Added {{R from alternative name}} tag to redirect (TW) |
User93454235 (talk | contribs) No edit summary |
'''File and folder (a.k.a. directory) encryption''' are two types of [[encryption]] that help protect the confidentiality of digital information.<ref>https://www.owasp.org/index.php/Guide_to_Cryptography</ref><ref>https://digitalguardian.com/blog/what-data-encryption</ref> Encryption may be used to provide data security at different times (e.g. [[Data_in_transit|data in transit]], [[Data_at_rest|data at rest]], etc.) using different means ([[Public-key_cryptography|public key cryptography]], [[Symmetric-key_algorithm|symmetric key cryptography]], etc.). Similarly, data at rest can be encrypted using different means. Methods for encrypting data at rest include [[Disk_encryption|Full Disk Encryption]], [https://www.jetico.com/web_help/bcve3_enterprise/html/01_introduction/02_what_is_ve.htm Partition Encryption], [https://www.jetico.com/web_help/bcve3_enterprise/html/01_introduction/02_what_is_ve.htm Volume Encryption], [[List_of_cryptographic_file_systems|File System Encryption]], Directory Encryption, File Encryption, [[Database_encryption|Database Encryption]] and Device-Level Encryption.
With full disk encryption, the entire disk is encrypted (except for the bits necessary to boot or access the disk when not using an unencrypted boot/preboot partition).<ref>http://www.kapalya.com/wp-content/uploads/2016/02/how_wholedisk_encryption_works_WP_21158817.en-us.pdf</ref> As disks can be partitioned into multiple partitions, partition encryption can be used to encrypt individual disk partitions.<ref>http://www.techrepublic.com/article/how-to-encrypt-a-single-partition-in-linux/</ref> Volumes, created by combining two or more partitions, can be encrypted using volume encryption.<ref>https://www.jetico.com/web_help/bcve3_enterprise/html/01_introduction/02_what_is_ve.htm Volume Encryption</ref> File systems, also comprised of one or more partitions, can be encrypted using file system encryption. Directories are referred to as encrypted when the files within the directory are encrypted.<ref>https://technet.microsoft.com/en-us/library/2006.05.howitworks.aspx</ref><ref>https://www.trustpds.com/</ref> File encryption encrypts a single file. Database encryption acts on the data to be stored, accepting unencrypted information and writing that information to persistent storage only after it has encrypted the data. Device-level encryption, a somewhat vague term that includes encryption-capable tape drives, can be used to offload the encryption tasks from the CPU.
==File Encryption==
File encryption software that provides encryption at the file layer can be classified into two groups.
The first group is represented by [https://technet.microsoft.com/en-us/library/2006.05.howitworks.aspx Microsoft's Encrypting File System (EFS)]. Using EFS, a file can be selected via Explorer to be encrypted. When selected, that file is encrypted and the new encrypted version replaces the unencrypted version of the file.<ref>https://www.howtogeek.com/236719/whats-the-difference-between-bitlocker-and-efs-encrypting-file-system-on-windows/</ref>
A different type of file encryption creates a new, encrypted instance of a file while leaving the original file intact. This latter method is represented by [[7-Zip]], [https://www.trustpds.com Personal Data Security (PDS)], [[WinZip]] and others.
==Directory Encryption==
As with file encryption, directory encryption software can be classified into the same two groups.
Using EFS again, a directory can be selected within Explorer to be encrypted. When this is done, the EFS file encryption described previously is applied to all the files within that directory tree.<ref>https://technet.microsoft.com/en-us/library/2006.05.howitworks.aspx</ref> Moving or copying a file from an EFS encrypted directory to an unencrypted directory will result in the file being decrypted by EFS. Similarly, moving an unencrypted file into an EFS encrypted directory will result in the file being encrypted.
The distinction between EFS and the other encryption applications presented also holds true for directory encryption. Within this group of applications, encrypting a directory results in a new encrypted directory and the original files and directories again remain intact. In this method of directory encryption, the encrypted directory is typically used as a backup that can be securely archived offline and/or offsite. This latter method is again represented by [[7-Zip]], [https://www.trustpds.com Personal Data Security (PDS)], [[WinZip]] and others.
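The second group's behaviour (a new encrypted copy of a directory, with the originals left intact) can be shown with a short script. This is an added example, not part of the original article and not how any of the products named above work internally; it uses <code>tar</code> and <code>openssl enc</code>, and the function names, paths and sample files are hypothetical. It assumes OpenSSL 1.1.1 or newer for <code>-pbkdf2</code>.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and paths are
# hypothetical. Assumes OpenSSL 1.1.1+ (for -pbkdf2) and tar.

# encrypt_dir SRC_DIR OUT_FILE PASSFILE
# Writes a new encrypted archive of SRC_DIR; SRC_DIR itself is only read.
encrypt_dir() {
    [ -d "$1" ] && [ -r "$3" ] || return 1
    # Stream tar straight into openssl so no plaintext archive touches disk.
    tar -C "$(dirname "$1")" -cf - "$(basename "$1")" |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass "file:$3" -out "$2" || return 1
    # openssl enc adds no integrity tag, so prove the archive can be read
    # back before trusting it as a backup.
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$3" -in "$2" |
        tar -tf - >/dev/null
}

# decrypt_dir ENC_FILE DEST_DIR PASSFILE
# Restores the archive under DEST_DIR. A wrong passphrase yields garbage
# that tar rejects, so the function returns non-zero.
decrypt_dir() {
    mkdir -p "$2" || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$3" -in "$1" \
        2>/dev/null | tar -C "$2" -xf - 2>/dev/null
}

# Constructed sample data: a small directory tree and a passphrase file.
# Prints the scratch directory on success.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/records/q1"
    printf 'payroll 2016\n' > "$work/records/q1/payroll.txt"
    printf 'customer list\n' > "$work/records/customers.csv"
    (umask 077; printf 'constructed-demo-passphrase\n' > "$work/pass")

    encrypt_dir "$work/records" "$work/records.tar.enc" "$work/pass" || return 1
    decrypt_dir "$work/records.tar.enc" "$work/restore" "$work/pass" || return 1
    # Originals are untouched and the restored copy is identical to them.
    diff -r "$work/records" "$work/restore/records" || return 1
    echo "$work"
}
```

Calling <code>demo</code> leaves the original tree, the encrypted archive and a restored copy side by side in a scratch directory for inspection.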
==Uses of File/Directory Encryption==
Business, industry and universities have long used "tape" to create backups of their information. As tapes are relatively inexpensive, portable and durable, best practices led to archiving some of the tape backups off site. For some organizations, this then led to the need to secure the confidential business information, which was addressed by encrypting the files as they were written to tape.
In the last decade or so, file/directory encryption to tape has gradually given way to device-level encryption, with the encryption being performed by the tape drives instead of the system CPU.<ref>http://www.lto.org/wp-content/uploads/2014/07/ESG-White-Paper-LTO-Sep-07.pdf</ref> Some examples of encryption-capable drives include the StorageTEK T10K series of drives as well as the LTO 4 (and newer) drives. With encryption-capable tape drives in the data center, encryption keys are managed and securely delivered to tape drives by dedicated key managers. Some examples of key managers include the [https://www.oracle.com/storage/tape-storage/key-manager-3/index.html Oracle Key Manager] and [[Backup_Exec|Veritas Backup Exec]].
Though higher-end tape solutions have moved away from file/directory encryption to device-level encryption, the increase in cybercrime may be causing small to mid-size companies, as well as individual consumers, to increase the use of file/directory encryption.
==Trends in File/Directory Encryption==
====Cloud Storage====
Because encrypted tape drive solutions are a significant investment, smaller businesses, and especially "startups", rely upon backup solutions that include remote ("cloud") storage as well as writing files to removable discs and/or disks.<ref>http://cw.com.hk/news/disk-and-cloud-adoption-leaving-tape-dust</ref> These backups are typically performed as file/directory backups, and they can easily be encrypted. "Small" SQL databases can be backed up to a file, and thus included as part of the business's file/directory backup.
====Cybercrime====
According to [[Europol|EUROPOL]], the European police, ransomware is a key threat and the dominant concern to certain law enforcement agencies.<ref>https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2016</ref> [[Ransomware]], which infects a system like any other form of [[Malware|malware]], delivers its payload (intended purpose) by encrypting the files in certain directories and then deleting the original files.<ref>https://hotforsecurity.bitdefender.com/blog/how-does-ransomware-work-the-ultimate-guide-to-understanding-ransomware-part-ii-11856.html</ref><ref>https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-101-what-it-is-and-how-it-works</ref> The original files are then "lost" until a ransom is paid, which is typically required to be paid in bitcoin.<ref>https://iapp.org/news/a/bitcoins-strategic-place-in-ransomware/</ref> Since the attacks use "unbreakable encryption", the victim has little choice if they want the files back: either pay the ransom, or lose the files.<ref>http://www.cnbc.com/2016/07/21/holy-bitcoin-theyve-locked-up-my-computer.html</ref> For this reason, victims of ransomware learn that they should create regular backups and save them offline*, which means they should be encrypted using file/directory encryption.
* Note: Backups to cloud storage providers that use '''syncing''' to upload files are vulnerable to ransomware.
==Software Applications for File/Directory Encryption==
There are many software applications that provide file/directory encryption. Some of those are explicitly for business, while others may be used by both businesses and consumers. Listed below are but a few of the software applications that provide file/directory encryption.
====Examples For Consumers and Businesses====
Local File/Directory Encryption:
* [[7-Zip]]
* [https://www.trustpds.com Personal Data Security (PDS)]
* [[WinZip]]
Cloud Based File/Directory Encryption:
* [[Carbonite_(online_backup)|Carbonite]]
* [[Code42|Crash Plan]]
* [[ICloud|iCloud]]
* [[SOS_Online_Backup|SOS Online Backup]]
====Examples For Enterprise-class Businesses====
* [[IBM_Tivoli_Storage_Manager|IBM Tivoli]]
* [[Backup_Exec|Veritas Backup Exec]]
* [[NetBackup|Veritas NetBackup]]
==References==