Reading the many recent reports of stolen laptops containing sensitive
information, I decided it was about time to install a disk access
protection product on my own laptop. I have looked into products like
SafeBoot etc, but have come to the conclusion that I don't understand
how they really work.

When you power up the laptop, you go straight to the product's login
screen, provide a password, and then (assuming the correct password)
Windows starts up.

Question is, what does providing the correct password actually do? It
obviously unlocks something, but what? I used to think it performed a
decryption of the hard disk, but this can't be right because there is no
way it can decrypt a 100GB disk in the time it takes to start the
Windows boot. (And, in any case, how was the encryption performed in the
first place?)

The real question, however, is whether these products are of any use if
someone steals the laptop, takes out the hard drive and fits it into
another machine. Is it then possible to bypass the protection and read
the disk directly?

--
Ian

Re: How do boot-time disk access products work? by news

news
Wed Nov 22 11:10:06 CST 2006

In message <MPG.1fce27e756cc0b6d989ea0@news.readfreenews.net>, Far Canal
<me@privacy.net> writes
>
>
>Eh. All the answers are provided by the companies.
>http://www.safeboot.com/products/
>

Please someone tell me where my specific questions are answered on the
SafeBoot site.

SafeBoot talks about encrypting data "on-the-fly". What does this mean?
What data? On-the-fly doing what? Saving a file that you have just
written? What about all the other tens of thousands of files that you
haven't written since you installed SafeBoot? Are they also encrypted?
If so, when?

Read the words on their site carefully. In the context of my questions,
they don't make sense to me.

--
Ian

Re: How do boot-time disk access products work? by bobrayner

bobrayner
Wed Nov 22 11:58:39 CST 2006

news wrote:

> In message <MPG.1fce27e756cc0b6d989ea0@news.readfreenews.net>, Far Canal
> <me@privacy.net> writes
> >
> >
> >Eh. All the answers are provided by the companies.
> >http://www.safeboot.com/products/
> >
>
> Please someone tell me where my specific questions are answered on the
> SafeBoot site.
>
> SafeBoot talks about encrypting data "on-the-fly". What does this mean?
> What data? On-the-fly doing what? Saving a file that you have just
> written? What about all the other tens of thousands of files that you
> haven't written since you installed SafeBoot? Are they also encrypted?
> If so, when?
>
> Read the words on their site carefully. In the context of my questions,
> they don't make sense to me.

About Safeboot, specifically:

All the disk's contents are encrypted. This is a relatively slow
one-off process that occurs when you first install Safeboot. Safeboot
also installs something like a disk driver, which sits between Windows
and the actual hard disk (driver). Consequently, Windows does not know
or care that the disk is encrypted.

In routine use, Windows asks the Safeboot "driver" a question like
"read file X" - then Safeboot will go find the relevant part of the
hard disk, read the contents, decrypt them, and pass them back to the
blissfully ignorant Windows. This is what they mean by "On the fly"; it
does have a small performance disadvantage, but it's not too bad in
most cases.

There's no need to touch all the other unused files. They were
encrypted when you installed safeboot and they'll stay that way.
There's no need to decrypt them until, one day, you decide to use the
file - at which time Safeboot will decrypt it for you, without you (or
Windows) ever noticing that anything unusual is happening.

Providing the correct password at boot-time does not mean that the
whole disk gets encrypted/decrypted at boot-time. You're just getting
access to a "key" that can be used to read (and write) whatever files
are needed during the boot process.

The whole disk is encrypted; so if you take it out and put it in a
different computer, all you'll see is lots of random-looking junk. This
is one of the main attractions over (say) EFS. Before you ask - no,
passwords (or keys) aren't simply written on an obvious part of the
disk. ;-)

This is a brief oversimplification based on my experience of corporate
Safeboot stuff. Other products (and personal installations) may vary.
May contain nuts.


Re: How do boot-time disk access products work? by ---Fitz---

---Fitz---
Wed Nov 22 16:28:23 CST 2006

<SNIP>
> May contain nuts.
>

I like that!



Re: How do boot-time disk access products work? by news

news
Thu Nov 23 01:11:46 CST 2006

In message <1164218319.008067.196570@e3g2000cwe.googlegroups.com>,
bobrayner <bob.rayner@bt.com> writes
>
>About Safeboot, specifically:
>
[Snip a very clear explanation]

Click. The light has come on!

Many thanks, Bob, for your constructive and helpful response.

(And I like nuts...)

--
Ian

Re: How do boot-time disk access products work? by Ian

Ian
Thu Nov 23 03:36:02 CST 2006

The site reads to me as typical 'corporate blurb' - 99% word-padding, with
the occasional snippet of actual info. The only thing they missed out is the
obligatory 'Leverage your investment' cliche. <g> Not sure why so many
companies publish sites like this - I can only assume they're aimed at
impressing 'executives' who don't understand IT.

Thing I would ask is, exactly what user-credentials are checked? Since it's
at boot, can we assume it's NOT going to check the user's PROPER network
logon? Or is it clever enough to do this? Reason I say this is that a system
which requires multiple, disparate logons is not going to be very convenient
in a company situation. That problem already exists with BIOS passwords, and
is the reason they aren't used much.

I might also add that if it functions similarly to BIOS disk encryption,
many laptops already possess this technology built-in. So you may be paying
for something you already have.




Re: How do boot-time disk access products work? by David

David
Thu Nov 23 14:07:07 CST 2006

The 'credentials' are if the entered password can reveal the encryption key
that allows access to the hard disk. If it doesn't, then the system cannot
boot. This program, SafeBoot, has been a released product since the days of
DOS. True, Seagate makes notebook drives that do encryption on the drive
but this is a recent development. Vista has BitLocker which is Microsoft's
entry into this type of software. I did not look at the web site, but most
are written by marketing types who don't have a clue, but then most users
are clueless too. It is simple to do this. You need some way to encrypt
the drive. You need to get your code on the hard drive in a place where it
will be loaded when the BIOS invokes the code from the MBR (master boot
record). You need to find a place in the lower 640k where your code can
survive the initial booting of the OS once you start that off. You need to
get an encryption key that will permit the drive to be read. Doing
encryption is the hardest part of the job because you don't want it to be
easy to break. When the boot drivers are loaded your driver must load and
get the encryption key from the small resident piece and when the OS
switches to the protected mode access to the hard drive your driver just
keeps on decrypting and encrypting as needed.



"Ian" <Ian@discussions.microsoft.com> wrote in message
news:4588828C-99EA-484D-809C-2BB41073166D@microsoft.com...
> The site reads to me as typical 'corporate blurb' - 99% word-padding, with
> the occasional snippet of actual info. The only thing they missed out is the
> obligatory 'Leverage your investment' cliche. <g> Not sure why so many
> companies publish sites like this - I can only assume they're aimed at
> impressing 'executives' who don't understand IT.
>
> Thing I would ask is, exactly what user-credentials are checked? Since it's
> at boot, can we assume it's NOT going to check the user's PROPER network
> logon? Or is it clever enough to do this? Reason I say this is that a system
> which requires multiple, disparate logons is not going to be very convenient
> in a company situation. That problem already exists with BIOS passwords, and
> is the reason they aren't used much.
>
> I might also add that if it functions similarly to BIOS disk encryption,
> many laptops already possess this technology built-in. So you may be paying
> for something you already have.
>
>
>
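
An added sketch (not part of the thread and not SafeBoot's code) of the point in the post above that the password only has to reveal a key: a random volume key is wrapped under a password-derived key, so a wrong password yields nothing and a password change never touches the encrypted sectors. The slot layout, function names, iteration count and the XOR-plus-HMAC wrap are assumptions standing in for a standard key-wrap construction.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def _kek(password: str, salt: bytes) -> bytes:
    # 64 bytes: the first half masks the volume key, the second keys the check tag.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               ITERATIONS, dklen=64)


def make_slot(password: str, volume_key: bytes) -> dict:
    """Wrap a 32-byte volume key under a password; this record is what sits on disk."""
    salt = os.urandom(16)
    k = _kek(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, k[:32]))
    tag = hmac.new(k[32:], wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(password: str, slot: dict):
    """Return the volume key, or None when the password does not match."""
    k = _kek(password, slot["salt"])
    expect = hmac.new(k[32:], slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, slot["tag"]):
        return None  # pre-boot login fails; nothing on the disk can be read
    return bytes(a ^ b for a, b in zip(slot["wrapped"], k[:32]))


def change_password(old: str, new: str, slot: dict):
    """Re-wrap the same volume key; the encrypted sectors stay exactly as they are."""
    volume_key = unlock(old, slot)
    return None if volume_key is None else make_slot(new, volume_key)


if __name__ == "__main__":
    vk = os.urandom(32)                      # generated once, at install time
    slot = make_slot("constructed-passphrase", vk)
    print(unlock("constructed-passphrase", slot) == vk, unlock("guess", slot))
```

Only the salt, the wrapped key and the tag are stored, which is why moving the drive to another machine gives an attacker nothing better than a password-guessing problem.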



Re: How do boot-time disk access products work? by hunt

hunt
Tue Dec 12 20:32:09 CST 2006


Bobrayner is a little off, but he has the general idea:

What really happens is the user asks the OS to open a file, the OS goes
to the file system driver, responsible for handling stuff like NTFS or
FAT, which works out what the file is by reading sectors of data off
the disk through the disk driver. SafeBoot sits between the disk
driver, and the file system driver itself, so does not have to
understand the concept of files or folders - it just gets requests to
read 512 byte sectors, and write 512 byte sectors to the disk.

See - it's quite simple, and means SafeBoot doesn't have to worry about
the complexity of the disk file system.

Transparent means that once the disk is encrypted, there's no
possibility to write plain data to the disk, and any data read from the
disk HAS to go through the SafeBoot driver before it can be understood.
Obviously, you can't assemble the logical construct of a file when some
of the sectors are encrypted...

I hope that helps.

Simon.
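
An added sketch (not part of the thread and not SafeBoot's code) of the layering described in the post above: a filter that only ever sees 512-byte sector reads and writes, plus the one-off install-time pass that encrypts every sector. `RawDisk`, `EncryptingFilter`, `encrypt_in_place` and the HMAC-based keystream are assumptions; the keystream is a toy stand-in for a real sector cipher such as AES-XTS.

```python
import hashlib
import hmac

SECTOR = 512  # sector size named in the post above


class RawDisk:
    """Constructed stand-in for the physical disk: a flat array of sectors."""
    def __init__(self, sectors: int):
        self.data = bytearray(sectors * SECTOR)

    def read(self, lba: int) -> bytes:
        return bytes(self.data[lba * SECTOR:(lba + 1) * SECTOR])

    def write(self, lba: int, buf: bytes) -> None:
        assert len(buf) == SECTOR
        self.data[lba * SECTOR:(lba + 1) * SECTOR] = buf


def _keystream(key: bytes, lba: int) -> bytes:
    # Toy per-sector keystream (HMAC-SHA256 in counter mode). Not a real disk
    # cipher: rewriting a sector reuses the same stream.
    return b"".join(
        hmac.new(key, lba.to_bytes(8, "big") + bytes([i]), hashlib.sha256).digest()
        for i in range(SECTOR // 32))


class EncryptingFilter:
    """Sits between the file system and the disk; knows sectors, not files."""
    def __init__(self, disk: RawDisk, key: bytes):
        self.disk, self.key = disk, key

    def _xor(self, buf: bytes, lba: int) -> bytes:
        return bytes(a ^ b for a, b in zip(buf, _keystream(self.key, lba)))

    def read(self, lba: int) -> bytes:
        return self._xor(self.disk.read(lba), lba)    # decrypt on the way up

    def write(self, lba: int, buf: bytes) -> None:
        self.disk.write(lba, self._xor(buf, lba))     # encrypt on the way down


def encrypt_in_place(disk: RawDisk, key: bytes) -> None:
    """The slow one-off pass at install time: every sector, used or not."""
    flt = EncryptingFilter(disk, key)
    for lba in range(len(disk.data) // SECTOR):
        flt.write(lba, disk.read(lba))
```

Reading `disk.data` directly models the drive fitted into another machine: every sector, including empty ones, is ciphertext unless the reader goes through the filter with the right key.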