
Full Disk Encryption

As the mobile workforce heads out with their laptops, how can an organization keep the company information stored on those laptops safe? This is the question that disk encryption products try to answer. Although there are many file/folder-level encryption products (also known as vaults), this page focuses on Full Disk Encryption (FDE) products.

 

Full Disk Encryption is the process by which every bit of data written to a disk is encrypted; it can be performed in software or in hardware. Everything on the disk, including the operating system, is encrypted. Some products instead encrypt everything except the system or boot partition of the OS, while fully encrypting a second hard drive. Booting from a fully encrypted disk on a standard personal computer requires hardware assistance, because there is otherwise no way for the BIOS to decrypt an encrypted master boot record (MBR) and transfer program control to it. Software products can encrypt bootable operating-system partitions, but they must still leave the MBR, and thus part of the disk, unencrypted.

 

FDE has several added benefits compared to regular file or folder encryption, or encrypted vaults. Everything, including the swap space and temporary files, is encrypted, ensuring no confidential data is inadvertently left unprotected. With FDE, the decision of which files to encrypt is not left up to users. FDE also provides a method for immediate data destruction: simply destroying the cryptographic keys renders the data on the disk useless. Purging or physical destruction is still advised where the data must be protected from future attacks. However, FDE does not necessarily replace the requirement for file/folder-level encryption, because once an FDE-protected drive boots, all of its data is available in decrypted form; if a network connection to the running laptop can be obtained, the data is exposed.
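The layout the two paragraphs above describe (one volume key protecting every sector, a small region that must stay unencrypted so the machine can boot, and instant destruction by discarding the key) is easier to reason about with a toy model. The following is an added example written for this page, not code from the original page or from any FDE product. It uses only Python's standard library: an HMAC-SHA256 keystream stands in for the AES-XTS that real products use, and a PBKDF2-wrapped key slot stands in for vendor header formats. The sector size, passphrase and sample sector contents are constructed, and the cipher is for illustration only.

```python
"""Toy model of an FDE volume: sector-addressed encryption under a random volume
key that is stored on 'disk' only in wrapped form. Constructed for illustration;
the HMAC-SHA256 keystream stands in for the AES-XTS real products use."""
import hashlib
import hmac
import os
from typing import Optional

SECTOR_SIZE = 512          # bytes per sector (constructed value)
KEY_SIZE = 32              # 256-bit volume key
SALT_SIZE = 16
PBKDF2_ITERATIONS = 100_000

def _keystream(volume_key: bytes, sector_no: int, length: int) -> bytes:
    """Counter-mode keystream keyed by sector number, so identical plaintext at
    two disk positions yields different ciphertext."""
    out, block = bytearray(), 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(volume_key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def encrypt_sector(volume_key: bytes, sector_no: int, data: bytes) -> bytes:
    """Encrypt one sector; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(volume_key, sector_no, len(data))))

decrypt_sector = encrypt_sector

def _derive(passphrase: str, salt: bytes):
    """Passphrase -> (wrapping key, MAC key) via PBKDF2-HMAC-SHA256."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=2 * KEY_SIZE)
    return kek[:KEY_SIZE], kek[KEY_SIZE:]

def wrap_volume_key(volume_key: bytes, passphrase: str, salt: bytes) -> bytes:
    """Header key slot = salt || (volume_key XOR wrapping_key) || HMAC tag; the tag
    makes a wrong passphrase detectable instead of yielding a garbage key."""
    wrap_key, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, wrap_key))
    return salt + wrapped + hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()

def unwrap_volume_key(slot: bytes, passphrase: str) -> Optional[bytes]:
    """Recover the volume key from a key slot; None if the passphrase is wrong or
    the slot has been overwritten (crypto-erase)."""
    salt, wrapped, tag = slot[:SALT_SIZE], slot[SALT_SIZE:SALT_SIZE + KEY_SIZE], slot[SALT_SIZE + KEY_SIZE:]
    wrap_key, mac_key = _derive(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, wrap_key))

class EncryptedVolume:
    """In-memory disk: a cleartext header holding the wrapped volume key (the part
    that, like the MBR, cannot itself be encrypted) plus encrypted sectors."""

    def __init__(self, passphrase: str, sectors: int):
        self.volume_key: Optional[bytes] = os.urandom(KEY_SIZE)   # in RAM only while unlocked
        self.header_slot = wrap_volume_key(self.volume_key, passphrase, os.urandom(SALT_SIZE))
        self.sectors = [encrypt_sector(self.volume_key, i, bytes(SECTOR_SIZE)) for i in range(sectors)]

    def write(self, sector_no: int, data: bytes) -> None:
        self.sectors[sector_no] = encrypt_sector(self.volume_key, sector_no, data.ljust(SECTOR_SIZE, b"\0"))

    def read(self, sector_no: int) -> bytes:
        return decrypt_sector(self.volume_key, sector_no, self.sectors[sector_no]).rstrip(b"\0")

    def lock(self) -> None:
        """Power-off: the only surviving copy of the key is the wrapped one in the header."""
        self.volume_key = None

    def unlock(self, passphrase: str) -> bool:
        """Pre-boot authentication: rebuild the volume key from the header slot."""
        self.volume_key = unwrap_volume_key(self.header_slot, passphrase)
        return self.volume_key is not None

    def crypto_erase(self) -> None:
        """Immediate data destruction: overwrite the key slot and forget the key.
        Every sector stays physically intact but can no longer be decrypted."""
        self.header_slot = os.urandom(len(self.header_slot))
        self.volume_key = None

def demo() -> dict:
    """Exercise the properties the text describes; returns check name -> bool."""
    pw = "correct horse battery staple"                  # constructed passphrase
    vol = EncryptedVolume(pw, sectors=4)
    vol.write(0, b"swap: cached credential fragment")     # constructed sample data
    vol.write(1, b"tmp: draft quarterly figures")
    vol.write(2, b"tmp: draft quarterly figures")         # same bytes, different sector
    r = {}
    r["booted_volume_reads_cleartext"] = vol.read(0) == b"swap: cached credential fragment"
    r["swap_and_tmp_not_on_disk_in_clear"] = all(b"credential" not in s and b"quarterly" not in s for s in vol.sectors)
    r["identical_data_differs_per_sector"] = vol.sectors[1] != vol.sectors[2]
    vol.lock()
    r["wrong_passphrase_rejected"] = not vol.unlock("wrong passphrase")
    r["correct_passphrase_unlocks"] = vol.unlock(pw) and vol.read(1) == b"tmp: draft quarterly figures"
    vol.crypto_erase()
    r["erase_keeps_sectors_but_no_key"] = len(vol.sectors) == 4 and not vol.unlock(pw)
    return r
```

Running `demo()` returns a dictionary in which every check is `True`. Two points the model makes concrete: the header slot has to remain in cleartext, which is the same reason the MBR or boot code cannot itself be encrypted; and `crypto_erase()` destroys the data without touching a single data sector, yet anyone who already held a copy of the header and the passphrase before the erase loses nothing, which is why the text still advises purging or physical destruction for data that must resist future attacks. While the volume is unlocked, `read()` hands back plaintext to any caller, which is the running-system exposure the paragraph above warns about.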

 

Many mobile computer manufacturers include a Trusted Platform Module (TPM) chip in their current products. The TPM provides the means for hardware and software to generate and store keys for use in digital certificates and encryption, securely and in encrypted form. The TPM also provides the cryptographic engine to perform encryption, decryption and digital-signature operations. No person ever sees the private keys used for encryption in TPM-enabled applications, since they are stored on and processed by the TPM itself. Some FDE products support, or require, a TPM.

PGP Whole Disk Encryption provides enterprises with comprehensive, nonstop disk encryption, enabling quick, cost-effective protection for data on PCs, laptops, and removable media. The encrypted data is continuously safeguarded from unauthorized access, p ...