What is Full-Disk Encryption (FDE)?


If you think someone without your desktop login won’t be able to access your computer’s files, think again. Anyone with mediocre IT skills can take your your hard disk, plug it as a secondary drive to another computer, and extract your files.

So how can you protect your files from hackers?

One option would be to encrypt your sensitive files manually or avoid storing them on your computer altogether and lock them away in a safe cloud. An alternative is to use Full-Disk Encryption (FDE), a technique that scrambles everything stored on your computer and makes it only accessible to the person with the decryption key.

With Full-Disk Encryption, even if someone places your hard disk on another computer, they won’t be able to access the file. If implemented well, FDE can give hackers and three-letter agencies headaches accessing your files. In fact, Full-Disk Encryption was at the heart of the debate between Apple and FBI over access to the data stored in an iPhone belonging to one of the San Bernardino shooters.

FDE has the advantage of requiring no effort from the user. As files are added to or modified on your hard disk, they are automatically encrypted. When data is read from disk to memory, it is automatically decrypted. This is much easier than the user effort required to encrypt individual files.

But the added encryption and decryption steps do have the drawback of slowing things down a bit. However, given the immense security benefit, it’s a fair compromise, especially if you’re handling sensitive files.

How does Full-Disk Encryption work?

Some computing devices come shipped with FDE capabilities. Others rely on software. The latest versions of all operating systems have FDE support built-in.

In Microsoft Windows, it’s called BitLocker. MacOS calls it FileVault. iPhones running iOS version 8 and newer have full-disk encryption turned on by default. Newer versions of Android also feature FDE, but it’s not as robust as iOS’s.

Full-Disk Encryption also applies to removable media such as thumb drives. Some drives have hardware FDE built-in. Others can be locked with software such as BitLocker to Go.

FDE’s encryption key is usually generated with an authentication token provided by the user. For instance, in iOS, the PIN or Touch ID used to unlock the phone is part of the process generating the key (the rest is complicated). BitLocker requires a password or USB drive.

Every time the device is fired up, the user will be prompted for the authentication. The key is generated with the provided token and if it’s a match, it’ll be able to decrypt and read the files on the disk. This means that only someone with the authentication token will be able to unlock the drive.

What it also means is that if you forget your password, or lose your physical key (or your finger gets cut off, perchance), you won’t be able to access your files anymore, right?

Well, not exactly. Some FDE platforms provide recovery methods such as recovery key files, or cloud backups, but do take care that scattering extra information and recovery data here and there will provide potential hackers with methods to undo the encryption.

This is the endemic challenge of security, The tradeoff between convenience and better privacy. Therefore, choose wisely when selecting your recovery methods. Don’t create too much redundancy while at the same time avoid blocking your own way back.

What are the caveats?

Does Full-Disk Encryption provide absolute protection of your files? No it doesn’t. There’s no such thing as absolute security.

In fact, FDE only protects your files against someone who gains physical access to your device or computer while it’s turned off or locked out. Under the following circumstances, FDE won’t protect you:

  • If an authorized user has logged in to the computer, anyone with physical access to the computer will have access to the files, except for files that have been manually encrypted.
  • Likewise, if you’re sharing your computer with other people, Full-Disk Encryption won’t protect your sensitive data from other users who have legit access to the device. You should manually encrypt those as well.
  • Full-Disk Encryption won’t protect you against malware. If a hacker manages to install an exploit kit or a trojan on your device, since they’ll be accessing your drive through the operating system, they’ll be able to access your files, except—of course—those that have been encrypted manually.
  • Not all encryption algorithms are unbreakable. For instance, a weakness in Android phones made the FDE feature vulnerable to brute force attacks.
  • Evil maid attacks can also circumvent Full-Disk Encryption. In such scenario, an attacker gains physical access to your computer and installs a hacked bootloader on the encrypted drive by booting the computer with another drive. The next time you boot your computer, the malicious bootloader steals your passcode and sends it over the internet or stores it away for the hacker to retrieve at a later time.

With all these methods of circumvention, is it worth it to turn on Full-Disk Encryption? Of course it is, if you value your files, every single measure that makes them safer is worth exploring, and in this regard, Full-Disk Encryption is one of most effective tools.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.