Whenever a hacker breaches a network or an executive loses a laptop, data is exposed to theft. Full disk encryption of hard drives, external drives, and other storage systems provides a baseline of defense against this risk and can easily be implemented as a first step toward better security.
We will start with a list of 10 top full disk encryption (FDE) software solutions and discuss their features, pros, cons, and cover any available pricing. Next, we will cover the pros and cons of full disk encryption as a technology before we conclude with an overview of what criteria enabled vendors to make this list.
Most PC and server operating systems have built-in encryption technology that can be easily enabled for local file and full-drive encryption. The top two technologies are covered in detail below: FileVault 2 and BitLocker.
Built-in free encryption tools provide strong protection, but larger businesses need centralized controls to enforce compliance with security standards and to manage encryption keys. Organizations willingly pay licensing fees for more sophisticated encryption software to reduce IT support costs associated with encryption setup, management, and user support.
Micro Focus, acquired by OpenText in August 2022, delivers the ZENworks Full Disk Encryption (FDE) solution for management and enforcement of endpoint full-disk encryption. Other tools in the ZENworks product family include solutions for tracking, configuration, security, and endpoint management through a single web-based console.
Micro Focus does not publish pricing for the ZENworks FDE product on their website. ZENworks FDE annual licenses can be purchased on a per user/device basis, and customers likely can obtain volume discounts or reseller discounts through sales partners.
Sophos does not publish pricing information but offers free trials and quotations through their website. Sophos Central Device Encryption can also be purchased through resellers, and annual per-endpoint client licenses are priced around $15. Bulk discounts and dealer incentives may reduce the prices further.
A license for the Symantec Endpoint Encryption with one year of support is estimated to cost around $65 per Windows device. There may be variance in prices for licenses for different operating systems and volume discounts.
Trellix does not publish pricing but encourages interested organizations to contact sales through their website. Trellix offers annual subscriptions and perpetual licenses with one year of support, and organizations can likely obtain volume-based discounts and partner promotions.
Trend Micro does not publish pricing information on their website for the Endpoint Encryption tool; however, a license for a single user and up to 500 endpoints is estimated to be between $75 and $85 per year. Trend Micro offers free quotes and free trials of the Smart Protection Suite that includes the Endpoint Encryption tool. Trend Micro also helps organizations to find a resale partner that can likely provide bulk pricing or other incentives.
Check Point offers demos and free trials for Harmony Endpoint. Check Point offers annual licenses for three versions of Harmony Endpoint (Basic, Advanced, Complete). However, host encryption is only available with Harmony Endpoint Complete, which costs about $64 per device (Windows, macOS, Linux).
ESET PROTECT delivers full disk encryption as part of their ESET PROTECT bundle that also includes a unified management console, endpoint protection, file server security, advanced threat defense, email security, and cloud application protection.
ESET offers an interactive demo and a 30-day free trial of PROTECT. Pricing is listed on their website, but does not reflect potential discounts available through resellers and MSP / MSSP partners. For businesses, ESET offers three versions of ESET PROTECT (Entry, Advanced, Complete), but only Advanced and Complete support full disk encryption.
ESET PROTECT licenses are for a minimum of one year and five devices. Discounts are available for longer time commitments, more endpoints, and through occasional new customer promotions. Prices start at:
Encrypted data provides an obstacle and a layer of risk mitigation against data loss by rendering data unreadable at rest. Full disk encryption (FDE) uses encryption algorithms to encase the operating system, all data, and all installed applications residing within a storage device within the encrypted environment.
When a device is turned on, the user is prompted for the encryption key that descrambles the data and allows the system to decrypt enough to boot and run normally. However, while encryption provides a strong benefit in specific use cases, it cannot solve all problems, and organizations need to be aware of both the advantages as well as the limitations of FDE.
Enables User-Data-Device Matching: FDE can also work with multi-factor authentication methods (biometrics, USB keys, one-time passwords, etc.) to ensure that the data is only accessed by the correct person on the correct device.
Decrypted data remains vulnerable: Full disk encryption only works when the data is at rest. Once the user turns on the device and the drive decrypts, information read from the disk is decrypted on the fly and stored in memory. This decrypted data can then become vulnerable to a variety of attacks:
Brute force attack vulnerability: The only practical way to decrypt encrypted drives without access to the key is to use software to make repeated attempts to guess the password. Organizations prevent these brute-force attacks through settings in the FDE software that limit failed login attempts or disable the system (permanently or for a fixed period) after a certain number of failed login attempts. Weak user passwords undermine brute-force protections, so password complexity should be enforced.
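The following PowerShell function is an added example, not code from the article or from any vendor it lists. It audits, from a defender's side, the three controls the paragraph above describes on a BitLocker-protected Windows device: whether a user secret (PIN or startup key) is actually required at boot, the TPM's own failed-attempt lockout state as reported by Get-Tpm, and the minimum PIN length enforced through the BitLocker policy registry value MinimumPIN. It assumes an elevated session with the BitLocker and TPM cmdlets available; the threshold in the RequiredMinPin parameter is a hypothetical policy choice, not a value from the page.

```powershell
# Added example (not from the article): audit brute-force protections for a
# BitLocker OS volume. Assumes an elevated session; Get-BitLockerVolume and
# Get-Tpm are the standard Windows cmdlets. RequiredMinPin is a hypothetical
# organizational threshold.
function Test-FdeBruteForcePosture {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [int]$RequiredMinPin = 8            # hypothetical policy threshold
    )
    $findings = @()

    # 1. Key protectors: a TPM-only protector asks the user for nothing at boot,
    #    so there is no second factor; TpmPin / TpmPinStartupKey / StartupKey
    #    protectors add the user-held secret the article calls "user-data-device
    #    matching".
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Protection is '$($vol.ProtectionStatus)' on $MountPoint"
    }
    $userFactor = @($types | Where-Object { $_ -match 'Pin|StartupKey' })
    if ($userFactor.Count -eq 0) {
        $findings += "No PIN or startup-key protector (protectors: $($types -join ', '))"
    }

    # 2. TPM anti-hammering: the TPM throttles and finally locks after repeated
    #    failed PIN attempts; report its current counters and lockout state.
    $tpm = Get-Tpm
    if (-not $tpm.TpmReady) { $findings += 'TPM is not ready' }
    if ($tpm.LockedOut) {
        $findings += "TPM is currently locked out (heal time: $($tpm.LockoutHealTime))"
    }

    # 3. PIN complexity policy. The "Configure minimum PIN length for startup"
    #    policy lands in HKLM\SOFTWARE\Policies\Microsoft\FVE as MinimumPIN;
    #    UseEnhancedPin allows letters and symbols rather than digits only.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $minPin = (Get-ItemProperty -Path $fve -Name MinimumPIN -ErrorAction SilentlyContinue).MinimumPIN
    if (-not $minPin) {
        $findings += 'No MinimumPIN policy set; the platform default minimum applies'
    } elseif ($minPin -lt $RequiredMinPin) {
        $findings += "MinimumPIN policy is $minPin, below the required $RequiredMinPin"
    }
    $enhanced = (Get-ItemProperty -Path $fve -Name UseEnhancedPin -ErrorAction SilentlyContinue).UseEnhancedPin
    if (-not $enhanced) { $findings += 'Enhanced (alphanumeric) PINs are not enabled' }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = $types
        TpmLockoutCount  = $tpm.LockoutCount
        TpmLockoutMax    = $tpm.LockoutMax
        MinimumPin       = $minPin
        Findings         = $findings
        Compliant        = ($findings.Count -eq 0)
    }
}

# Usage: Test-FdeBruteForcePosture | Format-List
```

The function is read-only: it reports gaps rather than changing policy, so it can be run across a fleet from a management host and the Findings array fed into whatever compliance reporting is already in place.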
Slowed performance: Encryption adds a layer of calculations and one more application for computer memory and processors to juggle in addition to other workloads. For newer personal computers, the slowness may be imperceptible, especially for users that begin working with already-encrypted drives. However, for computationally heavy applications and older devices, performance will certainly be affected.
Disabled software: Full disk encryption products may overwrite parts of the disk (such as the boot sector) already in use by other installed software. FDE installed later may make this software unusable. In most cases, this type of conflict can only be detected after installation.
To gather candidates for this list, market research was performed on the encryption category to determine popular solutions for full disk encryption. Based upon product reviews, industry discussions, and industry rankings, the list was narrowed to top candidates. An analysis of capabilities was then performed to determine how the product fit into the Full Disk Encryption category relative to peers.
We then considered tool features, with the most weight on the critical centralization of encryption control and key management. Finally, price, prominence, and extra features helped us make our final list.
A large number of tools enable full disk encryption, and the market continues to evolve. This list of top tools will likely evolve with the market over time to reflect added capabilities and rising competitors.
Full drive encryption may be a limited tool, but it plays a crucial role in a business environment. The low effort to implement FDE and the decrease in risk for lost or stolen data more than offsets potential limitations. FDE provides a high-value solution that all organizations should strongly consider adding to their security stack.
Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it, or by transferring the device's hard drive to a different device. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled.
BitLocker provides maximum protection when used with a Trusted Platform Module (TPM), which is a common hardware component installed on Windows devices. The TPM works with BitLocker to ensure that a device hasn't been tampered with while the system is offline.
In addition to the TPM, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device that contains a startup key. These security measures provide multifactor authentication and assurance that the device can't start or resume from hibernation until the correct PIN or startup key is presented.
For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker.
A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the preboot startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware.
TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
An operating system installed on hardware in Legacy BIOS mode will no longer boot once the BIOS mode is changed to UEFI. Run the mbr2gpt.exe tool before changing the BIOS mode; it prepares the OS and the disk to support UEFI.
If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create the volume. For more information about using the tool, see Bdehdcfg in the Command-Line Reference.
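The following PowerShell function is an added example rather than Microsoft's own code. It checks, without changing anything, each prerequisite the preceding paragraphs list: TPM presence and specification version (read from the Win32_Tpm CIM class), firmware mode (the $env:firmware_type variable reports UEFI or Legacy), Secure Boot state via Confirm-SecureBootUEFI, the partition style of the OS disk, and whether a separate system partition exists for the boot files. Where a prerequisite is not met it reports the remediation the text names (switch to native UEFI after mbr2gpt.exe, or create the boot volume with BdeHdCfg.exe) as a recommendation string instead of running those tools, since both modify the disk. It assumes an elevated session and that the OS disk is disk 0 unless told otherwise.

```powershell
# Added example (not Microsoft documentation code): read-only BitLocker
# readiness check covering TPM version, firmware mode, Secure Boot, partition
# style and the separate system partition. Assumes an elevated session; the
# OS disk number is an assumption that can be overridden.
function Test-BitLockerReadiness {
    param([int]$DiskNumber = 0)
    $findings = @()
    $actions  = @()

    # TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.59" or "1.2, 2, 3";
    # the first field is the specification version BitLocker cares about.
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = $null
    if ($null -eq $tpm) {
        $findings += 'No TPM detected: a startup key on a removable drive is mandatory'
    } else {
        $tpmVersion = [version](($tpm.SpecVersion -split ',')[0].Trim())
        if ($tpmVersion -lt [version]'1.2') {
            $findings += "TPM $tpmVersion is older than the required 1.2"
        }
    }

    # Firmware mode: TPM 2.0 requires native UEFI; Legacy/CSM is unsupported.
    $firmware = $env:firmware_type
    if ($tpmVersion -and $tpmVersion -ge [version]'2.0' -and $firmware -ne 'UEFI') {
        $findings += "TPM 2.0 present but firmware mode is '$firmware'; native UEFI is required"
        $actions  += "Run 'mbr2gpt.exe /validate /disk:$DiskNumber /allowFullOS' then '/convert' BEFORE switching the BIOS to UEFI"
    }

    # Secure Boot: the cmdlet throws on non-UEFI platforms, so treat that as 'not available'.
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = $null }
    if ($secureBoot -ne $true) {
        $findings += 'Secure Boot is not enabled (recommended for added security)'
    }

    # Partition style must be GPT to boot in UEFI mode.
    $disk = Get-Disk -Number $DiskNumber
    if ($firmware -eq 'UEFI' -and $disk.PartitionStyle -ne 'GPT') {
        $findings += "Disk $DiskNumber is $($disk.PartitionStyle), not GPT"
    }

    # BitLocker needs a separate system partition holding the boot files.
    $sysPart = @(Get-Partition -DiskNumber $DiskNumber | Where-Object { $_.IsSystem })
    if ($sysPart.Count -eq 0) {
        $findings += 'No separate system partition for the boot files'
        $actions  += "Inspect with 'BdeHdCfg.exe -driveinfo' and create one with 'BdeHdCfg.exe -target default'"
    }

    [pscustomobject]@{
        TpmSpecVersion  = $tpmVersion
        FirmwareMode    = $firmware
        SecureBoot      = $secureBoot
        PartitionStyle  = $disk.PartitionStyle
        SystemPartition = ($sysPart.Count -gt 0)
        Findings        = $findings
        Actions         = $actions
        Ready           = ($findings.Count -eq 0)
    }
}

# Usage: Test-BitLockerReadiness | Format-List
```

Because mbr2gpt.exe and BdeHdCfg.exe rewrite partition tables, the function only emits them as Actions text; an operator reviews that output and runs the conversion deliberately, after a backup, rather than having an audit script change the disk.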