Full disk encryption
Full Disk Encryption or Whole Disk Encryption is a phrase that was coined by Seagate to describe their encrypting hard drive. Under such a system, the entire contents of a hard drive are encrypted. This is different from Full Volume Encryption, where only certain portions, such as a partition or volume, are encrypted.
Some examples of full disk encryption:
Hardware Solutions
Embedded into internal HDD
Hitachi Bulk Data Encryption ("BDE") http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf
- FIPS 197 (Federal Information Processing Standard 197 certification issued by NIST)
- AES-128
Seagate Full Disk Encryption ("FDE") http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf
Seagate's encrypted drives are only available as OEM products. Seagate provides no software to utilize encrypted drive features (such as key management). There is a proprietary Windows-only API, but it is not available to the public.
- FIPS 140-2 (Federal Information Processing Standard 140-2 certification issued by NIST)
Toshiba Self-Encrypting Drives ("SED")
- AES-256 (certification issued by NIST)
Supplemental Hardware / External Chassis
Addonics product lines http://www.addonics.com/products/cipher/CPD256U.asp
Apricorn product lines http://www.apricorn.com/products.php?cat_id=72
DigiSafe http://www.digisafe.com/products/products_DiskCryptMobile.htm
Eracom Technology DiskProtect http://www.eracom-tech.com/drive_encryption.0.html
iStorage DiskCrypt Mobile http://www.istorage-uk.com/diskcryptmobile.php
Network Appliance (Decru) https://www.netapp.com/ftp/decru-fileshredding.pdf
https://www.netapp.com/us/products/storage-security-systems/
Software Solutions
beCrypt https://www.becrypt.com/uk/
BitArmor by DataControl FDE tool that protects fixed and removable media.
BitLocker Part of Windows Vista that uses AES 128 or 256 bit encryption
CGD Cryptographic Device Driver. Provides transparent full disk encryption for NetBSD.
Supports various ciphers: AES (128 bit blocksize, accepts 128, 192 or 256 bit keys), Blowfish (64 bit blocksize, accepts 128 bit keys) and 3DES (64 bit blocksize, accepts 192 bit keys, of which only 168 bits are actually used for encryption).
http://www.netbsd.org/docs/guide/en/chap-cgd.html
Checkpoint Full Disk Encryption https://www.checkpoint.com/quantum/data-loss-prevention/
DiskCryptor Free solution provided under GNU General Public License.
FreeOTFE Transparent on-the-fly encryption for MS Windows and Windows Mobile PDAs. Also supports mounting Linux dm-crypt and LUKS volumes.
GBDE GEOM Based Disk Encryption. Provides transparent full disk and swap encryption for FreeBSD. Supported ciphers: AES (128 bit).
Supports hidden volumes and Pre-Boot Authentication.
Since data loss can occur on unexpected shutdowns, GELI is recommended instead of GBDE.
GELI Cryptographic GEOM class. Provides transparent full disk encryption for FreeBSD. Supports various ciphers: AES, Blowfish and 3DES.
Supports hidden volumes and Pre-Boot Authentication.
loop-AES Transparent file system and swap encryption for Linux using the loopback device and AES.
Linux Unified Key Setup (LUKS) or dm-crypt Transparent file system and swap encryption for Linux using the Linux 2.6 device mapper. Supports various ciphers and Linux Unified Key Setup (LUKS).
https://www.saout.de/misc/dm-crypt/
PGPDisk Pretty Good Privacy Whole Disk Encryption provides transparent whole disk encryption with Pre-Boot authentication for Windows. Also supports Mac OS X 10.4 (non-boot disks only).
Can use OpenPGP RFC 2440 keys and X.509 keys for authentication.
Supports USB Tokens for authentication.
Supported ciphers: AES (256 bit keys).
http://www.pgp.com/products/wholediskencryption/
SafeGuard Easy Certified according to Common Criteria EAL3 and FIPS 140-2
Encryption algorithms supported: AES (128 and 256 bit) and IDEA
Provides complete hard drive encryption including the boot disk.
TrueCrypt Transparent full disk encryption for Linux and Windows. Supports AES (256 bit), Serpent and Twofish.
Supports hidden volumes within TrueCrypt volumes (plausible deniability).
https://truecrypt.sourceforge.net/
VeraCrypt Fork of the TrueCrypt project. Supports Linux, Windows, and macOS.
vnconfig The -K option of OpenBSD associates an encryption key with the svnd device. Supports saltfiles. Supported ciphers: Blowfish.
http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8
Full Disk Encryption Analysis Tools
Because full disk encryption software is updated continually and varies between versions, digital forensics tools cover each product unevenly. Additionally, each forensic tool may support only limited versions of the encryption software, as noted in the table below:
Solution | EnCase Forensics | AccessData FTK v6 | X-Ways | Other Applications
See Also
External Links
- Wiki page for FDE on Thinkpads
- Bypassing SelfEncrypting Drives (SED) in Enterprise Environments, by Daniel Boteanu and Kevvie Fowler, November 12, 2015