I am working on an encryption project – evaluating an upcoming product feature for a vendor – and the research is more interesting than I expected. Not that the feature is uninteresting, but I thought I knew all the answers going into this project. I was wrong.

I have been talking with folks on the Twitters and in private interviews, and have discovered that far more organizations than I suspected are configuring their systems to automatically skip preboot authentication and simply boot up into Windows or Mac OS X (yes, for real, a bunch are using disk encryption on Macs).

For those of you who don’t know, with most full-drive encryption products a mini operating system (the preboot environment) boots first so it can authenticate the user. Only then does it decrypt and load the main operating system (Windows, Mac OS X, Linux, etc.). Skipping the mini OS means configuring it to authenticate automatically and load the operating system without ever prompting for a password.

Organizations tend to do this for a few reasons:

  • So users don’t have to log in twice.
  • So you don’t have to deal with managing and synchronizing two sets of credentials (preboot and OS).
  • To reduce support headaches.

But the convenience factor is the real reason.

The problem with skipping preboot authentication is that you then rely completely on OS authentication to protect the device. My pentester friends tell me they can pretty much always bypass the OS encryption.

This may also be true for a running/sleeping/hibernating system, depending on how you have encryption configured (and how your product works).

In other words – if you skip preboot, the encryption generally adds no real security value.

In the Twitter discussion about advanced pen testering, our very own David Mortman asked:

@rmogull Sure but how many lost/stolen laptops are likely to be attacked in that scenario vs the extra costs of pre-boot?

Which is an excellent point. What are the odds of an attacker knowing how to bypass the encryption when preboot isn’t used? And then I realized that in that scenario, the “attacker” is most likely someone picking up a “misplaced” laptop and even basic (non-encryption) OS security is good enough.

Which leads to the following decision tree:

  1. Are you worried about attackers who can bypass OS authentication? If so, encrypt with preboot authentication; if not, continue to step 2.
  2. Do you need to encrypt only for compliance (meaning security isn’t a priority)? If so, encrypt and disable preboot; if not, continue to step 3.
  3. Encrypt with preboot authentication.

In other words, encrypt if you worry about data loss due to lost media or are required by compliance. If you encrypt for compliance and don’t care about data loss, then you can skip preboot.
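Before you can apply that decision tree you need to know which configuration your machines actually have. The audit script below is an added example, not part of the original post, and it assumes Windows with BitLocker (the post names no product): on BitLocker, "skip preboot" shows up as an OS volume protected only by a bare TPM protector, with no TPM+PIN or startup-key protector alongside it.

```powershell
# Added example (not from the original post). Lists BitLocker OS volumes and
# flags the ones that auto-unlock with a TPM-only protector, i.e. no preboot
# authentication. Assumes the BitLocker module (Get-BitLockerVolume) is
# available and the shell is running elevated.
function Get-PrebootAuthStatus {
    [CmdletBinding()]
    param()

    # Protector types that require the user to present something before Windows loads
    $prebootTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password', 'ExternalKey')

    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types      = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
            $hasPreboot = @($types | Where-Object { $prebootTypes -contains $_ }).Count -gt 0
            $tpmOnly    = ($types -contains 'Tpm') -and -not $hasPreboot

            $verdict = if ($_.ProtectionStatus -ne 'On') { 'NotProtected' }
                       elseif ($tpmOnly)                 { 'AutoBoot (no preboot auth)' }
                       elseif ($hasPreboot)              { 'PrebootAuth' }
                       else                               { 'Unknown' }

            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = ($types -join ',')
                Verdict          = $verdict
            }
        }
}

Get-PrebootAuthStatus | Format-Table -AutoSize
```

A volume reported as "AutoBoot" is exactly the case the post describes: the drive is encrypted, but the data is protected only by Windows logon once the machine is powered on.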