3 Replies Latest reply on Mar 26, 2013 12:32 PM by SafeBoot

    Endpoint Encryption 7 Without Pre-Boot Authentication



      Have any of you implemented Endpoint Encryption 7 without pre-boot authentication?  The documentation says "If you enable this option, be aware that the McAfee Endpoint Encryption software doesn't protect the data on the drive when it is not in use."  What does that mean?


      Thank you,




        • 1. Re: Endpoint Encryption 7 Without Pre-Boot Authentication

          There are hundreds of discussions here on that topic.


          Basically, if you use any product without authentication, you end up storing the key on the hard drive thus defeating the point of encryption.

          • 2. Re: Endpoint Encryption 7 Without Pre-Boot Authentication

Thanks, and by any chance can you point me to any documentation that describes how exactly the EEPC encryption works, with and without preboot authentication?  The product guide isn't very descriptive about how the encryption and decryption processes take place.


            From what I understand, the drive is encrypted, and there is a key to decrypt it.  This key can either be the user's pre-boot password or it can be stored somewhere on an unencrypted portion of the drive (boot partition?).


            If pre-boot authentication isn't used, and the key is stored on the boot partition, does that mean that anyone who is authenticated with Windows now has access to the drive?  What if somebody removed the drive?  Are you saying that they can obtain the key from the boot partition, and somehow access the data?  How?


            What has your users' experience been with pre-boot authentication?  Are there many cases where users can't log in and call the service desk?  When does this happen?   What about EAP-Fast wifi authentication, would that work with single sign on?


            What if multiple users log onto the PC?  Which key is used?

            • 3. Re: Endpoint Encryption 7 Without Pre-Boot Authentication

              This is really a discussion you need to have with your McAfee team. It's too long and complex to have here. The discussion was probably already had with your CISO/CIO as part of the product RFP process.


Basically though - any encryption product which can decrypt itself without user input - you have to ask yourself where the key is. If the machine can get at it, what's stopping anyone else doing the same?


              Pretty much everyone uses pre-boot auth - you bought the product to secure your machines so you didn't have to confess to any data loss. Turning off preboot pretty much negates that benefit.
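The point made in replies 1 and 3 (if the machine can unlock itself, the key must be somewhere the machine can read, so anyone holding the drive can read it too) can be shown with a small model. The following is an added illustration, not McAfee EEPC's actual design or code: a toy volume whose header either stores the data-encryption key (DEK) in clear, modelling "no pre-boot authentication", or stores it wrapped under a key derived from the pre-boot password. The stream cipher, header layout and the sample file contents are all constructed for the example; real products use AES and a more elaborate key hierarchy, but the dependency on where the unlocking secret lives is the same.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy full-disk-encryption model (constructed illustration, not EEPC's design).
# A DEK encrypts the volume body. The header either holds the DEK in clear
# (no pre-boot authentication: the machine must be able to unlock itself) or
# holds it wrapped under a key derived from the user's pre-boot password.


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 keystream in counter mode (illustrative only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the pre-boot password with PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_volume(plaintext: bytes, password: Optional[str]) -> dict:
    """Build a simulated encrypted volume. password=None models 'no pre-boot auth'."""
    dek = secrets.token_bytes(32)
    body = keystream_xor(dek, plaintext)
    if password is None:
        # Without pre-boot auth the only secret is on the disk itself. Real
        # products may obfuscate it, but obfuscation is not a secret.
        header = {"mode": "no_pba", "dek": dek}
    else:
        salt = secrets.token_bytes(16)
        kek = derive_kek(password, salt)
        wrapped = keystream_xor(kek, dek)
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
        header = {"mode": "pba", "salt": salt, "wrapped_dek": wrapped, "tag": tag}
    return {"header": header, "body": body}


def unlock(volume: dict, password: Optional[str] = None) -> Optional[bytes]:
    """What anyone holding the drive (or an image of it) can do offline.

    Returns the plaintext, or None when the volume cannot be unlocked.
    """
    header = volume["header"]
    if header["mode"] == "no_pba":
        dek = header["dek"]  # no secret required: the key is on the disk
    else:
        if password is None:
            return None  # nothing to derive the KEK from
        kek = derive_kek(password, header["salt"])
        expected = hmac.new(kek, header["wrapped_dek"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, header["tag"]):
            return None  # wrong password: do not hand back garbage as data
        dek = keystream_xor(kek, header["wrapped_dek"])
    return keystream_xor(dek, volume["body"])


def demo() -> dict:
    """Compare the two configurations on constructed sample data."""
    secret = b"payroll.xlsx contents (constructed sample)"
    no_pba = make_volume(secret, None)
    pba = make_volume(secret, "correct horse battery")
    return {
        "no_pba_readable_without_password": unlock(no_pba) == secret,
        "pba_readable_without_password": unlock(pba) is not None,
        "pba_readable_with_wrong_password": unlock(pba, "guess") is not None,
        "pba_readable_with_password": unlock(pba, "correct horse battery") == secret,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `unlock` function takes only what a removed drive contains, so the `no_pba` case answers the question in reply 2: the data is readable from the disk alone, and Windows logon never enters into it. With pre-boot authentication the same header yields nothing without the password, which is the benefit reply 3 says is lost when preboot is turned off.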