
WinMagic Q & A

SecureDoc Control Center

What is SecureDoc Disk Encryption?

SecureDoc Disk Encryption is WinMagic's software tool that provides full disk encryption to your entire hard drives or removable media.

How do I know if SecureDoc is installed?

SecureDoc provides an icon in your task manager bar. On the bottom right of your screen, you should see a box with a green key inside. If the icon is completely red, nothing has been encrypted on your computer. If the icon is half yellow and half red, the disk is not completely encrypted. If the icon is completely yellow, the whole hard disk has been encrypted.

Why do I need to create key files before encrypting the disks?

Before you can start using the SecureDoc Control Center, you must create an Administrative key file to log in. You will create your Admin key file in one of two places: SecureDoc Enterprise Server or Key Management.

Do all SecureDoc users have the same privileges?

No. You can decide what privileges a user can have. This also applies to an Administrator.

What is the relationship between Boot Control and Boot Logon?

Boot Control is located in the SecureDoc Control Center and is used by the Administrator to configure Boot Logon. Boot Logon is the login screen that displays when your computer is started. From Boot Control, you can install and uninstall Boot Logon, change Boot Logon text/color, and configure which users can log into this computer. Remember, if your disk is encrypted, the key file logging in through Boot Logon will need to have the Key used to encrypt the disk.

Can I control how many unsuccessful login attempts there are allowed on my computer?

Yes. You can configure a computer to not start after the maximum number of unsuccessful login attempts has been met. After this, only an Administrative key file can unlock the computer.

Will I know if someone has tried to log into my computer while I was away?

Yes. Every time there is an unsuccessful login attempt, SecureDoc logs it. The next time you successfully log into your computer, a message will be displayed showing the number of unsuccessful login attempts.

How long will it take to encrypt my disk?

There are several factors to keep in mind: 1) size of disk and 2) processor speed. The average time to encrypt a 30 GB hard drive on a 1.8 GHz Pentium 4 processor is roughly 1 hour. This will of course vary depending on the computer.

Which encryption algorithms are supported by SecureDoc?

SecureDoc Disk Encryption supports the following encryption algorithms: AES (256-bit), 3DES (168-bit), DES (56-bit).

Once SecureDoc has encrypted my computer, can I share and restrict access to other users?


Yes. SecureDoc provides several ways to accommodate this.

Can I work on my computer while the encryption is in process?

Yes.

If a power failure occurs during my encryption process will my data be accessible?

Yes. When your computer restarts, SecureDoc will continue the encryption process where it left off.

SecureDoc Enterprise Server (Formerly Central Database)


What is the SecureDoc Enterprise Server?

SecureDoc Enterprise Server is an Administrative tool used to store the key file information of SecureDoc users. This information is securely kept in a centralized database. Larger Enterprises will benefit from the list of features available. A few include: Remote Installation, Password Recovery, Multiple generation of key files, etc.

What is the difference between SecureDoc Enterprise Server and Key Management?

SecureDoc Enterprise Server provides Network Administrators the comfort and convenience of administering large user bases. Key Management is used to support a lower number of users. If you are Administering SecureDoc Users with SecureDoc Enterprise Server, you should not use Key Management.

What happens if a user forgets their password?

SecureDoc Enterprise Server provides a Password Recovery tool. The Administrator will create a response password based on the Challenge password of the user's key file. The response password will be used to log into the user's computer. This is a one-time response password.

Our Enterprise consists of over 5000 users. Do I have to create 5000 user profiles individually?

No. SecureDoc Enterprise Server allows you to create multiple user profiles at one time.

Do I have to go around to each user's computer to encrypt their disk?

No. SecureDoc Enterprise Server offers a tool called remote installation that creates the files needed to install SecureDoc and encrypt the users' disks. Before you can create the remote installation files, you must create the user key file information. You will need a software distribution product such as Microsoft SMS, Tivoli or Novell Zenworks to push the files onto the users' computers. Once completed, it is as simple as double-clicking an .exe file.

What are key files?

Only authorized personnel can access information protected with SecureDoc. The process of validating a user's authorization is called authentication. SecureDoc needs two pieces of information to authenticate you and to get the right Keys to access disk data: your key file password and the Key used to encrypt your disk. A key file contains the Keys assigned to the user, the user's privileges and more information. This file is encrypted by a Key, which can be derived from a password or hardware token. The key file can be stored on a floppy or hard disk.

What is the difference between a password based key file and token based?

A password based key file is protected only by a strong password. A token based key file is protected by a token.

Can I use Certificates already on my token to protect my key file?

Yes. SecureDoc should be able to work with existing Certificates already being used throughout your enterprise provided the tokens are supported.

What is the best way to administer SecureDoc key files?

You will administer SecureDoc based on your own company operations. This will of course differ from company to company. Most of the time you will simply have one SecureDoc Enterprise Server database that contains all your SecureDoc users. An example where you may need to use a different approach:
A larger enterprise may have separate groups (Sales, Accounting, etc.) that are administered by separate Administrators. Each Administrator may wish to keep their group's data confidential from the others. In a case such as this, a Centralized Database will have to be created for each group so that only the authorized Administrator can access the key file information.


Key Management

What is Key Management?

Key Management is an application used to create SecureDoc user key files. If your organization is using the SecureDoc Central Database, you will not need to use Key Management.

I have SecureDoc, is Key Management installed too?

Yes. Key Management is installed alongside SecureDoc Control Center.

How do I log into Key Management the first time?

Before you can log into Key Management, you have to create a key file. After opening Key Management, click the "Create key file" button on the main screen.

Do all User key files share the same privileges?

No. You can set the privileges for a key file accordingly. This also applies to an Administrative key file.

Can I use Certificates already on my token to protect my key file?

Yes. SecureDoc will work with any existing Certificates already being used throughout your enterprise.

Can I set up a user key file with an expiry date?

Yes. You can set up an expiry date for any user key file. There is also an option to provide the user with warning messages. Once the key file is expired, it can no longer be used.

I have created a new encryption key for my key file, but I can't see it in the SecureDoc Control Center Disk Encryption tab.

The reason could be that you have not updated your key file in Boot Control. Each time you modify the key file, you must update it in the Boot Control tab. Follow these steps to update a key file:
  1. Open SecureDoc Control Center.
  2. Click the Boot Control tab.
  3. Find the key file in the list, and click it once.
  4. Click Add/Update key file.
  5. Browse to find the key file and double-click it.


Token Hardware

How are tokens and readers implemented with SecureDoc? What are they, and does my stand-alone PC need them?

Tokens are hardware devices such as smart cards or USB cryptographic tokens, usually with computing capability used to decrypt and sign in private key operations. Hardware tokens generally offer a higher level of security than passwords because they limit the number of login attempts, so attackers cannot mount, for example, a password dictionary attack against them.

Tokens are not needed to run SecureDoc disk encryption. A strong password is secure when used in SecureDoc. However, in large enterprises using products such as PKI, eCommerce, and network logon applications, hardware tokens may already exist. SecureDoc can work with these tokens to cut down the number of passwords a user needs to remember.

What token readers are supported by SecureDoc?

Currently SecureDoc supports the following readers:
  • O2 Micro:
    • O2Micro - pcmcia
  • ActivCard: 
    • ACTR-01 - serial
    • ActivCard USB v2 
  • Axalto:
    • Reflex v2 - USB
    • Reflex 20 - pcmcia
  • Datakey:
    • 10SR - serial
    • DKR 600 - pcmcia
    • DKR 630 - USB
    • DKR 711 - serial
    • DKR 730 - USB
  • Gemplus:
    • GPR 400 - pcmcia
    • GEM PC430 - USB
    • GemPC Twin - USB
  • Infineer:
    • DT 3000 - serial
    • DT 3500 - pcmcia
    • DT 4000 - pcmcia
  • Kobil:
    • Kobil KAAN ADV - USB
    • Kobil KAAN Base - USB
  • OMNIKEY:
    • CardMan 2011 - serial
    • CardMan 2020 - USB
    • CardMan 3121 - USB
    • CardMan 4000 - pcmcia
    • CardMan 4040 - pcmcia
  • SCM:
    • SCR 201 - pcmcia
    • SCR 241 - pcmcia
    • SCR 243 - pcmcia
    • SCR 331 DI - USB
    • SCR 3310 - USB
    • SCR 331 USB
  • Thales:
    • Thales - pcmcia

What tokens are supported by SecureDoc?

Currently SecureDoc supports the following tokens:
  • ActivCard and ActivKey: (not all modes are supported)
    • Cryptoflex 16k
    • ActivCard with new client SP software
    • ActivKey token
    • Cyberflex Access 32k
    • Cyberflex Access 64k
  • Aladdin USB eToken:
    • Aladdin Pro
    • Aladdin Pro 32
    • Aladdin R2 - (not all modes are supported)
    • Aladdin eToken 64k
  • Axalto:
    • Axalto smart card
    • Axalto GSC-IS v 2.1 smart card
  • CRYPTOCard:
    • 32K JAVA
  • Datakey:
    • 330
    • 320
    • GSA-1 PKI card issued by the US Department of State High Assurance Certificate Authority
  • Department of Defense (CAC version):
    • CAC - Common Access Card
  • Eutron:
    • CryptoIdentity 5 USB Token
  • GemPlus:
    • GemPlus GemSafe GemXpresso smart card
  • Giesecke & Devrient:
    • Starcos S 2.3
    • StarKey 100
  • JUJO:
    • JUJO hard key
  • Kobil Systems:
    • mIDentity
    • KAAN SIM III
  • NTT Communications:
    • eLWISE Security Keeper
  • Precise Biometrics:
    • 250MC (Biometrics)
  • Rainbow:
    • IKey 1000 (not all modes supported)
    • IKey 2000
    • IKey 2032
    • IKey 3000
  • RSA:
    • RSA SecurID 800 Token
    • RSA Smart Card 5200
  • Schlumberger:
    • CyberFlex (not all modes are supported)
    • Cryptoflex
    • eGate
  • Siemens:
    • CardOS M4.01a
    • CardOS 4.3B
  • Sony:
    • Sony Puppy FIU-810 (Biometrics)
  • Spyrus:
    • Rosetta Smart Card (not all modes are supported)
    • Rosetta USB Token
    • 970-G (as of 4.1sr3)
    • 370-G (as of 4.1sr3)
  • Thales:
    • Thales TVPN Cards

Note: New products or variations of the tokens listed above may not be supported. Please contact Sales at sales@winmagic.com for more information.

Are the listed tokens and readers supported at boot time?

Yes.

Our tokens and readers are not in list, can you provide a solution?

As the need for supported tokens and readers grows, WinMagic is constantly increasing its support for new vendors. WinMagic will need to work with the token vendor to use a (usually proprietary) low-level protocol to interface with the token at pre-boot time. Some integration cost will apply.

I have inserted my Token and when I create a key file, SecureDoc doesn't detect that the Token is present.

Before you can start creating Token based key files, you must make sure to install the proper drivers for the reader. Note: Check to make sure SecureDoc supports your reader and Token.

My computer has the SecureDoc Screen Saver enabled with a smart card based key file. After a system standby, when I have to log on to Windows with my SecureDoc password, I receive the error "No Private key on token".

Your token software might not know there was a system standby, thus the card is no longer logged in. To work around this, just remove the token (after the power has been ON) and insert it again before entering the password.


Microsoft Encrypting File System (EFS)

Why don't I just use Microsoft Encrypting File System (EFS) to protect my sensitive data? EFS is included in Windows (professional versions) with no charge.


Microsoft Encrypting File System (EFS) uses file encryption to protect individual files within your NTFS file system. File Encryption is used primarily to send files over email and across the Internet. A user encrypts files he/she needs to encrypt to protect them from being examined by unauthorized users.

However, file encryption is slow, especially when it involves a large amount of data to process, as is the case with spreadsheets or databases. Manual file encryption has serious limitations as a viable data security method for most organizations since it encrypts only the original file; temporary and paging files are not secured, and remain in plain text.

Therefore, EFS may be acceptable for sending a file from computer to computer as e-mail or attachments, but it cannot protect storage data efficiently or completely.

Any user of encrypted files should recognize potential weaknesses and avenues of attack. Just as it's not enough to lock the front door of a house without considering back doors and windows as avenues for a burglar, encrypting files alone isn't enough to ensure confidentiality.
  • Seek out and manage areas where plain text copies of the encrypted files or parts of the encrypted files may exist. If attackers have possession of, or access to, the computer on which encrypted files reside, they may be able to recover sensitive data from these areas, including the following:
    • Data shreds (remnants) that exist after encrypting a previously unencrypted file (see the "Special Operations" section of this paper for information about using cipher.exe to remove them)
    • The paging file (see "Increasing Security for Open Encrypted Files," an article in the Windows XP Professional Resource Kit, for instructions and additional information about how to clear the paging file on shutdown)
    • Hibernation files (see "Increasing Security for Open Encrypted Files")
    • Temporary files (to determine where applications store temporary files and encrypt these folders as well, to resolve this issue)
    • Printer spool files (see the "Special Operations" section)

Increasing Security for Open Encrypted Files

File data is decrypted before it is sent to an application. This means that the FEK (file encryption key) is also decrypted. Although the FEK is not exposed, file data might be.

Since the EFS File System Run-Time Library (FSRTL) is located in the Windows operating system kernel, and uses the non-paged pool to store the FEK, FEKs cannot be leaked to paging files. However, because the contents of paging files are not encrypted, the plaintext contents of encrypted files might temporarily be copied to paging files when open for application use. If the plain text contents of encrypted files are copied to a paging file, the plain text remains in the paging file until the contents are replaced by new data. Plain text contents can remain in paging files for a considerable amount of time, even after applications close the encrypted files.

A paging file is a system file, so it cannot be encrypted. (By default, the name of the paging file is Pagefile.sys.) File system security for paging files prevents any user from gaining access to, and reading paging files; in addition the security settings cannot be changed. However, someone other than the authorized user might start the computer under a different operating system to read a paging file.

To prevent others from reading the contents of paging files that might contain plain text of encrypted files, you should complete the following tasks:
  • Disable hibernation mode on your computer.
  • Configure security settings to clear the paging files every time the computer shuts down.

Disabling Hibernation Mode

When a computer hibernates, the contents of system memory and any open files are written to a storage file on the hard drive, and the system is powered off. This saves energy and allows the computer to be restarted with the same applications and files that were open when the system hibernated. However, hibernation can be a security risk because files are decrypted for use in applications. If an encrypted file is opened and then the system is hibernated, the contents of the open encrypted file will be stored in the hibernation storage file as plain text. An attacker could potentially access the storage file used during hibernation. For this reason, EFS users might want to disable hibernation so that encrypted files are not placed at risk. If you choose to use hibernation mode, be sure to close any open encrypted files before letting the system hibernate.

To disable hibernation
  1. In Control Panel, double-click Performance and Maintenance, and then click Power Options.
  2. On the Hibernate tab, clear the Enable hibernate check box.
  3. Click Apply.

Clearing the Paging File at Shutdown

When a file is encrypted or decrypted, plaintext data can be paged. This can be a security problem if an attacker boots the system by using another operating system and opens the paging file. The paging file can be cleared at shutdown by means of Group Policy.

To clear the paging file at shutdown
  1. In the Group Policy snap-in, select a Group Policy object to edit.
  2. Expand Computer Configuration and Windows Settings, Security Settings, Local Policies, and then expand Security Options.
  3. Double-click Shutdown: Clear virtual memory pagefile.
  4. Click Enabled, and then click OK.
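
The two settings above can be audited from PowerShell. This is an added example, not part of the original FAQ or of the quoted Microsoft text; it assumes the standard registry values behind the Group Policy setting (ClearPageFileAtShutdown) and the power configuration (HibernateEnabled), and it only reads state.

```powershell
# Added example: read-only audit of the two mitigations described above.
# Run from an elevated prompt so the root of the system drive can be listed.

$memMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$power   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# "Shutdown: Clear virtual memory pagefile" is stored as ClearPageFileAtShutdown (1 = enabled).
$clearAtShutdown = Get-RegValue $memMgmt 'ClearPageFileAtShutdown'

# HibernateEnabled = 0 means hibernation is switched off.
$hibernateEnabled = Get-RegValue $power 'HibernateEnabled'

# A hiberfil.sys left in the root of the system drive can still hold an old memory image.
# -Force is required because the file is hidden and marked as a system file.
$hiberFile = Get-ChildItem -LiteralPath "$env:SystemDrive\" -Force -File `
    -Filter 'hiberfil.sys' -ErrorAction SilentlyContinue

$results = @(
    [pscustomobject]@{
        Check = 'Paging file cleared at shutdown'
        Value = $clearAtShutdown
        Pass  = ($clearAtShutdown -eq 1)
    }
    [pscustomobject]@{
        Check = 'Hibernation disabled'
        Value = $hibernateEnabled
        Pass  = ($hibernateEnabled -eq 0)
    }
    [pscustomobject]@{
        Check = 'No hibernation file on system drive'
        Value = if ($hiberFile) { '{0:N0} MB' -f ($hiberFile.Length / 1MB) } else { 'absent' }
        Pass  = -not $hiberFile
    }
)
$results | Format-Table -AutoSize

# Paging files currently in use; their size (in MB) determines how long clearing takes at shutdown.
Get-CimInstance -ClassName Win32_PageFileUsage |
    Select-Object Name, AllocatedBaseSize, CurrentUsage, PeakUsage |
    Format-Table -AutoSize

if ($results.Pass -contains $false) {
    Write-Warning 'Plain text from open encrypted files may persist in paging or hibernation files on this machine.'
}
```

To remediate a failed check, apply the Group Policy setting described above and run `powercfg /hibernate off` from an elevated prompt, which also deletes hiberfil.sys.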

Without discussing other characteristics of EFS such as transparency, key recovery, etc., we will focus on only one topic: SECURITY.

As discussed in the article, sensitive data can still exist in clear text in several places on disk, most notably the Paging files and temporary files.
  1. While paging files can be "cleared on shutdown", the time to erase the paging files will take its toll on a user's patience and productivity. Paging files are normally set to be a bit larger than the available memory (RAM), e.g. 256 MB, or even 1000 MB on above average machines.
  2. If the computer has not been shut down, e.g. it is on standby, or it was powered off without a proper shutdown, then the paging files are still on the disk.
  3. Modern recovery techniques can recover data on magnetic media even after it has been overwritten. For highly sensitive data, overwriting the sectors a few times is not enough. In addition, even if the paging files are cleared, clear text data can still be recovered. (See our White Paper for detailed information).
  4. The recommendation ("to determine where applications store temporary files and encrypt these folders as well to resolve this issue") is most likely an impossible task for most users, enterprises or governments.

SecureDoc's first and foremost job is to protect disk data. If a product does not protect disk data properly, then it should not be used for that purpose - unless you consider it "good enough".

If your attacker does not know how to use a disk editor - or cannot hire someone to do it - then EFS is probably "good enough". If, however, your attacker knows how to use a disk editor, or even possesses a forensic facility to scan your disk, they would probably find some sensitive data.