What kind of windows full disk encryption (fde) can be used with removable drives?

Data in the clear is no small cybersecurity risk for organizations of all sizes. When data is stored “in the clear,” it’s unencrypted, meaning that anyone with access to the storage device or file can view the data. In cases, full disk encryption is a necessary feature.

Encrypted data provides an obstacle and a layer of risk mitigation against loss since the data is not easily readable without the right encryption key. Encrypted data involves both data in transit and data at rest. For data in transit, TLS 1.3 (transport layer security) has long been the standard. For data at rest, there are multiple mechanisms and technologies, including file-based and full disk encryption options. Ultimately, FDE is about securing an enterprise environment’s endpoints.

Full disk encryption provides a pervasive layer of encryption across an entire storage device, be it a spinning hard disk or solid-state drive (SSD).

Read on for our full list of top full disk encryption software solutions. Follow it up with our Top Enterprise Encryption Vendors of 2021.

Jump to:

• Top Full Disk Encryption Software of 2021
• Evaluating Full Disk Encryption Solution
• How Full Disk Encryption Works
• Full Disk Encryption vs. File Level Encryption
• Features of Full Disk Encryption
• Full Disk Encryption Security Shorfalls
• Questions to Consider: Full Disk Encryption

Top Full Disk Encryption Software of 2021

In this eSecurity Planet top products list, we spotlight the vendors that offer the top FDE software tools.

• Apple
• Check Point
• ESET
• McAfee
• Micro Focus
• Microsoft
• R&S Trusted Disk
• Sophos
• Symantec
• Trend Micro

Apple FileVault

FileVault 2 is the best option for Apple macOS users, as it’s directly integrated into the default macOS operating system. FileVault is easily accessible from Apple’s System Preferences and Security & Privacy configurations. Using XTS-AES-128 encryption with a 256-bit key, users can create and deploy a FileVault recovery key as well as disable when unnecessary for staff or users. When enabled, FileVault starts working immediately to add another layer of security for device contents.

Key Features and Differentiators

• FileVault is the only truly purpose-built full disk encryption option for macOS users
• Provides the option to encrypt user directory as well as the startup volume, providing a high degree of protection for users
• The encryption is set with a user’s Apple macOS user ID login as the passphrase

Check Point Harmony Endpoint

Formerly known as SandBlast Agent, Check Point’s full disk encryption resides in its revamped endpoint security solution, Harmony Endpoint. The centrally managed FDE software for endpoints operates as a feature in the overall security suite. Users can only boot and access an encrypted laptop or other endpoints after authentication, and MFA options include certificate-based smartcards and dynamic tokens. The full disk encryption solution supports multiple pre-boot authentication languages for global deployments.

Key Features and Differentiators

• The pre-boot protection capabilities make sure that the system that is booting the disk isn’t attempting to tamper with the data
• Authentication options ensure that only validated users get access to encrypted data

Read more: Top Cybersecurity Companies.

ESET PROTECT

ESET PROTECT is a reasonable option for small to mid-sized distributed organizations looking to manage disk encryption. Within the vendor’s remote management console, administrators can access ESET Full Disk Encryption to encrypt system disks, partitions, or entire devices. Offering FIPS 140-2 validated and 256-bit AES encryption, clients have the ability to encrypt Windows and macOS machines from a single dashboard. ESET makes it easy to change licenses to adjust for organization scale.

Key Features and Differentiators

• Central management of encrypted drives is at the core of the platform, but what’s powerful is that endpoints don’t all need to be connected via a VPN
• Looking beyond standard encryption keys, the solution can also be enabled with multi-factor authentication as a further degree of authorized user validation
• ESET PROTECT can also be used to protect removable media, files and folders as well as email

Also read our full review of ESET PROTECT Advanced. 

McAfee Complete Data Protection

Looking beyond just full disk encryption, McAfee’s Complete Data Protection provides fine-grained controls for data and devices. McAfee – now under the Trellix name after merging with FireEye – offers an Advanced plan that provides a full disk encryption solution with pre-boot 2FA using McAfee-implemented encryption or through Microsoft’s BitLocker and Apple’s FileVault native encryption systems. Encryption can be managed centrally via McAfee’s ePolicy Orchestrator (ePO) management suite, which also manages other McAfee endpoint products. It can also synchronize security policies with Microsoft Active Directory, Novell NDS, PKI, and other systems.

