Sleep and PBA

Last month I wrote about the necessity of performing Pre-Boot Authentication (PBA) in order to get the full benefit of confidentiality that Full Disk Encryption (FDE) can provide. However, there are some environments where corporate security policy might allow for a less secure configuration as a tradeoff for better usability. For example, I have conceded in the past that if a user is within the physical confines of his company, say travelling from one floor to another for a meeting, sleep / standby (S3) might be an acceptable risk.

To recap, sleep is a low power mode where memory is kept active but the screen, drive and other hardware are powered off to save battery life. When the user hits the power button the machine jumps back to life very quickly because everything is already in memory. In the case of software FDE this includes the DEK (Data Encryption Key), or with Self-Encrypting Drives (SED) the credential required to unlock the drive. Normally, keeping such security-sensitive variables in memory when not in use would be risky, but the risk is mitigated by the physical security of being inside the company. If the user were to leave at the end of the day to go home with their laptop they should hibernate (S4) instead of sleeping. Hibernate is a mode where the contents of the memory are written to the drive before all power to the computer is removed. With software FDE or SEDs the hibernation file is encrypted, and if PBA is required to resume from hibernate then hibernation is a secure state.

The problem with this scenario is that it is not reasonable to rely on end users to always remember to hibernate when leaving the building. If only there was a way to automate this action for them. This brings me to my trip last week to Intel’s Developer Forum (IDF) in San Francisco. My colleague and I participated in the Technology Show Case and demonstrated SecureDoc working with a new technology from Intel that puts a “digital fence” around the company or the employee’s home. If the computer is inside the fence it stays asleep; outside the fence it wakes up and is forced to hibernate.

Here is how it works:

The ingredients for the demo were laptops that support Intel vPro, Intel Pro Opal SSD SEDs and Intel Smart Connect Technology. We had a Lenovo X1 Carbon and a HP EliteBook 810 G2 configured for the demo. Of course we were running SecureDoc with sleep enabled to manage the Opal drive. If the computer hibernates instead of sleeping then SecureDoc would perform PBA.

Intel Smart Connect Technology silently wakes the laptop up from sleep periodically, say every 15 or 30 minutes. When it wakes up it connects via a wired or wireless connection to the LAN or Internet and updates the applications running on the machine. That way, when a user resumes from sleep there is no delay while the user waits for his apps to update. With the digital fence technology Intel has introduced the concept of a trusted LAN. The SSID of the LAN can be configured to be trusted by Intel’s digital fence technology. If the computer wakes up on a trusted LAN, then after updating its apps with current data it will resume sleeping. If the computer wakes up, for example, in the front basket of a bicycle on the way home, and there is no trusted LAN, hibernation will be forced. Resuming from hibernate requires PBA.
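The wake-check-decide loop described above is simple enough to capture as a small policy core. The following is an added illustration written for this post; it is not SecureDoc code and makes no claim about how Intel’s digital fence is implemented. It assumes a hypothetical agent that, on each periodic wake, hands the policy a `NetworkObservation` (the SSID if any, whether a link is up, and a hypothetical `authenticated` flag such as a completed 802.1X or domain logon), and then either lets the machine go back to sleep or triggers hibernation. The sample configuration and wake-up sequence are constructed for the example. One deliberate choice goes beyond the text: the policy fails closed, so no link, an unknown network, or a trusted SSID name without an authenticated connection all result in hibernation, because the SSID string by itself is weak evidence of where the laptop actually is.

```python
"""Policy core for a 'digital fence': on each periodic wake, decide whether a
laptop may return to sleep (S3) or must hibernate (S4) so that Pre-Boot
Authentication is required before the drive key is usable again."""
from dataclasses import dataclass
from typing import List, Optional

SLEEP = "resume-sleep"
HIBERNATE = "force-hibernate"


@dataclass(frozen=True)
class NetworkObservation:
    """What the (hypothetical) agent learned about the network at wake time.
    ssid is None for a wired link or when no link is present at all."""
    ssid: Optional[str]
    link_up: bool
    authenticated: bool  # hypothetical: connection completed 802.1X / domain auth


@dataclass(frozen=True)
class FenceConfig:
    trusted_ssids: frozenset
    trusted_wired: bool = False   # treat any wired link as inside the fence?
    require_auth: bool = True     # SSID name alone is not proof of location


def decide(obs: NetworkObservation, cfg: FenceConfig) -> str:
    """Return SLEEP only when the observation places the machine inside the
    fence; every other situation fails closed to HIBERNATE."""
    if not obs.link_up:
        return HIBERNATE                      # no network: assume off-premises
    if obs.ssid is None:
        inside = cfg.trusted_wired            # wired link, no SSID to check
    else:
        inside = obs.ssid in cfg.trusted_ssids
    if inside and cfg.require_auth and not obs.authenticated:
        inside = False                        # right name, but no proof behind it
    return SLEEP if inside else HIBERNATE


def simulate(wakes: List[NetworkObservation], cfg: FenceConfig) -> List[str]:
    """Run the policy over a sequence of periodic wake-ups. Once hibernation
    is forced the sequence ends: the next resume goes through PBA, not this loop."""
    actions = []
    for obs in wakes:
        action = decide(obs, cfg)
        actions.append(action)
        if action == HIBERNATE:
            break
    return actions


# Constructed sample configuration and wake-up observations (not real data).
CORP = FenceConfig(trusted_ssids=frozenset({"corp-wifi", "corp-home-office"}))

WAKES = [
    NetworkObservation("corp-wifi", True, True),    # at the desk: keep sleeping
    NetworkObservation("corp-wifi", True, True),    # meeting on another floor
    NetworkObservation("corp-wifi", True, False),   # trusted name, not authenticated
    NetworkObservation("cafe-guest", True, False),  # never evaluated: already hibernated
]

if __name__ == "__main__":
    for obs, action in zip(WAKES, simulate(WAKES, CORP)):
        print(f"ssid={obs.ssid!s:16} link={obs.link_up} auth={obs.authenticated} -> {action}")
```

In a real agent the `HIBERNATE` branch would call the platform’s hibernate command (`shutdown /h` on Windows, `systemctl hibernate` on Linux with systemd), and the observation would come from the OS network stack rather than a constructed list; the decision logic itself does not change.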

IDF is a developer’s forum and like much of the technology on display the digital fence capability is not yet productized or released. There is no plan of record but I do hope that we will see this capability available to our users in 2015.
