Full disk encryption is the most commonly used encryption strategy in practice today for data at rest, but does that mean it's sufficient to prevent unauthorized access to your data? The short answer: No. File-based encryption is another form of transparent encryption that fills in the gaps where full disk encryption falls short. Fortunately, some encryption vendors offer multiple types of encryption.
Some form of encryption is obviously better than none at all, but you may have a false sense of security if you're exclusively using full disk encryption to protect your data. For this reason, it's important to consider adding a file-based approach to your current encryption practice. Let's get a better understanding of full disk encryption, file-based encryption, and the benefits and drawbacks of each to illustrate why both are important for 360° security.
What is full disk encryption?
As the name suggests, full disk encryption (FDE) is encryption at the disk level. It provides automatic encryption when data is being written to or read from a disk, but it does not encrypt anything at the file level. It uses the same encryption key for the whole disk, which is immediately decrypted as soon as the device is accessed with valid user credentials. This means attackers can gain access to everything if the system is compromised.
To use an analogy, full disk encryption functions somewhat like locking exterior doors to your house without locking any of the interior rooms. Of course, it's a good idea to lock your front door so intruders aren't able to get inside easily, but they will inevitably have free range across the whole house if they are somehow able to gain access.
Advantages of full disk encryption
Although full disk encryption (FDE) is not a holistic approach to security, there are some key benefits it can offer. First and foremost, it's simple to deploy. It favors a set-it-and-forget-it maintenance model, meaning once the encryption is configured, there is relatively little that needs to be done to maintain it.
FDE also eliminates any human error when it comes to whether something on a disk is encrypted or not. It doesn't differentiate between sensitive information and non-sensitive information, so everything is automatically encrypted by default. Full disk encryption also has minimal impact on ongoing performance once the disk is initially impacted.
Disadvantages of full disk encryption
Of course, there are some downsides to full disk encryption as well. For one, the data is only protected for as long as it's on the disk. And as we've already established, FDE is unreliable if the whole system is physically compromised. Especially when this is combined with the all-or-nothing approach to encryption, full disk encryption offers minimal compliance with various security standards like PCI-DSS, HIPAA, and GDPR. It also means backup practices are more cumbersome, since the entire disk needs to be backed up at once instead of being able to prioritize which files or directories are most important.
FDE also does not encrypt anything deeper than the disk level—this means metadata, file structures, and the content within the files themselves are readily accessible to any valid user. Likewise, full disk encryption only offers broad audit logs, meaning it's impossible to review activity or potential threats on a granular level using full disk encryption alone.
What is file-based encryption?
In contrast to FDE, file-based encryption (FBE) encrypts individual files or directories instead of the whole disk. This can be done automatically, but some users prefer to encrypt each file manually to maintain fine-tuned control over their data security. Each item is encrypted with a unique key, which can sometimes be a good thing or a bad thing.
To use another analogy, file-based encryption is similar to a lock box that's stored inside a vault at a bank. Even if the vault is breached, each box inside maintains its own layer of security that takes dedicated effort to crack.
Advantages of file-based encryption
The advantages of file-based encryption are a bit more dramatic than those of FDE. Obviously, the top-to-bottom encryption is ideal for concealing information about the metadata, file structure, directories, etc. in addition to the content within each file. It also offers a unique benefit to multi-user systems: because each encryption key is unique to a specific user, no two users can access the same file by default. And file encryption can be used to protect data in motion too.
Unlike full disk encryption, FBE allows for granular controls and access logs, so users can monitor their system and identify security threats as soon as they happen. This also impacts analytics and reporting because encryption can reveal discrepancies elsewhere in the system.
Disadvantages of file-based encryption
One disadvantage of FBE is its incompatibility across operating systems. While FDE is usually inherent in a computer system (although this is not always the case), FBE is usually accomplished by a supplemental software program. The most popular encryption products will likely be operating system-agnostic, but as with any software category, this is not always the case.
Another obvious drawback of FBE is that managing numerous encryption keys is not always practical. This burden is easily alleviated by encryption key management tools and services, but this also means you have another tool or service that costs money and effort to maintain.
FBE or FDE: which encryption is better?
It may seem like a complex question, but considering all the advantages and disadvantages listed above, it's easy to understand why one encryption method isn't inherently better than the other. In fact, a layered approach that uses both encryption models is an ideal solution for most scenarios. File-based encryption fills in many of the security gaps that full disk encryption leaves behind, so implementing both measures means your data will always be protected whether it's in motion or at rest.