If disk encryption is used instead of file- or column-level encryption, how should logical access and decryption keys be handled?


Multiple Choice

If disk encryption is used instead of file- or column-level encryption, how should logical access and decryption keys be handled?

Explanation:
Disk encryption protects data at rest with a decryption key, so how that key is managed is crucial. If the key or the ability to decrypt is tied to the operating system login or to individual user accounts, anyone who can log into the OS, or who inherits that account, could decrypt the data. That creates a weak point: a compromised device or a terminated user could still expose sensitive information.

To prevent this, logical access to the encrypted data should be governed by a separate, independent key management process. Decryption keys should be stored in a dedicated system (like a key management server or hardware security module) with strict access controls, auditing, and the ability to enforce separation of duties, rotation, and revocation. Access to the decrypted data is then controlled by policy-based mechanisms that are independent of native OS authentication, ensuring that keys aren’t directly tied to user accounts. The goal is to prevent the OS or individual user credentials alone from granting access to the encrypted material, even if the device is compromised. Other approaches that rely on OS authentication or on tying keys to local network access don’t provide the same level of separation and control for protecting data at rest.

