Before you make the switch to encrypting your data, you will most likely come across this question: What’s better – encrypt my whole hard drive using Whole Disk Encryption or encrypt only selected areas using File Based Encryption (also Folder Based Encryption)?
Naturally, the most obvious answer would be to encrypt the entire hard drive using Whole Disk Encryption (also Full Disk Encryption) and never worry about it again. Why would I want to rack my brain over whether a file should be encrypted every time I save it? Wouldn’t that make encryption software even more of a hassle to use?
While that is a valid point, often used to proclaim Whole Disk Encryption the Holy Grail of data security, it is also the only one I can find. There are, however, plenty of reasons why one may want to consider File Based Encryption instead. Let me lay out some of the reasons why I personally prefer not to encrypt my entire hard drive:
Performance: Encrypting the entire disk rather than just the files you care about costs disk throughput and CPU time, because every block read or written passes through the cipher. Notely measured a drop of up to 40% in data transfer rate together with a sharp rise in CPU usage. xml-dev.com even cites a figure of 189%, which must be an increase in transfer time rather than a decrease in rate (a rate cannot fall by more than 100%); that would mean almost three times as long to move the same data. Figures like these depend heavily on the CPU and the product, so measure on your own hardware before deciding.
Security: Whole Disk Encryption protects data at rest only. Once you have entered the correct password and the system is running, the volume is unlocked and transparently decrypted on every read, so anyone with access to the running machine, whether remotely through malware or a network service or physically at an unlocked session, sees your files exactly as you do. You are protected only while the computer is powered off (or the volume is locked again). Worse, researchers at Princeton University showed in 2008 that the encryption key itself can be recovered from RAM after a reboot using so-called Cold Boot Attacks, because DRAM keeps its contents for seconds to minutes after power is cut; note that it is the key that is recovered, not the password, and that a machine left in sleep mode or merely screen-locked still holds the key in memory.
Setup Time: Encrypting the whole disk obviously takes longer than encrypting a handful of files. Depending on the size of your hard drive, the initial encryption pass can run for several hours, while the files you actually want to protect would have been encrypted in minutes.
Configuration: Setting up a Whole Disk Encryption solution often requires you to define several passwords or tokens, to build your own user management if you share the computer with other users, to create an emergency boot CD in case something goes wrong, and to install a new boot loader. With File Based Encryption, you simply encrypt the file or folder you want to protect and you are set.
Multiple Users: If you share your computer, let’s say with your family, you may not want to give everybody the same level of access to your files. (Why would your kids need to access your tax returns?) With Whole Disk Encryption, however, the pre-boot password unlocks the entire disk for whoever boots the machine: either you tell everyone the master password and rely on ordinary operating-system accounts and file permissions to keep them apart, or you set up the product’s own user management with separate passwords and access levels. With File Based Encryption, you simply encrypt the files you want protected and don’t worry about the rest.
System Failure: What happens if your computer or your hard drive crashes? With Whole Disk Encryption, a damaged boot loader, volume header or key store can make the entire disk unreadable, so unless you kept the recovery media the product generated and an up-to-date backup, the data is gone. With File Based Encryption, a crash that corrupts part of the disk usually leaves your encrypted files intact; you copy them to another machine and decrypt them there.
Compatibility: Whole Disk Encryption reaches deep into your computer’s boot process and system files, so it is essential that your machine and operating system are supported by the software. If you upgrade your hardware or operating system, you run the risk that the software is no longer compatible, leaving your encrypted data unreadable unless you still have the product’s recovery media.
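The Cold Boot Attack mentioned under Security works on the key, not the password, and what follows is an added example of its key-recovery step, written for this page rather than taken from the original post or from the Princeton team’s tools. It implements the FIPS-197 AES-128 key expansion, then scans a memory image for any 176-byte window that is a valid key schedule; a real attack runs the same search over a DRAM dump taken after a reboot. The memory image here is constructed inline (seeded pseudorandom filler with one expanded key planted in it), the function names and the planted key (the FIPS-197 example key) are choices made for this example, and the bit-error correction the real attack applies to decayed RAM is omitted.

```python
# Added example, not part of the original post: the key-recovery step of the
# Princeton cold boot attack. A DRAM image is scanned for 176-byte regions that
# satisfy the AES-128 key schedule relations; a hit is the volume key itself.
# The "memory image" below is constructed inline with a seeded PRNG.
import random


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox():
    """Derive the AES S-box (GF(2^8) inverse, then the affine map) instead of
    transcribing the 256-entry table by hand."""
    exp, log = [0] * 255, [0] * 256
    v = 1
    for i in range(255):          # 0x03 generates the multiplicative group
        exp[i], log[v] = v, i
        v = _gf_mul(v, 3)
    sbox = bytearray(256)
    for x in range(256):
        inv = exp[(255 - log[x]) % 255] if x else 0
        s = inv
        for i in range(1, 5):     # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return bytes(sbox)


SBOX = _build_sbox()


def _next_word(prev, first, rcon=None):
    """One word of FIPS-197 key expansion; rcon is given only every 4th word."""
    if rcon is not None:          # RotWord, SubWord, then XOR with Rcon
        prev = bytes([SBOX[prev[1]] ^ rcon, SBOX[prev[2]], SBOX[prev[3]], SBOX[prev[0]]])
    return bytes(a ^ b for a, b in zip(first, prev))


def expand_key_aes128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        w.append(_next_word(w[i - 1], w[i - 4], rcon if i % 4 == 0 else None))
        if i % 4 == 0:
            rcon = _xtime(rcon)   # 01, 02, 04, ..., 80, 1b, 36
    return b"".join(w)


def find_aes128_keys(image):
    """Return (offset, key) for every 176-byte window of `image` that is a valid
    AES-128 key schedule. A 4-byte check on the first word of round key 1 rejects
    almost every offset before the full schedule is expanded and compared."""
    hits = []
    for off in range(len(image) - 175):
        cand = image[off:off + 16]
        if _next_word(cand[12:16], cand[0:4], 1) != image[off + 16:off + 20]:
            continue
        if expand_key_aes128(cand) == image[off:off + 176]:
            hits.append((off, bytes(cand)))
    return hits


def build_demo_image(key, before=4096, after=4096, seed=1):
    """Constructed stand-in for a DRAM dump: pseudorandom filler with one key
    schedule planted in it, as a running disk-encryption driver leaves behind."""
    rng = random.Random(seed)

    def filler(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    return filler(before) + expand_key_aes128(key) + filler(after)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 example key
    for off, k in find_aes128_keys(build_demo_image(key)):
        print(f"key schedule at offset {off:#x}: key = {k.hex()}")
```

Running the block prints the offset and the recovered key. The lesson for this comparison is narrower than the Security point alone suggests: the key is exposed only while the volume is unlocked, so what matters is powering off, or locking the container, before leaving the machine; a file-based container that is currently mounted has its key in RAM just the same.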
So as you can see, there are plenty of reasons speaking against Whole Disk Encryption. The only things that really speak against File Based Encryption are the lack of convenience and the fact that you might not want to put the responsibility of deciding what to encrypt into your employees’ hands. While corporate customers may have the budget to work around the problems above by employing specialists to take care of them, the average user (and cost-sensitive companies) may want to look into alternative encryption solutions.
There are a number of File Based Encryption solutions out there, some of which we have reviewed or will review. One example is Steganos Safe 2008, a program that does a great job of bringing you the “best of both worlds”. Its technology is file based, but it lets you mount the encrypted file as a drive within Windows, so it looks and feels like an encrypted partition while it is in fact a single container file. Clever idea, and they even have a free, slightly limited version of their Safe called Steganos Safe One.
More about the subject:

PGP, the market leader in Whole Disk Encryption, was found to be vulnerable, containing a “feature” that allows backdoor entry. See here:
http://www.dailymotion.com/video/x3sydn_disk-encryption-and-pgp_tech
Programs like the one mentioned above (Steganos) are much better for securing your data, and I totally agree that File Based Encryption is the better choice when it comes to securing your data!
Does Steganos work with Linux and Mac OS?
No, it doesn’t. They both come with integrated encryption solutions already.
First of all, congratulations on such a great site. I learned a lot reading the articles here today. I will make sure I visit this site once a day so I can learn more.
Hi,
Thanks for the nice post.
Cheers
Hey, I was looking around for a while searching for Encryption Disk Security Software and I happened upon this site and your post regarding Disk Encryption vs. File Based Encryption | Understandable Computer Security. I will definitely add this to my Encryption Disk Security Software bookmarks!
Hi there, I was looking around for a while searching for encryption security software and I happened upon this site and your post regarding Disk Encryption vs. File Based Encryption | Understandable Computer Security. I will definitely add this to my encryption security software bookmarks!
Yep – I would agree with that.. Thanks for the line.
[...] Whole Disk Encryption has other limitations compared to the alternative of File Based Encryption, we are happy to hear that one of the most [...]
[...] comes with disadvantages; the eight most important ones are listed below, following a post at Computer-Encryption.com [...]
I couldn’t have outlined any better the shortcomings of a fully encrypted disk drive. The one fault of a file/folder encrypting system is that it puts security responsibility in the hands of the user. Not so with Lost Data Destruction (LDD) from Beachhead Solutions, where encryption (and other security policy) is managed by the organization through the “Cloud.” Cloud-based management allows policy to be changed immediately, including remote denial (and restoration) of access to the data, even for those who have the credentials (e.g. a thief who also stole the password, or a terminated employee still in possession of the PC). A solution such as this manages and enforces encryption without the problems associated with whole disk encryption. Best of all, it gives management considerable control and flexibility over the sensitive data on PCs.