Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses
disk encryption software
Disk encryption software is computer security software that protects the confidentiality of data stored on computer media (e.g., a hard disk, floppy disk, or USB device) by using disk encryption.
Compared to access controls commonly enforced by ...
or
hardware to
encrypt
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can deci ...
every
bit
The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...
of
data
In the pursuit of knowledge, data (; ) is a collection of discrete values that convey information, describing quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted ...
that goes on a
disk
Disk or disc may refer to:
* Disk (mathematics), a geometric shape
* Disk storage
Music
* Disc (band), an American experimental music band
* ''Disk'' (album), a 1995 EP by Moby
Other uses
* Disk (functional analysis), a subset of a vector sp ...
or disk
volume
Volume is a measure of occupied three-dimensional space. It is often quantified numerically using SI derived units (such as the cubic metre and litre) or by various imperial or US customary units (such as the gallon, quart, cubic inch). Th ...
. It is used to prevent unauthorized access to data storage.
The expression ''full disk encryption (FDE)'' (or ''whole disk encryption'') signifies that everything on the disk is encrypted, but the
master boot record (MBR), or similar area of a bootable disk, with code that starts the
operating system
An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs.
Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...
loading sequence, is not encrypted. Some
hardware-based full disk encryption
Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD/SSD) vendors, including: ClevX, Hitachi, Integral Memory, iStorage Limited, Micron, Seagate Technology, Samsung, Toshiba, Viasat UK, Western Digital. The sy ...
systems can truly encrypt an entire
boot disk
A boot disk is a removable digital data storage medium from which a computer can load and run ( boot) an operating system or utility program. The computer must have a built-in program which will load and execute a program from a boot disk meeting ...
, including the MBR.
Transparent encryption
Transparent encryption, also known as real-time encryption and on-the-fly encryption (OTFE), is a method used by some
disk encryption software
Disk encryption software is computer security software that protects the confidentiality of data stored on computer media (e.g., a hard disk, floppy disk, or USB device) by using disk encryption.
Compared to access controls commonly enforced by ...
. "Transparent" refers to the fact that data is automatically
encrypted
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can deci ...
or decrypted as it is loaded or saved.
With transparent encryption, the files are accessible immediately after the
key
Key or The Key may refer to:
Common meanings
* Key (cryptography), a piece of information that controls the operation of a cryptography algorithm
* Key (lock), device used to control access to places or facilities restricted by a lock
* Key (map ...
is provided, and the entire
volume
Volume is a measure of occupied three-dimensional space. It is often quantified numerically using SI derived units (such as the cubic metre and litre) or by various imperial or US customary units (such as the gallon, quart, cubic inch). Th ...
is typically
mounted
Mount is often used as part of the name of specific mountains, e.g. Mount Everest.
Mount or Mounts may also refer to:
Places
* Mount, Cornwall, a village in Warleggan parish, England
* Mount, Perranzabuloe, a hamlet in Perranzabuloe parish, Co ...
as if it were a physical drive, making the files just as accessible as any unencrypted ones. No data stored on an encrypted volume can be read (decrypted) without using the correct
password
A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...
/
keyfile {{Unreferenced, date=December 2009
A keyfile (or ''key-file'') is a file on a computer which contains encryption or license keys.
A common use is web server software running secure socket layer (SSL) protocols. Server-specific keys issued by tru ...
(s) or correct
encryption keys. The entire
file system
In computing, file system or filesystem (often abbreviated to fs) is a method and data structure that the operating system uses to control how data is stored and retrieved. Without a file system, data placed in a storage medium would be one larg ...
within the volume is encrypted (including file names, folder names, file contents, and other
meta-data
Metadata is "data that provides information about other data", but not the content of the data, such as the text of a message or the image itself. There are many distinct types of metadata, including:
* Descriptive metadata – the descriptive ...
).
To be
transparent
Transparency, transparence or transparent most often refer to:
* Transparency (optics), the physical property of allowing the transmission of light through a material
They may also refer to:
Literal uses
* Transparency (photography), a still, ...
to the end-user, transparent encryption usually requires the use of
device driver
In computing, a device driver is a computer program that operates or controls a particular type of device that is attached to a computer or automaton. A driver provides a software interface to hardware devices, enabling operating systems and ot ...
s to enable the
encryption
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
process. Although
administrator access rights are normally required to install such drivers, encrypted volumes can typically be used by normal users without these rights.
