Sunday, September 13, 2015

Full Disk Encryption and Filesystem Level Encryption


I think we have all heard the terms 'Full Disk Encryption' and 'Filesystem Level Encryption'. They are the technologies that protect us from data theft by encrypting the data on our disks. But how do they actually work? How does Full Disk Encryption differ from Filesystem Level Encryption? And which one should you go for?


Let's look a bit deeper.

Full Disk Encryption

Full Disk Encryption, or FDE, is a technology in which everything on the disk is encrypted, including the bootable operating system partitions. The only exception is the small part of the disk that cannot be encrypted because it holds the code that starts the boot sequence, for example the part containing the Master Boot Record (MBR). On systems using hardware-based full disk encryption, even the MBR gets encrypted.

In Full Disk Encryption, the whole disk is encrypted with an encryption key. When the system starts, it prompts the user for that key, the data is decrypted using it, and the system boots and runs normally.

After the system boots, any information read from the disk is decrypted on the fly and held in memory. Similarly, any information written to the disk is encrypted before it is stored. Without the encryption key, any data stored on the disk remains inaccessible to an attacker.



Filesystem Level Encryption

On the other hand, in Filesystem Level Encryption, individual files and directories are encrypted by the filesystem itself. It does not encrypt the disk as a whole. Rather, encryption is done at the filesystem level.

Using this technology, we can efficiently encrypt and decrypt selected files and directories, while other, less sensitive files and directories remain unencrypted at the same time.



Difference between Full Disk Encryption and Filesystem Level Encryption

Full Disk Encryption mostly uses a single key to encrypt the whole volume, and all data is decryptable while the system is running. So, if an attacker gets access to the computer at run time, they can access all the files.

Filesystem Level Encryption, on the other hand, uses different keys for different parts of the filesystem. So, the attacker cannot extract information from files and folders that are still encrypted. Looking at it from this direction, Filesystem Level Encryption seems a better solution than Full Disk Encryption.

But Filesystem Level Encryption does not typically encrypt the filesystem metadata, such as the directory structure, file names, modification timestamps, sizes etc. So, if an attacker gets hold of a stolen disk, they will still be able to learn something from the filesystem metadata.
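To make the two key structures concrete, here is an added Python model (not code from the original post) of the behaviour described in the sections above: a disk layer that encrypts every sector, including the metadata sectors, under one volume key with the sector number as tweak, beside a filesystem layer that derives a separate key per file but keeps names, sizes and timestamps in the clear. The cipher is a constructed HMAC-SHA256 keystream so the example runs with the standard library alone; it stands in for the AES modes a real implementation would use. The class names, sector size and sample files are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed toy cipher: HMAC-SHA256 keystream in counter mode, XORed over the
# data. It exists only to keep this illustration dependency-free; it is not a
# cipher to deploy (a real disk/file layer would use AES-XTS or AES-GCM).
def _keystream_xor(key: bytes, tweak: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, tweak + block.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


SECTOR = 64  # assumed toy sector size in bytes


class FullDiskEncryption:
    """One volume key; every sector (data and metadata alike) is encrypted.
    The sector number is the tweak, so equal plaintext in two sectors
    produces different ciphertext on disk."""

    def __init__(self, volume_key: bytes, sectors: int):
        self._key = volume_key                 # lives in RAM only while unlocked
        self.raw = [bytes(SECTOR)] * sectors   # what a stolen disk contains

    def write_sector(self, n: int, plaintext: bytes) -> None:
        if self._key is None:
            raise PermissionError("volume is locked")
        padded = plaintext.ljust(SECTOR, b"\0")
        self.raw[n] = _keystream_xor(self._key, n.to_bytes(8, "big"), padded)

    def read_sector(self, n: int) -> bytes:
        if self._key is None:
            raise PermissionError("volume is locked")
        return _keystream_xor(self._key, n.to_bytes(8, "big"), self.raw[n]).rstrip(b"\0")

    def lock(self) -> None:
        """Simulate shutdown: the key leaves memory, the raw sectors remain."""
        self._key = None


class FilesystemLevelEncryption:
    """Per-file keys derived from a master key. File contents are encrypted;
    the directory table (name, size, mtime) is stored in the clear."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self.table = {}  # name -> {"size", "mtime", "file_id", "ciphertext"}

    def file_key_for(self, name: str) -> bytes:
        """The key released to a process when this one file is unlocked."""
        file_id = self.table[name]["file_id"]
        return hmac.new(self._master, b"file-key" + file_id, hashlib.sha256).digest()

    def write_file(self, name: str, plaintext: bytes) -> None:
        file_id = os.urandom(16)
        self.table[name] = {"size": len(plaintext), "mtime": time.time(),
                            "file_id": file_id, "ciphertext": b""}
        key = self.file_key_for(name)
        self.table[name]["ciphertext"] = _keystream_xor(key, file_id, plaintext)

    def read_file(self, name: str) -> bytes:
        return self.decrypt_with_file_key(name, self.file_key_for(name))

    def decrypt_with_file_key(self, name: str, file_key: bytes) -> bytes:
        """Decrypt one file given only that file's key (no master key needed)."""
        entry = self.table[name]
        return _keystream_xor(file_key, entry["file_id"], entry["ciphertext"])

    def stolen_disk_view(self) -> dict:
        """What an attacker holding the disk but no key can still read."""
        return {n: {"size": e["size"], "mtime": e["mtime"]}
                for n, e in self.table.items()}


if __name__ == "__main__":
    fde = FullDiskEncryption(os.urandom(32), sectors=8)
    fde.write_sector(3, b"payroll.csv -> sector 5")   # metadata sector, also encrypted
    print("FDE raw sector 3:", fde.raw[3].hex()[:32], "...")
    fde.lock()

    fle = FilesystemLevelEncryption(os.urandom(32))
    fle.write_file("payroll.csv", b"Q3 payroll: 1,250,000")
    fle.write_file("notes.txt", b"nothing sensitive")
    print("FLE stolen-disk view:", fle.stolen_disk_view())
```

The contrast the two classes show is the one the text draws: with `FullDiskEncryption`, nothing on the raw sectors is readable once the volume key is gone, but while it is unlocked every sector is equally readable; with `FilesystemLevelEncryption`, a key for one file decrypts only that file, yet the directory table is visible to anyone holding the disk.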



Which is better – Full Disk Encryption or Filesystem Level Encryption?

As we have seen, both of these technologies have their own pros and cons. So, a better solution is to use Full Disk Encryption together with Filesystem Level Encryption, rather than relying on either technology alone.

Full Disk Encryption combined with Filesystem Level Encryption is always robust and secure enough to prevent data theft from the system.


So, go with both technologies together, stay safe, and prevent data theft!
