3DSC 2.6: Full Disk Encryption

A full disk encryption primer

Readers of the Your Ultimate Security Guide series and the Complete Privacy and Security Desk Reference know that I am whole-heartedly in favor of full disk encryption. If you haven’t yet implemented this on your machine, I hope now is when you jump in.

Difficulty: Easy (Bitlocker, FileVault, Android, iOS)/Intermediate (VeraCrypt)
Active Time: 15-30 minutes; inactive time 8-24 hours for the initial background encryption pass, depending on storage size and processor speed
What it protects you from: Unauthorized access to your files and operating system, and forensic analysis of the drive, when the device is powered off or the drive has been removed. It does not protect a machine that is running and unlocked.

Full Disk Encryption Basics

Full disk encryption is the encryption of the entire hard drive. All of your files, all programs, and even the operating system itself are encrypted. The only thing that remains unencrypted is a very small portion of the drive that is required to begin the boot sequence. When you enter the password to boot the computer, the decryption key is unlocked and held in memory; from then on, data is decrypted "on-the-fly" as you read it and re-encrypted as you write it. When you shut down the computer, the key is discarded and everything is once again protected.

While you use your computer, it quietly stores various versions of your files, such as saved "recovery" copies, records of the filenames you have opened, internet browsing history, and a great deal of other sensitive information, without asking you or telling you where. If your hard drive is unencrypted, this residue can be recovered and may reveal the names, sizes, and even the contents of files you thought were protected by file-level encryption.

For example, when you edit a Microsoft Word document, Word periodically writes an AutoRecover copy so the document can be restored if the computer crashes or you close it without saving. That copy is written unencrypted to your drive in a location that the average user is unlikely to find or clean up. Full disk encryption prevents this kind of leakage from being read off the drive.

Full Disk Encryption Benefits

The biggest reason I value full disk encryption (FDE) is that it is almost totally transparent to the user. Once it is enabled, it requires only one additional action from the user: entering a password. With FileVault this is simply the user's existing login password, and with BitLocker on a machine with a TPM the volume unlocks automatically and the Windows login remains the only prompt. There are no complicated programs or procedures to learn. The user just enters his or her password to boot the machine. After that, the computer behaves as it always has. Though some users (like me) like working with additional encryption options, most do not. The user-friendliness of FDE is probably the single biggest factor that will contribute to more widespread adoption.

Full disk encryption offers the strongest practical protection for the data at rest on a computer's hard drive. It means that the entire drive, including all files, the operating system, applications and programs, and anything else on it, is encrypted when the computer is turned off. The only portion of the drive left unencrypted is the boot loader, a very small region that lets the computer accept the entered password and begin the boot process upon startup.

Encryption of the entire drive is beneficial for several other reasons. It is the most transparent form of encryption: after the user enters a password and the computer boots, it functions as it normally would. And if your computer is lost or stolen while powered off, no information can be recovered from it without the password or the recovery key. When a thief or attacker turns the device on, a password prompt appears, and the computer will not boot until the correct password is entered. If the drive is removed and plugged into another machine as an external disk, or if the computer is booted from another operating system such as a live DVD or USB stick (two common techniques for getting around operating system passwords), all of the data is still encrypted and inaccessible to the attacker. The one situation FDE does not cover is a machine that is running or asleep: the decryption key is then sitting in memory, and researchers recently demonstrated an attack that bypasses Windows and Mac lock screens in a matter of seconds. The practical rule is to shut down, not merely lock or sleep, before leaving the machine where someone else can get at it.
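To make the mechanics described above concrete, here is an added example in Go (my own code, not anything from the original article or from BitLocker, FileVault or VeraCrypt) that models an FDE volume: AES-XTS, the sector-tweaked mode that BitLocker (since Windows 10 version 1511), FileVault 2 and VeraCrypt all use, applied per 512-byte sector, with the first sector left in the clear to stand in for the boot loader region. The key, the disk contents and the sector layout are constructed for the example. It shows why the boot region is readable, why any single sector can be decrypted on its own as the operating system asks for it, and why the same text stored in two places looks unrelated on disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const SectorSize = 512 // the XTS data unit; 512 bytes matches a classic disk sector

// demoKey is a constructed, fixed key for this example only. A real FDE key is
// random, unwrapped from the user's password at boot, and never hard-coded.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// xtsVolume models an FDE volume: AES-XTS with two 128-bit subkeys, plus
// bootSectors sectors left in the clear at the start of the disk, standing in
// for the small boot loader region the article describes.
type xtsVolume struct {
	k1, k2      cipher.Block
	bootSectors int
}

func newXTSVolume(key []byte, bootSectors int) (*xtsVolume, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-XTS-128 needs a 32-byte key, got %d", len(key))
	}
	k1, _ := aes.NewCipher(key[:16]) // cannot fail: the length is checked above
	k2, _ := aes.NewCipher(key[16:])
	return &xtsVolume{k1: k1, k2: k2, bootSectors: bootSectors}, nil
}

// mulAlpha multiplies the tweak by x in GF(2^128) mod x^128+x^7+x^2+x+1, the
// IEEE 1619 step that moves the tweak from one 16-byte block to the next.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := 0; i < 16; i++ {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// Crypt returns a copy of sector n encrypted (encrypt=true) or decrypted. The
// sector number is the XTS tweak, so identical plaintext in two sectors gives
// different ciphertext, and one sector can be handled without touching its
// neighbours, which is what makes on-the-fly access possible. Sectors in the
// boot region are copied unchanged.
func (v *xtsVolume) Crypt(n int, data []byte, encrypt bool) ([]byte, error) {
	if n < 0 || len(data) != SectorSize {
		return nil, fmt.Errorf("sector %d: got %d bytes, want %d", n, len(data), SectorSize)
	}
	out := append([]byte(nil), data...)
	if n < v.bootSectors {
		return out, nil // boot loader stays in the clear
	}
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], uint64(n))
	v.k2.Encrypt(t[:], t[:]) // T = E_K2(sector number)
	for off := 0; off < SectorSize; off += 16 {
		blk := out[off : off+16]
		for i := range blk {
			blk[i] ^= t[i]
		}
		if encrypt {
			v.k1.Encrypt(blk, blk)
		} else {
			v.k1.Decrypt(blk, blk)
		}
		for i := range blk {
			blk[i] ^= t[i]
		}
		mulAlpha(&t)
	}
	return out, nil
}

// demoDisk is a constructed 4-sector disk: boot loader, the same confidential
// text in two sectors, and a sector of free space.
func demoDisk() [][]byte {
	fill := func(s string) []byte {
		b := make([]byte, SectorSize)
		for i := range b {
			b[i] = s[i%len(s)]
		}
		return b
	}
	doc := "CONFIDENTIAL salary review draft. "
	return [][]byte{fill("BOOTLOADER "), fill(doc), fill(doc), make([]byte, SectorSize)}
}

func main() {
	vol, _ := newXTSVolume(demoKey, 1)
	disk := make([][]byte, 0, 4)
	for n, p := range demoDisk() { // the image an attacker sees after pulling the drive
		c, _ := vol.Crypt(n, p, true)
		disk = append(disk, c)
		fmt.Printf("sector %d on disk: %x...\n", n, c[:16])
	}
	p, _ := vol.Crypt(2, disk[2], false) // the on-the-fly read of a single sector
	fmt.Printf("sector 2 through the mounted volume: %q...\n", p[:34])
}
```

Run it with go run and sector 0 prints as the readable BOOTLOADER bytes, while sectors 1 and 2, which hold the same text, print as two unrelated ciphertexts. The decryption key lives only in the xtsVolume value; drop it, as the operating system does at shutdown, and the disk image is all an attacker holds. The tweak arithmetic follows IEEE 1619, but this is illustration only; production code should use a maintained implementation such as golang.org/x/crypto/xts.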

Full Disk Encryption Programs

Follow the links below for specifics and instructions for your operating system. Remember that the cipher is far stronger than any password you are likely to choose, so the password is the weak point: pick a long, strong one, and keep the recovery key somewhere safe and separate from the machine.

Windows: BitLocker is the preferred option, but it is only included in the Pro, Enterprise and Education editions; if you are on Windows 10 Home you'll have to pay $99 to upgrade. BitLocker works seamlessly with Windows and is incredibly easy to set up (you can confirm it is on by running manage-bde -status from an administrator command prompt), but I totally understand the unwillingness to pay for something that should be free. If you don't want to upgrade, the next-best option is VeraCrypt. VeraCrypt offers excellent encryption, but setting up system encryption with it can be a bit daunting.

MacOS: The best FDE option for Mac is FileVault, hands-down. Setup is simple (System Preferences > Security & Privacy > FileVault) and it works extremely well; running fdesetup status in Terminal confirms it is on.

Android: Use the built-in encryption where your device offers it (under Settings > Security); many newer devices ship with it already enabled.

iOS: Native FDE, enabled automatically as soon as you set a passcode.
