As the name suggests, FDE solutions work by encrypting a system’s entire hard drive – including the operating system and all applications and data stored on it. When the system is started, the user is prompted for the encryption key, which enables the system to boot and run normally. As information is read from the disk, it is decrypted on the fly and stored in memory – and any information written to the disk is also encrypted on the fly. Without the encryption key, the data stored on the disk remains inaccessible to thieves and hackers.
FDE differs from File-Level Encryption (FLE) in that it secures all data stored on your hard drives automatically and transparently – including swap files and hidden files that may contain confidential data – without any user intervention. In contrast, FLE only protects specific files that are manually encrypted, and generally depends on the user to perform some action to ensure that files are encrypted before storage.
One drawback of FDE is that it does nothing to protect files “in motion.” Once a file is sent via email or copied to a memory stick, it is no longer encrypted. For that reason, you may want to consider deploying FLE in conjunction with FDE, so that users have the option to manually encrypt files that need to be shared with others.
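To make the three points above concrete (transparent encrypt/decrypt on every disk access, a locked volume refusing a wrong key, and a file copied out of the volume arriving in the clear unless FLE wraps it), here is a small runnable model. It is an added example, not code from the original article or from any FDE product: the "disk" is a list of 512-byte sectors in memory, and the cipher is a keystream derived with HMAC-SHA256, a constructed stand-in for the AES-XTS mode real FDE uses, chosen only to keep the example dependency-free. All keys, passphrases and file contents are constructed sample values.

```python
"""Toy model of full-disk encryption (FDE) versus file-level encryption (FLE).
Added example, not from the original article. The keystream cipher is a
stand-in for AES-XTS; it shows where encryption happens, nothing more."""
import hashlib
import hmac
import os

SECTOR_SIZE = 512
N_SECTORS = 8            # sector 0 is reserved for the volume header (key check)


def _keystream(key: bytes, tweak: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC(key, tweak || counter), truncated to length."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, tweak + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RawDisk:
    """What physically sits on the drive: ciphertext only, no key anywhere."""
    def __init__(self) -> None:
        self.sectors = [bytes(SECTOR_SIZE) for _ in range(N_SECTORS)]


class UnlockedVolume:
    """The view the OS gets after the user supplies the key at boot."""
    def __init__(self, disk: RawDisk, key: bytes) -> None:
        self._disk, self._key = disk, key

    def write(self, sector_no: int, data: bytes) -> None:
        # Encrypt on the fly: plaintext never reaches the disk.
        padded = data.ljust(SECTOR_SIZE, b"\0")[:SECTOR_SIZE]
        ks = _keystream(self._key, sector_no.to_bytes(8, "big"), SECTOR_SIZE)
        self._disk.sectors[sector_no] = _xor(padded, ks)

    def read(self, sector_no: int) -> bytes:
        # Decrypt on the fly: plaintext exists only in memory (toy: strips zero padding).
        ks = _keystream(self._key, sector_no.to_bytes(8, "big"), SECTOR_SIZE)
        return _xor(self._disk.sectors[sector_no], ks).rstrip(b"\0")


def format_volume(disk: RawDisk, key: bytes) -> None:
    """Store a key-check value in sector 0 so unlock can reject a wrong key."""
    check = hmac.new(key, b"fde-key-check", hashlib.sha256).digest()
    disk.sectors[0] = check.ljust(SECTOR_SIZE, b"\0")


def unlock(disk: RawDisk, key: bytes) -> UnlockedVolume:
    """Boot-time prompt: the volume stays locked unless the key matches the header."""
    actual = hmac.new(key, b"fde-key-check", hashlib.sha256).digest()
    if not hmac.compare_digest(disk.sectors[0][:32], actual):
        raise ValueError("wrong key: volume stays locked")
    return UnlockedVolume(disk, key)


# File-level encryption: protects one file wherever it travels (encrypt-then-MAC).
def fle_encrypt(file_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor(plaintext, _keystream(file_key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(file_key, nonce + ct, hashlib.sha256).digest()


def fle_decrypt(file_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(file_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("file tampered with or wrong key")
    return _xor(ct, _keystream(file_key, nonce, len(ct)))


def demo() -> dict:
    """Exercise each claim from the text and report whether it held."""
    key = hashlib.sha256(b"constructed boot passphrase").digest()
    disk = RawDisk()
    format_volume(disk, key)
    volume = unlock(disk, key)

    secret = b"constructed sample: quarterly figures, do not share"
    volume.write(3, secret)                           # an ordinary write from the OS's view
    at_rest_opaque = secret not in disk.sectors[3]    # a thief with the drive sees ciphertext
    try:
        unlock(disk, hashlib.sha256(b"wrong passphrase").digest())
        wrong_key_refused = False
    except ValueError:
        wrong_key_refused = True

    copied_out = volume.read(3)                       # e.g. attached to e-mail or copied to USB
    file_key = hashlib.sha256(b"constructed per-file key").digest()
    blob = fle_encrypt(file_key, copied_out)          # FLE wraps the file before it leaves
    return {
        "transparent_read": volume.read(3) == secret,
        "at_rest_opaque": at_rest_opaque,
        "wrong_key_refused": wrong_key_refused,
        "copy_leaves_in_clear": copied_out == secret,  # FDE's blind spot
        "fle_protects_copy": secret not in blob and fle_decrypt(file_key, blob) == secret,
    }


if __name__ == "__main__":
    for claim, held in demo().items():
        print(f"{claim:22s} {held}")
```

Running it prints `True` for every claim. The model also makes visible why FDE is only an at-rest control: `volume.read` hands plaintext to any caller once the volume is unlocked, so anything running on the booted system, or any copy made from it, sees the data exactly as the user does, which is the gap the FLE wrapper in `fle_encrypt` closes.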