Disk Encryption Controls

Disk encryption is the protection of stored data on a device by keeping it unreadable without the required cryptographic key or unlock process.

In plain language, it helps protect data at rest if a laptop, workstation, or storage device is lost, stolen, or accessed without authorization.

Why It Matters

Disk encryption matters because many incidents involve device loss rather than a remote compromise. If the storage is readable as-is, sensitive files can be read directly from the disk even though the attacker never logged in to an operating system account.

It also matters because protecting stored data is different from protecting data in transit (for example with TLS) or data in active use, which sits decrypted in memory on an unlocked device.

For portable devices, disk encryption is often one of the highest-value baseline controls because it limits what an attacker can learn from a stolen laptop or mobile device without first getting through the cryptographic unlock path.

Where It Appears in Real Systems or Security Workflow

Disk encryption appears in managed laptops, mobile devices, endpoint compliance policy, and regulated data-protection programs. Teams connect it to Device Compliance, Mobile Device Management, Secure Boot, Symmetric Encryption, and Remote Wipe.

It is one of the most practical safeguards for portable devices that carry sensitive information.

Security teams usually pair disk encryption with recovery-key handling, secure startup controls, and device-compliance policy. Encryption is strongest when the organization can both enforce it consistently and recover safely from legitimate lockouts.
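The pairing described above (encryption enforced consistently, recovery keys escrowed, startup trust present) is what a device-compliance check actually evaluates. The following is an added example, not code from the original article or from any named product. It assumes a Linux endpoint whose block-device layout was captured with `lsblk -Po NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`, plus two inventory flags (recovery key escrowed, Secure Boot enabled) that a hypothetical MDM export would supply. All device data below is constructed. It goes slightly beyond the page's wording by walking the full parent chain of each mounted filesystem, so LVM-on-LUKS and similar stacked layouts are recognised as encrypted.

```python
"""Disk-encryption compliance check over constructed endpoint inventory data.

Added example (not part of the original article). Input: `lsblk -Po ...`
key="value" output captured on the endpoint, plus MDM-style flags.
"""
import shlex
from dataclasses import dataclass

# Unencrypted boot partitions are expected; startup trust (Secure Boot) covers them.
BOOT_MOUNTS = {"/boot", "/boot/efi"}


@dataclass(frozen=True)
class BlockDevice:
    name: str
    type: str        # disk, part, crypt, lvm, ...
    fstype: str
    mountpoint: str  # "" when not mounted; "[SWAP]" for active swap
    pkname: str      # parent kernel device name, "" for a top-level disk


def parse_lsblk_pairs(text: str) -> dict[str, BlockDevice]:
    """Parse `lsblk -Po NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` into a name-keyed map."""
    devices: dict[str, BlockDevice] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex handles the quoted values, including empty ones such as FSTYPE=""
        fields = dict(token.split("=", 1) for token in shlex.split(line))
        dev = BlockDevice(
            name=fields.get("NAME", ""),
            type=fields.get("TYPE", ""),
            fstype=fields.get("FSTYPE", ""),
            mountpoint=fields.get("MOUNTPOINT", ""),
            pkname=fields.get("PKNAME", ""),
        )
        devices[dev.name] = dev
    return devices


def mount_is_encrypted(devices: dict[str, BlockDevice], mountpoint: str) -> bool:
    """True if the device holding `mountpoint` has a dm-crypt layer anywhere below it."""
    current = next((d for d in devices.values() if d.mountpoint == mountpoint), None)
    seen: set[str] = set()
    while current is not None and current.name not in seen:
        seen.add(current.name)
        if current.type == "crypt":
            return True
        current = devices.get(current.pkname)  # climb to the parent device
    return False


def unencrypted_mounts(devices: dict[str, BlockDevice]) -> list[str]:
    """Mounted filesystems (and swap) that are not backed by an encrypted layer."""
    return sorted(
        d.mountpoint for d in devices.values()
        if d.mountpoint and d.mountpoint not in BOOT_MOUNTS
        and not mount_is_encrypted(devices, d.mountpoint)
    )


@dataclass(frozen=True)
class DeviceRecord:
    hostname: str
    lsblk_pairs: str
    recovery_key_escrowed: bool   # hypothetical MDM inventory flag
    secure_boot_enabled: bool     # hypothetical MDM inventory flag


def evaluate(record: DeviceRecord) -> list[str]:
    """Return policy findings for one device; an empty list means compliant."""
    findings = []
    devices = parse_lsblk_pairs(record.lsblk_pairs)
    for mp in unencrypted_mounts(devices):
        findings.append(f"unencrypted filesystem mounted at {mp}")
    if not findings and not record.recovery_key_escrowed:
        # Encrypted but unrecoverable: a legitimate lockout becomes data loss.
        findings.append("recovery key not escrowed")
    if not record.secure_boot_enabled:
        findings.append("Secure Boot disabled")
    return findings


# Constructed lsblk -P output for three layouts.
LUKS_ROOT = '''
NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="nvme0n1p2"
'''
PLAIN_ROOT = '''
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda"
NAME="sda3" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="sda"
'''
LVM_ON_LUKS = '''
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptlvm" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptlvm"
NAME="vg-home" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="cryptlvm"
'''

SAMPLE_INVENTORY = [
    DeviceRecord("laptop-01", LUKS_ROOT, recovery_key_escrowed=True, secure_boot_enabled=True),
    DeviceRecord("laptop-02", PLAIN_ROOT, recovery_key_escrowed=False, secure_boot_enabled=True),
    DeviceRecord("laptop-03", LVM_ON_LUKS, recovery_key_escrowed=False, secure_boot_enabled=False),
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        findings = evaluate(rec)
        print(rec.hostname, "COMPLIANT" if not findings else "NON-COMPLIANT", findings)
```

The check treats "encrypted" as a property of the whole stack under a mountpoint, not of the partition table alone, which is why laptop-03's LVM volumes count as protected while laptop-02's unencrypted swap is flagged alongside its root filesystem. Separating the escrow finding from the encryption finding mirrors the point above: a device that is encrypted but has no escrowed recovery key is not safely recoverable, and a compliance policy should say so explicitly rather than reporting it as simply "encrypted".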

What Disk Encryption Does Not Solve

  • It does not prevent misuse after a device is already unlocked.
  • It does not replace identity controls, monitoring, or endpoint response.
  • It does not remove the need for safe recovery-key handling and startup trust.

Practical Example

A company laptop is stolen from a car. Because the device uses full-disk encryption and the attacker does not have the proper unlock path, the stored files remain far harder to access than they would on an unencrypted device.

Common Misunderstandings and Close Contrasts

Disk encryption is not the same as TLS. TLS protects data in transit, while disk encryption protects stored data at rest.

It is also not a full answer to endpoint security. Once a device is already unlocked and in use, many other controls still matter.

It is also different from selective file encryption. Full-disk encryption protects broad storage contents by default, while narrower file-level protections may cover only specific data or workflows.

Knowledge Check

  1. What problem does disk encryption help with most directly? It helps protect stored data if a device is lost, stolen, or accessed without authorization while powered down or locked.
  2. Why is disk encryption not the same as complete endpoint protection? Because once the device is unlocked and operating normally, many other controls still determine whether the endpoint is safe.

Revised on Friday, April 24, 2026