How do boot-time disk access products work?

[news]

Reading the many recent reports of stolen laptops containing sensitive
information, I decided it was about time to install a disk access
protection product on my own laptop. I have looked into products like
SafeBoot etc, but have come to the conclusion that I don't understand
how they really work.

When you power up the laptop, you go straight to the product's login
screen, provide a password, and then (assuming the correct password)
Windows starts up.

Question is, what does providing the correct password actually do? It
obviously unlocks something, but what? I used to think it performed a
decryption of the hard disk, but this can't be right because there is no
way it can decrypt a 100GB disk in the time it takes to start the
Windows boot. (And, in any case, how was the encryption performed in the
first place?)

The real question, however, is whether these products are of any use if
someone steals the laptop, takes out the hard drive and fits it into
another machine. Is it then possible to bypass the protection and read
the disk directly?

--
Ian

[news]

In message <MPG.1fce27e756cc0b6d989ea0@news.readfreenews.net> , Far Canal
<me@privacy.net> writes
>
>
>Eh. All the answers are provided by the companies.
>http://www.safeboot.com/products/
>

Please someone tell me where my specific questions are answered on the
SafeBoot site.

SafeBoot talks about encrypting data "on-the-fly". What does this mean?
What data? On-the-fly doing what? Saving a file that you have just
written? What about all the other tens of thousands of files that you
haven't written since you installed SafeBoot? Are they also encrypted?
If so, when?

Read the words on their site carefully. In the context of my questions,
they don't make sense to me.

--
Ian

[bobrayner]

news wrote:

> In message <MPG.1fce27e756cc0b6d989ea0@news.readfreenews.net> , Far Canal
> <me@privacy.net> writes
> >
> >
> >Eh. All the answers are provided by the companies.
> >http://www.safeboot.com/products/
> >
>
> Please someone tell me where my specific questions are answered on the
> SafeBoot site.
>
> SafeBoot talks about encrypting data "on-the-fly". What does this mean?
> What data? On-the-fly doing what? Saving a file that you have just
> written? What about all the other tens of thousands of files that you
> haven't written since you installed SafeBoot? Are they also encrypted?
> If so, when?
>
> Read the words on their site carefully. In the context of my questions,
> they don't make sense to me.

About Safeboot, specifically:

All the disk's contents are encrypted. This is a relatively slow
one-off process that occurs when you first install Safeboot. Safeboot
also installs something like a disk driver, which sits between Windows
and the actual hard disk (driver). Consequently, Windows does not know
or care that the disk is encrypted.

In routine use, Windows asks the Safeboot "driver" a question like
"read file X" - then Safeboot will go find the relevant part of the
hard disk, read the contents, decrypt them, and pass them back to the
blissfully ignorant Windows. This is what they mean by "On the fly"; it
does have a small performance disadvantage, but it's not too bad in
most cases.

There's no need to touch all the other unused files. They were
encrypted when you installed safeboot and they'll stay that way.
There's no need to decrypt them until, one day, you decide to use the
file - at which time Safeboot will decrypt it for you, without you (or
Windows) ever noticing that anything unusual is happening.

Providing the correct password at boot-time does not mean that the
whole disk gets encrypted/decrypted at boot-time. You're just getting
access to a "key" that can be used to read (and write) whatever files
are needed during the boot process.

The whole disk is encrypted; so if you take it out and put it in a
different computer, all you'll see is lots of random-looking junk. This
is one of the main attractions over (say) EFS. Before you ask - no,
passwords (or keys) aren't simply written on an obvious part of the
disk. ;-)

This is a brief oversimplification based on my experience of corporate
Safeboot stuff. Other products (and personal installations) may vary.
May contain nuts.

[---Fitz---]

<SNIP>
> May contain nuts.
>

I like that!

[news]

In message <1164218319.008067.196570@e3g2000cwe.googlegroups. com>,
bobrayner <bob.rayner@bt.com> writes
>
>About Safeboot, specifically:
>
[Snip a very clear explanation]

Click. The light has come on!

Many thanks, Bob, for your constructive and helpful response.

(And I like nuts...)

--
Ian