What is full-disk encryption?
(Last updated on February 17, 2020)
In today’s threat landscape, encryption is a necessary component of an organization’s security policy. Encryption is the process of changing information to make it unreadable by anyone except those possessing special knowledge (commonly referred to as a secret key) that allows them to change the information back to its original form. By converting information into an unreadable format, encryption technology protects data from unauthorized access.
Disk encryption is a security mechanism that protects data at rest on an endpoint. An endpoint is any device that has the capability to connect to an organization’s network (e.g. desktop computers, laptops, smart phones, printers, and similar hardware).
Encryption applied to a storage device as a whole, rather than to individual files, is commonly referred to as full-disk encryption (FDE), or whole disk encryption. It signifies that everything on the disk is encrypted – data, OS, files, including swap files and hibernation files. FDE is common practice for laptops, which are highly susceptible to theft, and consequently, data breaches. Not surprisingly, 41% of data breach events from 2005 through 2015 were the result of lost devices (laptops, tablets, smartphones).
FDE addresses this problem, but its protection is limited to the loss or theft of the device. Once the machine is powered on and unlocked, it provides no protection against unauthorized users. An attacker who compromises the running system, for example through a web vulnerability, can read any data the unlocked disk presents in plaintext.
How to enable full-disk encryption
FDE can be achieved with hardware-based and software-based methods. Hardware-based methods include storage devices with encryption built in during manufacturing, and off-device hardware, where the storage device is attached through an encrypting adapter.
Major commercial operating systems have built-in encryption programs – Microsoft BitLocker for Windows, Apple FileVault for Mac OS X, and dm-crypt for Linux. All the user has to do is opt in to using it and select a strong password.
Software-based FDE implementations can be installed on top of the operating system to increase security, and include third-party tools such as Symantec’s PGP Whole Disk Encryption.
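The section above names the built-in tools but not how an administrator confirms they are actually in effect on a machine. The following audit script is an added example, not code from the original article or from any of the vendors named: it parses the JSON produced by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` on a Linux host that uses dm-crypt, and lists every mounted filesystem (swap included) that is not backed by a `crypt` mapping, which is exactly the data the article says FDE must cover. The JSON embedded in the script is constructed for illustration; the `--live` flag runs the real command instead.

```python
"""Audit a Linux host for mounted filesystems that are not protected by dm-crypt.

Added example (not from the article). Assumed input: the JSON that
    lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT
prints. A mounted filesystem counts as encrypted at rest only if it, or one of
its ancestors in the block-device tree, is a device of TYPE "crypt" (a dm-crypt
or LUKS mapping). Everything else mounted, including swap, is reported.
"""
import json
import subprocess
import sys

# Constructed sample, not captured from a real machine: an encrypted root on
# nvme0n1p3, a plaintext /boot and EFI partition, and a second disk holding an
# unencrypted data partition and an unencrypted swap partition.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
       {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
       {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
        ]}
     ]},
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/data"},
       {"name": "sda2", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}
     ]}
  ]
}
"""


def _walk(devices, inside_crypt, findings):
    """Depth-first walk; a 'crypt' node protects every descendant below it."""
    for dev in devices:
        encrypted = inside_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint and not encrypted:
            findings.append({"name": dev["name"],
                             "fstype": dev.get("fstype"),
                             "mountpoint": mountpoint})
        _walk(dev.get("children", []), encrypted, findings)


def unencrypted_mounts(lsblk_json: str) -> list:
    """Return every mounted filesystem (and active swap) with no dm-crypt ancestor."""
    findings = []
    _walk(json.loads(lsblk_json)["blockdevices"], False, findings)
    return findings


def main() -> int:
    if "--live" in sys.argv:
        data = subprocess.run(
            ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
            capture_output=True, text=True, check=True).stdout
    else:
        data = SAMPLE_LSBLK_JSON
    findings = unencrypted_mounts(data)
    for f in findings:
        print(f"PLAINTEXT  {f['mountpoint']:<12} {f['name']:<12} {f['fstype']}")
    # Non-zero exit lets a fleet-wide job flag hosts that need attention.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed sample the script reports `/boot/efi`, `/boot`, `/data` and `[SWAP]` while the LUKS-backed root passes. An EFI system partition is normally plaintext by necessity, so a real deployment would exempt it; an unencrypted swap partition, by contrast, is exactly the kind of gap the article warns about, since it can hold copies of data from the encrypted volume.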
Both hardware-based and software-based methods create a pre-boot authentication environment that can require a secret every time the computer is started. The form of that secret varies by product, but can include:
- Password or passphrase
- USB drive containing encryption key
- One-time password generating device (for example, RSA token)
- Biometric device (for example, fingerprint reader)
FDE will authenticate the user before permitting the usual boot sequence to start.
Security and user challenges
FDE is only a small part of a complete security plan for protecting organizational data. FDE is unlocked as soon as an authorized user logs in to the computer. Unless the user has manually encrypted individual files, data is exposed to anyone who can access the computer while the user is logged in. FDE only protects against physical access to the device, and does not safeguard data against attackers who reach the running system over the network.
The pre-boot authentication environment is protected with a password and, in some scenarios, a second authentication factor. If the password is forgotten, the computer can’t be accessed and the data can’t be recovered. Most encryption solutions provide a password recovery component, but many organizations choose not to deploy it because of weak user verification methods (e.g. security questions) and the challenge of tying multiple endpoints to the self-service portal. This results in increased lockouts and, consequently, calls to the helpdesk. According to research findings from leading analyst firms like Gartner and Forrester, the average helpdesk call:
- Takes 15 minutes
- Costs between $8 and $15 to resolve
- Impacts security due to weak verification methods (security questions)
Analyst findings also indicate that key recovery calls occur on average 3-4 times a year, resulting in an average cost per user, per year ranging from $24 to $60. Productivity losses are not included in these averages, although they also carry a cost.
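The list of pre-boot secrets above and the discussion of recovery components both rest on one design shared by BitLocker, FileVault and LUKS: the volume is encrypted under a random data-encryption key (DEK), and each unlock method (passphrase, recovery key, token) gets its own key slot that holds the DEK wrapped under a key derived from that secret. The model below is an added example written for this article, not code from any of those products. It shows why a forgotten passphrase leaves the data intact, why a recovery key can still unwrap the same DEK, and why resetting the passphrase afterwards never re-encrypts the disk. Two stand-ins are assumptions of the example, labelled in the comments: HMAC-SHA256 in counter mode replaces AES-XTS for sector encryption, and key wrapping is XOR with a scrypt-derived key plus an HMAC tag; the class and function names are likewise the example's own.

```python
"""Toy model of an FDE key hierarchy with several unlock slots.

Added example, not BitLocker, FileVault or LUKS code. The structure mirrors
those systems; the primitives are stdlib stand-ins (see comments).
"""
import hashlib
import hmac
import secrets

SECTOR_SIZE = 512


def _keystream(dek: bytes, sector_no: int, length: int) -> bytes:
    """PRF in counter mode, keyed per sector. Stand-in for AES-XTS (assumption)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        blocks.append(hmac.new(dek, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def crypt_sector(dek: bytes, sector_no: int, data: bytes) -> bytes:
    """Encrypt or decrypt one sector; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(dek, sector_no, len(data))))


def _slot_keys(secret: bytes, salt: bytes):
    """Derive a wrap key and a MAC key from a user secret with a slow KDF."""
    material = hashlib.scrypt(secret, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return material[:32], material[32:]


class EncryptedVolume:
    def __init__(self, sectors, passphrase: bytes):
        dek = secrets.token_bytes(32)   # random DEK, never derived from a password
        self.sectors = [crypt_sector(dek, i, s) for i, s in enumerate(sectors)]
        self.slots = {}                 # label -> (salt, wrapped DEK, tag)
        self.add_slot("passphrase", passphrase, dek)

    def add_slot(self, label: str, secret: bytes, dek: bytes) -> None:
        """Enrol an unlock method. Needs the DEK, so it runs from an unlocked session."""
        salt = secrets.token_bytes(16)
        wrap_key, mac_key = _slot_keys(secret, salt)
        wrapped = bytes(a ^ b for a, b in zip(dek, wrap_key))   # toy key wrap (assumption)
        tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
        self.slots[label] = (salt, wrapped, tag)

    def unlock(self, label: str, secret: bytes) -> bytes:
        """Pre-boot authentication: recover the DEK from one slot or fail closed."""
        salt, wrapped, tag = self.slots[label]
        wrap_key, mac_key = _slot_keys(secret, salt)
        expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError(f"slot {label!r}: wrong secret")
        return bytes(a ^ b for a, b in zip(wrapped, wrap_key))

    def read_sector(self, dek: bytes, sector_no: int) -> bytes:
        return crypt_sector(dek, sector_no, self.sectors[sector_no])


def demo() -> dict:
    """Enrol, lock out, recover, reset: report what changed and what did not."""
    plaintext = [b"payroll-2020.xlsx contents".ljust(SECTOR_SIZE, b"\0"),
                 b"hiberfil.sys contents".ljust(SECTOR_SIZE, b"\0")]  # constructed sample
    vol = EncryptedVolume(plaintext, b"correct horse battery staple")
    ciphertext_differs = vol.sectors[0] != plaintext[0]

    dek = vol.unlock("passphrase", b"correct horse battery staple")
    recovery_key = secrets.token_hex(24)   # stands in for BitLocker's 48-digit recovery password
    vol.add_slot("recovery", recovery_key.encode(), dek)
    before = list(vol.sectors)

    try:                                   # forgotten passphrase: the slot rejects the guess
        vol.unlock("passphrase", b"wrong guess")
        locked_out = False
    except PermissionError:
        locked_out = True

    dek2 = vol.unlock("recovery", recovery_key.encode())   # recovery slot yields the same DEK
    vol.add_slot("passphrase", b"new passphrase", dek2)    # reset touches the slot only
    return {
        "ciphertext_differs": ciphertext_differs,
        "locked_out": locked_out,
        "recovery_dek_matches": dek2 == dek,
        "sectors_unchanged": vol.sectors == before,
        "first_sector": vol.read_sector(vol.unlock("passphrase", b"new passphrase"), 0).rstrip(b"\0"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that the helpdesk or self-service path hands out a slot secret, never the DEK itself, and a reset writes a new slot rather than re-encrypting sectors; that is what makes recovery cheap for the product and why the cost of recovery lands on user verification, as the figures above describe.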
Do you want users to unlock their computers without calling the helpdesk? Specops Key Recovery is a self-service solution for unlocking computers encrypted by Microsoft BitLocker and Symantec Endpoint Encryption. A user who is locked out at the pre-boot authentication screen can use the solution to unlock their computer using multi-factor authentication. Read more about Specops Key Recovery here.