1
00:00:00,000 --> 00:00:17,760
Hey guys and welcome back, so at the end of this skill what I just want to do is to pivot

2
00:00:17,760 --> 00:00:22,760
subjects and make a brief point on the concept of encryption.

3
00:00:22,760 --> 00:00:29,719
Since this is something that the LPIC-2 examination requires that we have a fairly basic understanding

4
00:00:29,719 --> 00:00:34,119
of, so what that means is that we don't have to concern ourselves too much with having

5
00:00:34,119 --> 00:00:40,239
to configure and set up an encrypted file system, but we do have to be aware of the

6
00:00:40,239 --> 00:00:45,119
concepts and why we would want to use an encrypted file system to begin with.

7
00:00:45,119 --> 00:00:51,359
Now you imagine you happen to have your laptop and because it is a laptop you like to travel

8
00:00:51,359 --> 00:00:56,079
with it and let's say you leave it on the train and then suddenly you realise that you

9
00:00:56,079 --> 00:01:01,839
have left your laptop, but even more problematic than the worrying thought that you may have

10
00:01:01,839 --> 00:01:08,319
lost some expensive device, is the realisation that anyone who happens to grab your computer

11
00:01:08,319 --> 00:01:13,120
who may have found it, they could potentially go in and read all your data.

12
00:01:13,120 --> 00:01:18,200
This can be a quite worrying thought, especially if this happens to be a laptop that you have

13
00:01:18,200 --> 00:01:24,920
for work and it has a whole bunch of super sensitive and supposedly super secret documents

14
00:01:24,920 --> 00:01:25,920
on it.

15
00:01:25,920 --> 00:01:31,240
They think, well hey they don't actually know the password to log into my account, but what

16
00:01:31,240 --> 00:01:37,760
the attacker could do is they could side load a live system, which would be a live running

17
00:01:37,760 --> 00:01:44,240
operating system via a USB stick or via a CD-ROM, or they could just pull out the hard

18
00:01:44,240 --> 00:01:49,840
drive entirely and ultimately they could conduct forensics if they had the know-how.

19
00:01:49,840 --> 00:01:55,879
So this little basic password that you have as your Windows splash screen or your MacBook

20
00:01:55,879 --> 00:02:00,799
splash screen, whatever it may be, that really isn't going to protect the data that much

21
00:02:00,799 --> 00:02:01,799
at all.

22
00:02:01,799 --> 00:02:08,680
So the reality is you want your data to be unreadable to anyone that isn't you effectively.

23
00:02:08,680 --> 00:02:12,800
In other words, what you want is when your laptop is switched off, you want all that

24
00:02:12,800 --> 00:02:19,039
data to be completely protected and unreadable so that even if someone happened to use forensic

25
00:02:19,039 --> 00:02:24,919
tools all they could see was this scrambled and indecipherable data.

26
00:02:25,039 --> 00:02:28,239
So this is what we're talking about when we're talking about encryption.

27
00:02:28,239 --> 00:02:33,839
Now we actually can encrypt files on a file by file basis.

28
00:02:33,839 --> 00:02:38,519
That means if you happen to get a very sensitive file you can encrypt that file and store it

29
00:02:38,519 --> 00:02:39,519
on your system.

30
00:02:39,519 --> 00:02:43,879
But as you can imagine, if you work for an enterprise whereby you're dealing with lots

31
00:02:43,879 --> 00:02:48,639
of sensitive data, maybe every piece of data should be protected.

32
00:02:48,639 --> 00:02:53,719
Obviously it would be pretty tedious to have to go through the process of encrypting each

33
00:02:53,840 --> 00:02:56,759
file one by one by one by one.

34
00:02:56,759 --> 00:03:00,479
And as new files come in, continually repeat that process.

35
00:03:00,479 --> 00:03:06,759
Instead, it would be much more advantageous to encrypt the entire file system itself.

36
00:03:06,759 --> 00:03:11,639
What this would mean therefore is that when the system is switched off, it would be fully

37
00:03:11,639 --> 00:03:13,479
encrypted.

38
00:03:13,479 --> 00:03:19,079
When you turn that system on, you would be prompted for some type of decryption phrase.

39
00:03:19,080 --> 00:03:24,280
And that would mean that the data would decrypt itself and become available to you.

40
00:03:24,280 --> 00:03:29,120
The cool thing about that is that it would mean that all the data on the device would

41
00:03:29,120 --> 00:03:34,800
be protected if you happen to download a file from your email on your encrypted file system.

42
00:03:34,800 --> 00:03:40,480
Whilst it would be readable to you as the computer was on, once you shut down that computer,

43
00:03:40,480 --> 00:03:45,680
that downloaded file, just like the rest of the files on the file system, will be protected

44
00:03:45,680 --> 00:03:47,520
by encryption and unreadable.

