What is Device Encryption and why do you need it?

Hexnode
9 min readMar 10, 2021

--

Device Encryption — Encrypting a laptop

When storing and accessing confidential information on laptops and mobile devices, it is essential to encrypt them. With the advent of the Covid pandemic and the introduction of remote work, the chances of corporate espionage have increased drastically. According to a 2020 data breach report by RiskBased security, almost 36 billion corporate records were breached in the first half of 2020. Also, as claimed by a 2021 financial data risk report from Varonis, officials discovered that nearly two-thirds of all organizations have more than 1,000 sensitive files open to every employee. These figures highlight the need to incorporate device encryption policies into your organization.

Device encryption is the process of scrambling data into illegible code and making it indecipherable to anyone without a password or a recovery key. The data (referred to as ‘plaintext’) is encoded using an encryption algorithm to turn it into an unreadable format (referred to as ‘ciphertext’). This gibberish data can only be decoded by users with access to the recovery key or password.

What are the different types of Encryption?

An encrypted laptop
An encrypted laptop

While there are many encryption techniques available, here we’ll look at the most predominant forms of encryption that most enterprises and businesses employ to secure and encode their data.

Symmetric and Asymmetric encryption techniques

Symmetric Encryption is a popular encryption technique that uses the same key for the encryption and decryption process. Here, the plaintext is encrypted using a key, and the same key is used to decrypt the ciphertext at the receiving end. Since the algorithm behind Symmetric Encryption is simple and has faster execution, it is widely used in encryption algorithms like AES-128 and AES-256 to transmit data in bulk.

Asymmetric Encryption is more secure as it uses two keys (public key and private key) for the encryption process. The public key is available to all, but the private key remains undisclosed. When data is encrypted using a public key, the receiving user can only decrypt it with the private key. In contrast, when a message is encrypted using a private key, the user can decrypt it with a public key. The chief shortcoming of this encryption technique is that the encryption process is quite lengthy. Encryption algorithms — including RSA and DSA — make use of this encryption technique.

AES and RSA encryption algorithms

Advanced Encryption Standard (AES) is a block cipher that uses symmetric encryption to encode data. It is used by governments and everyday businesses and is a universal method that most encryption software recommends using. AES encrypts data in a single block instead of as individual bits of data. AES-128 (encrypts blocks of a 128-bit size), AES-256 (encrypts blocks of a 256-bit size) are examples of AES block encryption.

Rivest-Shamir-Adleman (RSA) is another popular encryption algorithm. It uses the asymmetric encryption technique, where the sending and receiving parties will have a public and private key to encrypt/decrypt the data. RSA is a secure encryption method to send information between people who may not know each other and need to transfer data without exposing their personal information. However, it takes a long time to encrypt data and is not a practical solution for a large number of files.

File-Level and Hard-Drive Encryption processes

File-Level Encryption (FLE) encodes data in particular files and folders on a drive, making the selected information indecipherable to unauthorized individuals. This is most commonly used on personal data files, such as word documents and spreadsheets. FLE does not encrypt all the information on the hard drive. It cannot encrypt Operating System and critical files. However, it lets IT admins choose precisely what information must be encrypted. Since FLE decrypts one file at a time, the impact on device performance is insignificant.

Hard-Drive Encryption (HDE) is the process of using encryption software to convert all data on your disk into unreadable code. This code can only be accessed and read by a user who has the decryption key or password. Unlike File-level Encryption, Hard-Drive Encryption encrypts all the data in your drive, including the OS and its critical files. Hence, the system boots up only after providing the decryption password or recovery key. Since all new files are automatically encrypted on creation, HDE eliminates the need to encode your corporate files manually. Microsoft’s BitLocker and Apple’s FileVault are two examples of hard-drive encryption software.

What is BitLocker?

Introduced on January 30th, 2007, BitLocker is a hard-drive encryption software developed by Microsoft. It employs AES 128/256-bit encryption algorithm to scramble all the data in your drive and protect it from unauthorized access. BitLocker is available for machines running Windows Vista or 7 (Enterprise/Ultimate), Windows 8.1 (Pro/enterprise), or Windows 10 Pro. When used along with a Trusted Platform Module (TPM), it is possible to run authentication checks on your PC’s hardware, software and firmware. If the TPM detects unauthorized changes, it makes the system boot up in safe mode. BitLocker can be used by individuals and enterprises that require complete encryption of their devices.

BitLocker with Hexnode

Hexnode provides a centralized way to configure BitLocker policies to your corporate devices in bulk. You can mandate Encryption for your OS drives, fixed data drives or removable drives with AES-CBC 128/256-bit or XTS-AES 128/256-bit encryption algorithms. You can also store and manage your BitLocker recovery password on your enterprise Azure Active Directory. With Hexnode, it is also possible to keep track of BitLocker-enabled devices using compliance reports.

BitLocker password on system startup
BitLocker password on system startup

What is FileVault?