In general, every method in which data is seamlessly encrypted on write and decrypted on read, in such a way that the user and/or application software remains unaware of the process, can be called transparent encryption.
Disk encryption vs. filesystem-level encryption
Disk encryption does not replace file encryption in all situations. Disk encryption is sometimes used in conjunction with
filesystem-level encryption
Filesystem-level encryption, often called file-based encryption, FBE, or file/folder encryption, is a form of disk encryption where individual files or directories are encrypted by the file system itself.
This is in contrast to the full disk enc ...
with the intention of providing a more secure implementation. Since disk encryption generally uses the same key for encrypting the whole drive, all of the data can be decrypted when the system runs. However, some disk encryption solutions use multiple keys for encrypting different volumes. If an attacker gains access to the computer at run-time, the attacker has access to all files. Conventional file and folder encryption instead allows different keys for different portions of the disk. Thus an attacker cannot extract information from still-encrypted files and folders.
Unlike disk encryption, filesystem-level encryption does not typically encrypt filesystem metadata, such as the directory structure, file names, modification
timestamps
A timestamp is a sequence of characters or encoded information identifying when a certain event occurred, usually giving date and time of day, sometimes accurate to a small fraction of a second. Timestamps do not have to be based on some absolut ...
or sizes.
Disk encryption and Trusted Platform Module
Trusted Platform Module
Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a ch ...
(TPM) is a
secure cryptoprocessor
A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike crypt ...
embedded in the
motherboard
A motherboard (also called mainboard, main circuit board, mb, mboard, backplane board, base board, system board, logic board (only in Apple computers) or mobo) is the main printed circuit board (PCB) in general-purpose computers and other expand ...
that can be used to
authenticate
Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicatin ...
a hardware device. Since each TPM chip is unique to a particular device, it is capable of performing platform
authentication
Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...
. It can be used to verify that the system seeking the access is the expected system.
A limited number of disk encryption solutions have support for TPM. These implementations can wrap the decryption key using the TPM, thus tying the
hard disk drive
A hard disk drive (HDD), hard disk, hard drive, or fixed disk is an electro-mechanical data storage device that stores and retrieves digital data using magnetic storage with one or more rigid rapidly rotating platters coated with magnet ...
(HDD) to a particular device. If the HDD is removed from that particular device and placed in another, the decryption process will fail. Recovery is possible with the decryption
password
A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...
or
token.
Although this has the advantage that the disk cannot be removed from the device, it might create a
single point of failure
A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working. SPOFs are undesirable in any system with a goal of high availability or reliability, be it a business practice, software appl ...
in the encryption. For example, if something happens to the TPM or the
motherboard
A motherboard (also called mainboard, main circuit board, mb, mboard, backplane board, base board, system board, logic board (only in Apple computers) or mobo) is the main printed circuit board (PCB) in general-purpose computers and other expand ...
, a user would not be able to access the data by connecting the hard drive to another computer, unless that user has a separate recovery key.
Implementations
There are multiple tools available in the market that allow for disk encryption. However, they vary greatly in features and security. They are divided into three main categories:
software
Software is a set of computer programs and associated documentation and data. This is in contrast to hardware, from which the system is built and which actually performs the work.
At the lowest programming level, executable code consists ...
-based, hardware-based within the storage device, and hardware-based elsewhere (such as
CPU or
host bus adaptor
In computer hardware, a host controller, host adapter, or host bus adapter (HBA), connects a computer system bus, which acts as the host system, to other network and storage devices. The terms are primarily used to refer to devices for con ...
).
Hardware-based full disk encryption
Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD/SSD) vendors, including: ClevX, Hitachi, Integral Memory, iStorage Limited, Micron, Seagate Technology, Samsung, Toshiba, Viasat UK, Western Digital. The sy ...
within the storage device are called self-encrypting drives and have no impact on performance whatsoever. Furthermore, the media-encryption key never leaves the device itself and is therefore not available to any virus in the operating system.
