Disk Encryption

Disk encryption is the protection of stored data on a device by keeping it unreadable without the required cryptographic key or unlock process. In plain language, it helps protect data at rest if a laptop, workstation, or storage device is lost, stolen, or accessed without authorization.

Why It Matters

Disk encryption matters because many incidents involve device loss rather than a remote compromise. If the drive can be read as-is, sensitive files may be exposed even when the operating system account itself was never breached.

It also matters because protecting stored data (data at rest) is a separate problem from protecting data in transit or data in active use; the controls for those two cases do not cover a drive that is sitting idle.

Where It Appears in Real Systems or Security Workflow

Disk encryption appears in managed laptops, mobile devices, endpoint compliance policy, and regulated data-protection programs. Teams connect it to Device Compliance, Mobile Device Management, Secure Boot, Symmetric Encryption, and Remote Wipe.

It is one of the most practical safeguards for portable devices that carry sensitive information.
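The compliance side of this is a check, not a setting: a policy engine has to confirm that the root filesystem actually sits on an encrypted layer before it trusts the device. The script below is an added example, not code from this glossary or from any named product; it parses the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` on Linux and walks the parent chain from the device mounted at `/`. The device names and the two sample layouts are constructed.

```shell
#!/bin/sh
# Added example (not from the original entry): the check a Linux device-
# compliance policy would run to confirm the root filesystem sits on a
# dm-crypt (e.g. LUKS) layer. Input is `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`
# output: KEY="VALUE" pairs, one block device per line. It walks the PKNAME
# (parent) chain upward from the device mounted at "/" until it meets
# TYPE="crypt". Device names below are constructed sample data.

root_disk_state() {
    # $1 is the lsblk -P text; taking it as a string keeps the check testable offline
    printf '%s\n' "$1" | awk '
    {
        gsub(/"/, "")                 # now: NAME=x TYPE=y MOUNTPOINT=z PKNAME=p
        name = ""; type = ""; mnt = ""; pk = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "NAME") name = val
            else if (key == "TYPE") type = val
            else if (key == "MOUNTPOINT") mnt = val
            else if (key == "PKNAME") pk = val
        }
        types[name] = type; parent[name] = pk   # multi-parent (RAID) devices keep the last line
        if (mnt == "/") root = name
    }
    END {
        if (root == "") { print "unknown"; exit }
        for (d = root; d != ""; d = parent[d])
            if (types[d] == "crypt") { print "encrypted"; exit }
        print "plaintext"
    }'
}

# Constructed sample: LVM root volume stacked on a LUKS container on partition 2.
SAMPLE_ENCRYPTED='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"'

# Constructed sample: root filesystem written straight onto an unencrypted partition.
SAMPLE_PLAINTEXT='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"'

printf 'laptop A: %s\n' "$(root_disk_state "$SAMPLE_ENCRYPTED")"   # encrypted
printf 'laptop B: %s\n' "$(root_disk_state "$SAMPLE_PLAINTEXT")"   # plaintext
# On a live host: root_disk_state "$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)"
```

A result of `encrypted` only says the at-rest layer exists; it says nothing about whether the volume is currently unlocked, which is the case the last section of this entry covers.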

Practical Example

A company laptop is stolen from a car. Because the device uses full-disk encryption and the attacker does not have the proper unlock path, the stored files remain far harder to access than they would on an unencrypted device.

Common Misunderstandings and Close Contrasts

Disk encryption is not the same as TLS. TLS protects data in transit, while disk encryption protects stored data at rest.

It is also not a full answer to endpoint security. Once a device is unlocked and in use, the encryption no longer stands between an attacker and the data, so many other controls still matter.