Full disk encryption software uses a symmetric encryption algorithm to encrypt every block on a hard disk or other persistent storage medium (e.g., flash drives). The idea is that even if the storage device is lost or stolen, none of the contents of the filesystem will be compromised.
A key consideration with full disk encryption is generating and securing the encryption key. Normally a single, long, pseudo-random encryption key is used to encrypt the storage device. User keys are used to encrypt/decrypt the disk encryption key. User keys, in turn, may be:
The most common approach to key management on personal computers (i.e., not servers where system startup typically must proceed unattended) is to prompt the user to enter a password prior to starting the PC's operating system. The password decrypts the user's key, which in turn decrypts the data key that encrypts/decrypts hard drive contents.
Where pre-boot password authentication is used, the pre-boot password may be synchronized with the user's primary network login password -- usually an Active Directory password. This reduces the number of distinct passwords users must remember and type.
If a user forgets his pre-boot password, he must go through an unlock process. Typically the full disk encryption software presents the user with a challenge string, which the user communicates to an IT support person with access to a key recovery application. The support person enters the challenge string and reads back a response, which the user must type. A correct response will unlock the user's PC, at which time the user should choose a new password (and remember it this time!).
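The key hierarchy described above (password, user key, data key) and the two ways out of it, written as an added Go example that is not Hitachi ID's or any vendor's code: the disk data key (DEK) is stored only wrapped, once under a password-derived key and once under a recovery key, so a help-desk unlock and a password change both touch the wrapped copy and never the encrypted disk blocks. The function names, the PBKDF2 iteration count, and the use of a static recovery key (a simplified stand-in for the challenge/response exchange the text describes) are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// deriveKEK: pre-boot password -> 32-byte key-encryption key (PBKDF2-HMAC-SHA256, one block,
// hand-rolled on the standard library; the iteration count is illustrative only).
func deriveKEK(password, salt []byte) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	t := mac.Sum(nil)             // U1; t accumulates U1 xor U2 xor ... xor Uc
	u := t
	for i := 1; i < 100000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// WrapDEK seals the disk data key under kek with AES-256-GCM, random nonce prepended.
// The same DEK is wrapped once per unlock path: user password and IT recovery key.
func WrapDEK(kek, dek []byte) []byte {
	block, _ := aes.NewCipher(kek) // kek is always 32 bytes in this example
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, dek, nil)
}

// UnwrapDEK fails on a wrong key or a tampered slot because the GCM tag does not verify.
func UnwrapDEK(kek, slot []byte) ([]byte, error) {
	block, _ := aes.NewCipher(kek)
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, slot[:g.NonceSize()], slot[g.NonceSize():], nil)
}

// ChangePassword (password sync or reset) re-wraps the DEK only; no disk block is re-encrypted.
func ChangePassword(slot, salt, oldPw, newPw []byte) ([]byte, error) {
	dek, err := UnwrapDEK(deriveKEK(oldPw, salt), slot)
	if err != nil {
		return nil, err
	}
	return WrapDEK(deriveKEK(newPw, salt), dek), nil
}
```

A real implementation would also keep a length check on the slot before slicing and would rotate the recovery slot when IT support has used it.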
Hitachi ID Password Manager enables users whose PC is protected by disk encryption software, and who have forgotten the pre-boot password used to unlock it, to reactivate their PC.
The process for key recovery is as follows: