Full disk encryption uses disk encryption technology, implemented in hardware or software, to encrypt data stored on a nonvolatile storage device such as a hard disk drive. Encrypting the data renders it unreadable to anyone who gains unauthorized access to the disk but does not hold the decryption key. Full disk encryption entails encrypting all data on the disk or partition, including the operating system code; only the code that must execute before the volume can be unlocked (e.g., the platform firmware and the early boot loader) necessarily remains in the clear.
A challenge arises when a system that boots from an encrypted disk receives an update to its boot code. A secure (measured) boot process validates that the software executed up to the point of decrypting the disk and running the software stored on it, together with the configuration it runs with, is unchanged, by comparing hashes of that code and configuration against values recorded earlier. The specifications of the Trusted Computing Group, and more particularly a Trusted Platform Module (TPM) in the computer system, provide a hardware mechanism for accumulating and protecting these hash values during the boot process: each boot stage measures (hashes) the next stage before transferring control to it and extends that measurement into a TPM platform configuration register (PCR), and the disk decryption key is sealed so that the TPM releases it only when the PCRs hold the expected values. Once the boot code (e.g., the BIOS or UEFI firmware) is updated, its measurement, and therefore the resulting PCR values, differ from those the key was sealed to; the TPM refuses to unseal the key, and the boot process cannot complete without a recovery key or other out-of-band credential. While this behavior thwarts a malicious user's tampering with the boot code to gain access to the encrypted data, it equally blocks authorized updates to the boot code that may be needed to fix software bugs and the like, because the measurement mechanism by itself cannot distinguish an authorized change from a malicious one.
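The measure, extend and seal chain described above, as an added example that is not part of the original text: a Python simulation of TPM-style PCR extension and of sealing a volume key to the expected PCR value. The firmware images, boot loader, configuration, volume key and the seal/unseal routine are all constructed stand-ins. A real TPM enforces the PCR policy with a key that never leaves the chip; here the policy is imitated by deriving a wrapping key from the expected PCR digest, which is enough to show why an updated or tampered boot image makes the key unavailable. The reseal_for_update routine is a hypothetical administrator procedure, included to show what an authorized update has to do that a tampering attacker cannot.

```python
import hashlib
import hmac

# Constructed sample boot artifacts (stand-ins for real binaries on the disk and in flash).
FIRMWARE_V1 = b"BIOS image v1.0"
FIRMWARE_V2 = b"BIOS image v1.1 (bug fix)"
BOOTLOADER = b"bootloader image"
BOOT_CONFIG = b"boot config: root=/dev/sda2 quiet"
DISK_KEY = bytes(range(32))  # constructed 256-bit volume key, must be 32 bytes for the toy wrap


def pcr_extend(pcr, measurement):
    """TPM-style extend: PCR_new = H(PCR_old || H(measurement)). Order-dependent and one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(stages):
    """Simulate the boot chain: each stage is measured into the PCR before it runs."""
    pcr = bytes(32)  # PCRs start at all zeros at reset
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


def _wrap_key_for(pcr):
    # Toy stand-in for a TPM PCR policy: the wrapping key exists only for this exact PCR value.
    return hashlib.sha256(b"seal-policy|" + pcr).digest()


def seal(secret, expected_pcr):
    """Bind a 32-byte secret to an expected PCR value (toy: XOR wrap plus an HMAC tag)."""
    wrap = _wrap_key_for(expected_pcr)
    ciphertext = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(wrap, ciphertext, "sha256").digest()
    return ciphertext + tag


def unseal(blob, current_pcr):
    """Return the secret if the current PCR matches the sealed policy, else None."""
    ciphertext, tag = blob[:32], blob[32:]
    wrap = _wrap_key_for(current_pcr)
    if not hmac.compare_digest(hmac.new(wrap, ciphertext, "sha256").digest(), tag):
        return None  # measurements differ: TPM would refuse to release the key
    return bytes(a ^ b for a, b in zip(ciphertext, wrap))


def boot_and_unseal(blob, firmware):
    """Boot with the given firmware image and try to obtain the volume key."""
    return unseal(blob, measure_boot([firmware, BOOTLOADER, BOOT_CONFIG]))


def reseal_for_update(blob, current_firmware, new_firmware):
    """Hypothetical authorized-update step: release the key under the current measurements,
    then reseal it to the measurements the new firmware will produce."""
    key = boot_and_unseal(blob, current_firmware)
    if key is None:
        raise RuntimeError("cannot release key: current boot chain does not match seal policy")
    predicted_pcr = measure_boot([new_firmware, BOOTLOADER, BOOT_CONFIG])
    return seal(key, predicted_pcr)


if __name__ == "__main__":
    blob = seal(DISK_KEY, measure_boot([FIRMWARE_V1, BOOTLOADER, BOOT_CONFIG]))
    print("boot v1, sealed to v1:", boot_and_unseal(blob, FIRMWARE_V1) == DISK_KEY)
    print("boot v2, sealed to v1:", boot_and_unseal(blob, FIRMWARE_V2))
    print("tampered v1, sealed to v1:", boot_and_unseal(blob, FIRMWARE_V1 + b"\x00"))
    blob_v2 = reseal_for_update(blob, FIRMWARE_V1, FIRMWARE_V2)
    print("boot v2 after reseal:", boot_and_unseal(blob_v2, FIRMWARE_V2) == DISK_KEY)
```

Run as a script, the update to FIRMWARE_V2 and a one-byte tamper of FIRMWARE_V1 both yield None: the seal policy sees only that the digest changed, not why. Only the reseal path, which requires possession of the key (or a recovery credential) before the update, restores normal boot.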