What type of encryption should be selected to prevent data exposure if a device is stolen and is locked or turned off?

Full-disk encryption is the appropriate choice for preventing data exposure in the event that a device is stolen and is locked or turned off. This method encrypts all the data on the disk, meaning that any unauthorized access to the physical storage would not reveal any usable data unless the correct decryption key or password is provided.

When a device is powered down, file or application-level encryption may not effectively protect sensitive data, as they generally encrypt specific files or applications while leaving the rest of the disk potentially vulnerable. Similarly, network encryption primarily secures data in transit across networks rather than data stored on a device. Consequently, full-disk encryption provides a comprehensive solution by ensuring that all stored data remains inaccessible without proper authentication, effectively mitigating the risk of data exposure from physical theft.