The organisation I work for has laptops outfitted with FDE drives, i.e. drives that encrypt data on the fly such that in the case of a stolen laptop, no data can be retrieved by removing the HDD. While this protects us against malicious outsiders, evil employees can still switch the drive to a computer that they own (and of which they control the BIOS), and enable root/administrator privileges in the OS for themselves.
In short, what would solve this problem is having (a part of) the encryption key saved in the BIOS, such that another computer would be unable to decrypt the drive. Is there a way to do this, or how do other organisations deal with this security risk?
"switch the drive to a computer that they own (and of which they control the BIOS), and enable root/administrator privileges in the OS for themselves" Are you sure this is possible to do? Why could a thief not do the same thing as the evil employee? – Moab – 2012-09-16T16:47:44.667
Moab: Thief is unable to decrypt the disk. Employee knows passphrase to unlock his drive. – pberlijn – 2012-09-17T13:30:00.303
Why does the evil employee have the passphrase to someone else's drive? – Moab – 2012-09-17T15:00:47.570
He has the passphrase to his own drive. The drive which holds the OS that he is not allowed root privileges on (for a number of reasons). – pberlijn – 2012-09-17T22:03:34.200