Full Disk Encryption Pros and Cons


Full disk encryption (FDE), also called whole disk encryption, encrypts every file stored on the drive (or drives), including the operating system files. This is usually done on a sector-by-sector basis. A filter driver loaded into memory at boot encrypts every file as it is written to disk and decrypts every file as it is read back from the disk. This happens transparently to the end user and to the application generating the files.

Advantages

  • Everything on the drive (or drives) is encrypted, including temporary files and swap space, which increases the security of your data.
  • Encryption is enforced for the end user, who no longer has to decide what should or should not be encrypted.
  • Encryption and decryption are transparent. When information needs to be accessed, it can be saved off the system and is decrypted automatically.
  • Most FDE systems support pre-boot authentication, which adds another layer of protection.
  • Since all data on the drive is encrypted, even if alternative boot media is used against an encrypted system, the data on the drive is unreadable and therefore useless to the thief.
  • Hard tokens, soft tokens, or passwords can in most cases be used for the pre-boot authentication that grants access to the system.


Disadvantages

  • Some FDE programs increase data access times. Slight delays in writing and reading data can occur, especially with very large files.
  • When FDE systems encrypt on a sector-by-sector basis, fragmentation on the drive can cause significant problems.
  • Encryption key management has to be considered. If a key for recovery of data is stored offline, end-user support processes for data recovery need to be put in place.
  • Password management processes have to be defined and put into place. If users lose the password that grants access to the encrypted system, they have no access to their data. This impacts the availability of the data, as referenced in the CIA triad model.
  • With FDE systems, once a user is authenticated to the system via the password used by the encryption software, full access to all data is achieved. This puts increased emphasis on ensuring that strong passwords or passphrases are used for pre-boot authentication.
  • If the encryption software becomes corrupted or otherwise fails and cannot be recovered with the unique recovery key, the data on the drives cannot be recovered. The only option is to reformat the drive. While this protects the data, it tends not to be popular with end users.
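The following is an added example, not code from the original article or from any FDE product. It models the two mechanisms the text describes: the sector-by-sector layer that the boot-time filter driver applies under a single volume key, and the key slots behind pre-boot authentication and offline recovery (a user passphrase and a recovery key that each unwrap the same volume key). All names, sector contents and secrets are constructed for the demo. Real products use a tweakable block cipher such as AES-XTS per sector; because only the Python standard library is assumed here, the per-sector cipher is a counter-mode keystream built from HMAC-SHA256 with the sector number as the tweak. Like XTS, it provides confidentiality only, not integrity.

```python
"""Toy model of a full-disk-encryption layer (constructed example).

Sector layer: each 512-byte sector is encrypted independently under one
volume key, tweaked by its sector number.  Key slots: the volume key is
wrapped under a key derived from a passphrase or a recovery key, so either
secret unlocks the volume and losing both means the data is gone.
"""
from __future__ import annotations

import hashlib
import hmac
import os

SECTOR_SIZE = 512        # bytes per sector, as on a classic disk
KDF_ITERATIONS = 100_000  # PBKDF2 work factor; kept low for a quick demo


def _keystream(key: bytes, tweak: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC(key, tweak || counter) blocks.
    Stand-in for AES-XTS so the demo needs only the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, tweak + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- sector layer: the work the filter driver does on every read and write ---

def encrypt_sector(volume_key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """Encrypt one sector.  Using the sector number as the tweak means identical
    plaintext in two sectors yields different ciphertext, and any single sector
    can be rewritten without touching its neighbours (random access)."""
    if len(plaintext) != SECTOR_SIZE:
        raise ValueError("sector must be exactly SECTOR_SIZE bytes")
    tweak = b"sector" + sector_no.to_bytes(8, "big")
    return _xor(plaintext, _keystream(volume_key, tweak, SECTOR_SIZE))


decrypt_sector = encrypt_sector  # XOR with the same keystream is its own inverse


# --- key slots: pre-boot authentication and the offline recovery key ----------

def make_slot(unlock_secret: bytes, volume_key: bytes) -> dict:
    """Wrap the volume key under a key derived from a passphrase or recovery key.
    The HMAC tag lets unlock() reject a wrong secret instead of returning garbage."""
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", unlock_secret, salt, KDF_ITERATIONS)
    wrapped = _xor(volume_key, _keystream(kek, b"wrap", len(volume_key)))
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(slot: dict, unlock_secret: bytes) -> bytes | None:
    """Return the volume key if `unlock_secret` opens this slot, otherwise None."""
    kek = hashlib.pbkdf2_hmac("sha256", unlock_secret, slot["salt"], KDF_ITERATIONS)
    expected = hmac.new(kek, slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return _xor(slot["wrapped"], _keystream(kek, b"wrap", len(slot["wrapped"])))


def provision_volume(passphrase: bytes, recovery_key: bytes, sectors: list[bytes]) -> dict:
    """Build an encrypted 'disk image': a header with two key slots and a body of
    encrypted sectors.  The volume key itself is never stored in the clear."""
    volume_key = os.urandom(32)
    return {
        "slots": {"user": make_slot(passphrase, volume_key),
                  "recovery": make_slot(recovery_key, volume_key)},
        "sectors": [encrypt_sector(volume_key, i, s) for i, s in enumerate(sectors)],
    }


def read_volume(image: dict, slot_name: str, secret: bytes) -> list[bytes] | None:
    """What an authenticated, booted system sees: plaintext sectors.
    A wrong (or lost) secret yields no access at all."""
    volume_key = unlock(image["slots"][slot_name], secret)
    if volume_key is None:
        return None
    return [decrypt_sector(volume_key, i, c) for i, c in enumerate(image["sectors"])]


def demo() -> dict:
    """Constructed sample sectors; returns the properties discussed in the text."""
    plain = [b"payroll.xlsx contents".ljust(SECTOR_SIZE, b"\0"),
             b"payroll.xlsx contents".ljust(SECTOR_SIZE, b"\0"),  # duplicate sector
             b"pagefile / swap".ljust(SECTOR_SIZE, b"\0")]        # swap is covered too
    image = provision_volume(b"correct horse battery", b"RECOVERY-KEY-kept-offline", plain)
    return {
        "raw_readable": any(b"payroll" in c for c in image["sectors"]),  # boot-media view
        "duplicates_distinct": image["sectors"][0] != image["sectors"][1],
        "user_slot_ok": read_volume(image, "user", b"correct horse battery") == plain,
        "recovery_slot_ok": read_volume(image, "recovery", b"RECOVERY-KEY-kept-offline") == plain,
        "wrong_pass": read_volume(image, "user", b"wrong"),  # None: no key, no data
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `raw_readable` result is the alternative-boot-media scenario from the advantages list: the image on its own exposes nothing. The two slots are the key-management point from the disadvantages: the recovery slot is what makes an offline recovery key useful, and `wrong_pass` returning `None` is the availability loss when a passphrase is forgotten and no recovery key was kept.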