The fundamentals of FDE: Full disk encryption in the enterprise

Expert Karen Scarfone examines full disk encryption, or FDE, tools and describes how the security technology protects data at rest on a laptop or desktop computer.

Full disk encryption (FDE) is a form of storage encryption that encrypts all the information at rest on the hard drive of a desktop or laptop computer. This includes not only end-user data, such as files and application settings, but also executables, including application and operating system (OS) executables, plus swap and hibernation files. Any organization of any size with sensitive data at rest to protect -- which nowadays is virtually all of them -- can benefit from using FDE technologies.

The biggest risk with data at rest is that a device containing sensitive information will be lost or stolen, thereby allowing a person with malicious intent to recover that data from that device. This could involve the exposure of financial information, customer records, medical records, and other sensitive data that could lead to major data breaches and costs in the thousands or millions of dollars. The use of FDE technologies mitigates this risk, as long as the device in question is not in a booted state when it's misplaced or taken.

Individuals wishing to use an FDE-protected device must first boot it up and then, in a pre-boot stage before the OS loads, present valid credentials (such as a password) for authentication. Because this happens before the OS and its network stack are available, the credential is normally checked locally against a key protector held on the device (a passphrase-derived key, a TPM, or a key on a USB token); in enterprise deployments, recovery keys are additionally escrowed centrally, for example in Active Directory, and some products can release the key over a trusted corporate network. Only after authentication succeeds is the disk encryption key released, the drive decrypted on the fly, and the boot process allowed to continue and grant access to the system's OS.

FDE is designed to protect data at rest: the information on the drive when the device is powered off or hibernated (hibernation writes memory to the encrypted disk and then powers off). It does not protect a device in sleep mode, where the decryption key remains in RAM and the disk is effectively unlocked, and it cannot secure data while that data is in use on a running, unlocked system. Other storage encryption solutions exist to keep selected data encrypted even while the system is running. These solutions include virtual disk encryption, which protects data stored within a virtual container; volume encryption, which protects data within a single logical volume; and file encryption, which protects individual data files.

Organizations that need to protect both data at rest and in use often employ FDE alongside one or more of these other storage-encryption types.

From software- to hardware-based FDE

Most FDE solutions are software-based and are built into many common OSes, such as BitLocker for Windows and FileVault for Mac OS X. There are also a variety of third-party add-on programs available from commercial and open source vendors. Altogether, these tools support just about every OS on the market.

However, as with any other software-based security product, an attacker or malicious user who gains administrative rights on the running system can suspend, reconfigure or remove FDE. That can cause a denial-of-service condition (for example, by deleting the key protectors so the volume can no longer be unlocked) or, by leaving the volume decrypted or its key stored in the clear, allow unauthorized access to sensitive information.

Some FDE solutions, meanwhile, are hardware-based and built into the hard drive's controller; such drives are commonly called self-encrypting drives (SEDs), and many follow the TCG Opal specification. This type of FDE delivers capabilities similar to those of software-based FDE; when a device tries to boot, the disk controller requires users to successfully authenticate themselves before it allows the boot process to continue.

Because the encryption engine is part of the drive itself, it cannot be removed by malware running in the OS. The caveat is that SEDs always encrypt, but the locking feature that demands authentication must be enabled and configured; a drive left unlocked provides no protection. By the same reasoning, FDE cannot be added into a hard drive as a hardware product after purchase.

Local and centralized FDE management options

There are two management possibilities with FDE technologies: local and centralized.

With local management, either the user or the administrator of the laptop or desktop is responsible for manually managing the FDE software (if any); the FDE configuration; and other elements of the FDE tool, such as authenticators.

With centralized management, a single administrator can simultaneously manage and monitor the FDE capabilities of many machines. For scalability reasons, centralized management is certainly preferable for most organizations. Admins must usually manage hardware-based FDE solutions locally, however, which is why the adoption of hardware-based FDE has been so limited.

FDE management is largely about cryptographic key management. The disk encryption key is a symmetric key that is never stored in the clear on the drive; it is wrapped by one or more key protectors (a passphrase-derived key, a TPM, an escrowed recovery key). Organizations must keep the recovery key in a secure location where it cannot be retrieved by a malicious user or malware, and access to any form of the key must be restricted to authorized users who have successfully authenticated themselves.

The security of that authenticator, such as a password, is paramount, and many organizations require the use of multifactor authentication (MFA) -- for example, a password and a code from a cryptographic token -- to protect it.
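To make the key hierarchy behind the unlock flow and the key management discussed in this section concrete, here is an added example written for this page (it is not code from any FDE product). A random disk encryption key (DEK) is generated once and never stored in the clear; each authenticator, the user's passphrase and an admin-held recovery key, wraps its own copy of the DEK in a "key slot", so a wrong password fails cleanly instead of yielding a garbage key, a forgotten password is handled by the escrowed recovery key, and changing the passphrase re-wraps the DEK without re-encrypting the disk. The PBKDF2 iteration count, the slot layout and the encrypt-then-MAC wrapping construction are assumptions for illustration, not the on-disk format of BitLocker, FileVault or LUKS.

```python
"""Toy model of an FDE key hierarchy: one disk encryption key (DEK) wrapped
by several independent key slots. Added example for illustration; the
wrapping scheme is a simple encrypt-then-MAC construction chosen for
readability, not any product's real header format."""
import hashlib
import hmac
import os
import secrets

DEK_LEN = 32            # 256-bit key that actually encrypts the sectors
PBKDF2_ITERS = 100_000  # assumption: real products tune this per device


class WrongCredential(Exception):
    """Raised when a credential does not open a key slot."""


def _slot_keys(secret: bytes, salt: bytes) -> tuple:
    """Derive a 32-byte pad and a 32-byte MAC key from one slot secret.
    Every slot gets a fresh random salt, so a pad is never reused."""
    km = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERS, dklen=64)
    return km[:32], km[32:]


def wrap_dek(dek: bytes, secret: bytes) -> dict:
    """Create a key slot: DEK XOR pad, authenticated with HMAC-SHA256."""
    salt = os.urandom(16)
    pad, mac_key = _slot_keys(secret, salt)
    blob = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac_key, salt + blob, hashlib.sha256).digest()
    return {"salt": salt, "blob": blob, "tag": tag}


def unwrap_dek(slot: dict, secret: bytes) -> bytes:
    """Recover the DEK from a slot. A wrong secret fails the MAC check
    rather than returning a wrong key that would decrypt the disk to noise."""
    pad, mac_key = _slot_keys(secret, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        raise WrongCredential("authentication failed; DEK stays sealed")
    return bytes(a ^ b for a, b in zip(slot["blob"], pad))


def new_volume(passphrase: str) -> tuple:
    """Initialise a volume: random DEK, a user slot and a recovery slot.
    The returned recovery key is what an administrator escrows centrally."""
    dek = os.urandom(DEK_LEN)
    recovery_key = "-".join(f"{secrets.randbelow(1_000_000):06d}" for _ in range(8))
    header = {
        "user": wrap_dek(dek, passphrase.encode()),
        "recovery": wrap_dek(dek, recovery_key.encode()),
    }
    return header, recovery_key


def unlock(header: dict, credential: str) -> bytes:
    """Pre-boot unlock: try each slot with the supplied credential."""
    for slot in header.values():
        try:
            return unwrap_dek(slot, credential.encode())
        except WrongCredential:
            continue
    raise WrongCredential("no key slot accepted the credential")


def change_passphrase(header: dict, old: str, new: str) -> None:
    """Rotate the user passphrase by re-wrapping the DEK only. The disk
    contents never need re-encrypting because the DEK itself is unchanged."""
    dek = unwrap_dek(header["user"], old.encode())
    header["user"] = wrap_dek(dek, new.encode())


if __name__ == "__main__":
    hdr, rk = new_volume("correct horse battery staple")
    dek = unlock(hdr, "correct horse battery staple")
    print("recovery key opens the same DEK:", unlock(hdr, rk) == dek)
    change_passphrase(hdr, "correct horse battery staple", "new passphrase")
    print("new passphrase works:", unlock(hdr, "new passphrase") == dek)
    try:
        unlock(hdr, "correct horse battery staple")
    except WrongCredential as exc:
        print("old passphrase rejected:", exc)
```

The point of the design is that the authenticators and the DEK are decoupled: a helpdesk reset touches only the user slot, the recovery slot is the object the central management system must guard, and removing both slots (the denial-of-service case above) leaves the data unrecoverable even though it is still on the drive.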

The cost of deploying FDE technology

Software-based FDE solutions are generally free to use if they're built into an OS, while third-party FDE solutions typically involve a per-device charge.

Where the greatest costs come in are the management and maintenance of the FDE -- that is, ensuring that software updates are applied, managing authenticators, monitoring configuration settings, troubleshooting problems, and -- most importantly -- unlocking access to encrypted laptops and desktops when users have forgotten their passwords. In this last scenario, the device cannot be used until an authorized administrator retrieves the escrowed recovery key and resets the user's authenticator.

Enabling FDE on an existing device can also incur costs because of the potential downtime while the laptop or desktop's hard drive is encrypted. Fortunately, most FDE products allow this encryption to be performed in the background.
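Centralized monitoring of the configuration settings mentioned above, including whether a volume is still encrypting in the background and whether its protection has been suspended, is something an administrator can automate from the status each endpoint reports. The following added example (written for this page, not taken from the article or from Microsoft) parses status text in the layout of BitLocker's `manage-bde -status` command and flags the states that matter: a volume whose encryption is still in progress, a fully encrypted volume whose protectors are suspended so the key sits on disk in the clear, a volume with no recovery password protector to escrow, and an OS volume without a TPM-based protector. The sample text is constructed, and the field names and the thresholds are assumptions about that layout.

```python
"""Compliance check over BitLocker-style status text. Added example; the
sample below is CONSTRUCTED in the layout of `manage-bde -status` output
and the field names are assumed to match that layout."""
import re
from dataclasses import dataclass, field

# Constructed sample: a suspended OS volume and a data volume still encrypting.
SAMPLE_STATUS = """\
Volume C: [Windows]
[OS Volume]

    Size:                 237.89 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 43.2%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        Password
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]): \[(.*)\]$")
KIND_RE = re.compile(r"^\[(.*)\]$")


@dataclass
class Volume:
    letter: str
    kind: str = ""
    fields: dict = field(default_factory=dict)
    protectors: list = field(default_factory=list)


def parse_status(text: str) -> list:
    """Split status text into Volume records (fields plus key protectors)."""
    volumes, cur, in_protectors = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = VOLUME_RE.match(line)
        if m:
            cur = Volume(letter=m.group(1))
            volumes.append(cur)
            in_protectors = False
            continue
        if cur is None or not line.strip():
            continue
        m = KIND_RE.match(line)
        if m and not cur.kind:
            cur.kind = m.group(1)
            continue
        stripped = line.strip()
        if in_protectors and line.startswith(" " * 8):
            cur.protectors.append(stripped)   # protector names are indented deeper
            continue
        in_protectors = stripped == "Key Protectors:"
        if in_protectors:
            continue
        key, _, value = stripped.partition(":")
        cur.fields[key.strip()] = value.strip()
    return volumes


def audit(vol: Volume) -> list:
    """Return human-readable findings for one volume; an empty list means compliant."""
    findings = []
    conv = vol.fields.get("Conversion Status", "")
    prot = vol.fields.get("Protection Status", "")
    pct = vol.fields.get("Percentage Encrypted", "?")
    if conv == "Fully Decrypted":
        findings.append("volume is not encrypted")
    elif conv != "Fully Encrypted":
        findings.append(f"{conv.lower()} ({pct} done)")
    elif prot == "Protection Off":
        # Fully encrypted but protectors suspended: the key is stored in the clear.
        findings.append("protection suspended: key stored in the clear, encryption gives no protection")
    if "Numerical Password" not in vol.protectors:
        findings.append("no recovery password protector to escrow centrally")
    if vol.kind == "OS Volume" and not any(p.startswith("TPM") for p in vol.protectors):
        findings.append("OS volume has no TPM-based protector")
    return findings


def report(text: str) -> dict:
    """Map each volume letter to its findings."""
    return {v.letter: audit(v) for v in parse_status(text)}


if __name__ == "__main__":
    for letter, findings in report(SAMPLE_STATUS).items():
        print(f"{letter}: " + ("; ".join(findings) or "compliant"))
```

In a real deployment the status text would be collected from each endpoint and shipped to the management console rather than embedded in the script; the checks themselves are the part worth keeping, because a volume that reports "Fully Encrypted" while protection is off is exactly the disabled-FDE condition described earlier, and it looks healthy to anyone who only checks the conversion status.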

In the early days of FDE, there were concerns that using these technologies would cause significant slowdowns for users, particularly in terms of the length of time needed to boot a device. In practice, with modern CPUs and drive controllers accelerating AES in hardware, these delays are minimal and the disruption to users for standard FDE usage is negligible.

Conclusion

By requiring strong authentication before a device will boot, FDE prevents data breaches arising from the loss or theft of a powered-off or hibernated device. Although some FDE solutions carry per-device licensing costs while others are built into operating systems, the greatest cost of using FDE is its maintenance and management. And, for a deployment to scale, an FDE rollout must be centrally managed to lock down configurations and protect encryption and recovery keys from unauthorized access.

FDE is a valuable technology for nearly any organization because it safeguards data on desktop and laptop computers at rest. But it alone is not sufficient to protect all data against the full range of today's threats.
