ROD
Level 7

Preboot Encryption Screen

What are the advantages of having a pre-boot screen in EEPC? I am assuming that if I disable it the HD will still be encrypted; is this correct? And if it is disabled, how would I do a machine recovery?

The reason for my question is that we are trying to avoid the issues of SSO synchronization if a user changes their password on an unencrypted PC.

Thanks in advance

0 Kudos
36 Replies
SafeBoot
Level 21

Re: Preboot Encryption Screen

if you turn off pre-boot, you will be storing the encryption key on the drive itself. This means you won't really be protected from any data disclosure regulations.

0 Kudos
peter_eepc
Level 15

Re: Preboot Encryption Screen

But the encryption key is not stored in clear text, right? So if a coded/hashed version is stored, does it also not comply with regulations?

What if preboot was configured to look for an encoded private key stored on removable media instead (USB, SD, CD, floppy)? Would that comply with regulations?

0 Kudos
SafeBoot
Level 21

Re: Preboot Encryption Screen

if the key was on separate media, as long as that was not lost with the machine, then you would be in compliance.

In answer to your first question though - how can a machine boot up without any user intervention, if the key is robustly protected on the machine? Yes, it can't - so no, any form of "auto boot mode", regardless of vendor, is not compliant with regulation.

0 Kudos
peter_eepc
Level 15

Re: Preboot Encryption Screen

In answer to your first question though - how can a machine boot up without any user intervention, if the key is robustly protected on the machine? Yes, it can't - so no, any form of "auto boot mode", regardless of vendor, is not compliant with regulation.

So it is not just "storing" that key. It is the mechanism by which EEPC retrieves and enables that key automatically that is not compliant.

One might think that allowing autoboot to operate with automatic check of data on USB stick might be a solution.

User generates autoboot and stores it on USB. With the USB in, the computer boots seamlessly to the Windows prompt. Without it, it asks at the EEPC preboot for credentials.

Would this scenario be regulatory compliant?

Message was edited by: peter_eepc on 8/10/10 11:48:53 AM EDT
0 Kudos
SafeBoot
Level 21

Re: Preboot Encryption Screen

as I said, as long as you did not lose the key along with the machine, you would be compliant - if you left the key in the laptop bag and it was stolen as well, no, you would not be.

So it is not just "storing" that key. It is the mechanism by which EEPC retrieves and enables that key automatically that is not compliant.

No, it's nothing to do with EEPC - you are asking a machine to decrypt itself without external input, thus, the key to the decryption must be plainly accessible to the code on the machine. This is immutable. Any product which offers this mode of operation is not compliant with regulatory data protection laws. There's no way around this and again, it's not a limitation of any particular product - ALL FDE products from all vendors have this challenge.

0 Kudos
peter_eepc
Level 15

Re: Preboot Encryption Screen

No, it's nothing to do with EEPC - you are asking a machine to decrypt itself without external input, thus, the key to the decryption must be plainly accessible to the code on the machine. This is immutable. Any product which offers this mode of operation is not compliant with regulatory data protection laws. There's no way around this and again, it's not a limitation of any particular product - ALL FDE products from all vendors have this challenge.

There would be an external input: insertion of USB key with private data on it.

Can you please provide some "regulatory data protection laws" URL examples, that have more descriptive rules explanation. Thanks.

0 Kudos
SafeBoot
Level 21

Re: Preboot Encryption Screen

0 Kudos
peter_eepc
Level 15

Re: Preboot Encryption Screen

I have followed a few links that you have provided, but they do not describe the situation that is the subject of this thread.

0 Kudos
SafeBoot
Level 21

Re: Preboot Encryption Screen

correct, they describe the legal ramifications of pursuing the concept the OP mentioned?

0 Kudos