Moving Encrypted drives to new hardware


rjanz


While testing the ESET Full Disk Encryption product we found that we can successfully move the drives to a new desktop (different TPM, CPU, mobo, etc.) and we're able to successfully boot into Windows. I read in this forum post that the ESET Encryption Boot files are stored in the EFI System Partition (ESP). Why?

This completely defeats the purpose of encrypting the drives with a TPM. In our configuration we don't have the login password set, as the computers live in a facility. If there's a smash and grab and someone takes the drives, they'd be able to boot into them to try and recover data. They'll have a running OS with a network stack which can likely be exploited. I confirmed we can't read the data while the drives are docked, or by booting into another OS to read them.

Why are the keys not stored in the TPM? I would expect that moving the drives to new hardware would render them inoperable.


Please correct me if I'm wrong. What exactly are the ESET Encryption Boot files? Does this include the encryption keys? Are those keys really stored in the TPM? I'm trying to understand why we can boot into the OS on new hardware.


One more: I just discovered the EFI partition is not encrypted, so you can boot into another OS and read these files. Why!?


  • ESET Staff

Hi @rjanz,

I am going to have to target specific sections of your posts to answer as best as I can for you here.

  1. Question: “While testing the ESET Full Disk Encryption product we found that we can successfully move the drives to a new desktop (different TPM, CPU, mobo etc) and we’re able to successfully boot into Windows. This completely defeats the purpose of encrypting the drives with a TPM. In our configuration we don’t have the login password set as the computers live in facility”
    • Answer: Using the TPM with EFDE, the encryption key is protected using the TPM. This means that when the user enters their password, it is used along with the TPM and other information to provide access to the Disk Encryption Key. In this situation, if a disk is moved to another machine, the system will not be able to boot because the original TPM is required to access the Key.

Using the authentication bypass, either the “Pause Authentication” task or the “Disable FDE Authentication” policy, creates a special temporary “user” that is capable of booting the system without a password or TPM. The presence of this “user” causes the system to boot automatically. However, as you mentioned, this does mean that the TPM is not used when in this mode, so it is possible to boot when the disk is put in a different computer.

We do understand your observation and we are planning an update to EFDE to use the TPM when the authentication is disabled. At this stage I do not have any information as to when this might be available.

  2. Question: “I read in this forum post that the ESET Encryption Boot files are stored in EFI System Partition (ESP). Why?” “Please correct me if I’m wrong. What exactly are the ESET Encryption Boot files? Does this include the encryption keys? Are those keys really stored in the TPM? I’m trying to understand why we can boot into the OS on new hardware”
    • Answer: The EFDE boot files reside on the ESP because this is where the UEFI BIOS looks for the primary boot application to begin the boot process. This is quite standard; the Microsoft boot files are on the ESP in the same way. The UEFI BIOS loads the EFDE bootloader, which provides the user interface for the user to enter their credentials and performs the process necessary to decrypt the operating system as it loads.

The Disk Encryption Key is not stored on the ESP. The Key is obtained cryptographically using the user's credentials, the TPM if used, and other information from the system. EFDE uses metadata that is stored in the main system partition.

  3. Question: “One more, I just discovered the EFI is not encrypted so you can boot into another OS and read these files. Why!?”
    • Answer: As mentioned in the previous answer, the UEFI BIOS loads the boot file from the ESP, so it cannot be encrypted; otherwise the UEFI would not be able to load and run the primary boot file.

The ESP is a small FAT32 partition and should not contain any sensitive data. The main Operating System partition is always encrypted along with other data partitions depending on which policies were set from the ESET Protect console.

Thank you,

Kieran
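To make the difference between the two modes Kieran describes concrete, here is a small added model (not ESET code, and not how EFDE actually wraps its key) of a disk whose Disk Encryption Key is wrapped in two slots: a TPM-bound user slot, whose key-encryption key is derived from the password plus a TPM-held secret plus metadata, and an optional "bypass" slot that mirrors the temporary "user" created by Pause Authentication, whose key-encryption key involves no TPM and no password. The TPM secrets, the metadata value and the wrapping scheme (XOR with a derived key plus an HMAC tag) are all constructed for illustration. Running the two scenarios shows why the bypass slot lets the disk boot on foreign hardware while the TPM-bound slot alone does not.

```python
"""Toy model: TPM-bound key slot vs. authentication-bypass slot.

Constructed example. Nothing here is EFDE's real key-wrapping format; it only
demonstrates the property discussed in the thread.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed "hardware": each machine's TPM holds a different secret that
# never leaves the device, so a disk moved to machine B no longer sees A's.
MACHINE_A_TPM_SECRET = hashlib.sha256(b"tpm-of-machine-A").digest()
MACHINE_B_TPM_SECRET = hashlib.sha256(b"tpm-of-machine-B").digest()

# Constructed stand-in for the metadata EFDE keeps in the system partition.
SYSTEM_INFO = b"install-id-0001"


def derive_kek(password: bytes, tpm_secret: Optional[bytes], system_info: bytes) -> bytes:
    """Derive a 32-byte key-encryption key from password + TPM secret + metadata.

    A slot with tpm_secret=None is not hardware-bound: its KEK can be rebuilt
    from the disk contents alone, on any machine.
    """
    salt = (tpm_secret or b"") + system_info
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=32)


def wrap_dek(dek: bytes, kek: bytes) -> bytes:
    """Toy wrap: XOR the 32-byte DEK with the KEK and append an HMAC tag so a
    wrong KEK is detected instead of silently yielding garbage."""
    body = bytes(a ^ b for a, b in zip(dek, kek))
    tag = hmac.new(kek, body, "sha256").digest()
    return body + tag


def unwrap_dek(wrapped: bytes, kek: bytes) -> Optional[bytes]:
    """Return the DEK if the tag verifies under this KEK, else None."""
    body, tag = wrapped[:32], wrapped[32:]
    if not hmac.compare_digest(hmac.new(kek, body, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(body, kek))


def provision(dek: bytes, password: bytes, tpm_secret: bytes, bypass_enabled: bool) -> Dict[str, bytes]:
    """Create the key slots stored with the disk when it is first encrypted."""
    slots = {"user": wrap_dek(dek, derive_kek(password, tpm_secret, SYSTEM_INFO))}
    if bypass_enabled:
        # Pause-Authentication-style "user": empty credential, no TPM input.
        # Anyone holding the disk (metadata included) can rebuild this KEK.
        slots["bypass"] = wrap_dek(dek, derive_kek(b"", None, SYSTEM_INFO))
    return slots


def try_boot(slots: Dict[str, bytes], tpm_secret: bytes, password: Optional[bytes] = None) -> Optional[bytes]:
    """Simulate the bootloader: unlock with the password + this machine's TPM,
    then fall back to the bypass slot if one exists."""
    if password is not None:
        dek = unwrap_dek(slots["user"], derive_kek(password, tpm_secret, SYSTEM_INFO))
        if dek is not None:
            return dek
    if "bypass" in slots:
        return unwrap_dek(slots["bypass"], derive_kek(b"", None, SYSTEM_INFO))
    return None


def scenario(bypass_enabled: bool) -> Dict[str, bool]:
    """Provision a disk on machine A and report which boot attempts recover the DEK."""
    dek = hashlib.sha256(b"constructed-dek").digest()  # deterministic sample key
    slots = provision(dek, b"correct horse", MACHINE_A_TPM_SECRET, bypass_enabled)
    return {
        "same_hw_with_password": try_boot(slots, MACHINE_A_TPM_SECRET, b"correct horse") == dek,
        "same_hw_no_password": try_boot(slots, MACHINE_A_TPM_SECRET) == dek,
        "moved_hw_no_password": try_boot(slots, MACHINE_B_TPM_SECRET) == dek,
        "moved_hw_with_password": try_boot(slots, MACHINE_B_TPM_SECRET, b"correct horse") == dek,
    }


if __name__ == "__main__":
    print("authentication paused:", scenario(True))
    print("authentication active:", scenario(False))
```

With the bypass slot present every attempt succeeds, including on machine B, because that slot's key is derived purely from data that travels with the disk. With authentication active only the password-plus-original-TPM path unlocks, and the moved disk fails even with the right password. The defensive takeaway matches the thread: leaving authentication paused removes the hardware binding entirely, so the pause should be treated as a short maintenance window rather than a steady-state configuration until the announced TPM-aware update for that mode ships.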


  • ESET Staff
13 hours ago, rjanz said:

Thanks for the detailed reply Kieran, this helps complete my understanding of the feature set.

Of course, any time you have questions we will do our best to help. Thank you.
