What are the benefits of Full Disk Encryption
(Last updated on September 26, 2019)
Full (or Whole) Disk Encryption (FDE) describes encrypting a computer's hard drive(s) so that the contents are not easily readable by an unauthorized user. As the name suggests, because this is done at the disk level (as opposed to the file level), everything on the disk is encrypted apart from the Master Boot Record. Some hardware encryption systems will even encrypt the boot area too.
In these days of greater cybercrime, the benefit of FDE is that all data on the disk, sensitive or otherwise, will be inaccessible to unauthorized personnel. Users who lose a laptop or phone do not need to worry about exposing company data. Even if the disk is removed from the computer, the data is usually irretrievable. Any files or folders created by the user on the disk are automatically encrypted, which avoids any potential for user error.
You will need to consider how the user should unlock their PC at boot time. You can make it a seamless experience for the user by using hardware that supports a Trusted Platform Module (TPM) chip. This solution does everything for the user. The keys to decrypt the disk are stored in the TPM chip, and the disk will only boot if it's connected to the TPM chip that originally encrypted it. If TPM is not available, the keys can be stored on a USB stick, or a PIN/password can be required. Some third-party encryption systems also allow the password to be synchronized with the user's AD password, but this can bring its own set of problems if the user forgets their password or needs to have it reset while off the network.
FDE does come with some drawbacks: it can't protect data once it's off the disk. If you are copying files between devices, they are usually decrypted while in transit and won't be encrypted on the target device if FDE is not enabled there. To protect data from this attack vector you need to look at other technologies such as file encryption, and also encrypted connections such as HTTPS, TLS, FTPS, SSL, SMB3, or IPsec. Obviously you will need to make sure that all authorized devices support these methods.
There will also be more CPU cycles involved during the encryption process so you might see some impact on performance.
Further, the biggest day-to-day issue is the complexity of recovering the data should an error occur that prevents the disk from booting.
This last issue can arise from any small change on the system that causes the fail-safes to kick in and prompt the unsuspecting user for a “recovery key”. This usually comes in the form of a 25-40 character key that the user will have to read to a system administrator, who can then provide them with another key in return that will allow the computer to boot. This process by itself poses security and usability issues. It is horribly complex to type those keys in correctly from a user perspective, and it raises questions on the admin/helpdesk side too: how do you know the person calling for the key is the authorized user of the laptop? Where are these recovery keys stored, and are they themselves encrypted in the database in which they reside? Is the database resilient? And who has access to the database and its backups?
FDE is a great addition to any CIO/CSO security portfolio, but it must be enabled with care and consideration of the points above. In summary:
- Choose hardware that supports TPM chips
- Categorize your data so very sensitive files/folders are protected in transit as well as at rest
- Make sure your recovery keys are stored in a secure database
- Choose a robust method for those keys to be provided to the RIGHT user. Here I recommend a self-service platform secured by MFA to reduce the load on the service desk and mitigate the security issues related to key recovery.
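The release check that such a self-service portal would need can be sketched as follows. This is an added illustration, not code from any product: the class, method names, and sample data are hypothetical. Keys sit in a plain dict for brevity, where a real store would encrypt them at rest.

```python
import hashlib, hmac, struct, time

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1) for the time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class RecoveryPortal:
    """Hypothetical portal: releases a recovery key only to the device's
    assigned user after a valid second factor, and audits every attempt."""
    MAX_FAILURES = 3

    def __init__(self, escrow, owners, mfa_secrets):
        self.escrow = escrow            # device_id -> recovery key
        self.owners = owners            # device_id -> assigned user
        self.mfa_secrets = mfa_secrets  # user -> TOTP secret
        self.failures = {}              # user -> consecutive MFA failures
        self.audit = []                 # (time, user, device_id, outcome)

    def request_key(self, user, device_id, code, now=None):
        now = time.time() if now is None else now
        outcome, key = self._decide(user, device_id, code, now)
        self.audit.append((int(now), user, device_id, outcome))
        return key

    def _decide(self, user, device_id, code, now):
        if self.failures.get(user, 0) >= self.MAX_FAILURES:
            return "locked_out", None
        secret = self.mfa_secrets.get(user)
        # Accept the current and previous time step to tolerate clock drift.
        valid = secret is not None and any(
            hmac.compare_digest(totp(secret, now - d).encode(), str(code).encode())
            for d in (0, 30))
        if not valid:
            self.failures[user] = self.failures.get(user, 0) + 1
            return "mfa_failed", None
        self.failures[user] = 0
        if self.owners.get(device_id) != user:
            return "not_owner", None  # authenticated, but not this device's user
        return "released", self.escrow[device_id]

if __name__ == "__main__":
    # Constructed sample data, not real keys or secrets.
    portal = RecoveryPortal({"LT-0042": "EXAMPLE-RECOVERY-KEY"},
                            {"LT-0042": "alice"}, {"alice": b"constructed-secret"})
    code = totp(b"constructed-secret", time.time())
    print(portal.request_key("alice", "LT-0042", code), portal.audit)
```

The audit list records refusals as well as releases, so repeated failed requests for a device are visible to whoever reviews it.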