Encryption is key to making sure that your data is protected. It’s also an easy best practice to include in your security policies. SOC 2, a common security framework, has one of the five Trust Service Criteria, Confidentiality, that dictates confidential information must be encrypted to limit access by unqualified parties. This encryption process can vary between systems and devices, so we’re going to break it down one at a time for you, starting with Windows 10 and Bitlocker. Show
BitLocker is Microsoft’s proprietary disk encryption software for Windows 10. Following these eight steps will make sure your data is safe and protected. Plus it’s free and you don’t have to install anything. You can use BitLocker to encrypt your entire drive, as well as protect against unauthorized changes to your system like firmware-level malware. How to Encrypt Your Hard Drive in Windows 10
Note: BitLocker is not available on Windows 10 Home edition, but there is a similar feature for device encryption. Why You Should Encrypt Your FilesThe nightmare situation would be if your laptop was stolen and had a million social security numbers, or bank information, stored on it. Unencrypted. Or let’s say, the private information on 2,500 participants in a clinical trial stolen from the truck of a worker’s car. Unencrypted. None of us want to be in that situation. If you don’t store information like that on your computer, and you only use it at home, then you don’t need to use encryption. But it’s still a good idea. Encryption is especially relevant for people who are concerned about data breaches. And companies often require it in information security policies. These information security policies and procedures at your company are incredibly important. You don’t want to learn your company laptop was not only stolen but had unencrypted data, in violation of your corporate security policies. Encryption and Security PoliciesAn encryption policy is a basic, easy-to-implement way to make yourself or your business more secure. You will likely have to create your own security policies if you have a small business or startup. You don’t have to write security policies from scratch though. We have a cheat sheet if you do want to make your own encryption policy, you can look for templates for security policies, or use the Carbide Platform to automatically generate custom security policies. Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.[1] For nearly all cryptosystems, one of the most difficult challenges is "key management" – in part, how to securely store the decryption key. If the key is stored in plain text, then any user that can access the key can access the encrypted data. If the key is to be encrypted, another key is needed, and so on. DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets, or in the case of system encryption, using the system's domain authentication secrets. The DPAPI keys used for encrypting the user's RSA keys are stored under Security properties[edit]DPAPI doesn't store any persistent data for itself; instead, it simply receives plaintext and returns ciphertext (or conversely). DPAPI security relies upon the Windows operating system's ability to protect the master key and RSA private keys from compromise, which in most attack scenarios is most highly reliant on the security of the end user's credentials. A main encryption/decryption key is derived from user's password by PBKDF2 function.[2] Particular data binary large objects can be encrypted in a way that salt is added and/or an external user-prompted password (aka "Strong Key Protection") is required. The use of a salt is a per-implementation option – i.e. under the control of the application developer – and is not controllable by the end user or system administrator. Delegated access can be given to keys through the use of a COM+ object. This enables IIS web servers to use DPAPI. Active Directory backup keys[edit]When a computer is a member of a domain, DPAPI has a backup mechanism to allow data deprotection in case the user's password is lost, which is named "Credential Roaming". When installing a new domain on a domain controller, a public and private key pair is generated, associated with DPAPI. When a master key is generated on a client workstation, the client communicates through an authenticated RPC call with a domain controller to retrieve a copy of the domain's public key. The client encrypts the master key with the domain controller's public key. Finally, it stores this new backup master key in its AppData directory, just like traditional master key storage. Use of DPAPI by Microsoft software[edit]While not universally implemented in all Microsoft products, the use of DPAPI by Microsoft products has increased with each successive version of Windows. However, many applications from Microsoft and third-party developers still prefer to use their own protection approach or have only recently switched to use DPAPI. For example, Internet Explorer versions 4.0–6.0, Outlook Express and MSN Explorer used the older Protected Storage (PStore) API to store saved credentials such as passwords etc. Internet Explorer 7 now protects stored user credentials using DPAPI.[3]
References[edit]
External links[edit]
How can I protect my computer data?Here are some practical steps you can take today to tighten up your data security.. Back up your data. ... . Use strong passwords. ... . Take care when working remotely. ... . Be wary of suspicious emails. ... . Install anti-virus and malware protection. ... . Don't leave paperwork or laptops unattended. ... . Make sure your Wi-Fi is secure.. How can I protect my drive in Windows 10?How to Encrypt Your Hard Drive in Windows 10. Locate the hard drive you want to encrypt under “This PC” in Windows Explorer.. Right-click the target drive and choose “Turn on BitLocker.”. Choose “Enter a Password.”. Enter a secure password.. What Privacy settings should I use on Windows?How to protect your privacy in Windows 10. Turn off ad tracking.. Turn off location tracking.. Turn off Timeline.. Curb Cortana.. Ditch a Microsoft account for a local account.. Change your app permissions.. Control and delete diagnostic data.. Use Microsoft's Privacy Dashboard.. |