Protection of systems in Windows lock, log off, and standby states

In a world where more and more systems stay switched on in low-power states (Always On, Always Connected, or AOAC), Drive Encryption 7.2.0 provides an additional level of protection for these systems, and extends that protection to systems where the user has locked the screen or logged off.

Drive Encryption currently protects systems that are certified for Connected Standby.
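Because the protection described here applies to Connected Standby (AOAC) systems, an administrator will want to know which machines fall into that class. The following is an added example, not McAfee documentation or code: it parses the output of the standard `powercfg /availablesleepstates` command and reports whether the S0 Low Power Idle (Connected Standby) state is available; the function name and output fields are my own.

```powershell
function Test-ConnectedStandbySupport {
    [CmdletBinding()]
    param()

    # powercfg /availablesleepstates prints two sections: the sleep states that
    # are available, then the ones that are not (each with a reason beneath it).
    $text = (& powercfg.exe /availablesleepstates 2>&1) -join "`n"

    # Keep only the "available" section; everything after the "not available"
    # heading lists states the firmware or OS does not support.
    $available = ($text -split '(?im)^.*not available.*$', 2)[0]

    # Connected Standby appears as "Standby (S0 Low Power Idle)" on Windows 10/11
    # and as "Standby (Connected)" on Windows 8.x.
    $isAoac = $available -match 'S0 Low Power Idle' -or $available -match 'Standby \(Connected\)'

    # Collect the indented state names under the "available" heading for reporting.
    $states = ($available -split "`n") |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ConnectedStandby = [bool]$isAoac   # $true means the system sleeps in S0 with the key resident in RAM
        AvailableStates  = $states
    }
}

Test-ConnectedStandbySupport
```

A result of `ConnectedStandby = True` identifies a machine that keeps running while "asleep" and therefore benefits from the Elevated Security Crypt mode described in this article.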

How does cold-boot protection work

The AOAC model requires systems to be in low-power states so that the system can receive push notifications from a server, or periodically wake to pull data from servers whilst the system "sleeps". Since this process must happen automatically and without user intervention, user authentication is not possible, and therefore the disk encryption key must be kept in RAM so that the disk can be accessed during the wake period. This allows applications and services to access the hard disk even when the user is not physically with the system.

Hence the system is vulnerable to cold-boot and other sophisticated RAM-based attacks.

To help defend against this problem, Drive Encryption has implemented a new security mode called Elevated Security Crypt, using the AES256-CBC encryption algorithm. This feature is only available when using software encryption; it is not available if you are using Opal drives.

How does Elevated Security Crypt mode work

The Drive Encryption driver now operates in two modes, Standard Crypt mode or Elevated Security Crypt mode. When a Windows user is logged on to the system, the encryption driver operates in the Standard Crypt mode. When the user puts the system to Standby state, locks the screen, or logs off from Windows, the encryption driver switches to the Elevated Security Crypt mode, and the encryption key is removed from DRAM and stored elsewhere in a location that is available for use in the Elevated Security Crypt AES algorithm.

The Drive Encryption driver is therefore able to continue to access the hard disk, allowing applications and services to continue to function; since the key is no longer in DRAM, the system is harder to attack.

Note: Policy enforcement from McAfee ePO to the client systems is disabled while the system is in Elevated Security Crypt mode.

Until the user resumes from Standby and (importantly) authenticates through to Windows, or whilst the system sits at the Windows login or screen lock screens, the encryption driver remains in Elevated Security Crypt mode. Once the user has authenticated back into Windows, the encryption driver transfers the key back into DRAM, effectively switching back into the Standard Crypt mode.

Note: When the system is in Elevated Security Crypt mode, there is an impact on system performance. However, because the system enters Elevated Security Crypt mode only during Windows log off, lock, or standby states, or during authentication, the impact is not noticed while a user is logged on, when the system runs in Standard Crypt mode.
Note: The two crypt modes work in conjunction with TPM-based autoboot:
  • If TPM is used to autoboot the system, Elevated Security Crypt mode is used throughout the boot process until a Windows user has authenticated, at which point Standard Crypt mode is used.