Whole Disk Encryption

Whole disk encryption is a process in which every bit of data on a disk is encrypted, using either software or hardware, so that unauthorized attempts to access the stored data are prevented. Typically, whole disk encryption means that almost everything on the disk is encrypted, including the software that performs the encryption. However, the master boot record (MBR) must be left unencrypted, which means that part of the disk is unsecured. Some types of hardware-based whole disk encryption make it possible to encrypt the entire boot disk, including the MBR, so that no part of the disk is left unprotected.

Benefits of Whole Disk Encryption

The typical question that comes up when discussing encryption is whether to use file/folder encryption or whole disk encryption. Several benefits explain why whole disk encryption is the route to take.

  1. Nearly everything gets encrypted. This includes the swap space and temporary files, which can reveal important data that one would not want exposed. People don't think to manually encrypt these files.
  2. There is no need to manually encrypt files. The individual does not have to decide which files should be encrypted. Everything gets encrypted.
  3. Data destruction is immediate. Destroying the key makes the data on the disk completely useless.
  4. There is support for pre-boot authentication, which serves as an extension of the BIOS.
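The following is an added example, not code from the original article, that models the three mechanisms the list describes: a header holding the volume key wrapped under a passphrase (pre-boot authentication), every sector stored only as ciphertext, and key destruction as instant data destruction. The class `EncryptedDisk`, the 16-byte `SECTOR_SIZE`, the XOR key wrap and the HMAC-SHA256 counter-mode "cipher" are constructed for this illustration; real products use AES-XTS for the sectors and a proper key-wrapping scheme for the header, and the standard-library construction here is only so the example runs without third-party packages.

```python
import hashlib
import hmac
import os
import secrets

SECTOR_SIZE = 16            # constructed toy size; real disks use 512- or 4096-byte sectors
PBKDF2_ITERATIONS = 100_000


class DiskLockedError(RuntimeError):
    """Raised when a read or write is attempted before pre-boot authentication."""


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _sector_keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Toy per-sector keystream: HMAC-SHA256 over (sector number, counter).

    Tweaking by sector number means identical plaintext written to two different
    sectors yields different ciphertext. Real products get this from AES-XTS; the
    HMAC construction is an assumption made here to stay standard-library only.
    """
    out = b""
    counter = 0
    while len(out) < length:
        block = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _crypt(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR with the sector keystream; the same call encrypts and decrypts."""
    return _xor(data, _sector_keystream(key, sector_no, len(data)))


class EncryptedDisk:
    """A whole disk: every sector is ciphertext; only the header (key slot) is plaintext."""

    def __init__(self, passphrase: str, n_sectors: int) -> None:
        volume_key = secrets.token_bytes(32)        # the key that actually encrypts sectors
        self.salt = os.urandom(16)
        kek = self._derive_kek(passphrase, self.salt)
        # Unencrypted header: volume key wrapped under the passphrase-derived KEK, plus a
        # tag so a wrong passphrase is rejected instead of silently decrypting garbage.
        self.wrapped_key = _xor(volume_key, kek)
        self.key_tag = hmac.new(kek, self.wrapped_key, hashlib.sha256).digest()
        # Everything else on the disk starts as encrypted zero sectors (swap and temp
        # files written later land here too, so they are never stored in the clear).
        self.sectors = [_crypt(volume_key, i, bytes(SECTOR_SIZE)) for i in range(n_sectors)]
        self._volume_key = None                     # disk starts locked

    @staticmethod
    def _derive_kek(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=32)

    def unlock(self, passphrase: str) -> bool:
        """Pre-boot authentication: derive the KEK and unwrap the volume key into memory."""
        kek = self._derive_kek(passphrase, self.salt)
        expected = hmac.new(kek, self.wrapped_key, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.key_tag):
            return False
        self._volume_key = _xor(self.wrapped_key, kek)
        return True

    def lock(self) -> None:
        """Drop the volume key from memory; while unlocked it is what a cold-boot attack targets."""
        self._volume_key = None

    def is_unlocked(self) -> bool:
        return self._volume_key is not None

    def _require_key(self) -> bytes:
        if self._volume_key is None:
            raise DiskLockedError("disk is locked; authenticate first")
        return self._volume_key

    def write(self, sector_no: int, data: bytes) -> None:
        if len(data) != SECTOR_SIZE:
            raise ValueError(f"sector writes must be exactly {SECTOR_SIZE} bytes")
        self.sectors[sector_no] = _crypt(self._require_key(), sector_no, data)

    def read(self, sector_no: int) -> bytes:
        return _crypt(self._require_key(), sector_no, self.sectors[sector_no])

    def raw_sector(self, sector_no: int) -> bytes:
        """What someone holding the bare disk sees: ciphertext, no key required."""
        return self.sectors[sector_no]

    def crypto_shred(self) -> None:
        """Immediate data destruction: overwrite the key slot; sectors stay but are unrecoverable."""
        self.wrapped_key = os.urandom(32)
        self.key_tag = os.urandom(32)
        self.lock()


if __name__ == "__main__":
    disk = EncryptedDisk("correct horse battery", n_sectors=4)
    print("wrong passphrase accepted:", disk.unlock("guess"))
    print("right passphrase accepted:", disk.unlock("correct horse battery"))
    disk.write(0, b"swapfile secret!")                 # constructed sample data
    print("plaintext read back:", disk.read(0))
    print("ciphertext on disk :", disk.raw_sector(0).hex())
    disk.crypto_shred()
    print("unlock after shred :", disk.unlock("correct horse battery"))
```

Note that `crypto_shred` never touches the data sectors: overwriting the 64 bytes of header is enough, which is why the article can call destruction "immediate". The flip side is that the volume key has to sit in RAM for as long as the disk is unlocked, which is the exposure the next section describes.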

Security Concerns

The primary issue with whole disk encryption is that, even though the entire drive is encrypted, the operating system still needs to hold the key in memory to access the drive. Without the key, the computer has no access to the disk. The typical vulnerability of whole disk encryption is a cold boot attack, which relies on the fact that individual data bits in memory can take up to several minutes to degrade after power has been removed. That means the contents of memory, key included, can be dumped by cold-booting the machine before the memory has degraded; if the memory has already degraded, the cold boot is not successful.

Hardware vs. Software

Hardware-based whole disk encryption is typically preferable to software-based whole disk encryption because it is faster. Since the encryption is built into the hardware, it can encrypt immediately without having to go through software. More importantly, because no software is involved, there is typically no overhead for the hard disk drive or the CPU, which is beneficial in terms of efficiency.
