Disk encryption is absolute magic to most non-mathematicians. And like any complex technology, it leads to uncomfortable questions.
Does encrypting a disk make it less likely that data can be recovered with utilities after a crash? Does encrypting the disk make it more likely to have errors and failures? Does encrypting the disk make it harder to transfer to a bigger boot disk? Just what are the pros and cons for the average PC user in a home or small business without a full-time IT department?
Make no mistake about it, disk encryption is a powerful security precaution. Using strong disk encryption means that your data is under your control and only your control. An unauthorized intruder who gains access to that encrypted data but doesn’t have proper sign-in credentials (your username and password) or a recovery key sees only what looks like pure gibberish. And brute-force techniques aren’t effective. Even with the assets of the world’s most powerful intelligence agencies, it can take years or even centuries to crack that code and decrypt the underlying data.
On PCs designed for Windows 10 and Windows 11, the system disk is encrypted by default, but that encryption uses a clear key. The encryption doesn’t protect your data unless you sign in with a Microsoft account, which protects the data and also saves a recovery key in OneDrive. On PCs running the Pro and Enterprise editions of Windows, you can enable BitLocker Drive Encryption, which is capable of encrypting any disk, including removable drives such as USB flash drives.
Modern Macs likewise offer built-in encryption using a feature called FileVault.
And now the bad news: If you forget the password or passphrase that is required to decrypt that data, the encryption software has no way to distinguish you from a hostile intruder, which means you are locked out of your encrypted data.
That’s not a bug, it’s a feature. A backdoor that would allow you to recover your data without the decryption key would also be available to an attacker, rendering the data protection useless.
But that’s the only difference between an encrypted disk and one where the data is stored in the clear. If your drive or controller fails, resulting in data corruption, it doesn’t matter whether the data is encrypted or not; you’ll need a backup to recover the damaged files. And on modern hardware, encryption and decryption using the AES standard takes place in the CPU, which means that any impact on data transfer speeds is negligible.
Which means your biggest challenge is to ensure that you have access to the backup encryption key for your device, for use only in the event of an emergency. On a Mac using Apple’s FileVault encryption, you can store the recovery key in iCloud or locally (follow the instructions in this support article). For devices running Windows 10 or Windows 11, follow the instructions in ZDNET’s BitLocker FAQ.
Make sure you store that recovery key in a safe place. If you can supply that key on demand, you have full access to the data on the encrypted disk.
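As an added example (not part of the original article), the PowerShell check below reports, for each volume on a Windows PC, whether it is encrypted but still unprotected (the clear-key state described above) and whether a recovery password protector exists. It assumes the built-in BitLocker module and an elevated prompt; the function name `Get-EncryptionAudit` and the finding strings are hypothetical.

```powershell
# Added example: audit BitLocker state on every volume.
# Run in an elevated PowerShell session; uses the BitLocker module shipped with Windows.
function Get-EncryptionAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Collect protector types (Tpm, RecoveryPassword, ...). The recovery
        # password itself is deliberately never read or printed.
        $types = @(foreach ($kp in $vol.KeyProtector) { "$($kp.KeyProtectorType)" })

        # Data is encrypted on disk unless the volume is fully decrypted.
        $encrypted = "$($vol.VolumeStatus)" -ne 'FullyDecrypted'

        # Encrypted with protection Off: the volume key is stored unprotected
        # on the disk (a clear key), so the encryption is not yet protecting anything.
        $clearKey = $encrypted -and ("$($vol.ProtectionStatus)" -eq 'Off')

        # A RecoveryPassword protector is the 48-digit recovery key.
        $hasRecovery = $types -contains 'RecoveryPassword'

        $finding = if (-not $encrypted) {
            'Not encrypted'
        } elseif ($clearKey) {
            'Encrypted, but protection is off (clear key)'
        } elseif (-not $hasRecovery) {
            'Protected, but no recovery password exists'
        } else {
            'Protected; confirm you can locate the recovery key'
        }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeStatus = $vol.VolumeStatus
            Protection   = $vol.ProtectionStatus
            Protectors   = $types -join ', '
            Finding      = $finding
        }
    }
}

Get-EncryptionAudit | Format-Table -AutoSize -Wrap
```

A volume that shows "Protected, but no recovery password exists" unlocks normally today but leaves no fallback if the sign-in credentials or TPM are lost.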