Key Features and Differentiators

• Provides policy and management overlay for Apple FileVault and Microsoft BitLocker encryption on macOS and Windows systems
• Encryption also extends to files and folders as well as removable media
• A key differentiator and component of the suite is the data loss protection (DLP) features that provide policy controls for data access
• User authentication is augmented with strong multi factor authentication mechanisms

Read more: McAfee-FireEye Merger Makes STG’s Plans Clearer

Micro Focus ZENworks Full Disk Encryption

Micro Focus ZENworks Full Disk Encryption is a good option for Microsoft Windows users looking for endpoint protection. Formerly a part of Novell, ZENworks includes tracking, configuration, security, and endpoint management from a web-based console. When devices are powered off or in hibernation mode, ZENworks FDE offers advanced encryption, pre-boot authentication, and self-encrypting hard disks.

Key Features and Differentiators

• ZENworks Full Disk Encryption is part of the broader ZENworks platform that provides a unified dashboard for endpoint security and control
• A key differentiator is the full control capabilities, which can enable an administrator to decommission a drive or device
• Authentication option for booting an encrypted drive includes support for smartcards combined with a PIN
• Looking beyond endpoint encryption capabilities, Micro Focus has its SecureData product that provides file, data and cloud encryption features.

Also read: Best Patch Management Software Solutions of 2021.

Microsoft BitLocker

Microsoft’s BitLocker full disk encryption software is the native encryption system that is supplied with the Ultimate, Enterprise, and Pro versions of Microsoft’s Windows Vista and later. For enterprise deployment, Microsoft BitLocker Administration and Monitoring (MBAM) provides centralized management. BitLocker can also be managed by third-party FDE systems such as Symantec and Sophos. MBAM allows security officers to quickly determine the compliance state of individual computers and enables administrators to automate the process of encrypting volumes on client computers.

Key Features and Differentiators

• BitLocker is the default integrated option for Microsoft Windows, making it the easy and obvious first choice for many users
• Beyond individual desktop usage, MBAM is an optional tool for centralized management across distributed enterprise deployments
• As part of its ease-of-use feature set, there is a network unlock capability that enables a Windows PC to start automatically when connected to the internal network

Read more: Windows 11 Security Features & Requirements

Rohde and Schwarz (R&S) Trusted Disk

R&S Trusted Disk is a good option for both individual systems as well enterprise networks running Microsoft Windows. Available within R&S’s cybersecurity solutions, the vendor offers full disk encryption, secure browser, VPN client, and more in its R&S Trusted Endpoint Suite. Trust Disk comes with full disk encryption and is functional for individual users up to large enterprise organizations. Together, the R&S endpoint stack ensures organizations mitigate data loss risk across endpoints.

Key Features and Differentiators

• R&S Trusted Disk meets stringent data security standards laid out by the German Federal Office for Information Security
• Full disk encryption also includes operating system temporary files for full coverage
• Pre-boot authentication procedure is robust and includes both a PIN and a hardware token

Sophos Central Device Encryption

Sophos Central Device Encryption extends the native capabilities of Windows BitLocker and macOS FileVault with additional management features. Sophos is deployable on endpoints centrally without any end user involvement, and encryption can be accelerated using Intel’s AES-NI instruction set. A single console provides management for all enterprise devices, including hard disks encrypted with Microsoft’s BitLocker, Apple’s FileVault 2 and Opal self-encrypting drives. This includes encryption status and reporting and auditing to ensure compliance with internal policies and external regulations.

Key Features and Differentiators

• The key value of Sophos is the central management feature that enables an administrator to manage full disk encryption across a fleet of devices
• Beyond full disk encryption, Sophos also integrates file level encryption for removable storage devices and the cloud
• Reporting is another strong feature, with a dashboard view that can help administrators enforce encryption policies for regulatory compliance

Read more: Top MDR Service Providers in 2021

Broadcom Symantec Endpoint Encryption

Symantec goes beyond just integrated full disk encryption with a platform that can also be used to protect removable storage devices. Powered by PGP, Symantec Endpoint Encryption software can be deployed and managed centrally from a single console, offering full disk encryption for Windows and macOS devices. As well as managing its own endpoint encryption, the console can also be used to manage systems encrypted with Microsoft BitLocker and Apple FileVault, as well as Opal-compliant self-encrypting drives. The solution provides a choice of self-recovery and help-desk support for employees that forget their passwords and cannot access their systems.

