TrustedDisk managed Administrator manual

Author: Leslie Tate

Copyright Notice © Sirrix AG security technologies. All rights reserved. This document is for informational purposes only. SIRRIX MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Sirrix AG. SIRRIX may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from SIRRIX, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

TURAYA™, TrustedDisk, TrustedVPN, TrustedDesktop, TrustedWorkstation Agent and TrustedChannel are registered trademarks or trademarks of Sirrix AG in Germany and/or other countries.

Version 2.3.6 V1


TrustedDisk unmanaged Administrator manual

Content

1 Introduction
2 Basics
  2.1 Scope of delivery
  2.2 Support
  2.3 Please note
  2.4 Requirements for the use of TrustedDisk
3 Installation
  3.1 Setting up the TrustedObjects Manager
  3.2 Importing the active directory user certificates
  3.3 Installing the Crypto provider
  3.4 TrustedWorkstation Agent
  3.5 TrustedIdentity Manager
    3.5.1 Security Administrator token
    3.5.2 User Token
  3.6 CryptoHelper
  3.7 TrustedDisk GUI
  3.8 The Full Disk Encryption
  3.9 Enable automatic full disk encryption
4 The TrustedDisk GUI
  4.1 User
  4.2 Owner
    4.2.1 Encrypt partition
    4.2.2 User & Owner Management
    4.2.3 Re-keying of partitions
  4.3 Certificate management
5 Replacing certificates
  5.1 Updating certificates
    5.1.1 Replacing the CA Certificate
    5.1.2 Replacing the Security Administrator certificate
    5.1.3 Exchanging the Security Administrator
    5.1.4 Replacing user certificates
6 Creating a boot partition and moving the boot loader
7 Hardware list


1 Introduction

Secure your data from theft! TrustedDisk can help you!

Today's hard disks have huge storage capacities that make it possible to store a large amount of sensitive data locally. This creates a high security risk, because mobile devices such as laptops and external storage devices such as USB sticks or portable hard drives get stolen or lost. To prevent sensitive data on stolen or lost laptops and mobile storage devices from falling into the wrong hands, it must be encrypted with a safe and efficient method. The most comprehensive and therefore safest method is full-disk encryption.

Full-Disk Encryption with TrustedDisk

The TrustedDisk Full-Disk Encryption (FDE) encrypts the entire operating system, including swap and hibernation files, and personal data. TrustedDisk works with a transparent encryption method in real time. The clients can be used without restriction during the encryption process. When a user starts the computer, he is asked for his identity before the boot phase (pre-boot authentication). He must authenticate with his hardware token and a PIN. If a user cannot authenticate, the system will not boot and there is no way to access the encrypted data.

Device-Encryption

The same principle also works for mobile encrypted media (USB drives, external hard drives). These in particular have a higher risk of getting lost, and mobile storage devices usually contain sensitive information as well. For this reason, it is essential to protect this data and to ensure that users are able to share it only with authorized people. With TrustedDisk, the secure deployment of encrypted external devices is simple and no longer a problem, even in mixed environments!

Strong Security

TrustedDisk was developed based on current BSI (Federal Office for Information Security) standards. This includes modern random number generation and flexible re-keying according to time and/or amount of data for continuous maintenance of the high level of security. The multi-factor authentication method using hardware tokens ensures a high level of security among standard products for hard disk encryption, combined with high usability.

Available as stand-alone or enterprise version

TrustedDisk can be installed and used easily and quickly in Windows 7 environments. In both versions, authentication with a hardware token is required, and different user privileges can easily be configured and changed. The multi-user capability also enables multiple users to access encrypted storage devices simultaneously. It is also possible to define a network-wide "emergency" administrator, who is able to decrypt encrypted data in an emergency.

Central Management with TrustedObjects Manager

The TrustedDisk Enterprise version also provides centralized management for user groups and roles. With the help of the central management, updates can be installed easily in the company network. The central recovery function allows a user who has lost his PIN to reset the PIN remotely.


2 Basics

2.1 Scope of delivery

TrustedDisk consists of the following installation packages:

- TrustedWorkstation Agent (only in managed version): The "TrustedWorkstation Agent" establishes a secure connection between the user's system (workstation) and the TrustedObjects Manager.
- CryptoHelper: The component "CryptoHelper" contains the necessary drivers and program files for the operation of TrustedDisk. This component has to be installed separately for licensing reasons.
- TrustedDisk: The software for full-disk encryption and the encryption of removable storage.
- CardOS API (if not already installed): Middleware for the communication of TrustedDisk with the smartcard.

2.2 Support

If you have further questions about our product or need assistance, please contact us at [email protected]

2.3 Please note

- From TrustedDisk 2.0 the application is PKCS #11 compatible.
- Erasing a token will delete all keys, certificates and the PIN. The PUK is set to 00000000.

2.4 Requirements for the use of TrustedDisk

To use TrustedDisk, the following hardware and software requirements must be fulfilled:

- BIOS: legacy boot mode, not UEFI mode
- BIOS: SATA AHCI (or compatible mode)
- HDD: MBR formatted, not GPT
- Windows 7 / 8 / 8.1
- Windows installation on two partitions (boot partition + system partition)
- Original Microsoft MBR (not an OEM MBR)
- Supported smartcard and smartcard reader

The default configuration is compatible with a wide range of hardware. Nevertheless, a modification of the BIOS settings and/or kernel parameters may be necessary for specific hardware. The appendix "Hardware list" shows systems that need adjustments to be TrustedDisk compatible.


Independently of TrustedDisk, Windows and Linux must support your smartcard reader. Without a driver, you cannot use it with TrustedDisk.

Another requirement is a standard installation of Windows 7: the boot loader has to be installed on partition 1 (NTFS) and the operating system on partition 2 (NTFS). Whether Windows 7 is installed in this way can be checked under Start > Computer > Manage > Disk Manager.

In addition, the hard drive has to be formatted using "Master Boot Record" (MBR). Whether a disk is MBR or GPT formatted can be checked under Start > Computer > Manage > Disk Manager > Properties of the disk.

Please note that a disk is formatted using GPT when you start the Windows 7 64-bit / 8 installation in UEFI boot mode. In all other cases, the hard disk is formatted using MBR. You can select UEFI or normal boot mode during POST. The boot menu contains two entries for the appropriate drive: the entry with the prefix UEFI starts the UEFI boot, the second entry without a prefix starts the legacy boot mode. The respective boot mode uses the appropriate installer on the installation DVD.

Creating a separate boot partition afterwards is described in the appendix of this manual.


3 Installation

Please note that the terms token and smartcard are used interchangeably in this manual. A token represents a security key with an integrated smartcard.

Disable fast user switching (using group policy or the registry). Otherwise users, regardless of their rights, have complete access to mounted external TrustedDisk volumes of other users.
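A read-only pre-installation check for the requirements in section 2.4 and the fast user switching note above, as an added example that is not part of the original manual or of Sirrix tooling. It assumes an elevated PowerShell 2.0 or later prompt; the function name Test-TrustedDiskPrereq is hypothetical, HideFastUserSwitching is the standard Windows policy value, and SATA mode, the MBR boot code and smartcard reader support are not checked.

```powershell
# Added example (not Sirrix code): read-only check of the section 2.4 requirements
# and of the fast user switching setting. PowerShell 2.0 compatible (Windows 7).
# Test-TrustedDiskPrereq is a hypothetical name. Run elevated (bcdedit needs admin).
function Test-TrustedDiskPrereq {
    $findings = @()

    # Windows 7 / 8 / 8.1 report the versions 6.1, 6.2 and 6.3.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if ($os.Version -notmatch '^6\.[123]\.') {
        $findings += "Unsupported Windows version: $($os.Caption) ($($os.Version))"
    }

    # A legacy BIOS boot loads winload.exe, a UEFI boot loads winload.efi.
    $bcd = (& bcdedit.exe /enum '{current}' 2>&1 | Out-String)
    if ($LASTEXITCODE -ne 0) {
        $findings += 'bcdedit failed (not elevated?); boot mode not verified'
    } elseif ($bcd -match 'winload\.efi') {
        $findings += 'System was booted in UEFI mode; legacy boot mode is required'
    }

    # Partition that holds the Windows installation, and all partitions on the same disk.
    $query = "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$($env:SystemDrive)'} " +
             "WHERE AssocClass=Win32_LogicalDiskToPartition"
    $sysPart = @(Get-WmiObject -Query $query)[0]
    if (-not $sysPart) {
        $findings += "No partition found for $($env:SystemDrive)"
    } else {
        $parts = @(Get-WmiObject -Class Win32_DiskPartition -Filter "DiskIndex=$($sysPart.DiskIndex)")

        # Win32_DiskPartition.Type starts with "GPT" for partitions on a GPT disk.
        if (@($parts | Where-Object { $_.Type -like 'GPT*' }).Count -gt 0) {
            $findings += "Disk $($sysPart.DiskIndex) is GPT formatted; MBR is required"
        }

        # Two-partition layout: BootPartition is set on the active partition,
        # which must not be the partition that contains Windows.
        $active = @($parts | Where-Object { $_.BootPartition })
        if ($active.Count -eq 0) {
            $findings += 'No active boot partition found on the system disk'
        } elseif ($active[0].DeviceID -eq $sysPart.DeviceID) {
            $findings += 'Boot loader and Windows share one partition; a separate boot partition is required'
        }
    }

    # Fast user switching must be disabled (policy value HideFastUserSwitching = 1).
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $polKey -Name HideFastUserSwitching -ErrorAction SilentlyContinue
    if (-not $pol -or $pol.HideFastUserSwitching -ne 1) {
        $findings += 'Fast user switching is not disabled (HideFastUserSwitching is not 1)'
    }

    return ,$findings
}

$result = Test-TrustedDiskPrereq
if ($result.Count -eq 0) { 'All checked prerequisites are met.' } else { $result }
```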

3.1 Setting up the TrustedObjects Manager

First, some basic settings (passwords, LDAP connectivity, backup, etc.) should be configured on the TrustedObjects Manager. Please refer to the TrustedObjects Manager administrator's guide. After configuration of the general settings, the following TrustedDisk-specific settings have to be made.

- Switch on the automatic activation of workstations under Company > Properties > Workstation ("new workstations are automatically accepted") and set the corresponding workstation parameters using the Configure button. After installation of all systems, the automatic activation of workstations should be deactivated. If you do not want to use automatic activation, each workstation must be accepted manually after installing the TrustedWorkstation Agent!

- Download the WorkstationConfigurationInstaller.ba file under Company > Properties > Workstations.

3.2 Importing the active directory user certificates

It is possible to import existing user certificates from Active Directory into the TrustedObjects Manager. This option can be activated in the LDAP configuration under Company > Properties > LDAP. Run the wizard again with the option "Edit current configuration" and activate the "import user certificates" option in step 4. The TrustedObjects Manager automatically imports all certificates that are in the field "user certificates" in Active Directory.

3.3 Installing the Crypto provider

Prior to the installation of TrustedDisk, a PKCS #11 crypto provider has to be installed. For this purpose, TrustedDisk ships with the CardOS API. Please install the appropriate package for your platform: CardOS_API_Setup.exe (32-bit) or CardOS_API_Setup_x64.exe (64-bit).


3.4 TrustedWorkstation Agent

Make sure to store the WorkstationInstallerConfiguration.ba file from the TrustedObjects Manager in the same directory as the TrustedWorkstationAgentSetup.msi. Run the TrustedWorkstationAgentSetup.msi. The installation and configuration takes only a few seconds and requires no manual interaction.

You can verify the successful installation and configuration at the TrustedObjects Manager (in the case of auto-accept workstations). The workstations are listed under Company > All workstations. Otherwise, the workstation must first be activated under "pending workstations" (see TrustedObjects Manager Administration Guide).

If a recovery of all TrustedDisk rights at a later reinstallation should be possible, back up the following values of the registry for any reinstallation of the system:

32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sirrix\Trusted Workstation Agent
64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sirrix\Trusted Workstation Agent

If you upgrade / reinstall the TrustedWorkstation Agent, do not delete any entry in the registry! The entries contain all keys to identify the workstation against the TrustedObjects Manager. If you delete the entries in the registry, the workstation creates new key material and a new identity, which occupies an additional license in the TrustedObjects Manager. The old identity no longer exists, but is not automatically freed from the TrustedObjects Manager. Once the license is exhausted by new identities, new workstations can no longer be activated!
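One way to take the registry backup described above, as an added example that is not part of the original manual or of Sirrix tooling. The function name Backup-TwaRegistryKey and the C:\TWA-Backup folder are assumptions; because the export contains the key material that identifies the workstation, the folder is restricted to Administrators and SYSTEM before the file is written.

```powershell
# Added example (not Sirrix code): back up the TrustedWorkstation Agent registry key
# into a folder that only Administrators and SYSTEM can read. Run elevated.
# Backup-TwaRegistryKey is a hypothetical name; C:\TWA-Backup is an assumed location,
# choose storage that survives the reinstallation of the system.
function Backup-TwaRegistryKey {
    param([string]$BackupDir = 'C:\TWA-Backup')

    # Key paths as given in the manual (64-bit location first, then 32-bit).
    $candidates = @(
        'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sirrix\Trusted Workstation Agent',
        'HKEY_LOCAL_MACHINE\SOFTWARE\Sirrix\Trusted Workstation Agent'
    )
    $key = $candidates |
        Where-Object { Test-Path -LiteralPath "Registry::$_" } |
        Select-Object -First 1
    if (-not $key) { throw 'TrustedWorkstation Agent registry key not found' }

    # Create the folder and lock it down BEFORE writing the export, so the file
    # never exists with inherited, broader permissions.
    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    # Well-known SIDs keep this working on localized Windows:
    # S-1-5-32-544 = Administrators, S-1-5-18 = SYSTEM.
    & icacls.exe $BackupDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    $name = 'TWA-{0}-{1:yyyyMMdd-HHmmss}.reg' -f $env:COMPUTERNAME, (Get-Date)
    $file = Join-Path $BackupDir $name
    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # An empty export would be useless at restore time.
    if ((Get-Item -LiteralPath $file).Length -eq 0) { throw "Export $file is empty" }
    return $file
}

# Restore on the reinstalled system (elevated) before activating the disk encryption:
#   reg.exe import <path to the exported .reg file>
Backup-TwaRegistryKey
```

Treat the exported file like the workstation's credentials: move it to protected storage and remove the local copy once it is no longer needed.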


3.5 TrustedIdentity Manager

If no existing external PKI is to be used, the TrustedIdentity Manager needs to be installed. This application manages the smartcards and is responsible for initialization, deletion, and modification of the PINs. Skip this section if an external PKI is used.

- Normal installation: Install the TrustedIdentity Manager by double-clicking TrustedIdentityManagerSetupCredentials.msi. The installation takes only a few seconds and requires no manual intervention. After successful installation, you will find a shortcut on the desktop.

- Installation in administrator mode [1]: Install the TrustedIdentity Manager using

  msiexec.exe /i TrustedIdentityManagerSetupCredentials.msi INSTALLLEVEL=10

3.5.1 Security Administrator token

Start the TrustedIdentity Manager you have just installed and click personalize token. Authenticate with username and password against the TrustedObjects Manager, then select a PIN of 6 - 16 characters and a name for the token. Follow the instructions of the wizard and do not interrupt the initialization process. After successful initialization, the wizard returns to the main menu. This token represents the security administrator. It will have full access to all encrypted systems, so please store this token in a particularly secure place.

3.5.2 User Token

If no external PKI is used, all required user tokens have to be personalized with the TrustedIdentity Manager.

3.6 CryptoHelper

The CryptoHelper provides libraries and file system drivers for transparent encryption. Run the TDCryptoHelper.xxx.exe and follow the instructions of the installer. If you install the application with the /a parameter and reboot your computer, a restart after the initialization of encryption may be delayed. With the parameter /quiet, the installation takes place without any user interaction.

[1] The administrator mode requires an additional function on the TrustedObjects Manager, which has to be licensed separately.


3.7 TrustedDisk GUI

To install TrustedDisk, the CA certificate and the certificate of the security administrator are required. If you use an external PKI, please contact the appropriate site to obtain the required certificates. If you use the internal TrustedDisk PKI, the certificates can be downloaded from the TrustedObjects Manager.

The CA certificate can be downloaded from Company > Properties > General > Download CA Certificate.

The certificate of the security administrator can be downloaded from Company > Locations > [Location Name] > Users > [User Name] > Properties > Identities > Download TrustedDisk Certificate.

Save the file as SecurityAdminCertificate.der in the same directory where the TrustedDiskSetup.msi is, and the CA certificate in a folder named CACerts.

Please note the correct spelling of the two files, otherwise an installation is not possible. With the provision of the certificates, all necessary requirements for the installation are met. Run the TrustedDiskSetup.msi and follow the instructions of the installer. The installation takes only a few moments. The installation of TrustedDisk is then complete.

3.8 The Full Disk Encryption

The system encryption (Full Disk Encryption, FDE) is best carried out by the end user himself and is described in the manual. In this way, the user automatically gets owner rights on the device. At the first start, a wizard guides you through the FDE activation and the subsequent encryption of the system. For the FDE activation, the user needs a token.

Please note that after installing TrustedDisk, unencrypted partitions on internal hard disks are hidden and therefore not accessible. Only contiguous partitions can be encrypted. It is not possible to encrypt two separate, non-contiguous partitions.

Figure 1: Volume selection for encrypting


If the system does not restart correctly, this is probably an ACPI problem. Restart the system with the SHIFT key pressed during POST. A boot menu is displayed in which you can use the arrow keys to change the items. Select the entry "ACPI - Mode". This setting is stored for all future boots.

3.9 Enable automatic full disk encryption

If the TrustedDisk rights of a workstation are to be restored, the previously saved TrustedWorkstationAgent registry key must be restored before activating the hard disk encryption. As administrator, the key can be imported using import example.reg.

Since Release 2.0 the full disk encryption can be activated automatically without a token. If the activation of the full disk encryption is executed without a token, no random data from the token is used for the generation of the key material. The FDE activation without a token is performed by the command line application fdeinit.exe.

    TrustedDisk FDE Initialization Tool
    --------------------------------------------------------------
    Generic options:
      -h [ --help ]            shows this help string
      -v [ --version ]         shows version information

    Configuration options:
      -u [ --usercerts ] arg   path to a directory containing user certificates
      -o [ --ownercerts ] arg  path to a directory containing owner certificates
      -n [ --notoken ]         ignore that no token is plugged in and therefore no
                               entropy from token is collected, (optional)
      -r [ --restore]          Restore previous system configuration. Connection to
                               the TrustedObjects Manager necessary
      -e [--encrypt]           encrypt hard disk volume after initialization.
                               TDCryptoHelperSetup has to be executed before this
                               with '/a' option and the system must be rebooted
                               after this at least once.

    Example:
      Fdeinit.exe -u x:\installation\TrustedDisk\usercerts -o x:\installation\TrustedDisk\ownercerts -n

The parameters -u and -o (or --usercerts and --ownercerts) are mandatory, the parameter -n (--notoken) is optional. The certificate files can be either DER-encoded (extension .der) or in PEM format (extension .crt).

If the -r parameter is used, all previous certificates and rights for activation of FDE are restored automatically. The subsequent setup of the user / owner rights in the TrustedDisk GUI is omitted in this case.

We recommend not using -n. It should only be used when no token is available. If encryption should be started immediately after initialization (-e), TDCryptoHelperSetup.exe has to be installed with the /a parameter.


4 The TrustedDisk GUI

To use TrustedDisk, a token is required, which needs to be created beforehand. During the personalization a PIN and a PUK must be set. The PIN protects the token from unauthorized use and should be known only to you. By using the PUK, an administrator is able to reset the PIN. If you lose your PIN, please contact your helpdesk or administrator.

TrustedDisk distinguishes between two user roles:

1. User: A user can enable and disable TrustedDisk volumes. Furthermore, a user is able to view the event log, to change the PIN, and to import certificates from other users or export and delete them locally.
2. Owner: The owner of a TrustedDisk volume has all the rights of the user. Additionally, an owner can change permissions, encrypt volumes, and delete volumes. When creating a TrustedDisk volume, the user automatically becomes the owner of this volume.

After starting TrustedDisk, the window in Figure 2 appears. The TrustedDisk interface is divided into three parts: User, Owner and Management.

Figure 2 Start screen of the TrustedDisk application

Basics

Overview of the TrustedDisk GUI buttons:

- Displays all information about the software and licenses.
- Displays the profile information, for example the encryption algorithms.
- Where this button is available, it returns to the start screen.
- Where available, it refreshes the GUI, for example after a USB stick is inserted.


4.1 User

As the owner of a TrustedDisk volume, you can grant access rights to other users or revoke them.

Figure 3 Functions for a volume-user

- Activate Device: Here you can select the encrypted devices to open and use them.
- Deactivate Device: Here you can include or eject a disabled device again.
- Eventlogger: Displays any changes made on TrustedDisk.

Figure 4 View of the Eventlogger


4.2 Owner

As the owner of a TrustedDisk volume, you can grant access rights to other users or revoke them.

Figure 5 Functions for volume owner

4.2.1 Encrypt partition

Here you can encrypt your own device, for example a USB device. To give someone else access rights for this device, you must switch to "User and Owner management". Only external USB / SATA disks are supported.

Back up all important data of the device you want to encrypt. During encryption all data will be erased.

Figure 6 Encrypt partition

4.2.2 User & Owner Management

Here you can grant access rights to other users if you are an owner of this device. To give another user rights to an encrypted device, the certificate of this user must already have been imported.

4.2.3 Re-keying of partitions

An encrypted partition can be re-keyed. A new encryption key is created and used for this action. During the re-keying process, the symmetric key with which the data on the hard disk is encrypted is replaced. For this, the data blocks of the hard disk are successively decrypted with the old key and then encrypted with the new key. The access rights of the users are not changed.


4.3 Certificate management

A certificate is assigned to each TrustedDisk user. To change the access rights of a user, the user must be known to TrustedDisk, i.e. the user's certificate must have been imported. TrustedDisk provides functions for importing, exporting, and deleting certificates from its database.

Figure 7 Functions of the Certificate management


- Import certificate: Imports a user certificate in order to grant rights to use an encrypted USB stick.
- Export certificate: Exports a user certificate.
- Delete certificate: Deletes a user certificate that has already been imported. This removes all access rights of the user from the encryption. The certificate of the security administrator and your own certificate cannot be deleted.


5 Replacing certificates

5.1 Updating certificates

The CA certificate and the user certificates from the TrustedDisk PKI - including the certificate of the security administrator - have a validity of 2 years (certificates at Identities) or 3 years (certificates at Smartcards) from the date of download via the TrustedObjects Manager. If you use an external PKI, the validity may differ.

5.1.1 Replacing the CA Certificate

To exchange the CA certificate, load the certificate from the TrustedObjects Manager at Company > Properties > General > Download CA and save the file to:

C:\Program Files (x86)\Sirrix AG\TrustedDisk\CACerts

5.1.2 Replacing the Security Administrator certificate

To replace the SecurityAdminCertificate, load the certificate from the TrustedObjects Manager at Company > Locations > [Location] > Users > SecurityAdmin > Properties > Identities > "Download TrustedDisk certificate". Subsequently overwrite the existing SecurityAdminCertificate.der at:

C:\Program Files (x86)\Sirrix AG\TrustedDisk\Certs

5.1.3 Exchanging the Security Administrator

If the previous security administrator has to be replaced by another administrator (change of public key), the following procedure must be performed:

1) Start TrustedDisk
2) Import the new security admin from file
   - For external USB devices: Add the new security administrator
3) Exchange the SecurityAdminCertificate at: C:\Program Files (x86)\Sirrix AG\TrustedDisk\Certs\SecurityAdminCertificate.der
4) Rights management -> Add the new security admin as user
5) Rights management -> Remove the old security admin as user (requires re-keying)

5.1.4 Replacing user certificates

User certificates are updated via the TrustedIdentity Manager.
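To plan the replacements described in section 5 before a certificate runs out, the following added example (not part of the original manual or of Sirrix tooling) lists the expiry of every certificate in the two folders named above and checks that each one chains to a CA certificate in CACerts. The function name Get-TrustedDiskCertStatus and the 60-day warning threshold are assumptions.

```powershell
# Added example (not Sirrix code): expiry and issuer check for the certificate files
# in the folders named in section 5.1. PowerShell 2.0 compatible.
# Get-TrustedDiskCertStatus and the 60-day threshold are assumptions.
function Get-TrustedDiskCertStatus {
    param(
        [string]$CertDir = 'C:\Program Files (x86)\Sirrix AG\TrustedDisk\Certs',
        [string]$CaDir   = 'C:\Program Files (x86)\Sirrix AG\TrustedDisk\CACerts',
        [int]$WarnDays   = 60
    )

    # X509Certificate2 reads both DER (.der) and PEM (.crt) encoded files.
    function Read-CertFiles([string]$Dir) {
        Get-ChildItem -Path (Join-Path $Dir '*') -Include *.der, *.crt |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $file = $_
                try {
                    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName |
                        Add-Member -MemberType NoteProperty -Name SourceFile -Value $file.FullName -PassThru
                } catch {
                    Write-Warning "Cannot parse $($file.FullName): $($_.Exception.Message)"
                }
            }
    }

    $caCerts  = @(Read-CertFiles $CaDir)
    $caThumbs = @($caCerts | ForEach-Object { $_.Thumbprint })
    $now      = Get-Date

    foreach ($cert in ($caCerts + @(Read-CertFiles $CertDir))) {
        # Build the chain offline against the local CA files only: no revocation
        # lookup, and the private CA need not be in the Windows trust store.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode    = 'NoCheck'
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
        foreach ($ca in $caCerts) { [void]$chain.ChainPolicy.ExtraStore.Add($ca) }
        [void]$chain.Build($cert)

        # The certificate is anchored if any chain element is one of the CA files.
        $anchored = @($chain.ChainElements |
            Where-Object { $caThumbs -contains $_.Certificate.Thumbprint }).Count -gt 0
        # Remaining problems, e.g. NotTimeValid or NotSignatureValid.
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status } |
            Where-Object { $_ -ne 'UntrustedRoot' })

        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        $state = 'OK'
        if ($daysLeft -lt $WarnDays) { $state = 'EXPIRING' }
        if ($daysLeft -lt 0)         { $state = 'EXPIRED' }
        if (-not $anchored)          { $state = "$state, NOT ISSUED BY LOCAL CA" }

        New-Object PSObject -Property @{
            File     = $cert.SourceFile
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            DaysLeft = $daysLeft
            State    = $state
            Chain    = ($problems -join ', ')
        } | Select-Object File, Subject, NotAfter, DaysLeft, State, Chain
    }
}

Get-TrustedDiskCertStatus | Format-Table -AutoSize
```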


6 Creating a boot partition and moving the boot loader

1. Create a new NTFS partition with any disk management utility; it must have a size of at least 100MB. TrustedDisk will install the Linux boot loader in this partition. Mark the partition as active and assign a drive letter. Your system cannot be started at this point. Do not restart the system!
2. Using the console, move the Windows boot loader to the partition you have created with the command (admin rights required!)

   bcdboot c:\windows /s x:

   with
   c: Windows system partition,
   x: newly created boot partition
3. Remove the drive letter of the new partition.
4. Restart the system.
5. As an administrator, check the partition layout with bcdedit. An entry of type partition=\Device\HarddiskVolumeX must be visible.

After that, you can begin the installation of TrustedDisk.


7 Hardware list

Brand      Model                    Tested with         BIOS                Kernel      Comment
Acer       Travelmate 6593873G32Mn  2.2.0 OK
Alienware  MX17                     1.2.2 OK
Dell       D630                     1.2.2 OK
Dell       Optiplex 780             1.2.2 OK                                acpi=force
Dell       Optiplex 760             1.2.2 OK                                acpi=force
Dell       Optiplex 790             1.2.2 OK                                acpi=force
Dell       E6520                    1.2.2 OK            SATA=compatibility  acpi=force
Dell       E6540                    1.2.2 OK            SATA=compatibility  acpi=force
HP         Probook 640              1.2.2 OK 2.2.0 OK   SATA=IDE            acpi=force
HP         Elitebook 820 G1         2.3.0 OK
HP         Elitebook 840 G1         2.3.0 OK
HP         Elitebook 850 G1         2.3.0 OK
HP         zBook 17                 2.3.6 OK
Lenovo     T61                      1.2.2 OK            SATA=compatibility
Lenovo     X200s                    1.2.2 OK            SATA=compatibility
Lenovo     R500                     1.2.2 OK            SATA=compatibility
Lenovo     W540                     1.2.2 OK            SATA=AHCI
Toshiba    R930                     2.2.0 OK            SATA=AHCI
Toshiba    Z930                     2.2.0 OK            SATA=AHCI

Remaining table entries (row not recoverable): acpi=force SATA=compatibility; acpi=force; acpi=force; Bios 2.11

If problems occur when installing TrustedDisk on hardware not listed here, please contact us at [email protected] with the exact model number of the device.