The
Trusted Computing Group
The Trusted Computing Group is a group formed in 2003 as the successor to the Trusted Computing Platform Alliance which was previously formed in 1999 to implement Trusted Computing concepts across personal computers. Members include Intel, AMD, I ...
Opal Storage Specification
The Opal Storage Specification is a set of specifications for features of data storage devices (such as hard disk drives and solid state drives) that enhance their security. For example, it defines a way of encrypting the stored data so that an u ...
provides industry accepted standardization for self-encrypting drives. External hardware is considerably faster than the software-based solutions, although CPU versions may still have a performance impact, and the media encryption keys are not as well protected.
All solutions for the boot drive require a
pre-boot authentication
Pre-boot authentication (PBA) or power-on authentication (POA) serves as an extension of the BIOS, UEFI or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PB ...
component which is available for all types of solutions from a number of vendors. It is important in all cases that the authentication credentials are usually a major potential weakness since the
symmetric cryptography is usually strong.
Password/data recovery mechanism
Secure and safe recovery mechanisms are essential to the large-scale deployment of any disk encryption solutions in an enterprise. The solution must provide an easy but secure way to recover passwords (most importantly data) in case the user leaves the company without notice or forgets the password.
Challenge–response password recovery mechanism
Challenge–response password recovery mechanism allows the password to be recovered in a secure manner. It is offered by a limited number of disk encryption solutions.
Some benefits of challenge–response password recovery:
# No need for the user to carry a disc with recovery encryption key.
# No secret data is exchanged during the recovery process.
# No information can be
sniffed.
# Does not require a network connection, i.e. it works for users that are at a remote location.
Emergency recovery information (ERI)-file password recovery mechanism
An emergency recovery information (ERI) file provides an alternative for recovery if a challenge–response mechanism is unfeasible due to the cost of helpdesk operatives for small companies or implementation challenges.
Some benefits of ERI-file recovery:
# Small companies can use it without implementation difficulties.
# No secret data is exchanged during the recovery process.
# No information can be sniffed.
# Does not require a network connection, i.e. it works for users that are at a remote location.
Security concerns
Most full disk encryption schemes are vulnerable to a
cold boot attack
In computer security, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer's random-access memory (RAM) b ...
, whereby encryption
keys can be stolen by
cold-booting a machine already running an
operating system
An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs.
Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...
, then dumping the contents of
memory
Memory is the faculty of the mind by which data or information is encoded, stored, and retrieved when needed. It is the retention of information over time for the purpose of influencing future action. If past events could not be remembered, ...
before the data disappears. The attack relies on the
data remanence
Data remanence is the residual representation of digital data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting o ...
property of computer memory, whereby data
bit
The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...
s can take up to several minutes to degrade after power has been removed.
Even a
Trusted Platform Module
Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a ch ...
(TPM) is not effective against the attack, as the operating system needs to hold the decryption keys in memory in order to access the disk.
Full disk encryption is also vulnerable when a computer is stolen when suspended. As wake-up does not involve a
BIOS
In computing, BIOS (, ; Basic Input/Output System, also known as the System BIOS, ROM BIOS, BIOS ROM or PC BIOS) is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the ...
boot sequence, it typically does not ask for the FDE password. Hibernation, in contrast goes via a BIOS boot sequence, and is safe.
All software-based encryption systems are vulnerable to various
side channel attack
In computer security, a side-channel attack is any attack based on extra information that can be gathered because of the fundamental way a computer protocol or algorithm is implemented, rather than flaws in the design of the protocol or algorit ...
s such as
acoustic cryptanalysis Acoustic cryptanalysis is a type of side channel attack that exploits sounds emitted by computers or other devices.
Most of the modern acoustic cryptanalysis focuses on the sounds produced by computer keyboards and internal computer components, bu ...
and
hardware keylogger
Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer users' keystrokes, including sensitive passwords. They can be implemented sala madarevel firmware, or
alternatively, via a device plugged inline bet ...
s. In contrast, self-encrypting drives are not vulnerable to these attacks since the hardware encryption key never leaves the disk controller.
Also, most of full disk encryption schemes don't protect from data tampering (or silent data corruption, i.e.
bitrot). That means they only provide privacy, but not integrity.
