Full disk encryption (FDE) or whole disk encryption is a means of protecting information by encrypting all of the data on a disk, including temporary files, programs, and system files. Certain full disk encryption systems leave the boot sector of the disk unencrypted; others encrypt that as well. Following FDE initialization, all information is automatically encrypted when written to the disk and decrypted when read, if the user has authorization.
Unlike creating encrypted partitions or folders, using full disk encryption lets users protect confidential information that they might forget or not know about, such as system and temporary files. At the same time, even if an attacker removes the disk and installs it in their own device, they will not be able to access the data without the password or encryption keys.
Full disk encryption is particularly useful on portable devices, which have greater risk of theft or loss than stationary devices do.
Full disk encryption tools
Both hardware- and software-based tools exist for full disk encryption.
Hardware-based full disk encryption
Hardware-based systems tend to be more powerful than software-based systems. Options for hardware-based FDE include:
- Self-encrypting drives (SEDs), hard drives with a built-in cryptoprocessor. SEDs automatically encrypt all data as it is written to the disk. Hard drive suppliers such as Samsung, Seagate, and Toshiba manufacture SEDs;
- Hard drives whose enclosures include chips with built-in cryptoprocessors. The chip automatically encrypts all data written to the drive while the drive is inside the enclosure;
- Chipsets located between processors and hard drives.
Software-based full disk encryption
FDE software enables users to configure full disk encryption using existing hardware. It is compatible with most operating systems and storage devices on the market.
Encryption software can ship with an operating system, as is the case with Microsoft BitLocker or Apple FileVault 2, or it can exist as a standalone utility such as VeraCrypt or as a component of security software. For example, Kaspersky Endpoint Security for Windows includes a full disk encryption tool.
Full disk encryption protection
If an attacker gains physical access to the device it’s protecting, such as in the event of theft, FDE will keep that data safe. Disk encryption cannot solve all security problems, however. In particular, FDE does not protect sent data, or data on a device on which an authorized user is already signed in. Full disk encryption also won’t protect against malicious software acting for a signed-in user or prevent the installation of questionable programs from the Internet. For this reason, FDE should be used in conjunction with other security tools such as antivirus software and a firewall.