1

Suppose a full-disk-encrypted computer with hot-swappable hard drives is powered on (i.e. decrypted at boot by a trusted user) but is screen-locked.

In such a case, if an attacker with physical access were to remove and walk off with one of the disks (not the whole computer, just a disk), would they have free access to the data stored on it? Like, literally just mount the disk to a separate computer and start browsing? If the answer is yes, is there any way to mitigate this specific scenario?

Caveats: I understand that an attacker with physical access has a myriad of attack vectors other than the one I mentioned, and so "don't allow physical access" is the number one mitigation measure. The only similar question I can find deals with the whole computer being nabbed, not just a disk.

user1569317
  • 113
  • 4

1 Answer

1

Full Disk Encryption encrypts data at rest.

This is the fundamental part of the technology, and it's why it is used around the world for various governments and their departments.

When you use a drive with FDE, what will typically happen is that data is "decrypted on the fly". It does this by using System Memory (RAM) to temporarily hold the encrypted data, and having the CPU/GPU decrypt it.

This means if I had raw access to the disk even when you were using the machine, the drive would still be encrypted. Obviously, I could attempt to decrypt it with your encryption key stored in RAM.

So yes, your data is still protected while the computer is "live". The data and encryption key are stored in RAM.

dark_st3alth
  • 3,052
  • 8
  • 23
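To make the answer's point concrete (ciphertext on the platter, key only in the running machine's memory), here is an added simulation that is not part of the question or the answer above. It models a raw disk as a list of sectors and a booted machine as the only object holding the key; the per-sector cipher is a constructed toy (HMAC-SHA256 keystream in counter mode), not the AES-XTS that real FDE products such as LUKS or BitLocker use, and the sample file contents are made up. The `RawDisk`, `LiveMachine` and `demo` names are assumptions introduced for this example.

```python
import hashlib
import hmac
import os

SECTOR_SIZE = 512


def keystream(key: bytes, sector: int, length: int) -> bytes:
    """Toy per-sector keystream: HMAC-SHA256(key, sector || counter) in counter mode.

    Constructed for illustration only. Real FDE uses a tweakable block cipher
    (AES-XTS) instead, because a pure keystream reused on rewrites of the same
    sector would leak the XOR of old and new plaintext.
    """
    out = b""
    counter = 0
    while len(out) < length:
        msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RawDisk:
    """The physical medium: holds only ciphertext. This is what walks away."""

    def __init__(self, n_sectors: int):
        self.sectors = [b""] * n_sectors

    def read_raw(self, sector: int) -> bytes:
        return self.sectors[sector]

    def write_raw(self, sector: int, data: bytes) -> None:
        self.sectors[sector] = data


class LiveMachine:
    """A booted, unlocked machine: the FDE key lives only in its memory (RAM)."""

    def __init__(self, disk: RawDisk, key: bytes):
        self.disk = disk
        self.key = key

    def format(self) -> None:
        # Even unused space is written as ciphertext, as real FDE does.
        for i in range(len(self.disk.sectors)):
            self.write(i, bytes(SECTOR_SIZE))

    def write(self, sector: int, plaintext: bytes) -> None:
        assert len(plaintext) == SECTOR_SIZE
        ct = xor_bytes(plaintext, keystream(self.key, sector, SECTOR_SIZE))
        self.disk.write_raw(sector, ct)

    def read(self, sector: int) -> bytes:
        # "Decrypted on the fly": ciphertext comes off the disk, key in RAM unlocks it.
        return xor_bytes(self.disk.read_raw(sector), keystream(self.key, sector, SECTOR_SIZE))


def demo() -> dict:
    key = os.urandom(32)            # unlocked at boot by the trusted user
    disk = RawDisk(8)
    machine = LiveMachine(disk, key)
    machine.format()

    # Constructed sample file content written through the live machine.
    secret = b"payroll.xlsx: salaries for Q3".ljust(SECTOR_SIZE, b"\x00")
    machine.write(3, secret)

    live_view = machine.read(3)      # the logged-in session sees plaintext
    pulled_drive = disk.read_raw(3)  # attacker mounts the bare disk elsewhere: no key

    return {
        "live_sees_plaintext": live_view == secret,
        "raw_contains_plaintext": b"payroll" in pulled_drive,
        "raw_equals_plaintext": pulled_drive == secret,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The thing to notice is where the key is: it belongs to `LiveMachine`, never to `RawDisk`, so a disk moved to another computer yields only `read_raw` output. The same model also shows why the screen lock is irrelevant to the pulled disk, and why the remaining risk sits with the memory of the still-running machine rather than with the drive itself.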