Full Disk Encryption: Real Security For Your Laptop

In ordinary computer encryption, data is encrypted at the level of individual files, and sometimes folders; anyone who wants to access that data needs the key or password to do so. This type of encryption is used primarily to protect single files, either to keep other users of your computer out of them or to send files to others securely.

Full disk encryption is a little different. It encrypts everything on your hard drive, or on a partition of it, from temporary files to the operating system itself. It is never used to send encrypted data to someone else; its purpose is to prevent access to the data on your physical machine.

There are several reasons you should consider full disk encryption:

  • You carry around sensitive information, like medical records, on your laptop on a regular or even sporadic basis.
  • You want to make your laptop as good as useless to anyone who steals it.
  • You want to be able to destroy data immediately if necessary. (For permanent destruction, you'll need to destroy the physical hard drive as well, however.)

Full disk encryption should not be considered as a replacement for file-level encryption, but rather as a way to secure your entire computer while you are not using it. You should still use file-level encryption on your most sensitive materials, especially if you sometimes share your computer with others.

Implementing Full Disk Encryption

There are two ways to implement full disk encryption on a computer: with software installed on the computer, or with dedicated hardware such as a TPM chip on the motherboard. Software encryption is cheaper, but it requires a small portion of the hard drive to remain unencrypted so that the encryption software can load before the operating system, and that unencrypted portion is a potential weak point.

Hardware encryption is more expensive, and it won't be compatible with every computer; in the case of the TPM chip, you may need a new motherboard. However, it's worth the trouble. Hardware encryption makes it impossible to take a hard drive out of your computer and install it in another computer; the swapped drive simply will not run. Hardware encryption is also much faster than software encryption.

If you want full disk encryption on a laptop, you will probably have to use software encryption or buy a whole new laptop with the appropriate hardware built in; retrofitting a laptop is very expensive and sometimes not even possible. Desktops are more easily set up for hardware encryption.

How To Unlock Encrypted Data

There are several ways to unlock the encrypted data on your laptop:

  • A Simple Username/Password System
  • Smartcard with PIN
  • Thumbprint Scan
  • Boot-Time Driver with Password Protection
  • Network Interchange to Access Key
  • Decryption Key Contained in the TPM Module

The best systems use some combination of the above: something within the computer and something outside of it. It is also wise to maintain an emergency recovery information (ERI) mechanism of some kind in case the encryption keys are lost.
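The combination of factors and the recovery mechanism described above, as an added Python illustration (not code from the article): one random data-encryption key (DEK) protects the disk, the daily unlock slot wraps it under a key derived from a password plus a secret held on an external token, a second slot wraps the same DEK under a recovery key kept off the laptop, and erasing every slot makes the disk unreadable at once. The slot layout, function names and the simplified wrap construction are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Toy key-slot model (added illustration, not the article's code). The wrap below is a
# simplified encrypt-then-MAC stand-in for a real key-wrap cipher such as AES key wrap;
# what matters is that every unlock path yields the same DEK and a wrong factor yields none.
def derive_kek(password, token_secret, salt):
    # "something within" (password) combined with "something outside" (token secret)
    return hashlib.pbkdf2_hmac("sha256", password + token_secret, salt, 100_000, dklen=32)

def wrap(kek, dek):
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(b"stream" + kek + nonce).digest()   # one-time keystream
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, nonce + ct, "sha256").digest()          # integrity tag
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unwrap(kek, slot):
    """Return the DEK, or None when the KEK is wrong or the slot was erased."""
    if slot is None:
        return None
    tag = hmac.new(kek, slot["nonce"] + slot["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None
    stream = hashlib.sha256(b"stream" + kek + slot["nonce"]).digest()
    return bytes(a ^ b for a, b in zip(slot["ct"], stream))

def recovery_kek(recovery_key):
    return hashlib.sha256(b"recovery" + recovery_key).digest()

def provision(password, token_secret):
    """Build a header with a daily slot and an emergency recovery (ERI) slot."""
    dek, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    recovery_key = secrets.token_bytes(32)     # shown once; stored off the laptop
    header = {"salt": salt, "slots": {
        "daily": wrap(derive_kek(password, token_secret, salt), dek),
        "recovery": wrap(recovery_kek(recovery_key), dek)}}
    return header, recovery_key

def unlock(header, password=None, token_secret=None, recovery_key=None):
    slots = header["slots"]
    if recovery_key is not None:
        return unwrap(recovery_kek(recovery_key), slots.get("recovery"))
    kek = derive_kek(password or b"", token_secret or b"", header["salt"])
    return unwrap(kek, slots.get("daily"))

def crypto_erase(header):
    """Dropping every wrapped copy of the DEK makes the whole disk unreadable instantly."""
    header["slots"].clear()
```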

