Full Disk Encryption (FDE) is widely used on a variety of desktop and mobile operating systems. This technology encrypts all data on a drive at rest to protect sensitive information from exposure.
There are different types of full disk encryption software. Some are coupled with security software, others are standalone, and still others are integrated with the operating system (OS).
This article discusses uncoupled solutions (stand-alone products and those built into the OS). That does not mean the other solutions are less interesting; rather, they require more evaluation criteria than an FDE solution alone.
Here are the top five marketed FDE products: Check Point Full Disk Encryption, Dell Data Protection | Encryption, McAfee Complete Data Protection, Sophos SafeGuard, and Symantec Endpoint Encryption (note that the Dell product can be used on Dell and non-Dell hardware).
There are also several open source FDE solutions, such as DiskCryptor. Finally, there are solutions built into the operating system, such as Apple FileVault 2 and Microsoft BitLocker.
These FDE solutions are widely used. FDE products in general have existed for several years. All of these products provide basic FDE features to protect data at rest on desktops, laptops, and some mobile devices.
Some products can also be used on servers, but their main targets are desktops and laptops. This article therefore covers only these two platforms.
Companies sometimes struggle to find the right solution among the multitude of FDE products available. Fortunately, many of them have reached maturity, and seven criteria make it possible to distinguish between FDE products.
First criterion: device deployment
One could think that the FDE solution integrated into the operating system has a certain advantage when deploying to devices, because it is installed at the OS level. This is not the case, however.
In an FDE deployment, configuring the software, and subsequently keeping that configuration locked down, is often much more complicated than installing the software.
If users can change the FDE configuration, they can, intentionally or not, weaken or disable the technology, even to the point of rendering it unusable. Users can also cause a denial of service against their own systems by deleting encryption keys or otherwise modifying the configuration.
Commercial (off-the-shelf) FDE products can be deployed remotely, eliminating the need for the system administrator to handle the end-user device directly.
In addition to saving valuable time, this may be a necessity for remote users (such as telecommuters or people on long trips). The Microsoft BitLocker software built into the operating system can be managed through Group Policy. Like Apple FileVault 2, however, it is designed for local management.
Open source products generally have to be installed and configured locally. In addition, they assume that no user will change the FDE configuration.
Second criterion: product management
FDE management is not strictly limited to its configuration. It includes other aspects, such as changing keys, changing passwords, installing patches, and updating encryption (for example, longer keys or new algorithms).
In the case of enterprise FDE deployment, the importance of centralized management cannot be overstated. Indeed, the main cost of an FDE solution is not the software itself, but its administration and support.
A solution with a low initial cost is not necessarily economical in the long run. Open source solutions typically do not have centralized management capabilities, which makes them sometimes expensive to administer and support, especially in a large enterprise.
Surprisingly enough, the FDE products provided with the operating system are often considered difficult to administer and are therefore complemented by other FDE products.
Some commercial products presented in this article, such as Dell Data Protection | Encryption, McAfee Complete Data Protection and Sophos SafeGuard, can complement the FDE management features provided with the operating system.
This scenario can be advantageous in terms of performance, because the native FDE functions are used, while ensuring a single, robust centralized management infrastructure administers both FileVault and BitLocker.
Third criterion: compatibility
In terms of compatibility with their environment, organizations need to ask how an FDE solution manages a device (typically a laptop) that enters sleep or hibernation.
The question matters in the event of loss or theft of a laptop that is in one of these modes. If the FDE solution does not properly protect the storage, the confidential data may be compromised.
Compatibility is not the same from one product to another and from one operating system to another (and probably even from one environment to another). It is therefore in companies’ best interest to test their own devices with each FDE solution, whether it’s an operating system-integrated solution (Microsoft BitLocker, Apple FileVault 2), a third-party solution (Check Point Full Disk Encryption, Dell Data Protection | Encryption, McAfee Complete Data Protection, Sophos SafeGuard and Symantec Endpoint Encryption) or an open source solution (DiskCryptor).
This lets them learn how the various FDE solutions behave during sleep and hibernation in their specific environment.
Conflicts can also occur between FDE software and applications that access the hard drive directly: some are obvious, such as disk utilities, others less so, such as some asset management programs.
Companies should test each FDE product under consideration with applications that may access the hard drive directly. They will then be able to identify any incompatibilities and request a fix from the supplier of the products concerned.
Fourth criterion: authentication service integration
Businesses are typically advised to use multifactor authentication (MFA) for FDE. Products that simply reuse operating system password authentication are generally not acceptable.
FDE software must have its own authentication or use a corporate MFA solution, such as Active Directory, smart cards, or cryptographic tokens (preferably the latter).
All of the commercial products mentioned here support MFA authentication, including smart cards and encryption tokens.
Note that Dell Data Protection | Encryption also supports biometric systems. Authentication options are quite limited for Apple FileVault 2 and Microsoft BitLocker, unless a third-party product is added to provide an additional layer, such as centralized management.
Fifth criterion: key recovery
Recovery of encryption keys is a particularly important FDE management function, because if the keys fail or cannot be recovered, the affected user may permanently lose access to all data stored locally.
Only commercial add-ons provide advanced, centralized key recovery capabilities. FileVault offers a recovery service: a recovery key is stored with Apple, and the user can call to retrieve it.
However, the fact that a third party retains encryption keys may violate business security rules.
Companies evaluating products should be aware of where the recovery keys are stored. Used alone, Microsoft BitLocker does not provide centralized key management.
Commercial products support centralized key recovery by administrators. Some, such as Check Point Full Disk Encryption and Symantec Endpoint Encryption, also offer self-service recovery for users. The security of the recovery options must be carefully evaluated.
For example, self-service recovery products may ask users questions such as their favorite color or the name of their pet. Questions of this type can be exploited to gain unauthorized access to a user's password and bypass FDE on that user's device.
When evaluating recovery options, companies should first find out who can recover the keys: users, administrators, or both.
Sixth criterion: brute-force mitigation
The most common mitigations against brute-force password attacks lengthen the delay between authentication attempts, suspend attempts for a period of time, or wipe the contents of the device after too many failures.
These mitigations are even more important with single-factor (password) authentication.
Aside from Check Point Full Disk Encryption and Symantec Endpoint Encryption, none of the other products mentioned implements brute-force mitigation. Contact the supplier for more information.
Seventh criterion: encryption
Given the current state of encryption technology, FDE products typically use the Advanced Encryption Standard (AES) algorithm, preferably with a 256-bit key. All products mentioned here use AES and support 256-bit keys.
It is recommended, or even required by some companies, to formally evaluate products to determine the robustness of their encryption.
Another aspect to consider is where the encryption keys are stored: locally or remotely, and in the former case, where on the device.
For example, Dell Data Protection | Encryption and Microsoft BitLocker can use a local Trusted Platform Module (TPM) to protect key storage securely.
If the keys are stored locally and the storage is not properly secured, attackers can recover the keys, bypass the FDE protection, and access the device.
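As an added example (not from the article, nor any vendor's own code), the following PowerShell check audits one BitLocker volume against the fourth, fifth and seventh criteria: AES-256, a key held by the TPM, a second boot-time factor, and a recovery protector an administrator can use. It assumes Windows with the built-in BitLocker module (Get-BitLockerVolume) and an elevated session; the function name is our own.

```powershell
# Added example: audit a BitLocker volume against the article's criteria.
# Assumes the built-in BitLocker module and an elevated PowerShell session.
function Test-FdeCriteria {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # Seventh criterion: AES with a 256-bit key (XTS mode on recent Windows builds).
    $aes256 = $vol.EncryptionMethod -in @('XtsAes256', 'Aes256')

    # Seventh criterion: the volume key is sealed by the local TPM, not a bare password.
    $tpm = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0

    # Fourth criterion: TPM plus PIN or startup key adds a second factor at boot.
    $mfa = @($types | Where-Object {
        $_ -in @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') }).Count -gt 0

    # Fifth criterion: a recovery password protector exists for administrator recovery.
    # Where it is escrowed (AD DS, a management console) must be verified separately.
    $recovery = $types -contains 'RecoveryPassword'

    $on = ($vol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        MountPoint        = $MountPoint
        ProtectionOn      = $on
        Aes256            = $aes256
        TpmProtector      = $tpm
        BootTimeMfa       = $mfa
        RecoveryProtector = $recovery
        # MFA is reported but not required for Pass, since policy may accept TPM-only.
        Pass              = $on -and $aes256 -and $tpm -and $recovery
    }
}

Test-FdeCriteria -MountPoint 'C:'
```

A volume that reports Pass but BootTimeMfa false is protected only by the TPM, which is exactly the single-factor case the sixth criterion's mitigations are meant to cover.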
All of the software reviewed in this article provides basic FDE capability. What essentially distinguishes products for business use is their overall management capabilities.
For example, many companies already have FDE software that comes with the operating system, but still buy third-party FDE products because of the management challenges they face.
At the same time, some open source products provide free FDE functionality but no management capability. They are therefore suitable for individual use and single systems, but not for standard enterprise deployment.
Few commercial products really stand out. Each company must analyze the products and determine the one that best meets its needs. Often, it will come down to buying a product from the supplier that provided the company's other security products. Businesses should be comfortable with all the commercial products planned for an FDE deployment at their scale.