Full Disk Encryption - What, Why, How?
Full Disk Encryption (FDE) pertains to the encoding of plain-text (human-readable) data into cipher-text (unreadable code) for an entire drive or disc that holds valuable and/or private data. FDE brings many security benefits, especially when used as part of a defence-in-depth security program. FDE as a strategy has been around for decades and there are plenty of great tools available to leverage it, such as VeraCrypt, or BitLocker, which is baked into certain editions of the Windows operating system. Surprisingly, far too many people don't use FDE on their personal devices or as part of their organization's IT security program, especially considering it can provide such a strong layer of protection. By the end of this article you should understand the benefits of FDE, how it works, and how it relates to the NIST Cybersecurity Framework.
How It Works
Implementation may call for a professional, but FDE itself is fairly simple. During setup, software such as Microsoft's BitLocker works through the disk block by block, encoding all the data into cipher-text, with the exception of the boot partition or MBR, which is responsible for loading the operating system during the start-up sequence. A security key is created in the process that allows the system to be decrypted. Most FDE software uses what is known as "transparent encryption" or "real-time encryption", which decrypts files as they are needed and encrypts them again once they are saved, provided the security key has been presented. This protects data from unauthorized users at the physical layer (Layer 1 of the OSI model) while the data is at rest, even if the physical disks are removed. As long as an attacker doesn't have the security key, any data stolen should still be safe.
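The sector-by-sector, transparent encrypt-on-save/decrypt-on-read behaviour described above, as an added Go simulation (not code from this article, BitLocker or VeraCrypt). The 16-byte sector size, the sample key and the CTR-with-sector-number construction are constructed simplifications; real products use XTS mode and a slow KDF or TPM to protect the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

const sectorSize = 16 // constructed toy value; real disks use 512 or 4096 bytes

// Volume models a drive whose sectors exist on disk only as ciphertext.
type Volume struct {
	raw []byte       // what an attacker sees if the physical disk is removed
	blk cipher.Block // AES keyed with the data-encryption key, never stored in raw
}

// NewVolume is the one-time setup pass: the plaintext image is encrypted sector by sector.
func NewVolume(plain, key []byte) (*Volume, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	v := &Volume{raw: make([]byte, len(plain)), blk: blk}
	for n := 0; n < len(plain)/sectorSize; n++ {
		v.WriteSector(n, plain[n*sectorSize:(n+1)*sectorSize])
	}
	return v, nil
}

// sectorStream ties the keystream to the sector number so equal plaintext in two sectors
// encrypts differently. It stands in for the XTS tweak; CTR reuses keystream on rewrite.
func (v *Volume) sectorStream(n int) cipher.Stream {
	iv := make([]byte, v.blk.BlockSize())
	binary.BigEndian.PutUint64(iv[:8], uint64(n)) // low 64 bits stay free for the block counter
	return cipher.NewCTR(v.blk, iv)
}

// WriteSector is the "encrypt on save" half of transparent encryption.
func (v *Volume) WriteSector(n int, data []byte) {
	v.sectorStream(n).XORKeyStream(v.raw[n*sectorSize:(n+1)*sectorSize], data)
}

// ReadSector is the "decrypt on demand" half: only a holder of the key sees plaintext.
func (v *Volume) ReadSector(n int) []byte {
	out := make([]byte, sectorSize)
	v.sectorStream(n).XORKeyStream(out, v.raw[n*sectorSize:(n+1)*sectorSize])
	return out
}
// RawImage returns the on-disk bytes: what a stolen drive yields without the key.
func (v *Volume) RawImage() []byte { return v.raw }
```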
Under the NIST Cybersecurity Framework, full disk encryption belongs to the "Protect" category (subcategory PR.DS-1), as the solution directly relates to protecting the confidentiality of information.
Benefits
Employing FDE is typically a "set-it-and-forget-it" affair. Once set up, the software keeps all data protected with little intervention.
Most FDE software also allows the encryption protocol to be configured to match the risk management requirements and data security standards of your organization. (Key management and cipher selection are important considerations when implementing FDE.)
There really is no compromise in implementing FDE: modern computing systems handle the cryptography with no noticeable impact on system performance.
To prove this, on a workstation in our office I attempted moving a 2 GB file from an encrypted drive to an unencrypted drive to invoke a decryption action, and observed absolutely zero change in the resource usage of the BitLocker Drive Encryption service. Have a look below.
As you can see, the service barely consumes resources at all, and remains consistent under load.
Conclusion
We believe Full Disk Encryption is an absolute must on any system where it is feasible, and it is required by most risk management policies. We can help deploy FDE for your business as part of our ZCS Layered Security Solution. Contact us to learn more today.