[00:00:06] While digital signatures can verify an author's identity and ensure content consistency, they cannot protect the content itself. For example, if someone intercepts a digitally signed message, he or she can still read its content. However, any attempt to alter the content is detected, because the digital signature check will fail. If you want to protect the content of the document so that it cannot be read, you must use encryption.

[00:00:48] Microsoft Windows operating systems support file-based encryption called Encrypting File System, or EFS. Also, Outlook supports the encryption of email messages.

[00:01:05] So let's talk about EFS first. To encrypt a file by using EFS, you must have an EFS certificate issued. Like all certificates, the EFS certificate also provides a private and public key pair. However, these keys are not used directly to encrypt or decrypt content. This is due to the inefficiency of algorithms that use asymmetric encryption, where one key is used for encryption and another for decryption. These algorithms are much slower than algorithms that use the same key for both encryption and decryption, which is called symmetric encryption. EFS uses a hybrid approach to overcome this problem.

[00:02:04] When a user selects the option to encrypt a file, the local computer generates a symmetric key, which is also known as a file encryption key.
[00:02:17] It then uses this key to encrypt the file. After it encrypts the file, the system uses the user's public key to encrypt the symmetric key and stores the result in the file header. Later on, when the user who originally encrypted the file wants to decrypt the file and access its content, the local computer accesses the user's private key. It first decrypts the symmetric key from the file header, where it is stored in what is called the data decryption field, or DDF, and afterwards it uses the symmetric key to decrypt the content.

[00:03:05] This is adequate if the file's owner is the only person who works with the decrypted file. However, there are scenarios in which you would want to share encrypted files with other users, and it might be inconvenient to decrypt the file before sharing it with other people. Also, if the user who originally encrypted the file loses his or her private key, then the file might be inaccessible to anyone.

[00:03:41] To resolve this, a data recovery field, or DRF, is defined for each file encrypted with EFS. When you configure EFS for use locally or in an AD DS domain, the data recovery agent (DRA) role is defined by default and assigned to the local or domain administrator. The DRA certificate can be used to decrypt files in case the private key of the originating user is not accessible for some reason.
[00:04:22] When a user encrypts a file with EFS, his or her public key is used to encrypt the symmetric key, and the encrypted key is then stored in the DDF of the file header. At the same time, the public key of the DRA certificate is used to encrypt the symmetric key once more, and the resulting encrypted key is then stored in the DRF of the file header. If there is more than one DRA defined, the symmetric key is encrypted with each of the DRA public keys. Then, if the user who originally encrypted the file doesn't have the private key available for any reason, the DRA can use its private key to decrypt the symmetric key from the DRF and then decrypt the file.

[00:05:28] Please note that as an alternative to the DRA, you also can use the key recovery agent, or KRA, to retrieve a user's private key from the CA database, as we discussed in the previous lesson, provided you have enabled key archival for the EFS certificate template on the CA.

[00:05:46] When a user wants to share an encrypted file with other users, the approach is similar to using a DRA. When the user selects EFS sharing, the file's owner must select a certificate for each user who will share the file. These certificates can be published to AD DS and are accessible from there.
[00:06:20] When the owner selects the certificate, the public key of the destination user encrypts the symmetric key, which is then added to the file header. At this point, the other users also can access the EFS-encrypted content, because they can use their private keys to decrypt the symmetric key.

[00:06:47] Please note that you can also define a data recovery certificate for BitLocker Drive Encryption. Although a BitLocker Data Recovery Agent certificate template is not predefined in AD DS, you can copy the KRA template and then add new application policies for BitLocker encryption and data recovery by using the following object identifiers: BitLocker Drive Encryption and BitLocker Data Recovery Agent. After you enroll a user for this certificate, you can define a recovery agent at the domain level if you use Group Policy settings in the following path: Computer Configuration, Windows Settings, Security Settings, Public Key Policies, BitLocker Drive Encryption. It is recommended that you use BitLocker for full drive encryption.

[00:07:56] Now let's talk about email encryption. Besides using EFS to encrypt files and BitLocker to encrypt drives, you can also use certificates to encrypt emails.
[00:08:09] Email encryption, however, is more complicated than a digital signature. Although you can send digitally signed emails to anyone, you cannot do the same with encrypted email. To be able to send an encrypted email to someone with a PKI, you must possess the recipient's public key from his or her key pair. In an AD DS environment where Exchange Server is the email system, you can publish the public keys of all mailbox users to the global address list (GAL). When you do that, applications such as Outlook can grab a recipient's public key easily from the GAL if you, as a sender, send an encrypted email.

[00:09:05] When you send an encrypted email to an internal user, your email application takes the recipient's public key from the GAL, encrypts the mail with it, and then sends the mail. After receiving the mail, the recipient uses his or her private key from the certificate to decrypt the content of the email.

[00:09:32] However, sending an encrypted email to external users is more complicated. While the public keys of internal users can be published to AD DS or the GAL, the same is not true of external users. To send an encrypted email to an external user, you first must get his or her public key. The external user can send it to you in a .cer file, which you can import into your local address book.
[00:10:10] Also, if an external user sends you a digitally signed email, then you will get his or her public key, which you also can import into your local address book. Once the public key is imported into your address book, you can use it to send encrypted emails to that external user or users. Please note that if you want to provide authenticity, content consistency and protection, then you can send a message that is both digitally signed and encrypted.

[00:10:47] Next up, we'll have a demonstration. We'll see how to encrypt a file with EFS. See you there.
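The hybrid scheme the lecture walks through for EFS (a random file encryption key, the content encrypted with it, that key wrapped once per user into the DDF and once per recovery agent into the DRF, and sharing done by adding another DDF entry) is the same per-recipient key wrapping that the email section relies on when Outlook encrypts a message to each recipient's public key. The following is an added worked model of that scheme in Go; it is not code from the lecture and not Windows' own EFS implementation. It assumes AES-256-GCM for the symmetric step and RSA-OAEP for the wrapping (the lecture names neither), and it uses plain string labels such as "owner" and "dra" in place of the certificate identifiers a real header would carry; the names EncryptFile, Decrypt, ShareWith and the sample content are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile models an EFS file: AES-GCM ciphertext plus a header that maps each principal to
// the file encryption key (FEK) wrapped with that principal's public key. DDF holds users, DRF
// holds data recovery agents (DRAs). The map keys are constructed labels, not certificate ids.
type EncryptedFile struct {
	DDF, DRF          map[string][]byte
	Nonce, Ciphertext []byte
}

// must panics on errors that cannot occur for well-formed input (used for the fixed-size FEK).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newGCM is the symmetric step: AES-256-GCM keyed with the 32-byte FEK.
func newGCM(fek []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(fek)))) }

// wrapFEK is the asymmetric step: RSA-OAEP encrypts only the 32-byte FEK, never the file content.
func wrapFEK(pub *rsa.PublicKey, fek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
}

// EncryptFile generates a random FEK, encrypts the content with it, then wraps the FEK once for
// the owner (DDF entry) and once for every DRA (DRF entry).
func EncryptFile(owner string, ownerPub *rsa.PublicKey, dras map[string]*rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	f := &EncryptedFile{DDF: map[string][]byte{}, DRF: map[string][]byte{}, Nonce: nonce,
		Ciphertext: newGCM(fek).Seal(nil, nonce, plaintext, nil)}
	var err error
	if f.DDF[owner], err = wrapFEK(ownerPub, fek); err != nil {
		return nil, err
	}
	for name, pub := range dras {
		if f.DRF[name], err = wrapFEK(pub, fek); err != nil {
			return nil, err
		}
	}
	return f, nil
}

// recoverFEK looks the caller up in the DDF, then the DRF, and unwraps the FEK with the supplied
// private key; a private key that does not match the entry fails inside OAEP decryption.
func (f *EncryptedFile) recoverFEK(principal string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := f.DDF[principal]
	if !ok {
		wrapped, ok = f.DRF[principal]
	}
	if !ok {
		return nil, fmt.Errorf("no DDF or DRF entry for %q", principal)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Decrypt is the read path: unwrap the FEK, then decrypt the content with it.
func (f *EncryptedFile) Decrypt(principal string, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := f.recoverFEK(principal, priv)
	if err != nil {
		return nil, err
	}
	return newGCM(fek).Open(nil, f.Nonce, f.Ciphertext, nil)
}

// ShareWith is EFS sharing: a principal who can already recover the FEK adds a DDF entry for
// another user's public key. The content itself is never decrypted and re-encrypted.
func (f *EncryptedFile) ShareWith(sharer string, sharerPriv *rsa.PrivateKey, newUser string, newPub *rsa.PublicKey) error {
	fek, err := f.recoverFEK(sharer, sharerPriv)
	if err != nil {
		return err
	}
	w, err := wrapFEK(newPub, fek)
	if err != nil {
		return err
	}
	f.DDF[newUser] = w
	return nil
}

func main() {
	owner := must(rsa.GenerateKey(rand.Reader, 2048))
	dra := must(rsa.GenerateKey(rand.Reader, 2048))
	f := must(EncryptFile("owner", &owner.PublicKey, map[string]*rsa.PublicKey{"dra": &dra.PublicKey}, []byte("constructed sample content")))
	out, err := f.Decrypt("dra", dra) // the owner's private key is lost: the DRA recovers through the DRF
	fmt.Printf("DDF=%d DRF=%d recovered=%q err=%v\n", len(f.DDF), len(f.DRF), out, err)
}
```

Run with `go run`; the program prints the header entry counts and the content the DRA recovered without the owner's private key. The DDF entry for a shared user and the DRF entry for a DRA have exactly the same shape and differ only in whose public key did the wrapping, which is why both recovery and sharing cost one extra small wrapping operation rather than a re-encryption of the file, and why losing the owner's private key still leaves the file readable to anyone holding a key that matches an entry in the header.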