What is Drive Encryption?
Drive encryption refers to the process of encrypting the data stored on a storage device like a hard drive, solid state drive, or external drive (Source). It converts the data on the drive into an unreadable format using cryptographic algorithms that can only be decrypted with the proper encryption key.
There are two main approaches to drive encryption:
- Software-based encryption uses encryption software installed on the operating system to encrypt drives.
- Hardware-based encryption relies on encryption chips built into the hard drive or SSD to handle encryption.
In both cases, drive encryption transforms plaintext data into ciphertext that looks like random gibberish to anyone without the encryption key. This prevents unauthorized access to the data in case the drive is lost, stolen, or accessed by someone who shouldn’t have access.
Why Encrypt an External Drive?
Encrypting an external drive provides important privacy and security benefits. Drive encryption helps to protect sensitive data in the event that a device is lost or stolen. It prevents unauthorized users from accessing the data, even if they have physical possession of the drive (1).
Full disk encryption transforms data on the hard drive into unreadable cipher text. Without the proper encryption key, the data remains scrambled and inaccessible (2). This protects personal or confidential business information from falling into the wrong hands.
In addition, encryption guards against unauthorized access if an unauthorized person gains physical access to the computer. The encrypted drive cannot be simply plugged into another machine and read. Proper credentials are still required (3).
Drive encryption provides peace of mind for individuals dealing with sensitive financial, medical, or personal data. Companies encrypt devices to secure proprietary information, trade secrets, strategies and more. By leveraging strong encryption, the valuable data remains private even if devices are misplaced.
Sources:
(1) https://www.recordnations.com/articles/encrypt-external-hard-drive/
(2) https://www.techtarget.com/searchenterprisedesktop/definition/hard-drive-encryption
(3) https://www.n-able.com/blog/disk-encryption-software-key-benefits
How Does Drive Encryption Work?
Drive encryption works by using cryptographic techniques to encode data on a hard drive or external storage device. A unique encryption key is randomly generated to encrypt the drive. This key is required to decrypt and access the data later.
The encryption process follows these basic steps:
- An encryption algorithm is used to generate a random, complex key that will be used to encrypt the drive.
- The drive’s file system and data are encrypted using this key and encryption algorithm, transforming the data into unreadable ciphertext.
- The encryption key is stored separately from the encrypted drive, often requiring a password to regenerate it.
- To decrypt and access the encrypted drive, the key must be provided again to reverse the mathematical operations performed during encryption.
The encryption and decryption processes use cryptographic techniques like symmetric key algorithms, asymmetric key algorithms, and hashing functions to securely transform plaintext data into ciphertext and back again. This prevents unauthorized access to sensitive data stored on external drives.
Common encryption algorithms used for drive encryption include AES (Advanced Encryption Standard), Blowfish, Twofish, Serpent, and CAST5. The algorithm and encryption key strength determine how easy it is for an attacker to crack the encryption.
Software-Based Encryption
Software-based encryption relies on encryption tools or software to encrypt drives. Some popular examples of software-based encryption tools include:
- VeraCrypt (open source disk encryption software): VeraCrypt allows you to encrypt an entire partition or disk, encrypt specific folders, or create encrypted containers. It supports encryption algorithms like AES, Serpent, and Twofish. VeraCrypt is noted for being free, open source, and easy to use.
- BitLocker (Microsoft encryption program): BitLocker is built into some versions of Windows and allows you to encrypt the system drive. It utilizes AES encryption. BitLocker makes full drive encryption seamless for Windows users.
- AxCrypt (freemium encryption software): AxCrypt enables you to encrypt individual files as well as folders. The free version has basic encryption capabilities while the premium version includes advanced features.
- Boxcryptor (paid encryption software): Boxcryptor integrates with cloud storage services and allows you to encrypt files before uploading them. It uses AES-256 encryption and supports encryption across various devices and operating systems.
- DiskCryptor (open source): DiskCryptor offers full disk and partition encryption using algorithms like AES, Serpent, and Twofish. It supports operating systems like Windows and boots from an encrypted partition.
These software tools allow you to encrypt drives in a user-friendly way without configuring complex encryption settings. Many support strong 256-bit AES encryption. The encryption runs in the background once enabled.
Hardware-Based Encryption
Hardware-based encryption relies on dedicated encryption chips or circuitry built into the external drive itself to handle the encryption/decryption process. Many external drives today come with AES 256-bit encryption capabilities built-in.
These types of self-encrypting drives have the encryption functionality handled at the drive level. When data is written to the drive, it is automatically encrypted before being stored. When reading data, it is decrypted on the fly before being passed back to the host computer. This makes the encryption/decryption process transparent to the user and OS. The encryption keys are stored internally on a cryptographic module within the drive circuitry. Many self-encrypting drives meet the FIPS 140-2 standard for cryptography.
