Is Microsoft really claiming Pre-Boot Authentication for Full Disk Encryption is not necessary?

Is Microsoft really claiming pre-boot authentication (PBA) for Full Disk Encryption (FDE) is not necessary? One could certainly get that impression from recent articles (HERE and HERE) posted by the organization.  The first article on “Types of attacks for volume encryption keys” lists a few known historical attacks that “could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution”, and the second makes statements like “For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented.

Full Disk Encryption, UEFI, Secure Boot and Device Guard

It has been a while since I have written about UEFI, Secure Boot and their impact on Full Disk Encryption (FDE) pre-boot authentication (PBA) so it’s time for an update on what is new in this area, but first here is a recap because this is a bit of an arcane technical subject. UEFI stands for “Unified Extensible Firmware Interface”. The UEFI specification defines a standard model for the interface between personal-computer operating systems and platform firmware.   It provides a standard environment for booting an operating system and running pre-boot applications such as the PBA for FDE.   It replaces the traditional legacy BIOS interface that was used with Windows 7 and older systems.   Now that Windows 10 is being widely adopted I expect to see UEFI used on almost all new machines.

Think Safety, Stay Secure

Safety is one of the most important aspects today – for people, for organizations, for governments and for countries. There is a lot of talk around the safety of people in general and data, which is critical to businesses.

NVMe and Self-Encrypting Drives – The Perfect Match

NVMe technology had a big presence at the Intel Developer Forum (IDF), held in San Francisco of September this year. There were products and demonstrations from about a dozen leading vendors including Intel and Micron. I also attended quite a few sessions, but the one on NVMe was the only one that was overflowing with people.

Revisiting the TPM

TPMs have been shipping for nearly 8 years now.  WinMagic was an early adopter and supported TPM version 1.1 for full disk encryption before most.  We expanded our support to the more main stream version 1.2 TPMs when they started shipping.  Now more than 100 Million TPMs are out there in laptops and other devices, and soon many, many  Version 2.0 TPMs will join them.  TPM 2.0 and disk encryption will be a good topic for a future blog but today I am going to set the ground work on where we are today.

Managing Security and Compliance

One of the more common IT headaches in medium to large sized organizations is managing mixed environments. It’s not just different operating systems and software applications but also devices of various form factors, be it servers, desktops, laptops, tablets and ultra-portables, smartphones, etc.

Come one, come all

Last week we announced the results of the Ponemon Institute study we commissioned and had co-sponsored by leading industry SED partners. We wanted to take this opportunity to remind readers that next week we’ll be reviewing the data via a webinar we’re hosting on Tuesday, April 30th at 1pm ET.