rjanz, posted May 11, 2022:

While testing the ESET Full Disk Encryption product we found that we can successfully move the drives to a new desktop (different TPM, CPU, mobo etc.) and we're able to successfully boot into Windows. I read in this forum post that the ESET Encryption Boot files are stored in the EFI System Partition (ESP). Why? This completely defeats the purpose of encrypting the drives with a TPM. In our configuration we don't have the login password set, as the computers live in a facility. If there's a smash and grab and someone takes the drives, they'd be able to boot into them to try and recover data. They'll have a running OS with a network stack which can likely be exploited. I confirmed we can't read the data while the drives are docked, or by booting into another OS to read them. Why are the keys not stored in the TPM? I would expect that moving the drives to new hardware would render them inoperable.
rjanz (author), posted May 11, 2022:

Please correct me if I'm wrong. What exactly are the ESET Encryption Boot files? Does this include the encryption keys? Are those keys really stored in the TPM? I'm trying to understand why we can boot into the OS on new hardware.
rjanz (author), posted May 11, 2022:

One more: I just discovered the EFI partition is not encrypted, so you can boot into another OS and read these files. Why!?
Kstainton (ESET Staff), posted May 12, 2022:

Hi @rjanz, I am going to have to target specific sections of your posts to answer as best as I can for you here.

Question: "While testing the ESET Full Disk Encryption product we found that we can successfully move the drives to a new desktop (different TPM, CPU, mobo etc.) and we're able to successfully boot into Windows. This completely defeats the purpose of encrypting the drives with a TPM. In our configuration we don't have the login password set, as the computers live in a facility."

Answer: Using the TPM with EFDE, the encryption key is protected using the TPM. This means that when the user enters their password, it is used along with the TPM and other information to provide access to the Disk Encryption Key. In this situation, if a disk is moved to another machine the system will not be able to boot, because the original TPM is required to access the key.

Using the authentication bypass, either the "Pause Authentication" task or the "Disable FDE Authentication" policy, creates a special temporary "user" that is capable of booting the system without a password or TPM. The presence of this "user" causes the system to boot automatically. However, as you mentioned, this does mean that the TPM is not used when in this mode, so it is possible to boot when the disk is put in a different computer. We do understand your observation and we are planning an update to EFDE to use the TPM when the authentication is disabled. At this stage I do not have any information as to when this might be available.

Question: "I read in this forum post that the ESET Encryption Boot files are stored in EFI System Partition (ESP). Why?" "Please correct me if I'm wrong. What exactly are the ESET Encryption Boot files? Does this include the encryption keys? Are those keys really stored in the TPM? I'm trying to understand why we can boot into the OS on new hardware."

Answer: The EFDE boot files reside on the ESP, as this is where the UEFI BIOS looks for the primary boot application to begin the boot process. This is quite standard; the Microsoft boot files are on the ESP in the same way. The UEFI BIOS loads the EFDE bootloader, which provides the user interface for the user to enter their credentials and performs the process necessary to decrypt the operating system as it loads. The Disk Encryption Key is not stored on the ESP. The key is obtained cryptographically using the user's credentials, the TPM if used, and other information from the system. EFDE uses metadata that is stored in the main system partition.

Question: "One more: I just discovered the EFI partition is not encrypted, so you can boot into another OS and read these files. Why!?"

Answer: As mentioned in the previous answer, the UEFI BIOS loads the boot file from the ESP, so it cannot be encrypted; otherwise the UEFI would not be able to load and run the primary boot file. The ESP is a small FAT32 partition and should not contain any sensitive data. The main Operating System partition is always encrypted, along with other data partitions depending on which policies were set from the ESET Protect console.

Thank you,
Kieran
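The following toy model is added here to make the three situations in the answer above concrete: a password+TPM user, the temporary bypass "user" that uses neither factor, and the planned auto-boot mode that still binds to the TPM. It is not ESET's code and does not reproduce EFDE's real key-derivation scheme; the factor names, the PBKDF2-based key-encryption key, the XOR-plus-HMAC wrap and all secrets are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Stand-in for the "other information from the system" that lives in the on-disk
# metadata and therefore travels with the disk (constructed value).
SYSTEM_INFO = b"constructed-system-metadata"

def derive_kek(password, tpm_secret):
    """Derive a key-encryption key from whichever factors a mode includes (None = unused)."""
    parts = [p for p in (password, tpm_secret, SYSTEM_INFO) if p is not None]
    return hashlib.pbkdf2_hmac("sha256", b"\x00".join(parts), b"toy-salt", 10_000, dklen=32)

def wrap_dek(dek, kek):
    """Toy wrap: XOR the DEK with a KEK-derived pad and MAC it so a wrong KEK is detectable."""
    pad = hmac.new(kek, b"pad", "sha256").digest()
    blob = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(kek, blob, "sha256").digest()
    return blob, tag

def unwrap_dek(blob, tag, kek):
    """Return the DEK, or None when the KEK is wrong (the boot cannot proceed)."""
    if not hmac.compare_digest(hmac.new(kek, blob, "sha256").digest(), tag):
        return None
    pad = hmac.new(kek, b"pad", "sha256").digest()
    return bytes(a ^ b for a, b in zip(blob, pad))

def protect(dek, mode, password, tpm_secret):
    """Create the on-disk 'user' record for one of the three modes discussed in the thread."""
    factors = {"password+tpm": (password, tpm_secret),
               "bypass": (None, None),          # Pause Authentication / Disable FDE Authentication
               "tpm-only": (None, tpm_secret)}  # planned auto-boot that still requires the TPM
    pw, tpm = factors[mode]
    blob, tag = wrap_dek(dek, derive_kek(pw, tpm))
    return {"mode": mode, "blob": blob, "tag": tag}

def can_boot(record, password, tpm_secret):
    """Simulate the bootloader: True if the DEK is recoverable with the factors present at boot."""
    pw = password if record["mode"] == "password+tpm" else None
    tpm = tpm_secret if record["mode"] in ("password+tpm", "tpm-only") else None
    return unwrap_dek(record["blob"], record["tag"], derive_kek(pw, tpm)) is not None

DEK = secrets.token_bytes(32)            # constructed Disk Encryption Key
ORIGINAL_TPM = secrets.token_bytes(32)   # constructed stand-in for the original machine's TPM secret
NEW_TPM = secrets.token_bytes(32)        # a different machine's TPM: the "drives moved" case

if __name__ == "__main__":
    bypass = protect(DEK, "bypass", None, ORIGINAL_TPM)
    print("bypass record boots on new hardware:", can_boot(bypass, None, NEW_TPM))
```

Running it shows the bypass record booting on NEW_TPM while the password+TPM and tpm-only records only boot with ORIGINAL_TPM, which is exactly the gap the planned update closes.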
rjanz (author), posted May 12, 2022:

Thanks for the detailed reply, Kieran; this helps complete my understanding of the feature set.
Kstainton (ESET Staff), posted May 13, 2022:

> 13 hours ago, rjanz said: Thanks for the detailed reply, Kieran; this helps complete my understanding of the feature set.

Of course, any time you have questions we will do our best to help. Thank you.