Full disk encryption

What is full disk encryption?

Full disk encryption (FDE) is a security technology that encrypts all data stored on a device’s storage drive, making it unreadable without the proper authentication or decryption key.

How does full disk encryption work?

FDE protects data with a master encryption key, often called the data encryption key (DEK), that encrypts the entire storage drive. The master key is never stored in the clear: it is itself encrypted (wrapped) under a key that is derived from the user's credential or released by trusted hardware such as a TPM. When the device starts, the user must authenticate, for example with a password, PIN, biometric method, or hardware-based security feature, which unwraps the master key and allows the system to access the encrypted data. Because only this small wrapped key changes when a password is changed, the drive itself does not have to be re-encrypted.

Data is encrypted automatically whenever it is written to the drive and decrypted automatically when read, with the master key held in memory for as long as the device is unlocked. While the device is powered off, the master key is not in memory and the encrypted data remains unreadable without the correct credential.

[Table: how different device states affect full disk encryption]
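The key hierarchy and the locked and unlocked states described above, as an added, runnable model that is not part of this glossary page or of any real FDE product: a hypothetical `Volume` type whose on-disk header stores the master key wrapped under a key derived from the passphrase (PBKDF2-HMAC-SHA256, inlined so the program needs only Go's standard library; real volumes use memory-hard KDFs such as Argon2id or scrypt). One simplification is worth noting: each sector here is encrypted with AES-256-GCM and carries its own nonce and authentication tag, whereas real FDE uses a length-preserving tweakable mode such as AES-XTS with the sector number as the tweak, because a disk sector cannot grow to hold extra bytes. The function names (`Format`, `Unlock`, `Lock`, `WriteSector`, `ReadSector`) and the sample data are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// kdf is single-block PBKDF2-HMAC-SHA256 (RFC 8018), inlined to stay stdlib-only; real volumes prefer Argon2id or scrypt.
func kdf(passphrase, salt []byte) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index INT(1)
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < 100_000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// seal/unseal: AES-256-GCM, random nonce prepended; aad ties a ciphertext to its role (slot label or sector number). 32-byte keys.
func seal(key, pt, aad []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, aad)
}

func unseal(key, blob, aad []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < g.NonceSize() {
		return nil, errors.New("malformed ciphertext")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Volume: encrypted sectors plus a header (Salt, PassSlot, both stored in the clear) holding the DEK wrapped under the passphrase-derived KEK.
type Volume struct {
	Salt, PassSlot []byte
	Sectors        [][]byte
	dek            []byte // the only plaintext copy of the DEK; nil while locked
}

func Format(passphrase []byte, sectors int) *Volume {
	v := &Volume{Salt: randBytes(16), Sectors: make([][]byte, sectors), dek: randBytes(32)}
	v.PassSlot = seal(kdf(passphrase, v.Salt), v.dek, []byte("passphrase-slot"))
	return v
}

// Unlock derives the KEK and unwraps the DEK; a wrong passphrase simply fails GCM authentication. Sectors are never touched.
func (v *Volume) Unlock(passphrase []byte) error {
	dek, err := unseal(kdf(passphrase, v.Salt), v.PassSlot, []byte("passphrase-slot"))
	if err != nil {
		return errors.New("wrong passphrase")
	}
	v.dek = dek
	return nil
}

// Lock drops the DEK. Until then anything reading this process's memory (or a sleeping laptop's RAM) can read every sector; real code also zeroes the bytes.
func (v *Volume) Lock() { v.dek = nil }

// Encrypt on write, decrypt on read. The sector number is authenticated, so a ciphertext moved to another sector fails to decrypt.
func (v *Volume) WriteSector(n int, data []byte) error {
	if v.dek == nil {
		return errors.New("volume is locked")
	}
	v.Sectors[n] = seal(v.dek, data, binary.BigEndian.AppendUint64(nil, uint64(n)))
	return nil
}

func (v *Volume) ReadSector(n int) ([]byte, error) {
	if v.dek == nil {
		return nil, errors.New("volume is locked")
	}
	return unseal(v.dek, v.Sectors[n], binary.BigEndian.AppendUint64(nil, uint64(n)))
}
```

Call `Format` once, `Unlock` before reading, `Lock` when done. A second credential such as a recovery key is added the same way: the same DEK is wrapped under that key in another header slot, which is why losing the credential for every slot makes the data permanently unreadable, and why changing a passphrase only rewrites a header slot rather than re-encrypting the drive. After `Lock` the DEK is gone only from this model; a real implementation must also scrub the key bytes and guard against copies left behind by the runtime.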

Types of full disk encryption

While the aim of FDE remains the same, there are different implementation approaches.

  • Software-based encryption: Encryption is performed by the operating system or a dedicated application, with the CPU doing the cryptographic work. Examples include the features built into modern operating systems, such as BitLocker on Windows, FileVault on macOS, and LUKS/dm-crypt on Linux.
  • Hardware-based encryption: Encryption is performed by the storage device itself, typically a self-encrypting drive (SED) whose controller encrypts every sector in hardware. Its security depends on the drive vendor's implementation of authentication and key handling, which the host cannot inspect.
  • Hybrid: Combines the approaches, for example encryption in drive hardware while key protection, authentication, and policy are controlled by the operating system or by trusted hardware such as a TPM.

Benefits of full disk encryption

FDE provides several important security advantages, particularly for protecting data at rest, including:

  • Limits the impact of device loss or theft: If a device or storage drive is stolen, the data remains inaccessible without the correct decryption key.
  • Protects all data automatically: Encryption applies to the entire disk, including system files and user data, without requiring manual file-level protection.
  • Prevents unauthorized offline access: Attackers cannot bypass security by removing the drive or booting from another operating system to read its contents.
  • Supports regulatory compliance: Encryption helps organizations meet data protection requirements under frameworks such as the General Data Protection Regulation (GDPR).
  • Strengthens overall security posture: FDE protects stored data and complements other safeguards that secure data in transit or in backup environments.

Risks and privacy concerns

FDE can be undermined by operational failures, weak authentication practices, or conditions that expose data after unlocking. Key risks include:

  • Loss of recovery keys: Because the data can only be unlocked by a credential that unwraps the master key, losing the passphrase and every recovery credential makes the data permanently inaccessible.
  • Exposure while unlocked: Once a device has booted and the user has authenticated, the master key is in memory and the operating system decrypts on demand, so malware, another logged-in user, or anyone who can read memory (for example through a DMA or cold-boot attack) can still read the data.
  • Key management complexity: In organizational environments, improper storage or handling of encryption keys and recovery credentials, such as keeping recovery keys on the encrypted device itself or in an unprotected spreadsheet, creates operational and security risks.
  • False sense of complete protection: FDE does not protect against phishing, insider threats, or network-based attacks, and when the unlock credential is a passphrase alone, a weak passphrase can be guessed offline by an attacker who has the drive, since the drive header holds everything needed to test a guess.

FAQ

Is FDE the same as file encryption?

No. Full disk encryption (FDE) protects all data on the drive, including the operating system and system files, while file encryption protects only selected files or folders.

Does full disk encryption slow my device?

Pre-boot authentication adds a step to startup, and the initial encryption of an existing drive can take a long time. Once unlocked, modern CPUs accelerate AES in hardware (for example with AES-NI), so the day-to-day performance impact is usually negligible.

Does it protect me from hacking?

No. Full disk encryption (FDE) protects data at rest, not data in transit or against remote attacks. However, it does protect data if the device is lost, stolen, or accessed offline.

What happens if my laptop is asleep?

If the device is asleep rather than fully powered off, the encryption key stays in memory so the system can resume quickly. The data is therefore still accessible to the running system and could be exposed to an attacker with physical access, for example by reading memory over a DMA-capable port or with a cold-boot attack. Shutting down, or hibernating on systems that remove the key from memory before suspending, avoids this.

Do I still need a VPN with FDE?

Yes. Full disk encryption (FDE) and virtual private networks (VPNs) serve different purposes. FDE protects stored data on your device, while a VPN encrypts network traffic to protect data in transit.