Yesterday, I was assembling some notes on the benefits of having Full Disk Encryption (FDE) being available across all Linux distros. I awoke to a high severity CVE concerning OpenSSL, which is generally used to secure communications on the (OSI) transport level but sometimes used for file-level encryption. The takeaway is nothing less than that (AES) encryption is everywhere.
Your data can be reasonably safe except with FDE enabled. It shouldn't be anything less than mandatory, even if it's not always "enough" on its own. A stolen laptop or phone can be a source of data exfiltration without it. App-centric password, and platforms that manage identity and access control, layer on more assurance to keep your information safe. This isn't a topic that should only interest auditors and regulators: FDE should be a policy that your organization implements cross-OS.
There's always a tendency to overreact when a device goes missing and some pricey security systems are available to can track lost equipment. Risk management professionals use formulas to determine whether the cost justifies the solution. A laptop being stolen is an uncommon occurrence (ARO), so FDE is the most practical and effective solution to mitigate the risk of stolen data.
