- What is Full Disk Encryption?
- Benefits of Full Disk Encryption
- Good to read
- Software Based Full Disk Encryption vs Hardware Based Full Disk Encryption
- Best Open Source and free Full Disk Encryption Products
- Best Full Disk Encryption Products for Enterprises
What is Full Disk Encryption?
Full Disk Encryption or FDE is a technology in which almost everything on disk can be encrypted. It can encrypt all the data at rest on the hard drive of a computer including end user files, applications and even Operating System executables.
Full Disk Encryption can encrypt almost everything on a computer's disk. Some parts of the disk may necessarily remain unencrypted, for example the part containing the Master Boot Record. On systems using hardware based full disk encryption, however, even the MBR can be encrypted.
Benefits of Full Disk Encryption
A device containing sensitive information may get lost or stolen. If the data on the device is not encrypted at that time, it poses a risk: any person with malicious intent can recover the data and exploit it for malicious purposes.
For an enterprise, a lost or stolen employee device poses the same risk. The device may contain sensitive data such as employee details, financial information, medical records or other confidential information of the company. If this information is recovered by someone with malicious intent, it may lead to data breaches that cost the company millions of dollars.
With Full Disk Encryption almost everything on disk gets encrypted using a secret key. Typically the device asks for the secret key while booting up and then encrypts and decrypts all data using that key. Hence, if a device with Full Disk Encryption is not in a booted state, it is not feasible for anyone to retrieve the data on the device unless they have the secret key.
Please note that, while Full Disk Encryption secures data at rest, it may not be effective in preventing data theft from a device that is already in a booted state. Hence, other encryption technologies like virtual disk encryption, volume encryption and file encryption should be used along with Full Disk Encryption to ensure better security of data.
Software Based Full Disk Encryption vs Hardware Based Full Disk Encryption
Full Disk Encryption can use software as well as hardware to encrypt a disk. Full Disk Encryption Software, though able to encrypt almost the whole disk, may not be able to encrypt the Master Boot Record (MBR) or a similar area on a bootable disk that starts the Operating System. A hardware based Full Disk Encryption system can, however, encrypt the entire boot disk including the MBR.
Let's understand a few terms related to Full Disk Encryption that will help us in evaluating various Full Disk Encryption products.
Transparent Encryption
Transparent Encryption is a technology used by Full Disk Encryption Software. It is also known as real time encryption or On The Fly Encryption (OTFE). Using this technology, data is automatically encrypted and decrypted when it is loaded or saved.
With this technology, the entire filesystem within a volume is encrypted with a secret key. Data like file names, folder names and other metadata of a file or folder are encrypted too. When a user provides the secret key, the entire volume is mounted as if it were a physical drive. As a result, the user can access the files and folders as transparently as unencrypted ones. No data stored on the encrypted volume can be decrypted or read without the secret key.
This is usually implemented using device drivers, but encrypted volumes can still be used by normal users without administrative rights on the device.
Trusted Platform Module or TPM
Trusted Platform Module or TPM is a secure cryptoprocessor that can be used to authenticate a hardware device. It is typically embedded in the motherboard of the device and stores the secret keys required for hardware authentication. When a system boots, it uses these secret keys to ensure that the hardware seeking access is the expected system.
TPM can improve security, since if the hard drive is removed from the system, it can no longer be decrypted. But it has its disadvantages: if something happens to the TPM or the motherboard, the user will not be able to access the data unless they have a separate recovery key.