What is Disk Encryption?
Disk encryption provides protection for Data At Rest, that is to say, inactive data stored in a physical form such as on disk or tape. To be clear on terminology:
- Data At Rest: Inactive data stored physically
- Data In Motion: Data traversing a network
- Data In Use: Data in the process of being created, retrieved, updated, or deleted
Disk encryption means that someone who obtains the physical storage (the hard disk), or a raw copy of it, cannot read the data held on it. While the volume is mounted and the data is being worked on, for example a MySQL database running on an encrypted disk, that data is "In Use" and is not protected: it can be read by anyone with access within the running OS, from the temporary copies that exist while it is processed (RAM, caches, an unencrypted swap partition), or over a network.
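The following is an added illustration, not code from the original article and not how any real disk-encryption product is implemented. It models a small raw disk image whose sectors are encrypted under a key derived from a passphrase, then shows the three properties the paragraph above describes: a raw copy of the image contains no plaintext, the same sector read through the "mounted" view (key held in RAM) gives the plaintext back, and a wrong passphrase yields garbage. The per-sector cipher here is an HMAC-SHA256 keystream, an assumed stand-in chosen so the example runs with only the Python standard library; real volumes use a sector-tweaked block cipher such as AES-XTS, and this toy must not be used to protect anything.

```python
import hashlib
import hmac

SECTOR = 512          # bytes per sector, matching a classic disk sector
KDF_ITERS = 200_000   # PBKDF2 iteration count; an assumed value for the demo


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Turn the user's secret into a fixed-size key with a slow KDF
    (PBKDF2-HMAC-SHA256), so a thief holding the raw image cannot cheaply
    brute-force the passphrase. Real volume formats store a random salt in
    the on-disk header; the demo takes it as a parameter."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, KDF_ITERS, dklen=32)


def _keystream(key: bytes, sector: int, length: int) -> bytes:
    """Toy per-sector keystream (assumed stand-in for AES-XTS): HMAC-SHA256
    over (key, sector number, counter). Mixing in the sector number is the
    'tweak' that stops identical plaintext in two sectors from producing
    identical ciphertext on disk."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedImage:
    """The raw image (what a thief gets) plus the key (what the running OS
    holds in RAM only while the volume is mounted)."""

    def __init__(self, key: bytes, raw: bytearray):
        self.raw = raw      # ciphertext only; this is what is persisted
        self._key = key     # never written to the image

    @classmethod
    def create(cls, key: bytes, sectors: int) -> "EncryptedImage":
        return cls(key, bytearray(sectors * SECTOR))

    def write(self, sector: int, plaintext: bytes) -> None:
        if len(plaintext) > SECTOR:
            raise ValueError("plaintext larger than one sector")
        block = plaintext.ljust(SECTOR, b"\0")   # demo padding; plaintext must not end in NUL
        ct = _xor(block, _keystream(self._key, sector, SECTOR))
        self.raw[sector * SECTOR:(sector + 1) * SECTOR] = ct

    def read(self, sector: int) -> bytes:
        ct = bytes(self.raw[sector * SECTOR:(sector + 1) * SECTOR])
        return _xor(ct, _keystream(self._key, sector, SECTOR)).rstrip(b"\0")


def demo(passphrase: bytes = b"correct horse battery staple") -> dict:
    """Constructed scenario: write a small CSV record to two sectors, then
    look at the disk from the three viewpoints in the text."""
    salt = b"\x00" * 16   # fixed so the demo is reproducible
    record = b"customer_id,ssn\n1,078-05-1120\n"   # constructed sample data
    vol = EncryptedImage.create(derive_key(passphrase, salt), sectors=4)
    vol.write(0, record)
    vol.write(1, record)          # same plaintext again, different sector

    stolen = bytes(vol.raw)       # the thief's raw copy of the storage
    wrong = EncryptedImage(derive_key(b"hunter2", salt), bytearray(stolen))

    return {
        "plaintext_in_raw_image": b"078-05-1120" in stolen,        # at rest: no
        "mounted_read": vol.read(0),                                # in use: plaintext in RAM
        "identical_sectors_identical_ciphertext":
            stolen[:SECTOR] == stolen[SECTOR:2 * SECTOR],           # tweak: no
        "wrong_passphrase_matches": wrong.read(0) == record,        # wrong key: no
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Note what `mounted_read` shows: the moment the volume is unlocked, the plaintext exists as an ordinary object in process memory, which is exactly the "In Use" state the encryption does not cover.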
Why do I Need Disk Encryption?
Disk encryption is useful if:
- The storage media is at risk of theft or loss (e.g. a laptop, USB key, or server in a physically insecure location), and the data held on it is private or sensitive
- You must meet a compliance requirement that cannot be satisfied any other way
Disadvantages
- Performance: There is some overhead for disk encryption, so I/O performance will be reduced. With hardware AES support (e.g. AES-NI) the cost is usually small, but it is worth measuring on I/O-heavy workloads
- Complexity: Additional complexity carries additional risk of problems
- Recovery: It's harder to recover data from an encrypted disk than an unencrypted one. If the key, or the volume header that holds the key material, is lost or corrupted, the data is gone; back up the header and the recovery key separately from the disk itself
- Limitations: Encryption implies that a secret is held somewhere, or by someone, in order to unlock the encrypted device. That secret must be kept safe, and this imposes limitations. For example, you may not be able to automatically mount an encrypted disk at boot, since the secret has to be supplied from elsewhere; storing a key file on the same machine makes unattended mounting possible, but then whoever takes the whole machine takes the key with it