User guide

Chapter 3. Encryption
There are two main types of data that must be protected: data at rest and data in motion. These
different types of data are protected in similar ways using similar technology but the implementations
can be completely different. No single protective implementation can prevent all possible methods of
compromise as the same information may be at rest and in motion at different points in time.
3.1. Data at Rest
Data at rest is data that is stored on a hard drive, tape, CD, DVD, disk, or other media. The
biggest threat to this information is physical theft of the media. Laptops in airports, CDs going
through the mail, and backup tapes that get left in the wrong places are all examples of events where
data can be compromised through theft. If the data on the media is encrypted, you do not have to
worry as much about it being compromised when the media is stolen.
3.2. Full Disk Encryption
Full disk or partition encryption is one of the best ways of protecting your data. Not only is each file
protected, but so is the temporary storage that may contain parts of those files. Full
disk encryption protects all of your files, so you do not have to select what you want to
protect and risk missing a file.
Red Hat Enterprise Linux 6 natively supports LUKS encryption. LUKS bulk encrypts your hard drive
partitions so that your data is protected while your computer is off. This also protects your computer
from attackers attempting to use single-user mode to log in to your computer or otherwise gain access.
Full disk encryption solutions like LUKS only protect the data when your computer is off. Once the
computer is on and LUKS has decrypted the disk, the files on that disk are available to anyone who
would normally have access to them. To protect your files when the computer is on, use full disk
encryption in combination with another solution such as file based encryption. Also remember to lock
your computer whenever you are away from it. A passphrase protected screen saver set to activate
after a few minutes of inactivity is a good way to keep intruders out.
3.3. File Based Encryption
GnuPG (GPG) is an open source version of PGP that allows you to sign and/or encrypt a file or
an email message. Signing maintains the integrity of the message or file, and encryption protects the
confidentiality of the information contained within it. In the case of email, GPG provides
dual protection: it protects the message as data at rest, and also as data in motion once
the message has been sent across the network.
File based encryption is intended to protect a file after it has left your computer, such as when
you send a CD through the mail. Some file based encryption solutions will leave remnants of the
encrypted files that an attacker who has physical access to your computer can recover under some
circumstances. To protect the contents of those files from attackers who may have access to your
computer, use file based encryption combined with another solution such as full disk encryption.
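The following is an added example, not code from the RHEL 6 Security Guide: it signs and encrypts a constructed file with GnuPG (the dual protection described above), decrypts it while checking GnuPG's machine-readable status lines for both a good signature and a successful decryption, and then shows that a corrupted ciphertext is rejected. It assumes GnuPG 2.1 or later is installed; the key, the identity and the file are constructed inside a throwaway keyring.

```shell
#!/bin/sh
# Added example (not from the RHEL 6 Security Guide). Assumes GnuPG 2.1+.
# The identity, key and plaintext below are constructed for the demonstration.
set -e

gpg_roundtrip() {
  work=$(mktemp -d)
  # Throwaway keyring so the user's real ~/.gnupg is never touched.
  GNUPGHOME="$work/gnupg"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME"
  uid='example-user@example.invalid'   # constructed test identity
  opts="--batch --quiet --yes --pinentry-mode=loopback --passphrase="
  gpg $opts --quick-gen-key "$uid" default default never 2>"$work/gen.log"
  printf 'account data to protect at rest and in motion\n' >"$work/secret.txt"

  # --sign gives integrity and authenticity, --encrypt gives confidentiality.
  gpg $opts --trust-model always --local-user "$uid" --recipient "$uid" \
      --sign --encrypt --output "$work/secret.txt.gpg" "$work/secret.txt"

  # Decrypt; --status-fd 1 emits machine-readable lines that we can check.
  gpg $opts --trust-model always --status-fd 1 --output "$work/plain.txt" \
      --decrypt "$work/secret.txt.gpg" >"$work/status.txt" 2>/dev/null
  grep -q '^\[GNUPG:\] GOODSIG ' "$work/status.txt"
  grep -q '^\[GNUPG:\] DECRYPTION_OKAY' "$work/status.txt"
  cmp -s "$work/secret.txt" "$work/plain.txt"

  # Overwrite one byte of the ciphertext: decryption must now be refused.
  cp "$work/secret.txt.gpg" "$work/tampered.gpg"
  printf 'X' | dd of="$work/tampered.gpg" bs=1 seek=40 conv=notrunc 2>/dev/null
  if gpg $opts --trust-model always --status-fd 1 --output "$work/bad.txt" \
        --decrypt "$work/tampered.gpg" >"$work/bad.status" 2>/dev/null \
     && grep -q '^\[GNUPG:\] DECRYPTION_OKAY' "$work/bad.status"; then
    echo tamper-not-detected; return 1
  fi

  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo ok
}

gpg_roundtrip
```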
3.4. Data in Motion
Data in motion is data that is being transmitted over a network. The biggest threats to data in motion
are interception and alteration. Your user name and password should never be transmitted over a
network without protection as it could be intercepted and used by someone else to impersonate you
or gain access to sensitive information. Other private information such as bank account information