IronKey Workspace
Models: W500
Updated: September 2013
IRONKEY WORKSPACE W500 USER GUIDE
Thank you for your interest in IronKey™
Workspace W500 by Imation.
Imation’s Mobile Security Group is committed
to creating and developing the best security
technologies and making them simple-to-use and
widely available. Years of research and millions of
dollars of development have gone into bringing this
technology to you.
We are very open to user feedback and would
appreciate hearing about your comments,
suggestions, and experiences with this product.
Feedback:
securityfeedback@imation.com
User Forum:
https://forum.ironkey.com
CONTENTS
About my device
Where can I get Help?
For more information
To contact support
About my device
IronKey Workspace W500
IronKey Workspace W500 is a trusted, secure USB flash drive. The Microsoft-certified
Windows To Go device, IronKey Workspace W500, allows you to use virtually any computer
as your own secure personal workspace, capable of using all host system resources. Your
IronKey Workspace W500 device contains a fully functional version of Windows 8.
If your device is managed by IronKey Enterprise Server, you will receive update notifications
and policy changes for the device when the device connects to the server. The IronKey Control
Panel application lets your device communicate with the IronKey Enterprise Server.
This guide refers to two different device environments:
» Host environment—Also called the “non-boot environment”. Describes the scenario when
you are using the operating system of the host computer and the device is just a USB device
and is not booted into Windows To Go.
» Secure Workspace—Describes when you boot the Windows To Go operating system on the
device.
How is it different than a regular flash drive?
Hardware Encryption
Inside your device is the IronKey Cryptochip, which protects your data to the same level as
highly classified government information. This security technology is always on and cannot be
disabled.
Password-Protected
Unlock the device with a password using the Unlocker software that is carried on the device.
Do not share your password with anyone. That way, even if your device is lost or stolen, no one
else can access your data.
Self-Destruct Sequence
If the Cryptochip detects physical tampering by a hacker, or if a specified number of consecutive
incorrect password attempts have been entered, it initiates a permanent self-destruct sequence
that securely erases all onboard data using flash-trash technology, so remember your
password.
Simple Device Management
Your device includes the IronKey Control Panel, a central management area for editing
your preferences, changing your device password and safely locking your device. For more
information about the IronKey Control Panel, see “About IronKey Control Panel” on page 6.
Waterproof and Tamper-Resistant
Designed to survive the extremes, IronKey Workspace W500 has a rugged metal encasing that
is injected with an epoxy compound that makes it not only tamper-resistant, but waterproof to
military specifications (MIL-STD-810F).
What systems can I use it on?
» Windows 8
» Windows 7
PCs that are certified for use with Windows 7 or Windows 8 can be configured to boot directly
from USB. Check with the hardware manufacturer if you are unsure of the ability of your PC to
boot from USB.
NOTE: The computer must have a USB 3.0 or 2.0 port for high-speed data transfer. A USB 1.1
port or powered hub will also work, but will be slower. Each computer must be configured to
allow you to boot an operating system from a USB device. For more information, see “Set up
the host computer” on page 8.
How secure is it?
IronKey Workspace W500 has been designed from the ground up with security in mind. A
combination of advanced security technologies is used to ensure that only you can access
your data. Additionally, it is a physically secure device, to prevent hardware-level attacks and
tampering, as well as to make the device rugged and long-lasting.
The IronKey Cryptochip is hardened against physical attacks such as power attacks and bus
sniffing. It is physically impossible to tamper with its protected data or reset the password
counter. If the Cryptochip detects a physical attack from a hacker, it destroys the encryption
keys, making the stored encrypted files inaccessible.
We strive to be very open about the security architecture and technology that we use in
designing and building this product. We use established cryptographic algorithms, we develop
threat models, and we perform security analyses (internal and third party) of our systems all the
way through design, development and deployment.
DEVICE SECURITY
Data Encryption Keys
» AES key generated by onboard Random Number Generator
» AES key generated at initialization time and encrypted with hash of user password
» No backdoors: AES key cannot be decrypted without the user password
» AES key never leaves the hardware and is not stored in NAND flash
Data Protection
» Windows To Go partition is not accessible until password is verified in hardware
» Password try-counter implemented in tamper-resistant hardware
» Once password try-count is exceeded, all data is erased by hardware
» Secure box architecture accessible only to firmware to store sensitive data and settings
Device Password Protection
» USB command channel encryption to protect device communications
» Password-in-memory protection to protect against cold-boot and other attacks
The device password is hashed using salted SHA-256 before being transmitted to the device
firmware over a secure and unique USB channel. It is stored in an extremely inaccessible
location in the protected Cryptochip hardware. The hashed password is validated in hardware
(there is no “getPassword” function that can retrieve the hashed password), and only after the
password is validated is the AES encryption key decrypted. The password try-counter is also
implemented in hardware to prevent memory rewind attacks. Typing your password incorrectly
too many times initiates a permanent “flash-trash” self-destruct sequence, which is run in
hardware rather than using software, ensuring the ultimate protection for your data.
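The key handling and try-counter behaviour described above, modelled in Python as an added example; it is not IronKey firmware and not code from this guide. The class and function names, the max_tries value, the split into separate verifier and wrapping subkeys, the count-before-check ordering, and the XOR pad standing in for the AES key wrap are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class DeviceErased(Exception):
    """The try-count was exceeded and the key material is gone."""


class CryptochipModel:
    """Software model of the unlock flow in the guide (not IronKey firmware)."""
    REPLUG_AFTER = 3  # guide: unplug and reinsert after every three failed attempts

    def __init__(self, password, max_tries=10):  # max_tries: assumed policy value
        self.max_tries = max_tries
        self.failed = self.since_replug = 0  # counters live inside the "chip"
        self.salt = secrets.token_bytes(16)
        dek = secrets.token_bytes(32)  # stands in for the RNG-generated AES-256 key
        self._store(self.host_hash(password), dek)

    def host_hash(self, password):
        """Salted SHA-256 computed host-side; the password itself is never sent."""
        return hashlib.sha256(self.salt + password.encode("utf-8")).digest()

    @staticmethod
    def _subkey(pw_hash, label):
        # Assumption: verifier and wrapping key are derived separately from the hash.
        return hmac.new(pw_hash, label, hashlib.sha256).digest()

    def _wrap(self, pw_hash, key):
        # XOR with a hash-derived pad stands in for the AES wrap (no AES in stdlib).
        pad = self._subkey(pw_hash, b"wrap")
        return bytes(a ^ b for a, b in zip(key, pad))

    def _store(self, pw_hash, dek):
        self._verifier = self._subkey(pw_hash, b"verify")
        self._wrapped_dek = self._wrap(pw_hash, dek)

    def replug(self):
        self.since_replug = 0

    def unlock(self, pw_hash):
        if self._wrapped_dek is None:
            raise DeviceErased("keys destroyed")
        if self.since_replug >= self.REPLUG_AFTER:
            raise PermissionError("unplug and reinsert the device")
        self.failed += 1  # assumption: the attempt is counted before it is checked
        self.since_replug += 1
        if not hmac.compare_digest(self._subkey(pw_hash, b"verify"), self._verifier):
            if self.failed >= self.max_tries:
                self._verifier = self._wrapped_dek = None  # destroy the keys
                raise DeviceErased("try-count exceeded")
            raise ValueError("wrong password")
        self.failed = self.since_replug = 0
        return self._wrap(pw_hash, self._wrapped_dek)  # XOR again to unwrap

    def change_password(self, old_password, new_password):
        dek = self.unlock(self.host_hash(old_password))
        self._store(self.host_hash(new_password), dek)  # same data key, new wrap


OUTCOME = {ValueError: "wrong", PermissionError: "replug", DeviceErased: "erased"}


def attempt(chip, password):
    """One password try, reported as 'unlocked', 'wrong', 'replug' or 'erased'."""
    try:
        chip.unlock(chip.host_hash(password))
        return "unlocked"
    except tuple(OUTCOME) as exc:
        return OUTCOME[type(exc)]


def run_scenario():
    chip = CryptochipModel("constructed-pass", max_tries=5)  # constructed values
    out = [attempt(chip, p) for p in ["constructed-pass"] + ["guess"] * 4]
    chip.replug()  # the fourth guess above was refused until this point
    out += [attempt(chip, "guess"), attempt(chip, "guess")]
    return out + [attempt(chip, "constructed-pass")]  # too late, key is gone
```

Calling run_scenario() returns the outcome of each attempt in order. Because a password change only rewraps the same data key, the encrypted partition never has to be re-encrypted.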
Product specifications
For details about your device, see “Device Info” in the IronKey Control Panel settings.
Specification: Details
Capacity*: Up to 32GB, 64GB, 128GB
Dimensions: 82mm X 21.1mm X 9.1mm
Weight: 1.12 oz (32 grams)
Operating Temperature: 0C, 70C
Operating Shock: 16G rms
Hardware Encryption:
• Data: 256-bit AES (CBC mode)
• Hardware: 256-bit AES
• Hashing: 256-bit SHA
Hardware:
• USB 3.0 (Super speed) port recommended, USB 2.0 (High-Speed), USB 1.1
• Water-resistant MIL-STD-810F
• Dust-resistant
• Shock-resistant
• Ruggedized
OS Compatibility:
• Windows 8, Windows 7 (any PC certified for use with Windows 7 or Windows 8)
Accessibility: IronKey Control Panel is designed to be Section 508 compliant. Users
with disabilities have keyboard navigation and screen reader support.
Designed and Assembled in the U.S.A.
* Advertised capacity is approximate. Some space is required for Windows To Go software.
Recommended best practices
» Never unplug the device when the LED is on
» Never share your device password
» Perform a computer anti-virus scan before setting up the device
In the host environment:
» Lock the device:
• when not in use
• before unplugging it
• before the system enters sleep mode
In the secure Workspace (Windows To Go):
» Do NOT unplug the device while you are booted into WTG as it can result in loss of data
or possibly cause irreparable damage to the operating system.
» If your WTG operating system is in Hibernate mode, do not unplug the device and move it
to another computer. Hibernate mode does not support roaming between computers and
could corrupt your device.
About IronKey Control Panel
IronKey Control Panel connects a managed device to the IronKey Enterprise Server. It also
allows you to modify device settings; for example, you can change your password. There are two
IronKey Control Panel applications on your device. Some IronKey Control Panel operations are
only available in one of the device environments.
1. IronKey Control Panel on the USB drive (in the host environment)
• This application is accessible only from the USB drive.
• Connects to the server to receive and allow you to download device updates and policy
changes.
• Allows you to unlock and lock your USB device in the host environment.
• Opens automatically after you Activate the device.
2. IronKey Control Panel on your Windows To Go operating system (in the secure Workspace
environment)
• This application opens automatically and is accessible in the taskbar only when the device
is booted in Windows To Go.
• Connects to the server to receive device update notifications and policy changes. You can
download device software updates only in the Control Panel in the host environment.
• Does not have a “lock device” option.
You can use the Control Panel in either environment to do the following:
» Change device password
» View device information
» Modify “Unlock Message” that displays when you unlock the device
» View notifications about device software updates
» Access the Admin Console (if you are an Admin user)
START THE CONTROL PANEL
In the host environment
1. Double-click the “IronKey.exe” file from the IronKey Workspace drive on the device.
2. Type your device password and click “Unlock”. The IronKey Control Panel will open automatically.
In the secure Workspace
The Control Panel starts automatically when you boot into your Windows To Go secure
Workspace. You can access it from the Windows taskbar.
• Click the IronKey icon in the taskbar and choose IronKey Control Panel.
How do I...?
Set up the host computer
Before you plug in your device, you must make sure that the host computer is able to boot
from a USB device. You should check the boot setting for each computer on which you want
to use your device. The host computer must use either a Windows 7 or Windows 8 operating
system (or be certified for use with Windows 7 or Windows 8).
Once the computer is configured to boot from a USB device, you can plug in your
IronKey Workspace W500 device. If this is the first time booting the device into the secure
Workspace, you may have to set up some Windows installation settings.
NOTE: If your administrator has already configured the boot setting for the host computer,
you can skip this step and set up the device.
SET THE HOST COMPUTER TO BOOT FROM USB
1. Shut down the host computer if it is not already turned off.
2. Turn on the computer and enter the BIOS/UEFI.
This is a very fast step. You have only a few seconds to press the correct key to access the
BIOS/UEFI. An on-screen message will indicate the key sequence, for example, “Press the Esc
key”, or “Press F1 to enter setup”.
3. Configure the system to boot from USB by turning on USB BOOT and moving the setting
USB MassStorage to the first position in the boot order.
4. Save the new BIOS/UEFI settings and shut down the computer.
5. You can now plug in your device and follow the steps in the section “Set up the device” on
page 8.
Set up the device
Before you can access your Windows To Go Workspace, you must activate the device. During
the activation process, the device policy from IronKey Enterprise Server is applied to the
device. Device activation is done in the host environment before you boot into the secure
Workspace.
You will need the activation code that was sent to you in an e-mail message from an
administrator. During the activation procedure, you will have to set a device password. After you
activate the device, you can start up the secure Workspace on the device.
The first time you start the Windows To Go operating system on the device, you might be
required to complete some Windows installation settings. Some administrators may configure
these settings before they give you the device.
NOTE: If your device is not managed by IronKey Enterprise Server, you do not need to activate
it. Follow the steps to start the secure Workspace. You will be asked for a device password.
This is the password your administrator gave to you. You should change the password from the
default one; see “Change my password” on page 13.
ACTIVATE A MANAGED DEVICE
1. In the host environment, plug the IronKey device into the host computer’s USB port.
2. Double-click the “IronKey.exe” file from the IronKey Workspace drive.
3. Type the Activation Code. You should have received the code in an e-mail message sent from
your Administrator.
4. Type a device password and confirm it, and then click the “Continue” button.
Your password is case-sensitive and must comply with the password policy set by the
administrator.
5. If you are prompted to provide an e-mail address for an online account, enter it now and
click the “Continue” button. (Online accounts are required for admin users).
• A message prompt will appear indicating that an e-mail has been sent to you. Follow the
instructions in the e-mail to set up your online account; this includes creating a “secret
question”.
• Once you have set up your online account, click OK in the message prompt to proceed
with the device setup.
6. The device initializes. During this process, it applies the policy for the device as configured in
IronKey Enterprise Server.
7. When the initialization is complete, the IronKey Control Panel appears.
• If you want to add or modify the message that displays on the Unlocker screen, see
“Create a message that displays in the Unlocker” on page 11.
8. Safely eject the device and unplug it, then power off the host computer. The device is now
ready to boot into the secure Workspace.
START THE SECURE WORKSPACE FOR THE FIRST TIME
1. Ensure that the host computer is powered off, and then insert the W500 device into the
USB port.
2. Turn on the computer and wait for the IronKey Workspace Preboot Environment to start.
3. Type the device password and click Unlock. If the device is not managed by IronKey Enterprise
Server, your administrator will give this password to you; otherwise, type the password that you
set when you activated the device.
4. The computer will reboot into the secure Windows To Go workspace.
5. Follow the on-screen instructions to configure settings for the Windows installation on the
device. This is only required the first time you boot into the secure Workspace.
NOTE: When you start the secure portable Workspace on different computers, Windows
To Go will adapt to the hardware of the local system to use its unique set of hardware
components. This hardware adaptation process will not be performed with each subsequent
startup on the same computer. The device stores information for each system from which it has
been booted. It applies the hardware profile for that system as the computer boots.
Access the secure Workspace
After you set up the device you are ready to use it as your secure portable Workspace.
Each time you boot from the device, you must provide the device password to unlock the
operating system so Windows To Go can start. The steps are almost identical to starting the
secure Workspace for the first time except that you do not have to customize the Windows
Installation.
BOOT FROM THE DEVICE TO ACCESS THE SECURE WORKSPACE
1. Ensure that the host computer is powered off, and then insert the W500 device into the
USB port.
2. Turn on the computer and wait for the IronKey Workspace Preboot Environment to start.
3. Type the device password and click the “Unlock” button.
4. The computer will reboot into the secure Windows To Go workspace.
Unlock and lock the device
When you unlock the device in the host environment, the IronKey Control Panel starts
from the USB device. You should always lock the device before you unplug it from the host
environment.
When you boot the device in Windows To Go, you unlock the device during the Preboot
Environment. You cannot lock the device from the Control Panel in Windows To Go.
UNLOCK DEVICE
1. In the host environment, plug in your device to the host computer and start the Unlocker
window by opening the “IronKey Workspace” device drive and double-clicking the
“IronKey.exe” file.
2. Type your device password and click “Unlock”. The IronKey Control Panel will appear.
• Entering the wrong password too many consecutive times (the limit depends on the password
settings defined by the administrator) will permanently destroy the device and all your
onboard data.
• As a security precaution, you must unplug and reinsert the device after every three failed
password attempts.
TIP: If you want to boot into the secure Workspace, see “Access the secure Workspace” on
page 10.
Create a message that displays in the Unlocker
This feature, if enabled by the System Admin, allows you to create a message that appears on
the IronKey Unlocker window. For example, you can provide contact information so that if you
lose your device someone will know how to return it to you.
1. In the host environment, unlock your device and click the “Settings” button in the menu bar
of the Control Panel.
2. Click the “Preferences” button in the left sidebar.
3. Enter text in the “Unlock Message” field.
Your message text must fit the space provided (approximately 7 lines and 200 characters).
LOCK DEVICE
• In the host environment, click the “Lock” button in the bottom left of the Control
Panel to safely lock your device. You can also use the keyboard shortcut: CTRL + L. If you
want the device to automatically lock when not in use, see “Set device to automatically lock”
on page 12.
CAUTION: Once the device is locked, you can perform a safe removal operation to safely
unplug it. However, do not unplug the device when it is unlocked.
NOTE: You cannot lock a device from the Control Panel in the secure Workspace. You must
shut down the Windows operating system to safely remove the device. For more information,
see “Unplug the device” on page 12.
Set device to automatically lock
If enabled by your System Admin, you can set a device time-out to automatically lock your
device after a specified period of inactivity. This will help prevent others from accessing your
secure files. This is only available in the host environment and not while you are booted into the
secure Workspace.
1. In the host environment, access the IronKey Control Panel on your device from the USB
drive of the host computer.
2. Click the “Settings” button in the menu bar.
3. Click the “Preferences” button in the left sidebar.
4. Click the checkbox for auto-locking the device and set the time-out for either 5, 15, 30, 60,
120, or 180 minutes.
Unplug the device
In host environment
» Lock the device and perform a safe removal operation of the USB drive then unplug the
device.
In the secure Workspace
» After you are finished using your secure Workspace, you must properly shut down the
operating system on the device before you unplug it. Follow the procedure in the Windows
documentation to shut down the Windows To Go operating system.
IMPORTANT: DO NOT unplug the device without first shutting down Windows To Go; this
can result in loss of data and potentially cause irreparable damage to the operating system.
Access my device if I forget my password
If you forget your password, you must contact your administrator. Your administrator can reset
your password and you can then follow the steps in the Change my password procedure to set
it again.
Change my password
Password policy settings are determined by an administrator. Sometimes you may be required
to change your password to comply with new corporate password policies. When a change
is required, the Password Change screen will appear the next time your device connects to
IronKey Enterprise Server (either when you unlock the device in the host environment or after
you boot into the secure Workspace environment).
It is also good security practice to regularly change your password. However, be especially
careful to remember your device password. You can change your password in the host
environment using the IronKey Control Panel on the device or in the Control Panel in the
secure Workspace environment.
1. From the Control Panel, click the “Settings” button in the menu bar.
2. Click the “Password” button in the left sidebar.
3. Enter your current password in the field provided.
4. Enter your new password and confirm it in the fields provided.
5. Click the “Change Password” button.
Update my device
In the host environment, you can securely update software and firmware on your device
through signed updates that are verified in hardware. Keeping your device up-to-date helps
protect you from future malware and online threats.
If you are in the secure Workspace, you will be notified that your device has updates available;
however, you can only update the device from the host environment.
1. In the host environment, unlock your device and click the “Settings” button on the menu bar
of the IronKey Control Panel.
2. Click the “Tools” sidebar and in the Updates section, click the “Check for Updates” button.
3. If an update is available, click “Download” to install it.
TIP: In the host environment, you can check for updates automatically by clicking the
“Automatically check for updates” checkbox. The device will check for updates every 7 days. If
your administrator has already set this option, the check box will appear enabled and dimmed.
Find information about my device
1. In the Control Panel, click the “Settings” button in the menu bar.
2. Click the “Device Info” button in the left sidebar.
On this screen you can view details about your device, including:
• Model number
• Serial number
• Software and firmware versions
TIP: You can also click the “Copy” button to copy the device information to the clipboard for
pasting in an e-mail, forum posting or support request.
Manage my online account settings
NOTE: You may not have an online account if your System Administrator has not enabled this
feature. An online account is required for Admin users. Online accounts are typically created
during device setup.
Your device supports advanced cryptographic authentication using strong PKI key pairs
generated in the Cryptochip. When you log into your online account from your device, it uses
these unique keys as your digital identity credentials. This locks down your account so that you
must have both your device and your password in order to gain access.
To log on to your online account
1. In the host environment, unlock your device and click the “Settings” button on the menu bar
of the Control Panel.
2. Click the “Account” button in the left sidebar.
3. Click the “Manage Account Settings” button. The Admin Console displays.
CHANGE DEVICE NICKNAME
If you own more than one IronKey Workspace W500 device, you can create nicknames for each
device. Names help you tell the devices apart from each other.
1. Log on to your online account.
2. On the “My IronKeys” tab, click the “Edit” button beside the device whose nickname you
want to change.
3. Type a new nickname in the box and click the “Save” button.
MANAGE ACCOUNT SETTINGS
The following table describes some tasks you can perform when you log on to your online
account.
• Access your online account and then follow the steps in the table below.
Task: Description
Review account activity: Click “Account Dashboard” to monitor recent events such as logins, failed
password attempts and so on.
Set up email alerts: Click “Account Alerts” to have e-mail alert notices sent to you when
specific activities occur, such as an incorrect secret question attempt. You
can also sign up to be notified of new IronKey product announcements.
Edit Secret Questions and Answers: Click the “Edit” button to modify your Secret Question
responses that you provided during the setup of your online account. You can also edit
time zone data.
NOTE: You cannot update e-mail addresses in your online profile unless you are a System
Administrator.
Where can I get Help?
For more information
forum.ironkey.com - Online forum with thousands of users and security experts
support.ironkey.com - Support information, knowledgebase and video tutorials
securityfeedback@imation.com - Product feedback and feature requests
https://www.ironkey.com - General information
To contact support
For support, please contact your Help desk or System Administrator.
http://support.ironkey.com
securityts@imation.com
910 E. Hamilton Ave. Suite 410
Campbell, CA 95008 UNITED STATES
Monday - Friday, 6am - 5pm PST
NOTE: Imation is not liable for technical or editorial errors and/or omissions contained herein; nor for incidental or consequential damages
resulting from the furnishing or use of this material. The information provided herein is subject to change without notice.
The information contained in this document represents the current view of Imation on the issue discussed as of the date of publication. Imation cannot guarantee the accuracy of any
information presented after the date of publication. This document is for information purposes only. Imation makes no warranties, expressed or implied, in this document. Imation, the Imation logo,
IronKey and the IronKey logo are trademarks of Imation Corp. and its subsidiaries. All other trademarks are the property of their respective owners.