About Pre-Boot Encryption (PBE)

Pre-boot encryption (PBE) is an additional security measure you can take to protect the data at rest on your dedicated server.

More precisely, we refer to full disk encryption (including system, data, backup or swap partitions).


PBE works at the BIOS/UEFI level (a trusted authentication layer that serves as a tamper-proof environment outside the operating system), so you can prevent unauthorized access to the system before the operating system boots.


What does PBE do?

  • Full disk encryption covers almost everything (including swap space and temporary files), leaving only a small unencrypted volume to boot from, while the volume containing the operating system is fully encrypted;
  • Mitigates data theft through physical access: if an attacker somehow gains physical access to the hardware, they cannot read or exfiltrate the data without the decryption credentials;
  • In some cases it is legally required: organizations must comply with privacy regulations (such as GDPR, HIPAA) that require the protection of stored data, and encrypting data at rest reduces the risk of penalties and data breaches;
  • Since the encryption is done at the hardware level, PBE prevents attackers from using offline methods to gain access to your data;
  • Destroying the cryptographic keys renders the contained data useless.


What does PBE not do?

  • Protect against common threats such as malware and rootkits: once the operating system is booted and running, PBE plays no part in mitigating them (in such cases you should use antivirus software, apply security patches promptly, etc.);
  • Prevent unauthorized access once the OS is running, so it is important to have firewalls and an intrusion detection system (IDS) properly set up, as well as to patch regularly;
  • Protect against phishing/social engineering attacks: the decryption credentials can still be obtained from the people who hold them, so it is important to limit and control who has access to those credentials.

Note: in the context of a VPS, configuring PBE provides little value, since the VM's memory contains the decrypted data and the keys, so an attacker with access to the hypervisor can potentially dump the RAM of the VPS and recover the encryption key that way.

To set up PBE, we recommend using LUKS for Linux environments, which can be set up during the installation process, or VeraCrypt (https://www.veracrypt.fr/en/CompilingGuidelineWin.html) for Windows servers.
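Once a LUKS-based installation is finished, it is worth verifying that the layout actually matches the description above (only the boot volume unencrypted; root, data, backup and swap all sitting on a LUKS-mapped device). The following script is an added example, not part of this article or of any vendor tooling: it parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and flags every mounted filesystem or active swap that is not backed by a `crypt` device. The embedded sample output is a constructed, hypothetical disk layout (one encrypted disk with root and swap inside LVM on LUKS, plus a second disk with an unencrypted backup partition and unencrypted swap); the set of mount points treated as the expected unencrypted boot volume is an assumption.

```python
import json
import subprocess
import sys

# Mount points expected to live on the one unencrypted boot volume (assumption).
BOOT_MOUNTS = {"/boot", "/boot/efi"}

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output.
# Hypothetical layout, not taken from any real server.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
          {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/backup"},
      {"name": "sdb2", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}
    ]}
  ]
}
"""


def _walk(node, under_crypt, findings):
    """Depth-first walk of one lsblk device subtree.

    A mount is considered encrypted when any ancestor (or the node itself)
    is a dm-crypt mapping, which lsblk reports as type "crypt".
    """
    now_under_crypt = under_crypt or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:  # lsblk reports active swap as "[SWAP]"
        findings.append({
            "name": node["name"],
            "mountpoint": mountpoint,
            "fstype": node.get("fstype"),
            "encrypted": now_under_crypt,
        })
    for child in node.get("children", []):
        _walk(child, now_under_crypt, findings)
    return findings


def audit_mounts(lsblk_json):
    """Return one record per mounted filesystem / active swap with its encryption status."""
    tree = json.loads(lsblk_json)
    findings = []
    for device in tree["blockdevices"]:
        _walk(device, False, findings)
    return findings


def unencrypted_mounts(lsblk_json):
    """Mounts that are not under a crypt device and are not the expected boot volume."""
    return [f for f in audit_mounts(lsblk_json)
            if not f["encrypted"] and f["mountpoint"] not in BOOT_MOUNTS]


def main():
    # Pass --live to audit the running host instead of the constructed sample.
    if "--live" in sys.argv:
        data = subprocess.check_output(
            ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True)
    else:
        data = SAMPLE_LSBLK_JSON
    for f in audit_mounts(data):
        status = "encrypted" if f["encrypted"] else "UNENCRYPTED"
        print(f"{f['name']:<10} {f['mountpoint']:<10} {str(f['fstype']):<12} {status}")
    bad = unencrypted_mounts(data)
    print(f"\n{len(bad)} non-boot mount(s) outside LUKS: {[b['name'] for b in bad]}")


if __name__ == "__main__":
    main()
```

On the sample layout the script reports `sdb1` (/backup) and `sdb2` (swap) as sitting outside LUKS, which is exactly the gap the bullets above warn about: an unencrypted swap or backup partition undoes the protection of the encrypted root volume. Run it with `--live` on a freshly installed server to confirm that only /boot (and /boot/efi) are left in the clear.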
