As part of my Symantec Endpoint Encryption (SEE) upgrade, I verified that the new version worked with our main computer models. During that testing, I looked at how boot/shutdown times changed, and verified that the system could still reboot and enter/exit sleep and hibernate correctly. The only problem that came out of that testing was that, when standby was used, the user no longer had to do a preboot authentication before logging into Windows. Previously, GuardianEdge Hard Disk (GEHD) Encryption provided full disk encryption on a cold boot and on returning from standby or hibernate. Further testing found that GEHD 9.5.3 also had this problem; I just didn't know it.
Since the cold boot attack was announced, it has been best practice not to allow computers using Full Disk Encryption (FDE) to enter sleep. In sleep (S3) the RAM stays powered so the session can resume instantly, which means the volume encryption key typically remains in memory while the computer is asleep and is thus susceptible to the attack; a preboot authentication on resume does nothing to change that, because the key is already unwrapped in RAM.
As a side note, hibernate is also dangerous if your FDE product doesn't encrypt the hibernation file, since that file is a copy of memory written to disk and contains the key. SEE should not have this issue.
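The practical fix for both points above is to take sleep off the table at the OS level and, for products that do not protect the hibernation file, hibernate as well. The following PowerShell script is an added example and is not part of the original post or of SEE; it assumes the Windows Vista/7-era `powercfg` syntax (the XP tool takes per-scheme switches instead) and an elevated prompt. The policy registry path used to pin the "Allow standby states (S1-S3) when sleeping" setting so users cannot re-enable sleep from the power plan UI is the Group Policy backing store as I understand it; treat that path as an assumption and confirm it against your own GPO results.

```powershell
# Added example, not from the original post: harden a Windows FDE client so the
# disk key never sits in powered RAM on an unattended machine.
# Assumes Vista/7+ powercfg syntax and an elevated (administrator) session.

# GUID of "Allow standby states (S1-S3) when sleeping" (alias ALLOWSTANDBY).
$AllowStandbyGuid = 'abfc2519-3608-4c2a-94ea-171b0ed546ab'
# Assumed Group Policy backing store for power settings; verify in your domain.
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\$AllowStandbyGuid"

function Show-SleepSettings {
    # Which S-states the firmware and OS currently permit on this box.
    powercfg /availablesleepstates
    # Idle timers and related values for the active scheme (AC and DC).
    powercfg /query SCHEME_CURRENT SUB_SLEEP
    powercfg /query SCHEME_CURRENT SUB_BUTTONS
}

function Disable-Sleep {
    param(
        # Use this when the FDE product does not encrypt hiberfil.sys.
        [switch]$DisableHibernate
    )

    # Weak defaults on a laptop image: sleep after 15-30 min idle, lid close -> sleep,
    # hybrid sleep on. The corrected values follow.

    # Never sleep on idle, plugged in or on battery (index 0 = never).
    powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0

    # Hybrid sleep writes a hibernation image but still leaves RAM powered; off.
    powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0

    # Lid close and power button: shut down (3) rather than sleep (1).
    # Sleep button: do nothing (0) so it cannot put the machine to sleep.
    foreach ($setter in 'setacvalueindex', 'setdcvalueindex') {
        powercfg /$setter SCHEME_CURRENT SUB_BUTTONS LIDACTION 3
        powercfg /$setter SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 3
        powercfg /$setter SCHEME_CURRENT SUB_BUTTONS SBUTTONACTION 0
    }

    # Disallow S1-S3 outright in the active scheme, then pin it by policy so a
    # user editing the power plan cannot undo it (policy path is an assumption).
    powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP $AllowStandbyGuid 0
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP $AllowStandbyGuid 0
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'ACSettingIndex' -Value 0 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'DCSettingIndex' -Value 0 -Type DWord

    if ($DisableHibernate) {
        # Removes hiberfil.sys entirely; only needed when it would be in the clear.
        powercfg /hibernate off
    }

    # Re-apply the active scheme so the new indexes take effect now.
    powercfg /setactive SCHEME_CURRENT
}

# Usage: review, harden, review again.
Show-SleepSettings
Disable-Sleep            # add -DisableHibernate if hiberfil.sys is not encrypted
Show-SleepSettings
```

Run it once from an elevated prompt on a test image and compare the two `powercfg /availablesleepstates` listings: after hardening, S3 should no longer be reported as available. Roll the same settings out through a power Group Policy rather than a logon script where you can, so the change survives a user resetting their power plan, and keep `-DisableHibernate` for products that do not encrypt the hibernation file, since removing hibernate also removes the option managers usually prefer to a full shutdown.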
Personally, I refrain from using hibernate or sleep. In my experience, it is unreliable. So I'm not the most sympathetic person here. There is always a tradeoff between security and usability. If sleep is insecure and you fail to disable sleep, then you only have the appearance of security. You've checked the encryption box without actually protecting the data.
Management’s first response to this documented need to disable sleep is to ask for a report comparing sleep versus quarantine shutdown times. In my experience, getting off XP is the first step toward having decent shutdown times. The second step is reloading the system once it has the crud. The effect of creeping crud will be more noticeable now that we are on three-year leases.
For more information on protection against cold boot attacks with Symantec Endpoint Encryption, see their knowledgebase.