This is part of a series on the top full disk encryption products and tools in the market.
Full disk encryption (FDE) is a storage encryption technology that secures a desktop or laptop computer by encrypting all the data at rest on its hard drive. This includes end-user files and application settings, as well as application and operating system (OS) executables.
The principal concern with data at rest is that a device containing sensitive information could be lost or stolen, allowing a person with malicious intent to recover that data. Any organization of any size with sensitive data at rest to protect (e.g., financial information, customer records, medical records and other sensitive data that could lead to major breaches and cost thousands or millions of dollars) can benefit from using full disk encryption software.
FDE mitigates this risk only while the device is not in a booted state. Because FDE does not protect data in use, it is often deployed alongside other storage-encryption types, such as virtual disk encryption, volume encryption and file encryption.
Organizations in the process of making the decision to deploy FDE technology should bone up on the criteria for evaluating full disk encryption products. That way, when it comes time to select the right FDE product, the company will be well-versed on what FDE product features (deployment methods, management capabilities, OS and application compatibility, integration with existing authentication services, cryptographic robustness and key recovery, brute-force password attack mitigation, among others) best match its environment and storage encryption needs.
As with so many other IT security technologies, it can be difficult to choose the right product from so many competing products. Here is a list of the top full disk encryption products in the market to help enterprises get started.
Check Point Full Disk Encryption
Check Point Full Disk Encryption is an FDE product for enterprises running Windows. It comes in a single version and is part of a modular, software-based security product that can encompass a wide variety of security controls. Check Point Full Disk Encryption supports the recommended Advanced Encryption Standard (AES) algorithm with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2-certified (meaning it was independently verified to meet certain cryptographic standards). It can be centrally managed through the Check Point Endpoint Policy Management Software Blade and supports self-service recovery by end users. To learn more about Check Point Full Disk Encryption, read the full overview.
Dell Data Protection Encryption
The Dell Data Protection | Encryption product provides FDE capabilities for various desktop and laptop Windows and Mac OS hard drives. Intended for Dell and non-Dell hardware, Dell Data Protection | Encryption comes in various flavors -- from a Personal to an Enterprise edition -- all of which support AES 128-bit and (the preferred) AES 256-bit encryption algorithms. While all the commercial products in this article support multifactor authentication -- including smart cards and cryptographic tokens -- Dell Data Protection | Encryption is noteworthy in that it also specifically supports biometrics. To learn more about Dell Data Protection Encryption, read the full overview.
McAfee Complete Data Protection
McAfee Complete Data Protection provides the ability to fully encrypt hard drives on desktops, laptops and servers. In addition to FDE, it delivers storage encryption capabilities for individual files and for removable media. Like Dell Data Protection | Encryption and Sophos SafeGuard, McAfee Complete Data Protection offers the option of keeping the OS's native FDE in place and improving on it by adding central management to what is otherwise an end-user-managed hard-disk encryption feature. The product comes in two versions: McAfee Complete Data Protection and McAfee Complete Data Protection Advanced, the latter of which adds data loss prevention (DLP) capabilities. Both editions can be centrally managed through McAfee ePolicy Orchestrator software, support AES 256-bit encryption, and have been FIPS 140-2-certified. To learn more about McAfee Complete Data Protection, read the full overview.
Sophos SafeGuard
The Sophos SafeGuard line of FDE products comes in three varieties: SafeGuard Disk Encryption, SafeGuard Enterprise Encryption 6.10 (a bundled form for organizations) and SafeGuard Easy 6.10 (for small businesses and individuals). All three support various Windows and Mac OS flavors and AES 128-bit and 256-bit encryption. They are also FIPS 140-2-certified. SafeGuard Disk Encryption encompasses two types of FDE: SafeGuard Native Device Encryption, which supports the management of native BitLocker (Windows) and FileVault 2 (Mac OS X; AES 128-bit only) encryption, and SafeGuard Device Encryption for Sophos, a hard-disk encryption product that does not rely on native OS FDE capabilities. To learn more about Sophos SafeGuard, read the full overview.
Symantec Endpoint Encryption
Symantec Endpoint Encryption replaced the Symantec Drive Encryption product in October 2014. Unlike some other vendors, Symantec makes a single version of its FDE software. It is centrally managed via the Symantec Endpoint Encryption Management Server, which must be hosted in an Active Directory domain, and is only supported on relatively recent versions of Windows for desktops, laptops and servers. Symantec Endpoint Encryption supports AES with 128-bit or 256-bit keys but, as of this writing, has not yet been FIPS 140-2-certified. As with Check Point Full Disk Encryption, Symantec Endpoint Encryption promotes its mitigations against brute-force password attacks. To learn more about Symantec Endpoint Encryption, read the full overview.
DiskCryptor
An open source FDE product, DiskCryptor is intended to protect hard drives on a variety of Windows OSes for desktops, laptops and servers. It supports several encryption algorithms, including the robust AES-256 algorithm, but has not gone through the formal testing required to become FIPS 140-2-certified. The DiskCryptor documentation only discusses passwords as an authentication mechanism (no multifactor support), and it does not provide any sort of key recovery option or centralized management. What distinguishes DiskCryptor from other FDE products is its support for complex hardware configurations, such as redundant array of independent disks (RAID) configurations. It also provides a wide range of options related to boot loading. To learn more about DiskCryptor, read the full overview.
Apple FileVault 2
Apple FileVault 2 is an FDE application for desktop and laptop hard drives built into certain versions of Mac OS X. It is AES 128-bit- and AES 256-bit-compatible -- the latter only in the latest versions of Mac OS X, Yosemite (10.10) and Mavericks (10.9) -- and is FIPS 140-2-certified. FileVault 2 is intended for local management, as Apple does not provide any centralized management capabilities for the FDE product. Another disadvantage of FileVault 2 is that pre-boot authentication reuses the user's Mac OS X login password rather than a separate secret. There are, however, a variety of commercial add-on products available that add more sophisticated management and configuration capabilities. To learn more about Apple FileVault 2, read the full overview.
Microsoft BitLocker
Microsoft BitLocker is the FDE feature bundled with certain versions of Windows and Windows Server. It uses either the AES 128-bit or AES 256-bit key algorithm for encryption. And, while BitLocker itself has not been FIPS 140-2-certified, the cryptographic modules it uses have been, which is what matters in practice.
Authentication options, meanwhile, are rather limited when using BitLocker. It is intended to be used with a Trusted Platform Module (TPM), and pre-boot authentication is achieved by specifying a PIN or by storing a startup key on a flash drive, which the user must then insert in order to boot the system. Often, BitLocker is used in conjunction with a third-party FDE product, which manages the native FDE feature while adding a variety of additional authentication options. To learn more about BitLocker, read the full overview.
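As an added example (not code from the article or from Microsoft), the following PowerShell audit checks a Windows machine's BitLocker volumes against the evaluation criteria discussed above: a strong AES key length, protection actually switched on, TPM-backed pre-boot authentication with a PIN on the OS volume, and a recovery protector so key recovery is possible. It uses only the stock BitLocker module's Get-BitLockerVolume cmdlet; the policy thresholds in the parameters are assumptions to adjust to your own standard.

```powershell
# Added example: audit local BitLocker posture. Run from an elevated prompt on
# Windows 8 / Server 2012 or later, where the BitLocker module is available.

function Test-BitLockerPosture {
    param(
        # Assumed policy thresholds (hypothetical; tune to your own standard).
        [string[]]$AcceptedMethods   = @('Aes256', 'XtsAes256'),
        [string[]]$RequiredOsProtect = @('TpmPin', 'TpmPinStartupKey')
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types tell us how the volume key is actually unlocked.
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume not fully encrypted ($($vol.VolumeStatus))"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "protection is $($vol.ProtectionStatus)"
        }
        if ($AcceptedMethods -notcontains $vol.EncryptionMethod.ToString()) {
            $findings += "encryption method $($vol.EncryptionMethod) is below policy"
        }
        # Only the OS volume needs pre-boot authentication; data volumes auto-unlock.
        if ($vol.VolumeType -eq 'OperatingSystem' -and
            -not ($types | Where-Object { $RequiredOsProtect -contains $_ })) {
            $findings += "OS volume lacks TPM+PIN pre-boot authentication (protectors: $($types -join ', '))"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector; key recovery is not possible'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Protectors = ($types -join ', ')
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

Test-BitLockerPosture | Format-Table -AutoSize -Wrap
```

A volume that reports Compliant = False for a missing RecoveryPassword protector is the case the article's key-recovery criterion warns about: the data is encrypted, but a forgotten PIN or a replaced TPM leaves no supported way back in.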
Which FDE product is right for you?
The products covered in this article all provide basic FDE capabilities at the least. What mainly differentiates them for enterprise use are their overall management capabilities and whether a native OS, third-party or open source FDE product is desired and/or required.
It is up to each organization to review the FDE products under consideration closely and determine which best meets its own needs. This list is a good jumping-off point for an investigation into which FDE product is the best fit for a company's IT environment.
Get more reviews of other full disk encryption products featured in this series: McAfee Complete Data Protection, Symantec Endpoint Encryption, Sophos SafeGuard, Microsoft BitLocker, Dell Data Protection | Encryption, Check Point Full Disk Encryption, DiskCryptor and Apple FileVault 2.