
Disk encryption

If you bring a laptop to work and put company data on it (code or other valuable documents), it is strongly recommended to encrypt this data. If, for whatever reason, you lose the physical device, the data on it remains safe. Leaked data can lead to serious financial issues for the company or its clients. Our security is only as strong as the weakest link, so let’s treat this as a shared responsibility.

There is a solution for every OS; here are a few:

Full disk encryption vs (home) folder encryption

Usually there is an option to encrypt either the whole disk or only a certain folder, such as the home folder where user data is stored. Overall, full disk encryption is safer and therefore recommended. The sensitive user data is usually stored in the home folder, but you probably don’t know where applications store their data. If an application stores sensitive data (such as passwords) elsewhere on the disk, that data can still be stolen from an unencrypted part of the disk.

tl;dr: If possible, encrypt the whole disk.

Passphrase or key?

In order to unlock an encrypted disk, a key or a passphrase is usually used. Here’s a summary of the pros and cons of each:

Passphrase

Ah, the good ol’ passphrase (or password). It’s the most common way to secure anything. This may be considered a pro: it’s widely implemented and works almost anywhere without hassle. A passphrase can’t be stolen either; however, it can be forgotten (memory is a funny thing). It can also be quite annoying to manually enter a passphrase in order to boot. The strength of the protection depends strongly on the strength of the passphrase. Read more on passwords and best practices for managing them.

Key

A key or keyfile can be used instead of a passphrase. A key is usually considered more secure than a passphrase, as it is typically much longer and more random. When using a key for disk encryption it is advised to put it on a separate drive, such as a USB flash disk. With the USB drive the encrypted drive can be unlocked; without it, unlocking is nearly impossible. (So be sure not to lose it! Or make a backup.) Brute-force attacks are also pointless, as the key is usually long enough. If you want, you can also encrypt the keyfile with a passphrase, but chances are that this is unsupported or far too troublesome.
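To make the passphrase-versus-key trade-off concrete, the following added example (written for this page, not cryptsetup's or any OS vendor's code) models how a LUKS-style header lets one disk be unlocked by either a passphrase or a keyfile: a random master key encrypts the disk, and each "key slot" stores that master key wrapped under a secret run through an expensive KDF (scrypt here). It also puts numbers on why brute-forcing a 512-byte keyfile is pointless while an 8-character passphrase is not. The wrapping (XOR with a scrypt-derived mask) is a deliberate simplification standing in for the AES key wrapping real tools use; all names, cost parameters, the sample passphrase and the sample keyfile are constructed for this example.

```python
import hashlib
import math
import secrets
from typing import Optional

# Constructed sample inputs (not from the page): a weak 8-character passphrase
# and a 512-byte random keyfile, a size commonly used for cryptsetup keyfiles.
SAMPLE_PASSPHRASE = b"Tr0ub4d!"
SAMPLE_KEYFILE = secrets.token_bytes(512)

# Assumed scrypt cost parameters, chosen to stay under hashlib's default
# 32 MiB memory limit (128 * n * r bytes = 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Brute-force search space, in bits, for a uniformly random secret of
    `length` symbols drawn from `alphabet_size` possible values."""
    return length * math.log2(alphabet_size)


def log2_years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """log2 of the years needed to try every candidate. Kept in log scale
    because 2**4096 does not fit in a float."""
    return bits - math.log2(guesses_per_second) - math.log2(SECONDS_PER_YEAR)


def new_master_key() -> bytes:
    """The key that actually encrypts the disk; a human never types it."""
    return secrets.token_bytes(32)


def _mask(secret: bytes, salt: bytes, length: int) -> bytes:
    # scrypt accepts any length of secret, so a passphrase and a 512-byte
    # keyfile go through exactly the same path.
    return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=length)


def wrap_master_key(master: bytes, secret: bytes) -> dict:
    """Create one key slot: the master key XORed with a scrypt-derived mask.
    Simplification of LUKS, which wraps with AES; the structure is the same:
    a fresh salt per slot, an expensive KDF, and a short digest of the master
    key so a wrong secret can be detected."""
    salt = secrets.token_bytes(16)
    mask = _mask(secret, salt, len(master))
    return {
        "salt": salt,
        "wrapped": bytes(m ^ k for m, k in zip(master, mask)),
        "check": hashlib.sha256(master).digest()[:8],
    }


def unwrap_master_key(slot: dict, secret: bytes) -> Optional[bytes]:
    mask = _mask(secret, slot["salt"], len(slot["wrapped"]))
    master = bytes(w ^ k for w, k in zip(slot["wrapped"], mask))
    if hashlib.sha256(master).digest()[:8] != slot["check"]:
        return None  # wrong passphrase or wrong keyfile for this slot
    return master


def unlock(slots: list, secret: bytes) -> Optional[bytes]:
    """Try every slot with the offered secret, as the boot-time prompt does."""
    for slot in slots:
        master = unwrap_master_key(slot, secret)
        if master is not None:
            return master
    return None


def build_header(master: bytes, passphrase: bytes, keyfile: bytes) -> list:
    """Two slots for one disk: slot 0 holds a passphrase, slot 1 a keyfile.
    Dropping slot 1 from the list is the equivalent of revoking a lost USB key."""
    return [wrap_master_key(master, passphrase), wrap_master_key(master, keyfile)]


if __name__ == "__main__":
    master = new_master_key()
    slots = build_header(master, SAMPLE_PASSPHRASE, SAMPLE_KEYFILE)
    print("passphrase unlocks:", unlock(slots, SAMPLE_PASSPHRASE) == master)
    print("keyfile unlocks:   ", unlock(slots, SAMPLE_KEYFILE) == master)
    print("wrong secret:      ", unlock(slots, b"wrong"))
    guesses = 1e9  # assumed attacker speed, ignoring KDF cost (worst case)
    for name, bits in (("8-char passphrase", search_space_bits(95, 8)),
                       ("512-byte keyfile", search_space_bits(256, 512))):
        print(f"{name}: {bits:.0f} bits, log2(years to exhaust) = "
              f"{log2_years_to_exhaust(bits, guesses):.1f}")
```

The point of the two-slot header is that the passphrase and the keyfile protect the same master key, so losing the USB drive means removing its slot, not re-encrypting the disk. The search-space numbers show why the text calls brute force pointless for a keyfile: even with the KDF cost ignored, a 512-byte random keyfile is out of reach by thousands of orders of magnitude, while an 8-character passphrase only survives because of the KDF and the passphrase's own strength.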

Some laptops also have a so-called TPM. Keys can be stored in it securely, so no separate drive is needed. However, the encryption becomes tied to the hardware, and the drive will probably not unlock in another machine. A TPM may also be insecure, but that’s documented in the linked wiki page.