Key Features and Differentiators

• Symantec has undergone significant changes in the last couple of years, with the company’s enterprise assets being acquired by Broadcom in a $10.7 billion deal
• Symantec Endpoint Encryption works alongside Microsoft BitLocker, Apple FileVault and OPAL-compliant self-encrypting storage drives, providing centralized policy management and enforcement
• Supports removable media and external hard drives
• Recovery options are strong, with the ability for IT help desk staff to recover lost encryption keys

Also read: Top XDR Security Solutions

Trend Micro Endpoint Encryption

Trend Micro Endpoint Encryption is another good option for organizations looking for a platform to manage full disk encryption as well data protection for removable media. The endpoint solution is compatible with Windows and macOS devices as well as laptops, desktops, USB drives, and other removable media. When deployed, Trend Micro Endpoint Encryption gives operators full disk, file, folder encryption capabilities to ensure secured access and protect devices across an enterprise environment.

Key Features and Differentiators

• Trend Micro Endpoint encryption can help complement Microsoft BitLocker and Apple FileVault with a central management system
• A key differentiator is the transparent key management capabilities, which make it easier for both users and administrators to manage encryption
• Trend Micro also enables a remote lock and remote kill capability for lost or stolen devices that is tied to pre-boot authentication

Read more: Top Enterprise Network Security Tools

Evaluating Full-Disk Encryption Solutions

Operating System: Microsoft and Apple both have their own default full-disk encryption systems that might be sufficient for some use cases. The need for broader coverage and control than default options is often the driver to look at other encryption products.

Manageability: How easy (or hard) it is to manage and recover the encryption keys is an important consideration.

Scope: Consider whether you need (or want) more than just the integrated disk encrypted, as there are solutions that will also handle removable and network-attached storage (NAS).

Cost and value: With the default operating system choices, the cost for full disk encryption is negligible, so to look beyond that requires that there be additional value to justify the cost.

How Full Disk Encryption Works

Full disk encryption works by encrypting a system’s entire hard drive – all the confidential data stored on it, but also the operating system and all applications. When the system is started, the user is prompted for the encryption key, which enables the system to decrypt enough to boot and run normally.

Most full disk encryption products allow users to provide the system’s encryption key at the pre-boot stage in several ways:

• In the form of a password or passphrase
• By inserting a USB drive containing the encryption key
• Using a one-time password-generating device such as an RSA token
• Using a biometric device (fingerprint scan connected to actual encryption key module)

A combination of two or more of these methods can be used to create multi-factor authentication (MFA), for greater encryption strength and added security.

As information is read from the disk that is protected by full-disk encryption, it is decrypted on the fly and stored in memory – and any information written to the disk is also encrypted on the fly. Without the encryption key, the data stored on the disk remains inaccessible to thieves and hackers.

Full Disk Encryption vs. File Level Encryption

Full disk encryption differs from file-level encryption (FLE) in that it secures all data stored on your hard drives automatically and transparently – including swap files and hidden files that may contain confidential data – without any user intervention. In contrast, FLE only protects specific files that are manually encrypted. And FLE generally depends on the user to perform some action to ensure that files are encrypted before storage.

A drawback of whole encryption, however, is that it does nothing to protect files “in motion.” Once a file is sent via email or copied to a memory stick, it is no longer encrypted. For that reason, you may want to consider deploying FLE in conjunction with full disk encryption, so that users have the option to manually encrypt files that need to be shared with others.

Read more: Disk vs File Encryption: Which Is Best for You?

Features of Full Disk Encryption Software

All full disk encryption systems encrypt a system’s entire disk, but they are certainly not all identical. Here are four key capabilities to look for when choosing full disk encryption software.

Centralized Deployment And Management

Some full-disk encryption software – notably most open-source whole encryption products – is designed for personal use and must be installed and configured on the device itself.

In an enterprise setting, though, it is not practical to visit every laptop to install whole encryption software. FDE software should be configured centrally to ensure uniformity and to make it easy to send any configuration changes to every laptop whenever necessary. It is also generally desirable for admins to be able to lock down the configuration of a full disk encryption system, so it can’t be changed by end users.

Thus a key consideration is a centralized management system. It may also be convenient to look for a management system that integrates or is part of a broader system that can manage all aspects of endpoint security, such as anti-virus software, as well as full-disk encryption. Other key functions to look for in a management system are remote patching and updating, and the ability to update the underlying cryptographic system.

