Your laptop contains your entire digital life: emails, financial records, personal photos, work documents, saved passwords, and more. If someone steals it, or if you leave it in a taxi, the only thing standing between a thief and all of that data is full-disk encryption. Without it, anyone who physically possesses your device can read everything on it, no password required.

What Is Full-Disk Encryption?

Full-disk encryption (FDE) encrypts the entire contents of a storage drive, including the operating system, applications, and all user files. Every bit of data written to the disk is automatically encrypted, and every bit read from the disk is automatically decrypted, all transparently in the background as you use your computer.

When you power on your device, you provide an authentication credential, typically a password, PIN, or biometric. This credential unlocks the encryption key, which allows the system to decrypt data on-the-fly as it is accessed. Once authenticated, you use your computer normally with no noticeable difference in experience. When you shut down or lock the device, the data on disk remains encrypted and unreadable without the key.

FDE operates at a level below the file system, which means it protects everything: not just your documents, but also temporary files, swap space, application caches, deleted files that have not been overwritten, and the operating system itself. This comprehensive approach eliminates the risk of forgetting to encrypt a sensitive file because everything is encrypted by default.
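To make the "below the file system" point concrete, here is an added toy model of an encrypted block device (example code written for this article, not from any real FDE implementation). Every sector is transformed on the way to and from the raw storage, and the sector number feeds into the cipher so that identical contents in two different sectors do not produce identical ciphertext. It uses HMAC-SHA256 in counter mode as a stand-in keystream generator so that it runs with only the Python standard library; real FDE uses a tweakable block-cipher mode such as AES-XTS, and the names `EncryptedDisk`, `keystream` and `demo` are this example's own.

```python
"""Toy sector-level encryption layer: what a thief sees versus what the OS sees."""
import hashlib
import hmac
import os

SECTOR_SIZE = 512


def keystream(key: bytes, sector: int, length: int) -> bytes:
    """Expand PRF(key, sector || counter) to one sector's worth of keystream.

    The sector number plays the role of the XTS tweak: the same plaintext
    written to two different sectors encrypts to two different ciphertexts.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedDisk:
    """The raw store only ever holds ciphertext; reads and writes are transformed transparently."""

    def __init__(self, sectors: int, key: bytes):
        self.key = key
        # A freshly encrypted volume is filled with random data, so unused space,
        # swap and not-yet-overwritten "deleted" sectors all look alike to an attacker.
        self._raw = [os.urandom(SECTOR_SIZE) for _ in range(sectors)]

    def write_sector(self, n: int, plaintext: bytes) -> None:
        if len(plaintext) != SECTOR_SIZE:
            raise ValueError("sector writes must be exactly one sector")
        self._raw[n] = xor_bytes(plaintext, keystream(self.key, n, SECTOR_SIZE))

    def read_sector(self, n: int) -> bytes:
        # What the running OS (and therefore any file system on top) sees.
        return xor_bytes(self._raw[n], keystream(self.key, n, SECTOR_SIZE))

    def raw_sector(self, n: int) -> bytes:
        # What someone who removes the drive and attaches it elsewhere sees.
        return self._raw[n]


def demo() -> dict:
    """Write a constructed secret to two sectors and compare the two views."""
    key = os.urandom(32)  # in a real system this key is unwrapped by your passphrase at boot
    disk = EncryptedDisk(sectors=16, key=key)
    secret = b"SECRET tax return 2023".ljust(SECTOR_SIZE, b"\0")  # constructed sample data
    disk.write_sector(3, secret)
    disk.write_sector(7, secret)  # same plaintext, different sector
    return {
        "roundtrip": disk.read_sector(3) == secret,
        "raw_leaks_plaintext": b"SECRET" in disk.raw_sector(3),
        "same_plaintext_same_ciphertext": disk.raw_sector(3) == disk.raw_sector(7),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Running `demo()` shows the round trip succeeding, the raw sector containing no trace of the plaintext, and the two identical sectors holding different ciphertext. One design caveat the model also exposes: because it is a stream construction, rewriting a sector reuses its keystream, so an attacker who captured both the old and the new raw sector could XOR them to learn the XOR of the two plaintexts. That is precisely why disk encryption uses a tweakable block-cipher mode like XTS, which has no per-sector keystream to reuse, rather than a stream cipher.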

Platform Options

Every major operating system now includes built-in full-disk encryption. Here is what is available on each platform:

Windows: BitLocker

BitLocker is Microsoft's built-in FDE solution, available on Windows Pro and Enterprise editions. It uses AES-128 or AES-256 encryption and integrates with the Trusted Platform Module (TPM) chip present in most modern computers. The TPM stores the encryption key in hardware, providing protection against certain physical attacks. For Windows Home users, Device Encryption provides similar protection but with fewer configuration options. VeraCrypt, a free and open-source alternative, works on all Windows editions and offers additional features like hidden volumes and plausible deniability.

macOS: FileVault 2

FileVault 2 is Apple's built-in FDE, using XTS-AES-128 encryption. It is tightly integrated with macOS and can be enabled with a single click in System Settings. On Macs with Apple Silicon or the T2 security chip, hardware-level encryption is always active; FileVault adds an additional layer by protecting the volume encryption key with your login password. FileVault is straightforward to set up and has minimal performance impact on modern hardware.

Linux: LUKS/dm-crypt

LUKS (Linux Unified Key Setup) with dm-crypt is the standard for full-disk encryption on Linux. Most Linux distributions offer LUKS encryption as an option during installation. It uses AES-256 by default and supports multiple key slots, allowing different passphrases or key files to unlock the same volume. For advanced users, it offers extensive customization of cipher algorithms, key sizes, and hash functions.

Mobile Devices

iOS devices have been encrypted by default since iOS 8 (2014), using hardware-backed AES-256 encryption tied to the device passcode. Android devices have required encryption by default since Android 10 (2019), with most modern devices using file-based encryption (FBE) that encrypts different files with different keys, allowing some features (like alarms) to work before the device is unlocked.

What FDE Protects Against

Full-disk encryption is specifically designed to protect your data from physical access threats:

  • Stolen or Lost Devices: The most common scenario. A thief who steals your laptop cannot access your data without the encryption password, even if they remove the hard drive and connect it to another computer.
  • Discarded Hardware: When you sell, donate, or recycle a computer, FDE ensures that residual data on the drive is unreadable. Even "deleted" files remain on disk until overwritten; encryption makes them useless without the key.
  • Border Crossings and Inspections: In some countries, authorities may inspect electronic devices at border crossings. While legal compulsion to provide passwords varies by jurisdiction, FDE ensures that the data is technically inaccessible without your cooperation.
  • Evil Maid Attacks: An attacker with brief physical access to your device (a hotel room, an unattended conference table) cannot simply copy or tamper with data on an encrypted drive. Without pre-boot authentication credentials, the drive contents are opaque. The unencrypted boot loader is the part that remains exposed during such access, which is why FDE is strongest when paired with measured boot (a TPM) or Secure Boot that detects boot-chain tampering.

What FDE Does NOT Protect Against

It is equally important to understand the boundaries of full-disk encryption:

  • Malware on a Running System: Once you have unlocked your device and are using it, the disk is decrypted in real time. Malware running on your system has the same access to decrypted data as you do. FDE does not replace antivirus software or safe browsing practices.
  • Remote Attacks While Logged In: If an attacker gains remote access to your computer while it is running and unlocked (through a vulnerability, phishing, or stolen credentials), FDE provides no protection. The data is already decrypted in memory.
  • Cold Boot Attacks: A sophisticated and relatively rare attack in which an attacker chills the RAM chips immediately after power-off so that the encryption keys held in memory decay slowly enough to be read out. Modern systems with secure boot and memory encryption mitigate this risk, but it remains a theoretical concern for high-value targets.
  • Coercion: Sometimes called "rubber hose cryptanalysis," this refers to scenarios where someone forces you to provide your password through threats, legal compulsion, or physical coercion. No amount of technical encryption can protect against this. Some tools like VeraCrypt offer hidden volumes that provide plausible deniability, but their effectiveness in real-world coercion scenarios is debatable.

Setup Best Practices

If you have not enabled full-disk encryption yet, here is how to do it right:

  • Enable It Before Storing Sensitive Data: Ideally, enable FDE when you first set up your device, before any sensitive data is written to the drive in unencrypted form. If you enable FDE after the fact, remnants of previously unencrypted data may persist in unallocated disk space.
  • Use a Strong Passphrase: Your encryption is only as strong as the password protecting it. A four-digit PIN provides minimal protection. Use a strong passphrase of at least 12 characters. On devices with hardware-backed encryption and brute-force throttling (like iPhones), a six-digit PIN may be acceptable, but longer is always better.
  • Store Your Recovery Key Securely: Both BitLocker and FileVault generate a recovery key that can unlock the drive if you forget your password. Store this key in a safe physical location or in a password manager. Never store the recovery key on the encrypted drive itself, as that defeats the purpose. Never store it unencrypted alongside the device.
  • Test the Recovery Process: Before you need it in an emergency, verify that your recovery key works. Try booting into recovery mode and using the key to unlock the drive. An untested recovery key is a liability, not an asset.
  • Consider Pre-Boot Authentication: For maximum security, configure your system to require a password before the operating system loads (pre-boot authentication). Until you authenticate, the encryption key is never loaded into memory, so a device found powered on at its lock screen offers nothing for attacks that target the running OS to extract encryption keys from memory.
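The key-slot design mentioned for LUKS and the recovery-key advice above are two views of the same mechanism, shown here in an added toy model (example code written for this article, not cryptsetup's, BitLocker's or FileVault's own). One random volume key encrypts the disk; each slot stores that volume key wrapped under a key derived from a passphrase with scrypt, and a recovery key is simply another slot whose passphrase is a random, high-entropy string you write down. Changing a passphrase re-wraps the volume key in one slot and leaves the encrypted disk untouched. Wrapping is done here by XOR with a one-time scrypt-derived pad plus an HMAC tag, a stand-in for the authenticated key wrapping real tools use; the names `KeySlots`, `make_recovery_key` and `demo` and the constructed passphrases are this example's own.

```python
"""Toy LUKS-style key hierarchy: one volume key, several independently unlockable slots."""
import hashlib
import hmac
import os
import secrets

# Cost parameters for scrypt; real tools benchmark these so one guess takes a noticeable fraction of a second.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


class KeySlots:
    def __init__(self):
        self.volume_key = secrets.token_bytes(32)  # the key that actually encrypts sectors
        self.slots = {}  # slot name -> (salt, wrapped volume key, integrity tag)

    @staticmethod
    def _derive(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
        """Stretch the passphrase into a 32-byte wrapping pad and a 32-byte MAC key."""
        km = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, dklen=64, **SCRYPT_PARAMS)
        return km[:32], km[32:]

    def add_slot(self, name: str, passphrase: str) -> None:
        salt = os.urandom(16)  # fresh salt per slot, so each pad is used exactly once
        pad, mac_key = self._derive(passphrase, salt)
        wrapped = bytes(a ^ b for a, b in zip(self.volume_key, pad))
        tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
        self.slots[name] = (salt, wrapped, tag)

    def remove_slot(self, name: str) -> None:
        del self.slots[name]

    def unlock(self, passphrase: str):
        """Try the passphrase against every slot; return the volume key, or None if none match."""
        for salt, wrapped, tag in self.slots.values():
            pad, mac_key = self._derive(passphrase, salt)
            expected = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                return bytes(a ^ b for a, b in zip(wrapped, pad))
        return None


def make_recovery_key() -> str:
    """128 random bits, grouped for writing down; kept off the encrypted drive itself."""
    raw = secrets.token_hex(16)
    return "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def demo() -> dict:
    ks = KeySlots()
    ks.add_slot("user", "correct horse battery staple")  # constructed sample passphrase
    recovery = make_recovery_key()
    ks.add_slot("recovery", recovery)
    vk = ks.volume_key
    results = {
        "user_passphrase_unlocks": ks.unlock("correct horse battery staple") == vk,
        "recovery_key_unlocks": ks.unlock(recovery) == vk,  # "test the recovery process"
        "wrong_passphrase_fails": ks.unlock("correct horse battery stapel") is None,
    }
    # Changing the passphrase only re-wraps the volume key; no sector is re-encrypted.
    ks.remove_slot("user")
    ks.add_slot("user", "new and longer passphrase 2024!")
    results["new_passphrase_unlocks"] = ks.unlock("new and longer passphrase 2024!") == vk
    results["old_passphrase_fails"] = ks.unlock("correct horse battery staple") is None
    results["volume_key_unchanged"] = ks.volume_key == vk
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The model makes the setup advice mechanical: the recovery slot is verified by actually unlocking with it before you rely on it, the scrypt cost is what turns a stolen header into a slow guessing exercise rather than an instant read (and why a four-digit PIN, with only ten thousand candidates, buys little without hardware throttling), and removing a slot is how a compromised passphrase is retired without re-encrypting the disk.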

Full-disk encryption is one of the most impactful security measures you can take, and on most modern devices, it is free, built-in, and takes minutes to enable. If your device is not encrypted right now, stop reading and enable it. The small effort today could prevent a catastrophic data breach tomorrow.
