Full disk encryption (FDE) technology protects data-at-rest by encrypting all data stored on the hard drive of a protected computer. FDE is considered the most complete protection of such data. Even if an encrypted hard drive of a computer is removed, the data is still protected because it is encrypted. Almost all FDE products transparently encrypt or decrypt data “on the fly.” This means that once you have authenticated to the system, the data you need is decrypted as you need it, and data that you write to the system is encrypted as it is being written.
Most FDE solutions implement a pre-boot authentication environment (PBA), frequently implemented as a hardened, network-isolated, lightweight operating system kernel. You must authenticate successfully at boot time in order for the encryption key to be recreated and provided to the encryption driver, or to the encrypting disk, so that the normal host operating system can boot. If you do not successfully authenticate, the disk remains encrypted and you cannot boot into the operating system. Some FDE solutions provide single sign-on, so that once you authenticate at PBA, you are also logged in to the operating system.
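The two mechanisms described above (transparent on-the-fly sector encryption, and a pre-boot step that recreates the data-encryption key from the user's credential before anything else can run) can be modelled end to end in a few dozen lines. The following is an added example, not code from any FDE product: it uses a constructed in-memory "disk image", derives a key-encryption key from the passphrase with PBKDF2, stores the wrapped disk key in a header, and only hands an unlocked driver back when the passphrase verifies. The per-sector keystream is a deliberately simplified HMAC-counter construction chosen so the script runs with the standard library alone; the function and class names are the author's own.

```python
"""Toy model of full disk encryption with pre-boot authentication (added example)."""
import hashlib
import hmac
import os
import struct

SECTOR = 512  # bytes per sector on the constructed disk image


def derive_kek(passphrase: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBA step: turn the user's passphrase into a key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)


def keystream(key: bytes, label: bytes, sector_no: int, length: int) -> bytes:
    """Deterministic keystream bound to (label, sector number).

    Simplified stand-in for a tweakable cipher such as AES-XTS; see the note below.
    """
    out = b""
    counter = 0
    while len(out) < length:
        block = label + struct.pack(">QQ", sector_no, counter)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DiskImage:
    """What an attacker sees if the drive is pulled: header plus ciphertext sectors."""

    def __init__(self, n_sectors: int):
        self.header = None
        self.sectors = [bytes(SECTOR)] * n_sectors


def format_disk(disk: DiskImage, passphrase: bytes) -> None:
    """Generate a random data-encryption key (DEK) and store it wrapped under the KEK."""
    salt = os.urandom(16)
    dek = os.urandom(32)
    kek = derive_kek(passphrase, salt)
    wrapped = xor(dek, keystream(kek, b"wrap", 0, 32))
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()  # lets PBA detect a wrong passphrase
    disk.header = {"salt": salt, "wrapped_dek": wrapped, "tag": tag}


class EncryptionDriver:
    """Transparent on-the-fly layer: callers read and write plaintext sectors only."""

    def __init__(self, disk: DiskImage, dek: bytes):
        self.disk = disk
        self.dek = dek

    def write(self, sector_no: int, plaintext: bytes) -> None:
        if len(plaintext) != SECTOR:
            raise ValueError("sector-sized writes only")
        self.disk.sectors[sector_no] = xor(plaintext, keystream(self.dek, b"data", sector_no, SECTOR))

    def read(self, sector_no: int) -> bytes:
        return xor(self.disk.sectors[sector_no], keystream(self.dek, b"data", sector_no, SECTOR))


def pre_boot_auth(disk: DiskImage, passphrase: bytes):
    """PBA: recreate the DEK from the passphrase. Returns an unlocked driver, or None on failure."""
    h = disk.header
    kek = derive_kek(passphrase, h["salt"])
    expected = hmac.new(kek, h["wrapped_dek"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, h["tag"]):
        return None  # wrong credential: the DEK is never reconstructed, nothing can boot
    dek = xor(h["wrapped_dek"], keystream(kek, b"wrap", 0, 32))
    return EncryptionDriver(disk, dek)


def demo(passphrase: bytes = b"correct horse battery") -> dict:
    """Format a disk, unlock it, write one sector, and compare at-rest vs. decrypted views."""
    disk = DiskImage(8)
    format_disk(disk, passphrase)
    drv = pre_boot_auth(disk, passphrase)
    plain = b"payroll.xlsx: constructed sample data".ljust(SECTOR, b"\0")
    drv.write(3, plain)
    return {
        "wrong_passphrase_unlocks": pre_boot_auth(disk, b"guess") is not None,
        "at_rest_readable": disk.sectors[3] == plain,
        "roundtrip_ok": drv.read(3) == plain,
    }


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: the disk header holds only a wrapped copy of the DEK, so a failed PBA leaves nothing usable on the medium, and the driver re-encrypts every write with a keystream tied to the sector number, which is what "on the fly" means in practice. The keystream construction here is a teaching device only. Because FDE rewrites sectors in place, a fixed per-sector keystream would let an observer of two versions of the same sector XOR them together; real products use a tweakable block cipher (AES-XTS) for exactly that reason.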