Pre-boot authentication
Pre-Boot Authentication (PBA) serves as an extension of the BIOS or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents anything, including the operating system, from being read from the hard disk until the user has presented the correct password or other credentials.[1]
Benefits of Pre-Boot Authentication
- Full disk encryption outside of the operating system level [1]
- Encryption of temporary files
- Data-at-rest protection
How Pre-Boot Authentication Works
Generic Boot Sequence
- Basic Input/Output System (BIOS)
- Master boot record (MBR) partition table
- Pre-boot authentication (PBA)
- Operating system (OS) boots
A PBA environment serves as an extension of the BIOS or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents Windows or any other operating system from loading until the user has confirmed he/she has the correct password. Because authentication completes before the operating system is loaded, that trusted layer eliminates the possibility that one of the millions of lines of OS code can compromise the privacy of personal or company data.
Misnomer
"Pre-boot authentication" is sometimes a misnomer, since in some implementations a minimal OS is loaded prior to the main operating system. Pre-boot authentication can take a number of forms: it can be a start-up (BIOS) password implemented on the motherboard, or it can reside on the boot volume itself. In the latter case, the boot sector of the hard drive is overwritten with a small executable which starts the decryption of the hard drive and hands off the credentials to an operating system to continue booting. For example, TrueCrypt and BestCrypt are full disk encryption systems that perform pre-boot authentication for Windows only, since a password must be entered before the hard drive can be unlocked and the operating system booted.
Pre-Boot Authentication Technologies
Combinations with Full Disk Encryption
Pre-Boot Authentication is generally provided by a variety of full disk encryption vendors, but can be installed separately. Some FDE solutions can function without Pre-Boot Authentication, such as hardware-based full disk encryption. However, without some form of authentication, encryption provides little protection.
Authentication Methods
The standard complement of authentication methods exists for Pre-Boot Authentication, including:
- Something you know (e.g. username / password)
- Something you have (e.g. smart card or other token)
- Something you are (e.g. biometric data)
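The following is an added illustration, not code from the article or from any of the products it names, of the boot-volume form of PBA described above: a password (something you know) combined with a token secret (something you have) derives a key that unwraps the volume master key, and the operating system image is only decrypted once that check passes. It assumes a toy SHA-256 counter-mode keystream and a PBKDF2 iteration count in place of the ciphers and parameters a real full disk encryption product would use.

```python
import hashlib
import hmac
import os
import secrets

KDF_ITERATIONS = 200_000  # assumed cost setting; a real PBA tunes this to the firmware's CPU budget

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256: a toy stand-in for the AES modes real FDE products use."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]

def derive_kek(password: str, token_secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key from what the user knows (password) and has (token secret)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + token_secret, salt, KDF_ITERATIONS)

def enroll(password: str, token_secret: bytes = b"") -> tuple:
    """Build the PBA header stored on the boot volume; the volume master key (VMK) is never stored in clear."""
    salt, nonce, vmk = os.urandom(16), os.urandom(16), secrets.token_bytes(32)
    kek = derive_kek(password, token_secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(vmk, keystream(kek, nonce, 32)))
    tag = hmac.new(kek, nonce + wrapped, "sha256").digest()  # lets the PBA detect a wrong credential
    return {"salt": salt, "nonce": nonce, "wrapped_vmk": wrapped, "tag": tag}, vmk

def encrypt_volume(vmk: bytes, data: bytes) -> bytes:
    """Symmetric XOR with a VMK-derived keystream: the OS image on disk is unreadable without the VMK."""
    return bytes(a ^ b for a, b in zip(data, keystream(vmk, b"volume", len(data))))

def pre_boot_authenticate(header: dict, password: str, token_secret: bytes = b""):
    """The PBA step: return the VMK if the credential verifies, else None without touching the OS."""
    kek = derive_kek(password, token_secret, header["salt"])
    expected = hmac.new(kek, header["nonce"] + header["wrapped_vmk"], "sha256").digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(header["wrapped_vmk"], keystream(kek, header["nonce"], 32)))

def boot(header: dict, encrypted_os: bytes, password: str, token_secret: bytes = b"") -> bytes:
    """Article's generic sequence, firmware -> MBR -> PBA -> OS, failing closed before the OS step."""
    vmk = pre_boot_authenticate(header, password, token_secret)
    if vmk is None:
        raise PermissionError("pre-boot authentication failed; operating system not loaded")
    return encrypt_volume(vmk, encrypted_os)  # XOR keystream is its own inverse

if __name__ == "__main__":
    hdr, key = enroll("correct horse", b"token-secret-1234")  # constructed credentials
    image = encrypt_volume(key, b"constructed OS kernel image")
    print(boot(hdr, image, "correct horse", b"token-secret-1234"))
```

Note that a missing token or a wrong password both fail closed at the PBA step, which is the point of the section above: encryption without an authentication step in front of it would leave the wrapped key unlockable by anyone with the disk.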
References
- [1] "Pre-Boot Authentication". Secude. February 21, 2008. Retrieved 2008-02-22.