45
00:03:47,560 --> 00:03:52,719
So if in the event you lost your laptop or someone happened to access your computer in

46
00:03:52,719 --> 00:03:57,560
your office unknowingly, unless they had the decryption passphrase, they would not be

47
00:03:57,560 --> 00:03:58,840
able to access that data.

48
00:03:58,840 --> 00:04:04,840
So clearly in the world of modern computing, when security is absolutely at the forefront,

49
00:04:04,840 --> 00:04:08,840
encryption is one of those technologies that we do want to be aware of and certainly employing

50
00:04:08,840 --> 00:04:09,840
when we can.

51
00:04:09,840 --> 00:04:13,120
Now, one thing we do want to be aware of is LUKS.

52
00:04:13,120 --> 00:04:17,080
This is the Linux Unified Key Setup.

53
00:04:17,079 --> 00:04:23,240
And what this is, is ultimately a specification for encryption, meaning that it describes

54
00:04:23,240 --> 00:04:26,639
how systems should be encrypted on Linux.

55
00:04:26,639 --> 00:04:29,519
It doesn't actually give you the software to do such a thing.

56
00:04:29,519 --> 00:04:35,279
So clearly you will have to find a particular tool that can encrypt your system that adheres

57
00:04:35,279 --> 00:04:37,639
to the LUKS specification.

58
00:04:37,639 --> 00:04:43,039
And one of those tools that we want to be aware of is something called dm-crypt.

59
00:04:43,040 --> 00:04:47,120
Now what dm-crypt is, is ultimately a module.

60
00:04:47,120 --> 00:04:52,040
And it's a module that is going to be used by the kernel so that when you happen to invoke

61
00:04:52,040 --> 00:04:57,720
encryption, the kernel is going to be able to interact and utilise the encrypted file

62
00:04:57,720 --> 00:04:58,720
system.

63
00:04:58,720 --> 00:05:04,800
Now, with respect to dm-crypt, we have the ability to encrypt the entire disk.

64
00:05:04,800 --> 00:05:07,200
This would be known as full disk encryption.

65
00:05:07,200 --> 00:05:12,120
Like I say, this can encrypt absolutely everything so that no matter what you do on your computer,

66
00:05:12,199 --> 00:05:14,240
it's always going to be protected.

67
00:05:14,240 --> 00:05:17,680
Or you could choose to encrypt particular partitions.

68
00:05:17,680 --> 00:05:22,360
Or if you so wish, you could choose to encrypt removable media.

69
00:05:22,360 --> 00:05:27,120
So let's say you had a USB thumb drive with some sensitive information on it.

70
00:05:27,120 --> 00:05:30,720
You could use dm-crypt to encrypt that drive.

71
00:05:30,720 --> 00:05:37,759
Similarly, dm-crypt can also be used to encrypt software RAID volumes, which relates to what

72
00:05:37,759 --> 00:05:40,840
we talked about in the previous skill.

73
00:05:40,879 --> 00:05:45,119
Now, even though the examination does not require us to actually be able to configure

74
00:05:45,119 --> 00:05:52,560
such a setup, we do want to be aware of that the dm-crypt utility has a command called

75
00:05:52,560 --> 00:05:53,799
cryptsetup.

76
00:05:53,799 --> 00:05:59,399
And this command here is the command that you could use to ultimately create and mount

77
00:05:59,399 --> 00:06:02,519
an encrypted file system using dm-crypt.

78
00:06:02,519 --> 00:06:06,759
So really, like I say, for the purposes of the examination, we just want to have a high-level

79
00:06:06,759 --> 00:06:12,439
understanding of what encryption is and understand the benefits of not just being able to encrypt

80
00:06:12,439 --> 00:06:18,079
on a file-by-file basis, but being able to encrypt an entire file system or an entire

81
00:06:18,079 --> 00:06:19,079
disk.

82
00:06:19,079 --> 00:06:25,240
We want to be aware of the LUKS specification and the dm-crypt kernel module, which will

83
00:06:25,240 --> 00:06:30,519
allow us to create and configure a Linux-based encrypted file system.

84
00:06:30,519 --> 00:06:36,560
And like I said, the way we can do that with the dm-crypt utility is via the cryptsetup

85
00:06:36,560 --> 00:06:37,639
command.

86
00:06:37,639 --> 00:06:41,639
And those are the core components that we want to understand for the purposes of the

87
00:06:41,639 --> 00:06:44,280
LPIC-2 objective on encryption.

88
00:06:44,280 --> 00:06:47,399
So I hope this has been informative for you and I'd like to thank you for viewing.

