What Does Full-Disk Encryption Mean?
Full-disk encryption (FDE) is the encryption of all data on a disk drive, including the program that encrypts the bootable OS partition. It is performed by disk encryption software or hardware that is installed on the drive during manufacturing or via an additional software driver. FDE converts all device data into a form that can be only understood by the one who has the key to decrypt the encrypted data. An authentication key is used to reverse conversion and render the data readable. FDE prevents unauthorized drive and data access.
Data and OSs are automatically encrypted through FDE. However, the master boot record (MBR) remains unencrypted. Some FDE and hybrid FDE systems encrypt the complete disk, including the MBR.
FDE is also known as whole disk encryption (WDE).
Techopedia Explains Full-Disk Encryption
The encrypted data is inaccessible to an unauthorized users, even if the device is installed on another machine. After unlocking a computer, the data is automatically decrypted and readable. A disadvantage is that the encryption/decryption process slows data access time, particularly when virtual memory is used.
FDE is useful for small electronic devices vulnerable to theft or loss, such as laptops. In a corporate or large computer network environment, a secure username and password policy is a critical requirement. The following are FDE advantages:
- The majority of data is encrypted, including swap space and temporary files.
- A user cannot determine file encryption.
- Authorization is established prior to computer booting (pre-boot authentication).
- Destroying authentication/cryptography keys also destroys data. Physical drive destruction or purging is recommended if future attacks are a concern.
However, FDE has issues. Cold boot attacks may occur when data bit degradation slows after power is switched off, creating vulnerability. The OS must hold the decryption keys in memory for disk drive data access. Additionally, decryption of blocks on the stored OS drive must be done before booting the OS. Thus, the authentication key must be available before a password is requested by the interface. This is addressed by the pre-boot authentication.
File system-level encryption is similar to FDE but typically does not encrypt file system metadata, such as directory structure, file names, timestamps, or file/folder sizes.