Tech moves fast! Stay ahead of the curve with Techopedia!
Join nearly 200,000 subscribers who receive actionable tech insights from Techopedia.
Full-disk encryption (FDE) is the encryption of all data on a disk drive, including the program that encrypts the bootable OS partition. It is performed by disk encryption software or hardware that is installed on the drive during manufacturing or via an additional software driver. FDE converts all device data into a form that can be only understood by the one who has the key to decrypt the encrypted data. An authentication key is used to reverse conversion and render the data readable. FDE prevents unauthorized drive and data access.
Data and OSs are automatically encrypted through FDE. However, the master boot record (MBR) remains unencrypted. Some FDE and hybrid FDE systems encrypt the complete disk, including the MBR.
FDE is also known as whole disk encryption (WDE).
The encrypted data is inaccessible to an unauthorized users, even if the device is installed on another machine. After unlocking a computer, the data is automatically decrypted and readable. A disadvantage is that the encryption/decryption process slows data access time, particularly when virtual memory is used.
FDE is useful for small electronic devices vulnerable to theft or loss, such as laptops. In a corporate or large computer network environment, a secure username and password policy is a critical requirement. The following are FDE advantages:
However, FDE has issues. Cold boot attacks may occur when data bit degradation slows after power is switched off, creating vulnerability. The OS must hold the decryption keys in memory for disk drive data access. Additionally, decryption of blocks on the stored OS drive must be done before booting the OS. Thus, the authentication key must be available before a password is requested by the interface. This is addressed by the pre-boot authentication.
File system-level encryption is similar to FDE but typically does not encrypt file system metadata, such as directory structure, file names, timestamps, or file/folder sizes.