Hi, and welcome to Module 2, Lesson 6.4.
In this lesson we're going to talk about DAR encryption. DAR stands for data at rest. A lot of the same principles apply here: this is the same kind of encryption we covered in the encryption section under the network layer, the same ciphers and the same key management concerns. We're simply talking about encrypting data as it sits at rest on a disk
instead of in transit, while it's being transmitted across the network. What changes is the adversary: instead of someone on the wire, it's someone who gets hold of the storage itself.
But it's the same basic principles.
There are two major types of DAR encryption. There's full disk encryption, where we're encrypting the entire volume of a disk, the whole thing. And then there's file-level encryption, where we encrypt each individual file separately and can give different people permission to read it.
With full disk encryption, here's how that works. Let's say we've got an end user who's going to boot up their laptop.
Before the operating system even boots, the end user is prompted for a key,
which is essentially just a password. The end user enters that password. In a centrally managed deployment, that credential is checked against the management server, the key management system. It looks at its policies to determine whether the credential is correct and whether that user is allowed to decrypt that particular endpoint, that laptop.
It makes a decision and says yes, and that allows the
decryption to happen on the laptop, and at that point the operating system boots up. One caveat worth knowing: in most products the volume key itself never leaves the laptop. The password (often together with a TPM) unwraps the key locally, and the management server's job is policy, key escrow and recovery.
So the entire disk is encrypted as one blob, and until it's unlocked nothing can function, not even the operating system. If that laptop were stolen, it couldn't be decrypted. So really full disk encryption is there to protect against physical theft: if someone grabbed the whole disk
and ran off with it, they couldn't decrypt it or read its contents. The flip side is that once the machine is booted and unlocked, full disk encryption protects nothing; it defends against an offline attacker, not against malware or a logged-in user on a running system.
It can also be used to wipe a disk if it's reported stolen, through that check-in mechanism. Let's say the laptop is reported stolen. When the thief tries to boot up that system, if it's connected to the Internet and they type in some password, as soon as that call goes out to the key management server,
a command can be sent back to the laptop to wipe the whole disk. Keep in mind that this only works if the device actually reaches the server before it boots; a thief who keeps it offline is stopped by the encryption alone, which is why the encryption, not the wipe, is the real control.
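Here is a small model of that pre-boot check-in, added to this lesson as an example; it is not any vendor's protocol or product code. The key management server stores a salted PBKDF2 verifier for each enrolled device (never the passphrase itself), applies status and lockout policy, and answers UNLOCK, DENY or WIPE. Device names, passphrases and the volume bytes are constructed sample data.

```python
"""Toy model of a centrally managed FDE pre-boot check-in (constructed example)."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 5


def _verifier(passphrase: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked KMS database does not give up passphrases.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


class KeyManagementServer:
    """Holds per-device verifiers and status; decides whether a boot may proceed."""

    def __init__(self):
        self.devices = {}  # device_id -> record

    def enroll(self, device_id: str, passphrase: str) -> None:
        salt = os.urandom(16)
        self.devices[device_id] = {
            "salt": salt,
            "verifier": _verifier(passphrase, salt),
            "status": "active",
            "failures": 0,
        }

    def report_stolen(self, device_id: str) -> None:
        self.devices[device_id]["status"] = "stolen"

    def preboot_checkin(self, device_id: str, passphrase: str) -> str:
        dev = self.devices.get(device_id)
        if dev is None:
            return "DENY"
        # Stolen status is checked before the credential, so a thief who knows
        # the passphrase still triggers the wipe the moment the device phones home.
        if dev["status"] == "stolen":
            return "WIPE"
        if dev["failures"] >= MAX_FAILURES:
            return "DENY"  # locked out after too many bad attempts
        if hmac.compare_digest(_verifier(passphrase, dev["salt"]), dev["verifier"]):
            dev["failures"] = 0
            return "UNLOCK"
        dev["failures"] += 1
        return "DENY"


class Laptop:
    """The endpoint: an encrypted volume that stays opaque until the KMS says UNLOCK."""

    def __init__(self, device_id: str, kms: KeyManagementServer, volume: bytes):
        self.device_id = device_id
        self.kms = kms
        self.encrypted_volume = volume  # stand-in for the sealed disk contents
        self.state = "powered_off"

    def boot(self, passphrase: str) -> str:
        decision = self.kms.preboot_checkin(self.device_id, passphrase)
        if decision == "UNLOCK":
            self.state = "os_booted"
        elif decision == "WIPE":
            self.encrypted_volume = b""  # wipe on command from the server
            self.state = "wiped"
        else:
            self.state = "locked_preboot"
        return self.state


def demo() -> dict:
    """Walk one laptop through a bad login, a good login, and a post-theft boot."""
    kms = KeyManagementServer()
    kms.enroll("laptop-42", "correct horse battery staple")  # constructed sample
    laptop = Laptop("laptop-42", kms, volume=os.urandom(64))
    results = {}
    results["wrong_passphrase"] = laptop.boot("letmein")
    results["right_passphrase"] = laptop.boot("correct horse battery staple")
    kms.report_stolen("laptop-42")
    results["after_theft"] = laptop.boot("correct horse battery staple")
    results["volume_bytes_left"] = len(laptop.encrypted_volume)
    return results


if __name__ == "__main__":
    print(demo())
```

Two things this model leaves out that a real deployment cannot: the WIPE command must be authenticated (signed by the server) or anyone who can answer the laptop's check-in on the network can erase it, and the laptop needs a way to reach the server from the pre-boot environment in the first place.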
The next type of DAR encryption is file-level encryption. With this type, we can encrypt individual files and give certain people access to decrypt them and read the contents.
Here's the way this works. Let's take a look at an example: we've got an IT administrator who wants access to the legal server.
When the administrator connects, the legal server is going to kick off two things. First, it looks at the local policies on that server, the permissions assigned to the file being accessed: does this administrator have read/write access to the file itself?
Second, if there's a DAR encryption agent on the server, it reaches out to the key management server,
which determines whether this person is allowed to decrypt this file.
In this case, the IT administrator does not have access to decrypt the file, so that decision is sent back to the legal server. At this point the IT administrator, as you can see, has read/write access to the file itself, but does not have access to decrypt that file and read its contents.
Now, this is important because administrators, for example, may need read/write access to a file. "Read" is a little misleading here: it doesn't mean you can read the actual contents. In this case read just means you can copy the file or move it somewhere else,
and IT administrators might need that type of access because maybe they're in charge of the backups on that system.
Or maybe they're part of a help desk, and attorneys call in needing to find their files, and the administrator has to help them. They can see the files themselves; they just can't see what's in them. You need actual decrypt capability to open the file and read its contents.
Now the attorney connects to the legal server and the same process happens. This time the key management server says yes, the attorney does have access to decrypt and read the contents. It releases the key to the attorney's session on the legal file server, and that allows the attorney to actually decrypt the file and read it.
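To make the two separate checks concrete, here is a model of the legal server and its key management server, added as an example for this lesson; it is not a product's agent or anyone's production code. The cipher is a stand-in built from standard-library HMAC-SHA256 (a keystream plus encrypt-then-MAC) so it runs anywhere; a real agent would use AES-GCM or similar. Principal names, file paths, the ACL and the file contents are constructed sample data.

```python
"""Toy model of agent-based file-level encryption (constructed example)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one per-file key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream with HMAC-SHA256 as the PRF (stand-in for AES-CTR).
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything tampered with."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext failed authentication")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyManagementServer:
    """Holds per-file keys and the decrypt policy, independent of filesystem ACLs."""

    def __init__(self):
        self._keys, self._decryptors = {}, {}

    def register_file(self, path: str, decryptors) -> bytes:
        self._keys[path] = os.urandom(32)
        self._decryptors[path] = set(decryptors)
        return self._keys[path]

    def request_key(self, principal: str, path: str) -> bytes:
        if principal not in self._decryptors.get(path, set()):
            raise PermissionError(f"{principal} may not decrypt {path}")
        return self._keys[path]


class LegalServer:
    """File server with a DAR agent: stores only ciphertext on disk."""

    def __init__(self, kms: KeyManagementServer):
        self.kms, self.blobs, self.acl = kms, {}, {}

    def store(self, path: str, plaintext: bytes, acl: dict, decryptors) -> None:
        key = self.kms.register_file(path, decryptors)
        self.blobs[path] = seal(key, plaintext)
        self.acl[path] = dict(acl)

    def copy_file(self, principal: str, path: str) -> bytes:
        # Check 1: filesystem ACL only. Enough to back up or move the ciphertext.
        if "r" not in self.acl[path].get(principal, ""):
            raise PermissionError(f"{principal} has no read access to {path}")
        return self.blobs[path]

    def read_contents(self, principal: str, path: str) -> bytes:
        # Check 2: KMS decrypt policy, on top of check 1.
        blob = self.copy_file(principal, path)
        return unseal(self.kms.request_key(principal, path), blob)


def demo() -> dict:
    """IT admin can copy the file for backup; only the attorney can read it."""
    kms, path = KeyManagementServer(), "/legal/merger-draft.docx"
    srv = LegalServer(kms)
    srv.store(path, b"draft terms: confidential", acl={"it-admin": "rw", "attorney": "rw"},
              decryptors={"attorney"})
    results = {"admin_can_copy": b"confidential" not in srv.copy_file("it-admin", path)}
    try:
        srv.read_contents("it-admin", path)
        results["admin_can_decrypt"] = True
    except PermissionError:
        results["admin_can_decrypt"] = False
    results["attorney_reads"] = srv.read_contents("attorney", path)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the backup the administrator takes is still useful: the attorney can decrypt the copied blob later with the same key from the KMS, so backups and restores work without ever exposing plaintext to the operator. In a real agent the key is released only to the agent's protected memory, not handed to the user's process as it is here.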
So this is how you use file-level encryption within DAR encryption to get much more granular control than full disk encryption: you're controlling access at the level of individual files, versus full disk encryption, where you're encrypting the entire volume and it's either on or off.
That wraps up our lesson on DAR encryption. Next up, we're going to talk about file integrity monitoring.