Drivers Data Encryption Others

What is device encryption?

Device encryption helps protect your data, and it's available on a wide range of Windows devices. If you turn on device encryption, the data on your device can only be accessed by people who've been authorized. If device encryption isn't available on your device, you may be able to turn on standard BitLocker encryption instead.

  • Enable data protection with drive, file, folder, removable media encryption, and data protection for cloud storage. This suite includes data encryption integrated with centralized management and encryption for Apple FileVault and Microsoft BitLocker to prevent unauthorized access and loss or theft of sensitive data.
  • Process access restriction makes on-the-fly file encryption driver development more complicated. User session data security means that only a limited range of applications has access to decrypted data; other applications should receive encrypted data when they try to read it from a file.
  • Get the fastest, most scalable application performance for data integration with DataDirect ODBC drivers. Available for all major big data, relational, and SaaS/cloud data sources.
  • To be able to encrypt and decrypt the data, the application must use an Always Encrypted-enabled driver that interfaces with SQL Server 2016. It is this driver that carries out the actual encryption and decryption.
Encryption

To encrypt data in transit between clients and DB2 databases, you can use the DATAENCRYPT authentication type, or the DB2 database system's support for Secure Sockets Layer (SSL). Note: DATAENCRYPT and SERVERENCRYPT.

Note: BitLocker is not available on Windows 10 Home edition.

Is it available on my device?

Device encryption is available on supported devices running any Windows 10 edition. If you want to use standard BitLocker encryption instead, it's available on supported devices running Windows 10 Pro, Enterprise, or Education. Some devices have both types of encryption. For example, a Surface Pro which runs Windows 10 Pro has both the simplified device encryption experience, and the full BitLocker management controls. Not sure which version of Windows you have? See Which Windows operating system am I running?

To see if you can use device encryption

  1. In the search box on the taskbar, type System Information, right-click System Information in the list of results, then select Run as administrator. Or you can select the Start button, and then under Windows Administrative Tools, select System Information.

  2. At the bottom of the System Information window, find Device Encryption Support. If the value says Meets prerequisites, then device encryption is available on your device. If it isn't available, you may be able to use standard BitLocker encryption instead.

To turn on device encryption

  1. Sign in to Windows with an administrator account (you may have to sign out and back in to switch accounts). For more info, see Create a local or administrator account in Windows 10.

  2. Select the Start button, then select Settings > Update & Security > Device encryption. If Device encryption doesn't appear, it isn't available. You may be able to turn on standard BitLocker encryption instead.

  3. If device encryption is turned off, select Turn on.

To turn on standard BitLocker encryption

  1. Sign in to your Windows device with an administrator account (you may have to sign out and back in to switch accounts). For more info, see Create a local or administrator account in Windows 10.

  2. In the search box on the taskbar, type Manage BitLocker and then select it from the list of results. Or you can select the Start button, and then under Windows System, select Control Panel. In Control Panel, select System and Security, and then under BitLocker Drive Encryption, select Manage BitLocker.

    Note: You'll only see this option if BitLocker is available for your device. It isn't available on Windows 10 Home edition.

  3. Select Turn on BitLocker and then follow the instructions. (If BitLocker is turned on and you want to turn it off, select Turn off BitLocker.)

Additional resources

If your device requires a recovery key to unlock, see Find your recovery key.

Understand the basic elements of encryption for data security in OneDrive for Business and SharePoint Online.

Security and data encryption in Office 365

Microsoft 365 is a highly secure environment that offers extensive protection in multiple layers: physical data center security, network security, access security, application security, and data security. This article specifically focuses on the in-transit and at-rest encryption side of data security for OneDrive for Business and SharePoint Online.

Encryption of data in transit

In OneDrive for Business and SharePoint Online, there are two scenarios in which data enters and exits the datacenters.

  • Client communication with the server: Communication to OneDrive for Business across the Internet uses SSL/TLS connections. All SSL connections are established using 2048-bit keys.

  • Data movement between datacenters: The primary reason to move data between datacenters is for geo-replication to enable disaster recovery. For instance, SQL Server transaction logs and blob storage deltas travel along this pipe. While this data is already transmitted by using a private network, it is further protected with best-in-class encryption.

Encryption of data at rest

Encryption at rest includes two components: BitLocker disk-level encryption and per-file encryption of customer content.

BitLocker is deployed for OneDrive for Business and SharePoint Online across the service. Per-file encryption is also used in OneDrive for Business and SharePoint Online in Microsoft 365 multi-tenant and new dedicated environments that are built on multi-tenant technology.

While BitLocker encrypts all data on a disk, per-file encryption goes even further by including a unique encryption key for each file. Further, every update to every file is encrypted using its own encryption key. Before they're stored, the keys to the encrypted content are stored in a physically separate location from the content. Every step of this encryption uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. The encrypted content is distributed across a number of containers throughout the datacenter, and each container has unique credentials. These credentials are stored in a separate physical location from either the content or the content keys.

For additional information about FIPS 140-2 compliance, see FIPS 140-2 Compliance.

File-level encryption at rest takes advantage of blob storage to provide for virtually unlimited storage growth and to enable unprecedented protection. All customer content in OneDrive for Business and SharePoint Online will be migrated to blob storage. Here's how that data is secured:

  1. All content is encrypted, potentially with multiple keys, and distributed across the datacenter. Each file to be stored is broken into one or more chunks, depending on its size. Then, each chunk is encrypted using its own unique key. Updates are handled similarly: the set of changes, or deltas, submitted by a user is broken into chunks, and each is encrypted with its own key.

  2. All of these chunks—files, pieces of files, and update deltas—are stored as blobs in our blob store. They also are randomly distributed across multiple blob containers.

  3. The 'map' used to re-assemble the file from its components is stored in the Content Database.

  4. Each blob container has its own unique credentials per access type (read, write, enumerate, and delete). Each set of credentials is held in the secure Key Store and is regularly refreshed.

In other words, there are three different types of stores involved in per-file encryption at rest, each with a distinct function:

  • Content is stored as encrypted blobs in the blob store. The key to each chunk of content is encrypted and stored separately in the content database. The content itself holds no clue as to how it can be decrypted.

  • The Content Database is a SQL Server database. It holds the map required to locate and reassemble all of the content blobs held in the blob store as well as the keys needed to decrypt those blobs.

Each of these three storage components—the blob store, the Content Database, and the Key Store—is physically separate. The information held in any one of the components is unusable on its own. This provides an unprecedented level of security. Without access to all three it is impossible to retrieve the keys to the chunks, decrypt the keys to make them usable, associate the keys with their corresponding chunks, decrypt any chunk, or reconstruct a document from its constituent chunks.
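The four-step procedure above (chunk, encrypt each chunk under its own key, scatter the blobs, keep the map and keys elsewhere) and the three-store separation described in this paragraph can be modelled in a few dozen lines. The following Go program is an added example written for this page; it is not Microsoft's code and does not reflect how the service is actually implemented. It assumes a 16-byte chunk size, uses AES-256-GCM as the concrete AES mode (the page says only "AES with 256-bit keys"), assigns random hex IDs to stand in for blob containers, and models the Key Store as holding a single key-encryption key (KEK) under which every chunk key is wrapped before it is written to the content database. All of these are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Chunk size is an assumption for this demo; the page does not state the service's.
const chunkSize = 16

// randomBytes returns n bytes from crypto/rand; a failure there is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds an AES-GCM AEAD; every key in this demo is 32 bytes (AES-256).
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with AES-256-GCM under a fresh nonce: nonce || ciphertext || tag.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered blob fails GCM authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// The three stores. Each is useless on its own.
type BlobStore map[string][]byte // ciphertext chunks only; no keys, no map
type ChunkRef struct {
	BlobID     string
	WrappedKey []byte // chunk key, itself encrypted under the Key Store's KEK
}
type ContentDB map[string][]ChunkRef // per-file map: chunk locations and wrapped keys
type KeyStore struct{ KEK []byte }   // modelled as one AES-256 key-encryption key (assumption)

func NewKeyStore() KeyStore { return KeyStore{KEK: randomBytes(32)} }

// StoreFile splits content into chunks, encrypts each under its own fresh key,
// scatters the ciphertext into the blob store and records the wrapped key and
// blob location in the content database.
func StoreFile(fileID string, content []byte, blobs BlobStore, db ContentDB, ks KeyStore) {
	refs := []ChunkRef{}
	for off := 0; off < len(content); off += chunkSize {
		end := off + chunkSize
		if end > len(content) {
			end = len(content)
		}
		chunkKey := randomBytes(32)
		blobID := hex.EncodeToString(randomBytes(8)) // stands in for a container assignment
		blobs[blobID] = seal(chunkKey, content[off:end])
		refs = append(refs, ChunkRef{BlobID: blobID, WrappedKey: seal(ks.KEK, chunkKey)})
	}
	db[fileID] = refs
}

// RetrieveFile needs all three stores: the map and wrapped keys from the content
// database, the KEK from the Key Store to unwrap them, and the blobs themselves.
func RetrieveFile(fileID string, blobs BlobStore, db ContentDB, ks KeyStore) ([]byte, error) {
	refs, ok := db[fileID]
	if !ok {
		return nil, fmt.Errorf("content database has no map for %q", fileID)
	}
	var out []byte
	for _, r := range refs {
		chunkKey, err := open(ks.KEK, r.WrappedKey)
		if err != nil {
			return nil, fmt.Errorf("unwrapping key for blob %s: %w", r.BlobID, err)
		}
		sealed, ok := blobs[r.BlobID]
		if !ok {
			return nil, fmt.Errorf("blob store has no blob %s", r.BlobID)
		}
		plain, err := open(chunkKey, sealed)
		if err != nil {
			return nil, fmt.Errorf("decrypting blob %s: %w", r.BlobID, err)
		}
		out = append(out, plain...)
	}
	return out, nil
}
```

Calling `RetrieveFile` with all three stores reassembles the document; withholding any one of them (an empty content database, an empty blob store, or a Key Store holding a different KEK) makes it fail, because the map, the wrapped keys and the ciphertext are each meaningless without the other two. GCM's authentication tag is what turns "wrong key" into a clean error rather than garbage output.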