Moved this from a private discussion area to our Encryption area for better attention.
You should always be getting a pre-boot password - SSO takes care of the Windows login for you.
If you want your users not to have a pre-boot login, that's the "autoboot" feature - but be warned, that makes the machines insecure. You can't expect machines in autoboot mode to protect you against data loss and regulations like HITECH, HIPAA, PCI etc.
We're looking at deploying EEPC and it was suggested that we disable the preboot password by using "autoboot". I'm concerned that this is a security risk as you suggest but can't explain how it could be compromised to my colleagues. Can you give any examples?
It's simply like leaving the key in your front door.
For the machine to boot up and decrypt itself, it needs the decryption key - if it does not require any input, where does it get the key from?
Future versions of EEPC will be able to get the key from the network if you have Intel AMT etc, but at the moment to boot a machine without input means storing the key on the machine.
Key from the network sounds great, and I'm looking forward to seeing that.
Sorry for my ignorance but with autoboot enabled would you be able to slave the drive and read the contents or would you have to attack the PC/drive with hacking tools?
You couldn't see the drive simply by slaving it at the moment because no "hacking tool" exists that I am aware of, but there are other tools to hack other products which use this mode - Passware, for example, will happily decrypt BitLocker and TrueCrypt...
If this mode of operation was popular, then I expect they would release a version for EEPC.