Glossary
Full Disk Encryption Glossary
Welcome to our glossary on Full Disk Encryption (FDE). This resource provides clear definitions and explanations of key terms related to encryption, data protection, and security best practices. Whether you're new to FDE or looking to deepen your understanding, this glossary aims to clarify the essential concepts and terminology for securing data at rest.
Administrator
The ‘administrator’ – in Matrix42 Full Disk Encryption terms – is responsible for the installation, configuration and maintenance of the product. This person's tasks include (among others) the following:
Advanced Encryption Standard (AES)
In cryptography, the Advanced Encryption Standard (AES), also known as Rijndael, is a block cipher adopted as an encryption standard by the U.S. government. AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits.
Algorithm
Algorithms are essential to the way computers process information, because a computer program is essentially an algorithm that tells the computer what specific steps to perform (in what specific order) in order to carry out a specified task. An encryption algorithm is known as a cipher (see ‘Cipher’).
autoconf.nbs (temporary name)
A policy created by the FDE Policy Builder to automatically configure certain options for a number of computers. This policy is the last of three policies to be executed for unattended installation:
Blowfish
Blowfish is a keyed, symmetric block cipher with a 64-bit block size and a key length of anywhere from 32 bits to 448 bits.
Boot
To load the first piece of software that starts a computer. Because the operating system is essential for running all other programs, it is usually the first piece of software loaded during the boot process.
Boot manager
The Matrix42 boot manager is an editor to prepare the computer to boot/display different systems and partitions. The boot manager has a similar graphical user interface to the Windows 2000/XP boot menu.
Boot Time
The time it takes to turn on the computer to either the PBA logon dialog, or the Windows logon dialog.
bootconf.nbs (temporary name)
A policy created by the FDE Policy Builder to automatically configure the boot security options for a number of computers. This policy is the second of three policies to be executed for unattended installation:
Control Center
The Matrix42 Control Center is a console in which all the Matrix42 administration modules reside. These modules include:
Cipher
A cipher (or cypher) is an algorithm for performing encryption and decryption, a series of well-defined steps that can be followed as a procedure. In most cases, that process is varied depending on a key which changes the detailed operation of the algorithm. Matrix42 uses the following ciphers:
Credentials
Used to establish the identity of a party in communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only criterion for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory. See also ‘Windows Credentials’.
Cryptographic erase
A secure method of data deletion to ensure that hard disks can be safely redeployed or discarded. Also known as ‘secure erase’, and ‘digital shredding’.
Data Encryption Key (DEK)
A cryptographic key that is used to encipher application data (see ‘Key Encrypting Key (KEK)’).
Data Encryption Standard (DES)
The Data Encryption Standard (DES) is a cipher (a method for encrypting information) selected as an official Federal Information Processing Standard (FIPS) for the United States in 1976. DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small; DES keys have been broken in less than 24 hours.
Decryption
Cryptographically restore ciphertext to the plaintext form it had before encryption (see ‘Encryption’).
Deploy
To install, test and implement a computer system or application. The term can refer to any installation and testing, from setting up a new network in an enterprise, to installing a server farm, to implementing a new application over a distributed computing network.
DESX
DES-X (or DESX) is a variant on the DES (Data Encryption Standard) block cipher intended to increase the complexity of a brute force attack using a technique called key whitening.
Emergency Recovery Disk (ERD)
A boot CD to aid in regaining access to the data on a computer encrypted with Matrix42. When the hard disk has been fully encrypted using Matrix42 Full Disk Encryption and the user has forgotten the credentials necessary to access the computer (with or without PBA), the emergency recovery application can be used to gain access to the data on the computer. You may need to use the emergency recovery application if the following occurs:
Encryption
Cryptographic transformation of data (called ‘plaintext’) into a form (called ‘ciphertext’) that conceals the data's original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called ‘decryption’, which is a transformation that restores encrypted data to its original state.
Encryption key
A string of letters, numbers and special characters used by an encryption algorithm as the ‘key’ with which data is encrypted. See also ‘Algorithm’.
External media
All devices connected to, or inserted into, a computer. This includes USB hard disks, USB flash drives, and PCMCIA drives.
Full Disk Encryption (FDE)
The Full Disk Encryption module for Matrix42. FDE uses a sector-based encryption principle to encrypt all data written to the hard disk and decrypt all data read from it at a very low level, directly at physical hard disk access. This technology enables the encryption of the whole disk or partition, including temporary files, swap files and the operating system itself. Because whole partitions are encrypted, no one can access the data by starting the computer from media such as a CD-ROM, floppy disk or USB stick, and tools that crack or reset the system password no longer have a chance to compromise the system. If the hard disk is built into another computer as a second disk, access to the encrypted partitions is likewise impossible.
HelpDesk
In an emergency in which the user has lost their smart card or forgotten their Windows credentials and/or has no access to administrator resources, Matrix42 FDE offers the user the chance to access their notebook via a HelpDesk. The HelpDesk is usually a telephone hotline that the user can reach using the information shown in the PBA dialog. The HelpDesk administrator uses information from the user (called the ‘challenge’) and relays a ‘response’ that the user enters in the PBA help dialog to bypass the authentication mechanism a limited number of times.
HelpDesk Administrator
A person with administrator access to the HelpDesk application to aid users in obtaining access to their computers in an emergency.
Key Encrypting Key (KEK)
A cryptographic key that is used to encrypt other keys, either DEKs or other KEKs, but usually is not used to encrypt application data.
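The DEK/KEK hierarchy described in this entry, the sector-based principle from the ‘Full Disk Encryption (FDE)’ entry and the ‘Cryptographic erase’ entry can be seen working together in one small model. The Go program below is an added example, not Matrix42 code and not its on-disk format: the Disk layout, the AES-256-GCM key wrap, the ESSIV-style per-sector IV and the AES-CBC sector cipher are this example's own choices (production drivers typically use XTS), and the plaintext it writes is constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const SectorSize = 512 // the unit at which the volume is encrypted

// Disk models an encrypted volume (constructed, not the Matrix42 on-disk layout):
// a header with the DEK wrapped under the KEK, then the ciphertext sectors.
type Disk struct {
	WrapNonce, WrappedDEK []byte
	Sectors               [][]byte
}

// must panics on error; acceptable here because every key and nonce size is fixed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// WrapDEK encrypts the DEK under the KEK with AES-256-GCM so it can sit in the disk
// header; the KEK is what the user's password, smart card or token ultimately protects.
func WrapDEK(kek, dek []byte) (nonce, wrapped []byte) {
	g := newGCM(kek)
	nonce = make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return nonce, g.Seal(nil, nonce, dek, []byte("dek-header"))
}

// sectorIV derives the IV for sector n as AES_{SHA-256(DEK)}(n) (ESSIV, as in dm-crypt,
// chosen for illustration); tying the IV to the position lets each sector stand alone.
func sectorIV(dek []byte, n uint64) []byte {
	h := sha256.Sum256(dek)
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], n)
	must(aes.NewCipher(h[:])).Encrypt(iv, iv)
	return iv
}

// CryptSector runs AES-CBC over one sector under the DEK: the per-sector step a
// driver applies on every physical write (encrypt=true) and read (encrypt=false).
func CryptSector(dek []byte, n uint64, in []byte, encrypt bool) ([]byte, error) {
	if len(in) != SectorSize {
		return nil, errors.New("sector must be exactly SectorSize bytes")
	}
	block, out := must(aes.NewCipher(dek)), make([]byte, SectorSize)
	if encrypt {
		cipher.NewCBCEncrypter(block, sectorIV(dek, n)).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, sectorIV(dek, n)).CryptBlocks(out, in)
	}
	return out, nil
}

// ReadSector unwraps the DEK with the KEK (fails for a wrong KEK or a damaged
// header) and then decrypts sector n.
func ReadSector(d *Disk, kek []byte, n uint64) ([]byte, error) {
	if d.WrappedDEK == nil {
		return nil, errors.New("key header erased: data unrecoverable")
	}
	dek, err := newGCM(kek).Open(nil, d.WrapNonce, d.WrappedDEK, []byte("dek-header"))
	if err != nil {
		return nil, err
	}
	return CryptSector(dek, n, d.Sectors[n], false)
}

// CryptoErase destroys only the wrapped-DEK header (a driver would overwrite it on
// the medium): the ciphertext stays but can never be decrypted again.
func CryptoErase(d *Disk) {
	for i := range d.WrappedDEK {
		d.WrappedDEK[i] = 0
	}
	d.WrappedDEK, d.WrapNonce = nil, nil
}

// Demo writes the same constructed plaintext to two sectors, reads one back and erases;
// it reports: round trip ok, ciphertexts differ per sector, unreadable after erase.
func Demo() (roundTrip, differ, unreadable bool) {
	kek, dek := make([]byte, 32), make([]byte, 32)
	must(rand.Read(kek))
	must(rand.Read(dek))
	d := &Disk{Sectors: make([][]byte, 2)}
	d.WrapNonce, d.WrappedDEK = WrapDEK(kek, dek)
	plain := bytes.Repeat([]byte("secret! "), SectorSize/8)
	for n := range d.Sectors {
		d.Sectors[n] = must(CryptSector(dek, uint64(n), plain, true))
	}
	got, err := ReadSector(d, kek, 1)
	roundTrip = err == nil && bytes.Equal(got, plain)
	CryptoErase(d)
	_, err = ReadSector(d, kek, 1)
	return roundTrip, !bytes.Equal(d.Sectors[0], d.Sectors[1]), err != nil
}
```

Demo returns three flags: the plaintext round-trips through a sector under the unwrapped DEK; identical plaintext gives different ciphertext in different sectors (the per-sector IV at work, so a rewrite of one sector never touches its neighbours); and once CryptoErase has discarded the wrapped-DEK header every read fails even though the sector data is untouched. The application data is only ever encrypted under the DEK, and the DEK is only ever stored wrapped under the KEK, which is why destroying that small header is enough to make a disk safe to redeploy or discard.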
Key length
The number of symbols (usually bits) needed to be able to represent any of the possible values of a cryptographic key.
Log file
A file to which system/component messages are collected for the purpose of evaluation. The following log files are created by Matrix42 Full Disk Encryption:
PKCS#11
‘PKCS’ refers to a group of Public Key Cryptography Standards devised and published by RSA Security. ‘PKCS#11’ is an API defining a generic interface to cryptographic tokens.
Pre-Boot Authentication (PBA)
A means to authenticate a person to a computer before the computer boots to the primary operating system. The Pre-Boot Authentication (PBA) module is an extension of Matrix42 Full Disk Encryption (FDE). A choice of two authentication methods is possible:
PBA is supported by the PBA HelpDesk (see ‘HelpDesk’).
Policies
See ‘autoconf.nbs’, ‘bootconf.nbs’, and ‘setup.iss’.
Remote administration
An administrator can deploy and/or configure Matrix42 Full Disk Encryption on any number of computers from a single computer. This helps maintain a consistent security policy throughout the company and saves time.
Secure erase
See ‘Cryptographic erase’.
setup.iss
This policy is the first of three policies to be executed for unattended installation:
Single sign-on
A method of access that manages authentication information so that a user can log on to systems and open programs without re-authenticating. For Matrix42 FDE, single sign-on applies to Windows credentials.
Smart card
A credit-card sized device containing one or more integrated circuit chips, which perform the functions of a computer's central processor, memory, and input/output interface.
Smart card reader
Smart card readers are used as a communications medium between the smart card and a host, e.g. a computer, a point of sale terminal, or a mobile telephone.
Token
A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens. Smart card-based USB tokens (which contain a smart card chip inside) provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device (smart card reader). From the computer operating system’s point of view such a token is a USB-connected smart card reader with one non-removable smart card present.
User
An individual who uses a computer. This includes expert programmers as well as novices. An end user is any individual who runs an application program. The user usually cannot configure, remove, or change any Matrix42 Full Disk Encryption component.
Windows Credentials
A unique set of information authorizing a user to access the Windows operating system on a computer. The credentials usually comprise a user name, a password, and a domain name (optional). PBA allows the user to authenticate themselves via their Windows credentials. The ‘single sign-on’ function of PBA allows the user to enter their credentials once in PBA with no need to re-enter them in the Windows logon dialog.