My question is basically this: What are people's experiences with hardware-based full disk encryption, esp from a security-auditing standpoint?
More info: I'm specifically looking at the Seagate Momentus FDE drive with Wave's Embassy Suite. (If you have experiences with other self-encrypting drives (SEDs) and/or s/w suites, pls opine as well.)
Facts: Self-encrypting drives (that have been configured) will auto-lock when they are powered off (computer shutdown or hibernation, or just pulling the plug). A password, token, or whatever is required to access any of the data on the drive, which itself is encrypted (typically AES-128). However, a reboot does not cause the user to have to re-authenticate with the drive.
The response I got from Wave is that they force hibernation mode (on Dell systems w/ Windows), even if standby mode is selected by the user. But I'm concerned about the following attack scenario:
- the machine is on* (like if the user locks his screen & walks away for a moment), and then
- someone steals the laptop (leaving it on), and then
- restarts the machine using a boot disc or bootable USB stick.
Begging the question: Are there ways of mitigating that avenue of attack beyond just changing the boot sequence in the BIOS & password-protecting the BIOS setup?
* I understand many other vulnerabilities exist on running operating systems, such as buffer overflow attacks on system services via the network, but I find that avenue of attack less likely than simply using a boot disc (as described above), esp as self-encrypting drives become more widespread.
We went with BitLocker for our laptops because we couldn't get a good answer to this very question from Wave, and we thought the same scenario was likely to be non-vendor specific.
You could password protect the BIOS setup and remove the CD drive and USB Key from the boot sequence.
That way they would have to turn off the computer to clear the BIOS password (jumping pins on the motherboard), so they would be locked out of the HD.