August 29, 2018

Full Disk Encryption: Not what you might think

In Windows 10 it’s called “Device Encryption” and is powered by BitLocker. On macOS it’s called “FileVault”, and it’s baked right into iOS devices without a real name. Whatever it’s labeled as on your computer, the underlying concept is known as full disk encryption (FDE), and it’s an approach that’s been used for years to secure the contents of hard drives.

It sounds thorough and exhaustive in a way you can rest easy about, right? Well, what if it wasn’t quite what you thought it was? Let’s take a deeper look through just what FDE is and what it means for you and your data.

The benefits of FDE are inactive while a user is actually using the computer.

Full disk encryption is unable to provide active, file-level protection after a user is logged in to their system. The act of entering the password or passphrase during boot-up grants permission to the system to decrypt any file that’s requested until the computer is turned off again. As a result, this also means that files could be accessible to malware, ransomware, or bad actors operating remote attacks.

Full-disk encryption does not encrypt every file uniquely on the disk

A system using full disk encryption encrypts each file using the same encryption key, typically based on your system password. In some cases a separate passphrase for FDE is used, but in either scenario an attacker who obtains the correct credentials is rewarded with unfettered access to everything on the disk.
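The single-key point above, as an added Python example that is not from the original post: it compares what one key in an attacker's hands can read when every file shares a key versus when each file has its own. The file names are constructed, and the HMAC-based keystream is an illustrative stand-in for a real disk cipher.

```python
import hashlib
import hmac
import os

def subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey (HKDF-style, RFC 5869, zero salt)."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative cipher only: HMAC-SHA256 in counter mode as a keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes):
    """Encrypt, then authenticate so a wrong key is detected on open."""
    nonce = os.urandom(16)
    ct = xor_stream(subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def unseal(key: bytes, blob):
    """Return the plaintext, or None if this key does not match the blob."""
    nonce, ct, tag = blob
    want = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return xor_stream(subkey(key, b"enc"), nonce, ct)

# Constructed sample files.
FILES = {"taxes.pdf": b"2017 return", "notes.txt": b"todo list", "wallet.dat": b"seed words"}

def readable_with(key: bytes, store: dict) -> list:
    """Names of the files that one key in an attacker's hands can decrypt."""
    return sorted(n for n, blob in store.items() if unseal(key, blob) is not None)

def demo():
    # FDE model from the text: one key, released at login, covers every file.
    volume_key = os.urandom(32)
    fde_store = {n: seal(volume_key, d) for n, d in FILES.items()}
    # File-level model: an independent random key per file.
    file_keys = {n: os.urandom(32) for n in FILES}
    file_store = {n: seal(file_keys[n], d) for n, d in FILES.items()}
    return readable_with(volume_key, fde_store), readable_with(file_keys["notes.txt"], file_store)

if __name__ == "__main__":
    print(demo())
```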

Some recovery options for FDE can also create vulnerabilities

In recent years, both Microsoft and Apple have introduced new recovery options to their FDE implementations which integrate with their respective online services.

There is no doubt about the convenience factor here, but if your Microsoft or iCloud account were compromised by a clever attacker, they not only could perform a remote takeover of your system (if the option to log in via online services is enabled) but they could also perform a ransomware-style attack by changing your FDE passphrase.

FDE implementations created by third-party developers of security software also exist. Many provide functionality designed to let IT administrators support end users, but in the wrong hands it can be exploited by hackers as a back door.

In conclusion...

It’s relatively easy to enable FDE and it’s difficult to argue against using it as a basic precautionary measure. Just bear in mind that it’s not as robust a solution for protecting data at rest as you may think. Always consider it in combination with other types of file-level encryption schemes for stronger peace of mind.
