Implementations
There are multiple tools available in the market that allow for disk encryption. However, they vary greatly in features and security. They are divided into three main categories: software-based, hardware-based within the storage device, and hardware-based elsewhere (such as CPU or host bus adaptor). Hardware-based full disk encryption within the storage device are called self-encrypting drives and have no impact on performance whatsoever. Furthermore the media-encryption key never leaves the device itself and is therefore not available to any virus in the operating system. The Trusted Computing Group Opal drive provides industry accepted standardization for self-encrypting drives. External hardware is considerably faster than the software-based solutions although CPU versions may still have a performance impact, and the media encyption keys are not as well protected. All solutions for the boot drive require a Pre-Boot Authentication component which is available for all types of solutions from a number of vendors. It is important in all cases that the authentication credentials are usually a major potential weakness since the symmetric cryptography is usually strong.
Read more about this topic: Disk Encryption