What type of encryption is best: Hardware, whole disk or file- and directory-based?
Well, it's dependent on your environment. If you are trying to encrypt disks in a storage area network (SAN) or network-attached storage (NAS) environment, you may not have a choice except to go with whatever your vendor offers. Or, you might not have any encryption options at all. So, it depends on the particular hardware you are using, the management systems that you are using, whether or not you have laptops, etc.
All this hype and noise we've been hearing over the past six months to a year really involves laptops, desktops and basic server drive encryption. So, to answer your question in that context, I like whole-disk encryption. It really is the most foolproof and dependable that I've seen. That said, I haven't used the hardware offerings, like Seagate's Momentus drives.
I'm not a big fan of partition- or directory-based encryption because at that point you are relying on applications and/or people to make sure sensitive information gets where it's supposed to go. And, we've all learned the hard way that you simply can't rely on this. All it takes is for a user to store a document someplace outside the encrypted area, and it's completely vulnerable.
This was first published in October 2007