Unattended mount at restart


BestCrypt Volume Encryption uses the Trusted Platform Module (TPM) hardware available on many motherboards to allow unattended reboot of computers whose boot/system disk volume is encrypted.

The feature is necessary for managing servers that must run around the clock. If such a server has its boot/system volume encrypted, every reboot requires a password to be entered manually at boot time. This becomes a problem when the server must be rebooted automatically; for example, installing operating system updates requires a reboot. The administrator often schedules the automatic reboot for a period of minimum activity, at midnight for example. If the server's system/boot disk is encrypted, the server will display a password prompt at an early stage of the boot process, and the operating system will not boot until the administrator enters the password on arriving at the server console the next morning. Until then the server does not work.

The option to reboot the computer without entering a password at boot time introduces a security risk. For example, someone can turn off the computer, take it out of the company, turn it on again and get its boot/system volume mounted. If the Mount At Boot Time option is set for a non-system data volume, that volume will also be mounted for access automatically.

To minimize the security risk as much as possible, BestCrypt Volume Encryption does the following:

To set the option, run the Options->Unattended Mount At Restart command. The following dialog window will appear.

Unattended Mount At Restart dialog

The window explains the security concerns that the user should understand and requires the user to mark the corresponding checkbox to activate the option.

The dialog window also explains how the user may apply restrictive settings to make the option more secure: limiting the time period during which the option is active, and limiting the number of times the computer can be rebooted in unattended mode.

The Unattended Mount At Restart option can be activated only on computers with Trusted Platform Module (TPM) hardware.

Only a user with administrative privileges can set the option or change its settings.

The secure unattended reboot option can be activated only if the boot/system disk volume is encrypted with version 3 of the software. If the functionality is required, you should decrypt the volume and encrypt it again with version 3 of BestCrypt Volume Encryption.
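The restrictions above (TPM hardware must be present, the option is active only within a time window, and only a limited number of unattended reboots are permitted) can be modelled as a single policy gate that each reboot must pass before the boot/system volume is mounted without a password. The following is an added example written for this page, not BestCrypt Volume Encryption's own code; the policy record, the function names and the patch-night timestamps are constructed assumptions, and the example does not attempt to model how the product stores or seals anything in the TPM. It shows why the two restrictive settings matter: once the window elapses or the reboot budget is spent, the gate falls back to the password prompt, so a machine carried away later cannot simply be powered on and mounted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class UnattendedMountPolicy:
    """Hypothetical policy record (an assumption for this example) holding the
    two restrictive settings described on this page."""
    enabled: bool
    active_until: Optional[datetime]  # None means no time limit is set
    reboots_left: Optional[int]       # None means no reboot count limit is set


def evaluate_unattended_mount(policy: UnattendedMountPolicy,
                              tpm_present: bool,
                              now: datetime) -> Tuple[bool, str]:
    """Decide whether this reboot may mount the boot/system volume without a
    password. Returns (allowed, reason). A permitted reboot consumes one unit
    of the reboot budget; an expired window or exhausted budget disables the
    option so that the next boot shows the normal password prompt."""
    if not tpm_present:
        return False, "no TPM present: password required"
    if not policy.enabled:
        return False, "unattended mount disabled: password required"
    if policy.active_until is not None and now > policy.active_until:
        policy.enabled = False  # the activity window has elapsed
        return False, "activity window expired: password required"
    if policy.reboots_left is not None:
        if policy.reboots_left <= 0:
            policy.enabled = False
            return False, "reboot budget exhausted: password required"
        policy.reboots_left -= 1
        if policy.reboots_left == 0:
            policy.enabled = False  # last permitted unattended reboot used up
    return True, "unattended mount permitted"


def simulate_reboots(policy: UnattendedMountPolicy,
                     tpm_present: bool,
                     reboot_times: List[datetime]) -> List[Tuple[bool, str]]:
    """Run a sequence of reboot timestamps through the gate, returning the
    decision for each, so a maintenance schedule can be reviewed in advance."""
    return [evaluate_unattended_mount(policy, tpm_present, t) for t in reboot_times]


def example_patch_night() -> List[Tuple[bool, str]]:
    """Constructed scenario: a 6-hour window starting at midnight with a budget
    of two unattended reboots. Two update reboots fall inside the window, a
    third exceeds the budget, and a fourth happens after the window closed."""
    start = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed
    policy = UnattendedMountPolicy(enabled=True,
                                   active_until=start + timedelta(hours=6),
                                   reboots_left=2)
    schedule = [start + timedelta(hours=1),
                start + timedelta(hours=2),
                start + timedelta(hours=3),
                start + timedelta(hours=7)]
    return simulate_reboots(policy, tpm_present=True, reboot_times=schedule)


def example_no_tpm() -> Tuple[bool, str]:
    """Constructed scenario: the option is configured but the machine has no TPM."""
    start = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed
    policy = UnattendedMountPolicy(enabled=True, active_until=None, reboots_left=None)
    return evaluate_unattended_mount(policy, tpm_present=False, now=start)


if __name__ == "__main__":
    for allowed, reason in example_patch_night():
        print("ALLOW " if allowed else "DENY  ", reason)
    print("no TPM:", example_no_tpm())
```

In the constructed schedule the first two reboots are permitted, the third is refused because the budget is spent, and the fourth is refused because the option was already disabled; with an unlimited budget the fourth would instead be refused on window expiry. The same gate refuses immediately when no TPM is present, matching the page's statement that the option requires TPM hardware.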