Block cipher-based encryption modes used for full disk encryption are not
authenticated encryption
Authenticated Encryption (AE) and Authenticated Encryption with Associated Data (AEAD) are forms of encryption which simultaneously assure the confidentiality and authenticity of data.
Programming interface
A typical programming interface for ...
themselves because of concerns of the storage overhead needed for authentication tags. Thus, if tampering would be done to data on the disk, the data would be decrypted to garbled random data when read and hopefully errors may be indicated depending on which data is tampered with (for the case of OS metadata – by the file system; and for the case of file data – by the corresponding program that would process the file). One of the ways to mitigate these concerns, is to use file systems with full data integrity checks via
checksum
A checksum is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. By themselves, checksums are often used to verify data ...
s (like
Btrfs
Btrfs (pronounced as "better F S", "butter F S", "b-tree F S", or simply by spelling it out) is a computer storage format that combines a file system based on the copy-on-write (COW) principle with a logical volume manager (not to be confused ...
or
ZFS
ZFS (previously: Zettabyte File System) is a file system with volume management capabilities. It began as part of the Sun Microsystems Solaris operating system in 2001. Large parts of Solaris – including ZFS – were published under an ope ...
) on top of full disk encryption. However,
cryptsetup
dm-crypt is a transparent block device encryption subsystem in Linux kernel versions 2.6 and later and in DragonFly BSD. It is part of the device mapper (dm) infrastructure, and uses cryptographic routines from the kernel's Crypto API. Unlike it ...
started experimentally to support
authenticated encryption
Authenticated Encryption (AE) and Authenticated Encryption with Associated Data (AEAD) are forms of encryption which simultaneously assure the confidentiality and authenticity of data.
Programming interface
A typical programming interface for ...
Full disk encryption
Benefits
Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of disk encryption:
# Nearly everything including the
swap space and the
temporary file
A temporary file is a file created to store information temporarily, either for a program's intermediate use or for transfer to a permanent file when complete. It may be created by computer programs for a variety of purposes, such as when a program ...
s is encrypted. Encrypting these files is important, as they can reveal important confidential data. With a software implementation, the
bootstrapping
In general, bootstrapping usually refers to a self-starting process that is supposed to continue or grow without external input.
Etymology
Tall boots may have a tab, loop or handle at the top known as a bootstrap, allowing one to use fingers ...
code cannot be encrypted however. For example,
BitLocker Drive Encryption
BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in ...
leaves an unencrypted
volume
Volume is a measure of occupied three-dimensional space. It is often quantified numerically using SI derived units (such as the cubic metre and litre) or by various imperial or US customary units (such as the gallon, quart, cubic inch). Th ...
to
boot
A boot is a type of footwear. Most boots mainly cover the foot and the ankle, while some also cover some part of the lower calf. Some boots extend up the leg, sometimes as far as the knee or even the hip. Most boots have a heel that is cle ...
from, while the volume containing the operating system is fully encrypted.
# With full disk encryption, the decision of which individual files to encrypt is not left up to users' discretion. This is important for situations in which users might not want or might forget to encrypt sensitive files.
# Immediate data destruction, such as simply destroying the cryptographic keys (
crypto-shredding
Crypto-shredding is the practice of 'deleting' data by deliberately deleting or overwriting the encryption keys.
This requires that the data have been encrypted. Data may be considered to exist in three states: data at rest, data in transit an ...
), renders the contained data useless. However, if security towards future attacks is a concern,
purging or physical destruction is advised.
The boot key problem
One issue to address in full disk encryption is that the blocks where the
operating system
An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs.
Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...
is stored must be decrypted before the OS can boot, meaning that the key has to be available before there is a user interface to ask for a password. Most Full Disk Encryption solutions utilize
Pre-Boot Authentication
Pre-boot authentication (PBA) or power-on authentication (POA) serves as an extension of the BIOS, UEFI or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PB ...
by loading a small, highly secure operating system which is strictly locked down and hashed versus system variables to check for the integrity of the Pre-Boot kernel. Some implementations such as
BitLocker Drive Encryption
BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in ...
can make use of hardware such as a Trusted Platform Module to ensure the integrity of the boot environment, and thereby frustrate attacks that
target the boot loader by replacing it with a modified version. This ensures that authentication can take place in a controlled environment without the possibility of a bootkit being used to subvert the pre-boot decryption.
