Encryption | Beginner | 7 min read

Full Disk Encryption: Why It Matters

Why encrypting your entire drive is one of the most important security steps you can take, and how to enable it on every major platform.

If your laptop is lost or stolen, full disk encryption (FDE) is the single barrier standing between an attacker and all of your data: every document, photo, browser history, saved password, session token, and encryption key stored on that device. Without FDE, an attacker can simply remove the drive, mount it on another computer, and read everything in minutes; no login password stops that, because the login screen is enforced by an operating system the attacker is not running. With FDE, the data on the drive is unreadable without your passphrase (or recovery key).

How Full Disk Encryption Works

FDE encrypts the entire contents of a disk (or partition) with a symmetric cipher, typically AES-256 in XTS mode. When you power on the device, a pre-boot authentication step (the initramfs prompt on Linux, the BitLocker or FileVault screen elsewhere) asks for your passphrase or accepts a hardware token. The passphrase is not the disk key. It is fed through a deliberately slow key-derivation function (Argon2id or PBKDF2 in LUKS) to produce a key-encryption key, which unwraps a randomly generated master key that is stored in wrapped form in the volume header. Only the master key ever touches data sectors, which is why changing your passphrase rewrites a few kilobytes of header rather than the whole drive, and why a damaged header makes the data unrecoverable even with the right passphrase. Once unlocked, the operating system reads and writes through the decrypted mapping transparently; with the AES instructions on modern CPUs the overhead is negligible.

Enabling FDE by Platform

Linux (LUKS)

Most Linux distributions offer LUKS (Linux Unified Key Setup) encryption in the installer, and that is the easiest way to get an encrypted root filesystem. If you did not enable it at install time, you can encrypt an external drive or a new partition with cryptsetup from the command line. Encrypting an already-installed root filesystem in place is possible with cryptsetup reencrypt on LUKS2, but it is a take-a-full-backup-first operation.

```bash
# Identify the target device first; a wrong letter here wipes the wrong disk
lsblk -f

# Encrypt a partition (WARNING: destroys existing data)
sudo cryptsetup luksFormat --type luks2 /dev/sdX1

# Open the encrypted partition; the plaintext view appears under /dev/mapper
sudo cryptsetup open /dev/sdX1 encrypted_drive

# Create a filesystem on the opened device
sudo mkfs.ext4 /dev/mapper/encrypted_drive

# Mount it
sudo mkdir -p /mnt/secure
sudo mount /dev/mapper/encrypted_drive /mnt/secure

# Back up the LUKS header: a damaged header loses the data even with the passphrase
sudo cryptsetup luksHeaderBackup /dev/sdX1 --header-backup-file sdX1-luks-header.img

# Lock the drive again when done
sudo umount /mnt/secure
sudo cryptsetup close encrypted_drive

# To check LUKS status (version, cipher, KDF, used keyslots) on an existing encrypted drive
sudo cryptsetup luksDump /dev/sdX1
```

Windows (BitLocker)

BitLocker is available on Windows 10/11 Pro, Enterprise, and Education editions. Home editions get "Device Encryption", a reduced form of BitLocker that is only switched on when the hardware meets Microsoft's requirements and that escrows the recovery key to the Microsoft account you sign in with. Check the state of every volume with the built-in manage-bde -status command before assuming anything is encrypted. For maximum control, pair the TPM with a PIN rather than relying on TPM-only mode. With TPM-only, the volume key is released automatically at boot as long as the measured boot chain matches, which is exactly the situation an attacker holding the stolen laptop is in: they can attack the running pre-login system (DMA over Thunderbolt, Windows boot-time bugs), and on machines with a discrete TPM the key has been captured by sniffing the bus between the TPM and the CPU. A PIN keeps the key sealed until a human types something. Enabling TPM + PIN first requires turning on "Require additional authentication at startup" in the BitLocker group policy settings.

macOS (FileVault)

FileVault is Apple's full disk encryption, available on all modern Macs. Enable it under System Settings > Privacy & Security > FileVault, and verify with fdesetup status in a terminal. On Apple Silicon (and Intel T2) Macs the internal SSD is always encrypted by the Secure Enclave with a hardware-bound key, but without FileVault that key is released without any user authentication, so an attacker who can boot the Mac is past it. FileVault ties the volume key to your login password, which is the pre-boot check that actually protects your data; it also means the drive is only as strong as that password.

Warning

Store your recovery key somewhere safe and offline. If you forget your passphrase and lose the recovery key, your data is permanently unrecoverable. Write it on paper and store it in a secure location separate from the device. Do NOT store it solely in a cloud account that might be locked at the same time. On LUKS, keep a header backup alongside it: the header holds the wrapped master key, and a corrupted or overwritten header is just as fatal as a lost passphrase.

What FDE Does NOT Protect Against

  • A powered-on, unlocked device. FDE only protects data at rest. Once you have entered your passphrase and the OS is running, the master key sits in RAM and the kernel decrypts sectors on demand for any process, user, or attacker on the running system.
  • Remote attacks while the system is running. Malware, phishing, and network-based attacks operate on the decrypted data through the OS, exactly as they would on an unencrypted machine.
  • Cold boot attacks. DRAM retains its contents for seconds to minutes after power loss (longer when chilled), so a sophisticated attacker who takes a running or suspended laptop may be able to dump the master key from memory. Mitigate this by shutting down (not sleeping) your device when leaving it unattended.
  • Evil maid attacks. An attacker with repeated physical access can install a hardware keylogger or modify the unencrypted bootloader to capture your passphrase and hand it to them on the next visit. Secure Boot with a TPM-measured boot chain raises the bar; not leaving the device unattended is the only complete answer.
  • A weak passphrase. An attacker who images the drive gets the wrapped key and the salt and can grind passphrases offline for as long as they like; the slow KDF only multiplies the cost of each guess.

Tip

For maximum protection, always fully shut down your laptop when crossing borders, leaving it in a hotel room, or any time it will be out of your physical control. Suspending or closing the lid keeps the encryption keys in RAM. On macOS, pmset -a destroyfvkeyonstandby 1 together with hibernatemode 25 tells the system to discard the FileVault key when it enters standby, at the cost of a slower wake.