Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD) vendors, including iStorage Limited, Seagate Technology, Hitachi, Western Digital, Samsung and Toshiba; from solid-state drive vendors such as OCZ, SanDisk, Samsung, Micron and Integral Memory; and from USB vendors such as Yubikey or iStorage Limited. The symmetric encryption key is maintained independently from the CPU, thus removing computer memory as a potential attack vector. For hard disk drives, the term self-encrypting drive (SED) is more commonly used.
Hardware-FDE has two major components: the hardware encryptor and the data store. There are currently three varieties of hardware-FDE in common use:
- Hard disk drive (HDD) FDE (usually referred to as SED)
- Enclosed hard disk drive FDE
- Bridge and Chipset (BC) FDE
Many new PCs that ship with Windows 10 will automatically have “Device Encryption” enabled. This feature was first introduced in Windows 8.1, and it has specific hardware requirements, so not every PC will have it.
There’s another limitation, too: it only encrypts your drive if you sign into Windows with a Microsoft account. Your recovery key is then uploaded to Microsoft’s servers. This will help you recover your files if you ever can’t log into your PC. (This is also why the FBI likely isn’t too worried about this feature, but we’re just recommending encryption as a means to protect your data from laptop thieves here. If you’re worried about the NSA, you may want to use a different encryption solution.)
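One way to check what state a given PC is actually in, as an added example that is not part of the original page: it reads the volume state through `Get-BitLockerVolume` (Device Encryption is built on BitLocker) and reports whether each volume is encrypted, whether protection is active, whether the drive itself is doing the encryption, and which key protectors exist. The function name `Get-EncryptionFinding` and the sample volumes are constructed for illustration.

```powershell
# Added example. Get-EncryptionFinding and $sample are constructed for illustration;
# Get-BitLockerVolume is the cmdlet from the Windows BitLocker module.
function Get-EncryptionFinding {
    param([Parameter(Mandatory)] $Volume)   # object shaped like Get-BitLockerVolume output

    $status     = "$($Volume.VolumeStatus)"
    $method     = "$($Volume.EncryptionMethod)"
    $protectors = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    $state = if ($status -eq 'FullyDecrypted') {
        'NotEncrypted'
    } elseif ($status -ne 'FullyEncrypted') {
        'InTransition'                      # encrypting, decrypting or paused
    } elseif ("$($Volume.ProtectionStatus)" -ne 'On') {
        'EncryptedNotProtected'             # suspended, or no key protector added yet
    } else {
        'Protected'
    }

    [pscustomobject]@{
        MountPoint          = $Volume.MountPoint
        State               = $state
        Method              = $method
        DriveDoesEncryption = $method -like 'Hardware*'   # BitLocker relying on a SED
        TpmProtector        = $protectors -contains 'Tpm'
        RecoveryPassword    = $protectors -contains 'RecoveryPassword'
    }
}

# Constructed sample volumes, used when live data is unavailable.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off'
                       EncryptionMethod = 'XtsAes128'; KeyProtector = @() }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
                       EncryptionMethod = 'HardwareEncryption'
                       KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                                        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'
                       EncryptionMethod = 'None'; KeyProtector = @() }
)

# Live data needs an elevated session on Windows; otherwise fall back to the samples.
$volumes = try { Get-BitLockerVolume -ErrorAction Stop } catch { $sample }
$volumes | ForEach-Object { Get-EncryptionFinding -Volume $_ } | Format-Table -AutoSize
```

A volume reported as `EncryptedNotProtected` holds ciphertext on disk but is not yet locked behind a key protector, so it should not be counted as protected against theft.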