Hard drive or full disk encryption explained

Brendon Baxter

Dec 21, 2021

8 min read

Encryption is another name for encoding and hard drive or full disk encryption (FDE) means the encoding of every piece of data available on a hard drive, whether it is the old SATA drives or the relatively new SSD.

The only piece of data that might not be encrypted by default while performing full disk encryption is the operating system. But now, even operating system files can be encrypted by default.

To clarify what encryption or encoding means, it is the process of turning something, data in this case, meaningful, into something gibberish based on a key, meaning that the data would be useless without the key. The data can be converted to the original form only with this key.

Types of full disk encryption

There are mainly 2 kinds of full disk encryptions:

Software encryption

As the name suggests, the whole encryption is done by software. Some examples are BitLocker by Microsoft and FileVault by Apple. Encryption tools like these, when enabled, encrypt data as it gets stored to a device.

Software encryption is mostly based on a password/passphrase. Only the password/passphrase can decrypt the data.

Both the encryption and decryption processes happen automatically. When data gets written to the encryption-enabled disk it is scrambled automatically at that instant. The same happens when data on the disk is accessed, the data is automatically decrypted as it is read from the disk.


  • Software-based encryption is normally cheap and companies like Apple and Microsoft provide in-built tools for the process.
  • Software-based encryption is also very easy to implement. It does not require any other external resources.


  • Software-based encryption generally takes its toll on the processor. Software encryption can slow down your device considerably. Accessing encrypted files might not happen as quickly as accessing normal files.
  • Another major drawback of this is that if a person gets hold of the password, then the whole encryption process can be undone.

Hardware encryption

Here a separate processor is responsible for the entire encryption process. Here also the encryption is based on a key, but this key is randomly generated by the processor.

Keys are often a bit hard to remember, so in some cases, the key can be attached to a biometric lock, like a fingerprint lock or even a pin.


  • The whole process is much safer compared to the software encryption process. This is because the whole process is done by a separate processor, which is not linked to the rest of the system.
  • Another main advantage of this is that this process happens much faster and doesn’t exert any extra load on the device processor.


  • The main disadvantage is that most of the hardware-based encryption techniques are expensive compared to software encryptions.
  • Another disadvantage with this technique is that if there is a problem with the external processor, it might become a very hard task to recover the data.

Why should you go for a hard drive or full disk encryption?

All kinds of valuable and sensitive data get accessed from devices. And when it comes to corporate devices, if the device gets into the wrong hands, the result would be devastating. If a work device gets lost or stolen, there is a high chance that unwanted personnel might get hold of your sensitive corporate data.

So, organizations should take every measure possible to prevent the loss of data even if devices are lost, and full drive encryption might be the first thing that can be done in this aspect. Encryption can ensure one thing, even if unwanted people get hold of a device, the data in it would be useless without the password.

If a non-encrypted device gets stolen or lost, it is very easy to recover the data even if the device is password protected. Just put the drive in a new device, and the data in it can be accessed.

Full disk encryption is designed in such a way that when enabled, every piece of data that gets stored on the drive gets automatically encrypted. Once the device is locked, the data in it can be accessed only using the key/password.

How does FDE work?

So, we saw what full disk encryption is, why it is useful and why it is not enough on its own to protect your data. Now let’s get an idea on FDE works.

Tools like BitLocker and FileVault help in FDE. Full disk encryption happens in such a way that the data in a drive is first split into blocks of fixed sizes like 128-bit or 256-bit.

After the data is separated into blocks, the data is then scrambled into gibberish based on a key of fixed data length like 128-bit or 256-bit or 512-bit.

Encryptions are normally based on algorithms and each algorithm has a different combination of key length and block size. AES and DES are some of the most common algorithms out there.

AES and DES algorithms

AES is the abbreviation for Advanced Encryption Standard. AES is also known as Rijndael, a name derived from the names of the cryptologists who found this encryption method, Joan Daemen and Vincent Rijmen.

AES is an algorithm that uses a fixed block size of 128-bit. But the key size here can be 128-bit, 192-bit or 256-bit. AES is a symmetric block cipher, meaning it uses the same key for the encryption and decryption process.

Another common but older algorithm used is DES or Data Encryption Standard. DES method has a block size of 64-bit and a key length of 64-bit. But the thing with the key length is only 56-bit is effective, 8-bit is used as check bits. DES is also symmetric like the AES algorithm.

For ease, the encryption key can be associated with a password/passphrase. But the thing with this is that you have to take care of the password with extra care because if a hacker gets it the data is very vulnerable.


BitLocker is the encryption tool that is provided by Microsoft for Windows devices. Using BitLocker, entire disk volumes can be encrypted very easily on Windows devices.

BitLocker uses an AES algorithm associated with CBC or cipher block chaining or XTS mode. Here there is an option of choosing a 128-bit key or a 256-bit key.

With the help of a UEM like Hexnode, BitLocker can be configured on work devices of employees remotely. By remotely setting up BitLocker you can tighten your company’s data without causing any hassle to the employees.

Featured resource

Hexnode Windows Management Solution

Get started with Hexnode’s Windows Management solution to improve security, increase productivity, save time and overhead costs of managing your corporate devices.

Download datasheet


FileVault is the full disk encryption tool introduced by Apple for macOS devices. FileVault is similar to BitLocker in the aspect of the algorithm used. FileVault also uses an AES-XTS algorithm with a block size of 128-bit and a key size of 256-bit.

Remote configuration of FileVault setting is also possible with UEMs like Hexnode. Even though configuring FileVault settings is easy, it becomes a very hard task when you have to configure it for 100 devices. Hexnode can help you remotely set up FileVault for multiple devices easily.

Why FDE might not be the sole answer to data protection on devices

Though FDE can encode the entire data on a drive, FDE on its own cannot ensure that all data on a device is 100% protected. Wouldn’t it have been easy if it was the one solution to all your data protection issues?

The main drawback with full disk encryption is that it can ensure data security only when the device is at rest. This means that the data is encrypted only when the device is locked. When the device is unlocked, anyone can open and access any files in the device.

The entire encryption/decryption is based on a single key/password. Since it is so valuable, it must be stored securely. If the key is lost, then it is very hard to recover the data.

Another issue is that if an unwanted person gets hold of the key, then the whole device is again compromised, and that person can get access to every piece of data on that disk.

Best practices while performing full disk encryption

Before you enable full disk encryption, make sure that you have understood all the complications involved with the process. Make sure that hard drive encryption is something you absolutely require for the devices used in your organization.

Back up the data somewhere safe and secure. This is recommended so that even if you happen to lose the encryption key/password, it is easy for you to get back to work very easily. But this practice is considered unsafe.

Make sure that you don’t lose the encryption key/password. The recovery process is very difficult if the key/password is lost, sometimes even impossible.

Always enforce strong password standards for user devices, even if the devices are encrypted. Also, make sure that screen idle lock is enabled on devices, as unattended and unlocked devices can be accessed by anyone.

When it comes to configuring full disk encryption for multiple devices enrolled under an organization, the best course of action is to do it through a UEM. Most of the UEMs today allow you to configure settings for in-built FDEs like FileVault and BitLocker.

Using a UEM remote setting up of FDE is possible. By doing so, the user is completely untroubled and doesn’t have to do the entire process on their own.


Brendon Baxter

Product Evangelist@Hexnode. Read. Write. Sleep. Repeat.

Share your thoughts