A Full Disk Encryption (FDE) solution SHALL be implemented on all endpoint devices and servers within the business environment to protect the confidentiality of data at rest. FDE is a confidentiality control: the block-cipher modes it uses (XTS-AES in both BitLocker and LUKS) do not authenticate the stored data, so integrity of the boot chain and of the operating system must come from separate controls such as measured boot and Secure Boot.

Devices that hold sensitive data at rest expose the business to several risks. If a laptop, workstation or server is stolen from a facility, a vehicle or a hotel room, or is lost, resold or sent for repair without being wiped, the thief or recipient can remove the storage and read company data from it on another machine, bypassing every operating-system access control. Businesses need to protect all data at rest on endpoints throughout their digital infrastructure. The limit of that protection should be understood as well: FDE defends the storage only while the volume is locked, that is, while the device is powered off or has not yet been unlocked. Once the system has booted and the user has authenticated, the key is in memory and the operating system reads the disk in the clear, so an attacker who compromises the running host sees exactly what the logged-on user sees. FDE is not a control against malware or remote intrusion.

Full Disk Encryption (FDE) encrypts every sector of the drive a computer boots from, operating system included, and releases the key only after successful authentication to the FDE component, which runs before the operating system loads. In other words, FDE extends cryptographic protection to the whole of system storage rather than to selected files or folders. A threat actor who obtains the device or its drive therefore recovers only ciphertext unless they also obtain the authenticator that unlocks it (a passphrase, PIN, startup key or recovery key) or the key itself. The known ways around this are taking a device that is powered on or suspended with the volume already unlocked, and cold-boot or DMA attacks that pull the key out of memory on a running or recently running machine; this is why unattended laptops should be shut down or hibernated rather than left in sleep, and why pre-boot authentication matters.

Several standard FDE solutions exist and should be used wherever possible in a business environment. BitLocker is Microsoft's FDE component, included in the Pro, Enterprise and Education editions of Windows (the Home edition ships a reduced Device Encryption feature on supported hardware). BitLocker can encrypt either the entire volume or only the currently used space. Used-space-only is faster on a freshly installed machine, but on a drive that previously held data the free space may still contain old plaintext, so full encryption is the safer choice for re-purposed hardware. BitLocker also uses the device's Trusted Platform Module (TPM): the volume master key is sealed to TPM measurements (PCRs) of the firmware, boot manager and boot configuration, so the TPM releases it automatically only when the boot chain matches the one recorded at enablement. If any measured component changes, the TPM refuses to release the key and BitLocker enters recovery mode, prompting for the 48-digit recovery password. Firmware updates, boot-order changes and some hardware swaps trigger this, so recovery passwords must be escrowed (in Active Directory, Microsoft Entra ID or the device-management tool) before rollout, and firmware should be updated with BitLocker temporarily suspended (`Suspend-BitLocker` or `manage-bde -protectors -disable`) to avoid the prompt. TPM-only mode provides no pre-boot authentication: a stolen laptop still boots to the Windows logon screen with the volume unlocked and the key in memory. BitLocker therefore also supports pre-boot authenticators for the operating-system drive: a PIN in addition to the TPM (TPM+PIN), a startup key stored on a USB drive, or both. Smart cards can unlock BitLocker-protected fixed and removable data drives, but they are not a pre-boot option for the operating-system drive. Laptops and any machine that leaves a controlled facility should be configured for TPM+PIN.

Linux systems provide Linux Unified Key Setup (LUKS), managed with the cryptsetup tool, as the standard FDE solution; most distribution installers offer it as an option. LUKS encrypts the volume with a random master key that is never stored in the clear. The LUKS header holds a number of key slots (eight in LUKS1, up to thirty-two in LUKS2); each slot stores a copy of the master key wrapped under a key derived from a user passphrase with an iterated or memory-hard KDF (PBKDF2 in LUKS1, argon2id by default in LUKS2), and the header also stores a digest of the master key so that a supplied passphrase can be verified. At boot the user enters a passphrase, the initramfs unwraps the master key, and the kernel's dm-crypt layer then decrypts the volume transparently. Because every slot wraps the same master key, a passphrase can be added, changed or revoked (`cryptsetup luksAddKey`, `luksChangeKey`, `luksRemoveKey`) without re-encrypting the disk, and the header itself should be backed up (`cryptsetup luksHeaderBackup`) because losing it destroys every slot at once. Both BitLocker and LUKS use AES in XTS mode by default; LUKS additionally supports other ciphers such as Serpent and Twofish.

In addition to built-in solutions like BitLocker and LUKS, users can opt for third-party FDE products. VeraCrypt is a popular open-source example; it supports more algorithms than BitLocker, including cascaded ciphers, and offers a wider degree of customization. VeraCrypt is generally not appropriate for business environments, however, because it has no centralized management: no key escrow, no compliance reporting and no way to enforce deployment from a console.
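The mechanism described for BitLocker above (a key sealed to TPM measurements, with a recovery prompt when the boot chain changes) and for LUKS here (one master key wrapped per passphrase slot and verified against a stored digest) are two views of the same key-hierarchy design. The following is an added Python model of that design written for this document; it is not code from BitLocker, LUKS or cryptsetup. The PBKDF2 iteration count, the measurement strings, the slot names and the use of XOR with a derived key in place of the AES key wrapping that real products use are all assumptions made for the example.

```python
"""Model of an FDE key hierarchy (constructed example; not LUKS, cryptsetup or BitLocker code).
One random master key encrypts the volume and is never stored in the clear; each protector (LUKS
key slot / BitLocker key protector) holds it wrapped under a key derived from that protector's
secret. XOR with a PBKDF2-derived key stands in for the AES key wrapping real products use."""
import hashlib
import hmac
import secrets

KEY_LEN = 32
KDF_ITERATIONS = 100_000  # assumed value; real products benchmark this against the hardware


def derive_key(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, the passphrase stretching LUKS1 uses (LUKS2 defaults to argon2id)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS, KEY_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VolumeHeader:
    """On-disk header: a digest of the master key plus one wrapped master key per slot."""

    def __init__(self, master_key: bytes):
        self.digest_salt = secrets.token_bytes(16)
        # Like the LUKS mk-digest: lets unlock() verify a candidate key without storing it.
        self.master_digest = derive_key(master_key, self.digest_salt)
        self.slots = {}  # slot name -> (salt, wrapped master key)

    def add_slot(self, name: str, secret: bytes, master_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.slots[name] = (salt, xor_bytes(master_key, derive_key(secret, salt)))

    def unlock(self, name: str, secret: bytes):
        """Return the master key, or None if the slot is missing or the secret is wrong."""
        if name not in self.slots:
            return None
        salt, wrapped = self.slots[name]
        candidate = xor_bytes(wrapped, derive_key(secret, salt))
        if hmac.compare_digest(derive_key(candidate, self.digest_salt), self.master_digest):
            return candidate
        return None


class Tpm:
    """Minimal TPM: one PCR extended with boot measurements, seal/unseal bound to its value."""

    def __init__(self):
        self.pcr = bytes(32)
        self._srk = secrets.token_bytes(KEY_LEN)  # storage root key; never leaves the chip

    def measured_boot(self, *measurements: bytes) -> None:
        self.pcr = bytes(32)  # power cycle: the PCR starts from zero, then each stage is extended
        for m in measurements:
            self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(m).digest()).digest()

    def seal(self, secret: bytes):
        return self.pcr, xor_bytes(secret, derive_key(self._srk, self.pcr))

    def unseal(self, blob):
        expected_pcr, wrapped = blob
        if not hmac.compare_digest(expected_pcr, self.pcr):
            return None  # policy fails: the boot chain differs from when the secret was sealed
        return xor_bytes(wrapped, derive_key(self._srk, self.pcr))


def provision(passphrase: bytes, tpm: Tpm):
    """Create a volume with passphrase, TPM and recovery slots; return (header, blob, recovery key)."""
    master_key = secrets.token_bytes(KEY_LEN)
    header = VolumeHeader(master_key)
    header.add_slot("passphrase", passphrase, master_key)
    tpm_secret = secrets.token_bytes(KEY_LEN)
    header.add_slot("tpm", tpm_secret, master_key)
    recovery_key = secrets.token_bytes(KEY_LEN)  # escrow this centrally (AD, Entra ID, a vault)
    header.add_slot("recovery", recovery_key, master_key)
    return header, tpm.seal(tpm_secret), recovery_key


def boot(header: VolumeHeader, tpm: Tpm, sealed_blob, recovery_key: bytes) -> str:
    """Transparent TPM unlock when measurements match, otherwise a recovery prompt."""
    tpm_secret = tpm.unseal(sealed_blob)
    if tpm_secret is not None and header.unlock("tpm", tpm_secret) is not None:
        return "tpm"
    return "recovery" if header.unlock("recovery", recovery_key) is not None else "locked"


def demo() -> dict:
    """Constructed scenario: normal boot, wrong and revoked passphrases, then a firmware update."""
    tpm = Tpm()
    tpm.measured_boot(b"UEFI firmware v1", b"bootmgfw.efi")  # state recorded at provisioning
    header, blob, recovery_key = provision(b"correct horse battery", tpm)
    results = {"normal_boot": boot(header, tpm, blob, recovery_key)}
    results["wrong_passphrase_rejected"] = header.unlock("passphrase", b"wrong") is None
    del header.slots["passphrase"]  # user leaves: revoke their slot; the disk is not re-encrypted
    results["revoked_passphrase_rejected"] = header.unlock("passphrase", b"correct horse battery") is None
    tpm.measured_boot(b"UEFI firmware v2", b"bootmgfw.efi")  # firmware update changes the chain
    results["after_firmware_update"] = boot(header, tpm, blob, recovery_key)
    return results
```

Calling `demo()` exercises the four behaviours the text describes: a transparent TPM unlock when the measured boot chain matches, rejection of a wrong passphrase, revocation of a slot without touching the encrypted data, and the fall-back to the escrowed recovery key once a firmware update changes the measurements. Real headers additionally apply anti-forensic splitting to the wrapped key and record per-slot KDF parameters; both are omitted here.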

Every business should implement an FDE solution on its systems, both user endpoints and servers, to protect data at rest. Businesses with decentralized, highly mobile environments face a higher degree of risk, which makes FDE even more necessary. Businesses that implement an FDE solution must ensure that the deployment is securely managed: enforce encryption through policy rather than leaving enablement to users, verify coverage from the management tool's reporting rather than assuming it, and treat the handling of authenticators as the critical part of the program. Of major importance is the secure management of the PINs, passphrases and recovery keys that unlock the encrypted storage. Recovery keys should be escrowed in a central, access-controlled store before encryption is enabled, rotated when a device is recovered or an administrator with access leaves, and never kept on or with the device itself, since a recovery key taped to the laptop defeats the control. Servers need the same discipline: with no one at the console to enter a passphrase they depend on TPM binding or a network-bound unlock, and their recovery keys must be retrievable when a machine fails to unlock after a firmware change or hardware repair.