Objective 1.4 · High Priority · 9 min read

Encryption Levels

Different scopes at which encryption can be applied: full-disk encryption (entire drive), partition encryption, volume encryption, file-level encryption, database encryption, and record-level encryption. Each level has different use cases and trade-offs.

Understanding Encryption Levels

Encryption can be applied at different levels—from entire drives to individual data fields. Each level offers different protection scope, performance characteristics, and management complexity.

Key principle: Encryption protects data at rest (stored data) against physical theft and unauthorized access. However, the level you choose affects what's protected and the trade-offs involved.

The more granular the encryption, the more flexible the protection but the more complex the key management. The broader the encryption, the simpler the management but the less flexible the protection.

Why This Matters for the Exam

SY0-701 tests your ability to choose appropriate encryption levels for different scenarios. Questions may ask which encryption level protects against specific threats or which is appropriate for specific compliance requirements.

Understanding encryption levels also helps with data loss prevention questions. Knowing that full-disk encryption protects against theft but not authorized user access helps you design layered security.

In the real world, you'll often need to explain why multiple encryption levels are needed at once, for example full-disk encryption PLUS database encryption for sensitive records.

Deep Dive

Full-Disk Encryption (FDE)

Encrypts the entire storage device including operating system, applications, and all data.

How it works:

  • All data encrypted when written to disk
  • All data decrypted when read
  • Requires pre-boot authentication
  • Transparent to applications

Tools:

  • BitLocker (Windows)
  • FileVault (macOS)
  • LUKS (Linux)
  • VeraCrypt (cross-platform)

Protects against:

  • Physical theft of device
  • Removing drive and accessing on another system
  • Data recovery from decommissioned drives

Does NOT protect against:

  • Authorized user accessing data
  • Malware running on unlocked system
  • Network-based attacks

Partition Encryption

Encrypts specific disk partitions rather than the entire disk.

Use cases:

  • Separate encrypted partition for sensitive data
  • Dual-boot systems with one OS encrypted
  • Selective protection of data partitions

Volume Encryption

Encrypts logical volumes (which may span multiple physical disks).

Use cases:

  • Cloud storage volumes
  • Virtual disk files
  • Removable media

File-Level Encryption

Encrypts individual files rather than entire disks or partitions.

Characteristics:

  • Granular control over what's encrypted
  • Files remain encrypted even when copied
  • Requires key management per file or file group

Tools:

  • EFS (Encrypting File System - Windows)
  • GPG/PGP for file encryption
  • 7-Zip with encryption

Advantages:

  • Selective encryption
  • Protection persists when file is moved
  • Different keys for different files

Disadvantages:

  • Management complexity
  • Metadata (filenames) may not be encrypted
  • Each file needs key management

Database Encryption

Encrypts data within databases at various levels.

Transparent Data Encryption (TDE)

  • Encrypts entire database files
  • Transparent to applications
  • Protects data at rest on disk

Column-Level Encryption

  • Encrypts specific sensitive columns
  • Different keys for different columns
  • Applications must handle encryption

Record-Level Encryption

Encrypts individual records or fields within a database.

Use cases:

  • Credit card numbers
  • Social Security numbers
  • Healthcare identifiers
  • Any field requiring specific protection

Characteristics:

  • Most granular protection
  • Highest management complexity
  • Can use different keys per record
  • Enables fine-grained access control
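The column-level and record-level sections above say the application, not the database engine, does the encryption and that only the sensitive field is protected while the rest of the row stays queryable. The following Go program is an added example (not from this guide or any vendor product) that encrypts just the SSN column of a constructed patient row with AES-256-GCM; the `Record` type, `aadFmt`, and the demo key are assumptions for illustration. The additional authenticated data ties each ciphertext to its row ID, so a ciphertext copied into another row, a tampered value, or a wrong column key all fail on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one constructed patient row: ID and Name stay plaintext and searchable; only SSN is encrypted, by the app.
type Record struct {
	ID     int
	Name   string
	EncSSN []byte // nonce || AES-256-GCM ciphertext || tag
}

const aadFmt = "ssn:id=%d" // AAD ties each ciphertext to its row; a value moved to another row fails to decrypt

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// EncryptSSN encrypts one field under the column key with a fresh random nonce.
func EncryptSSN(colKey []byte, id int, name, ssn string) Record {
	g := mustGCM(colKey)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error as of Go 1.24; it crashes instead
	return Record{id, name, g.Seal(nonce, nonce, []byte(ssn), fmt.Appendf(nil, aadFmt, id))}
}

// DecryptSSN fails on a wrong key, a tampered ciphertext, or a moved row.
func DecryptSSN(colKey []byte, r Record) (string, error) {
	g := mustGCM(colKey)
	if ns := g.NonceSize(); len(r.EncSSN) >= ns {
		pt, err := g.Open(nil, r.EncSSN[:ns], r.EncSSN[ns:], fmt.Appendf(nil, aadFmt, r.ID))
		return string(pt), err
	}
	return "", fmt.Errorf("record %d: ciphertext too short", r.ID)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // demo key only; keep real keys in a KMS/HSM
	r := EncryptSSN(key, 7, "Constructed Patient", "123-45-6789")
	fmt.Printf("row %d name=%q stored_ssn=%x\n", r.ID, r.Name, r.EncSSN)
}
```

Because the nonce is random, two rows holding the same SSN produce different ciphertexts, so equality of sensitive values does not leak; the trade-off is that the encrypted column cannot be indexed or searched by value, which is why only the fields that need it get this treatment.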

Encryption Levels Comparison

| Level     | Scope              | Management   | Use Case                  |
|-----------|--------------------|--------------|---------------------------|
| Full-disk | Entire drive       | Simple       | Laptop theft protection   |
| Partition | Disk sections      | Moderate     | Selective protection      |
| Volume    | Logical volumes    | Moderate     | Cloud storage             |
| File      | Individual files   | Complex      | Sensitive documents       |
| Database  | Database files     | Moderate     | Regulatory compliance     |
| Record    | Individual records | Very complex | PCI DSS, HIPAA data       |

Layered Encryption

Multiple encryption levels can be combined:

  • Full-disk encryption for theft protection
  • Database encryption for compliance
  • Record-level encryption for highly sensitive fields

Each layer protects against different threats.

How CompTIA Tests This

Example Analysis

Scenario: A hospital needs to protect patient records. Laptops may be stolen (physical theft), but they also need to ensure that even authorized users can only see records they're permitted to access.

Solution: Layered encryption

Level 1: Full-disk encryption (BitLocker)

  • Protects against laptop theft
  • If the laptop is stolen, the data is inaccessible
  • Requires authentication at boot

Level 2: Database encryption (TDE)

  • Protects database files at rest
  • Meets HIPAA requirements
  • Transparent to applications

Level 3: Record-level encryption

  • Sensitive fields (SSN, diagnoses) encrypted
  • Different keys per patient or department
  • Access control at field level

Key insight: Full-disk encryption alone isn't enough. Once an authorized user logs in, FDE provides no protection. Additional layers protect against insider access and provide compliance.

Key Terms to Know

encryption levels, full disk encryption, file encryption, database encryption, volume encryption, BitLocker, data at rest, FDE

Common Mistakes to Avoid

Thinking full-disk encryption protects against all threats—FDE protects against physical theft. Once the system is booted and unlocked, the data is accessible.
Forgetting that file metadata may be exposed—file-level encryption often doesn't encrypt filenames, timestamps, or file sizes.
Not considering key management—more granular encryption means more keys to manage. Record-level encryption can have millions of keys.
Assuming one level is enough—layered encryption protects against different threat vectors. Multiple levels often needed for compliance.

Exam Tips

Full-disk encryption = Theft protection. It doesn't help once the system is unlocked.
BitLocker = Windows FDE. FileVault = macOS FDE. Know these associations.
Database TDE = Transparent Data Encryption. "Transparent" means applications don't need modification.
Record-level = Most granular, most complex. Used for PCI DSS (credit cards), HIPAA (health records).
Layered encryption addresses different threats—physical theft, unauthorized access, compliance.

Memory Trick

"Encryption Levels: Drive → File → Field"

Broad to narrow:

  • Drive (full-disk) — Whole device
  • Partition/Volume — Sections
  • File — Individual files
  • Database — Database level
  • Record/Field — Individual data elements

Protection scope memory:

  • FDE protects the DISK, not the DATA once unlocked
  • File encryption protects the FILE, not the FILENAME
  • Record encryption protects the FIELD, not the SCHEMA

Tool associations:

  • BitLocker = Windows boot-level (full-disk) encryption
  • FileVault = macOS FDE
  • TDE = Transparent database encryption

Test Your Knowledge

Q1. A company laptop with sensitive data is stolen from an employee's car. The laptop was powered off and had full-disk encryption enabled. What is the status of the data?

Q2. An organization needs to encrypt specific credit card numbers in their database while leaving other fields unencrypted for performance. Which encryption level is MOST appropriate?

Q3. What is a limitation of full-disk encryption (FDE)?
