1205 Device Integrity Protection - For maximum security, wait for initial encryption to complete before storing sensitive information

While SecureDoc performs an invaluable service by ensuring that data is protected by encryption and that access to SecureDoc-protected devices is locked down, permitting only specific users to authenticate at Pre-Boot, there are other risks that any security-conscious organization should be aware of and include in its overall security design.

For maximum security, wait for initial encryption to complete before storing sensitive information

When performing Software Encryption of a disk drive or other media, SecureDoc encrypts sector by sector, finishing one block of information before moving on to the next.

If a user is updating or storing sensitive data during the initial software encryption of the disk, there is no guarantee of where the Operating System will store a given item of data. It may be stored in already-encrypted space, in which case it is secure, or it may be stored in yet-to-be-encrypted space, in which case that data could remain in plain text (and therefore at risk if the device were stolen and accessed) until the sector-by-sector encryption reaches the sectors containing the newly written data.

To mitigate this risk, the ideal security scenarios would entail one or more of the following:

  • Performing initial software-based encryption at a point where the device is not in use, and where it can be physically secured and protected from network or other attack
  • Performing initial software-based encryption on factory-fresh equipment before deploying the equipment to an end user. This can be accelerated by using SecureDoc's "Data only" initial encryption option (recommended ONLY for factory-fresh disk drives), which speeds up initial encryption by encrypting only the data on the disk and leaving the null bytes of a fresh disk unencrypted until they are written to.
  • Using Self-Encrypting Drives, which can be placed into Managed mode within a few seconds.
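As an added illustration (not SecureDoc's code; the sector size, the XOR transform and the rule that writes behind the front are encrypted while writes ahead of it are not are toy assumptions), the model below walks a sector-by-sector sweep over a constructed disk. It shows that a write landing ahead of the encryption front stays readable from the raw medium until the sweep reaches it, and how the "Data only" option leaves untouched zero sectors unencrypted until they are first written to.

```python
# Added example, not SecureDoc's code: toy model of a sector-by-sector sweep.
SECTOR_SIZE = 16   # constructed toy size; real sectors are 512 or 4096 bytes
KEY = 0x5A         # toy XOR "cipher" standing in for the real disk cipher

def toy_encrypt(block):          # symmetric toy transform, decrypt == encrypt
    return bytes(b ^ KEY for b in block)

class Disk:
    def __init__(self, n_sectors, preexisting=None):
        # Constructed medium: all-zero (fresh) sectors plus a few data sectors.
        self.sectors = [bytes(SECTOR_SIZE) for _ in range(n_sectors)]
        for idx, data in (preexisting or {}).items():
            self.sectors[idx] = data.ljust(SECTOR_SIZE, b"\0")
        self.front = 0           # next sector the encryption sweep will visit
    def sweep_step(self, data_only=False):
        # Encrypt the next sector in order; with data_only=True an all-zero sector
        # is skipped ("Data only" option) and stays zero until first written to.
        i = self.front
        if i >= len(self.sectors):
            return False
        if not (data_only and self.sectors[i] == bytes(SECTOR_SIZE)):
            self.sectors[i] = toy_encrypt(self.sectors[i])
        self.front += 1
        return True
    def os_write(self, idx, data):
        # A write issued mid-sweep: behind the front it is encrypted on the way
        # down; ahead of the front it lands as-is and stays plaintext for now.
        block = data.ljust(SECTOR_SIZE, b"\0")
        self.sectors[idx] = toy_encrypt(block) if idx < self.front else block
    def plaintext_sectors(self, marker):
        # What someone reading the raw medium without the key would find.
        return [i for i, s in enumerate(self.sectors) if marker in s]

def mid_sweep_demo():
    disk = Disk(8, {0: b"old data"})
    for _ in range(3):           # sweep has covered sectors 0..2
        disk.sweep_step()
    disk.os_write(1, b"TOKEN")   # behind the front: encrypted immediately
    disk.os_write(6, b"SECRET")  # ahead of the front: lands in plaintext
    exposed = disk.plaintext_sectors(b"TOKEN") + disk.plaintext_sectors(b"SECRET")
    while disk.sweep_step():     # let initial encryption finish
        pass
    return exposed, disk.plaintext_sectors(b"SECRET")   # ([6], [])

def data_only_demo():
    disk = Disk(8, {0: b"old data"})   # factory-fresh apart from one sector
    while disk.sweep_step(data_only=True):
        pass
    skipped = [i for i, s in enumerate(disk.sectors) if s == bytes(SECTOR_SIZE)]
    disk.os_write(5, b"NEW")           # first write into a skipped sector
    return skipped, disk.plaintext_sectors(b"NEW")   # ([1, 2, 3, 4, 5, 6, 7], [])
```

The first demo is the exposure window the page describes: sector 6 is readable until the sweep arrives, then not; the second shows why "Data only" is safe only on a fresh disk, since every skipped sector is one whose zero contents nobody cares about.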