A security measure for data at-rest against Data Tampering
Working in an organization nowadays means working with some security constraints in order to protect critical data. Since one of the most critical assets of an organization can reside in its data, it is one of its top priorities of businesses to prevent data from being tampered with. When you work with devices such as an external hard drive, USB key or laptop, you are exposed to vulnerable data loss with data tampering attacks. One way to protect those devices is encryption. On a laptop it can take two forms:
- Volume encryption: Encrypt data in your /home folder
- Full disk encryption: Encrypt your disk including your operating system
Those processes can protect your data at-rest from being accessed. But these two methods have pros and cons that come with using them.
Home encryption versus full disk encryption
When it comes to encryption, most people prefer to only encrypt /home folder. It is easier than full disk but it still has some cons when compared with full disk encryption:
- Data outside your /home folder encrypted
→ Some programs write data in /tmp, log files which can contain some sensitive data are in /var/log, swap data from memory usage.
- Data at-Rest: Protection against tampering
→ Data tampering attacks consist in tampering PMU data package (Phasor Measurement Units) by modifying or changing its content in order to damage or change the configuration of a network, a system, modify user credentials to gain access to sensitive data, etc.
- Protection of password, user login, wifi, database, etc...
→ Encrypt your /home file won’t protect data stored in /etc/shadow (which contains actual password data, Some other passwords can be stored in the /lib/service directory of the software you are using (for example mysql or postgresql databases)
But still, we need to talk about the cons of having a fully encrypted disk. It is the right way to protect your data at-rest, but still a hard process to follow. You’ll need to back up all of your data and, for Linux users, reinstall your system with encryption.
How to encrypt it?
Let’s see how to encrypt your /home folder or full disk encrypt:
Mac has some program doing the full encryption perfectly, without the need for a full reinstall. You’ll need to turn on and set up FileVault: https://support.apple.com/en-us/HT204837
- Linux - Ubuntu 18.04, 20.04:
On Linux, it can be a bit harder, if you are looking for a /home encryption, you can use ecryptfs after your OS installation: https://help.ubuntu.com/community/EncryptedHome
For full encryption, you’ll need to reinstall your system from the start in order to ready your system and partition to encrypt: https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
- Windows 10:
Turn on device encryption on Windows by using default device encryption in Settings → Device encryption. If it doesn’t appear, turn on BitLocker encryption. You’ll need to sign in to Windows with an administrator account and then, with your Microsoft account, turn on Encryption with default tool or BitLocker (you can add it in the search box on the task bar).
Now your data at-rest is protected. You might want to know how to protect your data in motion by setting up an SSH Bastion on AWS with Terraform.