FileVault is a hard-drive encryption program available for macOS 10.3, and later that secures your Mac’s hard drive using XTS-AES 128 encryption algorithm. All newly created files are automatically encrypted under FileVault. Once the device is encrypted, users require a password on start-up to decrypt the data and boot the device. FileVault also provides a recovery key that IT admins can use to decrypt your data in case of a forgotten password.

FileVault with Hexnode

Hexnode UEM facilitates configuring FileVault policies in bulk to your enterprise devices. You can mandate Encryption with either a personal recovery key or institutional recovery key, or both. This enables IT admins to store and manage your enterprise devices’ recovery keys in the Hexnode portal. You can also monitor your device health using compliance reports.

Hard-Drive Encryption: What’s the catch?

Although it may seem like a no-brainer to set up Encryption for your enterprise devices, there are certain drawbacks to implementing full-disk encryption.

HDE only protects the system when it’s turned off. Once you decrypt your drive with the password or recovery key asked during bootup, the entire system is unlocked. This leaves your data exposed to anyone trying to access your device when it’s kept on.

HDE encrypts your entire drive and protects it with a password or a recovery key. In case this recovery key or password is lost, there is no other way to recover your data.

Employing Hard-Drive Encryption may cause an increase in the time required to access your data. Slight delays may occur while processing data, especially with large files. However, with modern Windows computers and Macs, no noticeable change can be sensed.

When should you use Hard-Drive Encryption?

Before implementing a Hard-Drive Encryption policy, it may be a good idea to take heed of this advice — would you rather lose your data than have it all exposed? — If the answer is no, then you should probably think twice before setting up HDE for your enterprise devices.

Organizations that store private or confidential information on their devices can benefit a lot from encrypting their hard drives. Companies that need to maintain — GDPR, HIPAA, CJIS compliance — will have to make use of HDE policies for their devices.

A Hard Drive
A Hard Drive

Hard-Drive Encryption and File-Level Encryption: Overview

When given a choice to implement Hard-Drive Encryption or File-level Encryption for your organization, the answer is — Use both!

Hard-Drive Encryption protects data-at-rest. That means — it protects the system when it’s not in use — Once your device is booted up, all your data gets decrypted.

In contrast, File-level Encryption protects data-at-rest as well as data-in-use. You can encrypt specific files and folders using FLE.

By making use of both Hard-Drive Encryption and File-level Encryption for your enterprise devices, IT admins can safeguard critical files from prying eyes and protect corporate drives from being breached. HDE and FLE together lets your company use the best-of-both-worlds for device encryption.

Device Encryption with Hexnode

In addition to configuring BitLocker and FileVault policies in bulk, Hexnode provides you with a whole suite of security features to manage and encrypt your corporate devices from a central console.

Try out Hexnode to manage and encrypt your devices

Configure Wi-Fi

Open Wi-Fi networks can pose a serious threat to the data within your device. With Hexnode, devices can be pre-configured with corporate Wi-Fi connections and restricted from interacting with any other network. You can create a policy with your organization’s Wi-Fi settings and associate them with the enrolled devices. You can also add or remove additional Wi-Fi configurations and manage your device connections.

Configure VPN

To mitigate the threat posed by unsecured Wi-Fi networks, Hexnode can help your company direct the flow of data using a corporate VPN. VPNs open a secure communication channel to transmit and encrypt enterprise data. By creating a policy with the authentication ID and details of your VPN provider, all your enterprise devices can be securely connected to the VPN.

Enforce Password policy

For Android devices, Full-Disk Encryption is supported for OS 5.0 to 9.0, and File-Level Encryption is supported for OS 7.0 and above.

iOS devices are encrypted when they are set with a Touch ID or passcode.

With Hexnode, strong password policies can be assigned to all your enterprise devices. You can set up restrictions on a password’s length, complexity, age, history, attempts before device wipe and screen auto-lock.

Compliance reports

With Hexnode, your organization can generate compliance reports for all your enrolled devices. This includes reports on password compliance, encryption, device inactivity and more. These reports allow you to monitor device health and keep track of all your activity.

Configure Lost mode

It is natural for employees to lose devices. In these situations, the corporate data in them must be protected at any cost. Hexnode enables IT admins to remotely lock and encrypt enterprise devices with its lost mode policy.

Best practices for Device Encryption

When you set up a Device Encryption policy for your enterprise devices, it is advisable to follow certain practices to secure your data in the best possible way.

Regularly backing up your data at specific intervals is a good practice to follow. It will let you recover your data in case of a device malfunction, corrupted hard drive, or loss of the device.

Backing up data to a Hard Drive
Backing up data to a Hard Drive

Your device encryption policy is only as strong as the password you use to protect it. Enforcing a strong password policy is of utmost importance after setting up Encryption. You can utilize Hexnode UEM to implement strict password policies for your enterprise.

Also, it is easier to manage Encryption for all your devices from a central console. This prevents the encryption process for large enterprises from being too complicated.

--

--

Hexnode
Hexnode

Written by Hexnode

Hexnode MDM is an award winning Enterprise Mobility Management vendor which helps businesses to secure and manage BYOD, COPE, apps and content.