Disk Encryption – why is it important?

Ever had a user lose a laptop or have one stolen, or had desktops stolen as a result of an office break-in?

Hopefully not! But what risks are there of someone accessing your company data or systems should a machine end up in someone else’s hands?

You may think there isn’t a risk because your machines are protected by a login password. Incorrect: we could reset a Windows or Mac user password in minutes and gain access to the machine and its data, or create a new Admin user on the machine to reset user passwords.

Scary! Unless, that is, you have disk encryption enabled on the machine. Then it becomes nearly impossible to gain access or retrieve data, even more so if the machine is set to require a startup PIN to unlock the drive.

What is Disk Encryption?

Disk Encryption converts data into an unreadable code, making unauthorised access nearly impossible without the decryption keys. The technology protects the data on the drive.

Once encryption has been enabled and completed on a drive, accessing the data by installing the disk in a different machine or connecting it through a disk caddy requires the decryption key. The same applies if you boot the machine into a separate environment from a USB key or by another method. Any access to the disk requires the decryption key.

Why use Disk Encryption with Startup PIN?

Enabling Disk Encryption alone does protect the content on the disk in most circumstances, however there is still a risk. If you start up a machine (even with Disk Encryption) and get to the login prompt, there is still potential to try to access the data across the network. It is not going to be as easy a process as just resetting the user password, which is possible without Disk Encryption, but the potential remains because the disk in Windows is unlocked automatically on startup (as long as no hardware changes have been detected, such as putting the disk into another machine).

Enabling Disk Encryption with a Startup PIN requires you to enter a PIN on initial startup (or enter the decryption key if you do not know the PIN). Windows will not boot until the disk has been unlocked with either the PIN or the decryption key. Because the Operating System is unable to load, this blocks the risk mentioned above of access across a network.
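The check below is an added example, not part of the original article: a PowerShell function (the name Test-StartupPinEncryption is made up for this example) that uses the built-in Get-BitLockerVolume cmdlet to confirm that the system drive is fully encrypted, protection is on, and both a startup PIN and a recovery password are configured. It assumes BitLocker is the encryption product in use and that it is run from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: audits the OS drive for the settings described above.
# Test-StartupPinEncryption is a hypothetical name; Get-BitLockerVolume
# ships with the BitLocker module on supported Windows editions.

function Test-StartupPinEncryption {
    param(
        # Drive to audit; defaults to the drive Windows boots from (e.g. "C:")
        [string]$MountPoint = $env:SystemDrive
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $findings = @()

    # Encryption must have finished, not merely been switched on
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
    }

    # Protection can be off or suspended even on a fully encrypted volume
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += 'BitLocker protection is off or suspended'
    }

    # Without a PIN protector the drive unlocks by itself and Windows
    # boots straight to the login prompt
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    if (-not $hasPin) {
        $findings += 'No startup PIN protector: drive unlocks automatically at boot'
    }

    # A recovery password is the fallback when the PIN is forgotten
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector configured'
    }

    [pscustomobject]@{
        MountPoint     = $vol.MountPoint
        Compliant      = ($findings.Count -eq 0)
        ProtectorTypes = $types -join ', '
        Findings       = $findings
    }
}

Test-StartupPinEncryption | Format-List
```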

Common Disk Encryption Solutions

Windows

BitLocker – BitLocker is built into the Professional versions of the Windows Operating System, with the option to require a PIN available through the Local Group Policy on the machine.

ESET Endpoint Encryption – Not running Windows Professional? The most common reason to use a third-party product such as ESET Endpoint Encryption to encrypt a machine is as an alternative to upgrading a Standard version of Windows to Professional.

Mac

FileVault – Like BitLocker in Windows Professional, FileVault is included with macOS to enable Disk Encryption on Mac computers.

Protecting your machines with Disk Encryption is an important step in securing your data should the unfortunate events of loss or theft occur. Planning for potential future misfortunes is a necessity, and Disk Encryption should be part of this. A laptop or device loss that includes company data or access would need to be reported as a Data Breach under GDPR. Disk Encryption on machines would help evidence such an event as low risk.

Final Note: KEEP YOUR DECRYPTION KEYS SAFE AND SECURE!

If you would like any further information on Disk Encryption or the options available to you, please get in touch.
