WEBVTT

1
00:00:00.000 --> 00:00:01.320
In this lesson,

2
00:00:01.320 --> 00:00:03.791
we will learn about host-based encryption.

3
00:00:03.791 --> 00:00:07.890
Host-based encryption is encryption of data managed

4
00:00:07.890 --> 00:00:11.070
and controlled by the local operating system.

5
00:00:11.070 --> 00:00:14.310
Both Windows and Linux-based operating systems

6
00:00:14.310 --> 00:00:17.310
employ a type of host-based encryption.

7
00:00:17.310 --> 00:00:21.210
In Windows, file and volume level host-based encryption

8
00:00:21.210 --> 00:00:23.280
is offered by BitLocker.

9
00:00:23.280 --> 00:00:27.210
In Linux, the Linux Unified Key Setup, or LUKS,

10
00:00:27.210 --> 00:00:30.810
is used to encrypt disk partitions and files.

11
00:00:30.810 --> 00:00:33.870
Let's learn more about host-based encryption.

12
00:00:33.870 --> 00:00:38.490
Host-based encryption is used for securing data at rest,

13
00:00:38.490 --> 00:00:42.210
which means protecting the contents of a storage device

14
00:00:42.210 --> 00:00:45.000
when the operating system is not running.

15
00:00:45.000 --> 00:00:46.650
This approach is essential

16
00:00:46.650 --> 00:00:50.610
for preventing unauthorized access to sensitive data,

17
00:00:50.610 --> 00:00:55.290
especially if someone gains physical access to the device.

18
00:00:55.290 --> 00:00:58.529
In Windows, one of the most commonly used tools

19
00:00:58.529 --> 00:01:01.851
for local drive encryption is BitLocker.

20
00:01:01.851 --> 00:01:05.310
BitLocker is built into Microsoft Windows

21
00:01:05.310 --> 00:01:09.210
and uses the Advanced Encryption Standard, or AES,

22
00:01:09.210 --> 00:01:12.570
to encrypt the entire disk at one time.

23
00:01:12.570 --> 00:01:17.570
BitLocker often relies on a Trusted Platform Module, or TPM,

24
00:01:17.670 --> 00:01:19.950
which is a secure hardware component

25
00:01:19.950 --> 00:01:22.500
that helps manage encryption keys securely

26
00:01:22.500 --> 00:01:24.330
within the device.

27
00:01:24.330 --> 00:01:27.395
This combination makes BitLocker a good solution

28
00:01:27.395 --> 00:01:30.630
for protecting data on Windows systems,

29
00:01:30.630 --> 00:01:33.870
ensuring that even if a computer is stolen

30
00:01:33.870 --> 00:01:36.000
or accessed without permission,

31
00:01:36.000 --> 00:01:38.100
the data remains inaccessible

32
00:01:38.100 --> 00:01:40.620
without the correct credentials.

33
00:01:40.620 --> 00:01:44.340
In Linux, the equivalent tool for full disk encryption

34
00:01:44.340 --> 00:01:45.600
is Cryptsetup,

35
00:01:45.600 --> 00:01:49.680
which is commonly used with the Linux Unified Key Setup,

36
00:01:49.680 --> 00:01:50.641
or LUKS.

37
00:01:50.641 --> 00:01:53.790
Cryptsetup provides a similar level of protection

38
00:01:53.790 --> 00:01:57.210
as BitLocker by using AES encryption

39
00:01:57.210 --> 00:01:59.730
to secure the entire drive.

40
00:01:59.730 --> 00:02:02.705
The implementation involves setting up LUKS,

41
00:02:02.705 --> 00:02:06.420
which acts as a layer that manages encryption keys

42
00:02:06.420 --> 00:02:08.970
and ensures data is encrypted

43
00:02:08.970 --> 00:02:13.350
before being written to the disk and decrypted when read.

44
00:02:13.350 --> 00:02:17.241
Like BitLocker, Cryptsetup helps protect data at rest,

45
00:02:17.241 --> 00:02:22.241
making it unreadable without the correct passphrase or key.

46
00:02:22.470 --> 00:02:25.410
This is particularly useful in environments

47
00:02:25.410 --> 00:02:28.365
where Linux is used for servers, desktops,

48
00:02:28.365 --> 00:02:30.436
or portable devices,

49
00:02:30.436 --> 00:02:35.436
providing a flexible, yet powerful way to secure data.

50
00:02:35.460 --> 00:02:39.270
For Mac users, FileVault is the equivalent tool,

51
00:02:39.270 --> 00:02:42.660
offering full disk encryption directly integrated

52
00:02:42.660 --> 00:02:45.330
into the Mac operating system.

