We have Drive Encryption licenses. Is there a way to just encrypt the drives but not have the preboot screen? I've unchecked SSO, thinking that would not include it, but it appears to still be present.
Yes - depending on what version of EEPC you're using - look up "autoboot" in your admin guide.
Note - that some options involve you storing the encryption key on the drive itself - which is obviously completely insecure and against all data protection regulations.
Encryption is just a way to prevent people bypassing authentication.
So after reading up on autoboot, having it enabled, it will still encrypt the hard drive, but what does it mean when it says "The Drive Encryption software doesn't protect the data on the drive when it is not in use"? So when the hard drive is now powered on, the data is unsecured even though the drive is encrypted?
Can you tell me where you're getting that quote from? It seems to be incorrect.
You are right though - if you use autoboot mode and you save the key to the hard disk, the machine will just boot up - so there's no security. Though the data stored on the drive is encrypted, the operating system will happily decrypt it on demand for any process.
Got it - it makes more sense in context.
What it's telling you is that if you use the autoboot feature - you should not consider the machine protected. You're not compliant with NIST800-111, or any US/European data protection law, or PCI.
Storing the key along with the data is considered bad practice. It's like leaving your car keys in the ignition.
What if I choose to disable that in the future to enable PBA? Will the computer have to re-encrypt (will it decrypt and re-encrypt itself), or will PBA be active on the next reboot the machine does?