Brendon
Baxter

File-based encryption vs full-disk encryption

Brendon Baxter

Jan 24, 2022

9 min read

Are you one of those people who think just because you have a strong password for your device, your data is safe? If yes, then you might want to go through this blog.

Data protection is becoming a major concern in the modern world. Whether it is your private files or highly confidential corporate data, if it reaches the wrong guys then the result would be devastating.

Ensure data security with Hexnode

Almost all governments have released strict laws for organizations to provide strict data protection for both their employees and customers. Businesses and other organizations failing to ensure this will have to face legal actions.

From all this, it is pretty clear how important data protection is and the first step towards data protection is data encryption.

Hacker trying to access confidential data
Hacker trying to access confidential data
 

Data encryption simply means the encoding of meaningful data into a non-readable format. Encryption is always based on a key so that only authorized personnel with the key can access the data. The primary idea of encryption is that even if data is breached and falls into the wrong hands, it would be useless without the key.

Data encryption can be categorized based on different criteria like the type of algorithm used, type of encryption key used, and so on. One of the most common and important ones is based on what part of a drive/disk is encrypted. In this category, there are two types:

  1. Full-disk encryption (FDE)
  2. File-based encryption (FBE)

What is Full-disk encryption or FDE?

Encryption of an entire disk drive is referred to as full-disk encryption. In the case of full-disk encryption, every piece of data in the disk is encrypted using a single encryption key.

Full-disk encryption is useful for protecting data that is at rest. This means that FDE can protect data that is stored in a device but cannot protect data in motion or use. When FDE is enabled in a device, data gets encrypted as it is stored in the device.

When an FDE-enabled device is locked, all the data in it is encrypted and it can be accessed only by entering a valid encryption key. Once the device is unlocked all the data in it gets decrypted and can be accessed by the user.

Full-disk encryption is normally done using tools provided by the operating system provider itself. Windows devices can be encrypted using BitLocker, whereas Mac devices are encrypted using FileVault.

Hard drive or full disk encryption explained

BitLocker

BitLocker is the full-disk encryption tool provided by Microsoft for Windows devices. Encryption is done using AES algorithm having a block size of 128-bit. The key used here can be 128-bit or 256-bit.

Remote configuration of BitLocker is possible using UEMs like Hexnode. Using Hexnode, BitLocker for multiple devices in an organization can be configured very easily. Another huge advantage of remote configuration is that no user interaction is required.

What is BitLocker and why is it used?

FileVault

Similar to BitLocker for Windows devices, FileVault is the full-disk encryption tool for Mac devices provided by Apple. FileVault also uses an AES encryption algorithm with a block size of 128-bit and a key size of 256-bit.

FileVault can also be configured remotely using Hexnode UEM. Apart from remotely enforcing FileVault, Hexnode allows multiple other configurations such as choosing the type of key, escrowing personal key, and so on.

How and why to use FileVault encryption on Mac?

What is AES algorithm?

Advanced Encryption Standard algorithm is also known as AES algorithm. AES is an encryption technique introduced by two cryptologists, Joan Daemen and Vincent Rijmen. Another name for AES is the Rijndael algorithm.

AES algorithm uses a fixed block size of 128-bit. The key used here can be one of 3 sizes: 128-bit, 192-bit or 256-bit. AES algorithm uses symmetric encryption, meaning both encryption and decryption are done using the same key.

Benefits of full-disk encryption

Full-disk encryption can ensure that no meaningful data can be extracted from a device without the device password/encryption key, whichever is used to lock the device. Thus, FDE can ensure the safety of device data at rest.

Data in drives/disks locked with a password can be accessed if the drive is put in another system. Data cannot be extracted from disks encrypted with FDE even if the disk is put on another system.

Hard drive taken outside a computer
Hard drive without encryption can be used in other computer
 

One of the most important features of full-disk encryption is that once it is enabled on a device, all data that is written on the disk is automatically encrypted. Similarly, the decryption process also happens automatically as the data is read from the disk.

