Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of disk encryption:
- Nearly everything, including the swap space and the temporary files, is encrypted. Encrypting these files is important, as they can reveal confidential data. With a software-only implementation, however, the bootstrapping code itself cannot be encrypted. For example, BitLocker Drive Encryption leaves an unencrypted volume to boot from, while the volume containing the operating system is fully encrypted.
- With full disk encryption, the decision of which individual files to encrypt is not left up to users’ discretion. This is important for situations in which users might not want or might forget to encrypt sensitive files.
- Immediate data destruction, such as simply destroying the cryptographic keys (crypto-shredding), renders the contained data useless. However, if security towards future attacks is a concern, purging or physical destruction is advised.
Boot Key Issues
One issue to address in full disk encryption is that the blocks where the operating system is stored must be decrypted before the OS can boot, meaning that the key has to be available before there is a user interface to ask for a password.
Most full disk encryption solutions use pre-boot authentication by loading a small, highly secure operating system which is strictly locked down and hashed against system variables to check the integrity of the pre-boot kernel. Some implementations, such as BitLocker Drive Encryption, can make use of hardware such as a Trusted Platform Module to ensure the integrity of the boot environment, and thereby frustrate attacks that target the boot loader by replacing it with a modified version.
This ensures that authentication can take place in a controlled environment without the possibility of a bootkit being used to subvert the pre-boot decryption.
With a pre-boot authentication environment, the key used to encrypt the data is not decrypted until an external key is supplied to the system.
Solutions for storing the external key include:
- Username / password
- Using a smartcard in combination with a PIN
- Using a biometric authentication method such as a fingerprint
- Using a dongle to store the key, assuming that the user will not allow the dongle to be stolen with the laptop or that the dongle is encrypted as well
- Using a boot-time driver that can ask for a password from the user
- Using a network interchange to recover the key, for instance as part of a PXE boot
- Using a TPM to store the decryption key, preventing unauthorized access of the decryption key or subversion of the boot loader
- Using a combination of the above
All these possibilities have varying degrees of security; however, most are better than an unencrypted disk.
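The following is an added illustration, not code from the original text or from any product it names, of how the pieces above fit together: a measured boot chain extended into a TPM-style PCR register, a data encryption key (DEK) sealed both to that measured state and to a key derived from the user's passphrase (the "external key"), and crypto-shredding by destroying the sealed key record. The boot-chain measurements, the passphrase and the key values are constructed; the TPM is simulated in software, and a hash-derived one-time pad plus HMAC stands in for the AES key wrap a real implementation would use.

```python
import hashlib
import hmac
import secrets

# Constructed measurements of a boot chain. Each stage hashes the next one into the
# PCR before handing over to it, so the final PCR value commits to the whole chain.
GOOD_BOOT_CHAIN = [b"firmware-v1", b"bootloader-v1", b"preboot-kernel-v1"]
TAMPERED_BOOT_CHAIN = [b"firmware-v1", b"bootloader-modified", b"preboot-kernel-v1"]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(measurement)). Order-dependent and one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(chain) -> bytes:
    """Simulated measured boot: start from an all-zero PCR and extend each stage in order."""
    pcr = bytes(32)
    for stage in chain:
        pcr = pcr_extend(pcr, stage)
    return pcr


def derive_kek(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Key-encryption key from the user's passphrase (PBKDF2-HMAC-SHA256, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def seal_dek(dek: bytes, kek: bytes, expected_pcr: bytes) -> dict:
    """Wrap the 32-byte DEK under the KEK and bind the result to the expected PCR value."""
    nonce = secrets.token_bytes(16)
    # Fresh nonce per wrap, so the hash-derived pad is a one-time pad for the 32-byte DEK.
    pad = hashlib.sha256(kek + nonce + b"wrap").digest()
    wrapped = bytes(a ^ b for a, b in zip(dek, pad))
    # The tag covers the PCR value: a different measured boot state cannot verify it.
    tag = hmac.new(kek, nonce + wrapped + expected_pcr, "sha256").digest()
    return {"nonce": nonce, "wrapped": wrapped, "tag": tag}


def unseal_dek(blob: dict, kek: bytes, current_pcr: bytes):
    """Return the DEK only if both the passphrase (KEK) and the measured boot state match."""
    tag = hmac.new(kek, blob["nonce"] + blob["wrapped"] + current_pcr, "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    pad = hashlib.sha256(kek + blob["nonce"] + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def crypto_shred(blob: dict) -> dict:
    """Crypto-shredding: overwrite the sealed key record; ciphertext on disk becomes unrecoverable."""
    return {name: secrets.token_bytes(len(value)) for name, value in blob.items()}


def demo() -> dict:
    """Walk through the scenarios the text describes and report which ones release the DEK."""
    salt = secrets.token_bytes(16)
    dek = secrets.token_bytes(32)  # constructed disk key; in practice generated at format time
    kek = derive_kek("correct horse battery staple", salt)  # constructed passphrase
    blob = seal_dek(dek, kek, measure_boot(GOOD_BOOT_CHAIN))
    return {
        "good_boot_correct_passphrase": unseal_dek(blob, kek, measure_boot(GOOD_BOOT_CHAIN)) == dek,
        "tampered_bootloader": unseal_dek(blob, kek, measure_boot(TAMPERED_BOOT_CHAIN)),
        "wrong_passphrase": unseal_dek(blob, derive_kek("wrong", salt), measure_boot(GOOD_BOOT_CHAIN)),
        "after_crypto_shred": unseal_dek(crypto_shred(blob), kek, measure_boot(GOOD_BOOT_CHAIN)),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {'DEK released' if result is True else 'DEK withheld'}")
```

Only the first scenario yields the DEK. A modified boot loader changes the final PCR value, so the tag check fails before any key material is released, which is the property the TPM-backed integrity check in the text relies on; the wrong passphrase fails the same check because the KEK is wrong; and once the sealed record is shredded there is nothing left to unseal, so the encrypted blocks on disk are useless regardless of who holds the passphrase.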