What Full Disk Encryption Actually Protects You From, and What It Does Not
A plain English primer on threat models: what BitLocker, FileVault, and LUKS defend against, what they quietly do not, and why 'encrypted' is not a yes or no answer.
Someone leaves a work laptop in the back of a taxi. A few hours later, panic sets in around the office. Is the company data safe? Almost everyone reaches for the same reassuring line: "It is fine, the disk is encrypted." And they might be completely right, or completely wrong, and the difference comes down to details that most people never think about. That gap between "we encrypted it" and "we are actually safe" is what this article is about.
"Is your disk encrypted?" is a poor question. Not because encryption does not matter (it matters enormously) but because the honest answer is always another question: encrypted against what? This is a friendly walk through the one idea that makes the rest of security click into place: the threat model. Do not let the phrase scare you. A threat model is just a clear answer to "what am I protecting, and from whom?"
What full disk encryption actually does
Full disk encryption, which shows up as BitLocker on Windows, FileVault on macOS, and LUKS on Linux, scrambles everything on your drive so that reading the raw storage gives you meaningless noise instead of files. "Encryption" here means turning readable data into a jumble using a secret key, so that only someone with the key can turn it back into something useful. Without the key, the bytes on the drive are gibberish.
The critical detail, the one that decides everything else, is this: the data is only scrambled while the key is absent. The moment your machine unlocks the drive so it can actually run, the data becomes plaintext, meaning ordinary readable data, to anything running on that machine. The encryption has done its job and stepped aside. So full disk encryption protects against exactly one situation.
Someone gets your storage while it is locked.
That is it. That is the whole guarantee. It is a genuinely valuable guarantee, but it is a narrow one, and everything else depends on the details.
The core idea
Encryption at rest protects data at rest: data sitting on a powered-off, locked device. It does almost nothing for a device that is already running and unlocked.
The phrase "at rest" is worth pausing on. Data "at rest" is data sitting still in storage, not being used. The opposite is data "in use", which is data the running system has already unlocked and is actively working with. Full disk encryption guards the first and is simply not designed to guard the second.
What it protects against
When the device is genuinely off and locked, and only the storage itself falls into the wrong hands, full disk encryption is exactly the right tool.
- A stolen, powered-off laptop. The thief gets a lump of hardware, not your files. This is the classic taxi scenario, and it is where encryption shines.
- A drive pulled out and read in another machine. Take the physical disk, plug it into a different computer, and all you get is ciphertext, the scrambled version with no key to unlock it.
- Improper disposal. A decommissioned encrypted drive is mostly safe to throw out or recycle, because whatever remains on it is unreadable without the key.
Notice the common thread. In every case the attacker gets the storage while it is locked, and the running system, with its unlocked key in memory, is nowhere in the picture.
What it does not protect against
Here is where the reassuring line falls apart. In each of these cases the disk may be fully encrypted and it makes no difference at all, because the data is no longer at rest.
- Malware on your running machine. By the time malware is running, the operating system has already decrypted everything for its own use. The malware simply reads the files like any other program. For more on how that malware arrives, see our explainer on what malware is.
- Someone using your unlocked, logged-in session. You walked away without locking the screen. To the person sitting down at your desk, the disk is plain readable data. The encryption is wide awake and helping them.
- A weak or absent unlock secret. If the key is released automatically with no human input, an attacker who controls how the machine starts up may be able to grab it too. This is exactly the hole behind the WinRE BitLocker bypasses.
- Cloud backups, synced files, or an unlocked phone. Once your data has been copied off to the cloud, synced to another device, or opened on a phone, it has left the encrypted drive entirely. The protection stayed behind with the disk.
An unlocked device is an open book
The single most common misunderstanding is thinking encryption keeps working once you have logged in. It does not. From the moment you unlock, your files are as readable as they would be with no encryption at all. Locking your screen when you step away is not a nicety; it is the thing that actually re-engages the protection.
The "it depends" in the middle
Between the clear wins and the clear misses sits a grey area, and it is the most interesting part. Whether full disk encryption saves you against an attacker who has physical access and time with your machine depends entirely on one setting: how the key gets unlocked. This unlocking mechanism is often called the protector.
- TPM only (auto unlock): weakest. The key is released with no human secret.
- TPM plus PIN: strong. The attacker needs something you know.
- Passphrase at boot: strong, if the passphrase is good.
A quick word on the jargon. A TPM, or Trusted Platform Module, is a small secure chip inside the machine that can store the key and hand it over automatically when the computer starts. That is convenient, because the disk just unlocks and you never type anything, but convenience is the problem. If the key is released with no secret only you know, then an attacker who gets the whole machine, chip and all, may be able to coax the key out. Add a PIN, a short code you type at startup, or a full passphrase, and suddenly the attacker needs something inside your head, which they cannot steal along with the laptop.
Same feature, wildly different real world strength. "Encrypted, yes or no" told you nothing useful. The protector told you everything. Two identical laptops, both honestly described as "encrypted", can offer strong protection or almost none, purely based on this one choice.
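To turn the protector table above into something a defender can actually check, here is an added example (not from the original article) that reads a BitLocker protector listing and rates the volume by the weakest protector an attacker would face at boot. It assumes the text layout of `manage-bde -protectors -get <drive>`, where each protector appears as a four-space-indented heading ending in a colon (such as `TPM:` or `TPM And PIN:`); the sample dump is constructed, with placeholder IDs.

```python
import re

# Constructed sample in the manage-bde -protectors -get layout: a TPM-only
# boot protector plus the usual recovery password. IDs and password are placeholders.
SAMPLE_DUMP = """\
Volume C: [Windows]
All Key Protectors

    Numerical Password:
      ID: {PLACEHOLDER-RECOVERY-ID}
      Password:
        000000-000000-000000-000000-000000-000000-000000-000000

    TPM:
      ID: {PLACEHOLDER-TPM-ID}
      PCR Validation Profile:
        7, 11
"""

# Boot-time protectors, scored from the article's table (higher is stronger).
# Recovery-only protectors (Numerical Password, External Key) are ignored:
# they are for getting back in, not what an attacker faces at boot.
BOOT_RANK = {"TPM": 0, "TPM And PIN": 2, "Password": 2}
BOOT_LABEL = {
    "TPM": "weakest: key released with no human secret",
    "TPM And PIN": "strong: attacker needs something you know",
    "Password": "strong, if the passphrase is good",
}

# A protector heading sits at exactly four spaces of indent and ends in a colon.
HEADING = re.compile(r"^ {4}(\S[^:]*):\s*$")


def parse_protectors(dump: str) -> list[str]:
    """Return the protector type names listed in a manage-bde style dump."""
    return [m.group(1) for line in dump.splitlines() if (m := HEADING.match(line))]


def rate_volume(protectors: list[str]) -> tuple[str, str]:
    """Pick the protector an attacker faces at boot and rate it.

    If more than one boot-capable protector is present, the weakest one
    decides, because the attacker only needs one path that works.
    """
    boot = [p for p in protectors if p in BOOT_RANK]
    if not boot:
        return ("none", "no boot protector: unlockable only with a recovery key, or unprotected")
    weakest = min(boot, key=BOOT_RANK.get)
    return (weakest, BOOT_LABEL[weakest])


if __name__ == "__main__":
    found = parse_protectors(SAMPLE_DUMP)
    print("protectors:", found)
    print("boot protector and rating:", rate_volume(found))
```

Run against the constructed dump it reports the TPM-only protector as "weakest", which is the auto-unlock case the table warns about.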
Convenience and security are trading places
Auto unlock feels great because you never think about it. That is precisely why it is weaker. Every time a security control asks nothing of you, ask what it is no longer able to promise. Usually you have traded a bit of protection for the convenience.
How to actually think about it
Instead of asking the vague question "am I secure," build a tiny threat model with three questions. You can do this in your head in under a minute, and it works for far more than encryption.
- What am I protecting? The files, the saved credentials, a signing key, the whole device? Be specific.
- Who is the attacker, and what can they do? Someone remote over the internet, someone with physical hands on the device, or a colleague already logged in next to you? These are very different people with very different powers.
- Does this control actually stop that attacker? Match the answer from question two against what the control genuinely does.
Run encryption through that filter and the picture becomes clear. Encryption at rest is a great answer to lost or stolen hardware. It is the wrong tool for malware, and the wrong tool for someone borrowing your unlocked laptop, because in both of those cases the data is no longer at rest. Match the control to the threat, and never let a green "Encrypted" tick lull you into thinking the job is finished.
Next step
Want to see what happens when the answer to "who is allowed to unlock it" is wrong? Read our writeup on the 2026 WinRE BitLocker bypass wave. It is this exact lesson playing out in the real world.
The takeaway
Full disk encryption does one thing very well: it protects data at rest, on a device that is powered off and locked, so that stolen or discarded storage is just noise to whoever holds it. It does almost nothing once the machine is running and unlocked, because at that point your files are already plain readable data to any program, any malware, and any person sitting at the keyboard. In the grey area of a determined attacker with physical access, your safety comes down to the protector: an automatic unlock is weak, while a PIN or a strong passphrase is genuinely strong. So stop asking "is it encrypted" as if it were a yes or no answer. Ask what you are protecting, who you are protecting it from, and whether this particular control actually stops that particular attacker. That habit, the threat model, is the idea that makes all the rest of security finally click.