Full Drive Encryption (FDE) FAQs

Ask an Admin logo

Full Drive Encryption (FDE), whether you use Windows BitLocker or purchase disks with hardware-based encryption, can sometimes be deemed to introduce complexity and administrative costs that are greater than the potential advantages. But with the increased use of mobile devices and the potential for data to find its way beyond the physical security of an office, FDE can protect data from falling into the hands of the casual thief. And, if implemented properly, FDE can prevent skilled hackers from extracting information from the disk.

Can my data be read if my PC, notebook, or server is stolen?

In short, yes. If FDE isn’t deployed, either the disk drive can be removed and read in another device, or your stolen computer can be booted into a different operating system that can then read the contents of the disk. Your logon username and password only protects data from network and user based attacks when Windows is running. Once the data is offline and an attacker has physical access, those credentials can’t protect unencrypted data on the disk. FDE protects data on the disk when Windows isn’t booted.

Is TPM required to use BitLocker?

A misconception about BitLocker is that it needs a Trusted Platform Module (TPM) on the device’s motherboard. While storing encryption keys on a TPM is the most secure and convenient way to deploy BitLocker, it’s also possible to require a user to enter a password or startup key (on a USB drive) to unlock a drive. Another fallacy is that it’s only necessary to encrypt sensitive data and not the OS binaries. If a hacker gains access to the OS files, it’s possible that logon credentials and the page file can be read, leading to the possibility that encrypted data can also be compromised, hence the need to encrypt the entire system drive and not just sensitive data.

Is BitLocker is easier to manage in Windows Server 2012 and Windows 8?

It sure is. BitLocker in Windows 8 and Server 2012 has two modes of encryption, one that encrypts the entire volume including free space, and another that only encrypts used space, allowing for the initial encryption process to be completed much faster.

In Windows 7, BitLocker can only be provisioned after the operating system is installed. Windows 8 allows BitLocker to be enabled in the Windows Preinstallation Environment (WinPE) prior to OS deployment. Once the OS is installed, administrators must activate BitLocker before a volume is protected.

While administrative privileges are still required to deploy BitLocker on the system volume in Windows 8, standard users are now able to change PINs for system volumes and passwords for fixed data volumes by default, meaning that IT can deploy a standard PIN to all machines and allow users to change them. Before, PINs and passwords were set by IT and couldn’t be modified by standard users.

When Windows 8 devices are connected to a Windows Server 2012 enabled wired network, they can automatically unlock themselves should a user forget their BitLocker PIN, reducing calls to the helpdesk. This new Network Unlock feature also makes it easier for machines to be booted using Wake-On-LAN, so that they can be patched automatically. Network Unlock requires computers to have a compatible TPM, and it can be turned off using Group Policy.

What About Encrypted Hard Drives?

An Encrypted Hard Drive for Windows, not to be confused with a self-encrypting hard drive, allows BitLocker to offload encryption to the drive hardware, providing better performance than BitLocker can give with a standard disk. Windows 8 can detect if a drive is an Encrypted Hard Drive device and allow users to manage it via the BitLocker Control Panel Applet. Note that Encrypted Hard Drive devices cannot be connected to RAID controllers.