Full Disk Encryption (FDE)
What is Full Disk Encryption (FDE)?
Full Disk Encryption encrypts all data on a storage drive so it cannot be read without the correct key, even if the device is lost or the drive is removed. It protects data at rest by ensuring the disk contents are unusable to someone who does not have the decryption keys.
Examples
- A company requires BitLocker on all Windows laptops so a stolen device does not expose customer data.
- A developer uses FileVault on a MacBook so source code remains protected if the laptop is lost during travel.
Discover 🔎
When a laptop is stolen, the attacker does not usually try to log in like a normal user. They try to read the drive directly by removing it, booting from a USB stick, or attaching it to another system. Full Disk Encryption is designed for exactly this scenario. It makes the entire disk unreadable without the correct keys, which protects sensitive data even when the device is physically in the wrong hands.
Summary 📝
Full Disk Encryption protects data on a device by making the entire drive unreadable without the correct keys. It is most effective against loss and theft because it blocks offline access to files. Strong deployments combine encryption with secure boot, TPM-backed key protection, and well-controlled recovery keys, while recognizing that unlocked devices still require other security controls.