wlampert
Level 9

Encrypt Drive without preboot screen?

We have Drive Encryption licenses. Is there a way to just encrypt the drives but not have the preboot screen? I've unchecked SSO, thinking that would not include it, but it appears to still be present.

0 Kudos
7 Replies
SafeBoot
Level 21

Re: Encrypt Drive without preboot screen?

Yes - depending on what version of EEPC you're using - look up "autoboot" in your admin guide.

Note - that some options involve you storing the encryption key on the drive itself - which is obviously completely insecure and against all data protection regulations.

Encryption is just a way to prevent people bypassing authentication.

0 Kudos
wlampert
Level 9

Re: Encrypt Drive without preboot screen?

So after reading up on autoboot: having it enabled, it will still encrypt the hard drive, but what does it mean when it says "The Drive Encryption software doesn't protect the data on the drive when it is not in use"? So when the hard drive is now powered on, the data is unsecured even though the drive is encrypted?

0 Kudos
SafeBoot
Level 21

Re: Encrypt Drive without preboot screen?

Can you tell me where you're getting that quote from? It seems to be incorrect.

You are right though - if you use autoboot mode and you save the key to the hard disk, the machine will just boot up - so there's no security. Though the data stored on the drive is encrypted, the operating system will happily decrypt it on demand for any process.

0 Kudos
wlampert
Level 9

Re: Encrypt Drive without preboot screen?

Quote is from McAfee's "Best Practices Guide for McAfee Drive Encryption" PDF.

0 Kudos
SafeBoot
Level 21

Re: Encrypt Drive without preboot screen?

Got it - it makes more sense in context.

What it's telling you is that if you use the autoboot feature - you should not consider the machine protected. You're not compliant with NIST 800-111, or any US/European data protection law, or PCI.

Storing the key along with the data is considered bad practice. It's like leaving your car keys in the ignition.

0 Kudos
wlampert
Level 9

Re: Encrypt Drive without preboot screen?

What if I choose to disable that in the future to enable PBA? Will the computer have to re-encrypt (will it decrypt and re-encrypt itself?), or will PBA be active on the next reboot the machine does?

0 Kudos
SafeBoot
Level 21

Re: Encrypt Drive without preboot screen?

Enabling or disabling the feature won't require re-encryption.

0 Kudos