Full disk encryption (FDE) technology protects data-at-rest by encrypting all data stored on the hard drive of a protected computer. FDE is considered the most complete protection of such data. Even if an encrypted hard drive of a computer is removed, the data is still protected because it is encrypted. Almost all FDE products transparently encrypt or decrypt data “on the fly.” This means that once you have authenticated to the system, the data you need is decrypted as you need it, and data that you write to the system is encrypted as it is being written.

Most FDE solutions implement a pre-boot authentication (PBA) environment, frequently implemented as a hardened, lightweight operating system kernel that is not connected to the network. You must authenticate successfully at boot time in order for the encryption key to be recreated and provided to the encryption driver, or to the encrypting disk, so that the normal host operating system can boot. If you do not authenticate successfully, the disk remains encrypted and you cannot boot into the operating system. Some FDE solutions provide single sign-on, so that once you authenticate at the PBA, you are also logged in to the operating system.

Full Disk Encryption + YubiKey

There are various two-factor authentication options available in commercial FDE products. However, most options require installation of additional hardware, such as smart card readers and/or special drivers. Using a YubiKey configured in Challenge-Response mode, commercial FDE products can easily add an additional layer of security.

YubiKey is simple to use and has the following advantages:

  • Does not require any additional hardware to be installed
  • Uses a standard USB port
  • Does not require network access in the pre-boot authentication environment

Implementing FDE with a YubiKey requires YubiKey Hardware and the Personalization Tool (to program the YubiKey for Challenge-Response mode). The Implementation Guide describes how to implement YubiKey two-factor authentication in Challenge-Response mode with FDE products.
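The pre-boot Challenge-Response flow, as an added Python model that is not Yubico's code or any listed product's: the simulated YubiKey slot holds the secret written by the Personalization Tool and answers each challenge with HMAC-SHA1, while the host combines the user's password with that response to unwrap the disk key, so neither factor alone unlocks the disk. How a given FDE product mixes the response into its key derivation is not described above, so the PBKDF2 step and the simplified XOR-plus-MAC key wrap are assumptions standing in for the product's own scheme.

```python
import hashlib
import hmac


class SimulatedYubiKey:
    """Stand-in for a YubiKey slot programmed for HMAC-SHA1 Challenge-Response."""

    def __init__(self, slot_secret: bytes):
        self._secret = slot_secret  # stays inside the token; the host never reads it

    def challenge_response(self, challenge: bytes) -> bytes:
        # A YubiKey accepts challenges of up to 64 bytes and returns a 20-byte HMAC-SHA1.
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_kek(password: str, response: bytes, salt: bytes) -> bytes:
    # Assumed key-derivation: password (what you know) and token response (what you have)
    # are stretched together into a 32-byte key-encryption key (KEK).
    return hashlib.pbkdf2_hmac("sha256", password.encode() + response, salt, 100_000, 32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password: str, token: SimulatedYubiKey, challenge: bytes, salt: bytes, dek: bytes) -> dict:
    """Build a constructed on-disk header that wraps the 32-byte disk encryption key (DEK)."""
    kek = derive_kek(password, token.challenge_response(challenge), salt)
    wrapped = _xor(kek, dek)  # simplified wrap; real products use an AES-based key wrap
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()  # detects a wrong password or token
    return {"challenge": challenge, "salt": salt, "wrapped_dek": wrapped, "tag": tag}


def pre_boot_unlock(password: str, token: SimulatedYubiKey, header: dict):
    """What the PBA does at boot: returns the DEK, or None if either factor is wrong."""
    kek = derive_kek(password, token.challenge_response(header["challenge"]), header["salt"])
    expected = hmac.new(kek, header["wrapped_dek"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None  # disk stays encrypted; the OS cannot boot
    return _xor(kek, header["wrapped_dek"])


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    token = SimulatedYubiKey(b"\x11" * 20)
    dek = bytes(range(32))
    header = enroll("correct horse", token, b"constructed-pba-challenge", b"constructed-salt", dek)
    print("unlock with both factors:", pre_boot_unlock("correct horse", token, header) == dek)
    print("unlock with wrong token:", pre_boot_unlock("correct horse", SimulatedYubiKey(b"\x22" * 20), header))
```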

Third-Party Integrations

EgoSecure Data Protection

EgoSecure Data Protection FDE provides easy and effective protection for your laptop. The encryption and decryption of data is completely transparent to authorized, authenticated users, which makes the solution simple to use. The only user interaction occurs during the authentication phase.

To enhance security, EgoSecure’s full disk encryption application supports two-factor authentication during pre-boot authentication using YubiKey NEO. The traditional single-factor scheme relies on the user to be authenticated with username and password (what the user knows). For stronger security, a YubiKey (what the user has) is used as a second factor. This significantly increases the overall security of the solution.

For enterprise installations, EgoSecure Data Protection FDE can be centrally deployed and managed using the EgoSecure management console.