Authentication

A whole encryption system is only as good as the authentication system that allows users to access their computers, so ensure any system you consider offers a range of two-factor authentication (2FA) methods such as the use of a card-based authenticator or a USB key. Some products also allow biometrics to be used as a second factor.

For ease of management, it may be most convenient to use a system that can tie in with your existing corporate authentication system and directory service such as Active Directory.

Also read: Best Identity and Access Management (AIM) Solutions

Key Management And Recovery

One of the most common problems with full disk encryption is that users can get locked out of their computers and unable to work because they have forgotten their password or lost their second-factor authentication credentials. Laptops and the data they contain can also become inaccessible if a staff member leaves the organization and no knowledge transfer occurs.

That means it is important to verify that any FDE solution you consider has an adequate key management and recovery system that meets the security policies of your organization.

For example, some management systems offer self-service key recovery – allowing users to get back into their systems quickly after supplying information such as their date of birth or Social Security number. But if that provides insufficient security for some or all users, you should look for a system that offers key recovery only via an administrator.

Operating System Support

Since it is only practical to deploy and manage full disk encryption centrally, it follows that it is important to ensure that any FDE product you consider supports the full range of operating systems in use by employees. In particular, if your organization has a BYOD culture then you should investigate whether OS X (and even Linux) are supported and, if so, whether all features are supported on those OSes.

Read more: Homomorphic Encryption Nears Reality, Pushed by IBM, Google

Full Disk Encryption Security Shortfalls

No security system is 100 percent secure, and whole disk encryption can be vulnerable to various attacks including:

Accessing The Encryption Key

When users store a USB drive containing the encryption key along with a computer, accessing the encryption key becomes trivial for a thief. Users can also be fooled into revealing their passwords through social engineering.

Theft Of Device While Running

Full disk encryption only protects data when the computer is turned off. So if a laptop is stolen while it is running but unattended (or while the user is distracted), the data will be fully accessible to the thief.

Also read: New Python-based Ransomware Encrypts Virtual Machines Quickly

Advanced In-Memory Techniques

FDE systems require encryption keys to be held in memory while the system is running. Since the contents of DRAM chips persists for a period of seconds to minutes after a system is shut down – and this time period can be extended by chilling the DRAM with canned air – it is possible to cut the power to a laptop that has been left unattended and boot it from a memory stick or CD into another operating system, then read (and save) the contents of the DRAM. The key can then be extracted from this data and used in a subsequent attack.

It’s also worth noting that some software applications place information on the main drive’s boot sector, and this can get overwritten by full disk encryption systems, causing them to stop working.

Questions to Consider: Full Disk Encryption Solutions

In addition to researching the above features, enterprises will want to seek answers to these four questions:

What cryptographic system is used, and has it been implemented securely?

Any system you consider should use strong, standard, certified encryption algorithms such as the Advanced Encryption Standard (AES) with 256-bit keys. To ensure that the cryptography subsystem has been implemented securely, look for FIPS 140-2 certification.

Is the system compatible with any uncommon software you use?

Full disk encryption products may overwrite parts of the disk (such as the boot sector) that other software already uses. If that’s the case, whole encryption may make this software unusable. In most cases, the only way to be sure is to conduct thorough testing.

How does the full disk encryption software handle brute force attacks?

The only practical way to decrypt encrypted drives without access to the key is to make repeated attempts to guess the password. This can be prevented by ensuring that the full disk encryption product you choose has a password lockout that disables logins either permanently or for a fixed period (perhaps two hours) after a certain number of failed login attempts.

Does the product support AES-NI instructions for hardware-accelerated encryption and decryption?

Intel introduced a set of seven new instructions after 2008 to improve the speed of applications performing encryption and decryption using AES. Full disk encryption systems involve some processor (and therefore power) overhead to carry out the on-the-fly encryption and decryption; the impact of this depends on the amount of disk I/O that individual applications demand.

For users carrying out typical email and office productivity activities, the performance impact is unlikely to be noticeable – but it can be significant for very data-intensive activities such as video processing unless the computer’s main processor and the full disk encryption product both support Intel’s AES-NI instructions.

Read more: The Case for Decryption in Cybersecurity

Updated by Sam Ingalls on November 5, 2021.

What kind of windows full disk encryption can be used with removable drives?

What kind of full disk encryption FDE is built into the enterprise edition of Windows?

Which type of encryption does Windows BitLocker offers network storage remote connectivity memory?

When encrypting file system data How can you apply encryption to individual files and folders?