There was a time, not all that long ago, when a fully-encrypted system disk was something only for people with money to burn. You bought a special disk controller which performed hardware-based encryption, and then trusted the hardware vendor to make sure everything was implemented properly -- e.g., that they were using a good algorithm, that the key size for the encryption wasn't laughably short, and so on.
Today, full-system encryption in software is both feasible and practical -- although how practical will depend on the workload involved. But it's not a security silver bullet, much as it might seem to be from the outside. It can, and does, add a layer of protection that greatly reduces the risk of data compromise in the event hardware is lost or stolen. But that protection depends entirely on how it's implemented, and whether or not the user's been educated in the way an encrypted system works.
How Disk Encryption Works
System-disk encryption, or full-disk encryption, involves encrypting the operating system partition on a computer and then booting and running with the system drive encrypted at all times. If the computer is stolen or lost, all the data on the drive -- including the OS itself -- is unreadable without that volume's key. The data on the system can be considered a write-off without the need to remotely wipe the device.
When you boot an encrypted system, you need to provide a decryption key at boot time. The key could be any number of different things -- a password; a USB flash drive with the decryption key; an RSA token-generating device; a fingerprint in conjunction with a Trusted Platform Module; or a combination of the above, in some variety of two-factor authentication. For the most part, the only thing that changes for the end user is the boot process, and then only minimally.
If the key itself is lost or stolen, most full-disk encryption systems provide some form of key escrow. This means a backup copy of the encryption key is held by the system administrator and can be used to recover the data on the system, and a new key can be generated without too much trouble. Professional-grade products typically allow the key to be held in a central repository such as an LDAP or Active Directory schema. (The lost key itself is useless without the data encrypted with it, so it can generally be written off if it goes missing.)
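The escrow arrangement described above, as an added example (not code from the article or from any product): it assumes the common two-level design in which one random volume key encrypts the disk and each boot secret or escrow secret only wraps a copy of that key. The names `VolumeHeader`, `derive_kek` and `recover_after_lost_key` are hypothetical, and the HMAC-based wrap is a standard-library stand-in for a real key-wrap cipher.

```python
import hashlib
import hmac
import os

def derive_kek(secret: bytes, salt: bytes) -> bytes:
    # Stretch a boot-time secret (password, token value) into a key-encryption key.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000)

def wrap(kek: bytes, volume_key: bytes) -> dict:
    # Stand-in key wrap for a 32-byte key: HMAC keystream XOR plus an integrity tag.
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unwrap(kek: bytes, slot: dict):
    # Returns None when the tag does not verify, i.e. the secret is wrong.
    tag = hmac.new(kek, b"mac" + slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None
    stream = hmac.new(kek, b"enc" + slot["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(slot["ct"], stream))

class VolumeHeader:
    # Holds one wrapped copy of the volume key per authorised secret.
    def __init__(self):
        self.salt = os.urandom(16)
        self.slots = {}

    def add_slot(self, name: str, secret: bytes, volume_key: bytes) -> None:
        self.slots[name] = wrap(derive_kek(secret, self.salt), volume_key)

    def unlock(self, secret: bytes):
        kek = derive_kek(secret, self.salt)
        for slot in self.slots.values():
            vk = unwrap(kek, slot)
            if vk is not None:
                return vk
        return None

def recover_after_lost_key(header, escrow_secret: bytes, new_user_secret: bytes) -> bytes:
    # The admin's escrow secret recovers the volume key; the disk is not re-encrypted.
    vk = header.unlock(escrow_secret)
    if vk is None:
        raise ValueError("escrow secret does not open this volume")
    header.slots.pop("user", None)  # retire the lost user's slot
    header.add_slot("user", new_user_secret, vk)
    return vk
```

Under this assumption, issuing a replacement key rewrites only a small header slot, which is why recovery is quick regardless of disk size.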