Full Disk Encryption
Full-Disk Encryption, FDE, is a technique that scrambles everything stored on your computer and only makes it accessible to the person with the correct decryption key.
If someone places your hard disk into another computer, they won’t be able to access the file if you have FDE installed. If implemented correctly, FDE will make it impossible for hackers to access your files. Full-Disk Encryption was the reason why FBI could not access the data stored in an iPhone which sparked a debate with Apple and others.
FDE has the advantage of not requiring any effort from the user. As files are added or modified on your hard disk, they are automatically encrypted. When data is read from disk to memory, it is automatically decrypted. This is easier than the user effort required to encrypt individual files (i.e. file encryption).
How does Full-Disk Encryption work?
Some computing devices come shipped with FDE capabilities. Others rely on software to be installed.
In Microsoft Windows, it’s called BitLocker. Mac OS calls it FileVault. iPhones running iOS version 8 and newer have full-disk encryption turned on by default. Newer versions of Android also feature FDE.
Full-Disk Encryption also applies to removable media such as thumb drives (USBs). Some drives have hardware FDE built-in. Others can be locked as an add-on to the software that encrypts the disk.
FDE’s encryption key is usually generated every time the device is booted, and the user will be prompted for the authentication. The key is generated and if it’s a match, it will be able to decrypt and read the files on the disk. This means that only someone with the correct password will be able to unlock the drive.
What if you forget your password?
Most FDE platforms and cloud services provide recovery methods, but if you are installing FDE yourself you need to be careful in the process and store the key safely – but not so safely that you can’t find it again…
This is the endemic challenge of security; the trade-off between convenience and better privacy. Therefore, choose wisely when selecting your recovery methods and supplier.
What are the limitations?
FDE only protects your files against someone who gains physical access to your device or computer while it’s turned off or locked out. Under the following circumstances, FDE won’t protect you:
- If you’re sharing your computer with other people, Full-Disk Encryption won’t protect your sensitive data from other users who also have access to the device. You should manually encrypt sensitive files with file encryption.
- FDE only protects locally stored data. Data that you send from your computer will not be encrypted once it has left you.
- Full-Disk Encryption won’t protect you against malware. You will still have to have protection against Trojans, phishing and viruses.
- Not all encryption algorithms are unbreakable. Certified Encryption solutions are tested and deemed to be safe.
Is it worth using Full-Disk Encryption?
Of course it is, if you need to be compliant with certain regulations. Full-Disk Encryption is one of most effective tools you can use to protect you and your data.
How strong encryption do I need?
It is recommended that you use a minimum of 128-bit encryption, but a 256-bit encryption is much safer.
File & Folder Encryption
As the name implies, File encryption is used to encrypt specific files only. Unlike disk encryption, described above, file encryption lets you make a decision as for what you’re going to encrypt.
There are also ways to use “policies” to automate the process. For example, you can set Excel files to be encrypted automatically, but not pictures).
Unlike disk encryption, you are able to pass around the files (via e-mail or if you store them on a file share), and they will still be encrypted to ensure the integrity. File encryption is also known as content encryption.
One analogy is to think of file encryption as translating a document into a language that only you know. So, if you leave the translated document on a table and someone picks it up, that person can’t make heads or tails out of it.
Is the same concept as disk encryption, in that everything that’s saved to a particular folder is encrypted. Take the file out of the folder, and it’s not encrypted anymore.
Both file and folder encryption are seen as less secure than Full Disk Encryption as you still risk allowing a perpetrator into your computer, from where they can run hacking tools and password generators etc.