2.7 Given a scenario, apply workstation security options and hardening techniques.
📘CompTIA A+ Core 2 (220-1202)
1. What Is Data-at-Rest?
Data-at-rest is data that is stored on a device and not actively being used or transmitted.
In an IT environment, this includes:
- Files saved on a hard drive (HDD) or solid-state drive (SSD)
- Data stored on USB flash drives
- Data on external hard drives
- Data on laptops, desktops, and mobile devices
- Data stored in databases on a local system
Once data is saved and sitting on a storage device, it is considered data-at-rest.
2. What Is Data-at-Rest Encryption?
Data-at-rest encryption is a security method that scrambles stored data so that unauthorized users cannot read it, even if they gain physical or logical access to the device.
- The data is converted into ciphertext using encryption
- A key (password or cryptographic key) is required to decrypt and read the data
- Without the key, the data appears unreadable and useless
3. Why Data-at-Rest Encryption Is Important
In real IT environments, devices can be:
- Lost
- Stolen
- Improperly disposed of
- Accessed by unauthorized users
Encryption ensures that:
- Data remains protected even if the device is compromised
- Sensitive information cannot be accessed without authorization
- Confidential business or personal data is not exposed
From a CompTIA A+ exam perspective, encryption:
- Is a key workstation hardening technique
- Protects against data theft
- Supports confidentiality in the CIA triad
4. What Types of Data Should Be Encrypted?
Common types of sensitive data that should be encrypted at rest include:
- User credentials (usernames and passwords)
- Financial data
- Customer records
- Employee records
- Configuration files
- Operating system files
- Application data
- Backup files
For the exam, assume any sensitive stored data should be encrypted.
5. Where Data-at-Rest Encryption Is Used
In IT environments, data-at-rest encryption is commonly used on:
a. Workstation Hard Drives
- Desktop computers
- Laptop computers
- Shared office systems
b. Portable Storage Devices
- USB flash drives
- External hard drives
- Memory cards
c. Mobile Devices
- Smartphones
- Tablets
- Company-owned mobile devices
d. Virtual Machines
- Virtual disks (VHD, VMDK)
- Local virtual machine storage
6. Full Disk Encryption (FDE)
Full Disk Encryption (FDE) encrypts the entire storage device.
Key Points:
- Encrypts all data on the drive
- Includes operating system files, applications, and user data
- Requires authentication before the system boots
Benefits:
- Protects all data automatically
- No need to select individual files
- Very strong protection against data theft
Exam Tip:
If the exam mentions:
- Laptop security
- Stolen devices
- Protecting the entire system
→ Full Disk Encryption is the correct choice.
7. File-Level and Folder-Level Encryption
Instead of encrypting the entire disk, encryption can be applied to:
- Individual files
- Specific folders
Characteristics:
- Only selected data is encrypted
- User must have proper permissions
- Operating system manages encryption automatically
Limitations:
- Other unencrypted files may still be exposed
- Less secure than full disk encryption if misconfigured
8. Operating System Support for Data-at-Rest Encryption
Modern operating systems support encryption natively.
Windows
- Supports full disk encryption
- Supports file-level encryption
- Often integrated with system authentication
macOS
- Supports full disk encryption
- Automatically encrypts user data
- Integrated with user login
Linux
- Supports full disk encryption
- Encryption can be applied during OS installation
Exam Focus:
You do NOT need command syntax. You only need to know that operating systems support encryption and where it is applied.
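Command syntax is out of scope for the exam, but the following added example (written for these notes, not taken from them or from any vendor) shows how a Linux technician would verify where full disk encryption is actually applied. It walks the device tree that `lsblk` reports and flags every mounted filesystem that does not sit on a dm-crypt/LUKS (`TYPE="crypt"`) layer, including the common LVM-on-LUKS layout where the encrypted layer is below an LVM volume. The `lsblk` lines embedded in the script are constructed sample data; the helper names `classify_mounts`, `unencrypted_mounts` and `audit_local_system` are this example's own.

```shell
#!/bin/sh
# Added example, not taken from the study notes: audit which mounted
# filesystems on a Linux workstation are backed by a dm-crypt/LUKS layer.
# A mount counts as "encrypted" if its device, or any device beneath it in
# the lsblk tree, has TYPE=crypt (this covers the LVM-on-LUKS layout).
set -eu

# Constructed sample of `lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME`: an LVM-on-LUKS
# install on sda plus a second, unencrypted data disk sdb.
SAMPLE_LSBLK=$(cat <<'EOF'
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda3_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="sda3"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda3_crypt"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="sda3_crypt"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/data" PKNAME="sdb"
EOF
)

# classify_mounts: reads lsblk -P lines on stdin and prints one line per
# mounted device in the form "<encrypted|plaintext> <mountpoint>".
classify_mounts() {
  awk '
    # Extract KEY="value" from the current line (values may contain spaces).
    function field(key,   s, m) {
      s = " " $0
      if (match(s, " " key "=\"[^\"]*\"")) {
        m = substr(s, RSTART, RLENGTH)
        sub("^[^\"]*\"", "", m); sub("\"$", "", m)
        return m
      }
      return ""
    }
    {
      n = field("NAME"); type[n] = field("TYPE"); parent[n] = field("PKNAME")
      m = field("MOUNTPOINT")
      if (m != "") { mnt[n] = m; order[++cnt] = n }
    }
    END {
      for (i = 1; i <= cnt; i++) {
        n = order[i]; state = "plaintext"
        # Walk from the mounted device down to the physical disk.
        for (d = n; d != ""; d = parent[d])
          if (type[d] == "crypt") { state = "encrypted"; break }
        print state " " mnt[n]
      }
    }'
}

# unencrypted_mounts: only the mountpoints with no encryption layer beneath them.
unencrypted_mounts() {
  classify_mounts | awk '$1 == "plaintext" { sub("^plaintext ", ""); print }'
}

# audit_local_system: run the same check against this machine, if lsblk exists.
audit_local_system() {
  command -v lsblk >/dev/null 2>&1 || { echo "lsblk not available" >&2; return 1; }
  lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME | classify_mounts
}

# Demonstration on the constructed sample: / and [SWAP] are encrypted,
# /boot/efi, /boot and /data are not.
printf '%s\n' "$SAMPLE_LSBLK" | classify_mounts
```

On the sample, `/boot` and `/boot/efi` show as plaintext. That is normal for most Linux installs, because the bootloader has to read the kernel before the LUKS passphrase is entered, so a report like this should be read against the expected layout rather than treated as a pass/fail list. The unencrypted `/data` disk is the finding a technician would act on. The equivalent one-line checks on the other platforms in this section are `manage-bde -status` (or `Get-BitLockerVolume` in PowerShell) on Windows and `fdesetup status` on macOS.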
9. Encryption Keys and Passwords
Encryption relies on keys to protect data.
Important Concepts:
- A strong password protects the encryption key
- Losing the key means permanent data loss
- Keys must be stored securely
For the exam:
- Weak passwords weaken encryption
- Strong authentication strengthens encryption
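The points in sections 2, 9 and 12 (a key derived from a password unlocks the data, a wrong password recovers nothing, a lost key means the data is gone, and the key must be stored and backed up securely) can be seen end to end with file-level encryption. The following added example is not from the study notes; it assumes the `openssl` command-line tool is installed, uses a constructed customer record as input, and the helper names `encrypt_file`, `decrypt_file`, `recovers_plaintext` and `key_demo` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the study notes: password-protected file-level
# encryption with the openssl CLI (assumed installed). It shows that the
# passphrase protects the key, that a wrong passphrase recovers nothing, and
# that a securely kept backup copy of the passphrase is the only way back in.
set -eu

# encrypt_file PLAIN CIPHER PASSFILE
# -pbkdf2 derives the AES key from the passphrase with a salted, iterated KDF.
# A weak passphrase is still the weak link (weak passwords weaken encryption);
# the iteration count only makes guessing slower.
encrypt_file() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file CIPHER OUT PASSFILE   (returns openssl's exit status)
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass "file:$3" 2>/dev/null
}

# recovers_plaintext CIPHER PASSFILE ORIGINAL
# Succeeds only if decryption runs AND the result matches the original bytes.
# A wrong CBC passphrase usually fails the padding check, but roughly 1 time
# in 256 it "succeeds" with garbage, so content is compared, not just status.
recovers_plaintext() {
  out=$(mktemp)
  if decrypt_file "$1" "$out" "$2" && cmp -s "$out" "$3"; then
    rm -f "$out"; return 0
  fi
  rm -f "$out"; return 1
}

# key_demo: runs the whole scenario on constructed data in a temp directory
# and prints "ok" when every expectation holds.
key_demo() {
  dir=$(mktemp -d)
  printf 'customer record: Example Corp, account 0042\n' > "$dir/record.txt"
  printf 'correct horse battery staple\n' > "$dir/pass.txt"
  printf 'wrong password\n' > "$dir/badpass.txt"
  chmod 600 "$dir/pass.txt"            # keys must be stored securely

  encrypt_file "$dir/record.txt" "$dir/record.enc" "$dir/pass.txt"

  # 1. Ciphertext must not leak the plaintext.
  if grep -q 'Example Corp' "$dir/record.enc"; then echo fail; return 1; fi
  # 2. The right passphrase restores the file byte for byte.
  recovers_plaintext "$dir/record.enc" "$dir/pass.txt" "$dir/record.txt" \
    || { echo fail; return 1; }
  # 3. A wrong passphrase recovers nothing usable.
  if recovers_plaintext "$dir/record.enc" "$dir/badpass.txt" "$dir/record.txt"; then
    echo fail; return 1
  fi
  # 4. Back up the passphrase securely, then "lose" the original copy: the
  #    backup still unlocks the data; with no copy at all it would be gone.
  cp "$dir/pass.txt" "$dir/pass.backup"; chmod 600 "$dir/pass.backup"
  rm "$dir/pass.txt"
  recovers_plaintext "$dir/record.enc" "$dir/pass.backup" "$dir/record.txt" \
    || { echo fail; return 1; }

  rm -rf "$dir"
  echo ok
}

key_demo
```

Step 4 is the practical lesson behind "Back up encryption keys securely": full disk encryption products do the same thing with a recovery key (BitLocker's 48-digit recovery password, FileVault's recovery key, a second LUKS key slot), and a help desk that has not escrowed that key cannot help a user who forgets the passphrase.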
10. Hardware-Based vs Software-Based Encryption
Software-Based Encryption
- Managed by the operating system
- Uses CPU resources
- Flexible and widely supported
Hardware-Based Encryption
- Performed by the storage device itself
- Faster performance
- Less CPU usage
Both are valid for the exam.
Key idea: encryption can be done by software or hardware.
11. Data-at-Rest Encryption and Workstation Hardening
Encryption is a core hardening technique because it:
- Reduces the impact of device theft
- Protects data even if access controls fail
- Complements other security measures like:
- Strong passwords
- Secure boot
- User permissions
- BIOS/UEFI security
Encryption does not replace other security controls—it adds another layer.
12. What Encryption Does NOT Protect Against
Important for the exam:
Encryption does NOT protect against:
- Malware running on a logged-in system
- Authorized users misusing data
- Weak passwords
- Key theft
Encryption protects stored data when the system is powered off or the volume is locked, that is, when someone without the key tries to read the storage directly; once an authorized user has unlocked the data, the controls above are what protect it.
13. Best Practices (Exam-Focused)
For CompTIA A+ exams, remember these best practices:
- Encrypt all portable devices
- Use full disk encryption on laptops
- Protect encryption keys with strong passwords
- Enable encryption during system setup
- Back up encryption keys securely
- Combine encryption with access control
14. Common Exam Keywords to Recognize
If you see these phrases, think Data-at-Rest Encryption:
- “Protect stored data”
- “Lost or stolen laptop”
- “Unreadable data on hard drive”
- “Encrypt data on disk”
- “Prevent unauthorized access to stored files”
- “Workstation hardening”
15. Quick Exam Summary
Data-at-rest encryption:
- Protects stored data
- Encrypts files, folders, or entire disks
- Prevents unauthorized access
- Is critical for workstation security
- Is a required hardening technique
- Commonly uses full disk encryption
Final Exam Tip
If the question asks how to protect data on a device if it is stolen, the correct answer is encryption of data-at-rest, especially full disk encryption.