53
00:02:45.330 --> 00:02:48.969
FileVault uses the same AES encryption standard

54
00:02:48.969 --> 00:02:52.200
to secure data on Apple devices,

55
00:02:52.200 --> 00:02:54.794
ensuring that sensitive information is protected

56
00:02:54.794 --> 00:02:59.100
when the computer is shut down or left unattended.

57
00:02:59.100 --> 00:03:02.220
Now let's do a quick demonstration.

58
00:03:02.220 --> 00:03:03.930
In this demonstration,

59
00:03:03.930 --> 00:03:07.590
we will be detailing how to conduct full disk encryption

60
00:03:07.590 --> 00:03:11.730
on a Linux machine with Cryptsetup and LUKS.

61
00:03:11.730 --> 00:03:12.871
For this demonstration,

62
00:03:12.871 --> 00:03:16.860
Cryptsetup and LUKS are already installed and configured

63
00:03:16.860 --> 00:03:19.890
on this Kali Linux virtual machine.

64
00:03:19.890 --> 00:03:24.863
Additionally, a disk called /dev/sdb

65
00:03:24.863 --> 00:03:27.900
has been created for encryption.

66
00:03:27.900 --> 00:03:31.530
First, let's confirm the disk we want to encrypt

67
00:03:31.530 --> 00:03:34.260
by using the lsblk command

68
00:03:34.260 --> 00:03:37.650
to list all connected storage devices.

69
00:03:37.650 --> 00:03:41.100
We can see that the disk SDB exists.

70
00:03:41.100 --> 00:03:44.490
That's the disk we will encrypt.

71
00:03:44.490 --> 00:03:46.200
Second, before encrypting,

72
00:03:46.200 --> 00:03:50.670
we need to make sure that the SDB disk is unmounted.

73
00:03:50.670 --> 00:03:53.160
Let's do this with the following command,

74
00:03:53.160 --> 00:03:57.742
sudo umount /dev/sdb.

75
00:03:57.742 --> 00:03:59.160
All right, there we go.

76
00:03:59.160 --> 00:04:01.140
It is not mounted.

77
00:04:01.140 --> 00:04:02.970
Third, just to be safe,

78
00:04:02.970 --> 00:04:05.760
let's wipe the disk with random data.

79
00:04:05.760 --> 00:04:08.760
We'll do this with the following command,

80
00:04:08.760 --> 00:04:13.760
sudo dd input file equals /dev/urandom

81
00:04:15.581 --> 00:04:20.581
then output file /dev/sdb bs for block size,

82
00:04:21.297 --> 00:04:25.380
and we'll choose one megabit of data at a time.

83
00:04:25.380 --> 00:04:28.470
And finally, we'll use the status progress

84
00:04:28.470 --> 00:04:31.410
to let us view the progress of this command

85
00:04:31.410 --> 00:04:32.493
as it's occurring.

86
00:04:34.080 --> 00:04:34.913
There we go.

87
00:04:34.913 --> 00:04:37.350
We can see the status happening right now.

88
00:04:37.350 --> 00:04:38.880
This could take some time

89
00:04:38.880 --> 00:04:42.453
depending upon the size of the disk or drive.

90
00:04:43.740 --> 00:04:45.300
It's done.

91
00:04:45.300 --> 00:04:49.419
Fourth, let's initialize LUKS on the SDB drive

92
00:04:49.419 --> 00:04:51.990
to set up encryption headers.

93
00:04:51.990 --> 00:04:54.870
We'll do this with the following command,

94
00:04:54.870 --> 00:04:59.870
sudo cryptsetup luksFormat and then /dev/sdb.

95
00:05:07.860 --> 00:05:11.820
Since we'll be overriding this data irrecoverably,

96
00:05:11.820 --> 00:05:15.630
then we'll choose to type YES in capital letters

97
00:05:15.630 --> 00:05:17.673
to go ahead and complete this command.

98
00:05:19.350 --> 00:05:22.160
Next, we'll have to enter a secure passphrase

99
00:05:22.160 --> 00:05:26.043
that will be used to lock and unlock the disk.

100
00:05:27.390 --> 00:05:30.573
I'm just going to use password.

101
00:05:34.590 --> 00:05:36.273
This might take a second.

102
00:05:37.950 --> 00:05:39.630
And there we go.

103
00:05:39.630 --> 00:05:43.230
Fifth, we'll need to open the encrypted disk

104
00:05:43.230 --> 00:05:47.010
and create a mapped device called encrypted disk.

105
00:05:47.010 --> 00:05:49.590
We'll do this with the following command,

106
00:05:49.590 --> 00:05:54.590
sudo cryptsetup open /dev/sdb and encrypted_disk.

107
00:05:59.730 --> 00:06:03.810
As we mentioned, we're going to need that passphrase again

108
00:06:03.810 --> 00:06:06.150
to unlock this disk.

109
00:06:06.150 --> 00:06:07.650
And it's done.

