Whole Disk Encryption with UEFI and Windows Fails

We have tested products from 5 vendors offering whole disk (really partition) encryption for Windows 7 in a UEFI (EFI) based motherboard. UEFI is a replacement for the traditional IBM compatible BIOS and is currently vigorously promoted by Intel and Microsoft. The results are disappointing, but see the letter at the end of this page for a promising possibility.

The OS was Windows 7 Ultimate SP1. Because Windows defaults all user files to the boot drive, it is essential to us that this partition be subject to full disk encryption. Various schemes to move user default directories to other locations are documented on the web, however all are unsupported by MS, quite complicated and online complaints about subsequent difficulties are rife.

These tests were conducted on January 5-8, 2012. The OS was reinstalled for each test.

In summary, Bitlocker was the only package able to encrypt user files, however storing keys on a USB drive seems unsafe to us. We would be pleased to hear of any alternatives, or effective updates to the packages listed above.

Update

On September 6, 2012 I received an interesting email from shaun@cryptosol.com saying that "DriveCrypt Plus Pack has had UEFI support since last december [2011]. We still have to resolve Secure Boot; at this time it needs to be disabled."

On April 17, 2013 I received the following message out of the blue from Jetico, in Finland. I haven't tested the software, but it would be worth looking at. There is a free trial download available. If you try it out, please tell me how it works out. Note that "two-factor" authentication mentioned in the message would not really qualify as two factors, rather it is more like two passwords.

Date: Wed, 17 Apr 2013 14:31:23 +0300
From: "[iso-8859-1] Kari Hytönen" 
To: 'Daniel Feenberg' 
Subject: RE: Jetico Solution

Hello Daniel,

Yes our product can encrypt both boot and System volumes. We create our own
bootloader that is used to do the end user verification. Also our bootloader
can also reside on a USB stick that allows two factor authentication where
any user needing access to the hard drives would require to have a USB
stick/token at the time of boot and they need to enter a correct password to
be able to start up the system.

More information about the System and Boot volume encryption:
http://www.jetico.com/web_help/bcve3/html/04_usage/01_volume_encryption/03_s
ystem_boot_volumes.htm
(the whole help file: http://www.jetico.com/web_help/bcve3/)


Regards,

--
Kari Hytönen
Technical Sales Manager

Daniel Feenberg
feenberg@nber.org