
The fundamentals of FDE: Full disk encryption in the enterprise

Expert Karen Scarfone examines full disk encryption, or FDE, tools and describes how the security technology protects data at rest on a laptop or desktop computer.

Full disk encryption (FDE) is a form of storage encryption technology designed to encrypt all of the information at rest on the hard drive of a desktop or laptop computer. This includes not only end-user data, such as files and application settings, but also executables, including application and operating system (OS) executables. Any organization of any size with sensitive data at rest to protect -- which nowadays is virtually all of them -- can benefit from using FDE technologies.

The biggest risk with data at rest is that a device containing sensitive information will be lost or stolen, thereby allowing a person with malicious intent to recover that data from that device. This could involve the exposure of financial information, customer records, medical records, and other sensitive data that could lead to major data breaches and costs in the thousands or millions of dollars. The use of FDE technologies mitigates this risk, as long as the device in question is not in a booted state when it's misplaced or taken.

Individuals wishing to use an FDE-protected device must first boot it up and then -- during the OS boot process -- present valid credentials (such as a password) for authentication. (Credentials may be stored remotely, such as part of an Active Directory implementation, or locally.) Only after authentication succeeds will the encrypted data on the device's hard drive be decrypted and the boot process allowed to continue and grant access to the system's OS.

Also, FDE is designed to protect data at rest, such as the information stored on a device when it is in an "off" state or when a laptop is in a sleep mode or hibernation. FDE cannot secure data while that data is in use. Other storage encryption solutions exist to provide such protections. These solutions include virtual disk encryption, which protects data stored within a virtual container; volume encryption, which protects data within a single logical volume; and file encryption, which protects individual data files.

Organizations that need to protect both data at rest and in use often employ FDE alongside one or more of these other storage-encryption types.

From software- to hardware-based FDE

Most FDE solutions are software-based and are built into many common OSes, such as BitLocker for Windows and FileVault for Mac OS X. There are also a variety of third-party add-on programs available from commercial and open source vendors. Altogether, these tools support just about every OS on the market.

However, as with any other software-based security product, malicious users or attackers can potentially disable FDE, causing a denial-of-service condition or allowing unauthorized access to sensitive information.

Some FDE solutions, meanwhile, are hardware-based and built into hard drive disk controllers. This type of FDE delivers capabilities similar to those of software-based FDE; when a device tries to boot, the disk controller requires users to successfully authenticate themselves before it allows the boot process to continue.

However, because the FDE features are built into the hard drive, they cannot be disabled or removed. By the same reasoning, hardware-based FDE cannot be added to an existing hard drive after purchase.

Local and centralized FDE management options

There are two management possibilities with FDE technologies: local and centralized.

With local management, either the user or the administrator of the laptop or desktop is responsible for manually managing the FDE software (if any); the FDE configuration; and other elements of the FDE tool, such as authenticators.

With centralized management, a single administrator can simultaneously manage and monitor the FDE capabilities of many machines. For scalability reasons, centralized management is certainly preferable for most organizations. Admins must usually manage hardware-based FDE solutions locally, however, which is why the adoption of hardware-based FDE has been so limited.

FDE management is largely about cryptographic-key management. Organizations must store the private or secret key in a secure location where it cannot be retrieved by a malicious user or malware, and access to that key must be restricted to only authorized users who have successfully authenticated themselves.

The security of that authenticator, such as a password, is paramount, and many organizations require the use of multifactor authentication (MFA) -- for example, a password and a code from a cryptographic token -- to protect it.

The cost of deploying FDE technology

Software-based FDE solutions are generally free to use if they're built into an OS, while third-party FDE solutions typically involve a per-device charge.

Where the greatest costs come in are the management and maintenance of the FDE -- that is, ensuring that software updates are applied, managing authenticators, monitoring configuration settings, troubleshooting problems, and -- most importantly -- unlocking access to encrypted laptops and desktops when users have forgotten their passwords. In this last scenario, the device cannot be used until the cryptographic key has been recovered by an authorized administrator.
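As an added example (not code from the article or from any FDE product), the following shows how the pieces described above fit together in a software FDE tool: one disk encryption key (DEK) is generated once, and each authenticator (the user's password, the administrator's escrowed recovery key) only unlocks a wrapped copy of it, so an authentication failure yields nothing and an admin recovery does not require re-encrypting the drive. The XOR-keystream-plus-HMAC wrap is a stand-in for a real key-wrap cipher such as AES key wrap; the KEK/DEK structure is the point.

```python
# Added example: DEK protected by several wrapped copies (key slots),
# each unlocked by its own authenticator. Assumption: the wrap() below
# is a simplified stand-in for a real key-wrap cipher (e.g. AES key wrap).
import hashlib
import hmac
import os
import secrets

def derive_kek(authenticator, salt):
    # Password-based KDF: slows offline guessing against a stolen drive.
    return hashlib.pbkdf2_hmac("sha256", authenticator.encode(), salt, 200_000)

def wrap(kek, dek):
    nonce = os.urandom(16)
    stream = hashlib.sha256(kek + nonce).digest()          # 32-byte keystream
    blob = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, nonce + blob, "sha256").digest()   # integrity check
    return {"nonce": nonce, "blob": blob, "tag": tag}

def unwrap(kek, slot):
    expected = hmac.new(kek, slot["nonce"] + slot["blob"], "sha256").digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None                 # wrong authenticator: refuse, do not boot
    stream = hashlib.sha256(kek + slot["nonce"]).digest()
    return bytes(a ^ b for a, b in zip(slot["blob"], stream))

class EncryptedVolume:
    def __init__(self):
        self.dek = os.urandom(32)   # 256-bit DEK, generated once, never changes
        self.slots = {}             # one wrapped copy of the DEK per authenticator

    def add_protector(self, name, authenticator):
        salt = os.urandom(16)
        kek = derive_kek(authenticator, salt)
        self.slots[name] = {"salt": salt, **wrap(kek, self.dek)}

    def unlock(self, name, authenticator):
        slot = self.slots.get(name)
        if slot is None:
            return None
        return unwrap(derive_kek(authenticator, slot["salt"]), slot)

def demo():
    vol = EncryptedVolume()
    recovery = secrets.token_hex(24)    # escrowed by the central admin console
    vol.add_protector("user", "correct horse battery staple")
    vol.add_protector("recovery", recovery)
    return {
        "user_ok": vol.unlock("user", "correct horse battery staple") == vol.dek,
        "wrong_pw": vol.unlock("user", "P@$$WoRd1234"),
        "recovery_ok": vol.unlock("recovery", recovery) == vol.dek,
    }
```

A forgotten password is handled by unlocking through the recovery slot and then adding a fresh user slot; the DEK, and therefore the encrypted disk contents, are untouched.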

Enabling FDE on an existing device can also incur costs because of the potential downtime while the laptop or desktop's hard drive is encrypted. Fortunately, most FDE products allow this encryption to be performed in the background.

In the early days of FDE, there were concerns that using these technologies would cause significant slowdowns for users, particularly in terms of the length of time needed to boot a device. However, in practice, these delays are generally minimal and, accordingly, the disruption to users for standard FDE usage is negligible.


By requiring strong authentication before booting a device, FDE thwarts data breaches involving the loss or theft of that device. Although there are per-device licensing costs with some FDE solutions, while others are built into operating systems, the greatest cost of using FDE is its maintenance and management. And, for a deployment to scale, an FDE rollout must be centrally managed to lock down configurations and protect encryption keys from unauthorized access.

FDE is a valuable technology for nearly any organization because it safeguards data on desktop and laptop computers at rest. But it alone is not sufficient to protect all data against the full range of today's threats.


This was last published in November 2014


Assuming that classified data is protected by an encryption key of 256-bit entropy and the program to manage the system is protected by a manager's password such as P@$$WoRd1234, the chances may well be that the system will have been taken over by the criminals who broke the password rather than those who tried to attack the 256-bit encryption key. It could be emphasized that sufficiently strong passwords are the key for the safe deployment of cryptography.
Using a strong password does help a lot even against the attack of cracking the leaked/stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords.  We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.

At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Several misconceptions in the article:

"Admins must usually manage hardware-based FDE solutions locally, however, which is why the adoption of hardware-based FDE has been so limited." FALSE! Self-Encrypting Drives (SED) as standardized by the Trusted Computing Group are available from all the major drive manufacturers (both HDD and SSD) and have had CENTRALIZED management available from the beginning (e.g., Wave, Credant, Absolute, WinMagic, etc.).

"FDE management is largely about cryptographic-key management." NO. The encryption key for SEDs is generated in the factory by an on-board random process and never externalized; you only manage the authenticator.

"third-party FDE solutions typically involve a per-device charge." NO. Most SED vendors are going to a no-surcharge model. For example, Samsung's 840 EVO SSD has ALL models SED; no upcharge.

"FDE rollout must be centrally managed to lock down configurations and protect encryption keys from unauthorized access." Again, SEDs require NO management of the ENCRYPTION key, only the authenticator.