Full disk encryption (FDE) protects all data on a device's storage drive by encrypting it automatically and transparently. When FDE is enabled, the entire contents of the drive (operating system, applications, and data files) are encrypted. Without the correct authentication (a password, PIN, or biometric, or a hardware-bound key released by the device's TPM), the drive's contents are inaccessible, even if the physical drive is removed from the device. The protection applies to data at rest: once the device has booted and the volume is unlocked, the operating system decrypts everything transparently, so FDE does nothing against malware, a hijacked session, or anyone who can sign in to the running machine.
FDE is critical for mobile devices that leave the office. Laptops are lost or stolen regularly, and without encryption, all data on the device is immediately accessible to whoever possesses it. With FDE enabled, a lost or stolen laptop is a hardware loss rather than a data breach. This distinction has significant implications for breach notification obligations and regulatory compliance.
Modern operating systems include built-in FDE capabilities: BitLocker for Windows, FileVault for macOS, and LUKS on most Linux distributions. BitLocker and FileVault can be managed centrally through endpoint management tools, so that encryption is enabled on every device and recovery keys are escrowed automatically rather than left with the user. Organizations should use their MDM or endpoint management platform to enforce encryption policies, including the encryption method and the type of pre-boot authentication, rather than relying on individual users to enable it.
Recovery key management is an essential component of an FDE program. If an employee forgets their password, or a device falls into recovery mode after a firmware update, hardware change, or TPM reset, the recovery key is the only way back into the encrypted data. Recovery keys should be stored in a centralized, secure location, such as Active Directory, Entra ID, or the MDM platform, and because a recovery key unlocks the volume without the user's credential, access to recovery keys should be restricted, audited, and rotated after use.
Device encryption is specifically asked about on most cyber insurance applications, particularly for organizations with mobile workforces. Insurers recognize that encrypted devices significantly reduce breach risk from lost or stolen hardware. Many breach notification laws include safe harbor provisions for encrypted data, which directly reduces claim costs.
Organizations that can confirm that all endpoints are encrypted, and provide evidence of centralized enforcement and recovery key management, demonstrate a mature security posture. This is particularly important for organizations whose employees handle sensitive data on laptops in the field.
The HIPAA Breach Notification Rule treats ePHI as "unsecured" unless it has been rendered unusable, unreadable, or indecipherable by a method specified in HHS guidance; for data at rest, that guidance points to encryption consistent with NIST SP 800-111. If a laptop containing patient data is lost but FDE was enabled and the decryption key or recovery key was not compromised along with the device, the incident may not require individual notification. This makes FDE one of the most financially impactful controls for healthcare organizations.
Lawyers frequently carry laptops containing privileged client information. ABA Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent unauthorized access to or disclosure of information relating to the representation of a client, and FDE on mobile devices is considered a baseline expectation. Several state bar ethics opinions specifically recommend encryption for mobile devices used by attorneys.
GLBA requires financial institutions to protect customer information, and the amended FTC Safeguards Rule (16 CFR Part 314) now expressly requires encryption of customer information at rest as well as in transit, making FDE a primary control for mobile devices. FFIEC guidance likewise expects institutions to encrypt sensitive data on portable devices, and bank examiners verify encryption status as part of their IT examination procedures.
Retail managers and regional staff who access POS management systems, financial reports, and customer data on laptops must have FDE enabled. PCI DSS Requirement 3.4 (v3.2.1; Requirement 3.5.1 in v4.0) requires that stored PAN be rendered unreadable, and FDE contributes to this objective for devices that may contain stored PAN data. Note, however, that PCI DSS does not accept disk-level encryption alone for PAN on non-removable media: in v3.2.1 (3.4.1) the decryption keys must not be tied to the operating system login, and in v4.0 (3.5.1.2) PAN on non-removable drives must also be protected by another mechanism such as file-, column-, or field-level encryption.
NIST SP 800-171 control 3.13.16 (CMMC practice SC.L2-3.13.16) requires protecting the confidentiality of CUI at rest, which in practice means encrypting portable devices, and control 3.13.11 requires FIPS-validated cryptography whenever cryptography is used to protect CUI. FIPS 140-2 validated modules remain acceptable while their certificates are active, with FIPS 140-3 as the current standard. Government contractors must demonstrate that all devices accessing CUI are encrypted with approved algorithms, which for BitLocker means enabling the FIPS-compliant policy setting and documenting the validated module in use.
Enable BitLocker on all Windows devices and FileVault on all macOS devices through centralized MDM policies
Verify encryption status across all endpoints using MDM reporting dashboards
Store recovery keys centrally in Active Directory, Entra ID, or the MDM platform with restricted access
Block access to corporate resources from devices that do not have verified encryption enabled
Include encryption verification in the device provisioning checklist for new endpoints
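The steps above are normally enforced by the MDM policy and verified from its dashboard. As an added example, not taken from this page or from any MDM vendor, the PowerShell script below does the per-endpoint half of that work: it audits the operating system volume, flags a TPM-only configuration that unlocks unattended at boot (the caveat behind "strong password" in the HIPAA discussion), escrows the recovery password to Entra ID or Active Directory, and emits a JSON record for the compliance dashboard. It uses only cmdlets from the built-in BitLocker and TrustedPlatformModule modules; the function names and the -EscrowTarget parameter are this example's own, and it assumes the device is already joined to the directory it escrows to.

```powershell
#Requires -RunAsAdministrator
# Added example (not the page's or any vendor's code): audit one Windows
# endpoint's BitLocker state and escrow its recovery password. Cmdlets are
# from the built-in BitLocker and TrustedPlatformModule modules; the function
# and parameter names are this example's own. Assumes the device is already
# joined to Entra ID or to an AD DS domain, matching -EscrowTarget.
param(
    [ValidateSet('EntraID', 'ActiveDirectory', 'None')]
    [string]$EscrowTarget = 'EntraID',
    [string]$MountPoint = $env:SystemDrive
)

function Test-OsVolumeEncryption {
    param([string]$MountPoint)

    $tpm   = Get-Tpm
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # A TPM-only protector unlocks the volume automatically at boot, so the
    # data is reachable by anyone who can sign in or attack the running OS.
    # Real pre-boot authentication is TPM+PIN (optionally with a startup key)
    # or a volume password.
    $preBoot = @('TpmPin', 'TpmPinStartupKey', 'Password') |
        Where-Object { $types -contains $_ }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        MountPoint          = $MountPoint
        TpmReady            = [bool]$tpm.TpmReady
        VolumeStatus        = [string]$vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
        EncryptionMethod    = [string]$vol.EncryptionMethod  # expect XtsAes128 or XtsAes256
        Protectors          = ($types -join ',')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        PreBootAuth         = [bool]$preBoot
    }
}

function Invoke-RecoveryKeyEscrow {
    param([string]$MountPoint, [string]$Target)

    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recovery) {
        # Nothing to escrow yet: add a 48-digit recovery password protector.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($p in $recovery) {
        switch ($Target) {
            'EntraID'         { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId }
            'ActiveDirectory' { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId }
        }
    }
    # The 48-digit password itself is never written to the console or a log;
    # only the protector IDs that were escrowed are returned.
    return @($recovery | ForEach-Object { $_.KeyProtectorId })
}

$report = Test-OsVolumeEncryption -MountPoint $MountPoint

if ($report.VolumeStatus -ne 'FullyEncrypted' -or -not $report.ProtectionOn) {
    Write-Warning "$($report.ComputerName): $MountPoint is not fully protected (VolumeStatus=$($report.VolumeStatus), ProtectionOn=$($report.ProtectionOn)). Enforcement belongs in the MDM policy; this script only reports."
}
if (-not $report.PreBootAuth) {
    Write-Warning "$($report.ComputerName): no TPM+PIN or password protector; the volume unlocks unattended at boot."
}
if ($EscrowTarget -ne 'None') {
    $ids = Invoke-RecoveryKeyEscrow -MountPoint $MountPoint -Target $EscrowTarget
    $report | Add-Member -NotePropertyName EscrowedProtectorIds -NotePropertyValue ($ids -join ',')
}

# One JSON record per endpoint for the MDM or SIEM compliance dashboard.
$report | ConvertTo-Json -Compress
```

Run it as an MDM remediation or scheduled script in the SYSTEM context and collect the JSON output; a device whose record shows VolumeStatus other than FullyEncrypted, ProtectionOn false, or PreBootAuth false is the one to block from corporate resources until fixed. The macOS counterpart is to read `fdesetup status` and rely on the MDM's FileVault escrow profile for the personal recovery key, since macOS does not expose the key to scripts after enrollment.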