Drawbacks of full-disk encryption

Full-disk encryption is not a fool-proof technique to ensure data security. Once the device is unlocked pretty much anyone can access any piece of data in the device. In this modern age, hacking a device password might not be the hardest job there is.

It can take hours to initially set up full-disk encryption on a device based on the amount of data that is already stored in the device. FDE tends to take up a bit of device resources making the device performance a bit slower.

What is file-based encryption or FBE?

Just as the name suggests, file-based or file-level encryption is a type of encryption where individual files or even small groups of files on a disk are encoded. Unlike full-disk encryption, each file in a disk/drive can be encrypted with a different key.

Files that are encrypted using FBE require the key to be decrypted even if the device is unlocked. Encrypted files sent to other devices will stay encrypted till the encryption password/key is entered. So, this keeps data in motion as well as in rest secured.

File-based encryption is normally achieved using third-party tools that are commercially available.

Benefits of file-based encryption

File-based encryption gives granular control to device admins on what data is to be encrypted and what data is to be left unencrypted. Individuals who use personal devices for work purposes can make the most use out of this. Personal files which the individual finds unimportant can be left unencrypted while critical work files can be encrypted.

Using FBE, each file in a device can be encrypted using a unique encryption key. This is very useful because even if someone cracks the key to any one of the files, it cannot be used to access any other data on the device.

Files that are encrypted using FBE can be safely transferred to other devices because even in other devices the password/encryption key would be required to open the file. In this way, file-based encryption can protect data in transit.

The main highlight of FBE is that even if a device is compromised or the device password is cracked using brute force attacks, the files remain encrypted, thereby ensuring data security.

Drawbacks of file-based encryption

Keeping track of encrypted and non-encrypted files might become a difficult task if too many files are encrypted. Also, if every file in a disk is encrypted using a different key/password, then keeping track of this might also become a tedious task for the device owner.

File-based encryption is normally done using a third-party software, unlike FDE. When using such software, there is a possibility of compatibility issues since these are not made exactly for particular operating systems.

Backing up encrypted files is a common practice. However, when there are too many files, backing up can become a hectic process.

Best practices to follow while encrypting data

Whether it is FBE or FDE, backing up encrypted files is always recommended if there is a need for fast and easy recovery. This is suggested because, in the event of a lost encryption key, it might be nearly impossible to recover the data.

Make sure to keep your passwords and keys safe. Never write it down or store them in a poorly secured device. There is one more thing to keep in mind – do not forget your passwords and keys.
When it comes to configuring FDE for a lot of devices, consider doing it using a UEM solution like Hexnode. Trust me, it will save you a lot of time.

If you are implementing data encryption for an organization with a complex hierarchy, you should specify who all has access to the encryption keys and passwords. If everyone has access, then what is the point of encrypting, right?

Comparing FDE and FBE

When it comes to data protection, full-disk encryption is the bare minimum you can do to secure data in a device. FDE is more like a device password with superpowers. Full-disk encryption can ensure one thing – data in the drive would be useless without the device password.

As mentioned before, one of the major drawbacks of FDE is that once the device is unlocked, pretty much all the data in it is accessible. Assume a simple scenario where you leave your unlocked devices somewhere, then anyone can access the data stored in them.

Weak device passwords can be bypassed or even cracked using brute force attacks. This can be avoided by making use of strong and complex passwords. IT admins can enforce strong password policies to be used in devices with a UEM solution like Hexnode. IT admins can specify requirements of passwords like password length, complexity, age, and so on.

This is where file-based encryption can help you. File-based encryption can act as an extra layer of security for files stored on your device. Even if a device is compromised, FBE can ensure that data is useless without encryption.

So, instead of using one type of encryption as a replacement for the other, consider using both of the encryptions together.

Layering of full-disk encryption along with file-based encryption is always considered a great practice when data security is considered. This is because both of the encryptions cover the flaws of the other as much as possible.

Share

Brendon Baxter

Product Evangelist@Hexnode. Read. Write. Sleep. Repeat.

Share your thoughts