
The Benefits of Full Disk Encryption

by Jago Maniscalchi  //  January 13, 2012  //  Threat Mitigation  //  2 Comments

The Electronic Frontier Foundation is asking everybody to adopt a New Year’s Resolution for 2012 – to use full disk encryption on every disk that you own.

Many of us now have private information on our computers: personal records, business data, e-mails, web history, or information we have about our friends, family, or colleagues. Encryption is a great way to ensure that your data will remain safe when you travel or if your laptop is lost or stolen. Best of all, it’s free. So don’t put off taking security steps that can help protect your private data. Join EFF in resolving to encrypt your disks 2012.

What is it and why should it be used?

Full disk encryption has long existed as a method of protecting all the data on a drive. Usually, the whole disk is encrypted using a small utility and a new bootloader is installed which prompts the user for a password when the computer is turned on. If the correct password is entered, the decryption key is loaded into memory, the disk is decrypted on the fly, and data is accessed in the usual way.

The protection is only in place when the machine is turned off – once it has been turned on, and the key entered, all data is available. As a result, full disk encryption effectively mitigates against:

  • computer theft and loss
  • physical data theft
  • computer inspections by border guards
  • data being used in evidence (though this is not legal in all countries)

There are two downsides to full disk encryption that need to be considered – if the password is lost, so is the disk, and the data read/write speed is often slower for an encrypted disk.

How is it implemented?

Encrypting a disk has never been a particularly difficult thing to do, but in the past it has relied on purchasing or downloading specialist software. PGP, recently acquired by Symantec, have a commercial solution and TrueCrypt is the de facto free equivalent.

In the last few years, though, whole disk encryption has become much, much more accessible. Microsoft led the way with the release of BitLocker, an encryption product included with the Enterprise and Ultimate editions of Windows Vista and Windows 7. BitLocker uses AES encryption in Cipher Block Chaining (CBC) mode with a 128-bit key. It caused an outcry amongst law enforcement agencies because Microsoft refused to put in a back door that would allow them to decrypt computers that may contain evidence.

In the latest version of OS X Lion, Apple have introduced FileVault 2 full disk encryption, which, like BitLocker, uses 128-bit AES encryption. This time, the AES is in XTS-AESW mode, as is recommended by NIST in SP 800-38E.

Selecting a pass phrase

Of course, full disk encryption is only as strong as the passphrase selected by the user. EFF recommend the use of Diceware, a technique that involves rolling dice to randomly select words from a dictionary. The Pass Phrase Generator seems to work in a similar way, but without the requirement for dice.
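The Diceware technique described above, as an added example (not code from the original article, EFF or the Diceware project). The 36-word list is constructed sample data that uses two dice per word so it fits inline, and the function names are this example's own. It also works out how many words a passphrase needs before guessing it is as hard as guessing the 128-bit AES key it protects.

```python
import math
import secrets

# Constructed 36-word sample list in Diceware's "<dice digits> <word>" format,
# using 2 dice per word so it fits inline. A real list has 7776 words (5 dice).
SAMPLE_WORDS = ("acid bolt cave dune echo fern gulf hawk iris jade kelp lamp "
                "mist nest opal pier quay reed silo tusk urn vine wasp yarn "
                "zinc arch bark clay dove elm fig glen hull isle jolt knot").split()
SAMPLE_LIST = "\n".join(
    f"{a}{b} {SAMPLE_WORDS[(a - 1) * 6 + (b - 1)]}"
    for a in range(1, 7) for b in range(1, 7))

def parse_wordlist(text):
    """Parse '<dice digits> <word>' lines; reject incomplete or malformed lists."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()
        if set(key) - set("123456"):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word
    if not table:
        raise ValueError("empty word list")
    dice = len(next(iter(table)))
    # A missing outcome would bias the selection, so require all 6**dice keys.
    if any(len(k) != dice for k in table) or len(table) != 6 ** dice:
        raise ValueError("list must map every dice outcome to exactly one word")
    return table, dice

def generate(table, dice, n_words):
    """Roll `dice` virtual dice per word using the OS CSPRNG (not `random`)."""
    rolls = ("".join(str(secrets.randbelow(6) + 1) for _ in range(dice))
             for _ in range(n_words))
    return " ".join(table[r] for r in rolls)

def entropy_bits(dice, n_words):
    """Entropy when every word is chosen uniformly: n_words * log2(6**dice)."""
    return n_words * dice * math.log2(6)

def words_needed(dice, target_bits):
    """Fewest words whose entropy reaches target_bits (e.g. a 128-bit AES key)."""
    return math.ceil(target_bits / (dice * math.log2(6)))

if __name__ == "__main__":
    table, dice = parse_wordlist(SAMPLE_LIST)
    print(generate(table, dice, 6), f"({entropy_bits(dice, 6):.1f} bits)")
    print("5-dice words to match a 128-bit key:", words_needed(5, 128))
```

The entropy figure holds only when the words are chosen by the dice (or a CSPRNG) and not picked or rearranged by the user.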

In short, full disk encryption is now free, very easy to implement, and will give complete peace of mind if a computer gets into the wrong hands (however you might define that).

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.

2 Comments on "The Benefits of Full Disk Encryption"

  1. Peter Gasper January 26, 2012 at 529 ·

    I prefer partial encryption (true box container), because if the notebook requires a password, there will be a smaller chance that I will track a theft with my own keylogger or tools like Prey.

  2. Jago Maniscalchi January 29, 2012 at 1230 ·

    Peter, that’s a very good point. I think that encrypted containers are great for protecting your documents if only a subset of them are sensitive. Of course, it does require diligence – just one document stored temporarily outside the encrypted container will cause problems if it is still outside the container when the laptop is stolen.