The main advantage of hardware-based encryption is that it does not rely on the host computer resources to encrypt/decrypt data, making the process faster and freeing up the computer CPU for other tasks. It also ensures encryption applies to the entire drive. However, the encryption keys are only as secure as the drive hardware itself. If the cryptographic module storing the keys is compromised, the encryption can be defeated.
Encryption Algorithms
Encryption algorithms are the mathematical functions used to encrypt data. There are several common encryption algorithms that are widely used today for encrypting data and communications:
AES (Advanced Encryption Standard) is a symmetric encryption algorithm that is considered one of the most secure. It encrypts data in blocks of 128 bits using cipher keys of 128, 192, or 256 bits. AES is commonly used to encrypt files, disks, and databases today. It is very fast and efficient at encrypting large amounts of data [1].
Blowfish is another symmetric encryption algorithm known for its speed and efficiency. It uses variable length keys up to 448 bits, making it very secure. Blowfish is commonly used for encrypting files and disks. It’s designed to be used on large microprocessors efficiently [2].
RSA is an asymmetric algorithm used for encrypting messages and digital signatures. It uses a public and private key pair for encryption and decryption. RSA is commonly used for encrypting web traffic and smaller pieces of data. It can be less efficient for bulk encryption compared to algorithms like AES [3].
Setting Up Drive Encryption
To encrypt an external drive, the first step is to enable encryption on the target drive. On Windows, BitLocker is the built-in drive encryption tool. To enable BitLocker on an external drive:
- Connect the external drive to your Windows PC via USB.
- Open File Explorer and locate the external drive.
- Right click on the drive and select “Turn on BitLocker.”
- Choose how you want to unlock the drive in the future – with a password or smart card.
- Enter a password to encrypt the drive. Make sure it is long and complex.
- Save the recovery key that is generated. This key can unlock the drive if you forget the password.
- Wait for the encryption process to complete before disconnecting the drive.
On macOS, FileVault is the built-in disk encryption tool. To enable FileVault on an external drive:
- Connect the external drive and open Finder.
- Right click on the external drive and select “Encrypt [Drive Name]”
- Choose a strong password to encrypt the drive.
- Save the recovery key provided. This can unlock the drive if you forget the password.
- Allow time for the encryption process to fully complete.
The key generation and management process is important. The encryption keys should be strong, complex passwords that are stored securely. The recovery keys allow access to the encrypted data if the main password is forgotten. Follow best practices for password security when managing encryption keys.
Encrypting Specific Folders
Instead of encrypting the entire drive, you can choose to encrypt only certain folders or files on the external drive. This allows you to protect sensitive data while keeping other folders accessible.
On Windows 10 and later, you can enable Advanced Encryption Standard (AES) encryption on specific folders. Right click on the folder, select Properties, click Advanced and check the box for “Encrypt contents to secure data.” This will prompt you to create an encryption key that is required to access the folder. Only the folder contents will be encrypted, not the folder name itself. Refer to this SuperUser guide for details.
On Mac OS, you can create an encrypted disk image that mounts as a separate drive. Then just copy the sensitive folders or files into the encrypted disk image. Instructions can be found here on Apple’s support site. This allows file-level encryption without encrypting the entire external drive.
Third party encryption tools like Veracrypt also give you the option to selectively encrypt folders on an external drive while keeping other data untouched.
Accessing an Encrypted Drive
To access files and data on an encrypted external drive, the user needs to provide the correct password or decryption key. Encryption keys are usually stored in a key file or certificate that must be accessible to unlock the drive.
On Windows machines, BitLocker-encrypted drives will prompt for a password or smart card upon connecting the drive. On Macs, FileVault full disk encryption requires the user’s account password to mount the encrypted volume and access files. For software encryption tools like VeraCrypt, the user must provide the correct password to mount the encrypted volume.
Proper key management is crucial when using drive encryption. If the encryption key is forgotten or lost, the data will remain inaccessible. Some solutions like BitLocker allow resetting or recovering the key 1, but without the original key the decryption process can be very difficult or impossible. Organizations and users should have strict backup procedures for encryption keys to prevent permanent data loss.
Besides entering a password or decryption key, accessing an encrypted drive works like using any other storage device. Once unlocked, the encrypted drive mounts and operates normally allowing seamless access to protected files.
Drawbacks of Drive Encryption
There are some disadvantages to using full drive encryption:
Performance Overhead – Encrypting and decrypting data on the fly can cause a performance hit, especially on older hardware. The encryption/decryption process uses additional CPU resources which can lead to slower read/write speeds.1 Solid state drives and newer CPUs generally have dedicated encryption instructions to minimize the performance impact.
Key Management Complexity – Protecting, backing up, and managing encryption keys adds complexity, especially in enterprise environments. If the keys are lost, the data becomes inaccessible. Policies need to be implemented to secure keys while also allowing access for authorized users.2
Recovery Challenges – If something goes wrong with the bootloader or keys, it can be difficult to recover data from an encrypted drive. Specialized recovery software may be required. Encrypted drives also pose challenges for data recovery services if there is a hardware failure.