OPSEC52 / Week 8 — Full-disk encryption
Seven weeks of separate emails, phones, browser profiles and vaults all live on one lump of silicon. If someone powers off your laptop, walks it away, and the disk isn’t encrypted, none of your compartmentalization matters — they read everything at rest, including the password manager you were so careful about. Full-disk encryption is the single control that turns a seized device from “read my whole life” into “here’s some random noise.” It’s free, built into every OS, and most people still leave it half-off.
Threat model: physical seizure at a border, traffic stop, or arrest while the machine is off or suspended; theft; a repair shop or hotel adversary imaging the drive; forensic recovery from a discarded or sold device; unencrypted swap, hibernation, and cloud backups that leak plaintext even when the main volume is encrypted; and cold-boot / DMA attacks against a machine left running and unlocked.
Encryption at rest is the floor, not the ceiling
Every other pillar in this series protects data in motion — who sees your traffic, your identity, your logins. Full-disk encryption (FDE) protects data at rest: the bytes sitting on the drive when the device is off. Without it, an adversary who gains physical possession skips every other control you built. They don’t need your password manager’s master passphrase — they just read the vault file, your browser profiles, your shell history, your Monero wallet cache, straight off the platters. FDE is the floor the rest of your OPSEC stands on. If it’s missing, everything above it is theater.
The “off vs locked” distinction that decides everything
FDE only defends a device that is fully powered off (or hibernated to an encrypted disk). This is the detail almost everyone gets wrong:
- Powered off → the key is not in memory. The disk is genuinely opaque. This is the state you want at a border or any time the device leaves your control.
- Locked / suspended (sleep) → the encryption key is still in RAM. A lock screen is a UI prompt, not encryption. A sufficiently equipped adversary can pull the key from memory (cold-boot, DMA over Thunderbolt/PCIe) or simply wait for you to unlock it.
Practical rule: if you might lose control of the device — shut it down, don’t just close the lid. Set a short auto-lock, and prefer “hibernate” or full shutdown over “sleep” when crossing any threshold where the machine could be taken.
Turn it on — it’s already there
- Windows: BitLocker (Pro/Enterprise) or Device Encryption (Home). Verify it’s actually on and that the recovery key is not auto-escrowed to your Microsoft account if that account is real-name.
- macOS: FileVault. One toggle. Store the recovery key yourself, not in iCloud.
- Linux: LUKS, ideally chosen at install (full root + swap encryption). Encrypting only
/homeleaves logs, swap, and temp files in the clear. - Android / iPhone: on by default for years — but the strength collapses to your screen-lock. A 4-digit PIN is brute-forceable; use a long alphanumeric passphrase.
The leaks that survive “encrypted disk”
FDE on the main volume is not the whole job. Plaintext escapes through the seams:
- Swap & hibernation — if these aren’t inside the encrypted volume, secrets paged out of RAM land on disk in the clear. Encrypt swap; encrypt the hibernation file.
- Cloud backups — an encrypted laptop that auto-syncs to an unencrypted (or provider-readable) cloud backup has simply moved the plaintext somewhere else. Check what’s backing up.
- External drives & USB sticks — the encrypted laptop plus an unencrypted backup drive equals an unencrypted backup drive. Encrypt removable media too (VeraCrypt is cross-platform for this).
- The passphrase itself — FDE turns your whole device into a single secret. A weak login/boot password undoes it. This passphrase should be long, unique, and never reused (see Week 7).
This week’s drills
- Confirm FDE is actually on — not “supported,” on — on every device: laptop, phone, tablet.
- Move the recovery key off the vendor cloud if it’s escrowed to a real-name account; store it in your password manager or on paper in a safe.
- Set the pre-boot / login passphrase to a long, unique string. A locked but weakly-passworded disk is a speed bump, not a wall.
- Encrypt your backups and USB media — the weakest copy sets your real security level.
- Practice the border habit: full shutdown, not sleep, whenever the device might leave your hands.
Full-disk encryption won’t stop a running, unlocked machine, and it won’t beat a wrench that makes you type the passphrase. But it converts the single most common real-world attack — “they got the device” — from total compromise into a shrug. Everything else you’ve built this series only holds if this one is on.
Curated by Cyber Satoshi