Sophos SAFEGUARD Software Manual

Professional IT-Security for your Corporation
SafeGuard® RemovableMedia
Version 2.00
www.utimaco.com
Windows XP
Windows Vista
What is SafeGuard RemovableMedia? .......................................... 1
1.1 Supported media........................................................................................... 2
Installation........................................................................................ 3
2.1 Interactive installation .................................................................................. 3
2.2 Installation without user interaction ........................................................... 4
2.2.1 Installation program components ..................................................... 5
2.2.2 Key distribution via Setup (console)................................................. 5
Quick Start: You want to ................................................................ 6
3.1 Secure data on your removable media ....................................................... 6
3.2 Exchange data securely using removable media ...................................... 8
3.3 Enforce the exclusive use of encrypted data on removable media ....... 10
Detailed description ...................................................................... 12
4.1 The control dialog ....................................................................................... 13
4.1.1 Configuring SafeGuard RemovableMedia ...................................... 14
4.2 List of removable devices .......................................................................... 14
4.3 Encrypt new and modified files ................................................................. 15
4.4 Keys.............................................................................................................. 15
4.5 Manage/Manage Keys................................................................................. 16
4.5.1 Creating keys .................................................................................... 17
4.5.2 Importing key from file ..................................................................... 18
4.5.3 Setting a key to passive ................................................................... 19
4.5.4 Backup ............................................................................................... 19
4.5.5 Restore............................................................................................... 20
4.6 Selecting keys ............................................................................................. 21
4.7 Encrypt existing files .................................................................................. 22
4.8 Allow access to plain files.......................................................................... 22
4.9 Use these settings for all new drives except CD/DVD ............................. 22
4.10 Private store ’My Safe’ ................................................................ 23
4.10.1 Activating private store ’My Safe’ ................................................... 23
4.10.2 Unlocking and locking private store ’My Safe’ .............................. 24
4.11 Tray icon ...................................................................................................... 24
4.12 SafeGuard RemovableMedia and DVD/CD-RW drives............................. 25
4.12.1 Writing encrypted files to CD using the Windows CD Writing Wizard ........................................... 25
4.12.2 Windows Vista................................................................................... 26
4.13 Explorer extensions .................................................................................... 27
SafeGuard Portable ....................................................................... 28
5.1 Editing files using SafeGuard Portable..................................................... 29
5.1.1 Setting encryption keys ................................................................... 30
5.1.2 Encrypting ......................................................................................... 30
5.1.3 Decrypting ......................................................................................... 31
5.1.4 Encrypting new files using SafeGuard Portable ............................ 31
5.1.5 Encryption state ................................................................................ 31
5.1.6 Open................................................................................................... 32
5.1.7 Delete ................................................................................................. 32
5.1.8 Copy to............................................................................................... 32
5.1.9 Exit ..................................................................................................... 32
Administration ............................................................................... 33
6.1 Settings ........................................................................................................ 33
6.1.1 Key handling ..................................................................................... 34
6.1.2 Local file encryption ......................................................................... 34
6.1.3 Floppy drive....................................................................................... 34
6.1.4 Event log............................................................................................ 35
6.1.5 Drive policy (under Drive policy node) ........................................... 35
6.1.6 Force control dialog ......................................................................... 36
6.1.7 Allow default settings ....................................................................... 36
6.1.8 Plain directory ................................................................................... 36
6.1.9 File types to be encrypted................................................................ 37
6.1.10 Copy SafeGuard Portable ................................................................ 37
6.1.11 Enforce policy selection................................................................... 37
6.1.12 Control dialog (under Control node) ............................................... 37
6.1.13 Overlay Icon ...................................................................................... 38
6.1.14 Explorer extensions.......................................................................... 38
6.1.15 Tray Icon ............................................................................................ 38
6.2 SafeGuard RemovableMedia management API ....................................... 39
6.3 SafeGuard RemovableMedia console application ................................... 39
What is SafeGuard RemovableMedia?

1 What is SafeGuard RemovableMedia?

SafeGuard RemovableMedia is a software package with which you can encrypt data on any removable medium connected to your computer. It uses file-based encryption built on the AES-256 algorithm and runs exclusively on your computer; no additional software needs to be installed on the removable medium. All encryption and decryption tasks run transparently on your computer with minimal user interaction.
As soon as you connect a removable medium to your computer, it is identified by SafeGuard RemovableMedia and a dialog appears in which you can decide how to handle the data on it. If you decide to allow only encrypted access to the removable medium, SafeGuard RemovableMedia will prompt you to create a key. This key is then used to encrypt the data on the medium. Only the person who owns this key can read the content of the encrypted files on the removable medium. All subsequent encryption tasks run transparently. For the user, transparent encryption means that all data stored in an encrypted format is automatically decrypted when it is opened by an application. When the file is saved, it is automatically encrypted again. During your everyday tasks, you will be unaware that you are working with encrypted data. However, if you disconnect the removable medium, the files on it remain encrypted and are therefore protected against unauthorized access. Unauthorized users may be able to access these encrypted files physically. But unless they have SafeGuard RemovableMedia and the corresponding key they will not be able to read them.
CHAPTER
1
When you install SafeGuard RemovableMedia on your computer, the default setting is to prohibit access to any removable media until you tell SafeGuard RemovableMedia how to handle the files on the removable medium. You do this in the dialog which appears when you connect a removable medium to your computer. You can configure SafeGuard RemovableMedia to only allow encrypted files on removable media. In this case, all files already stored on the particular medium will be encrypted and all files which are saved to the medium after this will be stored there in encrypted format. If you decide not to encrypt all existing files, you can allow access to unencrypted files which are already stored on the medium. In this case SafeGuard RemovableMedia will not encrypt the unencrypted files it finds when you connect removable media to the system, but it will encrypt all new files you store on this media. As a result, you can read plaintext files that are present on the removable media, but they are encrypted as soon as you save them there.
You can also use SafeGuard RemovableMedia to exchange encrypted files that are already present on the removable medium. There are two ways to do this:
1. The recipient of these files has SafeGuard RemovableMedia installed on their computer and has already received the key from you.
2. Along with the encrypted data, the recipient also receives the SGPortable.exe file located on the removable medium. The recipient can then use SafeGuard Portable and the corresponding key to decrypt and re-encrypt the encrypted files without having to install SafeGuard RemovableMedia on their machine.
SafeGuard RemovableMedia 1
SafeGuard RemovableMedia offers companies a means of enforcing specific company policies concerning the use of removable media. For example, it can be configured in such a way as to make it mandatory to store data on removable media in encrypted form only and therefore ensure that no plaintext data leaves the company. You can even predefine which keys are to be used. Company policies are enforced by using an administrative template, which is used to grant or deny certain rights to users.
SafeGuard RemovableMedia supports the use of what is known as a "key ring". A user can own several keys which they then use to encrypt or decrypt data. The files on removable media can be encrypted with different keys.
Although SafeGuard RemovableMedia is a simple and easy-to-use tool it is nevertheless extremely powerful and can be used in many ways.

1.1 Supported media

SafeGuard RemovableMedia supports the following removable media:
USB sticks
USB hard disks
CD-RW drives (UDF)
DVD-RW drives (UDF)
FireWire
Diskettes
Storage cards in USB card readers.

2 Installation

HINT:
You can only install SafeGuard RemovableMedia if you have Windows Administrator privileges.

2.1 Interactive installation

1. To start the interactive installation program, double-click sgrm.msi. An Installation Wizard guides you through the installation of SafeGuard RemovableMedia.
2. The License contract dialog appears. If you accept the terms of this license, select the "I accept the license contract" checkbox and click Next. If you do not accept the license terms, the installation is cancelled.
3. The Infofile dialog appears. SafeGuard RemovableMedia is continually undergoing further development, so your version may include new features that are not described in this manual. The Infofile contains the latest information; read it carefully before you continue with the installation.
4. The target folder window opens. This shows the target folder in which the installation will be performed. You can change this target folder in the next dialog by clicking Select functions. Click Next.
5. This opens the Select function dialog. Here you can select the Target folder in which you want to install SafeGuard RemovableMedia. If you want to perform the installation in a different folder, click Browse... and select the one you want. If you have already installed another of Utimaco’s SafeGuard products, you cannot select a different target folder. Click the Disk Cost button to display all available disk drives on your computer; it shows how much disk space is required to install SafeGuard RemovableMedia and whether your drives have enough free space. In the selection menu on the left, select the SafeGuard RemovableMedia components you want to install:
Client installs the client software with SafeGuard Portable.
Administration installs the administrative documentation, the SafeGuard RemovableMedia console and the SafeGuard RemovableMedia API.
Select the components you want to install on your computer and click Next.
6. In the next window, click Next to start installation.
If the installation is successful, a dialog appears. Click Finish to finish the installation.
HINT:
After installation is complete, you must restart your computer. The next dialog prompts you to do this.

2.2 Installation without user interaction

To perform an installation without user interaction, call the msiexec program from the console with the following parameters:
msiexec /i <path + MSI installation package name> /qn ADDLOCAL=ALL|<components>
/i
Performs an installation.
<path>
Drive letter and folder of the MSI file.
/qn
Does not display a user interface during installation.
ADDLOCAL=
Lists the components that are to be installed.
ALL
Installs all components.
<components>
The components to install (see 2.2.1), separated by commas.
The default installation folder is:
<SYSTEM>:\Programs\Utimaco
Example:
msiexec /i D:\SGRemovableMedia\Version_1.10_Beta\sgrm.msi /qn ADDLOCAL=ALL
After installation is complete, your computer reboots automatically.

2.2.1 Installation program components

RemovableMedia
Installs the SafeGuard RemovableMedia user documentation.
Client
Installs the Client software with SafeGuard Portable.
german
Installs the German language package to allow you to switch the software’s language to German. The default language is English.

2.2.2 Key distribution via Setup (console)

If you want to import an existing key backup file during installation, enter this command on the console. Note where the sgrm.msi file is stored on your computer and enter the correct path.
msiexec /i sgrm_German.msi RMFILE="c:\install\sgrm.rmb" RMFILEPWD="1q2w3e4r"
RMFILE = path and name of the backup key file
RMFILEPWD = password for the backup key file
Note that a password passed on the command line can be read by other users of the machine from the process list while msiexec runs, and it is recorded in any deployment script or installer log that contains the command. Treat the backup file and its password as secrets and do not leave them in shared scripts or logs.
You can use the imported backup key as soon as installation is complete.
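As an added example, not part of the original manual or of the vendor's tooling, the following PowerShell script wraps the unattended installation from section 2.2 and the key-backup import from section 2.2.2 in the form a software-distribution job would use: it builds the msiexec command line, writes a verbose installer log, imports an exported key backup if one is supplied, and interprets the Windows Installer exit code instead of assuming success. The MSI path, log path and backup-file location are assumptions; the ADDLOCAL component names, the RMFILE and RMFILEPWD properties and the reboot requirement are taken from the sections above.

```powershell
# Added example: unattended deployment of SafeGuard RemovableMedia via msiexec.
# Not part of the original manual. Assumed: the MSI is staged at $MsiPath and an
# exported key backup (.rmb, see Manage Keys > Backup) at $KeyBackup. Component
# names (Client, german, RemovableMedia, or ALL) and the RMFILE/RMFILEPWD
# properties are those documented in sections 2.2 and 2.2.2.
param(
    [string]$MsiPath      = 'D:\SGRemovableMedia\sgrm.msi',
    [string[]]$Components = @('Client'),          # @('ALL') installs every component
    [string]$KeyBackup    = '',                   # optional .rmb key backup to import
    [string]$LogPath      = "$env:TEMP\sgrm-install.log"
)

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

# /qn = no user interface, /norestart = suppress the automatic reboot so the
# distribution job can schedule it; the product is only usable after that reboot.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', "/l*v `"$LogPath`"",
             "ADDLOCAL=$($Components -join ',')")

if ($KeyBackup) {
    if (-not (Test-Path -LiteralPath $KeyBackup)) { throw "Key backup not found: $KeyBackup" }
    # Prompt instead of hard-coding the password. Anything on the msiexec command
    # line is visible to other local users via the process list while the install
    # runs; in a fully unattended job, take it from the deployment tool's protected
    # variable store instead of Read-Host.
    $secure = Read-Host -AsSecureString 'Passphrase for the key backup file'
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    $msiArgs += "RMFILE=`"$KeyBackup`""
    $msiArgs += "RMFILEPWD=`"$plain`""
}

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs `
                      -Wait -PassThru -NoNewWindow

# Windows Installer exit codes: 0 = success, 3010 = success but reboot required,
# 1641 = installer initiated a reboot, 1603 = fatal error (details in the log).
switch ($proc.ExitCode) {
    0    { Write-Host "Installed. Reboot before use; log: $LogPath" }
    3010 { Write-Host "Installed. Reboot required; log: $LogPath" }
    1641 { Write-Host 'Installed. The installer initiated a reboot.' }
    default {
        Write-Error "msiexec failed with exit code $($proc.ExitCode). See $LogPath"
        exit $proc.ExitCode
    }
}
```

Run the script from an elevated PowerShell session, since section 2 requires Windows Administrator privileges to install. Because RMFILEPWD travels on the command line, Windows Installer also writes it into the verbose log unless the package declares the property hidden, so keep the log in a protected location and delete it once the deployment has been verified.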

3 Quick Start: You want to ...

The following sections describe three main scenarios which are covered by SafeGuard RemovableMedia. Follow the instructions below to get your system running with the basic settings.
To fine-tune your system, you will find a more detailed description of the different options of SafeGuard RemovableMedia in the chapters that follow.

3.1 Secure data on your removable media

SafeGuard RemovableMedia can be used to secure data stored on your removable media by means of encryption, so that if a medium is lost or stolen, nobody without the key can read the files on it. It can be configured so that all data already stored on the media, and all data written to it after SafeGuard RemovableMedia is installed, is encrypted. Only a person who owns the key used to encrypt the files can access the data. The example below refers to this scenario. You can secure your data in just two steps: specify how SafeGuard RemovableMedia should handle data on the removable media, and create or select a key. To secure the data on your removable media, follow these steps:
1. Install SafeGuard RemovableMedia on your computer.
2. Connect your removable media.
3. SafeGuard RemovableMedia displays a dialog in which you select the access mode.
4. On the left-hand side of the dialog the system displays a list of the drive letters of all removable media.
The drive letters of some removable media are only displayed when they are connected to the system (e.g. USB sticks). If your desired medium is not displayed, connect it to the system. A removable medium may also contain more than one drive. Each drive is displayed separately.
Select the drive letter for which you want to make the settings.
5. To encrypt the data on the medium, select Encrypt new and modified files.
When you select this option, all files that are written to the removable medium will be encrypted. Files that are already stored on the medium stay unencrypted (plain) but you cannot open them (access denied). This option does not affect files that are already stored on the removable medium!
6. To create a key for the selected disk drive, click the Manage... button. The Manage Keys window appears.
7. In the Manage Keys window, click the Create Key button.
8. Then, in the Create Key window, enter a name and a passphrase for the key. Confirm this passphrase and click OK.
9. To encrypt existing files on the removable medium, select Encrypt existing files and Allow access to plain files.
This will immediately encrypt all files stored on the removable medium at this time, so that there are no more unencrypted files on it. Ensure the Allow access to plain files option is also checked, because SafeGuard RemovableMedia needs access to the plain files on the medium in order to encrypt them.
10. Optionally you can select the Use this setting for all new drives except CD/DVD option. If you select this option, you will not have to specify the settings for each of your devices. The specified settings then apply to all removable media, that you connect to your system. They represent a kind of default policy for your system. If you make use of this option, you will not have to complete the dialog when you connect a different removable medium. The settings automatically apply to any connected medium. SafeGuard RemovableMedia distinguishes between CD/DVD and "all other" removable media, so this setting changes to Use this setting for all new CD/DVD drives when you select a CD/DVD drive from the list on the left-hand side.
11. Click OK.
Result: If you selected the Encrypt existing files option, all files on your removable medium are immediately encrypted (initial encryption). If you did not trigger initial encryption, only files that are saved to the medium from now on will be encrypted. All encryption/decryption tasks run transparently in the background; you will not notice that you are working with secured data. Your removable medium is secured by SafeGuard RemovableMedia!
After you have defined how the removable medium is to be handled, SafeGuard RemovableMedia automatically copies an SGPortable.exe file onto it. SafeGuard Portable allows you to exchange encrypted data with recipients who do not have SafeGuard RemovableMedia installed. For further information about this tool, refer to “SafeGuard Portable” on page 28.

3.2 Exchange data securely using removable media

SafeGuard RemovableMedia can be used to exchange files on removable media in a secured way.
There are two ways of exchanging data securely with removable media:
1. The recipient of these files has SafeGuard RemovableMedia installed on their computer and has already received the key from you.
2. Along with the encrypted data, the recipient also receives the SGPortable.exe file located on the removable medium. Using SafeGuard Portable and the corresponding key, the recipient can decrypt the encrypted files and re-encrypt them without having to install SafeGuard RemovableMedia on their machine.
The example used here describes the method in which the recipient has already installed SafeGuard RemovableMedia on their computer. Chapter 5, SafeGuard Portable, contains all the information you need to use SafeGuard Portable.
To exchange data securely, follow these steps:
1. Install SafeGuard RemovableMedia on your computer.
2. Connect your removable medium.
3. SafeGuard RemovableMedia displays a dialog in which you select the access mode.
4. On the left-hand side of the dialog you see a list of the drive letters for all removable media.
Some of these drive letters are only displayed when the removable media are actually connected to the system (e.g. USB sticks). If the drive letter for the medium you want to use is not displayed, connect it to the system. A removable medium may also contain more than one drive. Each drive is displayed separately.
Select the drive letter for which you want to make the settings.
5. In order to encrypt the data on the media, select Encrypt new and modified files.
When you select this option, all files that are written to the removable media will be encrypted. Files that are already stored on the media remain in plaintext but you cannot open them (access denied). This option does not affect files that are already stored on the removable medium!
6. To create a key for the selected disk drive, click Manage...
This opens the Manage Keys window.
7. In the Manage Keys window, click the Create Key button.
8. In the Create Key window, enter a name and a passphrase for the key.
Before you can exchange encrypted files, the person with whom you want to exchange them must own the key that was used to encrypt them. You therefore need to provide the key (key name and passphrase) to this person, over a channel separate from the medium itself, since anyone who learns the passphrase can read every file encrypted with that key. To access the files, the recipient must then add this key to their key ring.
Make sure you remember the key passphrase!
9. After confirming the passphrase click OK.
10. The key now appears in the key list in the control dialog.
If the list contains more than one key, select the one you want.
11. To encrypt existing files on a removable medium, select Encrypt existing files.
This will immediately encrypt all files that are currently stored on the removable medium. As a result this medium will no longer contain any unencrypted files.
12. Alternatively, you can select the Use this setting for all new drives except CD/DVD option. If you do this, you will not need to specify the settings for each of your devices. The specified settings will apply to all removable media you connect to your system. If you select this option, you will not need to complete the dialog when you connect a different removable medium. The settings automatically apply to any medium you connect. If you do not select this option, you can specify different settings. SafeGuard RemovableMedia distinguishes between CD/DVDs and "all other" removable media. Therefore this setting changes to Use this setting for all new CD/DVD drives when you select a DVD/CD-ROM drive in the list on the left-hand side.
13. Click OK.
14. Provide the key (key name and passphrase) to the person with whom you want to exchange data.
They must then enter this data in the SafeGuard RemovableMedia control dialog in order to add this key to their key ring.
15. You can now give your medium to this person.
As SafeGuard RemovableMedia has the correct key, no user interaction is necessary when the recipient connects the media to the system. All encryption and decryption tasks run transparently in the background. This works for all persons who have SafeGuard RemovableMedia installed on their computer and who own the key you used to encrypt your data.
Result: Both persons now own the same key and are therefore able to access the files. Every time you select another key from your key ring and use it to encrypt files, you have to provide that key to the person with whom you want to exchange these files.

3.3 Enforce the exclusive use of encrypted data on removable media

Companies may want to enforce certain security policies. For example, they may decide that every file that enters or leaves the company on removable media must be encrypted. SafeGuard RemovableMedia not only allows the company to ensure that files saved to removable media are always encrypted, it also prevents plaintext files from being brought into the company, by accepting only encrypted files from removable media. This is enforced on client computers through group policy settings defined via the SafeGuard RemovableMedia administrative template. SafeGuard RemovableMedia settings can be specified for computers or for users. To ensure that only encrypted files are used on removable media, proceed as follows:
1. Install SafeGuard RemovableMedia on your client computers.
2. Add the administrative template SGuard.adm to your group policy (under User Configuration). The template is stored in <Installation Drive>\Program Files\Utimaco\ADM.
3. Specify the following setting in the ADM template: activate Encrypt new and modified files under
Computer Configuration\Administrative templates\SafeGuard\RemovableMedia\Drive Policy\Drive Policy
This triggers the encryption of all files that are written to removable media. Files that are already stored on the media remain in plaintext, but users cannot open them (access denied): SafeGuard RemovableMedia does not permit access to plaintext files until you explicitly activate the corresponding option. When SafeGuard RemovableMedia detects a removable medium it displays its control dialog, and users cannot access the medium until they create an encryption key that can be used for it.
4. You can also specify the key that is to be used to encrypt the files on removable media. This takes two steps: specify an encryption key name in the ADM template, then create a key with that name using the sgrmcmd command line tool (see “SafeGuard RemovableMedia console application” on page 39). To specify the key name, go to
Computer Configuration\Administrative templates\SafeGuard\RemovableMedia\Key Handling
and enter a name for the key to be used in the Encryption Key Name field.
5. Use the sgrmcmd command line tool to create a key with this name. sgrmcmd must run on the user’s machine under the user’s account.
With this setting the specified key must be used. As no user interaction was explicitly allowed in the ADM template, the SafeGuard RemovableMedia control dialog does not appear.
Result: Once these settings are made on the client computers, users can only use encrypted files on their removable media. When they connect a medium, SafeGuard RemovableMedia either displays the dialog for selecting a key or, if a key name has been predefined, uses that key for all encryption tasks that involve removable media.
This means the company can be sure that only encrypted files are read from and saved to the users’ removable media.
Users cannot access plaintext files on their removable media.