Is Microsoft really claiming pre-boot authentication (PBA) for Full Disk Encryption (FDE) is not necessary? One could certainly get that impression from recent articles (HERE and HERE) posted by the organization. The first article on “Types of attacks for volume encryption keys” lists a few known historical attacks that “could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution”, and the second makes statements like “For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented.”
It has been a while since I have written about UEFI, Secure Boot and their impact on Full Disk Encryption (FDE) pre-boot authentication (PBA), so it’s time for an update on what is new in this area. First, though, a recap, because this is a somewhat arcane technical subject. UEFI stands for “Unified Extensible Firmware Interface”. The UEFI specification defines a standard model for the interface between personal-computer operating systems and platform firmware. It provides a standard environment for booting an operating system and for running pre-boot applications such as the PBA for FDE. It replaces the traditional legacy BIOS interface that was used with Windows 7 and older systems. Now that Windows 10 is being widely adopted I expect to see UEFI used on almost all new machines.
If you have been following our blogs you know that the ideal FDE architecture has two main components: the actual encryption component is a separate layer from the key management. The encryption can be done by the OS (e.g. BitLocker for Windows or FileVault 2 for Mac), by Self-Encrypting Drives (SEDs) or by ISVs such as WinMagic’s FIPS 140-2 validated software cryptographic engine.
As I was reviewing Gartner’s 2014 Magic Quadrant (MQ) for Mobile Data Protection, not surprisingly I found that nearly every competitor on that grid offers more than just data encryption. With anti-virus and firewall solutions being the primary focus, data encryption literally seems to be a check mark on their existing arsenal.
Our previous blog posting established that storage encryption technologies, such as full disk encryption (FDE), and their associated key management functions should be separated from each other.
Staffordshire University in the UK reported that a laptop containing applicant information was stolen from a car belonging to a staff member. Due to the size of the data file, the information was held locally on the hard drive of the laptop.
The never-ending torrent of high-profile data breaches encourages companies to evaluate security fundamentals. Among them is full-disk encryption (FDE), a security best practice that protects information on servers, laptops and other devices while they are at rest.