Readers of the Your Ultimate Security Guide series and the Complete Privacy and Security Desk Reference know that I am whole-heartedly in favor of full disk encryption. Throughout this month, National Cyber Security Awareness Month, I have promised to bring you a daily blog post. A huge focus of those posts will be on disk encryption. I will cover specifics for the following operating systems: Mac (FileVault), Windows (Bitlocker and VeraCrypt), Linux (LUKS), Android, and iOS. Before we delve into specifics, I would like to first discuss what full disk encryption is and why it matters.
Full Disk Encryption Basics
Full disk encryption is the encryption of the entire hard drive. All of your files, all programs, and even the operating system itself are encrypted. The only thing that remains unencrypted is a very small portion of the hard drive that is required to begin the boot sequence.When you enter the password to boot the compuxter the decryption process begins. Files are decrypted “on-the-fly”, as you use them. When you shut down the computer, everything is once again protected.
In some systems like Mac’s FileVault or Windows’ BitLocker a more appropriate term is “full volume encryption”. This means that the entire system partition is encrypted, but some portions of the operating system are left unencrypted. This is why on Mac systems protected with FileVault the computer is still able to reach a user login screen prior to a password being entered. Though full disk encryption is generally preferred, full volume encryption is sufficient for the needs of all but the most at-risk users.
Many users assume that file-level encryption is sufficient as long as their sensitive files are encrypted. Unfortunately, this may be somewhat inaccurate. While using your computer, it stores various versions of files such as saved “recovery” versions, records of filenames that you have accessed, internet browsing history, and a great deal of other sensitive information without your permission or knowledge. If your hard drive is unencrypted, this information can be exploited and may reveal the names, sizes, and even the contents of your most sensitive encrypted files.
For example, if you edit a Microsoft Word document, it will automatically create an AutoSave version that can be recovered in the event your computer crashes or you accidentally close without saving. Unless you specifically change the location to which this file saves, it is written unencrypted to your hard drive in a nebulous location that is not always easy for the average user to locate. Full-disk encryption prevents this kind of leakage from being accessed and exploited.
Full Disk Encryption Benefits
The biggest reason I value full disk encryption (FDE) is that it is totally transparent to the user. Once it is enabled, it requires only additional action from the user: entering a password (with full volume encryption this is the user’s login password which is already required if it is enabled). There are no complicated programs or procedures to learn. The user just enters his or her password to boot the machine. After that, the computer behaves as it always has. Though some users (like me) like working with additional encryption options, most do not. The user-friendliness of FDE is probably the single biggest factor that will contribute to more widespread adoption.
Full-disk encryption (FDE) offers the ultimate security for the data on a computer’s hard drive. Full-disk encryption means that the entire hard drive, including all files, the operating system, applications and programs, and anything else on there is encrypted when the computer is turned off. The only portion of the hard drive that is left unencrypted is the boot loader, a very small portion that allows the computer to accept the entered password and begin the boot process upon startup.
Encryption of the entire hard drive is beneficial for several other reasons. Full-disk encryption is the most transparent form of encryption. After the user initially enters a password and the computer boots, it functions as it normally would. And if your computer is lost or stolen, no information can be recovered from it. When a thief or attacker turns the device on a password prompt will appear, and the computer will not boot up until the correct password is entered. If the hard drive is removed and plugged into another device as an external hard drive, or if the computer is booted with another operating system like a bootable DVD (two common techniques to get around operating system passwords), all of the data on the computer will still be encrypted and inaccessible to the attacker. Additionally researchers recently discovered an attack that can bypass Windows and Mac lock screens in a matter of mere seconds.
Full Disk Encryption Disadvantages
There is no free lunch. Users should recognize there are also downsides to everything, and FDE is no exception. There is a degradation in system performance when using any form of encryption because the computer must decrypt everything on-the-fly as it is used. I have found this reduction in processor power to be minimal, though your circumstances may vary depending on your processor speed, the encryption algorithm you use, and some other factors. Power users who depend on their devices for processor-heavy functions like video editing or graphic design may find this slow-down noticeable but the overwhelming majority of users will not.
You also have to realize that if you lose or forget your password, you are probably in trouble. Though some full disk encryption programs prompt you to create a recovery key, some do not. Without the password or recovery key you data is lost and gone forever. I contend that the benefits far outweigh the disadvantages, and you should enable FDE on all your devices. In the coming days I will show you how.
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.