Full Disk Encryption versus Sleep

As part of my Symantec Endpoint Encryption (SEE) upgrade, I verified that the new version worked with our main computer models. During that testing, I looked at how boot/shutdown times changed, and verified that the system could still reboot and enter/exit sleep and hibernate correctly. The only problem that came out of that testing was that after resuming from standby, the user no longer had to perform preboot authentication before logging into Windows. Previously, GuardianEdge Hard Disk (GEHD) Encryption provided full disk encryption on a cold boot and on returning from standby or hibernate. Further testing found that GEHD 9.5.3 also had this problem; I just didn't know it.

Since the cold boot attack was announced, it has been best practice to not allow computers using Full Disk Encryption (FDE) to enter sleep. The encryption key typically remains in memory while the computer is in sleep mode and is thus susceptible to that attack.

As a side note, hibernate is also dangerous if your FDE product doesn't encrypt the hibernation file. SEE should not have this issue.
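As an added example (not from the original post and not Symantec's own tooling), the following PowerShell script applies the mitigation the two paragraphs above call for on a Windows 7 or later machine: it stops the active power plan from ever entering standby, makes the power button shut down and the lid do nothing, and, when the FDE product does not encrypt the hibernation file, removes hibernation as well. The `powercfg` aliases (`SCHEME_CURRENT`, `SUB_SLEEP`, `STANDBYIDLE`, `SUB_BUTTONS`, `PBUTTONACTION`, `LIDACTION`) are real `powercfg.exe` names; the `-DisableHibernate` switch and the `Assert-Admin` helper are this example's own.

```powershell
# Added example (not from the original post or from Symantec): harden the
# active Windows power plan so that an FDE-protected machine shuts down
# instead of sleeping, so the disk key never sits in RAM in an S3 state
# and preboot authentication is always required on the next power-up.
# Assumes Windows 7 or later with powercfg.exe; run from an elevated prompt.

param(
    # Set this when your FDE product does not encrypt hiberfil.sys
    # (the post notes SEE should not need it).
    [switch]$DisableHibernate
)

function Assert-Admin {
    # powercfg changes to the active plan require administrative rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw "Run this script from an elevated PowerShell session."
    }
}

# Action codes powercfg uses for SUB_BUTTONS settings:
#   0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down
$ShutDown  = 3
$DoNothing = 0

Assert-Admin

# 1. Never enter standby on idle, on mains (AC) or battery (DC); 0 = never.
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0

# 2. Power button shuts down instead of sleeping; closing the lid does
#    nothing, so the user has to shut down explicitly.
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION $ShutDown
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION $ShutDown
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION $DoNothing
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION $DoNothing

# 3. Optionally remove hibernation entirely; this also deletes hiberfil.sys
#    and disables hybrid sleep.
if ($DisableHibernate) {
    powercfg /hibernate off
}

# 4. Re-activate the scheme so the changed values take effect immediately.
powercfg /setactive SCHEME_CURRENT

# Verification: dump the sleep sub-group of the active plan, then list the
# sleep states the system still reports as available.
powercfg /query SCHEME_CURRENT SUB_SLEEP
powercfg /a
```

This only changes the active plan on one machine, and a local administrator can change it back. In a domain the same settings belong in Group Policy (Computer Configuration, Administrative Templates, System, Power Management), where they are enforced on every refresh; `powercfg /a` on a managed client is still a quick way to confirm that standby is no longer offered.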

Personally, I refrain from using hibernate or sleep. In my experience, it is unreliable, so I'm not the most sympathetic person here. There is always a tradeoff between security and usability. If sleep is insecure and you fail to disable sleep, then you only have the appearance of security. You've checked the encryption box without actually protecting the data.

Management's first response to this documented need to disable sleep is to ask for a report comparing sleep versus quarantine shutdown times. In my experience, getting off XP is the first step toward having decent shutdown times. The second step is reloading the system once it has the crud. The effect of creeping crud will be more noticeable now that we are on three-year leases.

For more information on protection against cold boot attacks with Symantec Endpoint Protection see their knowledgebase.

2 Comments

  1. Have you noticed any issues with FDE 9.5.3 and a Legal Notice timeout (back to login window) on Windows 7? The scenario is that a user reboots their machine, logs in through FDE, but sits at the legal prompt, which never times out to the Windows login screen, leaving a chance that someone comes in behind them unannounced, clicks 'OK' to the legal notice and gains access to the machine. Under Windows XP this is not an issue and it times out as expected.

    • I haven't noticed anything new, but I haven't specifically tested that in this version.

      In the past, if you used a Windows logon banner and you didn't click OK to it, it would intentionally not let you single sign on after a period of time. You would have to enter your Windows credentials again to log in. That way, if you wandered off during the boot, the next person who comes by isn't doing work as you.
