Full disk encryption

Full Disk Encryption or Whole Disk Encryption is a phrase that was coined by Seagate to describe their encrypting hard drive. Under such a system, the entire contents of a hard drive are encrypted. This is different from Full Volume Encryption where only certain portions, such as a partition or volume is encrypted.

Some examples of full disk encryption:

Hardware Solutions

Embedded into internal HDD

Hitachi Bulk Data Encryption ("BDE") http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf

• FIPS 197 (Federal Information Processing Standard 197 certification issued by NIST)
• AES-128

Seagate Full Disk Encryption ("FDE") http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf

Seagate's encrypted drives are only available as OEM products. Seagate provides no software to utilize encrypted drive features (such as key management). There is a proprietary Windows-only API, but it is not available to the public.

• FIPS 140-2 (Federal Information Processing Standard 140-2 certification issued by NIST)

Toshiba Self-Encrypting Drives ("SED")

• AES-256 (certification issued by NIST)

Supplemental Hardware / External Chassis

Addonics product lines http://www.addonics.com/products/cipher/CPD256U.asp

Apricorn product lines http://www.apricorn.com/products.php?cat_id=72

DigiSafe http://www.digisafe.com/products/products_DiskCryptMobile.htm

Eracom Technology DiskProtect http://www.eracom-tech.com/drive_encryption.0.html

iStorage DiskCrypt Mobile http://www.istorage-uk.com/diskcryptmobile.php

Network Appliance (Decru) https://www.netapp.com/ftp/decru-fileshredding.pdf

https://www.netapp.com/us/products/storage-security-systems/

Software Solutions

beCrypt https://www.becrypt.com/uk/

BitArmor by DataControl FDE tool that protects fixed and removable media.

BitLocker Part of Windows Vista that uses AES 128 or 256 bit encryption

CGD Cryptographic Device Driver. Provides transparent full disk encryption for NetBSD.

Supports various ciphers: AES (128 bit blocksize and accepts 128, 192 or 256 bit keys), Blowfish (64 bit blocksize and accepts 128 bit keys) and 3DES (uses a 64 bit blocksize and accepts 192 bit keys (only 168 bits are actually used for encryption).

http://www.netbsd.org/docs/guide/en/chap-cgd.html

Checkpoint Full Disk Encryption https://www.checkpoint.com/quantum/data-loss-prevention/

DiskCryptor Free solution provided under GNU General Public License.

https://diskcryptor.org/

FreeOTFE Transparent on the fly encryption for MS Windows and Windows Mobile PDAs. Also supports mounting Linux dm-crypt and LUKS volumes

GBDE GEOM Based Disk Encryption. Provides transparent full disk and swap encryption for FreeBSD. Supported ciphers: AES (128 bit).

Supports hidden volumes and Pre-Boot Authentification.

Since data loss can occur on unexpected shutdowns, GELI is recommended instead of GBDE.

GELI Cryptographic GEOM class. Provides transparent full disk encryption for FreeBSD. Supports various ciphers: AES, Blowfish and 3DES.

Supports hidden volumes and Pre-Boot Authentification.

FileVault Disk Encryption

Jetico BestCrypt

loop-AES Transparent file system and swap encryption for Linux using the loopback device and AES.

Linux Unified Key Setup (LUKS) or dm-crypt Transparent file system and swap encryption for Linux using the Linux 2.6 device mapper. Supports various ciphers and Linux Unified Key Setup (LUKS).

https://www.saout.de/misc/dm-crypt/

PGPDisk Pretty Good Privacy Whole Disk Encryption provides transparent whole disk encryption with Pre-Boot authentification for Windows. Also supports Mac OS X 10.4 (non-boot disks only).

Can use OpenPGP RFC 2440 keys and X.509 keys for authentification.

Supports USB Tokens for authentification.

Supported ciphers: AES (256 bit keys).

http://www.pgp.com/products/wholediskencryption/

SafeGuard Easy Certified according to Common Criteria EAL3 and FIPS 140-2

Encryption algorithms supported: AES (128 and 256 bit) and IDEA

Provides complete hard drive encryption including the boot disk.

https://utimaco.com/products

Securstar DriveCrypt

TrueCrypt Transparent full disk encryption for Linux and Windows. Supports AES (256 bit), Serpent and Twofish.

Supports hidden volumes within TrueCrypt volumes (plausible deniability).

https://truecrypt.sourceforge.net/

VeraCrypt Fork of TrueCrypt project. Support for for Linux, Windows, and MacOS.

vnconfig The -K option of OpenBSD associates and encryption key with the svnd device. Supports saltfiles. Supported ciphers: Blowfish.

http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8

Full Disk Encryption Analysis Tools

Due to continual updates and variances to full disk encryption software, there is varied coverage of each software by digital forensics tools. Additionally, each forensic tool may only support limited versions of the encryption software, as noted in the table below:

Solution
EnCase Forensics
AccessData FTK v6
X-Ways
Other Applications

See Also

• BitLocker Disk Encryption
• Full Volume Encryption

External Links

• Wiki page for FDE on Thinkpads
• Bypassing SelfEncrypting Drives (SED) in Enterprise Environments, by Daniel Boteanu and Kevvie Fowler, November 12, 2015