110
00:06:07.650 --> 00:06:10.110
Sixth, now that the disk is mapped,

111
00:06:10.110 --> 00:06:12.300
we can create a file system.

112
00:06:12.300 --> 00:06:15.870
Here, we'll use an EXT4 file system

113
00:06:15.870 --> 00:06:17.880
with the following command,

114
00:06:17.880 --> 00:06:22.880
sudo mkfs.ext4 /dev/mapper and encrypted_disk.

115
00:06:33.990 --> 00:06:36.810
All right, that has been completed.

116
00:06:36.810 --> 00:06:39.600
Seventh, we'll mount the encrypted disk

117
00:06:39.600 --> 00:06:43.470
to a directory called /mnt, or mount,

118
00:06:43.470 --> 00:06:45.300
using the following command,

119
00:06:45.300 --> 00:06:50.300
sudo mount /dev/mapper/encrypted_disk and /mnt.

120
00:06:53.610 --> 00:06:55.350
Okay, that's done.

121
00:06:55.350 --> 00:06:57.540
Eighth, let's confirm the setup

122
00:06:57.540 --> 00:06:59.760
by listing the mounted file systems

123
00:06:59.760 --> 00:07:03.750
to check if the encrypted disk is in fact mounted.

124
00:07:03.750 --> 00:07:06.270
We'll do this with the following command,

125
00:07:06.270 --> 00:07:10.380
df -h /mnt.

126
00:07:10.380 --> 00:07:11.430
And there it is.

127
00:07:11.430 --> 00:07:14.580
Our file system, the encrypted disk, is mapped

128
00:07:14.580 --> 00:07:17.460
and available and ready for use.

129
00:07:17.460 --> 00:07:19.350
Ninth, for extra protection,

130
00:07:19.350 --> 00:07:23.010
we could even unmount and close the encrypted disk,

131
00:07:23.010 --> 00:07:24.278
taking it out of service,

132
00:07:24.278 --> 00:07:27.840
but keeping it encrypted and protected.

133
00:07:27.840 --> 00:07:30.690
We would do this with the following two commands,

134
00:07:30.690 --> 00:07:35.690
sudo umount for unmount and /mnt.

135
00:07:36.570 --> 00:07:39.660
Then we will close the encrypted disk

136
00:07:39.660 --> 00:07:44.660
with sudo cryptsetup close encrypted_disk.

137
00:07:47.370 --> 00:07:48.390
There we go.

138
00:07:48.390 --> 00:07:51.990
We have now successfully set up full disk encryption

139
00:07:51.990 --> 00:07:56.550
on the SDB disk using Cryptsetup and LUKS.

140
00:07:56.550 --> 00:07:59.880
To access the encrypted partition in the future,

141
00:07:59.880 --> 00:08:02.490
we would use the cryptsetup open command

142
00:08:02.490 --> 00:08:04.950
with our passphrase to unlock it.

143
00:08:04.950 --> 00:08:08.187
So right now, our data is secure and protected

144
00:08:08.187 --> 00:08:12.060
even if this drive is lost or stolen.

145
00:08:12.060 --> 00:08:15.750
So remember, host-based encryption

146
00:08:15.750 --> 00:08:19.260
is a method used to protect data at rest.

147
00:08:19.260 --> 00:08:23.790
In this case, data at rest is data stored on a device

148
00:08:23.790 --> 00:08:26.430
when the operating system is not running.

149
00:08:26.430 --> 00:08:29.430
This type of encryption is managed and controlled

150
00:08:29.430 --> 00:08:31.650
by the local operating system

151
00:08:31.650 --> 00:08:35.760
to prevent unauthorized access to sensitive information,

152
00:08:35.760 --> 00:08:39.630
especially if the device is physically compromised.

153
00:08:39.630 --> 00:08:43.590
In Windows, BitLocker provides full disk encryption

154
00:08:43.590 --> 00:08:46.320
utilizing the Advanced Encryption Standard

155
00:08:46.320 --> 00:08:51.090
and often relying on a Trusted Platform Module, or TPM,

156
00:08:51.090 --> 00:08:54.330
to securely manage encryption keys.

157
00:08:54.330 --> 00:08:59.330
In Linux, Cryptsetup with Linux Unified Key Setup, or LUKS,

158
00:09:00.000 --> 00:09:01.980
offers similar protection,

159
00:09:01.980 --> 00:09:05.940
encrypting entire disk partitions with AES

160
00:09:05.940 --> 00:09:07.800
to keep data secure.

161
00:09:07.800 --> 00:09:11.820
For macOS, FileVault is the go-to tool,

162
00:09:11.820 --> 00:09:14.370
offering built-in full disk encryption

163
00:09:14.370 --> 00:09:17.160
to safeguard data on Apple devices

164
00:09:17.160 --> 00:09:20.193
when they are powered off or unattended.

