1.1 The ZENworks PBA

Pre-boot authentication is the process of authenticating a user to a device before the device boots to the primary operating system. For ZENworks Full Disk Encryption, the ZENworks Pre-Boot Authentication module, referred to as the ZENworks PBA, performs this operation on a device.

1.1.1 Security

The ZENworks PBA is hosted by a fully functional Linux system installed on the device. At device startup, the Linux system boots and displays the ZENworks PBA login.

The primary advantage of the ZENworks PBA is increased security over the standard Windows login. The Linux system is hardened, meaning that it has been explicitly configured for security and reliability. The ZENworks PBA is protected against alteration through the use of MD5 checksums, and the ZENworks PBA applies strong encryption for the keys used in the authentication process.

With standard hard disks encrypted by ZENworks Full Disk Encryption, the ZENworks PBA does not prevent intruders from seeing the encrypted partitions. However, because the partitions are encrypted, none of the data is accessible until ZENworks PBA login is successful.

1.1.2 Implementation

ZENworks Full Disk Encryption provides software-based encryption on standard, solid state, and self-encrypted hard disks using the IDE, SATA, or PATA interface standard.

A 500 MB primary partition is created on the disk for the Linux system and the ZENworks PBA. When the device boots, the ZENworks PBA login is displayed. After the user enters valid credentials (see Authentication Methods), the PBA terminates, the Windows operating system is booted, and the encrypted drives become accessible.

1.1.3 Authentication Methods

The ZENworks PBA supports the following authentication methods:

  • Standard user ID/password authentication

  • Smart card authentication based on the X.509, PKCS#11, and PC/SC standards

Both methods support the user capturing and single sign-on functionality discussed in the next two sections.

User Capturing

A user’s credentials (either user ID/password or smart card) must be added to the ZENworks PBA. You can add credentials via the Disk Encryption policy applied to the device, or you can enable the ZENworks PBA to capture the credentials the first time it starts after installation. This second method, referred to as user capturing, is the recommended method, especially when using smart card authentication, because the credentials are recorded exactly as the user presents them rather than being defined by hand in the policy.

Single Sign-On

The ZENworks PBA login does not replace the Windows login. A user must log in to both the ZENworks PBA and Windows. You can, however, enable single sign-on so that the user enters credentials only at the ZENworks PBA login and is automatically logged in to Windows with those same credentials. This requires that the ZENworks PBA credentials match the Windows credentials.