I am not a fan of full disk encryption. That’s not to say that I don’t believe there are plenty of use cases where it is prudent or useful — I very much do, in fact — but the current trend of suggesting that everyone everywhere encrypt their disks is one that I can’t get behind. I understand that this is not a popular viewpoint among technologists today, and security experts everywhere shudder when they hear me say that, but over the years that opinion has solidified for me.
There are people for whom securing all the data on their devices is important. Journalists protecting their sources come to mind. Or employees with very sensitive trade secrets (surely Colonel Sanders’ laptop would be encrypted to protect the 11 herbs and spices). Health care professionals with patient data. There are thousands of examples of people who absolutely should encrypt their entire disk.
But for most common, ordinary, everyday people, I find that full disk encryption leads to far more trouble than it’s worth.
For one, the data they have just isn’t really that important. Almost all financial documents are stored online (and are encryped by the banks and financial services companies). Health records are typically stored in patient portals (and are, again, encrypted). Most of what people have on their hard drives are things like digital photos, home movies, notes, recipes, and things of that nature. While you want to keep those things private, I think the much more important thing (if you have to choose one or the other) is keeping them well preserved and accessible.
I can’t tell you the number of times, when working as a technician, that encryption has made a data recovery process either more difficult, or completely impossible. When someone’s computer dies it’s more important that I be able to easily grab the data off the old one and make sure it stays safe (because inevitably nobody keeps backups, despite my pleas for them to do so). Sure, there are ways to pull data off encrypted drives, but then you run into issues where people forget their passwords or don’t manage keys properly, and then there’s nothing I can do but say sorry and reformat the disk.
Or, in another example, in the event of an unexpected death, sometimes the person who needs access to the data never knew the password in the first place. It can be argued whether dying entitles someone else to access your data (hopefully that would already be settled up front in a digital will or advanced directive), but the point stands. If I kicked the bucket tomorrow, I like knowing that my friends and family can have access to the photos I’ve kept safe for them for so long.
And in general, without being able to provide any useful metrics or statistics, I just fine the errors related to encryption to not be worth it. Speaking specifically as a Mac tehnician, I can’t count on one hand the number of times a Mac has suddenly developed issues booting or developed otherwise unpredictible SSD issues after enabling FileVault.
So yes, I love that full disk encryption is getting to be a more prevalent option, and there are indeed many people who should use it. But my advice? For most people, the headache isnt worth the protection you get in the end.
