36 Replies Latest reply on Jun 9, 2011 3:08 PM by DLarson

    Preboot Encryption Screen

    ROD

      What are the advantages to having a pre-boot screen in EEPC? I am assuming that if I disable it the HD will still be encrypted; is this correct? And if it is disabled, how would I do a machine recovery?

      The reason for my question is that we are trying to avoid the issues of SSO synchronization if a user changes their password on an unencrypted PC.

      Thanks in advance

        • 1. Re: Preboot Encryption Screen

          If you turn off pre-boot, you will be storing the encryption key on the drive itself. This means you won't really be protected from any data disclosure regulations.

          • 2. Re: Preboot Encryption Screen

            But the encryption key is not stored in clear text, right? So if a coded/hashed version is stored, does it also not comply with regulations?

            What if preboot was configured to look for an encoded private key stored on removable media instead (USB, SD, CD, floppy)? Would that comply with regulations?

            • 3. Re: Preboot Encryption Screen

              If the key was on separate media, as long as that was not lost with the machine, then you would be in compliance.

              In answer to your first question though - how can a machine boot up without any user intervention, if the key is robustly protected on the machine? Yes, it can't - so no, any form of "auto boot mode", regardless of vendor, is not compliant with regulation.

              • 4. Re: Preboot Encryption Screen

                In answer to your first question though - how can a machine boot up without any user intervention, if the key is robustly protected on the machine? Yes, it can't - so no, any form of "auto boot mode", regardless of vendor, is not compliant with regulation.

                So it is not just "storing" that key. It is the mechanism by which EEPC retrieves and enables that key automatically that is not compliant.

                One might think that allowing autoboot to operate with an automatic check of data on a USB stick might be a solution.

                User generates autoboot and stores it on USB. With the USB in, the computer boots seamlessly to the Windows prompt. Without it, it asks at EEPC preboot for credentials.

                Would this scenario be regulatory compliant?

                Message was edited by: peter_eepc on 8/10/10 11:48:53 AM EDT

                • 5. Re: Preboot Encryption Screen

                  As I said, as long as you did not lose the key along with the machine, you would be compliant - if you left the key in the laptop bag and it was stolen as well, no, you would not be.

                  So it is not just "storing" that key. It is the mechanism by which EEPC retrieves and enables that key automatically that is not compliant.

                  No, it's nothing to do with EEPC - you are asking a machine to decrypt itself without external input, thus, the key to the decryption must be plainly accessible to the code on the machine. This is immutable. Any product which offers this mode of operation is not compliant with regulatory data protection laws. There's no way around this and again, it's not a limitation of any particular product - ALL FDE products from all vendors have this challenge.
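To make the argument in the replies above concrete, here is a small added model (not EEPC code, nor any vendor's) of where the key-encryption key that unwraps the disk key lives in the three boot modes the thread discusses: autoboot, pre-boot password, and a key on removable media. The wrap routine is a toy XOR with a SHA-256 keystream standing in for a real key-wrap algorithm, and every function and field name is an assumption of this example.

```python
import hashlib
import os
from typing import Optional

# Added toy model, not EEPC or any vendor's code; wrap() is a demo XOR keystream, not real key wrap.

def wrap(kek: bytes, dek: bytes) -> bytes:
    """XOR a 32-byte disk encryption key (DEK) with a keystream derived from the KEK."""
    stream = hashlib.sha256(b"toy-wrap" + kek).digest()
    return bytes(a ^ b for a, b in zip(dek, stream))

unwrap = wrap  # XOR with the same keystream undoes the wrap

def kek_from_password(password: str, salt: bytes) -> bytes:
    """Pre-boot password mode: the KEK exists only while the user is typing the password in."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_disk(mode: str, dek: bytes, password: str = "", token: bytes = b"") -> dict:
    """Return what the FDE product leaves on the laptop's own disk in each mode.
    In no mode is the DEK itself written out in plain text."""
    salt = os.urandom(16)
    if mode == "autoboot":
        # Nothing external arrives at boot, so the boot code must find the KEK on the disk too.
        # A product may obfuscate this blob, but its boot code has to undo that, so it counts as stored.
        kek = os.urandom(32)
        return {"salt": salt, "wrapped_dek": wrap(kek, dek), "kek_blob": kek}
    if mode == "preboot_password":
        return {"salt": salt, "wrapped_dek": wrap(kek_from_password(password, salt), dek)}
    if mode == "usb_token":
        # The KEK is the secret on the removable token; only the wrapped DEK sits on the disk.
        return {"salt": salt, "wrapped_dek": wrap(token, dek)}
    raise ValueError(f"unknown mode {mode!r}")

def dek_from_disk_alone(disk: dict) -> Optional[bytes]:
    """The compliance question from the thread: does the material on the lost machine,
    by itself, yield the DEK? Only the autoboot layout answers yes."""
    if "kek_blob" in disk:
        return unwrap(disk["kek_blob"], disk["wrapped_dek"])
    return None  # the KEK has to come from the user or from the token

def dek_for_legitimate_boot(disk: dict, password: str = "", token: bytes = b"") -> bytes:
    """The normal boot path: supply whatever the mode expects and unwrap the DEK."""
    if "kek_blob" in disk:
        return unwrap(disk["kek_blob"], disk["wrapped_dek"])
    kek = token if token else kek_from_password(password, disk["salt"])
    return unwrap(kek, disk["wrapped_dek"])
```

Running the three modes side by side shows the point of reply 5: the pre-boot password and USB-token layouts leave nothing on the disk that yields the DEK, while the autoboot layout must.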

                  • 6. Re: Preboot Encryption Screen

                    No, it's nothing to do with EEPC - you are asking a machine to decrypt itself without external input, thus, the key to the decryption must be plainly accessible to the code on the machine. This is immutable. Any product which offers this mode of operation is not compliant with regulatory data protection laws. There's no way around this and again, it's not a limitation of any particular product - ALL FDE products from all vendors have this challenge.

                    There would be an external input: insertion of a USB key with private data on it.

                    Can you please provide some "regulatory data protection laws" URL examples that have a more descriptive explanation of the rules. Thanks.

                    • 8. Re: Preboot Encryption Screen

                      I have followed a few links that you have provided, but they do not describe the situation that is the subject of this thread.

                      • 9. Re: Preboot Encryption Screen

                        Correct, they describe the legal ramifications of pursuing the concept the OP mentioned?
