Full-disk encryption, explained
Full-disk encryption ensures the data on your device stays safe even if the device is compromised. Find out how full-disk encryption works, why it matters, and how it protects your data.
What is full-disk encryption?
Full-disk encryption (FDE) is a security method that automatically encrypts all data stored on a device’s drive, including the operating system, applications, and personal or business files. Without proper authentication, like a password, PIN, or biometric login, the data remains unreadable on the device.
Think of FDE like having a safe: Even if someone steals it, they wouldn't be able to open it without the combination, so all your valuables stay protected.
How is full-disk encryption different from file-based encryption?
Full-disk encryption (FDE) encrypts an entire storage device automatically. It protects all data including the operating system, apps, and files as long as the device is locked or powered off. File-based encryption (FBE), on the other hand, encrypts only specific files or folders individually. It gives more granular control, but you have to set it up selectively.
How does full-disk encryption work?
Full-disk encryption protects all data stored on a device (data at rest) by automatically converting it from readable information (plaintext) into unreadable code (ciphertext) using cryptographic algorithms.
When you power on the device, you authenticate with a password, PIN, or biometric login, which unlocks the encryption key and allows data to decrypt in real time.
If authentication succeeds, everything works normally; if not, the data stays scrambled and inaccessible, even if someone removes the drive or tries to access it from another environment, such as a recovery toolkit.
How file-disk encryption is used
Here are some common examples of full-disk encryption (FDE) solutions across different platforms:
- BitLocker is a built-in Windows tool that can secure entire drives, including USB devices, with FDE. It’s available in Windows Vista and newer.
- FileVault is Apple’s native full-disk encryption tool, first introduced in Mac OS X 10.3 Panther (2003) and included in newer macOS versions.
- LUKS / dm-crypt is the standard full-disk encryption framework on many Linux distributions, offering strong, flexible encryption for desktops, servers, and removable media.
- On iOS, full-disk encryption is automatically enabled when you set a passcode.
- Older Android devices used full-disk encryption (FDE), but Google gradually moved to file-based encryption (FBE). Devices launching with Android 10 or newer are required to use FBE, and support for FDE has been phased out in recent Android versions.
- Self-encrypting drives (SEDs) are hard drives that perform encryption automatically, often used in enterprise environments.
What are the benefits of full-disk encryption?
Prevent unauthorized access
If someone gets physical access to your laptop, phone, external drive, or even a server hosting your data, FDE keeps the information unreadable.
It’s particularly helpful for securing sensitive personal files and confidential business data.
Stay compliant
Many security standards and data protection laws expect encryption when you’re handling sensitive or customer data.
FDE helps you stay compliant and goes a long way toward protecting customer trust and your organization’s reputation.
Dispose of data securely
When an entire disk is protected by full-disk encryption, securely deleting the encryption keys makes all stored data permanently inaccessible.
It’s faster and safer to recycle, resell, or dispose of devices without relying on manual data wiping.
Take charge of your data
Proton was built to protect your data from the start. With end-to-end encryption, open-source apps, and independent audits, your information stays yours.
Frequently asked questions
- Is full-disk encryption really necessary?
- Does full-disk encryption slow down a computer?
- Are there risks full-disk encryption doesn’t protect against?