With a
pre-boot authentication
Pre-boot authentication (PBA) or power-on authentication (POA) serves as an extension of the BIOS, UEFI or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PB ...
environment, the key used to encrypt the data is not decrypted until an external key is input into the system.
Solutions for storing the external key include:
* Username / password
* Using a
smartcard
A smart card, chip card, or integrated circuit card (ICC or IC card) is a physical electronic authentication device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) c ...
in combination with a PIN
* Using a
biometric authentication
Biometrics are body measurements and calculations related to human characteristics. Biometric authentication (or realistic authentication) is used in computer science as a form of identification and access control. It is also used to identify in ...
method such as a fingerprint
* Using a
dongle
A dongle is a small piece of computer hardware that connects to a port on another device to provide it with additional functionality, or enable a pass-through to such a device that adds functionality.
In computing, the term was initially synonym ...
to store the key, assuming that the user will not allow the dongle to be stolen with the laptop or that the dongle is encrypted as well
* Using a boot-time driver that can ask for a password from the user
* Using a network interchange to recover the key, for instance as part of a
PXE PXE may refer to:
* Preboot Execution Environment, booting computers via a network
* Proof and Experimental Establishment, an Indian defense laboratory
* Pseudoxanthoma elasticum, a genetic disease
* Pentium Extreme Edition, a variant of Pentium D ...
boot
* Using a
TPM to store the decryption key, preventing unauthorized access of the decryption key or subversion of the boot loader
* Using a combination of the above
All these possibilities have varying degrees of security; however, most are better than an unencrypted disk.
See also
*
Comparison of disk encryption software
This is a technical feature comparison of different disk encryption software.
Background information
Operating systems
Features
* Hidden containers: Whether hidden containers (an encrypted container (A) within another encrypted container (B) ...
*
Digital forensics
Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery, investigation, examination and analysis of material found in digital devices, often in relation to mobile devices and co ...
*
Disk encryption hardware
Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD/ SSD) vendors, including: ClevX, Hitachi, Integral Memory, iStorage Limited, Micron, Seagate Technology, Samsung, Toshiba, Viasat UK, Western Digital. The ...
*
Disk encryption software
Disk encryption software is computer security software that protects the confidentiality of data stored on computer media (e.g., a hard disk, floppy disk, or USB device) by using disk encryption.
Compared to access controls commonly enforced by ...
*
Disk encryption theory
Disk encryption is a special case of data rest protection when the storage medium is a sector-addressable device (e.g., a hard disk). This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion ...
*
Encryption
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
*
Filesystem-level encryption
Filesystem-level encryption, often called file-based encryption, FBE, or file/folder encryption, is a form of disk encryption where individual files or directories are encrypted by the file system itself.
This is in contrast to the full disk enc ...
*
Hardware-based full disk encryption
Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD/SSD) vendors, including: ClevX, Hitachi, Integral Memory, iStorage Limited, Micron, Seagate Technology, Samsung, Toshiba, Viasat UK, Western Digital. The sy ...
*''
In re Boucher
''In re Boucher'' (case citation: No. 2:06-mJ-91, 2009 WL 424718), is a federal criminal case in Vermont, which was the first to directly address the question of whether investigators can compel a suspect to reveal their encryption passphrase o ...
''
*
Single sign-on
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.
True single sign-on allows the user to log in once and access services without re-enterin ...
References
Further reading
*{{cite journal , last=Casey , first=Eoghan , author2=Stellatos, Gerasimos J. , year=2008 , title=The impact of full disk encryption on digital forensics , journal=Operating Systems Review , volume=42 , issue=3 , pages=93–98 , doi=10.1145/1368506.1368519 , s2cid=5793873
External links
Presidential Mandate requiring data encryption on US government agency laptopsOn-The-Fly Encryption: A Comparison– Reviews and lists the different features of disk encryption systems (archived version from January 2013)
– covers the use of dm-crypt/LUKS on Linux, starting with theory and ending with many practical examples about its usage (archived version from September 2015).
– Overview of full-disk encryption, how it works, and how it differs from file-level encryption, plus an overview of leading full-disk encryption software.