What Does Full Disk Encryption Protect Against?

Full disk encryption (FDE) primarily protects your data when a device is powered off and physically stolen, lost, or decommissioned. It converts everything on your hard drive into unreadable scrambled data that can only be unlocked with the correct password or key. Without that key, even removing the hard drive and plugging it into another computer yields nothing useful. But FDE has clear boundaries: it does nothing to protect you while you’re logged in and actively using the device.

Physical Theft and Lost Devices

This is the core scenario FDE was designed for. If someone steals your laptop from a car, pulls a hard drive from a recycled office computer, or finds a phone left on a park bench, the data on that device is gibberish without the decryption key. Every file, every cached password, every document is locked behind encryption that would take an impractical amount of time to crack by brute force.

This matters most for laptops and portable devices. A desktop sitting in a locked server room faces lower theft risk than a laptop carried through airports. Organizations that handle sensitive data (medical records, financial information, client files) use FDE specifically because devices inevitably go missing, and encryption ensures that a lost device is a hardware problem, not a data breach.

How the Lock Works Before You Boot

FDE systems use something called pre-boot authentication. Before your operating system even begins to load, the encryption software demands credentials. Nothing on the hard drive can be read until you provide the right password, PIN, or hardware token. The boot sequence goes: firmware starts, encryption check happens, you authenticate, and only then does the operating system load.

Where the encryption key is stored makes a significant difference. Most modern Windows machines use a Trusted Platform Module (TPM), a small security chip soldered to the motherboard. The TPM stores the encryption key in hardware, tied to that specific computer. If someone removes the hard drive and puts it in a different machine, the key stays behind in the TPM, and the data remains locked. The recovery key for a TPM-backed system is a 48-digit number, making brute-force attacks essentially hopeless.

Without a TPM, the system relies on a password you type at every boot. This is less secure because the password’s strength depends entirely on you. Most people won’t use a 20-character passphrase, and shorter passwords can potentially be cracked given enough time and computing power.

What FDE Does Not Protect Against

Once you’ve entered your password and your operating system is running, full disk encryption is effectively transparent. The data is decrypted on the fly as you use it. This means any threat that reaches your device while it’s unlocked bypasses FDE entirely.

Malware, ransomware, phishing attacks, and remote exploits all operate while your system is active and your files are accessible. If you click a malicious link and install malware, that malware reads your files the same way any legitimate program would. FDE offers zero protection here. It’s a lock on your front door, not a security guard inside the house.

Similarly, if someone accesses your computer while you’re logged in (you walk away from your desk, you share your password, a remote attacker gains access through a software vulnerability), FDE doesn’t help. The drive is already unlocked.

Cold Boot Attacks

There’s a narrow but real vulnerability that sits between “powered off” and “actively in use.” When your computer is running, the encryption keys are held in RAM (your computer’s short-term memory). Contrary to what most people assume, RAM doesn’t instantly lose its contents when power is cut. At room temperature, data in RAM chips degrades over a period of seconds, with the slowest-decaying chips tested holding data for around 35 seconds. If the memory chips are cooled, the window extends dramatically. In one experiment, researchers submerged a memory module in liquid nitrogen for 60 minutes and found only 0.17% data decay, suggesting data could be recoverable for hours or even days with sufficient cooling.

A practical attack looks like this: an attacker with physical access to a running or recently sleeping machine quickly reboots it into a custom lightweight operating system that reads whatever remains in RAM, including the encryption keys. This is called a cold boot attack. It requires physical access, technical skill, and a machine that was recently powered on or in sleep mode. Fully shutting down your computer (rather than putting it to sleep) and waiting even a few seconds significantly reduces this risk.

Evil Maid Attacks

Another physical attack targets the boot process itself. If someone gets access to your device while you’re away (the classic example: an attacker in your hotel room while you’re at breakfast), they can tamper with the unencrypted bootloader, the small piece of software that runs before your encryption kicks in. They might install a backdoor that captures your password the next time you type it. This can sometimes work even with Secure Boot enabled, due to vulnerabilities in signed boot code or outdated revocation lists in the firmware.
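To show why the TPM-sealed key described under “How the Lock Works Before You Boot” stays locked when the drive is moved to another machine or the bootloader is tampered with, here is an added example (not code from the original article, and not a real TPM or BitLocker implementation) that models measured boot and key sealing with plain hashes and HMACs. The boot-stage strings, the two TPM secrets and the volume key are constructed placeholders.

```python
import hashlib
import hmac
# Constructed boot-stage measurements for a simplified measured-boot model (not real TPM APIs).
FIRMWARE = b"firmware image v1"
BOOTLOADER = b"signed boot manager"
KERNEL = b"os kernel"
EVIL_BOOTLOADER = b"boot manager + password-capturing backdoor"  # evil maid tampering
TPM_A_SECRET = hashlib.sha256(b"device-unique secret of laptop A").digest()  # constructed
TPM_B_SECRET = hashlib.sha256(b"device-unique secret of laptop B").digest()  # constructed
VOLUME_KEY = hashlib.sha256(b"constructed 256-bit volume key").digest()

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(component)). Order matters and it cannot be reset."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot(components) -> bytes:
    """Fold each boot stage into one PCR, starting from the zero value set at power-on."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

def _keys(pcr: bytes, tpm_secret: bytes):
    # Wrapping key and MAC key both depend on the TPM's secret and the measured boot state.
    wrap = hmac.new(tpm_secret, b"wrap" + pcr, hashlib.sha256).digest()
    mac_key = hmac.new(tpm_secret, b"mac" + pcr, hashlib.sha256).digest()
    return wrap, mac_key

def seal(volume_key: bytes, expected_pcr: bytes, tpm_secret: bytes):
    """Wrap the 32-byte volume key so it only unwraps on this TPM with this exact PCR value."""
    wrap, mac_key = _keys(expected_pcr, tpm_secret)
    blob = bytes(k ^ w for k, w in zip(volume_key, wrap))
    return blob, hmac.new(mac_key, blob, hashlib.sha256).digest()

def unseal(sealed, current_pcr: bytes, tpm_secret: bytes):
    """Return the volume key, or None if the TPM or the measured boot chain differs."""
    blob, tag = sealed
    wrap, mac_key = _keys(current_pcr, tpm_secret)
    if not hmac.compare_digest(hmac.new(mac_key, blob, hashlib.sha256).digest(), tag):
        return None
    return bytes(b ^ w for b, w in zip(blob, wrap))

def scenarios():
    """Same sealed blob, three boots: untouched, tampered bootloader, drive moved to laptop B."""
    sealed = seal(VOLUME_KEY, measured_boot([FIRMWARE, BOOTLOADER, KERNEL]), TPM_A_SECRET)
    return {
        "normal_boot": unseal(sealed, measured_boot([FIRMWARE, BOOTLOADER, KERNEL]), TPM_A_SECRET),
        "evil_maid": unseal(sealed, measured_boot([FIRMWARE, EVIL_BOOTLOADER, KERNEL]), TPM_A_SECRET),
        "drive_moved": unseal(sealed, measured_boot([FIRMWARE, BOOTLOADER, KERNEL]), TPM_B_SECRET),
    }
```

Only the untouched boot on the original machine gets the key back; a modified bootloader changes the PCR and a different TPM has a different secret, so in both cases unsealing fails and the disk stays locked. This is the protection the article describes, and also why evil maid attacks that slip past measurement (a signed-but-vulnerable boot component) are the cases to worry about.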

Built-In FDE Tools by Operating System

All three major operating systems include FDE tools, and they share the same core encryption approach (XTS mode, which is specifically designed for disk encryption) but differ in how they handle key management.

  • BitLocker (Windows): Integrates tightly with TPM hardware and supports two-factor authentication, combining a TPM-stored key with a PIN or an external USB key. Hardware-accelerated encryption is built in.
  • FileVault 2 (macOS): Generates two recovery passwords and supports single sign-on, so your login password doubles as your decryption password. The experience is seamless on Apple hardware.
  • LUKS/dm-crypt (Linux): The most flexible option, with support for authenticated encryption and multiple configuration choices. TPM support exists but requires external tooling rather than being built in.

Performance Impact on Modern Hardware

Modern processors include dedicated circuitry for encryption (called AES-NI), which makes FDE dramatically faster than it used to be. Hardware-accelerated encryption runs up to 13.5 times faster than software-only encryption and uses about 90% less energy. For most users on modern hardware, the performance hit from full disk encryption is imperceptible during normal use: opening files, browsing the web, and launching applications feel the same.

Heavier workloads show more impact. Database benchmarks with encryption enabled show roughly 22% to 28% slowdowns compared to unencrypted systems. But these numbers reflect sustained, intensive read/write operations, not typical daily computing. If you’re not running a database server on your laptop, you’re unlikely to notice any difference.

Recovery Keys: The Risk You Create

FDE introduces one risk that doesn’t exist without it: permanent data loss from a lost encryption key. If you forget your password and don’t have a recovery key, your data is gone. The same encryption that keeps thieves out keeps you out too.

For individuals, this means storing your recovery key somewhere safe and separate from the device it protects. For organizations, it means centralized key management: multiple copies of recovery keys stored in secure locations, regular testing of recovery procedures, and documentation that doesn’t depend on any single person’s memory. Without these backups, a routine password reset can turn into a catastrophic data loss event.