2012 resolution: 'Full disk encryption on all computers'

Summary: The privacy rights group is preaching the gospel of encryption in 2012, making the case that whole disk encryption can go a long way to protecting private data on computers.

TOPICS: Privacy, Security

Privacy rights advocates at the Electronic Frontier Foundation (EFF) are urging computer users to adopt just one resolution in 2012: Commit to full disk encryption on every computer you own.

Following the release of a white paper on protecting privacy while traveling with data on digital devices, the EFF is preaching the gospel of encryption in 2012, making the case that whole disk encryption can go a long way to protecting private data on computers.

Full disk encryption uses mathematical techniques to scramble data so it is unintelligible without the right key. This mathematical protection works independently of the policies configured in the operating system software. A different operating system or computer cannot just decide to allow access, because no computer or software can make any sense of the data without access to the right key.

Without encryption, forensic software can easily be used to bypass an account password and read all the files on your computer.
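
The contrast between an operating-system permission and encryption at rest, as an added example that is not part of the original article. It uses a constructed 128-byte "disk" and a toy HMAC-SHA256 keystream standing in for a real disk cipher such as AES-XTS; every name, passphrase and sample value here is an assumption made for illustration.

```python
import hashlib
import hmac

SECTOR = 64  # toy sector size in bytes (real disks use 512 or 4096)

def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Stretch the boot passphrase into a 256-bit volume key.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    # Toy per-sector keystream (HMAC-SHA256 in counter mode), not a real FDE cipher.
    out, block = b"", 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def crypt_disk(image: bytes, key: bytes) -> bytes:
    # XOR each sector with its keystream; the same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(image), SECTOR):
        chunk = image[off:off + SECTOR]
        ks = _keystream(key, off // SECTOR, len(chunk))
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)

def raw_scan(image: bytes, needle: bytes) -> bool:
    # What a tool reading the raw device sees: no login, no file permissions.
    return needle in image

# Constructed sample disk: a permission record the OS would enforce, then file data.
SECRET = b"tax-return-2011: account 0000-CONSTRUCTED"
PLAIN_DISK = b"owner=alice mode=0600 ".ljust(SECTOR, b"\0") + SECRET.ljust(SECTOR, b"\0")
SALT = b"constructed-salt"
PASSPHRASE = "correct horse battery staple"
ENC_DISK = crypt_disk(PLAIN_DISK, derive_key(PASSPHRASE, SALT))

def demo() -> dict:
    wrong = crypt_disk(ENC_DISK, derive_key("guess", SALT))
    right = crypt_disk(ENC_DISK, derive_key(PASSPHRASE, SALT))
    return {
        "plain_disk_leaks": raw_scan(PLAIN_DISK, SECRET),      # mode=0600 is only advice
        "encrypted_disk_leaks": raw_scan(ENC_DISK, SECRET),    # ciphertext only
        "wrong_key_leaks": raw_scan(wrong, SECRET),            # still unintelligible
        "right_key_recovers": right == PLAIN_DISK,
    }

if __name__ == "__main__":
    print(demo())
```

The `mode=0600` record protects the file only while the original operating system is the one reading the disk; the encrypted image yields nothing to any reader that lacks the passphrase-derived key.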

Fortunately, modern computer systems come with comparatively easy full-disk encryption tools that let you encrypt the contents of your hard drive with a passphrase that will be required when you start your computer. Using these tools is the most fundamental security precaution for computer users who have confidential information on their hard drives and are concerned about losing control over their computers — not just at a border crossing, but at any moment during a trip when a computer could be lost or stolen.

The group recommends Microsoft's BitLocker or TrueCrypt to manage the whole disk encryption process.

  • So what are the downsides of full-disk encryption?

    I'm assuming there is a performance hit. Is it significant? What are the reasons an OS developer would not default to encrypting everything?
    • RE: 2012 resolution: 'Full disk encryption on all computers'

      I have a Windows 7 PC (work) and a Mac (home) with full disk encryption on them. The Windows PC uses a 3rd party tool and the Mac uses Apple's new implementation of FileVault which is now full disk encryption.

      Windows 7 takes a lot longer to load than I would expect, but that machine has always been encrypted so I don't know if the encryption is causing a slow down or not. Once Windows is loaded, the PC purrs along with no noticeable performance hit at all.

      On the Mac the situation is essentially the same except that I don't even notice a slow OS load time. That machine runs just as it did before I encrypted the drive.

      Overall it's pretty seamless, pretty painless, and I see no reason not to encrypt, unless you are the type who is likely to forget or lose their password/encryption key.
  • RE: 2012 resolution: 'Full disk encryption on all computers'

    Full disk encryption is becoming mandatory for most business IT, it has been at our company for three years now. I've also encrypted both my own and my wife's PCs at home because we do things like taxes and bill paying with them.

    The only performance hit I've really noticed is when doing multiple things at once, like transferring files in the background while opening programs at the same time. Most dual and quad core processors have plenty of cycles to spare to handle the increased load, so it may just be perception on my part.
    terry flores
  • RE: 2012 resolution: 'Full disk encryption on all computers'

    Now that most people are using Gmail, Google Docs and cloud storage, why is it even meaningful for most people to encrypt the local data?
    Also should your encrypted drive become corrupted for whatever reason, you may be unable to recover any data.

    People who actually carry laptops with highly-sensitive data on them hopefully have it encrypted already...
    • "Most?"

      I suspect it's a relatively small % who use cloud storage exclusively. For many, this augments local storage, not replaces it.

      Even for those who are using cloud storage exclusively, Internet history, stored acct/password data and data synchronized with the cloud is still stored local.
  • RE: 2012 resolution: 'Full disk encryption on all computers'

    So, how does full disk encryption protect against social engineering attacks? Encryption is useless if you give away the key.
  • RE: 2012 resolution: 'Full disk encryption on all computers'

    be careful...

    Full Disk Encryption + SSD = bad
    • RE: 2012 resolution: 'Full disk encryption on all computers'

      This article http://nakedsecurity.sophos.com/2011/02/28/ssd-encryption-and-decommissioning/ seems to indicate that encryption *before* storing data is fine, although encryption after the fact is less thorough. Is that the "bad" you refer to, or is there more?

      I'm genuinely interested as I have limited exposure to/knowledge of SSDs and I am very interested in using hybrid drives in some of my devices. Do you have any enlightening links?
    • Heads up, bloggers

      "Full Disk Encryption + SSD = bad"

      "Is that the 'bad' you refer to, or is there more? I'm genuinely interested as I have limited exposure to/knowledge of SSDs..."

      The issues and caveats associated with FDE + SSD would make for a good in-depth article by Ryan or Dancho, or perhaps Robin Harris @ Storage Bits.
  • RE: 2012 resolution: 'Full disk encryption on all computers'

    I whole-heartedly agree with the EFF's recommended resolution for Full Disk Encryption (full disclosure, I work for Symantec on our PGP encryption products).

    In regards to various comments:
    Yes, there is a slight performance hit. If you are using a modern machine, then the hit will be about 2% overhead, which would not be noticeable by users. There are other processes running in the background that utilize more CPU than that. In addition, if your chipset has AES-NI, then we can utilize that and offload all the encryption algorithm to that instead of the main CPU further increasing performance.

    @terry flores
    Yes I would agree that the performance hit is minimal. I would imagine the only people that would notice it would be those that open multi-megabyte files all day. Otherwise for day to day usage one would not notice the hit. There is an initial performance hit when the HD is being encrypted. This is not due to the overhead, but due to the i/o activity occurring on the HD itself. But once fully encrypted, you won't notice a difference in performance.

    I think a lot of things are in the cloud today, but a question I have to ask (and I'm not being facetious at all - it's a serious question) is, do you trust the security of your personal information in the cloud? How secure is it? I will admit I upload personal files to the cloud, but I also encrypt it first to ensure my data is protected.
    The corrupted HD is a tough situation. More often than not, with a corrupt encrypted HD situation you will be able to recover the data with the same success rate as if the HD was not encrypted. The one "gotcha" would be if the area containing the key was corrupted, then you would be out of luck. (A good practice is to always have a backup of your data, in an encrypted format.)

    @macadam, klumper
    In regards to FDE + SSD = bad from wendellgee, I believe (this is a big assumption on my part) he is referring to the performance hit on SSDs and encryption. If you have a regular spindle HD, the head on the disk needs to jump around to access the data. This in itself is a slow process and creates the i/o overhead. With encryption the performance loss is "masked" because ultimately everyone is waiting for the head to jump around reading/writing the data onto the disk. With SSDs, there are no moving parts as it is solid state. So when data is read/written it happens in parallel. This no longer masks the encryption performance hit because the data is moving fast and furious. (Think of spindle HDs as reading/writing data in series and SSD reading/writing data in parallel.) So with all things being equal, encryption on an SSD will show a larger performance hit vs. spindle HDs. When evaluating potential solutions, you should look for products that can alleviate this performance hit. Features to look for include utilization of the AES-NI chipset to speed up on the fly encryption/decryption and also the ability to choose cipher strength. By default almost every FDE vendor out there uses AES 256-bit key lengths for disk encryption (PGP is guilty of this as well). The combination of 128-bit key and AES-NI vastly improves the user experience for SSD users.

    Think about encryption like insurance. We all buy insurance in one form or another (car insurance, medical insurance, home insurance, life insurance, etc). When we buy insurance we often feel that we're getting nothing out of it. There is no ROI on insurance. You pay monthly for insurance but you simply get a piece of paper that says "you're insured." Encryption is like insurance, you hope you never have to make a claim on it because if you do, it means you've lost your laptop, or your house just burned down to the ground.
  • RE: 2012 resolution: 'Full disk encryption on all computers'

    SSD drives must be encrypted before you add any data. If you decide 'hey I'm going to FDE' and run TrueCrypt or whatever it won't matter, because all previous data is still accessible. SSDs are basically a scam, I have no idea why anybody would pay hundreds for a useless HDD that you can never properly erase data from or protect. BitLocker is also junk/NSA backdoored. TrueCrypt deniable encryption is the way to go. Go on fiverr and buy an encryption/security guide or google
  • Isolated storage

    If you want security we need to think like Windows Phone 7 with isolated storage and encrypt on an as-needed level. If no user files can make it into the operating system storage area, then why encrypt the OS?
    • So that when it screws up it completely bricks the device.

      Since programmers write the software that enables the encryption and software always screws up..... keep that in mind with your data.
      Keep it in many different areas and many backups.

      With computers -- default action is always fail.
      Reality Bites
  • Full-disk encryption?

    What a non-starter! My home has a G4 450 MHz PPC. Nothing on it is in need of such encryption, and it is slow as s__ compared to a modern machine, and nothing on it will run on a new machine anyway, thanks to Apple's habit of breaking every app with every revision of the OS after SL
  • Infographic on Full Disk Encryption

    Please visit http://blog.winmagic.com/2012/09/04/making-the-case-for-data-encryption/ to view their infographic.