Problem solve Get help with specific problems with your technologies, process and projects.

What are the risks of turning off pre-boot authentication?

In this Q&A, identity management and access control expert Joel Dubin discusses the dangers associated with turning off pre-boot authentication (PBA)?

I recently read about full-disk encryption (FDE) products that turn off pre-boot authentication to provide transparent...

single sign-on and help with patch management. What are the risks of turning off PBA.

The risks associated with turning off pre-boot authentication (PBA) are actually quite high, and it's not a recommended best practice. Pre-boot authentication is the whole point of full-disk encryption (FDE) and, in fact, is what makes FDE such a powerful tool for protecting data.

First, let's briefly explain what pre-boot authentication is and its role in FDE. Pre-boot authentication is a process that requires a user to authenticate prior to the operating system loading. In other words, on a system with pre-boot authentication installed, the user is prompted for a user ID and password before the system boots up. Once the user successfully logs in, then the operating system starts. If the user enters the wrong user ID and password, the operating system won't load and the computer locks up.

Pre-boot authentication prevents the common hacker trick of using a Linux boot disk, like Knoppix, to bypass the operating system authentication and enter the system without login credentials. Pre-boot authentication operates at a lower level than the operating system. If the OS doesn't load, then the tools that try to bypass it won't work and attackers won't even get a chance to maliciously enter the system.

Pre-boot authentication is also cross-platform. It not only blocks Linux CDs but also blocks Windows emergency disks that might be used to gain access to Microsoft systems.

Pre-boot authentication doesn't operate alone; it works hand-in-hand with FDE, operating as a front-end to FDE applications. Products such as SafeBoot, SafeGuard and SafeNet, which offer FDE, encrypt the hard drive silently in the background. The pre-boot authentication generates the key needed to encrypt the hard drive and then decrypt it later when the system is booted up again.

FDE tools are great for protecting data loss from stolen laptops. If a thief -- or malicious user, for that matter -- tries to turn on the computer, he or she will be blocked by the pre-boot authentication – and a boot disk won't help them get in either. The attacker will be stuck with an encrypted hard drive.

With PBA turned off, not only could the attacker possibly get access to the machine, but the hard drive might also not be encrypted. It's not necessary to turn off pre-boot authentication to enable single sign-on (SSO) or patch management.The commercial FDE products mentioned above can be adapted to SSO, and fully integrated with common authentication systems like Active Directory and LDAP.

Finally, if something stronger than just a plain old user ID and password is required for higher-risk data, pre-boot authentication can be integrated into two-factor authentication systems such as smart cards or biometrics.

For more information:

  • Security expert Joel Dubin examines what components are necessary to create a secure authentication system.
  • Learn how data loss can be controlled with full-disk encryption.
This was last published in July 2007

Dig Deeper on Disk and file encryption tools