00:01:25,160 --> 00:01:28,670
In a Mac, we have a system called FileVault where we can turn

37
00:01:28,670 --> 00:01:31,380
on whole disk encryption with a single click.

38
00:01:31,380 --> 00:01:32,940
This is located under your system

39
00:01:32,940 --> 00:01:35,640
preferences and under the security tab.

40
00:01:35,640 --> 00:01:38,770
On Windows, we use a system called BitLocker.

41
00:01:38,770 --> 00:01:41,140
BitLocker, again, is very easy to turn on.

42
00:01:41,140 --> 00:01:44,390
If I want to encrypt my D drive I simply right-click it,

43
00:01:44,390 --> 00:01:46,090
turn on BitLocker, and then I'll be able

44
00:01:46,090 --> 00:01:49,320
to encrypt the entire drive with a single click.

45
00:01:49,320 --> 00:01:52,400
As I said previously, encryption requires a key.

46
00:01:52,400 --> 00:01:54,640
And when you're using BitLocker specifically,

47
00:01:54,640 --> 00:01:56,720
you're actually going to be using a hardware key

48
00:01:56,720 --> 00:01:58,660
that resides on your motherboard.

49
00:01:58,660 --> 00:02:02,230
It's called the Trusted Platform Module, or TPM.

50
00:02:02,230 --> 00:02:04,880
This TPM chip resides on the motherboard

51
00:02:04,880 --> 00:02:07,600
and it contains the encryption key inside of it.

52
00:02:07,600 --> 00:02:09,120
This is what BitLocker is going

53
00:02:09,120 --> 00:02:11,310
to use to encrypt your drive.

54
00:02:11,310 --> 00:02:13,730
So, if you're going to take that hard drive out and put it

55
00:02:13,730 --> 00:02:17,350
into another system, you have to decrypt that drive first,

56
00:02:17,350 --> 00:02:18,950
otherwise, you're not going to be able

57
00:02:18,950 --> 00:02:21,240
to decrypt it on the other system because it has

58
00:02:21,240 --> 00:02:24,620
a different TPM module and different secret key.

59
00:02:24,620 --> 00:02:26,810
If your motherboard doesn't have TPM,

60
00:02:26,810 --> 00:02:29,290
you still can use BitLocker, but instead,

61
00:02:29,290 --> 00:02:32,740
you have to use an external USB drive as a key.

62
00:02:32,740 --> 00:02:35,010
It'll store the key on that USB drive.

63
00:02:35,010 --> 00:02:37,830
But if you use that USB drive, you're never going to be able

64
00:02:37,830 --> 00:02:40,110
to unlock that hard drive again.

65
00:02:40,110 --> 00:02:42,320
Because every time you boot up that computer,

66
00:02:42,320 --> 00:02:43,390
you have to make sure you have

67
00:02:43,390 --> 00:02:47,280
that USB key inserted so it can unlock the drive.

68
00:02:47,280 --> 00:02:49,100
Both BitLocker and FileVault

69
00:02:49,100 --> 00:02:51,010
use the same type of encryption.

70
00:02:51,010 --> 00:02:55,589
They use Advanced Encryption Standard, also known as AES.

71
00:02:55,589 --> 00:02:59,710
AES is a symmetric key encryption that supports 128-bit

72
00:02:59,710 --> 00:03:03,400
and 256-bit keys and is considered unbreakable

73
00:03:03,400 --> 00:03:05,460
as of the time of this recording.

74
00:03:05,460 --> 00:03:08,550
Encryption sounds like a wonderful thing, and it is.

75
00:03:08,550 --> 00:03:11,410
It secures our data and keeps prying eyes out.

76
00:03:11,410 --> 00:03:13,640
But it does have some drawbacks.

77
00:03:13,640 --> 00:03:16,180
Encryption adds additional security for us,

78
00:03:16,180 --> 00:03:19,530
but it comes with a lower performance for your system.

79
00:03:19,530 --> 00:03:21,760
If I'm doing whole disk encryption, that means

80
00:03:21,760 --> 00:03:23,720
before I can even boot up the computer

81
00:03:23,720 --> 00:03:26,370
and read things from that drive, I have to decrypt it,

82
00:03:26,370 --> 00:03:28,930
and that takes time and processing.

83
00:03:28,930 --> 00:03:31,840
So, you have to remember there is a sacrifice in speed

84
00:03:31,840 --> 00:03:34,910
and performance when you're using full disk encryption.

85
00:03:34,910 --> 00:03:37,070
Because of this performance hit, some people

86
00:03:37,070 --> 00:03:39,600
decide not to use full disk encryption.

87
00:03:39,600 --> 00:03:42,560
Instead, they rely on file-level encryption.

88
00:03:42,560 --> 00:03:45,750
In Windows, we use a system called EFS

89
00:03:45,750 --> 00:03:48,050
or the Encrypting File System.

90
00:03:48,050 --> 00:03:49,980
For example, if I have a hard drive

91
00:03:49,980 --> 00:03:52,000
with a folder called finances in it,

92
00:03:52,000 --> 00:03:53,610
and I wanted to make sure nobody could read

93
00:03:53,610 --> 00:03:57,090
that particular folder but me, I could go in, right-click

94
00:03:57,090 --> 00:04:00,140
that folder, and set up the EFS to be enabled on it.

95
00:04:00,140 --> 00:04:03,020
But going back to our security performance issue,

96
00:04:03,020 --> 00:04:05,950
there is a way that we can speed up encryption.

97
00:04:05,950 --> 00:04:08,350
We can use hardware-based encryption.

98
00:04:08,350 --> 00:04:10,920
It's much faster than using software-based encryption

99
00:04:10,920 --> 00:04:12,600
because we have dedicated hardware

100
00:04:12,600 --> 00:04:14,620
to do the processing for us.

101
00:04:14,620 --> 00:04:16,290
One of the ways we do that is using

102
00:04:16,290 --> 00:04:19,690
a hardware security module, or HSM.

103
00:04:19,690 --> 00:04:22,370
An HSM is a physical device that acts

104
00:04:22,370 --> 00:04:24,800
as a secure cryptoprocessor during

105
00:04:24,800 --> 00:04:27,630
the encryption process or during digital signing,

106
00:04:27,630 --> 00:04:29,710
which is also an encryption process.

107
00:04:29,710 --> 00:04:32,610
HSMs come in many forms, but most commonly

108
00:04:32,610 --> 00:04:34,310
you'll see them as an adapter card

109
00:04:34,310 --> 00:04:37,830
that plugs in through a USB or a network-attached device.

110
00:04:37,830 --> 00:04:39,950
These devices are generally tamper-proof

111
00:04:39,950 --> 00:04:41,800
and they have a high level of security.

112
00:04:41,800 --> 00:04:44,810
But they're also very expensive, so most people

113
00:04:44,810 --> 00:04:47,450
aren't going to find these inside their organization.

114
00:04:47,450 --> 00:04:50,963
Most organizations still rely on software-based encryption.