Gartner Blog Network

Full Drive Encryption is not just for Laptops

by Neil MacDonald  |  August 22, 2011  |  3 Comments

I’ve had two discussions with clients today already on the role of full drive encryption (FDE technologies such as Microsoft’s BitLocker, McAfee Total Protection, Sophos/Utimaco, Symantec PGP, Check Point, Trend/Mobile Armor, etc.) for fixed desktops.

Full drive encryption should be considered mandatory for laptops and most organizations have implemented this – either with Windows 7 and BitLocker, by adding encryption into their endpoint protection platform contract or by purchasing a point solution.

However, there are several use cases where the use of FDE makes sense for fixed desktops:

1) For areas where physical security is lacking and there is a risk that the hard drive and/or physical machine may be stolen

2) For defense in depth as machines are retired to ensure that data is wiped completely. By ensuring that the key is destroyed, access to the data is impossible. Without the keys, they don’t have your data. This would supplement (and potentially replace) any manual wiping that is performed as machines are returned/retired/recycled/destroyed.

3) For protection of images in transit being shipped to remote locations – for example to remote offices.

With advances in hardware processing making the overhead of FDE nearly negligible, and with the significant downward pricing pressure in the market (in the case of BitLocker, “free” if you are purchasing Software Assurance on the Windows OS), FDE may make sense for many of your fixed desktops as well.
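The three desktop use cases above, and the key-management caveat raised in the comments, all start from the same operational question: which fixed volumes on this machine are actually protected, and is the key held somewhere other than the device? The script below is an added example, not code from the post or from Microsoft. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later; on the Windows 7 machines discussed in the post, `manage-bde.exe -status` reports the same fields), an elevated session, and, for the optional escrow step, a domain with the BitLocker recovery-information schema extension in place. The function name `Get-FdeAuditReport` and the `Finding` labels are my own.

```powershell
# Added example (not from the Gartner post): audit BitLocker coverage on a fixed desktop
# and optionally escrow recovery passwords off-device to Active Directory.
# Assumes the BitLocker module (Windows 8 / Server 2012+); run from an elevated session.

function Get-FdeAuditReport {
    [CmdletBinding()]
    param(
        # When set, back up every recovery-password protector to AD DS as part of the audit
        [switch]$EscrowToAD
    )

    $report = foreach ($vol in Get-BitLockerVolume) {
        # Only internal fixed volumes are in scope here (OS volume and fixed data volumes);
        # removable media is governed by a different policy and is skipped.
        if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $tpm      = @($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')

        if ($EscrowToAD -and $recovery.Count -gt 0) {
            foreach ($rp in $recovery) {
                # Off-device key management: the recovery password must outlive the machine
                # (support, e-discovery, and a controlled crypto-erase at retirement).
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                             -KeyProtectorId $rp.KeyProtectorId | Out-Null
            }
        }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus     # On / Off
            VolumeStatus      = $vol.VolumeStatus         # FullyEncrypted, EncryptionInProgress, ...
            EncryptionPercent = $vol.EncryptionPercentage
            HasTpmProtector   = ($tpm.Count -gt 0)
            RecoveryKeyCount  = $recovery.Count
            # A volume that is encrypted but has no recovery protector is a data-loss risk,
            # and a volume with protection off is the theft risk from use case 1.
            Finding           = $(if ($vol.ProtectionStatus -ne 'On') { 'NOT PROTECTED' }
                                  elseif ($recovery.Count -eq 0)       { 'NO RECOVERY KEY' }
                                  else                                 { 'OK' })
        }
    }
    return $report
}

# Usage: inventory only, then inventory plus escrow of recovery passwords to AD.
Get-FdeAuditReport | Format-Table -AutoSize
# Get-FdeAuditReport -EscrowToAD | Where-Object Finding -ne 'OK'
```

Run across a fleet (for example through a configuration-management or remote-execution tool), the `Finding` column gives the list of fixed desktops that still need FDE for use case 1, and the `RecoveryKeyCount` / escrow step supports use case 2: a drive whose only key protectors are on the device, and whose recovery password was never copied off it, cannot be retired by key destruction with any confidence, because nobody can later prove the key was destroyed rather than simply lost.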



Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Full Drive Encryption is not just for Laptops

  1. Andre Gironda says:

    I don’t understand why companies bother with the operational nightmarish cost of application-based FDE.

    Just use SEDs. It’s hardware. You’re done!

  2. Aidan Herbert says:

    I don’t understand why computer vendors don’t make self-encrypting drives (SEDs) standard.

    Just make it easy for companies to acquire machines with SEDs.

  3. Neil MacDonald says:
    Agreed with this caveat: It’s all about key provisioning and key management. SEDs make encryption easy, but we must provision and manage the keys in a way that scales to enterprise needs across heterogeneous devices (including multiple Windows devices which may use SEDs from different manufacturers). Encryption as a standalone function is a commodity. Off-device enterprise-class key management is the key (bad pun!).

    The best encryption management solutions will handle key management and provisioning across multiple SEDs, BitLocker as well as the vendor’s native FDE solution. My colleague John Girard publishes a Magic Quadrant in this area:
