If disk encryption is used, how should logical access to encrypted data be managed?

Prepare for the PCI DSS Test with detailed questions and explanations. Use flashcards and quizzes to enhance knowledge. Ensure you're ready for your certification exam!

Multiple Choice

If disk encryption is used, how should logical access to encrypted data be managed?

Explanation:
When disk encryption is used, the data is protected by decryption keys, so who can actually use those keys determines who can access the plaintext. If access to decrypted data is tied to the operating system’s login, then anyone who can log into the OS could potentially unlock and read the data, which weakens the protection. The right approach is to manage the decryption keys separately from the OS authentication—use a dedicated key management system (or hardware security module) with its own authentication, strong access controls, audit logging, and separation of duties. This keeps encryption strong even if the OS is compromised and aligns with best practices for protecting encryption keys. The other options effectively couple key access to the OS or ignore the need for separate key management, which increases risk.

