Introduction to full disk encryption
Encryption is the process of converting plaintext to encrypted text. Encrypted text hides the original data from unauthorized users since encrypted text cannot be read by anyone. Using modern encryption algorithms, it is not easy or feasible to decrypt encrypted data, thus a breach of encrypted data is not considered reportable by many regulatory authorities.
Disk encryption
The encryption process makes use of symmetric and asymmetric encryption for encryption and decryption of data. If the encryption process uses the same key to encrypt and decrypt the data, it’s called symmetric encryption and if the keys are different then it's called asymmetric encryption.
In disk encryption, the whole data is encrypted and decrypted using the same key, thus it makes use of symmetric encryption. In full-disk encryption, each and every file stored on the operating system is encrypted using the encryption key. Hence, someone having access to the computer/laptop cannot read the data stored on the disk, thus the organization does not have to worry about data breaches due to lost or stolen devices.
Learn Applied Cryptography
Disk encryption types
Full disk encryption and file-level encryption are the two types of encryption available for encrypting data:
- Full disk encryption (FDE) - As the name says, FDE protects the entire volume and encrypts each and every file present on the system.
- File-level encryption (FLE) - FLE is file system level based encryption, it encrypts the data in individual files and directories.
Case study
The following organizations did not have disk encryption enabled and suffered data a breach due to a lost or stolen device:
- Lifespan: In Feb 2017, an employee’s MacBook was stolen, as a result, the PII of around 20,000 patients got leaked. Patient’s names, medical record numbers and ethnicities got compromised.
- Premier Healthcare: PII of 20,000 patients got leaked when an employee’s laptop was stolen in 2016.
- Heartland Payment Systems: In 2015, Heartland suffered an office break-in and one of their systems had social security numbers and banking information stored on it.
- Cancer Care Group: A stolen laptop leaked PII of 55,000 former and current patients due to which Cancer Care Group was asked to pay $750,000 in HIPAA fines.
- Lahey Hospital: In 2011, a laptop housing the PII of around 600 patients was stolen from an unlocked room due to which the hospital had to pay $850,000 in HIPAA fines.
Full disk encryption software
The following software can be used for encrypting and protecting the data present on the system:
- Apple FileVault
- Microsoft Bitlocker
- Veracrypt
- Check Point Sandblast Agent
- ESET Endpoint Encryption Pro
- McAfee Complete Data Protection
- Micro Focus ZENworks Full Disk Encryption
- R&S Trusted Disk
- Sophos SafeGuard Encryption
- Symantec Endpoint Encryption
- TrendMicro Endpoint Encryption
Full disk encryption on Windows and MacOS
The most important benefit of full-disk encryption is that none can access the data and files stored on the machine if they don’t have the secret key. Also, the primary pitfall of full-disk encryption is that none can access the data and files stored on the machine if no one has access to the password. Thus, even if the authorized person forgets the password, he/she may not be able to access the encrypted files and data on the system.
Windows users have the option of using Bitlocker and Mac users have the option of using Apple’s FileVault for storing and encrypting the data on the system. Both the softwares are inbuilt and present by default.
Both Apple’s FileVault and Microsoft Bitlocker offer options for recovering lost passwords to the end user. On Bitlocker, recovery information can be stored on the Active Directory server and FileVault backs up encryption keys to Apple iCloud. Also, a local copy of the recovery key can also be created if a traditional method is not available.
Best practices for drive encryption
Following are the best practices for drive encryption on any system:
- Backup your files - Backing up files ensures that the files and the data present on the system can be recovered if something happens to the hard drive.
- Use a strong passcode - Strong password that includes both letters and numbers should be made use of encrypting the data.
- Keep your recovery key in a safe place - A recovery key is the only way put to access the encrypted data on the system. Thus, it’s paramount to store the recovery key in a safe place. A password manager can be made use of for storing recovery keys.
Learn Applied Cryptography
Sources
- Hard Drive and Full Disk Encryption: What, Why, and How?, Miradore
- Top Full Disk Encryption Software Products, eSecurity Planet
- Full disk encryption: do we need it?, CSO Online
- ESET identity and data protection, ESET