Data in the clear is no small security risk for organizations of all sizes. When data is stored "in the clear," it's unencrypted, meaning that anyone with access to the storage device or file can view the data.
Encrypted data, on the other hand, provides an obstacle and a layer of risk mitigation against loss, since the data is not easily readable without the right encryption key. Encryption applies to both data in transit and data at rest. For data in transit, TLS (Transport Layer Security) has long been the standard. For data at rest, there are multiple mechanisms and technologies, including file-based and full disk encryption options.
Full disk encryption provides a pervasive layer of encryption across an entire storage device, be it a spinning hard disk or solid state drive (SSD).
How to choose a full disk encryption solution
Operating System: Microsoft and Apple both have their own default full disk encryption systems that might be sufficient for some use cases. The need for broader coverage and control than default options is often the driver to look at other encryption products.
Manageability: How easy (or hard) it is to manage and recover the encryption keys is an important consideration.
Scope: Consider whether you need (or want) more than just the integrated disk encrypted, as there are solutions that will also handle removable and network attached storage (NAS).
Cost and value: With the default operating system choices, the cost for full disk encryption is negligible, so looking beyond them requires additional value to justify the cost.
Top full disk encryption software
In this eSecurity Planet top products list, we spotlight the vendors that offer the top full disk encryption software tools.
- Apple FileVault
- Check Point
- Eset Endpoint Encryption Pro
- McAfee Complete Data Protection
- Micro Focus ZENworks Full Disk Encryption
- Microsoft BitLocker
- R&S Trusted Disk
- Sophos SafeGuard Encryption
Apple FileVault
Value proposition for potential buyers: FileVault 2 is the best option for Apple macOS users, as it's directly integrated into the default macOS operating system.
- FileVault 2 is the only truly purpose-built full disk encryption option for macOS users
- Provides the option to encrypt the user directory as well as the startup volume, providing a high degree of protection for users
- The encryption is set with a user's Apple macOS user ID login as the pass phrase
Check Point
Value proposition for potential buyers: Check Point provides multiple endpoint threat protection features, including full disk encryption as part of the SandBlast Agent.
- The pre-boot protection capabilities make sure that the system that is booting the disk isn't attempting to tamper with the data
- Authentication options ensure that only validated users get access to encrypted data
- The full suite adds anti-malware, VPN and threat protection capabilities
Eset Endpoint Encryption Pro
Value proposition for potential buyers: Eset Endpoint Encryption Pro is a reasonable option for small to mid-sized distributed organizations looking to manage disk encryption on Windows systems.
- Central management of encrypted drives is at the core of the platform, but what's powerful is that endpoints don't all need to be connected via a VPN
- Looking beyond standard encryption keys, the solution can also be enabled with multi-factor authentication as a further degree of authorized user validation
- Eset Endpoint Encryption Pro can also be used to protect removable media, files and folders as well as email
McAfee Complete Data Protection
Value proposition for potential buyers: Looking beyond just full disk encryption, McAfee's Complete Data Protection provides fine-grained controls for data and devices.
- Provides policy and management overlay for Apple FileVault and Microsoft BitLocker encryption on macOS and Windows systems
- Encryption also extends to files and folders as well as removable media
- A key differentiator and component of the suite is the data loss protection (DLP) features that provide policy controls for data access
- User authentication is augmented with strong multifactor authentication mechanisms
Micro Focus ZENworks Full Disk Encryption
Value proposition for potential buyers: Micro Focus ZENworks Full Disk Encryption is a good option for Microsoft Windows users looking for endpoint protection.
- ZENworks Full Disk Encryption is part of the broader ZENworks platform that provides a unified dashboard for endpoint security and control
- A key differentiator is the full control capabilities, which can enable an administrator to decommission a drive or device
- Authentication options for booting an encrypted drive include support for smartcards combined with a PIN
- Looking beyond endpoint encryption capabilities, Micro Focus has its SecureData product that provides file, data and cloud encryption features.
Microsoft BitLocker
Value proposition for potential buyers: BitLocker is the default choice for Windows users, providing an operating system integrated approach to full disk encryption.
- BitLocker is the default integrated option for Microsoft Windows, making it the easy and obvious first choice for many users
- Beyond individual desktop usage, Microsoft BitLocker Administration and Monitoring (MBAM) is an optional tool for centralized management across distributed enterprise deployments
- As part of its ease-of-use feature set, there is a network unlock capability that enables a Windows PC to start automatically when connected to the internal network
R&S Trusted Disk
Value proposition for potential buyers: Trusted Disk is a good option for both individual systems as well as enterprise networks running Microsoft Windows.
- Rohde and Schwarz Trusted Disk meets stringent data security standards laid out by the German Federal Office for Information Security
- Full disk encryption also includes operating system temporary files for full coverage
- Pre-boot authentication procedure is robust and includes both a PIN and a hardware token
Sophos SafeGuard Encryption
Value proposition for potential buyers: SafeGuard extends the native capabilities of Windows BitLocker and macOS FileVault with additional management features.
- The key value of SafeGuard is the central management feature that enables an administrator to manage full disk encryption across a fleet of devices
- Beyond full disk encryption, Sophos SafeGuard also integrates file level encryption for removable storage devices and the cloud
- Reporting is another strong feature, with a dashboard view that can help administrators enforce encryption policies for regulatory compliance
Symantec Endpoint Encryption
Value proposition for potential buyers: Symantec goes beyond just integrated full disk encryption with a platform that can also be used to protect removable storage devices.
- Symantec has undergone significant changes over the last year, with the company's enterprise assets being acquired by Broadcom in a $10.7 billion deal
- Symantec Endpoint Encryption works alongside Microsoft BitLocker, Apple FileVault and OPAL-compliant self-encrypting storage drives, providing centralized policy management and enforcement
- Supports removable media and external hard drives
- Recovery options are strong, with the ability for IT help desk staff to recover lost encryption keys
Trend Micro Endpoint Encryption
Value proposition for potential buyers: Trend Micro Endpoint Encryption is another good option for organizations looking for a platform to manage full disk encryption as well as data protection for removable media.
- Trend Micro Endpoint Encryption can help complement Microsoft BitLocker and Apple FileVault with a central management system
- A key differentiator is the transparent key management capabilities, which make it easier for both users and administrators to manage encryption
- Trend Micro also enables a remote lock and remote kill capability for lost or stolen devices that is tied to pre-boot authentication