File encryption is only as good as your end-users’ level of interest or knowledge. Simply put would you leave updating the corporate AV software, or software patching to your users? The key advantage of full disk encryption is that it automates the process and secures the entire disk, so mobile users don’t have to worry about it – and also cannot interfere with it. Enterprise data encryption solutions also offer central management with tools for resetting passwords when the user forgets or leaves so the corporate data remains a corporate asset. Let’s look at some of the factors it is worth considering with a full disc encryption product.

Performance and standards matters

Increasingly, compliance emphasis is being placed on encryption that meets the Federal Information Processing Standard (FIPS) developed by the United States Federal government. This entails the use of either Triple DES (Data Encryption Standard) or 256-bit AES (Advanced Encryption Standard) as the encryption algorithm.

Encryption performance is also a factor to consider. A common criticism levelled at FDE techniques is that they slow down the PC’s performance, with the user experiencing delays while data is encrypted and decrypted on the fly. To a certain extent this is true, but misleading. A typical business-oriented machine from a corporate fleet of laptops, built in the last 2 to 3 years, will have the processing power and memory capacity to make any difference in running performance barely noticeable. In fact, the only times that FDE truly impacts on performance is on boot-up or going into hibernation – but this is a very modest trade-off for security.


It’s essential that the FDE solution you choose is operative during these wake-up and shut down periods, to avoid security vulnerabilities. Busy users often don't shut down their laptops at the end of a session: they put them into sleep or hibernate mode, so they can start again quickly. It is vital to ensure the FDE solution you choose can encrypt the contents of the laptop’s memory during the process of it being written to the drive. If the solution does not do this, a thief can remove the disk drive from a stolen laptop that’s in sleep mode, mount it in another machine, and recall and read the data written from the memory. So support for laptops’ sleep and hibernation modes is critical.

For similar reasons, it’s important to choose an FDE solution that encrypts data before the laptop operating system loads, on boot. The FDE solution should take control while the computer’s BIOS looks for a master boot record to load, to prompt for the users for their login credentials. This ensures that only authenticated users boot the OS, and minimises the opportunities for manipulating data.

Security in hand

So far, so good and while the examples given relate to laptop PCs, the same concerns are just as valid for PDAs and smart phones which are also platforms for corporate data. Because these devices vary in operating system – from Symbian, Pocket PC and Windows Mobile to Palm – and architecture, an easy security solution is harder to define than for an Intel PC platform.