7 min read

Hard Drive and Full Disk Encryption: What, Why, and How?


Lassi Pekkarinen

When highly sensitive information, such as customer or other work-related data, is handled on a laptop or desktop computer, data security should be at the top of every business owner's mind. Laptops in particular are exposed because of their mobile nature: when one is lost or stolen, the resulting data breach can become costly.

“Compared to hacking a secure network, it is much easier to download information from an unencrypted or unprotected laptop. This is a reality a lot of business owners and IT professionals fail to realize.”

Security Boulevard

There are multiple reasons for protecting laptops and the data on them, and luckily, there are various ways to mitigate the risks. One powerful tool is full disk encryption: a data protection method that transforms the contents of a storage medium into ciphertext that can only be read by people or systems that hold the key.

In this article, we discuss different data encryption methods and why drive encryption makes sense. We also reveal a smart way to enable drive encryption on your Microsoft Windows or Apple macOS devices.


What is hard drive encryption or full disk encryption?

Essentially, encryption refers to the process of encoding data. In disk encryption, this means that information on your computer’s hard drive is transformed from plaintext to ciphertext, which makes the original information unreadable.

Hard drive encryption uses a specific algorithm, or cipher, to convert a physical disk or logical volume into an unreadable format that cannot be decrypted by anyone who does not hold the secret key (or the password that protects it). This prevents unauthorized people, including an attacker who has the physical drive in hand, from reading the information.

There are two main computer encryption types: full disk encryption and file-level encryption.

  • Full Disk Encryption (FDE) or whole disk encryption protects the entire volume and all files on the drive against unauthorized access.
  • In contrast to FDE, File-Level Encryption (FLE) is an encryption method, which takes place on the file system level, enabling the encryption of data in individual files and directories.

Full Disk Encryption and File-Level Encryption are not mutually exclusive. In fact, they can be used simultaneously to achieve higher security as they serve different purposes, but that’s a topic on its own.

Modern versions of Windows and macOS have built-in disk encryption: BitLocker for Windows and FileVault for macOS. There are also open-source alternatives. VeraCrypt provides full disk and system encryption, while tools such as AxCrypt and Gpg4win work at the file level and encrypt individual files rather than whole volumes.

What is BitLocker?

BitLocker is Microsoft’s full disk encryption feature that is commonly included in Windows versions that are oriented towards professional, business, or organizational use. With the BitLocker drive encryption, you can encrypt the entire operating system drive and/or other drives mounted to your Windows PCs.

BitLocker is designed to work best with a Trusted Platform Module (TPM), a secure cryptoprocessor that protects the key used to unlock the volume. The TPM releases that key only if the measurements of the firmware and boot components match the state recorded when BitLocker was enabled, so the drive stays locked if it is moved to another machine or the boot chain has been tampered with. Disk encryption on newer Windows versions is strongly based on the TPM, optionally combined with a pre-boot PIN (TPM+PIN) so that a thief who boots a stolen laptop still lacks a second factor. A USB startup key can also be used to unlock the drive, but it is far less common.

The first BitLocker encryption usually takes some hours to complete depending on the size and speed of the drive, but after that, the user experience is more or less transparent. Data on the protected drives is always stored encrypted; it is decrypted in memory on the fly while the volume is unlocked. With a TPM-only configuration the volume is unlocked during boot, before the Windows sign-in screen, so the Windows password protects the signed-in session rather than the disk itself; with TPM+PIN or a startup key the user supplies that secret before Windows starts. Either way, once signed in everything works as on an unencrypted system, and any new files are encrypted automatically.

BitLocker is included in Windows 7 (Enterprise and Ultimate) and the Pro, Enterprise, and Education editions of Windows 8.1 and Windows 10. If your operating system version supports BitLocker, you can enable it easily on your computer. But if you need to enforce drive encryption to multiple Windows devices, it’s wise to use a UEM software, like Miradore.

What is FileVault?

FileVault is Apple's full disk encryption feature built into macOS. The original FileVault, introduced in Mac OS X 10.3, encrypted only the user's home folder; the full disk encryption discussed here, FileVault 2, has been available since OS X 10.7 Lion and protects the entire startup volume and all of the files on it, just like BitLocker for Windows. When enabled, FileVault works silently in the background, encrypting all device data on the fly without disruptions.

Just like with BitLocker, you don't need an additional password to use your files. Type in your account name and password when logging in to your Mac and you're good to go, because the login password of a FileVault-enabled user unlocks the volume. If that password is forgotten, the only other way in is the FileVault recovery key that is created when FileVault is turned on for the first time.

If you are responsible for managing multiple Mac computers, you can easily enforce drive encryption as a mass deployment with Miradore.

Should I use FileVault or BitLocker disk encryption?

If you need to access sensitive information, such as medical records, customer data, or credit card information, on your computer, using FileVault or BitLocker is smart. It's fairly easy to enforce and simple for end users, as they don't have to worry about saving their files in a certain folder.


One of the main advantages of full disk encryption is the automation it provides. After BitLocker or FileVault is activated, everything written to the drive is encrypted on the fly, and device users do not have to think about encryption again.

If a laptop is ever lost, stolen, or decommissioned inappropriately, the odds are that the data will remain safe, because an encrypted drive is practically impossible to read without the decryption key. This is not the case with unprotected drives, which an attacker can read simply by attaching them to another computer. Keep in mind what full disk encryption does not cover: it protects data at rest, so it offers no protection against malware running on an unlocked system or against someone who finds the device powered on and signed in. Screen-lock and sleep settings still matter.


In addition, today’s companies need to adhere to data protection regulations and policies, such as GDPR, HIPAA, and CJIS, and full disk encryption is a great way to protect sensitive customer data.

Drawbacks of disk encryption

Although it may seem a no-brainer to use encryption, many organizations still hesitate to implement disk encryption for different reasons. There may be, for example, uncertainty about how to implement encryption wisely, or concerns about what challenges encryption could cause for data recovery if a computer breaks down or the user forgets their login password.

"Who has the time and competence to enable encryption?"

"How can we see which drives are or aren’t encrypted?"

"Who should store the recovery keys and where?"

The questions above are examples of valid concerns that may slow down the adoption of disk encryption. Luckily, all of them can be easily addressed with the right tools, like Miradore.

Also, some might be concerned about how drive encryption affects the computer's performance, but on modern Windows and Mac computers, whose processors accelerate AES in hardware (AES-NI on Intel and AMD CPUs, dedicated encryption engines on T2 and Apple silicon Macs), the overhead is rarely noticeable.

How to enable BitLocker encryption?

Enabling BitLocker manually is actually quite straightforward if your Windows computer is running a supported edition. The device user can enable BitLocker disk encryption in Windows File Explorer by right-clicking a drive and choosing "Turn on BitLocker". After that, the user is asked to choose how they want to save the BitLocker recovery key. Keeping the recovery key in a safe place is essential: it is the only way to unlock the disk when the TPM refuses to release the key, which happens after firmware updates, boot configuration changes or hardware replacements, or when the drive is moved to another computer.
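The same steps can be scripted, which is how an administrator would do it without Miradore or any other management tool. The following is an added example, not code from the original article or from Miradore: it checks that a TPM is ready, adds a numerical recovery password, turns on BitLocker for the OS drive with the TPM as the unlock protector, and escrows the recovery password to Active Directory (or Azure AD with the switch). It assumes an elevated PowerShell session on a Windows 10/11 Pro, Enterprise or Education device; the parameter names `$MountPoint`, `$Method` and `$EscrowToAzureAD` are this script's own, while the cmdlets (`Get-Tpm`, `Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Enable-BitLocker`, `Backup-BitLockerKeyProtector`, `BackupToAAD-BitLockerKeyProtector`) ship with Windows.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Miradore): enable BitLocker on the OS
# drive with a TPM protector plus a recovery password, and escrow the recovery
# password centrally. Parameter names below are this script's own assumptions.
param(
    [string]$MountPoint = $env:SystemDrive,        # normally "C:"
    [ValidateSet('XtsAes128', 'XtsAes256')]
    [string]$Method = 'XtsAes256',
    [switch]$EscrowToAzureAD                       # default: escrow to on-prem AD DS
)

# 1. Refuse to continue without a ready TPM. A TPM-less device would need a
#    password or USB startup key protector instead, which this script does not set up.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready on this device; cannot use a TPM protector."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 2. Create the recovery password protector first, so a recovery path exists
#    before the volume is ever locked.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

# 3. Turn on encryption with the TPM as the unlock protector. Without
#    -SkipHardwareTest Windows runs a TPM unlock test on the next restart and
#    only then starts encrypting, which is the safer default.
#    -UsedSpaceOnly is fine for freshly provisioned drives; omit it for drives
#    that already held data, so free space holding old remnants is encrypted too.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Method `
        -TpmProtector -UsedSpaceOnly | Out-Null
}

# 4. Escrow every recovery password protector. Backup-BitLockerKeyProtector
#    writes to AD DS (the machine must be domain-joined and policy must allow it);
#    BackupToAAD-BitLockerKeyProtector writes to Azure AD for AAD-joined devices.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($kp in $recovery) {
    if ($EscrowToAzureAD) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    } else {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

# 5. Report what was done. Deliberately do not print $kp.RecoveryPassword:
#    the 48-digit key belongs in the escrow store, not in logs or consoles.
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
    @{ Name = 'Protectors'; Expression = { @($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

The order matters: if the recovery password is added after encryption has started and the escrow step fails, the device can end up encrypted with no recovery path the organization controls, which is exactly the situation the "Who should store the recovery keys and where?" question above is about.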

Sounds simple but gets complex quickly if dozens or hundreds of users need to be instructed through the implementation step-by-step and if there is no centralized way for storing the recovery keys.

This is where Miradore steps in.

Miradore makes it easy to enable BitLocker on all of your Windows devices. You can create a Configuration Profile, which defines the desired settings for BitLocker encryption. You only need to choose whether you want to encrypt the system drive or all fixed drives of a computer – and that’s it. If you want, you can also choose the preferred encryption mode.

Creating a Configuration Profile for drive encryption in Miradore

You can then deploy the configuration profile remotely to as many Windows computers as you like, and Miradore enables BitLocker on each of them.

Deploying the created Configuration Profile to multiple Windows computers

Miradore applies exactly the same encryption settings to all computers without the risk of human error, and, best of all, it stores the recovery keys from all devices automatically in one place: your Miradore site. Device users do not need to bother you with questions, and the recovery keys are stored appropriately. Only administrators can see the stored recovery keys on your Miradore site.

Miradore stores BitLocker recovery keys in one place

What's more, Miradore shows you which drives on your Miradore-managed computers are protected with BitLocker, which makes it easy to follow up on the disk encryption status of your Windows devices.

Miradore shows the status of disk encryption and the algorithm used to encrypt your drives
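Without a management tool, the same status check has to be done on each device. As an added example (not code from the article or Miradore), the function below evaluates every BitLocker volume on a machine against a simple baseline and returns one record per volume with the reasons it fails, so the output can be collected over PowerShell remoting and filtered. The baseline is an assumption for illustration: fully encrypted, protection on, an XTS-AES cipher, at least one recovery password protector, and a TPM-based unlock protector on the OS drive. The function name `Test-BitLockerCompliance` and its parameters are this example's own; `Get-BitLockerVolume` and the property names it reads are Windows' own.

```powershell
# Added example (not from the article or Miradore): per-volume BitLocker
# compliance check. Baseline and function name are this example's assumptions.
function Test-BitLockerCompliance {
    param(
        [string[]]$AcceptedMethods = @('XtsAes128', 'XtsAes256'),
        [switch]$RequireTpmPin      # set if policy demands TPM+PIN rather than TPM-only
    )

    foreach ($vol in Get-BitLockerVolume) {
        $types   = @($vol.KeyProtector.KeyProtectorType)
        $reasons = New-Object 'System.Collections.Generic.List[string]'

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $reasons.Add("volume status is $($vol.VolumeStatus)")
        }
        # FullyEncrypted + ProtectionStatus Off means BitLocker is suspended:
        # the volume key sits on disk in the clear and the data is effectively exposed.
        if ($vol.ProtectionStatus -ne 'On') {
            $reasons.Add('protection is off or suspended (clear key on disk)')
        }
        if ($vol.EncryptionMethod -notin $AcceptedMethods) {
            $reasons.Add("cipher $($vol.EncryptionMethod) not in accepted list")
        }
        if ($types -notcontains 'RecoveryPassword') {
            $reasons.Add('no recovery password protector to escrow')
        }
        if ($vol.VolumeType -eq 'OperatingSystem') {
            $okUnlock = if ($RequireTpmPin) { @('TpmPin', 'TpmPinStartupKey') }
                        else { @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') }
            if (-not ($types | Where-Object { $_ -in $okUnlock })) {
                $reasons.Add('OS drive has no TPM-based unlock protector')
            }
        }

        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ',')
            Compliant        = ($reasons.Count -eq 0)
            Reasons          = ($reasons -join '; ')
        }
    }
}

# Usage: locally, or fan out with Invoke-Command -ComputerName (list) -ScriptBlock ${function:Test-BitLockerCompliance}
Test-BitLockerCompliance | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Returning objects rather than printing text is what makes the fleet-wide question "which drives are or aren't encrypted?" answerable: the records can be exported to CSV or a SIEM, and a suspended volume shows up as non-compliant even though Explorer still displays the padlock icon.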

You can also add the BitLocker encryption configuration profile as part of a Business Policy which enables the automation of device setups.

How to enable FileVault disk encryption?

Enabling FileVault disk encryption works quite similarly to enabling BitLocker. In System Preferences, click Security & Privacy, go to the FileVault tab, click the lock button and authenticate with an administrator name and password, then turn on FileVault. (On macOS 13 Ventura and later the same switch lives under System Settings > Privacy & Security > FileVault.)

Miradore supports FileVault disk encryption on macOS 10.9 and newer devices. The implementation procedure follows the same lines as for BitLocker, with a few exceptions. You enable FileVault on your Mac devices by creating a Configuration Profile that defines the desired encryption settings and deploying that profile remotely to multiple Macs. With Miradore's dashboard widget, you can view the FileVault encryption status of your device fleet.

View the FileVault encryption status of your Mac computers

With FileVault, you can choose whether to use personal, institutional, or both types of recovery keys for unlocking the encryption. The personal recovery key is always device-specific and is generated automatically on the target device when encryption is enabled; the device's user is responsible for writing it down and storing it safely. The institutional key, on the other hand, is a single organization-wide key intended for IT to unlock encrypted drives. As said, it is also possible to use both key types, in which case an encrypted drive can be unlocked with either the correct personal key or the institutional key.

Best practices for drive encryption

A few things should be remembered when planning full disk encryption:

  • Back up your files: Make sure to back up your files before encryption and regularly after the encryption has been enabled. This ensures that you can recover your files quickly if something happens to your hard drive.
  • Use a strong password: On a Mac the login password of a FileVault-enabled user unlocks the encrypted volume, and on a TPM-only BitLocker setup the TPM unlocks the drive at boot while the Windows password guards the signed-in session. In both cases a weak or reused password undoes the protection, so use a long passphrase rather than a short mix of letters and numbers, and consider TPM+PIN on Windows where the threat model warrants it.
  • Keep your recovery key in a safe place: If you forget your password, a recovery key is the only way to access the encrypted data. Thus, it’s important to store your recovery key in a secure place. You can for example use a password manager or Miradore.

Summary

Altogether, drive encryption is a very powerful data protection method, which is relatively easy to implement with proper tools.

The use of BitLocker and FileVault can step up the data security of any organization where Windows and Mac devices are used to process and store valuable or sensitive information such as customer information, credit card details, or employee information. With Miradore's Premium plan, you can easily enable BitLocker and FileVault on all of your organization's devices remotely.

If you’re responsible for ensuring data security in your organization, you can test Miradore’s Premium plan for free for 14 days. If you want to know more about disk encryption or Miradore’s capabilities, don't hesitate to reach out to us!


by Lassi Pekkarinen

Lassi has been part of our team since the very beginning (2006). He's worn many hats during his time here at Miradore and has acquired unparalleled experience in the area of device management. Currently, he works as a Senior Software Engineer in our pre-sales team, helping customers find the right solution for their needs. Sports and nature are close to Lassi's heart, and in his free time, he likes to combine those by hiking in one of Finland's many forests. Let us know if you spot him out there!