What is Disk Encryption?
Well it’s a technology to protect data by converting it into an unreadable format through encryption so that only authorized people can read that data. It is the cryptographic protection of a logical part of a disk such as a folder partition or the whole disk so that all data written to it is automatically transparently encrypted and decrypted on the fly and the disk in this context, it can be internal or it can be an external hard disk. It can also be a USB flash disk or a SD card, DVD CD, virtual storage disk, loopback device (which is an ISO image) as well as most storage mediums that are readable as a block device or a file system.
Disk encryption can be implemented using software such as dm-crypt, LUKS, VeraCrypt, FileVault2 and so on, and it can also be implemented in hardware. Many of the modern solid-state drives or SSD’s come with hardware-based Disk encryption called Self encrypting drives (SED)
Whole Disk/Full Disk Encryption
There is also the concept of whole disk encryption. This approach encrypts the whole operating system and the user data as the name suggests that every single bit of the disk is encrypted. However this isn’t always true especially with software based encryption as the boot and swap partitions can be unencrypted with hard disk encryption as well as the master boot record.
Some hardware-based self-encrypted drives can provide real full disk encryption. Alternatively to hold encryption just a partition of a disk can be encrypted or a container can be encrypted. When you encrypt just a partition or a container it just encrypts the selected user data within the partition or the container and not the whole system itself.
What does Disk Encryption protect you from?
So what does disk encryption protect you from? It’s very important to understand what it protects you from as many people misunderstand the point and purpose of encryption and what threats it actually mitigates.
Disk encryption protects you from when your adversary can gain physical access to your device and it protects you because all the files on the disk are unreadable without the correct key or password that often creates the key. Files are only readable when the operating system is running and the key has been entered. If the operating system is not running and the key is not entered then your data is not accessible. So disk encryption can protect your privacy and in some cases it can protect anonymity as well. Let me give you some clear examples of where Disk encryption helps –
- If your device is lost or stolen
- if your device is seized
- if it is left unattended where untrusted people may tamper or access it
- when sent in for hardware repair.
- If sent through the postal service
- when crossing borders (potentially)
- when you come to want to securely discard it
Encryption can also help maintain the integrity of the files and the operating system. If someone attempts to tamper with it, encryption helps to mitigate that tampering because it has integrity controls preventing the installation of things like root kits, key loggers and general malware which can get access to your files and decrypt your key while it is unattended. So because you have disk encryption somebody can’t just put some bytes onto your disk. There are actually malware if those bars are entered onto your disk the disk will no longer function correctly.
Your standard operating system passwords provides almost zero protection against someone with physical access to your device. The password can be bypassed simply by booting your device into their operating system and examining the file system. You can do this with live CDs or you can take out the hard drive and connect to it with another machine. You cannot explore the file system if you have disk encryption so the point is operating system passwords provide no protection against someone who has physical access to your device even if you have a super complex password. What does protect you from physical access is disk encryption!
What does Disk Encryption not protect you from?
Disk encryption is far from a panacea and doesn’t protect you actually from most threats. It is important to understand the limitations of disk encryption.
In a nutshell it only protects you against attackers that have physical access to your device. You are still susceptible to all the countless attacks when you have disk encryption such as your traffic being observed, SSL stripping, browser attacks, malware rootkits and so on and it provides no protection whatsoever when your system is powered on and the key has been entered. Any adversary or malware that gets on your system at this point can get access to your files and data and even potentially steal your key from memory as well as use key loggers to record your keystrokes and passwords.
Once you enter your password or key or use a token to decrypt your drive the key is in memory. Anyone who can get access to the memory can determine your key and therefore decrypt your drive. Even if your device has the screen lock it can be bypassed.
In some cases, it is possible to recover the key from memory shortly after the device has been switched off. This is called a cold boot attack. The key can remain for a short period of time in memory shortly after being switched off and then that key can be recovered through the cold boot attack.
Disk encryption doesn’t protect you if you live in a country with mandatory disclosure laws that force you to give up your decryption key. There is also no protection from coersion or someone hitting you on the head with a spanner untill you give up your key.
There is little protection against a well resourced adversary such as a nation state who is able to tamper with your device without your knowledge and then later when you use it only the strongest disk encryption set up stands any chance of protecting your files. If your device has been tampered with by a well-resourced adversary and then after you enter in your key it is likely to result in it being captured. That’s a very hard attack to mitigate, if your device has been out of your hands and somebody has tampered with it
And obviously if you backup your files on an encrypted disk and you back them up somewhere else those files are not going to be encrypted and they will be vulnerable so backups must be encrypted too.
So that is what disk encryption protects you from and what it doesn’t protect you from so I hope that is clear.