What is Disk Encryption?
The process of encrypting an entire storage device so that all data is protected when the device is powered off or stolen.
Full-disk encryption is one of the most important security measures for any device.
Platform Options
- macOS: FileVault 2 (AES-XTS-128, hardware-accelerated)
- Windows: BitLocker (AES-128/256, requires TPM for best security)
- Linux: LUKS/dm-crypt (flexible, supports AES, Serpent, Twofish)
- iOS: Enabled by default when you set a passcode
- Android: Enabled by default on modern devices
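For the Linux entry above, an added example (not code from the original page) of how a practitioner verifies that the root filesystem really sits on a dm-crypt (LUKS) layer: a small Go program that parses the output of the real command lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT and walks from the device mounted at / up through its parents. The records it runs on are constructed here so it works offline; the function and variable names are the example's own.

```go
package main

// Added example, not from the original page: confirm on Linux that the root
// filesystem sits on a dm-crypt (LUKS) layer by parsing the output of
//   lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
// (-P prints one KEY="value" record per line; PKNAME is the parent device.)
// The records at the bottom are constructed so the program runs offline.

import (
	"fmt"
	"regexp"
	"strings"
)

type blockDev struct {
	Name, Parent, Type, FSType, Mount string
}

var pairRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// parseLsblkPairs turns `lsblk -P` output into a map keyed by device name.
// A device with several parents (e.g. an LV spanning two PVs) appears once
// per parent in lsblk output; this simple parser keeps the last record only.
func parseLsblkPairs(out string) map[string]blockDev {
	devs := make(map[string]blockDev)
	for _, line := range strings.Split(strings.TrimSpace(out), "\n") {
		fields := map[string]string{}
		for _, m := range pairRe.FindAllStringSubmatch(line, -1) {
			fields[m[1]] = m[2]
		}
		if fields["NAME"] == "" {
			continue
		}
		devs[fields["NAME"]] = blockDev{
			Name:   fields["NAME"],
			Parent: fields["PKNAME"],
			Type:   fields["TYPE"],
			FSType: fields["FSTYPE"],
			Mount:  fields["MOUNTPOINT"],
		}
	}
	return devs
}

// mountIsEncrypted reports whether the device backing mountpoint has a
// TYPE="crypt" mapping anywhere in its ancestry, which covers both plain
// LUKS-on-partition and LVM-on-LUKS layouts. It also returns the chain of
// device names walked, leaf first, so a negative result can be explained.
func mountIsEncrypted(devs map[string]blockDev, mountpoint string) (bool, []string) {
	for _, d := range devs {
		if d.Mount != mountpoint {
			continue
		}
		var chain []string
		cur := d
		for {
			chain = append(chain, cur.Name)
			if cur.Type == "crypt" {
				return true, chain
			}
			parent, ok := devs[cur.Parent] // PKNAME="" ends the walk
			if !ok {
				return false, chain
			}
			cur = parent
		}
	}
	return false, nil // nothing is mounted there
}

// Constructed: LVM-on-LUKS layout; "/" is an LV inside the "cryptroot" mapping,
// while the EFI system partition is, as usual, left unencrypted.
const sampleLVMOnLUKS = `NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg0-root" PKNAME="cryptroot" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
NAME="vg0-swap" PKNAME="cryptroot" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"`

// Constructed: the same disk with no encryption layer at all.
const samplePlain = `NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"`

func main() {
	samples := map[string]string{"lvm-on-luks": sampleLVMOnLUKS, "plain": samplePlain}
	for name, sample := range samples {
		devs := parseLsblkPairs(sample)
		for _, mp := range []string{"/", "/boot/efi"} {
			enc, chain := mountIsEncrypted(devs, mp)
			fmt.Printf("%-12s %-10s encrypted=%-5v via %s\n", name, mp, enc, strings.Join(chain, " <- "))
		}
	}
}
```

The walk up the parent chain is what makes the check useful: a naive grep for TYPE="crypt" on the line that carries MOUNTPOINT="/" misses the common LVM-on-LUKS layout, where the mounted logical volume is a child of the crypt mapping. The same walk reports /boot/efi as unencrypted even on the encrypted sample, which is the expected state for an EFI system partition and a reminder that "full-disk" encryption normally still leaves the boot loader partition in the clear.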
What It Protects Against
- Laptop/phone theft
- Border searches of powered-off devices
- Data recovery from disposed/recycled devices
- Physical forensic extraction (when the device is off)
What It Doesn't Protect Against
- Access while the device is unlocked/running
- Malware with root access
- Compelled decryption (by legal order, depending on jurisdiction)
- Cold boot attacks (in some configurations)
Related Terms
AES-GCM
A mode of AES encryption that provides both confidentiality and authentication in a single operation, widely used in TLS and disk encryption.
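An added example (not from the original page) of what "confidentiality and authentication in a single operation" means in practice, using only Go's standard library: one Seal call produces the ciphertext and its tag, and Open refuses to return any plaintext when a single ciphertext bit or the associated data has changed. The key, message and header values are constructed for the demonstration; the function names are the example's own.

```go
package main

// Added example, not from the original page: AES-GCM as an authenticated
// encryption (AEAD) mode, using only Go's standard library. A single Seal call
// produces ciphertext plus a 16-byte tag covering both the ciphertext and the
// associated data; Open recomputes the tag and returns no plaintext at all if
// anything was altered. Key, message and header values are constructed.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealGCM encrypts plaintext under key (16, 24 or 32 bytes) with a fresh
// random 96-bit nonce and binds aad (sent in the clear) into the tag.
// The result is nonce || ciphertext || tag, so the nonce travels with the message.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. Any mismatch in ciphertext, tag, nonce or aad
// makes Open fail, and the caller never sees a partially decrypted message.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, body, aad)
}

// flipBit returns a copy of b with the lowest bit of byte i inverted.
func flipBit(b []byte, i int) []byte {
	out := append([]byte(nil), b...)
	out[i] ^= 0x01
	return out
}

// demoResult records the outcome of the round trip and the two tamper cases.
type demoResult struct {
	RoundTrip                  bool // honest decrypt returns the original message
	TamperedCiphertextDetected bool // one flipped ciphertext bit is rejected
	WrongAADDetected           bool // changed associated data is rejected
}

func runDemo(key []byte) (demoResult, error) {
	var r demoResult
	msg := []byte("constructed sample plaintext")
	aad := []byte("record-id=42") // constructed header: authenticated, not encrypted
	sealed, err := sealGCM(key, msg, aad)
	if err != nil {
		return r, err
	}
	pt, err := openGCM(key, sealed, aad)
	r.RoundTrip = err == nil && bytes.Equal(pt, msg)
	// Flip a bit inside the ciphertext body (index 12 is just past the 12-byte nonce).
	_, err = openGCM(key, flipBit(sealed, 12), aad)
	r.TamperedCiphertextDetected = err != nil
	// Present the same sealed message under a different header.
	_, err = openGCM(key, sealed, []byte("record-id=43"))
	r.WrongAADDetected = err != nil
	return r, nil
}

func main() {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	r, err := runDemo(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Two design points worth noticing: the nonce is generated fresh per message and prepended to the output, because reusing a nonce under the same key breaks GCM's guarantees; and the associated data is the mechanism for binding context (a record identifier, a header) to the ciphertext without encrypting it, so the same sealed blob cannot be silently replayed under a different label.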
Encryption at Rest
Encryption applied to data stored on disks, databases, or other storage media. When data is 'at rest' (not actively being transmitted), encryption protects it from unauthorized access if storage devices are stolen or compromised.
Trusted Platform Module (TPM)
A specialized security chip built into most modern computers that provides hardware-based cryptographic functions and secure key storage.