Remote Encryption Management, what is it and what does the SDK do?

So, there's a new SDK available on the ISN Manageability site, and it frankly needs some explanation. It also calls for a description of what Remote Encryption Management is, since it hasn't been discussed previously.

To sum up in a sentence, Remote Encryption Management supports the ability to unlock an encrypted hard drive through vPro. This covers both software encryption solutions (where the OS and a pre-boot authentication environment are involved) and FDE encrypted hard drives, where the encryption is handled at the hard drive level. This helps to resolve a previous conflict for anyone who wanted to use both encrypted hard drives and vPro to wake up and patch a system when a user wasn't present. Previously the systems had to be left unlocked overnight, or a user had to be physically present to unlock the hard drive. Now, the credentials can be passed to the system to unlock it remotely and allow the patching process to continue. This also enables some other remote out-of-band use cases, such as securely erasing the hard drive once the machine is no longer in use to ensure that sensitive data is removed.

The SDK contains both an example console that shows how the functionality could be integrated into an existing encryption solution, and an ISO file that can be remotely booted using the IDE-R functionality to unlock the systems. It also includes the source for both of these components, to make the integration task into an existing solution easier. If the existing encryption solution already has a pre-boot authentication environment, the key component of the ISO (the ATAoverLAN bridge) can be integrated into the pre-boot authentication environment. Integration into a pre-boot authentication environment is actually a better performing solution, since the ISO image does not need to be loaded over the network before the hard drive can be unlocked.

One of the things that is interesting about this project is that since it's software-based, it can work with the existing vPro platforms that were released last year. This functionality is supported on full vPro systems (not Standard Manageability systems) in the current generation of AMT 4 and AMT 5 systems, as well as the next vPro generation that releases next year.

Even if someone doesn't have an existing encryption solution to integrate this functionality into, the SDK still might be of interest. I mentioned the ISO previously: it's a Linux-based ISO image that's used through IDE-R. In addition to the ISO image itself, the source for that ISO file is provided. This ISO is very compact (it's approximately 2.5 MB), and could potentially be used for other out-of-band functionality.

Note that this conversation is still pretty high level and I've papered over some details that would be involved. If anything I've talked about sounds interesting, I'd recommend downloading the Remote Encryption Management SDK here: and looking at the more detailed content.

There's also a demo video of the functionality being used here:


