Endpoint Encryption

  • 1.  Sleep no longer requires pre-boot authentication

    Posted Jul 07, 2011 04:08 PM

    I have users on GE 8.7 and GE 9.5.3 that I will be upgrading to SEE 8.0.1sp2.

    In the past when I tested sleep, it correctly prompted me with a GE pre-boot authentication screen. I'm not sure when the behavior changed (I'm guessing GEHD 8.7 still works), but from my tests both GEHD 9.5.3 and SEE 8.0.1sp2 go directly to the Windows prompt after sleep.

    The only thing I can see to do here is to disable sleep.

    At first I was thinking this was a hybrid sleep issue, but I repeated the problem on XP.

    Any other ideas?



  • 2.  RE: Sleep no longer requires pre-boot authentication

    Posted Jul 08, 2011 03:45 AM

    ...this is intended behaviour :-(

    Placing any disk-encrypted machine into sleep/standby is generally a bad idea, as the decryption keys used to access the disk remain in memory, and may be retrieved should an unscrupulous individual gain physical access to the machine.

    Best practice dictates that any disk-encrypted machine is either entirely shut down or hibernated, and should remain in the user's presence for a few minutes after the power has cut out, to allow time for the keys to clear from memory. The good news is you are using SEE, which can employ protection from cold boot attacks (http://www.symantec.com/docs/TECH96464).

    The way I see it, the Pre-Boot Authentication screen is there to protect your encryption keys and therefore access to your hard disks. If the keys are already loaded into memory (as in sleep mode), then it adds no additional protection (plus you're not really booting the machine anymore).



  • 3.  RE: Sleep no longer requires pre-boot authentication

    Posted Jul 08, 2011 06:23 PM

    Thanks, I already use that setting, but didn't see that article when searching yesterday.

    I would argue that if the cold boot prevention setting worked, it wouldn't matter that sleep is keeping the RAM "warm".

    I guess I'd better get my best Mordac reasoning ready, because users are going to have to lose more usability (the ability to go into sleep) in the name of security.
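One way to enforce the "shut down or hibernate, never sleep" practice from this thread on Windows endpoints is an elevated PowerShell script that removes S1-S3 standby and routes every sleep trigger to hibernate (S4), so the disk keys leave RAM. This is an added example, not code from the thread or from Symantec; it assumes the built-in powercfg.exe and the standard Group Policy GUID for "Allow standby states (S1-S3) when sleeping", and the hypothetical helper name Test-StandbyDisabled is mine.

```powershell
# Added example: force hibernate instead of sleep on a disk-encrypted Windows endpoint.
# Run from an elevated PowerShell session; powercfg.exe is built into Windows.
$ErrorActionPreference = 'Stop'

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated (Administrator) session.' }

# 1. Hibernation (S4) writes RAM to hiberfil.sys and powers off, so the keys are gone
#    until pre-boot authentication runs again. Make sure it is enabled.
& powercfg.exe /hibernate on

# 2. Idle timers: never enter standby (0 = disabled); hibernate instead after a delay.
& powercfg.exe /change standby-timeout-ac 0
& powercfg.exe /change standby-timeout-dc 0
& powercfg.exe /change hibernate-timeout-ac 30   # minutes, on mains power
& powercfg.exe /change hibernate-timeout-dc 15   # minutes, on battery

# 3. Lid close, power button and sleep button: action index 2 = hibernate
#    (0 = do nothing, 1 = sleep, 3 = shut down), for both AC and DC profiles.
foreach ($action in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
    & powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
    & powercfg.exe /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
}
& powercfg.exe /setactive SCHEME_CURRENT

# 4. Policy backstop: "Allow standby states (S1-S3) when sleeping" = disabled.
#    This removes Sleep from the Start menu so users cannot pick it by hand.
#    (Standard policy GUID; confirm against your ADMX templates before fleet rollout.)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'ACSettingIndex' -Value 0 -Type DWord
Set-ItemProperty -Path $policyKey -Name 'DCSettingIndex' -Value 0 -Type DWord

# 5. Verification helper (hypothetical name): true when the policy values are in place
#    and hiberfil.sys exists, i.e. standby is blocked and hibernate is available.
function Test-StandbyDisabled {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $hiberfil = Test-Path -Path (Join-Path $env:SystemDrive 'hiberfil.sys')
    return ($null -ne $p) -and ($p.ACSettingIndex -eq 0) -and ($p.DCSettingIndex -eq 0) -and $hiberfil
}

if (Test-StandbyDisabled) { 'Standby disabled, hibernate enabled.' } else { throw 'Configuration not applied.' }
& powercfg.exe /a   # lists which sleep states the system now reports as available
```

Pair this with the cold boot protection setting from TECH96464 mentioned above; the script removes the window in which keys sit in powered RAM, while that setting hardens what happens during a real reboot.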