Enhancing the Security of Full Disk Encryption Solutions with Pre-Boot Authentication
Security Guide
Table of Contents
Introduction
Full-Disk Encryption: Not As Secure as You Might Think
Double Protection with SafeNet’s ProtectDrive and eToken PRO
How Does the Combined Solution Increase Security?
More About ProtectDrive and eToken PRO
About SafeNet
Introduction

The loss, theft, or misappropriation of the organization’s endpoint systems could expose sensitive corporate information such as intellectual property, personnel records or government secrets, producing disastrous effects for the organization. Full disk encryption, combined with an extra layer of security in the form of pre-boot authentication, can provide an integral layer of security against data loss, and can help address one of the most critical areas of exposure for an organization: unprotected files housing sensitive data.

Full-Disk Encryption: Not As Secure as You Might Think

In the summer of 2009, Joanna Rutkowska implemented a series of attacks known as the “Evil Maid” attacks, which were designed to crack a computer protected by a full disk encryption solution by using a USB stick carrying the “Evil Maid” Sniffer. The Evil Maid Sniffer, stored on a USB stick, infects the protected laptop and sniffs out the disk encryption passphrase the next time the user enters it. The attack is so named because it can be used against laptops left unattended in hotel rooms, where an attacker (posing as the hotel maid) surreptitiously reboots the laptop from the Evil Maid USB stick, infecting the laptop with the sniffer software.

During 2009 and 2010, additional attacks, all developed by various security researchers, were also carried out. These include the Cold Boot Attack, the Stoned Boot Attack and the BitLocker Boot Process Attack, which infect the protected device with malware. The malware scans the memory or changes the Master Boot Record to enable passphrase sniffing.

Following the success of these attacks, Bruce Schneier, one of the most accredited security experts today, pointed out in his blog that FDE might be creating a false sense of complacency: “...people who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe…The defenses are basically two-factor authentication: a token you don’t leave in your hotel room for the maid to find and use.”

The attacks described above underscore the relative ease with which attackers can capture the passwords used to unlock full disk encryption solutions. For these solutions to provide the expected level of defense and maintain the integrity of the data they are designed to protect, an extra layer of security, in the form of strong pre-boot authentication, is required.
Double Protection with SafeNet’s ProtectDrive and eToken PRO

SafeNet’s ProtectDrive is an award-winning full-disk encryption (FDE) product that secures the hard drives in laptops, workstations, and servers, as well as removable media. ProtectDrive provides an outstanding level of security and robustness and is validated against a number of security certification standards, including FIPS 140-2 and Common Criteria.

To provide maximum protection and security, and to prevent the malicious attacks that could potentially capture the password used to unlock the disk encryption, ProtectDrive combines with SafeNet’s eToken PRO certificate-based strong authentication USB device. With eToken PRO, organizations can easily and effectively improve data security for ProtectDrive as well as other FDE solutions, and provide cost-effective protection against the types of attacks discussed above.
How Does the Combined Solution Increase Security?
When encrypting a hard drive or partition, ProtectDrive creates a machine-unique master security key, also referred to as a Master Security Certificate (MSC). The MSC is associated with the machine’s Pre-Boot Authentication (PBA) mechanism and ensures that ProtectDrive is able to decrypt the disk only after successful pre-boot authentication.

To protect against attacks such as “Evil Maid” and increase security, eToken PRO, the leading USB smart-card authentication device, is used to create and store the MSC in the secure environment of the smart card that resides on the eToken PRO device. Users who want to boot their computers must have both their personal eToken PRO device and their eToken PRO password. Only when these are provided together can the MSC be retrieved from the secure environment of the eToken PRO and used for successful pre-boot authentication, which subsequently enables
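The flow this section describes (a master secret held only on a hardware token, released only for the correct token password, then used for pre-boot authentication of one specific machine) can be modelled in a few dozen lines. The following Python is an added illustration written for this guide and is not SafeNet’s code or the ProtectDrive/eToken PRO implementation: the token class, the PIN lock-out count, the PBKDF2 key derivation, the key check value and the machine identifier are all assumed for the demonstration. It shows why a sniffed password alone, or the token alone, does not yield the disk key.

```python
"""Illustrative model (added here; not SafeNet's code) of two-factor pre-boot
authentication: the master secret lives only on a hardware token, the token
releases it only for the correct PIN, and the disk key is derived from that
secret for one specific machine."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 10_000  # constructed value for the demo; real products tune this


class SecureToken:
    """Simulated USB smart-card token (hypothetical stand-in for eToken PRO).

    The master secret never leaves the object except through
    release_master_secret(), which requires the correct PIN and locks the
    token after MAX_ATTEMPTS consecutive failures, as real smart cards do.
    """
    MAX_ATTEMPTS = 3

    def __init__(self, master_secret: bytes, pin: str) -> None:
        self._secret = master_secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.failed_attempts = 0
        self.locked = False

    def release_master_secret(self, pin: str) -> Optional[bytes]:
        if self.locked:
            return None
        candidate = hashlib.sha256(pin.encode()).digest()
        # Constant-time comparison avoids leaking PIN digits through timing.
        if not hmac.compare_digest(candidate, self._pin_hash):
            self.failed_attempts += 1
            if self.failed_attempts >= self.MAX_ATTEMPTS:
                self.locked = True
            return None
        self.failed_attempts = 0
        return self._secret


def derive_disk_key(master_secret: bytes, machine_id: bytes) -> bytes:
    """Bind the disk key to one machine: the same token cannot unlock another
    machine's disk without that machine's identifier."""
    return hashlib.pbkdf2_hmac("sha256", master_secret, machine_id, PBKDF2_ROUNDS, 32)


def key_check_value(disk_key: bytes) -> bytes:
    """Value kept in the pre-boot area so the boot loader can confirm it
    derived the right key before touching the encrypted volume."""
    return hmac.new(disk_key, b"pba-key-check", "sha256").digest()


def provision(machine_id: bytes, pin: str) -> tuple:
    """Enrolment: generate the master secret on the token, record the key check value."""
    token = SecureToken(os.urandom(32), pin)
    disk_key = derive_disk_key(token.release_master_secret(pin), machine_id)
    return token, key_check_value(disk_key)


def preboot_unlock(token: SecureToken, pin: str, machine_id: bytes, kcv: bytes) -> Optional[bytes]:
    """Pre-boot authentication: return the disk key only if the token releases
    the master secret for this PIN and the derived key matches the check value."""
    secret = token.release_master_secret(pin)
    if secret is None:
        return None
    disk_key = derive_disk_key(secret, machine_id)
    if not hmac.compare_digest(key_check_value(disk_key), kcv):
        return None
    return disk_key


def run_scenarios() -> dict:
    """Constructed scenarios: legitimate boot, a sniffed PIN without the real
    token, and the real token without the PIN."""
    machine_id = b"laptop-serial-0001"  # constructed identifier
    token, kcv = provision(machine_id, "4711")

    legitimate = preboot_unlock(token, "4711", machine_id, kcv) is not None

    # Attacker captured the PIN but holds a different token: wrong master secret.
    attackers_token, _ = provision(machine_id, "4711")
    pin_only = preboot_unlock(attackers_token, "4711", machine_id, kcv) is not None

    # Attacker holds the real token but guesses the PIN; the token locks.
    for guess in ("0000", "1234", "1111"):
        preboot_unlock(token, guess, machine_id, kcv)
    token_only_locked = token.locked
    # Once locked, even the correct PIN no longer releases the secret.
    after_lock = preboot_unlock(token, "4711", machine_id, kcv) is not None

    return {
        "legitimate_unlock": legitimate,
        "pin_only": pin_only,
        "token_only_locked": token_only_locked,
        "correct_pin_after_lock": after_lock,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is that the host never stores anything from which the disk key can be recovered without the token: only the key check value lives on disk, and it is an HMAC of the derived key, so a sniffed password gives an attacker a PIN for a token they do not possess, and a stolen token gives them a secret they cannot release without the PIN and with only a handful of guesses before lock-out.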