Sophos SAFEGUARD help

Sophos SafeGuard® Disk Encryption 4.60
help
Document date: June 2009

Contents

1 Overview (page 4)
2 Getting started (page 11)
3 Local installation (page 13)
5 Troubleshooting an installation with SGEInteg (page 28)
7 System boot and logon (page 32)
8 Administration overview (page 37)
9 The Administration function (page 39)
10 Configuration File Wizard (page 42)
11 Changing frequently-used settings with the administrative template (page 54)
12 Pre-Boot Authentication (PBA) (page 57)
13 Encryption (page 61)
14 Creating user profiles (page 66)
16 Configuring Windows logon (page 87)
17 Sophos SafeGuard Disk Encryption workstation lock (page 97)
18 Secure Wake-On-LAN (page 100)
19 Hibernation (page 103)
20 FIPS 140-2 (Level 1) certification (page 106)
21 Sophos SafeGuard Disk Encryption and Lenovo Rescue and Recovery™ (page 108)
22 Compatibility with Absolute Computrace software (page 118)
23 Remote maintenance (Challenge/Response) (page 119)
24 Saving the system kernel and creating emergency media (page 128)
25 Displaying Sophos SafeGuard Disk Encryption system status (page 143)
26 Logging (page 145)
27 Error messages (page 148)
28 Technical Support (page 166)
29 Copyright (page 168)
Sophos SafeGuard® Disk Encryption 4.60, help

1 Overview

Personal computers often contain personal data, confidential and company information or other sensitive data.
The danger caused by the theft of notebooks should not be underestimated. Highly sensitive client information on a sales representative’s notebook could fall into the hands of a competitor, resulting in serious damage for the company.
Sophos SafeGuard Disk Encryption is the ideal way to safeguard against such risks without spending too much time on implementing security measures.
How does Sophos SafeGuard Disk Encryption protect workstations against unauthorized access? The program’s most important security features are its drive encryption and pre-boot authentication, which prevent unauthorized access to a workstation or notebook.
The benefits of Sophos SafeGuard Disk Encryption are:
Simply but effectively protects the confidentiality of stored data.
Can be implemented quickly.
Is very user-friendly.
Is based on market leading encryption technology certified FIPS 140 compliant.
You will find an overview of Sophos SafeGuard Disk Encryption in the comparison below. To extend Sophos SafeGuard Disk Encryption we recommend deploying SafeGuard Enterprise.
Sophos SafeGuard Disk Encryption (SDE):
Small to medium business (< 1000 users)
Sector-level disk encryption; removable media encryption via SafeGuard Private Crypto
Logging and reporting of encryption state via Sophos Compliance and Control
Authentication via keyboard
SafeGuard Enterprise:
Medium to large business (> 1000 users)
Scalable data protection platform; centralized and enforceable management of full disk encryption; removable media encryption, file & folder encryption
Comprehensive auditing trail for compliance via detailed reports and logs
Authentication via keyboard, smartcards/tokens and biometrics (Lenovo Fingerprint)

1.1 Central security functions

Encryption
Sophos SafeGuard Disk Encryption uses online encryption to protect the confidentiality of data stored on hard disks in a simple and effective manner. Here, "online" means that data is decrypted when it is read and loaded into RAM, and automatically encrypted again when it is saved. The key is derived from the user’s Sophos SafeGuard Disk Encryption password each time the PC is switched on.
Sophos SafeGuard Disk Encryption encrypts the entire contents of hard disks. For data encryption, Sophos SafeGuard Disk Encryption provides the AES-256 algorithm.
For a broader data security solution, we recommend the modularly structured data security suite SafeGuard Enterprise. SafeGuard Enterprise supports central administration and, among other features, encryption of removable media.
Access control with Pre-Boot Authentication (PBA)
Pre-Boot Authentication is a crucial security function in Sophos SafeGuard Disk Encryption. PBA ensures that only the Sophos SafeGuard Disk Encryption user who is registered on the system can log on to it.
When the hard disk is encrypted, any attempt to boot the computer from another data medium, such as a system floppy disk, a CD-ROM or another hard disk, will fail: the hard disk remains blocked. In fact, this means that the system actually does boot, but it is not possible to read the encrypted data on the hard disk.

1.2 Other security functions

Password rules
Sophos SafeGuard Disk Encryption offers several options for implementing special password rules in the PBA, such as a configurable list of forbidden passwords and extended rules for special characters, so that pre-defined corporate rules can be enforced.
Logging in PBA and operating system
Sophos SafeGuard Disk Encryption also logs events involving security issues, such as failed logon attempts, in the Pre-Boot phase, and later passes on these log entries to the Windows Event Log for evaluation.
Local administration
As an administrator, you can change settings for the authentication and encryption of your computer in the Sophos SafeGuard Disk Encryption Administration. As an administrator, you can set up user profiles.
Secure Automatic Logon to Windows (SAL)
Automatic logon is a function that helps to make the logon procedure more user-friendly. A user only needs to enter their Windows logon data once. In future logons, they are automatically logged on to Windows, and the user then only needs the Sophos SafeGuard Disk Encryption logon data to authenticate themselves during PBA.
Secure Wake-On-LAN support
Sophos SafeGuard Disk Encryption’s Pre-Boot Authentication offers the best-possible protection against attacks from hackers. However, maximum security is also needed when distributing software via Wake-On-LAN when active hard disk encryption is in operation, and so Sophos SafeGuard Disk Encryption offers a range of functions for that purpose.
Secure remote maintenance (Challenge/Response)
Helpdesk staff can help users who have forgotten their password. The Challenge/Response procedure is secure and ideal for mobile users, since it does not require a PC to have a direct online link with the help desk.
Windows Installer-based installation
As the installation procedure is fully compliant with the current Windows Installer (MSI) standard it can be distributed and installed easily and efficiently in Windows networks.
Customization of Pre-Boot Authentication for legal requirements
When a user is logging on, Sophos SafeGuard Disk Encryption can also add an additional message, specified by the administrator, that informs the user of legal requirements, ownership of the device, or similar.
Emergency boot from CD, USB memory stick, and diskette
Sophos SafeGuard Disk Encryption accepts CDs and floppies alongside USB memory sticks as emergency media. Boot media are supported for both MS DOS and Windows PE.
Sophos SafeGuard design for Windows logon dialog
Customers may customize the default logon to Windows and use a dialog that is based on the Sophos SafeGuard design instead of the Windows logon design.
Hibernation (Suspend to Disk) support
Hibernation is especially useful for mobile users, who often avoid a full boot by "pausing" their current work session and "restoring" it later, as modern operating systems allow. Sophos SafeGuard Disk Encryption supports the use of hibernation mode. This provides round-the-clock security, reduces power consumption and saves time compared with a normal boot.
Compatibility with Absolute’s Computrace software
When Computrace is installed, a stolen computer can report its location via a network. Sophos SafeGuard Disk Encryption has been prepared to ensure it is compatible with Computrace. This compatibility with Sophos SafeGuard Disk Encryption implies that this feature also works with encrypted hard disks.
Support for Lenovo’s ThinkVantage - Rescue and Recovery 4.20
Sophos SafeGuard Disk Encryption supports Lenovo’s Rescue and Recovery (RnR). This means customers can use this efficient backup and recovery method along with Sophos SafeGuard Disk Encryption encrypted operating system partitions. This functionality is unique amongst disk encryption products. Backups from encrypted Sophos SafeGuard Disk Encryption systems can be stored on any disk drive used by RnR. Therefore, in an emergency, a system can be restored by loading a backup from CD/DVD, a network drive, a second internal hard disk or a USB hard disk or stick.
Certification to FIPS 140-2 Level 1
Sophos SafeGuard Disk Encryption complies with the guidelines of FIPS 140-2 Level 1 (FIPS= Federal Information Processing Standard) certification set out by the American National Institute of Standards and Technology (NIST). NIST defines the security criteria for encryption products used by the American government.

1.3 System requirements

Supported operating systems
The minimum requirements for supported 32 bit versions of the operating systems are as follows (tested service packs in brackets):
Windows 2000 Professional Service Pack 4 (SP 4)
Windows XP Home Edition Service Pack 2 (SP 3)
Windows XP Professional Edition Service Pack 2 (SP 3)
Current Service Packs are recommended.
Upgrading Windows Service Packs
It is possible to upgrade a service pack while Sophos SafeGuard Disk Encryption is installed. For example, you may upgrade from Windows XP Home Edition SP 2 to SP 3 while Sophos SafeGuard Disk Encryption is installed.
Supported file systems
FAT-32
NTFS
Supported memory media
Hard disks (IDE, SCSI, serial ATA, Firewire, USB)
RAID 0 (Hardware-RAID 0)
Sophos SafeGuard Disk Encryption does not support:
additional RAID classes
Software-RAID 0
Supported processors
AMD
Intel
Multi-processors/hyperthreading
We recommend using AMD or Intel processors.
Hardware requirements
Hard disk capacity
Sophos SafeGuard Disk Encryption requires ca. 25 MB of disk space. Sophos SafeGuard Disk Encryption has the same minimum requirements as the operating system currently in use.
Although Sophos SafeGuard Disk Encryption runs smoothly and without any problems on the systems described, encryption comes at a cost. For this reason we recommend that you use hardware that exceeds these requirements.
Number of hard disks
Sophos SafeGuard Disk Encryption supports a maximum of 4 devices per machine, with a maximum of 8 partitions per device. The system displays a warning if an unsupported partition type is found.

1.4 Documentation

Sophos SafeGuard Disk Encryption is supplied with a startup guide and this help.

1.5 General notes

In normal operation, the following points should be taken into account:
Sophos SafeGuard Disk Encryption does not support Windows XP’s "Fast User Switching".
After Sophos SafeGuard Disk Encryption has been installed, the Welcome screen switches off automatically.
If the workstation is integrated in a peer-to-peer LAN, parts of hard disks must not be assigned to other users of this LAN.
Hard disk encryption and decryption are protected against power cuts and similar disruptions.
As soon as the power is restored, the process continues from the correct place without any need for a user action.
Hint: The initial encryption of hot-pluggable hard disks must not be interrupted! For further notes on the encryption of hot-pluggable hard disks see About hard disk encryption on page 61.
When you leave the workstation for a short time, you should enable Windows screen-blanking (Lock workstation button). If you want to leave the workstation for a longer period of time, switch off the PC and then switch it on, and reboot it, when you return.
By correctly setting the recommended installation system configuration, you prevent logical access to hard disks after booting from diskettes. To further protect the system against trojan viruses that might be used to find out a Sophos SafeGuard Disk Encryption password, use a mechanical lock or any other internal measure to protect the workstation from being booted from diskette.

1.6 License note

All cases of unauthorized duplication of this help or the software supplied by Sophos SafeGuard Disk Encryption will be pursued in law. You can only install Sophos SafeGuard Disk Encryption on one PC.
If you misuse the backup copy to install Sophos SafeGuard Disk Encryption on several PCs, you will contravene the terms of the license and be liable to punishment. If you want to protect several PCs you must purchase a license for each PC.
Patent rights of Ascom Tech Ltd. given in EP, JP, US. IDEA is a trademark of Ascom, Tech Ltd.
Credits:
Special thanks go to Dr. Brian Gladman, whose AES implementation we used as the basis for building our AES encryption drivers.

2 Getting started

This chapter explains how to prepare for, and perform, your Sophos SafeGuard Disk Encryption installation successfully.

2.1 Preparing for installation

You must make some preparations prior to installation: please read the following list carefully and ensure that you comply with all the points.
General Preparations
Close all open applications.
Ensure that there is enough free hard disk space.
Preparations for encryption
Create a complete back up of your data.
All the hard disks that are to be encrypted must already be connected to the PC and switched on before Sophos SafeGuard Disk Encryption is installed.
The partitions on your hard disk should be completely formatted and should have a drive letter assigned to them.
Check hard disk(s) for errors with this command:
chkdsk %systemdrive% /F /V /L /X
In some cases you might be prompted to restart the computer and run chkdsk again. You will find more information on this subject in the knowledgebase:
http://www.sophos.com/support/knowledgebase/article/57554.html.
If the boot partition has been converted from FAT to NTFS and the system has not been rebooted since, do not install Sophos SafeGuard Disk Encryption yet. In this case the installation may not complete, because the file system was still FAT at the time of installation while NTFS is found when it is activated. Reboot the machine once before installing Sophos SafeGuard Disk Encryption.

2.2 User interface language

If you start the installation via "setup.exe", the user interface language used during and after the installation of Sophos SafeGuard Disk Encryption is the one set using the Regional Options in the Control Panel. Sophos SafeGuard Disk Encryption supports German, English and French. If, for example, "German" is the current Regional Option, the user interface is displayed in German. The same applies for "English (United States)" and "French".
The online help is always available in whatever language you selected during installation. If you change the Regional Options you do not change the language in which the online help is displayed.
If you start the installation via the msi file, the user interface language is always English. To support other languages (French/German) you must perform a number of "transforms". The Windows Installer uses transform files to automatically toggle the installation package to the new language. The following transform files are currently available:
SDE_f.mst (for French) and SDE_g.mst (for German).
To change the language in which text appears during installation, run this command before installation:
msiexec /I <MSI package> TRANSFORMS=<transform file>
For example, for a German-language installation you must execute this command line:
msiexec /I SDE.msi TRANSFORMS=SDE_g.mst
Note that the TRANSFORMS parameter must always be written in capital letters!
To simplify installation you can use the setup.exe file, which automatically selects the language for the Installation Wizard and runs SDE.msi. SDE.msi uses the Setup.ini file, in which additional parameters can be defined, provided they are entered using the syntax CmdLine= {Parameter1, Parameter2,..}.
Note: When using setup.exe the parameter TRANSFORMS is not supported.
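As an added example (not code from the Sophos help or from the product), the following PowerShell script automates the two steps described above: it applies the file-system and free-space checks from the preparation list in 2.1 and then runs the msiexec command from 2.2, choosing the transform from the Windows UI language, which is what the help says setup.exe does automatically. It assumes that SDE.msi, SDE_g.mst and SDE_f.mst lie in one directory ($PackageDir; the UNC path in it is a constructed placeholder), that it runs with administrator rights, and it uses the standard msiexec switches /qn (silent) and /L*v (verbose log), which the help does not mention. The function names are this example's own.

```powershell
# Added example, not part of the Sophos help or product.
# Assumptions (constructed for this example): SDE.msi, SDE_g.mst and SDE_f.mst
# sit together in $PackageDir; the script runs elevated on the target PC.

function Get-SdeTransform {
    # Map the Windows UI language to the transform files the help names
    # (SDE_g.mst for German, SDE_f.mst for French). Any other language gets
    # no transform and therefore the MSI's built-in English.
    param([string]$LanguageCode = (Get-UICulture).TwoLetterISOLanguageName)
    $map = @{ 'de' = 'SDE_g.mst'; 'fr' = 'SDE_f.mst' }
    if ($map.ContainsKey($LanguageCode)) { return $map[$LanguageCode] }
    return $null
}

function Test-SdePrerequisites {
    # System partition must be NTFS or FAT32 (section 1.3) and have free space
    # (section 2.1). 25 MB is the product's stated footprint; the 200 MB margin
    # is this example's own choice.
    param([string]$Drive = $env:SystemDrive, [int64]$MinFreeBytes = 200MB)
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    if (-not $disk) { throw "Drive $Drive not found." }
    if (@('NTFS', 'FAT32') -notcontains $disk.FileSystem) {
        throw ('Unsupported file system on {0}: {1} (NTFS or FAT32 required).' -f $Drive, $disk.FileSystem)
    }
    if ([int64]$disk.FreeSpace -lt $MinFreeBytes) {
        throw ('Not enough free space on {0}: {1:N0} bytes free.' -f $Drive, $disk.FreeSpace)
    }
    return $true
}

function Install-Sde {
    param(
        [string]$PackageDir = '\\fileserver\share\SDE',              # constructed UNC placeholder
        [string]$LogFile    = (Join-Path $env:TEMP 'SDE_install.log')
    )
    Test-SdePrerequisites | Out-Null

    # "msiexec /I <package> TRANSFORMS=<transform>" is the form given in the help.
    # TRANSFORMS must stay in capital letters: MSI property names are case-sensitive.
    $msiArgs = @(
        '/I', ('"{0}"' -f (Join-Path $PackageDir 'SDE.msi')),
        '/qn',                                   # silent install
        ('/L*v "{0}"' -f $LogFile)               # verbose Windows Installer log
    )
    $mst = Get-SdeTransform
    if ($mst) { $msiArgs += ('TRANSFORMS="{0}"' -f (Join-Path $PackageDir $mst)) }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host 'Installed. Restart the computer to reach Pre-Boot Authentication and start initial encryption.' }
        3010    { Write-Host 'Installed. Windows Installer requests a reboot (exit code 3010).' }
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogFile" }
    }
    return $proc.ExitCode
}
```

Run Install-Sde -PackageDir '\\server\share\SDE' from an elevated prompt. Because the script calls msiexec directly rather than setup.exe, the TRANSFORMS property is honoured; as the help notes, setup.exe ignores it. The chkdsk step from 2.1 is deliberately left to be run beforehand, since on the system drive it may require its own reboot.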

3 Local installation

In a local installation, Sophos SafeGuard Disk Encryption is installed on a single stand-alone computer. To perform a local installation, follow these steps.
The user who is to install Sophos SafeGuard Disk Encryption must be logged on with Windows Administrator rights, as it will be necessary to access the hard disk, and install drivers and system services that also require administrator rights.

3.1 Installing Sophos SafeGuard Disk Encryption

Do as follows:
1. Log on to your computer as an administrator.
2. Using the web address and download credentials provided by your system administrator, go to the Sophos website and download the standalone installer for your version of Windows.
3. Locate the installer in the folder where it was downloaded. Double-click the installer. In the installer window, click Install to extract the installer’s contents to your computer and start the installation wizard. The Sophos SafeGuard Disk Encryption Installer guides you through the necessary steps.
4. Accept the default on the next dialogs.
5. In Select Installation Type, select which type of installation you would like to carry out and click Next. The following installation types are available.
Distribution to networked computers
This installs the Administration Tools you use to automate the installation of Sophos SafeGuard Disk Encryption on computers on your network.
Distribution and Encryption
This installs the Administration Tools and Sophos SafeGuard Disk Encryption with Pre-Boot Authentication and encryption of partition C: by default, as well as Secure Automatic Logon to Windows (SAL). The computer will be encrypted and you will have to restart it after installation.
Encryption on this computer
This installs Sophos SafeGuard Disk Encryption with Pre-Boot-Authentication enabled and encryption of partition C: by default, as well as Secure Automatic Logon to Windows (SAL). The computer will be encrypted and you will have to restart it after installation.
Custom
This enables you to select all of the above features separately. Additionally you may install the feature FIPS mode.
The next steps depend on your choices taken in Select installation type.
If you have chosen an installation involving encryption ...
You are prompted to enter and confirm passwords for the pre-defined Sophos SafeGuard Disk Encryption user types system user (SYSTEM) and default user (USER). These are the passwords that will be used to access the computer. The passwords must correspond to the Sophos SafeGuard Disk Encryption password rules.
The password for the default user (USER) is the initial password the default user needs to log on to their computer once Sophos SafeGuard Disk Encryption is installed. The default user is prompted to change it at first logon to Sophos SafeGuard Disk Encryption.
The SYSTEM password is needed by the system user. The system user is the administrator with the top-level administrative rights. The SYSTEM password is needed for administrative tasks and to change user settings.
Note: Please remember the passwords that are entered here. Make a note of the SYSTEM password and keep it in a safe place! If you lose it you will not be able to access your computer any more in case of an emergency!
The default encryption and security settings (encryption of partition C: and activated Pre-Boot Authentication and Secure Automatic Logon to Windows) are set automatically.
To use the default configuration settings, just click Next to finish the installation. Then carry out post-installation tasks on your computer (see Carry out post-installation tasks on page 17).
To change or display the default configuration for general, encryption and user settings, check Show Advanced Settings. Then click Next. If necessary, make the required changes in the Workstation Configuration dialogs.
If you have chosen an installation of type Distribution to networked computers ...
Click Next to finish the installation. Then create a configuration file for unattended installation to deploy Sophos SafeGuard Disk Encryption on computers on your network (see Configuration File Wizard on page 42).
If you have chosen an installation of type Custom ...
Select the desired features and click Next to continue.

3.1.1 Sophos SafeGuard Disk Encryption installable features

The following table shows the available features of Sophos SafeGuard Disk Encryption and describes which installation type they are included in. This dialog is displayed when you have selected an installation of type Custom.
Installation type: Distribution to networked computers
Installed feature: Administration Tools
Configuration File Wizard: Automates the installation, configuration and uninstallation of Sophos SafeGuard Disk Encryption. Administrative tasks such as changing an existing Sophos SafeGuard Disk Encryption installation can be triggered using configuration files (see Creating a new configuration file on page 42).
Response Code Wizard: Wizard permitting help desk staff to grant certain permissions to users for specific actions (for example, set new password), even if the administrator is not present (see Remote maintenance (Challenge/Response) on page 119).
Installation type: Encryption on this computer
Installed feature: Encryption
This installs Sophos SafeGuard Disk Encryption with Pre-Boot Authentication enabled and encryption of partition C: by default. Partition C: will be encrypted and you will have to restart the computer after installation.
Secure Auto Logon (SAL): Remembers the Windows credentials used in initial logon so that you only need to enter the Sophos SafeGuard Disk Encryption logon data in Pre-Boot Authentication to log on to the computer (see Secure Automatic Logon (SAL) on page 87).
Emergency Disk Wizard: Supports you in creating bootable emergency media that contains the system kernel backup and several emergency files to help you resolve Sophos SafeGuard Disk Encryption errors and access the computer again. Installed by default with Encryption.
Installation type: Distribution and Encryption
All of the above features are installed.
Installation type: Custom
Select any of the above features and/or additionally:
FIPS Mode: Guarantees that Sophos SafeGuard Disk Encryption runs in accordance with FIPS 140-2 Level 1 (see FIPS 140-2 (Level 1) certification on page 106).

3.2 Carry out post-installation tasks

If you have chosen an installation involving encryption, carry out the following tasks on your computer after installation.
1. Restart your computer. The Windows logon dialog is displayed.
2. Enter your Windows credentials.
3. Restart the computer for a second time. The Sophos SafeGuard Disk Encryption Pre-Boot Authentication is displayed.
4. Enter the Sophos SafeGuard Disk Encryption user password defined during installation.
5. You are prompted to change this password.
6. You are prompted to enter your Windows credentials again.
7. Confirm that you want to use Secure Automatic Logon to Windows to be logged on to Windows automatically. You are logged on to your computer.
What will happen next?
Initial encryption
Encryption of hard disk partition C: will start automatically by default. This will take some time. A progress indicator will be displayed. You may continue working at the computer.
Automatic kernel backup
The system kernel will be backed up automatically without the user noticing, see Automatic system kernel backup on page 129. The system kernel contains the drivers for Sophos SafeGuard Disk Encryption and the master boot record. You may carry on working at the computer.
Automatic pass-through to Windows
If you have confirmed to use Secure automatic logon to Windows: Next time you start the computer, you will only have to enter your Sophos SafeGuard Disk Encryption user password at the Pre-Boot Authentication and will be automatically passed through to Windows.

3.3 Initial encryption

In a default installation involving encryption, hard disk partition C: will be encrypted automatically. The encryption procedure runs entirely in the background, i.e. you can continue working at your computer throughout the encryption process. Allow between 20 and 30 minutes for Sophos SafeGuard Disk Encryption to perform initial encryption on 10 GB of data, with AES-256, on a modern notebook.
The encryption status screen is displayed: it shows the encryption progress of a drive, the encryption progress of all drives, and the encryption speed. If very small partitions are being encrypted, the screen may not be displayed.
If the computer is shut down before initial encryption is complete ...
If the system has not yet finished encrypting the hard disk partition when a session is ended, the computer ALWAYS reboots directly from the hard disk. It is not possible to boot from a system floppy disk in this case. This also applies to the first restart after encryption has completed.
Do not interrupt the initial encryption of "Hot-Pluggable" hard disks.
"Hot-pluggable" is the term used to describe USB hard disks that can be connected and disconnected without the need to reboot the computer. You must not interrupt the initial encryption of hot-pluggable hard disks.
Do not change the partitioning on the hard disk.
If the first hard disk partition was encrypted, do not add or remove partitions! To reorganize the first hard disk drive, uninstall Sophos SafeGuard Disk Encryption (=decrypt the first hard disk drive), create/remove partitions and re-install Sophos SafeGuard Disk Encryption again.
Note: For further information on hard disk encryption see About hard disk encryption on page 61.
Note: If, for any reason, the initial encryption fails and the computer cannot be booted any more, please contact technical support.

3.3.1 Defining encryption speed

The default setting for the encryption speed is 100%, but you can use the regulator to adjust this. The higher the selected percentage, the faster encryption takes place.
If you use the regulator to reduce the encryption speed, Sophos SafeGuard Disk Encryption does not save the reduced encryption speed. After the workstation is rebooted, encryption starts again at full speed (100%).
Changing encryption speed settings in the administrative template
The CPU settings can also be switched on or off via a policy in the SafeGuard administrative template (see Changing frequently-used settings with the administrative template on page 54).
You will find this policy in Computer configuration\Administrative templates\SafeGuard\SDE.
On the Properties tab of the "SDE" policy the "Default CPU usage for encryption" and "CPU usage for encryption changeable" options are provided for this purpose.

4 Central installation

Administrators can set up the entire configuration for user PCs as part of central software distribution.
To do so, an Administrator creates a file on their PC that contains all necessary Sophos SafeGuard Disk Encryption settings for the user PCs. This file is called "configuration file". The configuration file is used to install Sophos SafeGuard Disk Encryption on the user PCs. You can always make changes to the Sophos SafeGuard Disk Encryption configuration later via other configuration files. Sophos SafeGuard Disk Encryption can be installed in an environment in which Active Directory is also installed, or not.
For information on creating configuration files, see Configuration File Wizard on page 42.

4.1 Installation with Active Directory

You install Sophos SafeGuard Disk Encryption on computers in an Active Directory environment by adding a (modified) MSI package (SDE.msi) to the software distribution function of a group policy object (GPO).
You may only modify the MSI file by creating a so-called "Transform" file (MST). To do this, you need an editor that can edit MSI files, for example ORCA. ORCA is provided in the Microsoft Windows Installer Software Development Kit (SDK).
Note: Please refer to the appropriate Microsoft documentation to learn more about modifying MSI files with ORCA.

4.1.1 Prerequisites

All the devices on which installation is to be performed must first have been added to the organizational unit for which the configured GPO (group policy object) is used.
Client PCs are assigned to the directory domain for central software distribution, and a computer account has been set up and is active for each PC.
There is enough disk space available on the system partition.

4.1.2 Deploying MSI files

To do this:
1. Share a local drive on the Administrator’s PC (remove the write-protection) and copy all the required .msi files to this drive. Ensure that the clients can access the shared drive!
2. In Windows, click Start\Settings\Control Panel\Administrative Tools. There, select Active Directory users and computers.
3. Right-click a domain or organizational unit and select Properties.
4. Select the Group Policy tab in the Properties dialog.
5. Create a new group policy object (e.g. "GPO installation") by clicking New.
6. Click Edit.
7. Windows displays the "GPO installation" group policy.
8. Select Computer Configuration\Software Settings\Software Installation. In the Software Installation’s context menu, create a link to the file server that will deploy the software packages.
Hint: Only add msi packages to the Software installation of the Computer Configuration. Installations via User Configuration are not supported.
9. Right-click Software installation and then select New and Package.
10. Select one (or more) .msi files from the shared directory. Load the files from the real network path (UNC path)!
11. When you have confirmed all the prompts, Windows adds the .msi file to the group policy object’s installation routine.
12. Close the dialog.
13. If you want the operating system language to be ignored on the client side, open the context menu of the installed .msi package and select Properties\Deployment\Advanced\Ignore language when deploying that package.
The "GPO installation" group policy object will now be used on all computers/users present within the domains of an organizational unit. The next time these workstations are rebooted, the packages will be installed on the target computers unattended.
Before rebooting the connected PCs, please check that:
the computers designated for installation have also been added to the organizational unit for which the GPO is configured.
the computers are attached to the directory domain used for central software distribution. In addition, an active computer account for the client PCs must have been created on the domain.
there is enough space available on the system partition.

4.2 Installation without Active Directory

To install Sophos SafeGuard Disk Encryption without an Active Directory environment you need software distribution programs from third-party suppliers.
1. Use your own tools to create and distribute an installation package to be installed on the end user computers. The package must include:
installation package SDE.msi which you will find in the downloaded product folder.
generated base configuration file Install.cfg
a script with the command line for the pre-configured installation
2. Create a folder Software on the administrator computer to use as a central store for all applications.
3. Create the script.
4. Distribute the installation package to the end user computers.
5. Communicate the default SDE user password to the end users and inform them about post-installation tasks.

4.2.1 Command line syntax for unattended installation

If you want to install Sophos SafeGuard Disk Encryption without Active Directory, use the MSIEXEC program. MSIEXEC comes as standard with Windows 2000 and Windows XP. If the system administrator creates configuration files, this installation program is used to apply them automatically. In this program the system administrator can specify both the source and the target for installation, so that a uniform installation can be performed on a number of PCs.
Command line syntax
msiexec /i <path+msi Package Name> /qn ADDLOCAL=ALL | <features> <setup parameters+configuration file>
The command line syntax contains the following information:
parameters used by Windows Installer that, for example, log warnings and error messages in a file during installation.
Sophos SafeGuard Disk Encryption features that are to be installed with a Sophos SafeGuard Disk Encryption package (for example, Response Code Wizard).
Sophos SafeGuard Disk Encryption’s own parameters, used, for example, to specify which configuration files are to be used.
a configuration file, for an installation with the "Installation" property.
Example:
msiexec /i C:\Software\Sophos\SDE.msi /L*VX \\%distributionserver%\Sophos\%computername%_SDE_inst.log CFGFILE=C:\Software\Sophos\Install.cfg /QN
Sophos SafeGuard Disk Encryption is installed with the default feature set in the default installation folder C:\Program Files\Sophos\SafeGuard Disk Encryption.
The log file SDE_inst.log (prefixed with the computer name) is created on the network share.
The pre-configured settings for Sophos SafeGuard Disk Encryption are stored in the Install.cfg configuration file.

4.2.2 Selected options used by Windows Installer

Hint: Run msiexec.exe from the Windows command prompt. The system then displays all available Windows Installer options.
/i <path + file name>
Installs the Sophos SafeGuard Disk Encryption installation package from the specified storage location to the default installation directory C:\Program Files\Sophos\SafeGuard Disk Encryption.
The following is installed by default: encryption of partition C: including activation of the Pre-Boot Authentication and Secure Automatic Logon to Windows.
/qn
Installs without user interaction and does not display a user interface.
ADDLOCAL=
Lists the features that are to be installed. If this parameter is not specified, the default features Pre-Boot Authentication, partition encryption and Secure Automatic Logon are installed. For a complete list of feature names and their parents, see Sophos SafeGuard Disk Encryption installable features on page 26.
Note: List the individual features, separated only by a comma, with no additional blank spaces. Ensure you spell the names of individual features using the correct upper and lower case letters. If you select a feature you must also add all the parent features to the command line!
ALL
Installs all available features.
REBOOT=Forcerestart | NORESTART
Forces or prevents a restart after installation. If you do not specify a value, a restart is forced after installation (default = Force).
/L*VX <path + file name>
Logs all warnings and error messages in the specified log file and creates a log file that can be analyzed automatically with wilogutl.exe.
To always be able to access the installation log file when you deploy the encryption software on the end user computers, make sure you save it to a UNC path on the network.
V expands the logging option to verbose mode.
To log error messages only, use the parameter /Le <path + file name>.
Installdir=<folder>
Specifies the folder in which Sophos SafeGuard Disk Encryption is installed. If you do not specify a value, the default installation folder is used: <SYSTEM>:\Program Files\Sophos.

4.2.3 Sophos SafeGuard Disk Encryption installable features

The following tables show all the Sophos SafeGuard Disk Encryption features that can be installed automatically with the Sophos SafeGuard Disk Encryption’s .msi file. They are exactly the same as the features that can be selected during a Custom stand alone installation.
Features that can be installed with SDE.msi
Feature | Feature Parent | Description
Encryption | SDE | Installs a working Sophos SafeGuard Disk Encryption (incl. SafeGuard GINA). PBA is installed and partition C: will be encrypted by default.
SGSAL | Encryption | Installs SAL, Secure Automatic Logon, which enables pass-through to Windows.
FIPS | Encryption | Installs FIPS mode.
AdmTools | SDE | Installs the administration tools (Configuration File Wizard, Response Code Wizard).
CfgWiz | AdmTools | Installs the Configuration File Wizard.
RcWiz | AdmTools | Installs the Response Code Wizard.

4.2.4 Sophos SafeGuard Disk Encryption setup parameters

Hint: You must use upper case letters to enter all the parameters in the command line syntax.
AUTOBACKUP=0|1
Specifies whether the Emergency Disk Wizard is to run automatically, to generate a system kernel backup, after a successful installation. By default it runs automatically (AUTOBACKUP=1).
CFGFILE=<configuration file>
This parameter specifies the complete name of a Sophos SafeGuard Disk Encryption configuration file for an installation.
PARTCHECK=0|1
Specifies whether the partition types present support known file systems (FAT32, NTFS). If the partition type is unknown, the installation is cancelled. By default the check is active (PARTCHECK=1).
GINASYS=0|1
Specifies whether the SafeGuard GINA system is to be installed to control Windows logon. The default setting is that SafeGuard GINA is installed (GINASYS=1).
Notice: We recommend that you always implement the SafeGuard GINA. The SafeGuard GINA system is an important element of Sophos SafeGuard Disk Encryption. A missing GINA might impair future migrations. If you do not install the SafeGuard GINA, some Sophos SafeGuard Disk Encryption functions will not be available after installation:
The dialog for encryption/decryption (ECVIEW) will not be displayed if the user is not logged on.
SAL logon does not work.
Windows logon cannot be blocked with active Wake-On-LAN.
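As an added example (not Sophos code), the following Python helper assembles the unattended command line described in sections 4.2.1 to 4.2.4 the way the text demands it: parent features are added automatically from the feature table, feature names keep their exact case and are comma-separated without blanks, the log goes to a UNC path, and the setup parameters are passed in upper case. The feature map is taken from the table above; treating the root SDE as implicit (not listed in ADDLOCAL) and the parameter defaults are assumptions.

```python
# Added example, not part of the Sophos documentation or product.
# Feature -> parent map from "Features that can be installed with SDE.msi".
FEATURE_PARENTS = {
    "Encryption": "SDE",
    "SGSAL": "Encryption",
    "FIPS": "Encryption",
    "AdmTools": "SDE",
    "CfgWiz": "AdmTools",
    "RcWiz": "AdmTools",
}

def resolve_features(requested):
    """Return the ADDLOCAL list: each requested feature plus all of its parents,
    parents listed first, spelling kept exactly (feature names are case-sensitive).
    Assumption: the root 'SDE' is not itself listed in ADDLOCAL."""
    resolved = []
    for name in requested:
        if name not in FEATURE_PARENTS:
            raise ValueError(f"unknown feature name (check spelling and case): {name}")
        chain = []
        while name != "SDE":            # walk up the parent chain to the root
            chain.append(name)
            name = FEATURE_PARENTS[name]
        for feat in reversed(chain):    # parent before child, no duplicates
            if feat not in resolved:
                resolved.append(feat)
    return resolved

def build_msiexec_cmd(msi_path, cfg_file, features=None,
                      log_dir=r"\\%distributionserver%\Sophos",
                      autobackup=1, ginasys=1, reboot="Forcerestart"):
    """Compose the msiexec command line of section 4.2.1: /QN for a silent run,
    /L*VX writing a per-computer log to a UNC share, ADDLOCAL=ALL unless specific
    features are requested, and the SDE setup parameters in upper case."""
    addlocal = "ALL" if not features else ",".join(resolve_features(features))
    log_file = log_dir.rstrip("\\") + r"\%computername%_SDE_inst.log"
    return (f'msiexec /i "{msi_path}" /QN /L*VX "{log_file}" '
            f"ADDLOCAL={addlocal} CFGFILE={cfg_file} "
            f"AUTOBACKUP={autobackup} GINASYS={ginasys} REBOOT={reboot}")

if __name__ == "__main__":
    # Constructed paths matching the example in section 4.2.1.
    print(build_msiexec_cmd(r"C:\Software\Sophos\SDE.msi",
                            r"C:\Software\Sophos\Install.cfg", ["SGSAL", "RcWiz"]))
```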

5 Troubleshooting an installation with SGEInteg

If the initial installation has not been successful despite the fact that all preparations have been followed, you may use the repair program SGEInteg to troubleshoot the installation. SGEInteg reports both repairable and fatal errors.
You can run the repair program SGEInteg from the product folder.
Useful SGEInteg parameters
You may call the following useful parameters:
SGEINTEG [/?] [/c] [/v]
/?
Help. Displays all parameters.
/c
Starts the analysis of the file system.
/v
Activates verbose mode. Verbose mode displays more detailed status/error messages on screen.
Example
sgeinteg.exe /c /v > C:\Software\SGEInteg.log
The repair program SGEInteg is called.
The file system is analyzed.
Detailed status and error messages are stored in the specified log file.

6 Uninstallation

The uninstallation of Sophos SafeGuard Disk Encryption has the following effects:
All formerly encrypted areas of the hard disk(s) are decrypted.
Pre-Boot Authentication is removed.
The original Windows logon appears again if SAL was installed.
All Sophos SafeGuard Disk Encryption files are deleted.
All Sophos SafeGuard Disk Encryption registry entries are removed.
By default, Sophos SafeGuard Disk Encryption can only be uninstalled by the SYSTEM user. If another person has been granted the uninstall right, this person can also carry out an uninstall.
Do not attempt to remove Sophos SafeGuard Disk Encryption by simply deleting the files. If Sophos SafeGuard Disk Encryption is not uninstalled correctly, its registry entries will remain. This may prevent Sophos SafeGuard Disk Encryption from being re-installed. In this case you must re-install your operating system.

6.1 Local uninstallation

Select Start\Settings\Control Panel\Add/Remove Programs and then "Sophos SafeGuard Disk Encryption".
If you select Remove and click Next in the welcome screen, you reach the Logon to Sophos SafeGuard Disk Encryption dialog.
The user who wants to uninstall the program is prompted to enter their Sophos SafeGuard Disk Encryption user name and password. This user must have the right to remove Sophos SafeGuard Disk Encryption. After entering the correct user data, click Next and confirm the security check. Sophos SafeGuard Disk Encryption will be removed automatically.

6.2 Uninstall with Challenge/Response

If a Sophos SafeGuard Disk Encryption user is not authorized to uninstall Sophos SafeGuard Disk Encryption, according to their user profile, the Administrator can assign them this right by using the Challenge/Response procedure. To do this, the user and the administrator exchange a challenge code and a response code.
The person generating the response code (Administrator) must know a Sophos SafeGuard Disk Encryption user profile on the user PC that is permitted to uninstall Sophos SafeGuard Disk Encryption. This user profile must also always have at least the same rights as the user, on the user’s computer.
How to uninstall Sophos SafeGuard Disk Encryption with Challenge/Response:
1. The user initiates the uninstall procedure (see Local uninstallation on page 29) and reaches the Logon to Sophos SafeGuard Disk Encryption dialog.
2. In Logon to Sophos SafeGuard Disk Encryption dialog, they enter their Sophos SafeGuard Disk Encryption data, request the challenge code and use the telephone, SMS or e-mail to pass it to the administrator.
[Figure: Challenge/Response uninstall flow. 1. Enter SDE credentials; 2. Request challenge code; 3. Pass on to administrator; 4. Enter response code from administrator]