Full-Disk Encryption

What Does Full-Disk Encryption Mean?

Full-disk encryption (FDE) is the encryption of all data on a disk drive, including the program that encrypts the bootable OS partition. It is performed by disk encryption software or hardware that is installed on the drive during manufacturing or via an additional software driver. FDE converts all device data into a form that can be only understood by the one who has the key to decrypt the encrypted data. An authentication key is used to reverse conversion and render the data readable. FDE prevents unauthorized drive and data access.

Advertisements

Data and OSs are automatically encrypted through FDE. However, the master boot record (MBR) remains unencrypted. Some FDE and hybrid FDE systems encrypt the complete disk, including the MBR.

FDE is also known as whole disk encryption (WDE).

Techopedia Explains Full-Disk Encryption

The encrypted data is inaccessible to an unauthorized users, even if the device is installed on another machine. After unlocking a computer, the data is automatically decrypted and readable. A disadvantage is that the encryption/decryption process slows data access time, particularly when virtual memory is used.

FDE is useful for small electronic devices vulnerable to theft or loss, such as laptops. In a corporate or large computer network environment, a secure username and password policy is a critical requirement. The following are FDE advantages:

  • The majority of data is encrypted, including swap space and temporary files.
  • A user cannot determine file encryption.
  • Authorization is established prior to computer booting (pre-boot authentication).
  • Destroying authentication/cryptography keys also destroys data. Physical drive destruction or purging is recommended if future attacks are a concern.

However, FDE has issues. Cold boot attacks may occur when data bit degradation slows after power is switched off, creating vulnerability. The OS must hold the decryption keys in memory for disk drive data access. Additionally, decryption of blocks on the stored OS drive must be done before booting the OS. Thus, the authentication key must be available before a password is requested by the interface. This is addressed by the pre-boot authentication.

File system-level encryption is similar to FDE but typically does not encrypt file system metadata, such as directory structure, file names, timestamps, or file/folder sizes.

Advertisements

Related Terms

Margaret Rouse

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.