SafeGuard Easy User help

Product version: 6.1
Document date: January 2014
Contents
1 About Sophos SafeGuard 6.10 ... 3
2 Sophos SafeGuard on Windows Endpoints ... 5
3 Security best practices ... 7
4 Key backup for recovery ... 9
5 SafeGuard Power-on Authentication ... 10
6 Logging on to Windows ... 18
7 Logging on with non-cryptographic smartcards or tokens ... 19
8 Logging on with the Lenovo Fingerprint Reader ... 22
9 Disk encryption ... 30
10 SafeGuard Data Exchange ... 36
11 SafeGuard Cloud Storage ... 48
12 Sophos SafeGuard and self-encrypting, Opal-compliant hard drives ... 50
13 System Tray Icon and tooltips ... 51
14 Accessing functions via Explorer extensions ... 55
15 Recovery options ... 58
16 Recovery with Local Self Help ... 59
17 Recovery with Challenge/Response ... 67
18 Sophos SafeGuard and Lenovo Rescue and Recovery ... 72
19 Technical support ... 78
20 Legal notices ... 79
1 About Sophos SafeGuard 6.10
This version of Sophos SafeGuard (SafeGuard Easy) supports Windows 7 and Windows 8 on
endpoints with BIOS or UEFI.
■ For BIOS platforms administrators can choose between Sophos SafeGuard full disk encryption and BitLocker encryption managed by SafeGuard. The BIOS version comes with the BitLocker-native recovery mechanism.
  Note: If SafeGuard Power-on Authentication or SafeGuard full disk encryption is mentioned in this manual, it refers to Windows 7 BIOS endpoints only.
■ For UEFI platforms BitLocker managed by Sophos SafeGuard (SafeGuard Easy) is the component for disk encryption. For these endpoints Sophos SafeGuard offers enhanced Challenge/Response capabilities. For details on the supported UEFI versions and restrictions to SafeGuard BitLocker Challenge/Response support, please see the Release Notes at http://downloads.sophos.com/readmes/readsgn_61_eng.html.
  Note: Whenever the description only refers to UEFI, it is mentioned explicitly.
The table shows which components are available.

                    SafeGuard full disk       BitLocker with pre-boot    SafeGuard C/R recovery
                    encryption with           authentication (PBA)       for BitLocker pre-boot
                    SafeGuard Power-on        managed by SafeGuard       authentication (PBA)
                    Authentication (POA)
Windows 7 BIOS      YES                       YES
Windows 7 UEFI                                YES                        YES
Windows 8 UEFI                                YES                        YES
Windows 8 BIOS                                YES
Windows 8.1 UEFI                              YES                        YES
Windows 8.1 BIOS                              YES

Note: SafeGuard C/R recovery for BitLocker pre-boot authentication (PBA) is only available on 64 bit systems.
SafeGuard full disk encryption with SafeGuard Power-on Authentication (POA) is the Sophos module for encrypting volumes on endpoints. It comes with a Sophos implemented pre-boot authentication named SafeGuard Power-on Authentication (POA) which supports logon options like smartcard and fingerprint and a Challenge/Response mechanism for recovery.
BitLocker with pre-boot authentication (PBA) managed by SafeGuard is the component that
enables and manages the BitLocker encryption engine and the BitLocker pre-boot authentication.
It is available for BIOS and UEFI platforms:
■ The UEFI version additionally offers a SafeGuard Challenge/Response mechanism for BitLocker recovery in case users forget their PINs. The UEFI version can be used when certain platform requirements are met. For example the UEFI version must be 2.3.1. For details, see the Release Notes.
■ The BIOS version does not offer the recovery enhancements of the SafeGuard Challenge/Response mechanism and also serves as a fallback option in case the requirements for the UEFI version are not met. The Sophos installer checks whether the requirements are met and, if not, automatically installs the BitLocker version without Challenge/Response.
2 Sophos SafeGuard on Windows Endpoints
Sophos SafeGuard uses a policy-based encryption strategy to protect information on endpoints.
Data encryption and protection against unauthorized access are its main security functions. For
end users Sophos SafeGuard is very easy and intuitive to use. The Sophos SafeGuard authentication
system, SafeGuard Power-on Authentication (POA), provides powerful access protection and
offers user-friendly support when recovering credentials.
Administration is carried out with the SafeGuard Policy Editor, which is used to create and manage
security policies and to provide recovery functions. A Sophos SafeGuard protected computer
receives policies in a configuration package created with the SafeGuard Policy Editor. The
configuration package can be distributed with company distribution tools or manually on the
computer.
The following modules are available for Sophos SafeGuard protected computers.
Note: Some of the modules/features are not included in all licenses. For information on what is
included in your license, contact your sales partner.
■ SafeGuard full disk encryption
  SafeGuard Power-on Authentication
  User logon is performed immediately after you switch on the computer. After successful logon at SafeGuard Power-on Authentication you are automatically logged on to the operating system. You can also deactivate SafeGuard Power-on Authentication. In this case user authentication is performed by the operating system.
  Volume-based encryption
  All data on volumes (including boot files, swapfiles, idle files/hibernation files, temporary files, directory information etc.) is encrypted transparently without the user having to change the normal operating procedure or consider security.
■ BitLocker with pre-boot authentication managed by Sophos SafeGuard
  Sophos SafeGuard manages the Microsoft BitLocker encryption engine. On UEFI platforms BitLocker pre-boot authentication comes with a SafeGuard Challenge/Response mechanism, whereas the BIOS version allows you to retrieve the recovery key from the SafeGuard Policy Editor.
■ SafeGuard Data Exchange
  ■ SafeGuard Data Exchange offers easy data exchange with removable media on all platforms without re-encryption.
  ■ File-based encryption.
  ■ All mobile writable media including external hard disks and USB sticks are encrypted transparently.
■ SafeGuard Cloud Storage
  SafeGuard Cloud Storage offers file-based encryption of data stored in the cloud. It makes sure that local copies of your cloud data are encrypted transparently and remain encrypted when they are stored in the cloud.
Note: Some features described in this user help may not be available on your computer. This is
because the features available depend on the policies set by your security officer.
3 Security best practices
By following the simple steps described here, you can keep data on your computer secure and
protected at all times.
Shut down your computer completely or put it into hibernation mode when it is not in use
On Sophos SafeGuard protected computers, encryption keys might be accessible to attackers in
certain sleep modes where the computer's operating system is not shut down properly and
background processes are not terminated completely. Protection is enhanced when the operating
system is always shut down or hibernated properly.
When your computer is not in use or left unattended:
■ Avoid Sleep (Stand-by/suspend) mode as well as Hybrid Sleep mode. Hybrid Sleep mode combines hibernation and sleep.
■ Do not simply lock the desktop and switch off the monitor (or close the lid of your laptop), if this is not followed by a proper shut down or hibernation. Setting an additional prompt for a password when you resume working does not provide sufficient protection.
■ Always shut the computer down or put it into hibernation mode.
Note: It is important that the hibernation file resides on an encrypted volume. Typically it
resides on C:\.
Follow these steps in particular when you use a laptop in public locations like airports.
When the computer is hibernated or shut down properly, SafeGuard Power-on Authentication
is always activated the next time it is used, thus providing full protection.
Choose strong passwords
Strong passwords are a vital part of protecting your data. Use strong passwords, especially for
securing the logon to your computer.
A strong password follows these rules:
■ It is long enough to be secure: A minimum of 10 characters is recommended.
■ It contains a combination of letters (upper and lower case), numbers and special characters/symbols.
■ It does not contain a commonly used word or name.
■ It is hard to guess but easy for you to remember and type accurately.
Change your passwords at regular intervals. Do not share them with anyone or write them down.
Ensure that all drives have a drive letter assigned
Only drives that have a drive letter assigned are encrypted. Consequently, drives without a drive
letter assigned may be abused to leak confidential data in plain text.
To mitigate this threat:
■ Do not change drive letter assignments.
■ If you find a drive without a drive letter assigned on your computer, contact your system administrator.
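The following PowerShell script is an added example and not part of the Sophos manual. It audits an endpoint against the best practices of this section: whether hibernation is enabled and the hibernation file sits on the system drive (which the manual expects to be an encrypted volume), whether that drive is protected when BitLocker is the engine managed by SafeGuard, and whether any local volume lacks a drive letter. It also lists the power-plan changes that replace sleep and hybrid sleep with hibernation; they are only executed with -Apply. The function names and report layout are this example's own. It assumes an elevated prompt on Windows 7 or 8; the BitLocker check does not see SafeGuard's own full disk encryption on Windows 7 BIOS endpoints and reports "n/a" where the BitLocker cmdlets are missing.

```powershell
# Added example (not from the Sophos manual): audit the "Security best practices"
# of an endpoint. Run from an elevated PowerShell prompt.

function Get-HibernationStatus {
    # HibernateEnabled is the registry switch behind "powercfg /hibernate on|off".
    $power    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    $hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
    [pscustomobject]@{
        HibernateEnabled = [bool]$power.HibernateEnabled
        HiberfilPath     = $hiberfil
        HiberfilPresent  = Test-Path -LiteralPath $hiberfil
        HiberfilVolume   = $env:SystemDrive   # the manual requires this volume to be encrypted
    }
}

function Get-SystemDriveBitLockerStatus {
    # Only meaningful where BitLocker is the encryption engine managed by SafeGuard.
    # SafeGuard's own full disk encryption (Windows 7 BIOS) is not visible to these cmdlets.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $v = Get-BitLockerVolume -MountPoint $env:SystemDrive
        return [pscustomobject]@{
            Volume           = $v.MountPoint
            ProtectionStatus = "$($v.ProtectionStatus)"
            VolumeStatus     = "$($v.VolumeStatus)"
        }
    }
    [pscustomobject]@{ Volume = $env:SystemDrive; ProtectionStatus = 'n/a (no BitLocker module)'; VolumeStatus = 'n/a' }
}

function Get-VolumesWithoutDriveLetter {
    # Win32_Volume also exists on Windows 7. DriveType 3 = local disk.
    # Volumes without a letter are not encrypted by SafeGuard and may leak plain text.
    Get-WmiObject -Class Win32_Volume |
        Where-Object { $_.DriveType -eq 3 -and [string]::IsNullOrEmpty($_.DriveLetter) } |
        Select-Object DeviceID, Label, @{ n = 'CapacityGB'; e = { [math]::Round($_.Capacity / 1GB, 1) } }
}

function Set-HibernateOnlyPowerSettings {
    param([switch]$Apply)
    # Weak state: sleep and hybrid sleep allowed, lid close sleeps.
    # Corrected state: hibernate on, hybrid sleep off, no sleep timeout, lid close hibernates (LIDACTION 2).
    $commands = @(
        @('/hibernate', 'on'),
        @('/setacvalueindex', 'SCHEME_CURRENT', 'SUB_SLEEP', 'HYBRIDSLEEP', '0'),
        @('/setdcvalueindex', 'SCHEME_CURRENT', 'SUB_SLEEP', 'HYBRIDSLEEP', '0'),
        @('/setacvalueindex', 'SCHEME_CURRENT', 'SUB_SLEEP', 'STANDBYIDLE', '0'),
        @('/setdcvalueindex', 'SCHEME_CURRENT', 'SUB_SLEEP', 'STANDBYIDLE', '0'),
        @('/setacvalueindex', 'SCHEME_CURRENT', 'SUB_BUTTONS', 'LIDACTION', '2'),
        @('/setdcvalueindex', 'SCHEME_CURRENT', 'SUB_BUTTONS', 'LIDACTION', '2'),
        @('/setactive', 'SCHEME_CURRENT')
    )
    foreach ($a in $commands) {
        if ($Apply) { & powercfg @a } else { Write-Host "[would run] powercfg $($a -join ' ')" }
    }
}

# Report
Get-HibernationStatus        | Format-List
Get-SystemDriveBitLockerStatus | Format-List
$orphans = @(Get-VolumesWithoutDriveLetter)
if ($orphans.Count -gt 0) {
    Write-Warning 'Local volumes without a drive letter (not encrypted by SafeGuard):'
    $orphans | Format-Table -AutoSize
} else {
    Write-Host 'All local volumes have a drive letter assigned.'
}
Set-HibernateOnlyPowerSettings   # add -Apply to change the active power plan
```

The report is read-only by default; the powercfg aliases used (SUB_SLEEP, HYBRIDSLEEP, STANDBYIDLE, SUB_BUTTONS, LIDACTION) are the documented ones from "powercfg /aliases". A volume listed by Get-VolumesWithoutDriveLetter is exactly the case the manual says to report to your system administrator rather than fix yourself.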
4 Key backup for recovery
For logon recovery, Sophos SafeGuard offers a Challenge/Response procedure (see Recovery with
Challenge/Response (section 17)) that allows information to be exchanged confidentially.
To enable recovery with Challenge/Response, the required data has to be available to the helpdesk.
The data required for recovery is saved in specific key recovery files (.XML files).
When the Sophos SafeGuard configuration is applied to your computer the key recovery file is
created automatically at a location specified by the security officer. If the security officer has not
specified a file location, you are prompted to save the file manually.
The security officer can specify a file location for these files when creating the configuration
package. Usually the file location is a shared path. The key recovery file is created automatically
at this location.
If the specified file location is not accessible when Sophos SafeGuard tries to create the file, a
balloon tip pops up, a message is written into the system event log and Sophos SafeGuard will try
to save the file again later. If the security officer has not specified a file location, a dialog is displayed,
prompting you to save the file manually.
If the security officer has specified a network share for the key recovery file and you are logged on
to Windows with a local user account (for example, if the computer is not a domain member),
you are prompted for a network share logon. Your security officer should provide you with the
required user name and password.
Note: Save the file when prompted and make sure that the helpdesk has access to it. The file is
encrypted and can be saved to any external media, which you then can provide to the helpdesk.
You can also send the file by e-mail. If you do not save the file, you are prompted to do so every
time you restart your computer.
You can create a new key backup from the Sophos SafeGuard System Tray icon at any time.
Creating a new key recovery file may, for example, be necessary if existing key files have been
corrupted or are no longer available to the helpdesk.
5 SafeGuard Power-on Authentication
SafeGuard Power-on Authentication (POA) requires you to authenticate before the computer's
operating system is started. After you do this, Windows starts and you are logged on automatically.
The procedure is the same when the computer is switched back on from hibernation (Suspend to
Disk).
SafeGuard POA look and feel
The look and feel of the SafeGuard POA can be customized according to your company's
requirements. Your security officer does this in the policy settings in the SafeGuard Policy Editor.
The following adjustments are possible:
■ Logon image
  The default logon image that is displayed in the SafeGuard POA is a SafeGuard design. This screen is customizable by policy to show your company logo, for example.
■ Dialog text
  All text in the SafeGuard POA is displayed in the default language set in the Windows Regional and Language Options. You can change the language used in the POA by changing the default language. The language of the dialog text can also be specified by the security officer in a policy.
5.1 First logon after Sophos SafeGuard installation
If Sophos SafeGuard has been installed with SafeGuard Power-on Authentication, the startup
procedure is different during the first system start after the installation of Sophos SafeGuard. A
number of new start messages (for example, the autologon screen) are displayed because Sophos
SafeGuard has been incorporated into the startup procedure. Afterwards, the Windows operating
system starts.
When you log on for the first time after installation, you must first log on successfully to Windows
as usual using your credentials. Afterwards, you are registered as a Sophos SafeGuard user. This
registration process is required to make sure that your credentials are recognized in the POA the
next time the system is started.
After successful registration, a tool tip informing you of this is shown on your computer.
When you restart the computer, the SafeGuard POA is activated. From now on, you enter your
Windows credentials at the SafeGuard POA. You are then logged on to Windows automatically
without any further password entry (if automatic logon to Windows is activated).
You can log on at the SafeGuard POA by using your user name and password.
Note: The settings for the computers which Sophos SafeGuard is installed on are defined by the
security officer in the SafeGuard Policy Editor and distributed to the endpoints in policy files.
5.1.1 First logon procedure
This section describes the procedure for the first logon to your computer after Sophos SafeGuard
has been installed. The procedure will only correspond to the one described here if SafeGuard
POA has been installed and activated for your computer.
1. The computer starts, and the Sophos SafeGuard Autologon dialog is displayed.
An autouser is logged on.
2. The Windows logon dialog is displayed.
Sophos SafeGuard offers the Sophos SafeGuard and the Windows Vista/Windows 7
authentication method.
3. Windows provides two icons for each authentication method:
   ■ Click the icon with Other User below it to open a dialog for entering credentials.
   ■ Click the second icon (with a user name displayed below it) to open a dialog that contains the user information of the last user who has logged on to the system. You only have to enter the password.
If your user name is displayed below a Sophos SafeGuard icon, select the relevant icon. If this
is not the case, select the icon with Other User below it.
4. Enter your Windows user credentials as usual.
The next time the system is started you only have to enter your Windows user credentials
(user name and password) in the SafeGuard POA and you are logged on automatically.
You must restart the computer to activate SafeGuard Power-on Authentication fully. After the
restart, SafeGuard POA protects your computer against unauthorized access.
5.2 Logging on at the SafeGuard Power-on Authentication
After successful activation of the SafeGuard Power-on Authentication (initial synchronization
and restart), you log on by entering your Windows user credentials in the SafeGuard POA logon
dialog. You are logged on to Windows automatically.
Note: You can deactivate automatic logon to Windows by pressing the Options >> button in the
logon dialog and clearing the Pass through logon to Windows check box. Deactivating the
automatic logon is, for example, necessary to enable other users to use SafeGuard Power-on
Authentication on the computer (see Registering further Sophos SafeGuard users (section 5.3)).
The security officer defines, in the relevant policies, whether logon pass-through to Windows is
activated or deactivated and whether you are allowed to change this setting in the logon dialog.
Logon delay on failed logon attempt
If logon at the SafeGuard Power-on Authentication fails, for example, due to an incorrect password,
an error message is displayed, and a delay is imposed before the next logon attempt. The delay
period is increased with each failed logon attempt. Failed attempts are logged.
Machine lock
After a set number of failed logon attempts, your computer will be locked. To unlock your
computer, initiate a Challenge/Response procedure, see Recovery with Challenge/Response (section
17).
5.2.1 Logon recovery
For logon recovery, for example if you have forgotten your password, Sophos SafeGuard offers
different options that are tailored to different recovery scenarios. The recovery methods available
on your computer depend on the settings specified by the security officer. For further information,
see Recovery options (section 15).
5.3 Registering further Sophos SafeGuard users
To allow another Windows user to log on to your computer at the SafeGuard Power-on
Authentication:
1. Switch on the computer.
The SafeGuard POA logon dialog is displayed. The second Windows user cannot log on at the
SafeGuard POA because they do not have the necessary keys and certificates.
2. Enter your SafeGuard POA credentials.
3. In the SafeGuard POA logon dialog, click Options and clear the Pass through to Windows
check box. Log on with your credentials as the computer's owner.
The Windows logon dialog is displayed, prompting the second user to log on.
4. The second user enters their Windows credentials.
5. An entry for the second user is created in the Sophos SafeGuard system core.
The next time the computer is started, the second user can log on at the SafeGuard Power-on
Authentication.
5.4 Temporary password in SafeGuard POA
Sophos SafeGuard allows you to change the password temporarily in the SafeGuard POA. Changing
the password temporarily is recommended if you suspect that somebody has watched you enter
your password.
Example: You start your notebook in a public place, for example at the airport. You think that
somebody watched you enter your password at the SafeGuard POA. Since you are not connected
to Active Directory (AD), you cannot change your Windows password.
Solution: You temporarily change your SafeGuard POA password, thereby ensuring that no
unauthorized person knows your password. As soon as you are connected to AD again, you are
automatically prompted to change the temporary password.
1. In the SafeGuard POA logon dialog, enter the existing password.
2. Press F8.
Note: If you do not enter the existing password before you press F8, the system interprets this
as a failed logon, and an error message is displayed.
3. In the dialog, enter the new password and confirm it.
The system reminds you that the password change is only temporary.
4. Click OK.
Note: If you cancel this dialog, you will be logged on with your old password.
The Windows logon dialog is displayed.
Note: Logon will not be passed through to Windows, even if your system is configured that
way. Enter the "old password" here. The temporary password is only valid for logging on at the
SafeGuard POA.
5. Click OK.
You are logged on to Windows.
For logging on at the SafeGuard POA, you can now only use the temporary password. The temporary password is valid until the password is changed at the Windows logon. Only after you have done so can logon be passed through from SafeGuard POA to Windows again.
Changing the temporary password
The password changed temporarily in the SafeGuard POA has to be changed later to synchronize
passwords again.
When you log on to Windows, Sophos SafeGuard automatically prompts you to change your
password as soon as you are connected to Active Directory again.
You can close the dialog prompting you to change the password without actually changing the
password. In this case, the dialog is shown each time you log on until you change the password.
Note: The SafeGuard POA password can also be changed temporarily while you are connected
to Active Directory. In this case, the dialog for changing the password is shown immediately after
changing the password temporarily in the SafeGuard POA. You can close this dialog without any
changes and use the "old password" for logging on. You can change the password later.
5.5 Virtual keyboard
At the SafeGuard POA, you can show/hide a virtual keyboard on the screen, and click the on-screen
keys to enter credentials, etc.
Prerequisite: The security officer has activated the display of the virtual keyboard by policy.
To show the virtual keyboard in the SafeGuard POA, click Options >> in the SafeGuard POA
logon dialog, and select the Virtual Keyboard check box.
The virtual keyboard supports different layouts. It is also possible to change the layout using the
same options used for changing the SafeGuard POA keyboard layout, see Keyboard layout (section
5.6).
5.6 Keyboard layout
Almost every country has its own keyboard layout. The keyboard layout in the SafeGuard POA is
very important when entering user names, passwords, and response codes.
By default, Sophos SafeGuard adopts the keyboard layout which is set in Windows' Regional and
Language Options for the Windows default user at the time that Sophos SafeGuard is installed. If
“German” is the keyboard layout set under Windows, the German keyboard layout will be used
in the SafeGuard POA.
The language of the keyboard layout being used is displayed in the SafeGuard POA, for example
"EN" for English. Apart from the default keyboard layout, you can also use the US keyboard layout
(English).
5.6.1 Change the keyboard layout
The SafeGuard Power-on Authentication keyboard layout (including the virtual keyboard layout)
can be changed.
1. Select Start > Control Panel > Regional and Language Options > Advanced.
2. On the Regional Options tab, select the required language.
3. On the Advanced tab, under Default user account settings, activate Apply all settings to the
current user account and to the default user profile.
4. Click OK.
The SafeGuard POA recognizes the keyboard layout used for the last successful logon and
automatically enables it for the next logon. This requires two restarts. If the previous keyboard
layout is deselected in the Regional and Language Options, it is still maintained unless you select
a different one.
Note: You must also change the language of the keyboard layout for non-Unicode programs.
If the language you want is not available on your system, Windows may prompt you to install it.
After you have done so, you need to restart your computer twice so that, first, the new keyboard
layout can be read in by the SafeGuard POA and, secondly, the POA can set the new layout.
You can change the required keyboard layout for the SafeGuard POA by using the mouse or
keyboard (Alt+Shift).
To see which languages are installed and available on your system, select Start > Run > regedit:
HKEY_USERS\.DEFAULT\Keyboard Layout\Preload.
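Instead of reading the Preload key by hand in regedit, the following PowerShell function (an added example, not part of the Sophos manual) lists the same HKEY_USERS\.DEFAULT\Keyboard Layout\Preload entries and resolves each layout id to its display name from HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts, following the Substitutes key where a layout is redirected. The function name is this example's own; the registry keys and value names are standard Windows ones. It is read-only and needs no elevation.

```powershell
# Added example (not from the Sophos manual): show which keyboard layouts are preloaded
# for the default user profile, i.e. the layouts the SafeGuard POA can adopt.

function Get-DefaultUserKeyboardLayouts {
    $preloadKey  = Get-Item -LiteralPath 'Registry::HKEY_USERS\.DEFAULT\Keyboard Layout\Preload'
    $layoutsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
    # Substitutes maps a preload id to the layout actually loaded (e.g. Dvorak variants).
    $substitutes = Get-ItemProperty -LiteralPath 'Registry::HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes' -ErrorAction SilentlyContinue

    foreach ($name in ($preloadKey.GetValueNames() | Sort-Object { [int]$_ })) {
        $klid = $preloadKey.GetValue($name)     # e.g. 00000409 = US, 00000407 = German
        $effective = $klid
        if ($substitutes -and $substitutes.$klid) { $effective = $substitutes.$klid }

        $info = Get-ItemProperty -LiteralPath (Join-Path $layoutsRoot $effective) -ErrorAction SilentlyContinue
        $text = '(unknown layout id)'
        $file = ''
        if ($info) {
            $text = $info.'Layout Text'
            $file = $info.'Layout File'
        }
        [pscustomobject]@{
            Order      = [int]$name       # 1 = the profile's default input language
            PreloadId  = $klid
            LayoutId   = $effective
            LayoutText = $text
            LayoutFile = $file
        }
    }
}

Get-DefaultUserKeyboardLayouts | Format-Table -AutoSize
```

Run it before and after the Regional and Language Options change described above to confirm that the new layout has reached the default user profile; as the manual notes, the POA itself still needs two restarts to pick it up, and the US layout remains available in the POA regardless of what is listed here.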
5.7 Supported hotkeys/function keys in the SafeGuard Power-on Authentication
Certain hardware functionality and settings can lead to problems when starting computers, causing
the system to no longer respond. The SafeGuard Power-on Authentication supports a number of
hotkeys for modifying these hardware settings and deactivating functionality. Furthermore, a
greylist of hardware settings and functionalities that are known to cause these problems is integrated
in the .msi file installed on the computer.
We recommend that you install an updated version of the SafeGuard POA configuration file before
any significant deployment of Sophos SafeGuard. The file is updated on a monthly basis and made
available to download from here: http://www.sophos.com/support/knowledgebase/article/65700.html
You can customize this file to reflect the hardware of a particular environment.
Note: When you define a customized file, this will be used instead of the one integrated in the
.msi file. Only when no SafeGuard POA configuration file is defined or found will the default file
be applied.
To install the SafeGuard POA configuration file, enter the following command:
MSIEXEC /i <Client MSI package> POACFG=<path of the SafeGuard POA configuration file>
The SafeGuard Power-on Authentication also supports a number of function keys.
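The following PowerShell wrapper is an added example, not part of the Sophos manual or installer: it runs the MSIEXEC command line shown above with a customized SafeGuard POA configuration file, after checking that both files exist, and reports the Windows Installer exit code. The silent switch (/qn), the verbose log (/l*v) and the function name are this example's additions; the package and configuration file names in the usage line are placeholders, not Sophos file names. Run it from an elevated prompt.

```powershell
# Added example (not from the Sophos manual): install the client package with a
# customized POA configuration file and record the installer result.

function Install-SafeGuardClientWithPoaConfig {
    param(
        [Parameter(Mandatory)] [string]$ClientMsi,   # <Client MSI package>
        [Parameter(Mandatory)] [string]$PoaConfig,   # <path of the SafeGuard POA configuration file>
        [string]$LogFile = (Join-Path $env:TEMP 'SafeGuardClient_install.log')
    )
    foreach ($f in @($ClientMsi, $PoaConfig)) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "File not found: $f" }
    }
    # Absolute, quoted paths so msiexec does not resolve them relative to its own working directory.
    $msi = (Resolve-Path -LiteralPath $ClientMsi).Path
    $cfg = (Resolve-Path -LiteralPath $PoaConfig).Path
    $arguments = "/i `"$msi`" POACFG=`"$cfg`" /qn /l*v `"$LogFile`""

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru
    # Standard Windows Installer results: 0 = success, 3010 = success, restart required.
    switch ($proc.ExitCode) {
        0       { Write-Host "Installed. Log: $LogFile" }
        3010    { Write-Host "Installed; restart required. Log: $LogFile" }
        default { Write-Error "msiexec exited with code $($proc.ExitCode). See $LogFile" }
    }
    return $proc.ExitCode
}

# Usage with placeholder file names (replace with your package and POA configuration file):
# Install-SafeGuardClientWithPoaConfig -ClientMsi '.\ClientPackage.msi' -PoaConfig '.\poacfg_custom.xml'
```

Checking the configuration file path before calling msiexec matters because, as the manual states, the built-in default file is applied whenever no configuration file is defined or found, so a mistyped path silently installs the older greylist instead of your customized one.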
5.7.1 Hotkeys
Shift-F3 = USB Legacy Support (on/off)
Shift-F4 = VESA graphic mode (off/on)
Shift-F5 = USB 1.x and 2.0 support (off/on)
Shift-F6 = ATA Controller (off/on)
Shift-F7 = USB 2.0 support only (off/on) USB 1.x support remains as set by Shift-F5.
Shift-F9 = ACPI/APIC (off/on)
Hotkeys dependency matrix

Shift - F3   Shift - F5   Shift - F7   Legacy   USB 1.x   USB 2.0   Comment
off          off          off          on       on        on        3.
on           off          off          off      on        on        Default
off          on           off          on       off       off       1., 2.
on           on           off          on       off       off       1., 2.
off          off          on           on       on        off       3.
on           off          on           off      on        off
off          on           on           on       off       off
on           on           on           on       off       off       2.
1. Shift - F5 disables both USB 1.x and USB 2.0.
Note: Pressing Shift - F5 during startup will considerably reduce the time it takes to launch
the SafeGuard POA. However, if your computer uses a USB keyboard or USB mouse, they
might be disabled when pressing Shift - F5.
The SafeGuard POA may use the USB keyboard via BIOS SMM. There is no USB token support.
2. If no USB support is active, the SafeGuard POA tries to use BIOS SMM instead of backing up
and restoring the USB controller. The Legacy mode may work in this scenario.
3. Legacy support is active, USB is active. The SafeGuard POA tries to back up and restore the
USB controller. The system might hang depending on the BIOS version used.
Note: The changes that can be carried out using the hotkeys may already have been specified
during Sophos SafeGuard Client installation using an .mst file.
When you change hardware settings by using the hotkeys in the SafeGuard POA, a dialog is
displayed prompting you to save the changed settings. This dialog shows an overview of the
configuration that will be saved. To save your changes, click Yes. When you restart your computer,
the new settings become active. If you click No, your changes are not saved, and the old
configuration remains active when you restart your computer.
By pressing F5 in any SafeGuard POA dialog, you can open a dialog showing the hotkeys
configuration used to start the SafeGuard POA. If hotkeys were changed during the startup, the
relevant key states will be shown in blue. Blue means that the key was used in this state to start the
SafeGuard POA, but it has not been saved yet. Unchanged values are shown in black. To close the
dialog, press F5 again or press Return.
For details see http://www.sophos.com/en-us/support/knowledgebase/107785.aspx.
5.7.2 Function keys in the logon dialog
Note: The function keys are not hotkeys.
F2 = abort Autologon.
F5 = displays a dialog showing the hotkey configuration used to start the SafeGuard POA.
F8 = change password in SafeGuard POA. Use instead of the Enter key to trigger a password
change in the SafeGuard POA after logging on.
Alt + Shift (left-hand Alt and left-hand Shift keys) = change keyboard from German to English
(or the reverse).
Cancel and prepare SafeGuard POA for shutdown
Ctrl + Alt + Del = if authentication has failed but you need to shut down the computer safely.
This key combination has the same function as the Shutdown button.
Note: If fingerprint logon is activated, you can use Ctrl + Alt + Del to change to the SafeGuard
POA dialog for logging on with a user name and password. For further information on fingerprint
logon, see Logging on with the Lenovo Fingerprint Reader (section 8).
5.8 Password synchronization
Sophos SafeGuard automatically detects when the Windows password has been changed and no
longer corresponds to the stored one. This may happen if the Windows password has been changed
through a VPN, on another computer, or in Active Directory.
If Sophos SafeGuard detects this situation, you are informed and prompted to enter the old
password. Afterwards, the password stored by Sophos SafeGuard is updated with the new Windows
password.
Password synchronization takes place in two different situations:
■ During the logon process.
■ During a Windows lock/unlock procedure.
6 Logging on to Windows
Sophos SafeGuard offers an additional authentication method under Windows.
If you clear the Pass through logon to Windows check box in the logon dialog of the SafeGuard
Power-on Authentication, the Windows logon dialog is displayed. In this dialog, you can also
select a different authentication method.
Note: Using a different authentication method does not mean that Sophos SafeGuard is inactive
on your computer. In this case, the logon at Sophos SafeGuard is not done during the Windows
logon but after the Windows logon.
6.1 Log on with Sophos SafeGuard
Usually, you are automatically logged on to Windows after entering your password at the SafeGuard
Power-on Authentication (POA). If you clear the Pass through logon to Windows check box in
the SafeGuard POA logon dialog, and use the Sophos SafeGuard method for logging on to Windows,
Sophos SafeGuard is available with its complete functionality after you log on to Windows.
The required keys are available, and all data is encrypted and decrypted according to the policies
defined.
6.2 Log on with the Windows authentication method
In the Windows logon dialog, you can select an alternative authentication method for logging on
to Windows instead of the Sophos SafeGuard authentication method.
If you use the Windows authentication method, the logon to Sophos SafeGuard is performed after
the logon to the operating system.
After logging on to Windows, the Sophos SafeGuard authentication application is started
automatically, if necessary, to achieve full Sophos SafeGuard functionality.
Depending on the logon settings in central administration, either a dialog for entering user
credentials or a PIN entry dialog is displayed.
1. Enter your credentials or the PIN, and click OK.
Now the Sophos SafeGuard functionality is available and you can, for example, access encrypted
data, if you have the necessary key.
7 Logging on with non-cryptographic smartcards or tokens
There are two possible types of logon with non-cryptographic smartcards or tokens:
■ Logon is only allowed with smartcards or tokens.
■ Logon is allowed either with user name and password or with smartcard or token.
The security officer defines the allowed logon type in a policy.
Note: Sophos SafeGuard treats smartcards and tokens in the same way. So the terms "token" and
"smartcard" mean the same in the product and the manual. In the following sections, the term
"token" is used.
7.1 First logon with token after installation
The first logon with a token is identical to the logon procedure without a token.
If a token with your user credentials is available, you can use it to log on to Windows by entering
the token PIN.
Note: We recommend that you configure your token with Windows user credentials (see Store
Windows user credentials on your token (section 7.2)) before you restart the computer. The security
policies that apply to you may require using a token at SafeGuard POA. If your token does not
contain your credentials, you cannot log on at the SafeGuard Power-on Authentication.
7.2 Store Windows user credentials on your token
If your token does not contain your Windows user credentials, you can store them on the token
yourself.
Note: We recommend that you configure your token during the first logon. The security policies
that apply to you may require using a token at SafeGuard POA. If your token does not contain
any user information, you cannot log on at the SafeGuard Power-on Authentication.
1. During the first logon after installation, connect your token with the system when the Windows
logon dialog is displayed.
If the system detects an empty token, the Issue Token dialog is displayed automatically.
2. Enter your Windows user name and password.
3. Confirm your password.
4. Select or enter the domain, and click OK.
The system tries to log you on to Windows using the data entered. If logon is successful, the
data is written to the token.
You are logged on to Windows.
If token logon is defined as optional for your user (that is, you have already logged on once at the
SafeGuard POA with your user name and password), you can also issue the token later.
To do so, click Options in the SafeGuard POA logon dialog and clear the Pass through to Windows
check box. The Windows logon dialog is displayed, and you can store your credentials on the
token as described.
7.3 SafeGuard POA logon with token
Prerequisites: Make sure that USB support is activated in the BIOS. Token support has to be
initialized, and the token has to be issued for you.
1. Plug in the token.
2. Switch on the computer.
The dialog for token logon is displayed.
Note: If your policy allows you to log on with your user credentials and you disconnect the
token, you are prompted to enter your user credentials for logging on. If the dialog for logging
on with a user ID and password is not displayed, you can only log on at the SafeGuard Power-on
Authentication with a token.
3. Enter your token PIN.
You are logged on at the SafeGuard Power-on Authentication and to Windows as well (if the
Pass through to Windows check box is selected in the logon dialog).
7.4 Change the PIN
You can change your token PIN in the Windows logon dialog.
If Pass through to Windows is selected at the SafeGuard Power-on Authentication (POA), the
Windows logon dialog is usually not displayed. To display the Windows logon dialog, you have
to clear this option during SafeGuard POA logon.
Note: You are automatically prompted to change the PIN if the security officer has defined rules
requiring a PIN change (for example, at specific time intervals).
1. In the PIN dialog for Windows logon, select the Change PIN check box.
2. Enter your token PIN and click OK.
The PIN Change dialog is displayed.
3. Enter the new PIN and confirm it.
4. Click OK.
The token PIN is changed and Windows logon continues.
7.5 Token logon recovery
If you have forgotten your PIN, you can regain access to your computer with one of the following
recovery methods:
■ Recovery with Local Self Help, see Recovery with Local Self Help (section 16).
■ Recovery with Challenge/Response, see Recovery with Challenge/Response (section 17).
The recovery methods available on your computer depend on the settings specified by the security
officer.
To initiate recovery, click the Recovery button in the token logon dialog.
7.6 Unblocking tokens
If you enter your PIN incorrectly several times, your token is blocked. The security officer can
configure Sophos SafeGuard to display the Unblock Token dialog in this case.
The security officer has to provide you with the administrator PIN defined for your token.
1. In the Unblock Token dialog, enter the administrator PIN.
2. Enter a new PIN and confirm it.
The PIN you enter is subject to the rules defined for PINs (for example, specific character
combinations may be required, PINs already used may be banned from being used again).
3. Click OK.
The token is unblocked and logon continues.
Note: If this function is not available on your computer, you can regain access to your computer
with Challenge/Response. But you cannot change the PIN or your user credentials with
Challenge/Response.
7.7 Remote Desktop Connection
Under Windows XP, it is not possible to establish a Remote Desktop Connection to a computer
if the user has logged on locally by using a token.
8 Logging on with the Lenovo Fingerprint Reader
Note: Logon with the Lenovo Fingerprint Reader is only supported for Windows 7 (BIOS)
endpoints.
Users must remember many different passwords and PINs in order to access their computers,
applications, and networks. With a fingerprint reader, all you need to do is swipe your finger over
the reader to log on instead of using a password.
You cannot lose or forget your credentials. Nor can any unauthorized individuals guess this
information. Using fingerprint readers thus simplifies the logon process and increases security.
Sophos SafeGuard supports fingerprint logon for SafeGuard Power-on Authentication as well as
the Windows logon phase. For example, you can log on to a Lenovo notebook simply by swiping
your finger over the fingerprint reader integrated into the notebook. The rest of the logon procedure
then runs automatically. You can also lock and unlock your desktop in Windows by swiping your
finger over the fingerprint reader.
Fingerprint readers are integrated directly into certain Lenovo notebooks. However, you can also
use an external USB keyboard for a fingerprint logon.
Note:
■ Only one fingerprint reader may be connected to a computer at any given time.
■ Token and fingerprint logon procedures cannot be combined on the same computer.
■ Remote fingerprint logon is not supported.
8.1 Requirements
The following requirements must be satisfied in order to use fingerprint logon:
General requirements
■ Lenovo hardware
■ Lenovo Fingerprint Reader in the notebook or a USB keyboard with a fingerprint reader
■ The latest BIOS (recommended)
■ Sophos SafeGuard
■ The recommended vendor-specific software version must be installed before Sophos SafeGuard:
  ■ ThinkVantage Fingerprint for AuthenTec
  or
  ■ ThinkVantage Fingerprint for UPEK.
■ The security officer must have activated fingerprint logon by policy.
System requirements
■ Windows XP, 32 bit
■ Windows Vista, 32 bit, 64 bit
■ Windows 7, 32 bit, 64 bit
Supported hardware
For information on supported fingerprint logon hardware, refer to
http://www.sophos.com/support/knowledgebase/article/108789.html.
Supported software
For information on supported fingerprint software, refer to
http://www.sophos.com/support/knowledgebase/article/111626.html.
8.2 Enroll fingerprints
In order to log on to your notebook/PC with a fingerprint, you must first enroll one or more
fingerprints using the recommended vendor-specific software. The enrollment process links your
enrolled fingerprint with your credentials (user name and password).
Prerequisites: The following procedure assumes that both the recommended vendor-specific
software and Sophos SafeGuard are installed.
1. Log on at the SafeGuard Power-on Authentication (POA) by entering your user name and
password.
2. Register one or more of your fingerprints by using the installed vendor-specific software. This
registration links your fingerprint with your Windows credentials.
a) Refer to the documentation for the ThinkVantage Fingerprint software for instructions on
how to enroll a fingerprint.
b) Enable the option POA password in BIOS. (UPEK only. For AuthenTec this step is not
necessary)
c) To use fingerprint logon in the SafeGuard POA, you first have to log on to Windows once
with your fingerprint to transfer your credentials to the fingerprint reader. For UPEK you
only have to swipe an enrolled fingerprint over the fingerprint reader. For AuthenTec you
also have to enter your Windows password at first logon.
3. Restart your PC/notebook.
4. To test your enrolled fingerprint, swipe your finger over the fingerprint reader after restarting
the computer.
If your fingerprint matches the enrolled one, you are automatically logged on to Windows.
8.3 Log on to SafeGuard Power-on Authentication with a fingerprint
Prerequisites:
■ The security officer must have set up the fingerprint option in the relevant Authentication
  policy.
■ You must have enrolled one or more fingerprints.
1. Restart your computer.
The SafeGuard POA dialog for logging on with a fingerprint is displayed.
2. Swipe one of your enrolled fingers over the reader.
If the software recognizes your fingerprint, SafeGuard Power-on Authentication reads your
credentials and sends them to Windows.
The logon procedure uses icons with short text messages as prompts, notifications, and warnings
(see Icons used in the logon process (section 8.3.1)).
You are automatically logged on to Windows without any further requests for your data.
Note:
■ If the enrollment process in Windows was not completed successfully (for example, after
  enrolling fingerprints, you have not logged off from and logged on again to Windows), a match
  with the fingerprints enrolled will be found in the SafeGuard POA. However, there will not be
  any credentials. In this case, an error message is displayed, prompting you to log on with your
  user name and password, although this does not pass you through to Windows. Your credentials
  are transferred to the fingerprint reader.
■ In the policies that apply to you, the security officer specifies whether pass-through to Windows
  has been enabled or disabled and whether you can change these settings in the SafeGuard POA
  dialog for logging on with a user name and password (see Log on with a user name and password
  (section 8.3.3)).
8.3.1 Icons used in the logon process
When you log on at the SafeGuard Power-on Authentication with a fingerprint, the system uses
icons as prompts, notifications, and warnings. These icons are displayed during the logon process,
along with a short text message.
The icons themselves are not reproduced here; their meanings are:
■ Prompts you to swipe your finger over the fingerprint reader.
■ Indicates that fingerprint logon is not currently enabled. This can occur, for example, if the
  fingerprint logon module has not yet been initialized.
■ Indicates that the fingerprint reader is working and is busy.
■ Indicates that the fingerprint was read successfully and a match was found.
■ Indicates that the fingerprint was read successfully, but no match was found.
■ Indicates that the fingerprint could not be read. Swipe your finger across the fingerprint reader
  again.
■ Indicates that you have placed your finger too far to the left (or too far to the right). Move your
  finger to the center of the fingerprint reader.
■ Indicates that your finger swipe was too skewed. Swipe your finger across the fingerprint reader
  again.
■ Indicates that you moved your finger too fast. Swipe your finger across the fingerprint reader
  again.
■ Indicates that your finger swipe was too short. Swipe your finger across the fingerprint reader
  again.
8.3.2 Failed logon attempts
If the system is unable to read your fingerprint after five attempts, it considers this to be a failed
logon attempt and logs it as an event. In this case, a logon delay goes into effect.
If the system was able to read your fingerprint without errors, but did not find a match with the
registered fingerprint after five attempts, it also considers this to be a failed logon attempt and
logs it as an event. In this case, a logon delay also goes into effect.
The logon delay period increases with every failed logon attempt.
8.3.3 Log on with a user name and password
Even if fingerprint logon is enabled, you can still log on at the SafeGuard Power-on Authentication
with your user name and password, for example, if your fingerprint reader does not work.
1. Press the Esc key or Ctrl+Alt+Del in the SafeGuard POA dialog for logging on with a fingerprint.
The SafeGuard POA dialog for logging on with a user name and password is displayed.
Note: If you press Ctrl+Alt+Del in the SafeGuard POA dialog for logging on with a user name
and password, the computer shuts down. In this dialog, Ctrl+Alt+Del corresponds to the
Shutdown button.
The SafeGuard POA dialog for logging on with a user name and password is also displayed
automatically if a fingerprint reader is unavailable or if the system does not find any user data
on the fingerprint reader.
Note: Logging on with a user name and password is also enabled automatically if the local
cache is corrupt. If this happens, your computer will be locked, and you must log on using a
Challenge/Response procedure.
2. Optionally, press Esc again to return to the SafeGuard POA dialog for logging on with a
fingerprint.
If you pressed Esc to switch to the SafeGuard POA dialog for logging on with a user name and
password, you can still log on by swiping your finger over the fingerprint reader without having
to return to the SafeGuard POA fingerprint logon dialog first.
8.4 Change your password
1. If fingerprint logon is enabled in SafeGuard Power-on Authentication, you can change your
password in Windows by pressing Ctrl+Alt+Del.
When you change your password, the system prompts you to swipe your finger over the
fingerprint reader in order to transfer your new password to the fingerprint reader.
Note: Whenever you change your password, the change applies to all your enrolled fingerprints.
8.4.1 Synchronize your password
If your Windows password no longer matches the password stored on the fingerprint reader, for
example in cases where you changed your password, but the new password was not transferred
to the fingerprint reader, you can synchronize your password:
1. Restart your computer.
2. Press the Esc key or Ctrl+Alt+Del in the SafeGuard POA dialog for logging on with a fingerprint.
The SafeGuard POA dialog for logging on with a user name and password is displayed.
3. Click Options, and clear the Pass through logon to Windows check box.
Note: In the policies that apply to you, the security officer specifies whether pass-through to
Windows has been enabled or disabled and whether you can change these settings in the
SafeGuard POA dialog for logging on with a user name and password.
4. Log on with your password.
5. The Windows logon dialog is displayed. Swipe one of your enrolled fingers over the fingerprint
reader.
6. The system recognizes the fingerprint, but Windows rejects the password linked to the
fingerprint. This is not viewed as a failed logon attempt, however, so no logon delay goes into
effect.
A message indicating that the password was changed is displayed, and the system prompts you
to enter your current Windows password.
7. Enter the correct Windows password.
Note: If you enter an incorrect Windows password here, a failed logon attempt is logged, and
a logon delay goes into effect. If you close the input prompt without entering a password, a
failed logon attempt is likewise logged, and a logon delay goes into effect.
A successful transfer of the password completes the password synchronization process and you
can then use the password for your logon.
8.5 Fingerprint logon recovery
If fingerprint logon does not work and you have forgotten the password required to log on, Sophos
SafeGuard offers the following recovery methods:
■ Recovery with Local Self Help (section 16).
■ Recovery with Challenge/Response (section 17).
The recovery methods available on your computer depend on the settings specified by the security
officer.
To initiate recovery, click the Recovery button in the fingerprint logon dialog.
Note: After a recovery procedure, you may have to change your password when you start your
computer, for example if you have forgotten your password. In this case, the system also offers to
update your fingerprint credentials.
9 Disk encryption
For disk encryption, Sophos SafeGuard offers the following depending on the operating system
in use on the endpoints:
■ Windows 7 endpoints:
  ■ SafeGuard full disk encryption with SafeGuard Power-on Authentication, see SafeGuard
    full disk encryption (section 9.1).
  ■ BitLocker Drive Encryption with Windows logon, see BitLocker Drive Encryption (section
    9.2).
■ Windows 8 endpoints: BitLocker Drive Encryption with Windows logon, see BitLocker Drive
  Encryption (section 9.2).
9.1 SafeGuard full disk encryption
Sophos SafeGuard provides transparent full disk encryption in a volume-based manner. In the
security policies, your security officer defines the volumes (drives) that are to be encrypted.
9.1.1 Transparent encryption
The files on an encrypted drive are encrypted transparently. You do not see any prompts for
encryption or decryption when opening, editing, and saving files. When you open the files, they
are decrypted and you can edit them. When you close or save the files, they will be encrypted
again.
If you copy or move files (also with Save as) from an encrypted drive to an unencrypted file location
on your computer, they are decrypted. The files are stored in the new file location in plaintext.
9.1.2 Initial encryption
After the first encryption policy has been deployed to your computer, initial encryption is performed
according to the policy received. Depending on the encryption policy settings, initial encryption
is started automatically or you have to start it manually.
Note: During initial encryption of the system partition (that is the partition where the hiberfil.sys
file is located) do not hibernate the computer. After initial encryption of the system partition is
completed, restart the computer to make sure that hibernation works properly again.
9.1.3 Volume-based full disk encryption
On a Sophos SafeGuard protected computer, an automatically generated computer key is used
for volume-based data encryption.
If a policy specifying an encryption of this type applies to your computer, the data is encrypted
automatically. No further keys can be added to the volume.
During the encryption process, an Encryption Viewer shows the encryption progress of the volume
to be encrypted. If available, it also shows existing encrypted volumes. The Encryption Viewer is
shown in minimized view on the Windows taskbar. You can open it by clicking the icon. If you
want the Encryption Viewer minimized, you can request a notification that encryption has been
completed by selecting Show notify before close. The viewer automatically closes when encryption
is complete. You can use the encrypted volume like any unencrypted volume on your computer.
Note:
■ Volume-based encryption/decryption is not supported for drives without a drive letter assigned.
■ For Windows 7 Professional, Enterprise and Ultimate, a system partition is created on endpoints
  without a drive letter assigned. This system partition cannot be encrypted by Sophos SafeGuard.
■ If an encryption policy exists for a volume or a volume type and encryption of the volume fails,
  the user is not allowed to access it.
■ Endpoints can be shut down and restarted during encryption/decryption.
■ If decryption is followed by an uninstallation, we recommend that the endpoint is not suspended
  or hibernated during decryption.
■ If after volume encryption a new policy is applied to an endpoint that allows decryption, the
  following applies: After a complete volume-based encryption, the endpoint must be restarted
  at least once before decryption can be started.
9.1.4 Volume access restrictions
Sophos SafeGuard denies access to volumes in the following cases:
Volumes with failed encryption
If a policy exists that specifies that a volume or a volume type is to be encrypted, and the encryption
process fails, access to the volume is denied.
When you try to access the volume, a relevant message is displayed.
Unidentified File System Objects
Unidentified File System Objects are volumes that cannot be clearly identified as plain or encrypted
by Sophos SafeGuard.
If a policy exists that specifies that a volume of this type is to be encrypted, access to this volume
is denied. When you try to access the volume, a relevant message is displayed.
If there is no encryption policy for an Unidentified File System Object, you can access the volume.
9.2 BitLocker Drive Encryption
BitLocker Drive Encryption is a full disk encryption feature with pre-boot authentication that is
included in Windows operating systems. It is designed to protect data by providing encryption
for boot and data drives.
9.2.1 Encryption policies for BitLocker
A security officer can create a policy for encryption in the SafeGuard Policy Editor and distribute
it to BitLocker endpoints where it is executed. It triggers the BitLocker encryption of the volumes
specified.
9.2.2 Encryption on a BitLocker-protected computer
Before encryption starts, the encryption keys and decryption keys are generated by BitLocker.
Depending on the system used and the installed Sophos SafeGuard BitLocker support, the behaviour
differs slightly.
Endpoints with TPM
BitLocker stores its own encryption and decryption keys in a hardware device called the Trusted
Platform Module (TPM) security hardware. The keys are not stored on the computer’s hard disk.
The TPM must be accessible by the basic input/output system (BIOS) during startup. When you
start your computer, BitLocker will get these keys from the TPM automatically.
Your security officer can define TPM, TPM+PIN or TPM + USB Memory Stick as logon mode
for BitLocker. If Sophos SafeGuard activates BitLocker the BitLocker startup key is stored on the
TPM.
Note: The TPM has to be activated and ownership has to be taken, before Sophos SafeGuard can
manage BitLocker encryption.
Endpoints without TPM
If your computer is not equipped with a TPM, you can create a BitLocker startup key using a USB
flash drive to store the encryption keys and decryption keys. You will have to insert the flash drive
each time you start the computer.
If Sophos SafeGuard activates BitLocker you are prompted to save the BitLocker startup key. A
dialog appears displaying the valid target drives to store the startup key.
Note: For boot volumes it is essential that you have the startup key available when you start your
endpoint. Therefore storing the startup key is restricted to removable media.
For data volumes you can store the BitLocker startup key on an already encrypted boot volume.
If the volume is encrypted, it is displayed under Valid target drives and can be selected.
BitLocker recovery keys
For BitLocker recovery, Sophos SafeGuard offers a Challenge/Response procedure that allows
information to be exchanged confidentially and the possibility to retrieve the BitLocker recovery
key from the helpdesk, see Challenge/Response for BitLocker users (section 17.6) and BitLocker
recovery key (section 17.7).
To enable recovery with Challenge/Response, the required data has to be available to the helpdesk.
The data required for recovery is saved in specific key recovery files.
When the Sophos SafeGuard configuration is applied to your computer, the key recovery file is
created automatically at a location specified by the security officer. Usually the file location is a
shared path. If the security officer has not specified a file location, you are prompted to save the
file manually. You have to save the recovery files for each volume to be encrypted.
If the specified file location is not accessible when Sophos SafeGuard tries to create the file, a
balloon tip pops up, a message is written into the system event log and Sophos SafeGuard will try
to save the file again later. Sophos SafeGuard keeps prompting you, until you save the file.
You can save the recovery files manually or create a new key backup from the Sophos SafeGuard
System Tray icon at any time. Creating a new key recovery file may, for example, be necessary if
existing key files have been corrupted or are no longer available to the helpdesk.
Note: If a BitLocker-encrypted hard disk in a computer is replaced by a new BitLocker-encrypted
hard disk, and the new hard disk is assigned the same drive letter as the previous hard disk, Sophos
SafeGuard only saves the recovery key of the new hard disk.
If a volume has already been encrypted with BitLocker before installing the BitLocker support of
Sophos SafeGuard, you need to back up the keys of the previously encrypted volume by using the
backup mechanisms offered by Microsoft.
Managing already BitLocker encrypted drives
In case there are any already BitLocker encrypted drives on your computer when Sophos SafeGuard
is installed, Sophos SafeGuard takes over the management of these drives.
Encrypted boot drives
■ Depending on the Sophos SafeGuard BitLocker support used, you may be prompted to reboot
  the computer. It is important that you reboot the computer as early as possible.
■ A Sophos SafeGuard encryption policy applies for the encrypted drive:
  ■ Sophos SafeGuard BitLocker Challenge/Response is installed: Management is taken over
    and Sophos SafeGuard Challenge/Response is possible.
  ■ Sophos SafeGuard BitLocker is installed: Management is taken over and Sophos SafeGuard
    recovery is possible.
■ No Sophos SafeGuard encryption policy applies for the encrypted drive:
  ■ Sophos SafeGuard BitLocker Challenge/Response is installed: Management is not taken
    over and Sophos SafeGuard Challenge/Response is not possible.
  ■ Sophos SafeGuard BitLocker is installed: Sophos SafeGuard recovery is possible.
Encrypted data drives
■ A Sophos SafeGuard encryption policy applies for the encrypted drive:
  Management is taken over and Sophos SafeGuard recovery using the SafeGuard Policy Editor
  is possible.
■ No Sophos SafeGuard encryption policy applies for the encrypted drive:
  Sophos SafeGuard recovery using the SafeGuard Policy Editor is possible.
Note: It may happen that Sophos SafeGuard is not able to take over the management of an already
encrypted drive. Sophos SafeGuard recovery for a BitLocker drive like this is not possible. In this
case, contact your security officer.
9.2.3 Decryption with BitLocker
Computers encrypted with BitLocker cannot be decrypted automatically. They must be decrypted
by using the Microsoft tool "Manage-bde".
9.2.4 Authentication with BitLocker
BitLocker offers a range of authentication options. BitLocker users can either authenticate with a
Trusted Platform Module (TPM), a USB stick or a combination of both.
A security officer can set the various logon modes in a policy in the SafeGuard Policy Editor and
distribute it to BitLocker endpoints.
The following logon modes exist for Sophos SafeGuard BitLocker users:
■ TPM only
■ TPM + PIN
■ TPM + USB Memory Stick
■ USB Stick only (TPM-less)
Trusted Platform Module (TPM)
The TPM is a smartcard-like module on the motherboard that performs cryptographic functions and
digital signature operations. It can create, store and manage user keys. It is protected against
attacks.
USB stick
The external keys can be stored on an unprotected USB stick.
Authentication at the BitLocker computer
During preboot of your BitLocker computer you are asked to enter the TPM PIN or to insert the
USB memory stick for authentication.
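As an added example (not code from the Sophos manual or product), the following PowerShell script inventories BitLocker volumes, maps their key protectors to the logon modes listed in section 9.2.4, checks the TPM precondition from section 9.2.2, and decrypts a volume with Manage-bde as section 9.2.3 requires. It assumes Windows 8 or later (BitLocker and TPM PowerShell modules), an elevated session, and treats the drive letter and polling interval as illustrative values.

```powershell
# Added example, not code from the Sophos SafeGuard manual or product.
# Assumes: Windows 8 or later (BitLocker PowerShell module), an elevated
# session, and that 'C:' is the volume of interest (illustrative value).
#Requires -RunAsAdministrator

# Map the key protector types Windows reports to the logon modes the manual
# lists in section 9.2.4 (TPM only, TPM + PIN, TPM + USB Memory Stick,
# USB Stick only). Anything else is reported as having no pre-boot protector.
function Get-PreBootLogonMode {
    param([string[]]$ProtectorTypes)
    if ('TpmPin'        -in $ProtectorTypes) { return 'TPM + PIN' }
    if ('TpmStartupKey' -in $ProtectorTypes) { return 'TPM + USB Memory Stick' }
    if ('Tpm'           -in $ProtectorTypes) { return 'TPM only' }
    if ('ExternalKey'   -in $ProtectorTypes) { return 'USB Stick only (TPM-less)' }
    return 'No pre-boot protector (data volume or auto-unlock)'
}

# Precondition from section 9.2.2: the TPM must be activated and ownership
# taken before SafeGuard can manage BitLocker. Get-Tpm ships with Windows 8+.
function Test-TpmReadyForBitLocker {
    $tpm = Get-Tpm
    return [bool]($tpm.TpmPresent -and $tpm.TpmReady -and $tpm.TpmOwned)
}

# One row per BitLocker volume: status, progress, protectors, logon mode and
# whether a recovery password protector exists (needed for helpdesk recovery).
function Get-BitLockerInventory {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            Volume              = $vol.MountPoint
            Status              = $vol.VolumeStatus
            PercentEncrypted    = $vol.EncryptionPercentage
            Protectors          = ($types -join ', ')
            LogonMode           = Get-PreBootLogonMode -ProtectorTypes $types
            HasRecoveryPassword = ('RecoveryPassword' -in $types)
        }
    }
}

# Decrypt a volume the way section 9.2.3 requires: with manage-bde, not via
# SafeGuard. Refuses to start unless a recovery password protector exists, so
# the helpdesk can still unlock the volume if something goes wrong mid-way.
function Start-BitLockerDecryption {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [int]$PollSeconds = 30   # illustrative polling interval
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ('RecoveryPassword' -notin $types) {
        throw "No recovery password protector on $MountPoint. Create a key backup first (for example from the SafeGuard System Tray icon)."
    }
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "$MountPoint is already decrypted."
        return
    }
    & manage-bde.exe -off $MountPoint
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -off $MountPoint failed with exit code $LASTEXITCODE"
    }
    # Poll until Windows reports the volume fully decrypted.
    do {
        Start-Sleep -Seconds $PollSeconds
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ('{0}: {1} ({2}% encrypted)' -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
}

# Usage (illustrative):
Get-BitLockerInventory | Format-Table -AutoSize
if (-not (Test-TpmReadyForBitLocker)) {
    Write-Warning 'TPM is not present, ready and owned: SafeGuard cannot manage BitLocker in the TPM modes.'
}
# Start-BitLockerDecryption -MountPoint 'C:'
```

On Windows 7, where the BitLocker module is not available, `manage-bde -status` and `manage-bde -protectors -get C:` give the same inventory information from the command line.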
10 SafeGuard Data Exchange
SafeGuard Data Exchange allows you to encrypt data stored on removable media that are connected
to your computer, and exchange it with other users. All encryption and decryption processes are
run transparently and involve minimum user interaction.
Only users who have the appropriate keys can read the contents of the encrypted data. All
subsequent encryption processes are run transparently. Transparent encryption means that data
that has been encrypted and saved is automatically decrypted by an application when the data is
accessed again.
When you save the relevant file, it is automatically encrypted again. During daily work you will
not notice that the data is encrypted. However, when you disconnect the removable media, the
data remains encrypted and is protected against unauthorized access. Unauthorized users can
access the files physically, but they cannot read them without SafeGuard Data Exchange and the
relevant key.
Note: The behavior of SafeGuard Data Exchange on your computer is defined in a policy by the
security officer.
The security officer defines how data on removable media is handled. The security officer can, for
example, define encryption as mandatory for files stored on any removable media. In this case,
all unencrypted files existing on the device are initially encrypted. In addition, all new files saved
to removable media are encrypted. If existing files are not to be encrypted, the security officer can
choose to allow access to existing unencrypted files. In this case, SafeGuard Data Exchange does
not encrypt the existing unencrypted files. However, new files are encrypted. So you can read and
edit the existing unencrypted files, but as soon as you rename them, they are encrypted. The
security officer can also specify that you are not allowed to access unencrypted files, and they
remain unencrypted.
There are two ways to exchange encrypted files stored on removable media:
■ Sophos SafeGuard is installed on the recipient's computer: You can use keys available to both
  of you, or you can create a new key. If you generate a new key, you have to provide the data
  recipient with the passphrase for the key.
■ Sophos SafeGuard is not installed on the recipient's computer: Sophos SafeGuard offers
  SafeGuard Portable. This utility can be automatically copied to the removable media in addition
  to the encrypted files. Using SafeGuard Portable and the relevant passphrase, the recipient can
  decrypt the encrypted files and encrypt them again without SafeGuard Data Exchange being
  installed on their computer.
10.1 Settings for handling removable media
If SafeGuard Data Exchange is installed on your computer, removable media will be handled as
predefined by your security officer. A security officer can define the following settings for SafeGuard
Data Exchange (a combination of several settings is also possible):
■ Initial encryption of all files: In this case, encryption of all data on removable media starts as
  soon as the device is connected to your computer. This setting ensures that the removable
  media contain only encrypted data. When encryption starts, you are asked to select a key, or
  a predefined key will be used.
■ User may cancel initial encryption: When initial encryption starts, a dialog is displayed that
  allows you to cancel initial encryption.
■ User is allowed to access unencrypted files: No: In this case, SafeGuard Data Exchange only
  accepts encrypted data on removable media. If unencrypted data exists on removable media,
  the system will not allow you to access it. Only after encrypting the files will you be able to access
  the data.
■ User may decrypt files: In this case, you can explicitly decrypt files on removable media. A file
  that has been explicitly decrypted remains as plain text on the removable storage medium, if
  it is, for example, transferred to a third party.
■ User may define a media passphrase for devices: You are prompted to enter a media passphrase
  the first time you connect removable media.
■ Plain text folder: The security officer may define a plain text folder that will be created on all
  of your removable media. Files in this folder will not be encrypted by SafeGuard Data Exchange.
■ User is allowed to decide about encryption: When you connect removable media to your
  computer, a message box is displayed asking you whether you want to encrypt the files on the
  attached media. In addition, your security officer can allow you to select whether your choice
  is to be remembered for the relevant media. If you select Remember setting and do not show
  this dialog again, the message box will not be displayed again for the relevant media. In this
  case, the new command Re-activate encryption becomes available in the right-click menu of
  the relevant device in Windows Explorer. Select this command to revert your decision about
  encryption for the relevant device. If this is not possible, for example because you do not have
  the relevant rights for the device, an error message is displayed. After you have reverted your
  decision, you are prompted to decide about encryption for the relevant device again.
10.2 Single media passphrase for every removable device connected to the computer
SafeGuard Data Exchange supports the definition of a single media passphrase that will give you
access to all removable devices connected to your computer. This is independent of the key that
is used for encrypting the individual files.
If specified, access to encrypted files can be granted by entering only one media passphrase. The
media passphrase is bound to the computers.
A media passphrase is useful in the following scenarios:
■ You want to use encrypted data on removable media on computers where Sophos SafeGuard
is not installed (SafeGuard Data Exchange in combination with SafeGuard Portable).
■ You want to exchange data with external users: by providing them with the media passphrase,
you can give them access to all files on the removable media with one single passphrase,
regardless of which key was used for encrypting the individual files.
You can also restrict access to all files by only providing the external user with the passphrase
of a specific key. In this case the external user will only have access to files that are encrypted
using this key. All other files will not be readable.
Supported media
SafeGuard Data Exchange supports the following removable media:
■ USB sticks
■ External hard disks connected by USB or FireWire
■ CD RW drives (UDF)
■ DVD RW drives (UDF)
■ FireWire
■ Memory cards in USB card readers
10.3 Encrypting removable media
10.3.1 Initial encryption
Encryption of unencrypted data on removable media either starts automatically as soon as you
connect the media to the system, or you have to start the process manually. If you are entitled to
decide whether files on removable media should be encrypted, you are prompted to do so when
you attach removable media to your computer.
To start the encryption process manually:
1. Select File encryption > Start encryption from the right-click menu in Windows Explorer. If
no specific key has been defined, a dialog is displayed for key selection.
2. Select a key.
If the dialog for key selection does not contain any keys, close the dialog and first create one
or more keys. To do so, right-click the System Tray Icon and select Create new key.
3. Click OK.
All data contained on the removable media is encrypted.
The default key is used as long as no other key is set as the default. If you change the default
key, the new one is used for initial encryption of removable devices that are connected to the
computer afterwards.
If Encrypt plain files and update encrypted files is selected, encrypted files with an existing key
will be decrypted and encrypted again using the new key.
Cancelling initial encryption
If initial encryption is configured to start automatically, you may have the right to cancel initial
encryption. In this case, the Cancel button is activated, a Start button is displayed, and the start
of the encryption process is delayed for 30 seconds. If you do not click the Cancel button during
this time period, initial encryption starts automatically after 30 seconds. If you click Start, initial
encryption is started immediately.
Initial encryption for users with media passphrase
If the usage of a media passphrase has been defined in a policy, you are prompted to enter the
media passphrase before initial encryption. The media passphrase is valid for all of your removable
media and is bound to your computer or to all computers for which you have logon permission.
Initial encryption will not start before you have entered the media passphrase. After you have done
so, initial encryption will start automatically.
After entering the media passphrase once, initial encryption will start automatically when you
connect a different device to your computer.
Note: On computers where your media passphrase is not set, initial encryption will not start.
10.3.2 Transparent encryption
If the settings defined for your computer specify that files have to be encrypted on removable
media, all encryption and decryption processes run transparently.
The files are encrypted when they are written to removable media and decrypted when they are
copied or moved from removable media to another file location.
Note: The data is only decrypted if it is copied or moved to a location for which no other encryption
policy applies. The data is then available at this location in plaintext. If a different encryption
policy applies to the new file location, the data is encrypted accordingly.
Media passphrase
If specified by a policy, you are prompted to enter the media passphrase, when you connect a
removable device for the first time after the installation of SafeGuard Data Exchange.
If the dialog is displayed, specify a media passphrase. You can use this single media passphrase to
access all encrypted files on your removable media, regardless of the key that was used to encrypt
them.
The media passphrase is valid for all devices you connect to the computer. The media passphrase
can also be used with SafeGuard Portable and allows you to access all files, regardless of the key
that was used to encrypt them.
Change/reset media passphrase
You can change your media passphrase at any time using Change Media Passphrase from the
System Tray Icon menu. A dialog is displayed in which you enter the old and new media passphrases
and confirm the new one.
If you have forgotten your media passphrase, this dialog also provides an option to reset it. If you
activate the Reset Media Passphrase option and click OK, you are informed that your media
passphrase will be reset at the next logon.
Log off immediately and log on again. You are informed that there is no media passphrase on
your computer and prompted to enter a new one.
Media passphrase synchronization
The media passphrase on your devices and on your computer will be synchronized automatically.
If you change the media passphrase on your computer and connect a device that still uses an old
version of the media passphrase, you will be informed that the media passphrases have been
synchronized. This is true for all computers for which you have logon permission.
Note: After you have changed your media passphrase, you should connect all your removable
media with your computer. This ensures that the new media passphrase is used on all your devices
immediately (synchronization).
Defining a default key
By defining a default key you specify the key to be used for encryption during normal operation.
You can define the default key from the right-click menu of a file on removable media, or from
the right-click menu of the removable media. Additionally, you can set a key as default immediately
when you create a new local key in the Create key dialog.
Select File encryption followed by Set default key to open a dialog for key selection.
The key you select in this dialog is used for all subsequent encryption processes on the removable
storage medium. If you want to use a different one, you can define a new default key at any time.
By policy, a default key to be used for encryption can be specified. If it is not defined by policy,
you are prompted to specify an initial default key.
10.4 Exchanging data using SafeGuard Data Exchange
The following are typical examples of secure data exchange with SafeGuard Data Exchange:
■ Exchanging data with Sophos SafeGuard users who do not have the same keys as you do.
In this case, create a local key and encrypt the data using this key. Keys created locally are
secured by a passphrase and can be imported by Sophos SafeGuard. You provide the data's
recipient with the passphrase. Using the passphrase, the recipient can import the key and access
the data.
■ Exchanging data with users without Sophos SafeGuard
For users who do not have Sophos SafeGuard installed on their machines, SafeGuard Portable
is available. To exchange data using SafeGuard Portable, local keys must also be used in
combination with a passphrase.
In addition, SafeGuard Portable has to be copied to the removable storage medium. You also
have to provide the recipient of encrypted data with the relevant passphrase. Using the
passphrase and SafeGuard Portable, the user can decrypt the encrypted files, edit them, for
example, and save them encrypted again on the removable storage medium. As SafeGuard
Portable is a self-sufficient application, no additional software needs to be installed on the
computer in order to access encrypted data.
Note: The security officer determines whether SafeGuard Portable is copied to removable media
in the security policy that applies to you.
10.4.1 Import keys from a file
If you have received removable media containing encrypted data or want to access cloud storage
data in a shared folder which has been encrypted using user-defined local keys, you can import
the key required for decryption to your private key ring.
To import the key, you need the relevant passphrase. The person who encrypted the data has to
provide you with the passphrase.
Select the relevant file on the removable device and click File encryption > Import key from file.
Enter the passphrase in the dialog that is displayed. The key is imported, and you can access the
file.
10.4.2 Create local keys
To create a user-defined local key:
1. Right-click the Sophos SafeGuard System Tray Icon on the Windows taskbar.
2. Click Create new key.
3. In the Create Key dialog, enter a Name and a Passphrase for the key.
The internal name of the key is displayed in the field below.
4. Confirm the passphrase.
If you enter an insecure passphrase, a warning message is displayed. To increase the level of
security, we recommend you use complex passphrases. You can also decide to use the passphrase
despite the warning message. The passphrase also has to correspond with the company policies.
If it does not, a warning message is displayed.
5. With the Use as new default key for drive option, you can set the new key immediately as the
default key for the displayed drive.
The default key you specify here is used for encryption during normal operation. It will be used
until a different one is set.
6. Click OK.
If you define this key as the default key, all data copied to the removable storage medium from
now on is encrypted using this key.
Local keys are not backed up and cannot be used for recovery.
For the recipient to be able to decrypt all data contained on the removable storage medium, you
may have to re-encrypt the data on the removable storage medium using the key created locally.
To do so, select File encryption > Start encryption from the device's right-click menu in Windows
Explorer. Select the required local key and encrypt the data. This is not necessary if you use a media
passphrase.
10.5 Writing files to CDs using the Windows CD Writing Wizard
SafeGuard Data Exchange allows you to write encrypted files to CDs using the Windows CD
Writing Wizard.
To do so, an encryption rule has to be specified for the CD recording drive. SafeGuard Data
Exchange adds a dialog to the CD Writing Wizard. There you can specify how the files are written
to CD (encrypted or plain).
Note: If there is no encryption rule for the CD recording drive, files are always written to the CD
in plaintext. The SafeGuard Data Exchange dialog, where the encryption state of files to be written
to the CD can be specified, is not displayed.
After you have entered a name for the CD, the SafeGuard Removable Disk Burning Extension is
displayed.
Under Statistics, the following information is displayed:
■ how many files are selected to be written to CD
■ how many of the selected files are encrypted
■ how many of the selected files are plain files
Under Status, the keys used for encrypting previously encrypted files are displayed.
For encrypting files that will be written to CD, the key that is specified in the encryption rule for
the CD recording drive is always used.
Files to be written to CD may be encrypted with different keys if the encryption rule for the CD
recording drive has been changed. If the encryption rule was deactivated when files were added,
the relevant plain files can be found in the folder for files to be copied to CD.
Encrypt files on CD
If you want to encrypt the files when writing them to CD, click (Re)Encrypt all files.
If necessary, previously encrypted files are re-encrypted, and plain files are encrypted. On the CD,
the files are encrypted using the key that was specified in the encryption rule for the CD recording
drive.
Write files to CD in plain
If you select Decrypt all files, the files are first decrypted and then written to the CD.
Copy SafeGuard Portable to optical media
If you select this option, SafeGuard Portable will also be copied to the CD. This allows the reading
and editing of files encrypted with SafeGuard Data Exchange without having SafeGuard Data
Exchange installed.
10.5.1 Writing CDs/DVDs with Windows Vista and Windows 7
Windows Vista and Windows 7 provide a CD Writing Wizard for CDs/DVDs.
The SafeGuard Disc Burning Extension for the CD Writing Wizard is only available for burning
CDs/DVDs in Mastered format. The wizard is only displayed if files are to be written on CDs/DVDs
in Mastered format.
For the Live File System, no Recording Wizard is required. In this case, the recording drive is used
like any other removable media. If there is an encryption rule for the recording drive, the files are
encrypted automatically when they are copied to CD/DVD.
10.6 SafeGuard Portable
Using SafeGuard Portable, you can exchange encrypted data on removable media with recipients
who do not have SafeGuard Data Exchange installed on their machines. Data encrypted with
SafeGuard Data Exchange can be encrypted and decrypted using SafeGuard Portable. This is
achieved by automatically copying a program (SGPortable.exe) to the removable media.
Note: SafeGuard Portable only encrypts or decrypts files encrypted with AES 256.
Using SafeGuard Portable in combination with the relevant media passphrase gives you access to
all encrypted files, regardless of which local key was used for encrypting them. The passphrase of
a local key only gives you access to files that have been encrypted using this specific key. The
recipient can decrypt encrypted data and encrypt it again.
Note: The media passphrase or the passphrase of a local key has to be communicated to the
recipient beforehand.
The recipient can use existing keys created with SafeGuard Data Exchange for encryption, or create
a new key with SafeGuard Portable (for example, for new files).
SafeGuard Portable does not have to be installed on or copied to your communication partner’s
computer. It remains on the removable media.
Note: As a Sophos SafeGuard user, you usually do not need SafeGuard Portable. The following
description assumes that users do not have Sophos SafeGuard installed on their computer and
therefore have to use SafeGuard Portable to edit encrypted data.
10.6.1 Edit files using SafeGuard Portable
You have received removable media containing files encrypted with SafeGuard Data Exchange,
along with a folder named SGPortable. This folder contains the file SGPortable.exe.
1. Start SafeGuard Portable by double-clicking SGPortable.exe.
Using SafeGuard Portable, you can decrypt the encrypted data on the removable media and
then re-encrypt it. SafeGuard Portable offers functionality that is similar to Windows Explorer.
In addition to the file details known from Windows Explorer (name, size, etc.), SafeGuard
Portable shows the Key column. This column indicates whether the relevant data is encrypted.
If a file is encrypted, the name of the key used is displayed.
Note: You can only decrypt files if you know the relevant passphrase for the key used.
2. To edit files on the removable media, select the file with a left-click, and choose the relevant
command from the context menu (with a right-click) or from the File menu.
The following menu commands are available from the context menu:
■ Set Encryption Key: Opens the Enter Key dialog. In this dialog, you can generate an encryption
key with SafeGuard Portable.
■ Encrypt: Encrypts the activated file on your removable media. The last-used key is used for
encryption.
■ Decrypt: Opens the Enter Passphrase dialog. Enter the passphrase for decrypting the selected
file in this dialog.
■ Encryption State: Displays a dialog that shows the file's encryption state.
■ Copy to: Copies the file to a folder of your choice and decrypts it.
■ Delete: Deletes the activated file from your removable media.
You can also select the commands Open, Delete, Encrypt, Decrypt and Copy with the icons
shown on the toolbar.
10.6.1.1 Set encryption keys
To encrypt a file on removable media, and create an encryption key:
1. From the right-click menu or from the File menu, select Set Encryption Key.
The Enter Key dialog is displayed.
2. Enter a Name and a Passphrase for the key. Confirm the passphrase, and click OK.
The passphrase has to correspond to the company policies. If it does not, a warning message
is displayed.
The key is created and will be used for encryption from now on.
10.6.1.2 Encrypt files on removable media
1. In SafeGuard Portable Explorer, select the file and, using the right-click menu, select Encrypt.
The file is encrypted with the key last used by SafeGuard Portable.
When saving new files on removable media using a drag-and-drop procedure in SafeGuard
Portable Explorer, you are asked if you want to encrypt the files.
If this is the case, and there has been no encryption using SafeGuard Portable before, a dialog
for setting the key opens. Enter the name of the key and the passphrase (and confirm the
passphrase) in this dialog. Click OK.
2. Select the file to be encrypted with the key you have just set, and select Encrypt from the context
menu or from the File menu.
The file is encrypted, and a message is displayed upon completion.
Note: The key last used and set by SafeGuard Portable is used for all subsequent encryption
processes you perform with SafeGuard Portable, unless you set a new key.
10.6.1.3 Decrypt files on removable media
1. Select the file in SafeGuard Portable Explorer, and select Decrypt from the context menu.
The dialog for entering the media passphrase or the passphrase of a local key is displayed.
2. Enter the relevant passphrase (the sender has to provide you with this passphrase), and click
OK.
The file is decrypted.
The media passphrase gives you access to all encrypted files on the removable media, regardless
of which local key was used to encrypt them. If you only have the passphrase of a local key, you
will only have access to files which are encrypted using this key.
When decrypting a file that has been encrypted using a key you have generated in SafeGuard
Portable, this file is decrypted automatically.
After decrypting files on removable media and entering the key's passphrase, you do not have to
enter it again the next time you encrypt or decrypt files that have been encrypted with the same
key.
SafeGuard Portable stores the passphrase for as long as the application is running. The last key
used by SafeGuard Portable is used for encryption.
After you decrypt the files, they are available in plaintext on the removable media. Files that have
been decrypted are encrypted again when you close SafeGuard Portable.
10.6.1.4 Encrypt new files using SafeGuard Portable
You can also copy your own files in encrypted form onto removable media using SafeGuard
Portable.
1. Move the required files into SafeGuard Portable Explorer using drag-and-drop.
The system asks you whether you want to encrypt the relevant file.
2. Confirm that you want to encrypt the file. The file is encrypted with the key last used and
copied to the removable media.
10.6.1.5 Encryption state
To determine a file's encryption state:
1. Select the file, and select the Encryption State from the right-click menu or from the File menu.
The encryption state is also indicated in the Key column next to the file name in SafeGuard
Portable Explorer.
10.6.2 Other operations using SafeGuard Portable
The following operations are also available:
■ Open: This menu command is only available from the SafeGuard Portable File menu.
When you open an encrypted file with this menu command, you are prompted to enter your
passphrase. Enter your passphrase, and click OK. The file is decrypted and opened.
■ Delete: Deletes the selected file.
■ Copy to: This menu command is only available in the right-click menu that you can open using
your right mouse button in SafeGuard Portable Explorer.
Using this command, you can copy files from removable media to another drive on your
computer.
■ Exit: This menu command is only available from the SafeGuard Portable File menu.
Exit closes SafeGuard Portable.
11 SafeGuard Cloud Storage
The module Cloud Storage offers file-based encryption of data stored in the cloud.
It does not change the way you work with data stored in the cloud. But Cloud Storage makes sure
that the local copies of your cloud data are encrypted transparently and remain encrypted when
they are stored in the cloud.
Note: Do not add files to your Dropbox folder by dropping them onto the Dropbox icon on the
Windows desktop. These files will be copied to your Dropbox folder in plain. To encrypt files
transparently, copy them directly to your Dropbox folder.
11.1 Cloud Storage auto-detection
SafeGuard Cloud Storage automatically detects your cloud storage provider. It will automatically
set the encryption policy to the folder to be synchronized.
11.2 Cloud Storage initial encryption
SafeGuard Cloud Storage does not perform an initial encryption of your data. Files which have
been stored before SafeGuard Cloud Storage was installed or was activated by a policy remain
plain.
You can encrypt these files by copying them to a folder where a Cloud Storage policy is applicable.
11.3 Set default keys
SafeGuard Cloud Storage allows you to set default keys for encrypting data in your cloud storage.
Using default keys allows you to encrypt different subfolders of your cloud storage using different
keys by setting a separate default key for each folder. You set default keys using the File encryption
> Set default key ... command from the SafeGuard Explorer Extensions, see Define a default key
(section 14.1.1).
Note: To do so, your security officer has to explicitly allow the use of default keys for Cloud
Storage. If allowed, you can select a default key from a predefined set of keys and use it for
encrypting folders of your cloud storage.
Note: If you intend to read encrypted files on Android and iOS devices with Sophos Mobile
Encryption, you must use local keys for encryption. For further information on Sophos Mobile
Encryption, see the Sophos Mobile Encryption Help.
Imagine you want to use Dropbox to provide secured data for different partners. Each partner
should have access to one subfolder of your Dropbox. To do so, you only have to set a separate
default key for each of the subfolders. Sophos SafeGuard will then automatically add a copy of
SafeGuard Portable, which gives partners without SafeGuard Cloud Storage access to encrypted
data, to each subfolder. You provide your partners with the respective passphrases for the keys.
Using SafeGuard Portable and the passphrase, they can decrypt data in the folder you created for
them, but they do not have access to data stored in other subfolders, because it is encrypted with
a different key.
11.4 SafeGuard Portable for Cloud Storage
You may want to access your cloud storage from home or exchange encrypted data in the cloud
by using a shared folder in your cloud storage. SafeGuard Portable allows access to encrypted data
stored in the cloud without having SafeGuard Cloud Storage installed.
Data encrypted with SafeGuard Cloud Storage can be encrypted and decrypted using SafeGuard
Portable. This is achieved by automatically copying a program (SGPortable.exe) to your
synchronization folder.
The passphrase of a local key only allows access to files that have been encrypted using this specific
key. You or any recipient can decrypt encrypted data and encrypt it again.
Note: The passphrase of a local key has to be communicated to the recipient beforehand.
The recipient can use existing keys or create a new key with SafeGuard Portable (for example, for
new files).
SafeGuard Portable does not have to be installed on or copied to your communication partner's
computer. It remains in the cloud storage.
For a detailed description of how to use SafeGuard Portable, see Edit files using SafeGuard Portable
(section 10.6.1).
Note: Double-clicking a file or selecting the Open command will not cause in-place decryption
of the file, since decrypted files in cloud storage synchronization folders would automatically be
synchronized to the cloud! Instead, a dialog appears asking you to choose a safe location
for the file. Decrypted files are not wiped automatically when SafeGuard Portable is closed. Changes
made to files decrypted using SafeGuard Portable for Cloud Storage are not written back to the
encrypted original.
Note: Do not store cloud storage synchronization folders on removable media or the network. If
you do, SafeGuard Portable creates decrypted files in those folders. SafeGuard Portable should
not be used in such cases. Consider moving the synchronization folders to fixed disks instead.
12 Sophos SafeGuard and self-encrypting, Opal-compliant hard drives
Self-encrypting hard drives offer hardware-based encryption of data when they are written to the
hard disk. The Trusted Computing Group (TCG) has published the vendor-independent Opal
standard for self-encrypting hard drives. Different hardware vendors offer Opal-compliant hard
drives. Sophos SafeGuard supports the Opal standard. For details, see
http://www.sophos.com/en-us/support/knowledgebase/113366.aspx.
12.1 Encryption of Opal-compliant hard drives
Opal-compliant hard drives are self-encrypting. Data are encrypted automatically when they are
written to the hard disk.
Opal-compliant hard drives are locked by an AES 128/256 key used as an Opal password. This
password is managed by Sophos SafeGuard through an encryption policy. Your security officer
defines this encryption policy in the SafeGuard Policy Editor and deploys it to your computer.
12.2 System Tray Icon and Explorer extensions on endpoints with Opal-compliant hard drives
When Sophos SafeGuard is installed on your computer, the Sophos SafeGuard product icon is
displayed in the system tray of the computer taskbar. You can centrally access all important
functions provided by Sophos SafeGuard on your computer. Note that the features available
depend on the settings defined by the security officer.
If the security officer has enabled you by policy to decrypt Opal-compliant hard drives, the Sophos
SafeGuard Decrypt command is available in the Windows Explorer right-click menu.
13 System Tray Icon and tooltips
The following functionality is available from the System Tray Icon:
■ Display:
  ■ Key ring: Shows all keys available to you.
  Note: The Sophos SafeGuard Client uses a defined computer key for volume-based
  encryption and file-based encryption of drives. This key will not be displayed in the dialog.
  Only keys created locally on the computer will be displayed. If you have not created any
  keys, none is displayed in the dialog.
  ■ User Certificate: Shows information concerning your certificate.
  ■ Company Certificate: Shows information concerning the company certificate used.
■ Create new key: Opens a dialog to create a new key that is used for data exchange with
removable media.
■ Key backup: Using this function, you can create a backup of the key file. This key file is
necessary for logon recovery with Challenge/Response.
■ Local Self Help: If Local Self Help is activated for your computer in the relevant policy, the
Local Self Help command is shown on the right-click menu of the System Tray icon. Using this
command, you can launch the Local Self Help Wizard. Local Self Help is a logon recovery method
that does not require any helpdesk assistance.
■ User Machine Assignments: Shows a list of users who can log on at the SafeGuard Power-on
Authentication as Sophos SafeGuard users (user type SGN user) and at Windows as Sophos
SafeGuard Windows users (user type SGN Windows user). A Sophos SafeGuard Windows user is
not added to the SafeGuard POA, but has a keyring for accessing encrypted files, just as a Sophos
SafeGuard user. In the dialog displayed, you can remove both user types from the list, if this has
been enabled for your computer by policy. In the User Machine Assignments dialog, Sophos
SafeGuard Windows users are marked by a tick in the SGN Windows user checkbox.
■ Status: Provides a dialog offering information on the current status of the Sophos SafeGuard
protected computer:
Last policy received: Shows the date and time when the computer last received a new policy.
Last key received: Shows the date and time when the computer last received a new key.
Last certificate received: Shows the date and time when the computer last received a new
certificate.
SGN user state: Shows the status of the user who is logged on to the computer (Windows logon):
■ Pending: The user is being assigned to the Sophos SafeGuard installation as a Sophos
SafeGuard user. Please wait until the user data has been processed. Afterwards, the user status
will be automatically set to SGN user, that is, Sophos SafeGuard user.
■ SGN user: The user has been assigned to the Sophos SafeGuard installation as a Sophos
SafeGuard user.
■ SGN guest: The user logged on to Windows is a Sophos SafeGuard guest user. The user is
allowed to log on to Windows without being assigned to this Sophos SafeGuard protected
computer as a Sophos SafeGuard user.
■ SGN guest (service account): The user logged on to Windows is a Sophos SafeGuard guest user
who has logged on using a service account for administrative tasks.
■ SGN Windows user: The user logged on to Windows is a Sophos SafeGuard Windows user. A
Sophos SafeGuard Windows user is not added to the SafeGuard POA, but has a keyring for
accessing encrypted files, just as a Sophos SafeGuard user. The users are added to the User
Machine Assignment as soon as they have logged on to Windows.
■ Unknown: Indicates that the user status could not be determined.
Local Self Help (LSH) State (Enabled / Active): Indicates whether Local Self Help has been enabled
in a policy and whether it has been activated by the user on the computer.
■
Help
Starts the Sophos SafeGuard Online Help.
■
About Sophos SafeGuard
Shows information about your Sophos SafeGuard version.
The tool tip for the System Tray Icon indicates that the computer is a Sophos SafeGuard Client
(standalone).
Note:
A balloon tool tip indicates successful completion of initial synchronization.
Restart your computer after successful completion of initial synchronization. Only after you restart
your computer are all Sophos SafeGuard functions available.
13.1 Remove users from User Machine Assignment
All SGN users and SGN Windows users are managed in a list called "User Machine Assignment".
As an SGN user or as an SGN guest with a service account, you can remove other SGN users and
SGN Windows users. An SGN guest with a service account can carry out administrative tasks
after installation before SafeGuard Power-on Authentication is activated. SGN Windows users
can remove other SGN Windows users.
After you have removed users, an SGN user can no longer log on at the SafeGuard Power-on
Authentication and an SGN Windows user can no longer log on at Windows.
Note: If you have logged on as an SGN Windows user, you cannot remove SGN users.
Note: The user currently logged on and the last user in the list cannot be removed.
To remove an SGN user:
1. Right-click the system tray icon.
2. From the right-click menu of the system tray icon, select User Machine Assignments. The
User Machine Assignments dialog shows all Sophos SafeGuard users (SGN users) and Sophos
SafeGuard Windows users (SGN Windows users).
3. Select a user and click Remove selected user. Click Remove all SGN Windows users to remove
all Sophos SafeGuard Windows users from the list. After users have been removed, they can
no longer log on at the SafeGuard Power-on Authentication or at Windows.
4. Click OK.
The users can no longer log on at the SafeGuard Power-on Authentication or at Windows.
14 Accessing functions via Explorer extensions
You can access encryption-related functions from the corresponding entries in Windows Explorer
right-click menus.
Note: The functions displayed depend on the settings defined in the policies. They also depend
on whether the relevant function is available for the Explorer node selected. The function scope
varies depending on whether file-based or volume-based encryption was used for the relevant
volume/folder/file.
14.1 Explorer extensions for file-based encryption
You can access the functions for file-based encryption (Data Exchange, Cloud Storage) from the
corresponding entries in Windows Explorer right-click menus. The functions are available in the
right-click menus of
■ volumes
■ removable media
■ folders
■ files
The functions displayed in the menus depend on which components are installed.
The entry File encryption is added to the right-click menu. You can access the individual functions
from this menu.
If no file-based encryption policy applies to the volume selected, you can only determine the
encryption state and display the dialog for generating new keys from the right-click menu.
If a file-based encryption policy applies to the selected volume, removable media, directory, or
file, encryption-related entries are added to the right-click menu.
Note: The functions displayed depend on the settings defined in the policies. They also depend
on whether the relevant function is available for the volume selected. The function scope varies
depending on whether file-based or volume-based encryption was used for the relevant volume.
The following functions are available:
■ Start encryption: If you select this option in a volume's right-click menu, all files can be
encrypted or newly encrypted.
■ Show encryption state: Indicates whether a volume, removable media, or a file has been
encrypted, which key has been used, whether the key is included in your key ring, and whether
you have access to this file.
■ Decrypt: Decrypts the selected volume or file.
■ Default key: Shows the key currently used for new files added to the volume (by saving, copying
or moving). You can define the standard key for each individual volume or removable media
separately.
■ Set default key: Opens a dialog for selecting a different default key.
■ Create new key: Opens a dialog for creating user-defined local keys.
■ Reactivate encryption: Your security officer can allow you to decide whether files on removable
media connected to your computer are to be encrypted. When you connect removable media
to your computer, a message box is displayed asking you whether you want to encrypt the files
on the attached media. In addition, your security officer can allow you to select whether your
choice is to be remembered for the relevant media. If you select Remember setting and do not
show this dialog again, the message box will not be displayed again for the relevant media. In
this case, the new command Re-activate encryption becomes available in the right-click menu
of the relevant device in Windows Explorer. Select this command to revert your decision about
encryption for the relevant device. If this is not possible, for example because you do not have
the relevant rights for the device, an error message is displayed. After you have reverted your
decision, you are prompted to decide about encryption for the relevant device again.
14.1.1 Define a default key
By defining a default key you specify the key to be used for encryption during normal operation
of SafeGuard Data Exchange and SafeGuard Cloud Storage.
You can define the default key from the right-click menu
■ of a file on removable media
■ of removable media
■ of a Cloud Storage synchronization folder or sub-folder
■ of a file in a Cloud Storage synchronization folder or sub-folder
■ additionally, you can set a key as default immediately when you create a new local key in the
Create key dialog.
To define a default key:
Select File encryption > Set default key to open a dialog for key selection.
The key you select in this dialog is used for all subsequent encryption processes on the removable
storage medium or in your Cloud Storage synchronization folder. If you want to use a different
one, you can define a new default key at any time.
Note: If a local key is selected for encryption of Cloud Storage, SafeGuard Portable will be copied
to the Cloud Storage synchronization folder.
By policy, a default key to be used for encryption can be specified. If it is not defined by policy
and you are allowed to set default keys, you are prompted to specify an initial default key.
14.1.2 Import keys from a file
If you have received removable media containing encrypted data or want to access cloud storage
data in a shared folder which has been encrypted using user-defined local keys, you can import
the key required for decryption to your private key ring.
To import the key, you need the relevant passphrase. The person who encrypted the data has to
provide you with the passphrase.
Select the relevant file on the removable device and click File encryption > Import key from file.
Enter the passphrase in the dialog that is displayed. The key is imported, and you can access the
file.
14.2 Explorer extensions for volume-based encryption
The entry Encryption is added to the Windows Explorer right-click menu.
If the volume is encrypted, a key symbol is displayed next to the menu entry.
Note: File encryption > Show encryption state shows the encryption status of the files on the
volume from a file-based encryption point of view. Files on an encrypted volume can also be
encrypted in a file-based manner. If this is the case, a dialog will be displayed accordingly.
15 Recovery options
For recovery (for example, if you have forgotten your password), Sophos SafeGuard offers different
options that are tailored to different recovery scenarios:
■ Logon recovery with Local Self Help
If you have forgotten your password, Local Self Help enables you to log on to your computer
without the assistance of a helpdesk. Even in situations where neither telephone nor network
connections are available (for example, aboard an aircraft), you can regain access to your
computer. To log on, you simply answer a number of predefined questions in the SafeGuard
Power-on Authentication.
For further information, see Recovery with Local Self Help (section 16).
■ Recovery with Challenge/Response
The Challenge/Response mechanism is a secure and efficient recovery system that helps you
if you cannot log on to your computer or access encrypted data. During the Challenge/Response
procedure, you provide a challenge code generated on your computer to the helpdesk officer,
who in turn generates a response code that authorizes you to perform a specific action on the
computer.
For further information, see Recovery with Challenge/Response (section 17).
Both recovery options are enabled for use on your computer by the security officer in policies.
16 Recovery with Local Self Help
If you have forgotten your password, Local Self Help enables you to log on to your computer
without the assistance of a helpdesk.
Using Local Self Help, you can regain access in situations where neither telephone nor network
connections are available, and you therefore cannot use a Challenge/Response procedure (for
example, aboard an aircraft). You can log on to your computer by answering a specified number
of predefined questions in the SafeGuard Power-on Authentication.
The security officer can define the questions to be answered and distribute them to the endpoints.
You can also define your own questions, if the relevant policy entitles you to do so. The Local Self
Help Wizard helps you provide the initial answers and edit the questions. You can open the Local
Self Help Wizard by clicking the Sophos SafeGuard System Tray icon on the Windows taskbar.
Recovery with Local Self Help is available for the following logon methods in the SafeGuard
Power-on Authentication:
■ Logon with user ID and password
■ Logon with fingerprint
■ Logon with non-cryptographic token, provided that logon with user ID and password has also
been enabled as a possible logon mode by policy.
Prerequisites
To use Local Self Help for logon recovery, the following prerequisites must be met:
■ The security officer has enabled Local Self Help by policy and has defined the settings for this
function (for example, the right to define your own questions).
■ You have activated Local Self Help on your computer (see Activate Local Self Help (section
16.1)).
16.1 Activate Local Self Help
After the policy entitling you to use Local Self Help has become effective, you have to activate the
function by answering the predefined questions received or by defining and answering your own
questions.
Local Self Help only becomes active on your computer after you have answered and saved a
predefined number of questions. The security officer specifies how many questions you have to
answer. The Local Self Help Wizard guides you through the process and shows how many answers
are required. Depending on the policy settings, these are the possible scenarios:
■ You have received predefined questions, and you are not entitled to define your own
questions.
Answer and save the predefined questions received. The Local Self Help Wizard shows how
many answers are required.
■ You have received predefined questions, and you are entitled to define your own questions.
Answer and save the required number of questions (predefined questions, your own defined
questions, or a combination of both).
■ You have not received predefined questions, and you are entitled to define your own
questions.
Define, answer, and save the required number of questions.
Note: To log on at the SafeGuard Power-on Authentication with Local Self Help, you have to
answer questions randomly selected from the questions answered in the Local Self Help Wizard.
The security officer specifies how many questions you have to answer in the SafeGuard POA.
Prerequisite: After receiving the policy, the tool tip indicates that there are unanswered Local Self
Help questions. Restart your computer to add the Local Self Help command to the right-click
menu of the System Tray Icon on the Windows taskbar.
To activate Local Self Help:
1. Right-click the Sophos SafeGuard System Tray Icon on the Windows taskbar.
2. Select Local Self Help.
The Local Self Help Wizard Welcome dialog is displayed.
For security reasons, you are prompted to enter your password.
3. Enter your password, and click Next.
The Status Overview dialog is displayed.
This dialog tells you how to activate Local Self Help. It also displays status information (for
example, the number of answered user-defined questions, the number of answered predefined
questions, etc).
4. Click Next.
If you have received predefined questions with the effective policy, the Predefined questions
dialog is displayed.
■ If you have received several different question themes, you can choose from the question
themes displayed in the drop-down list of the Theme field.
■ To display all themes in a continuous list, select the All Themes option (default) from the
drop-down list.
■ To answer the questions, click on the relevant question, and enter your answer in the
Answers column.
■ After you enter the answer, the text entered is hidden. To view the text, select Show answers.
5. After you have finished answering the predefined questions, click Next.
6. If you are entitled to define your own questions, the User defined questions and answers
dialog is displayed.
a) To add a new question, click New Question.
A new line is added to the list of questions.
b) Enter your question in the Questions column and the answer in the Answers column.
After you enter the answer, the entered text is hidden.
c) To display the text, select Show answers.
Note: When answering the questions during a recovery process in the SafeGuard Power-on
Authentication, you will have to enter the answers exactly as you entered them in the Local
Self Help Wizard. For example, answers are case-sensitive in Local Self Help.
When entering answers in Japanese, you have to use Romaji (Roman) characters. Otherwise
the answers will not match when you answer the questions in the SafeGuard POA.
7. After you have finished defining and answering your own questions, click Next.
The last dialog of the Local Self Help Wizard shows the new status information after you answer
the questions. A message indicates whether the prerequisites for activating Local Self Help have
been met.
8. Click Finish.
The questions and answers are saved. A message is displayed indicating that Local Self Help
was activated successfully.
9. Click OK.
Local Self Help is active on your computer. You can use Local Self Help for logon recovery in the
SafeGuard Power-on Authentication.
16.2 Edit questions
After activating Local Self Help on your computer, you can edit the questions at any time:
■ For predefined questions, you can change the answers that were provided when answering the
questions initially. However, predefined questions cannot be deleted.
■ For user-defined questions, you can change the answers that were provided when answering
the questions initially, add new questions, or delete questions.
1. Right-click the Sophos SafeGuard System Tray Icon on the Windows taskbar.
2. Select Local Self Help.
The Local Self Help Wizard Welcome dialog is displayed.
For security reasons, you are prompted to enter your password.
3. Enter your password, and click Next.
The Status Overview dialog is displayed.
This dialog tells you how to activate Local Self Help. It also displays status information (for
example, the number of answered user-defined questions, the number of answered predefined
questions, etc).
4. Click Next.
a) If you have received and answered predefined questions, the Predefined Questions dialog
is displayed, containing the answered questions.
b) If you have received several different question themes, you can choose between the question
themes to be displayed in the drop-down list of the Theme field.
c) To display all themes in a continuous list, select the All Themes (default) option in the
drop-down list.
By default the answers entered are not shown as text.
d) To show the text entered, select the Show answers check box.
e) To change the answers, click the relevant questions and enter your new answer in the
Answers column.
5. Click Next. If you are entitled to define your own questions, the User defined questions and
answers dialog is displayed. By default the answers entered are not shown as text.
a) To show the text entered, select the Show answers check box.
b) To change existing answers, click the relevant question, and enter your new answer in the
Answers column.
c) To add a new question, click New Question.
A new line is added to the list of questions. Enter your question in the Questions column
and the answer in the Answers column.
d) To delete questions, click the relevant question and click Delete Question.
A message is displayed, prompting you to confirm that you want to delete the question.
Click Yes.
6. Click Next.
The last dialog of the Local Self Help Wizard shows the new status information after you edit
the questions. A message indicates whether the prerequisites required for Local Self Help to
remain active have been met.
7. Click Finish.
The questions and answers are saved. A message is displayed indicating that the editing
procedure was successful, and Local Self Help remains active.
8. Click OK.
The modifications take effect.
Next time you launch Local Self Help in the SafeGuard Power-on Authentication, the modified/new
questions are selected randomly and displayed. The modified/new answers apply.
Note: If the number of answered questions falls below the minimum number required due to the
changes made, a warning message is displayed in the last dialog of the Local Self Help Wizard,
indicating that Local Self Help will be deactivated after you close the wizard.
If you do not want to deactivate Local Self Help, you can return to User defined questions and
Predefined questions by clicking the Back button. You can then add or answer new questions. If
you click Finish and the number of answered questions has fallen below the minimum number
required, another warning message is displayed, indicating that Local Self Help is no longer active
on your computer. However, in this case, you can reactivate Local Self Help (see Activate Local
Self Help (section 16.1)).
16.3 Changes of question parameters
The security officer can define the following parameters that apply to Local Self Help questions:
■ The number of questions you have to answer in the Local Self Help Wizard to activate Local
Self Help on your computer. The number of questions specified must be available with answers
for Local Self Help to remain active.
■ The number of questions you have to answer in the SafeGuard POA to log on with Local Self
Help. The questions displayed in the SafeGuard POA are selected randomly from the questions
you have answered in the Local Self Help Wizard.
If these two parameters change due to a new policy deployed to your computer, the following
scenarios may occur:
Condition: The number of questions you have to answer in the LSH Wizard changes, but there are
enough questions available for Local Self Help to remain active on your computer.
LSH action: Local Self Help remains active on your computer.
User action required: None

Condition: The number of questions you have to answer in the LSH Wizard changes and there are
not enough questions available for Local Self Help to remain active on your computer.
LSH action: A message is displayed stating that your Local Self Help settings have changed. The
questions available on your computer are no longer valid. Local Self Help is no longer active on
your computer.
User action required: To reactivate Local Self Help, open the Local Self Help Wizard and follow
the Wizard instructions.

Condition: The number of questions you have to answer in the SafeGuard POA to log on with Local
Self Help changes.
LSH action: A message is displayed stating that your Local Self Help settings have changed. The
questions available on your computer remain valid. The ratio between available questions and
valid answers has changed.
User action required: Open the Local Self Help Wizard and follow the Wizard instructions.
16.4 Changes of conditions or parameters for Local Self Help during
editing processes
Local Self Help parameters may change while you are defining or editing questions in the Local
Self Help Wizard. For example, a new policy with new Local Self Help settings and/or a new set
of Local Self Help questions may be transferred to your computer through your company-specific
distribution mechanism.
If such changes occur during the editing process, the set of questions and answers you have defined
may no longer be valid and there may not be enough questions for Local Self Help to become or
stay active on your computer.
Therefore, each time you finish defining or editing questions in the Local Self Help Wizard, the
wizard checks whether any of the following conditions apply and initiates the relevant action:
Condition: Local Self Help has been disabled globally by a new policy.
LSH Wizard action: The Local Self Help Wizard shows a message stating that Local Self Help has
been disabled globally and closes.
Result: Local Self Help can no longer be used.

Condition: Local Self Help parameters have been changed (for example minimum length of
answers, right to define your own questions, the number of questions to be answered) by a new
policy. However, Local Self Help has not been disabled. The questions and answers you have
defined are still valid and sufficient for Local Self Help to be active on your computer.
LSH Wizard action: The Local Self Help Wizard shows a message stating that the Local Self Help
parameters have changed, saves your changes and closes.
Result: Local Self Help is active on your computer and can be used for logon recovery. However,
the ratio of available questions and valid answers may have changed. To regain the initial ratio,
you may need to add or delete questions and/or answers.

Condition: Local Self Help parameters have been changed (for example minimum length of
answers, right to define your own questions, the number of questions to be answered) by a new
policy. Local Self Help has not been disabled. However, the questions and answers you have
defined are no longer valid and there are not enough questions for Local Self Help to be active
on your computer.
LSH Wizard action: The Local Self Help Wizard shows a message stating that Local Self Help
parameters have changed. Local Self Help will not be active on your computer. You are advised
to rerun the wizard. The wizard closes.
Result: To activate Local Self Help, rerun the Local Self Help Wizard and define questions and
answers again. Afterwards, you can use Local Self Help for logon recovery.
16.5 Log on at the SafeGuard POA with Local Self Help
1. In the SafeGuard POA logon dialog, click the Recovery button.
■ If only Local Self Help is activated for logon recovery, Local Self Help is started.
■ If Local Self Help and Challenge/Response are available for logon recovery, a dialog with
both recovery methods for selection is displayed. Click Local Self Help.
Note: If you usually log on to the SafeGuard Power-on Authentication with a token or
smartcard, you first have to remove the token/smartcard from your computer. After that the
SafeGuard POA logon dialog for logging on with user name and password is displayed. Enter
your user ID and click the Recovery button.
The Local Self Help Welcome dialog is displayed.
This dialog provides a short description of the next steps.
2. Click Next to start answering the questions.
The first question is displayed.
3. Enter your answer.
By default, the text entered is not displayed in the input field for security reasons. To display
the answer, clear the Hide answer check box.
4. After answering the question, click Next.
You can only click Next and continue with the next question after you have entered an answer.
5. Answer the remaining questions. After answering the last one, click OK.
In the next dialog, you can display your current password.
6. To display the password, press Enter or Spacebar or click the blue box.
Note:
Do NOT click OK. After clicking OK the startup process will continue WITHOUT showing
the password.
The password will be shown for a maximum of five seconds. Afterwards, the startup process
continues automatically.
Note: Make sure that no unauthorized person can view the contents of your screen, by chance
or on purpose. You can immediately hide your password by pressing the Spacebar, Enter, or
by clicking the blue display box.
7. You can read the password and use it for logging on at the SafeGuard Power-on Authentication
and to Windows again.
8. After reading the password, click OK. Otherwise, the startup process will continue automatically,
five seconds after showing the password.
You are now logged on to the SafeGuard Power-on Authentication and to Windows.
16.6 Failed logon attempts
If you enter a wrong answer for one or several questions, the logon fails. In this case, a message
indicating the failed logon is displayed. For security reasons, Local Self Help does not indicate
which of the answers were wrong.
A failed Local Self Help recovery procedure is considered a failed logon attempt and logged as an
event. In this case, a logon delay goes into effect. The logon delay period increases with every failed
logon attempt.
If you restart your computer after a failed logon attempt, and select logon recovery with Local Self
Help again, questions are randomly selected again.
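The Local Self Help rules from sections 16.3 to 16.6 (activation threshold, random question selection at the POA, exact case-sensitive matching, a failed attempt that reveals nothing and lengthens the logon delay, and the three outcomes of a policy change) as an added Python model; this is not Sophos code, and the salted hashing of answers, the doubling delay and the min_answer_length parameter are assumptions.

```python
"""Model of the Local Self Help (LSH) rules described in sections 16.3 to 16.6.

Added example, not Sophos code. It reproduces the documented behaviour:
activation needs a policy-defined number of answered questions, the POA asks
a random subset, answers must match exactly (case-sensitive), a failed attempt
does not reveal which answer was wrong and increases the logon delay, and a
policy change can leave LSH active, active with a changed ratio, or inactive.
Hashing answers with a per-question salt and doubling the delay are assumptions;
the page does not describe how the product stores answers or sizes the delay.
"""
import hashlib
import hmac
import os
import random
from dataclasses import dataclass, field


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # No trimming or case folding: answers are compared exactly as entered.
    return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, 50_000)


@dataclass
class Policy:
    questions_to_activate: int  # answers required in the wizard for LSH to be active
    questions_at_poa: int       # questions asked at the SafeGuard POA
    min_answer_length: int = 1  # assumed policy parameter ("minimum length of answers")


@dataclass
class StoredQuestion:
    text: str
    salt: bytes
    digest: bytes
    predefined: bool


@dataclass
class LocalSelfHelp:
    policy: Policy
    questions: list = field(default_factory=list)
    failed_attempts: int = 0

    def add_answer(self, text: str, answer: str, predefined: bool = False) -> None:
        """Wizard step: store one answered question (predefined or user-defined)."""
        if len(answer) < self.policy.min_answer_length:
            raise ValueError("answer shorter than the policy minimum")
        salt = os.urandom(16)
        self.questions.append(StoredQuestion(text, salt, _hash_answer(answer, salt), predefined))

    def is_active(self) -> bool:
        """Section 16.3: LSH stays active only while enough answered questions exist."""
        return len(self.questions) >= self.policy.questions_to_activate

    def apply_policy(self, new: Policy) -> str:
        """Section 16.3 table: outcome of a policy change for the stored questions."""
        old, self.policy = self.policy, new
        if not self.is_active():
            return "deactivated"            # rerun the wizard to reactivate
        if new.questions_at_poa != old.questions_at_poa:
            return "active, ratio changed"  # questions still valid; open the wizard
        return "active"

    def select_poa_questions(self, rng=None) -> list:
        """Section 16.5: the POA picks a random subset of the answered questions."""
        if not self.is_active():
            raise RuntimeError("Local Self Help is not active on this computer")
        rng = rng or random.SystemRandom()
        return rng.sample(range(len(self.questions)), self.policy.questions_at_poa)

    def poa_logon(self, answers: dict) -> bool:
        """Section 16.6: all answers are checked; a single wrong one fails the logon
        without saying which, and counts as a failed logon attempt."""
        if len(answers) != self.policy.questions_at_poa:
            return False
        ok = True
        for idx, given in answers.items():
            q = self.questions[idx]
            # Check every answer (no early exit) so timing does not hint at the wrong one.
            if not hmac.compare_digest(_hash_answer(given, q.salt), q.digest):
                ok = False
        if not ok:
            self.failed_attempts += 1
            return False
        self.failed_attempts = 0
        return True

    def logon_delay_seconds(self) -> int:
        """Delay before the next attempt; grows with every failed attempt (doubling assumed)."""
        if self.failed_attempts == 0:
            return 0
        return 5 * 2 ** (self.failed_attempts - 1)
```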
17 Recovery with Challenge/Response
For recovery, Sophos SafeGuard offers a Challenge/Response procedure that allows information
to be exchanged confidentially.
Note:
We recommend using Local Self Help to recover a forgotten password. Local Self Help allows you
to have the current password displayed and to continue using it. This avoids the need to reset the
password or to involve the helpdesk.
During the Challenge/Response procedure, you generate a challenge code (an ASCII character
string), and provide this code to a helpdesk staff member. Based on the challenge code provided,
the helpdesk officer generates a response code that authorizes you to perform a specific action on
your computer.
Recovery with Local Self Help is available for the following logon methods in the SafeGuard
Power-on Authentication:
■ Logon with user ID and password
■ Logon with fingerprint
17.1 Prerequisites
A prerequisite for logon recovery with Challenge/Response is that the helpdesk can access the key
recovery file. These files have to be provided to the helpdesk by shared path, e-mail, or different
media.
If you have forgotten your password, another account has to be available on the computer to reset
the password. Alternatively, you can use a password reset disk.
The Challenge/Response procedure lets you log on at the SafeGuard Power-on Authentication.
You are also allowed to log on to Windows, even if the Windows password needs to be reset.
17.2 You have entered the password incorrectly too often
If you have entered your password incorrectly too often and your computer is locked at SafeGuard
POA level, the Challenge/Response procedure enables your computer to boot through the SafeGuard
Power-on Authentication. Then the Windows logon dialog is displayed. You can enter your
Windows password in this dialog and you will be logged on.
The counter of the maximum number of password entry attempts allowed is reset.
17.3 You have forgotten your password
When recovering the password with Challenge/Response, a password reset is required.
Note: Local Self Help allows you to have the current password displayed and to continue using
it. This avoids the need to reset the password or to involve the helpdesk. For further information,
see Recovery with Local Self Help (section 16).
1. Start a Challenge/Response procedure and follow the instructions of the helpdesk. Your
computer will be enabled to boot through the SafeGuard Power-on Authentication.
2. In the Windows logon dialog, you do not know the correct password. You need to change
password at Windows level. This requires further recovery actions outside the scope of Sophos
SafeGuard using standard Windows means.
There are two possible methods to reset the password at the Windows level.
■ By using a service or administrator account available on your computer with the required
Windows rights.
■ By using a Windows password reset disk.
The helpdesk officer tells you which procedure should be used, and either provides the additional
Windows credentials or the required disk.
3. Enter the new password the helpdesk has provided at Windows level and immediately change
it again to a value that is only known to you.
4. A new user certificate for use in Sophos SafeGuard will be created automatically based on the
newly chosen Windows password. This enables you to log on to the computer again and to log
on at the SafeGuard Power-on Authentication with the new password.
5. Log on at the SafeGuard POA with the new password.
Keys for SafeGuard Data Exchange: If you have forgotten the Windows password and it has been
reset, you will not be able to use the keys already created for SafeGuard Data Exchange without
the corresponding passphrases. To continue using the already-generated user keys for SafeGuard
Data Exchange, you have to remember the SafeGuard Data Exchange passphrases needed to
reactivate these keys.
17.4 You cannot access your computer any more
If you cannot access your computer any more, the SafeGuard Power-on Authentication might be
corrupted. Even in this critical situation Sophos SafeGuard offers a Challenge/Response procedure
with helpdesk assistance enabling you to regain access to your encrypted drives. Challenge/Response
in this case is carried out through a WinPE environment. When encountering such a critical
situation, we recommend that you contact your Sophos SafeGuard helpdesk. The helpdesk officer
will provide you with the necessary files and guide you through the necessary steps to regain access
to your computer.
17.5 The Challenge/Response procedure
The Challenge/Response procedure must be initiated:
■ if you have entered the password incorrectly too often.
■ if you have forgotten your password.
■ to repair a corrupted local cache.
Note: By default, logon recovery is deactivated when the local cache is corrupted. This means that
it will be restored automatically from its backup. In this case, no Challenge/Response procedure
is required to repair the local cache. However, logon recovery can be activated by policy, if the
local cache is to be repaired explicitly with a Challenge/Response procedure. In this case, you are
prompted automatically to initiate a Challenge/Response procedure, if the local cache is corrupted.
Note: When you generate the challenge, a time period of 30 minutes is available within which to
enter the response generated by the helpdesk. After 30 minutes, the response code will no longer
be valid and can no longer be used.
1. In the SafeGuard POA logon dialog, click Recovery.
■ If only Challenge/Response is activated for logon recovery, the Challenge/Response procedure
is started.
■ If Challenge/Response and Local Self Help are available for logon recovery, a dialog with
both recovery methods is displayed. Click the Challenge/Response button to start the
Challenge/Response procedure.
A dialog is displayed, indicating the name of the file required for the Challenge/Response
procedure.
2. Call your helpdesk. Tell the helpdesk officer the name of the file.
3. Click Next.
Your user data and a random challenge code are displayed. To enhance readability, the code
is subdivided into blocks of five characters each. Tell the helpdesk officer the challenge code.
(If you need help stating the challenge code, you can click the Spelling Aid button).
4. Click Next.
The Challenge/Response - Step 3 out of 3 dialog is displayed.
The helpdesk officer provides you with the response code by phone or SMS.
5. Enter the response code in the input fields of the Challenge/Response - Step 3 out of 3 dialog.
If you have entered the response code incorrectly, the character block containing the error is
marked in red.
6. Click OK.
You are logged on at the SafeGuard Power-on Authentication.
17.6 Challenge/Response for BitLocker users
Note: Prerequisites for using the feature described below are:
■ A PC with UEFI, version 2.3.1 and higher and additional platform requirements (see the release notes).
■ Operating system: Windows 8
General hints on using mouse and/or keyboard
■ You can select controls by using the mouse and/or the keyboard. To jump from one control to the next with the keyboard press the Tab key. To get back into the previous control use Shift+Tab.
■ Confirm selections by pressing the Enter key.
Challenge/response procedure
If you need to get a BitLocker recovery key, proceed as follows:
1. Reboot the PC. After rebooting, a yellow message appears. Press any key within the next three
seconds.
2. The Sophos Challenge/Response screen appears.
3. In Step 2 information required to call the helpdesk is provided to you.
4. Provide the following information to the helpdesk:
■ Computer, for example Sophos\<Computer name>
■ Challenge code, for example ABC12-3DEF4-56GHO-892UT-Z654K-LM321. Hover with the mouse over the characters to display a spelling aid. Or press F1 several times to display this help box. The code expires after 30 minutes, leading to an automatic shutdown of the PC.
5. Then enter the response code from the helpdesk (six blocks with two text fields each and five characters required per field).
■ If a text field is completely filled with characters, the focus is automatically switched to the next text field.
■ If you accidentally enter a wrong character in a block, the corresponding block will be highlighted in red. Use the Delete or the Backspace key to correct entries.
6. After you have successfully entered the response code, click Continue or press Enter to complete
the challenge/response action.
Note: If you want to shut down or restart the system, click with the mouse on the shut down button or press the Tab key until the shut down button is highlighted.
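The procedures in 17.5 and 17.6 share one shape: the endpoint shows a random challenge code in blocks of five characters, the user reads it to the helpdesk (with a spelling aid), the helpdesk returns a response code that is only valid for 30 minutes, and a mistyped block is marked in red. The following Python model is added here as an illustration of that shape; it is not Sophos SafeGuard's code and the real SafeGuard algorithm is not described on this page. Everything in it is an assumption made for the example: the 32-symbol alphabet with no easily confused characters, the trailing check symbol in every five-character block, the HMAC-based derivation of the response from a per-machine recovery secret, and the names Endpoint, helpdesk_response, parse_code and spell.

```python
"""Illustrative model of a helpdesk Challenge/Response flow for disk-encryption
recovery. Constructed for this page; it is not Sophos SafeGuard's algorithm."""
import hashlib
import hmac
import secrets
import time

# Assumed symbol set: 32 symbols, no I/O/0/1, so codes can be read over the phone.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PAYLOAD_PER_BLOCK = 4                     # 4 payload symbols + 1 check symbol = block of five
BLOCKS = 6                                # six blocks, as in the dialogs described above
PAYLOAD_LEN = PAYLOAD_PER_BLOCK * BLOCKS  # 24 symbols = 120 bits
RESPONSE_TTL = 30 * 60                    # the page: the response is valid for 30 minutes

# Spelling aid (NATO alphabet plus digit words), one word per symbol of ALPHABET.
SPELLING = dict(zip(ALPHABET, (
    "Alfa Bravo Charlie Delta Echo Foxtrot Golf Hotel Juliett Kilo Lima Mike "
    "November Papa Quebec Romeo Sierra Tango Uniform Victor Whiskey Xray Yankee Zulu "
    "Two Three Four Five Six Seven Eight Nine").split()))

_WEIGHTS = (1, 3, 5, 7)  # odd weights: any single wrong symbol changes the check symbol


def _check_symbol(payload: str) -> str:
    total = sum(w * ALPHABET.index(c) for w, c in zip(_WEIGHTS, payload))
    return ALPHABET[total % len(ALPHABET)]


def format_code(payload: str) -> str:
    """Split 24 payload symbols into six blocks of five, each ending in a check symbol."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload must be %d symbols" % PAYLOAD_LEN)
    blocks = [payload[i:i + PAYLOAD_PER_BLOCK] for i in range(0, PAYLOAD_LEN, PAYLOAD_PER_BLOCK)]
    return "-".join(b + _check_symbol(b) for b in blocks)


def parse_code(code: str):
    """Return (payload, bad_blocks). bad_blocks are the indices a dialog would mark in red.
    The check is purely local: a typo is flagged without any knowledge of the secret."""
    raw = "".join(ch for ch in code.upper() if ch.isalnum())
    if len(raw) != BLOCKS * (PAYLOAD_PER_BLOCK + 1):
        return "", list(range(BLOCKS))
    payload, bad = "", []
    for i in range(BLOCKS):
        block = raw[i * 5:(i + 1) * 5]
        body, check = block[:PAYLOAD_PER_BLOCK], block[PAYLOAD_PER_BLOCK]
        if any(c not in ALPHABET for c in block) or _check_symbol(body) != check:
            bad.append(i)
        payload += body
    return payload, bad


def spell(code: str) -> str:
    """Spelling aid: 'ABC23' -> 'Alfa Bravo Charlie Two Three', block by block."""
    return " / ".join(" ".join(SPELLING.get(c, "?") for c in block) for block in code.split("-"))


def _symbols_from_bytes(data: bytes, count: int) -> str:
    n = int.from_bytes(data, "big")
    out = []
    for _ in range(count):
        out.append(ALPHABET[n % 32])
        n //= 32
    return "".join(out)


def helpdesk_response(recovery_secret: bytes, machine_name: str, challenge: str) -> str:
    """Helpdesk side: derive the response from the machine's recovery secret and the challenge.
    Assumption: HMAC-SHA256 over machine name and challenge payload, truncated to 120 bits."""
    payload, bad = parse_code(challenge)
    if bad:  # a mis-read challenge yields no response at all
        raise ValueError("challenge mis-read in block(s) %s" % bad)
    mac = hmac.new(recovery_secret, ("%s|%s" % (machine_name, payload)).encode(), hashlib.sha256).digest()
    return format_code(_symbols_from_bytes(mac[:15], PAYLOAD_LEN))


class Endpoint:
    """Endpoint side: issues a challenge at the POA and later verifies the spoken response."""

    def __init__(self, machine_name: str, recovery_secret: bytes):
        self.machine_name = machine_name
        self._secret = recovery_secret
        self._challenge = None
        self._issued = None

    def generate_challenge(self, now=None) -> str:
        self._challenge = format_code("".join(secrets.choice(ALPHABET) for _ in range(PAYLOAD_LEN)))
        self._issued = time.time() if now is None else now
        return self._challenge

    def verify_response(self, response: str, now=None):
        """Return (accepted, reason, bad_blocks)."""
        now = time.time() if now is None else now
        if self._challenge is None:
            return False, "no challenge outstanding", []
        if now - self._issued > RESPONSE_TTL:
            self._challenge = None
            return False, "challenge expired", []
        payload, bad = parse_code(response)
        if bad:
            return False, "code mis-typed", bad  # local typo detection only
        expected, _ = parse_code(helpdesk_response(self._secret, self.machine_name, self._challenge))
        # Whole-code constant-time comparison: never reveal which block of a well-formed code differs.
        if not hmac.compare_digest(payload.encode(), expected.encode()):
            return False, "response rejected", []
        self._challenge = None  # one-time use: a response cannot be replayed
        return True, "access granted", []


if __name__ == "__main__":
    secret = b"constructed-recovery-secret"  # constructed sample, held by the helpdesk
    ep = Endpoint("SOPHOS\\LAPTOP-01", secret)
    ch = ep.generate_challenge()
    print("challenge:", ch, "\n  spelled:", spell(ch))
    resp = helpdesk_response(secret, "SOPHOS\\LAPTOP-01", ch)
    print("response: ", resp, "\n  result:", ep.verify_response(resp))
```

Two design points carry over to any implementation of this shape. The red "wrong block" marking must come from a local check symbol, so that a well-formed but wrong response is rejected as a whole; comparing block by block against the expected value would let the entry dialog confirm the response five characters at a time. And the challenge is discarded after one successful response or after the 30-minute window, so a response obtained once cannot be reused later.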
17.7 BitLocker recovery key
As a BitLocker user on a system that does not support SafeGuard Challenge Response, you can
request a BitLocker recovery key from your helpdesk.
General hints on using mouse and/or keyboard
■ You can select controls by using the mouse and/or the keyboard. To jump from one control to the next with the keyboard press the Tab key. To get back into the previous control use Shift+Tab.
■ Confirm selections by pressing the Enter key.
Requesting the recovery key
If you need to get a BitLocker recovery key from your helpdesk, proceed as follows:
1. Reboot the PC. After rebooting, a yellow message appears. Press any key within the next three
seconds.
2. The screen for entering a Windows BitLocker Drive Encryption key appears.
3. In Step 2 information required to call the helpdesk is provided to you.
For example: <Computer name> C: 9/25/2013
4. Provide the Computer name to the helpdesk.
5. Then enter the BitLocker recovery key from the helpdesk (eight blocks with six characters
required per field).
6. After you have successfully entered the recovery key, click Continue or press Enter to complete the recovery action.
Note: If you want to shut down or restart the system, click with the mouse on the shut down button or press the Tab key until the shut down button is highlighted.
18 Sophos SafeGuard and Lenovo Rescue and Recovery
Note: Lenovo Rescue and Recovery is only available for Windows 7 endpoints.
You can restore complete operating system backups on an encrypted partition without decrypting
the hard disk first. This saves time when performing disaster recovery. Sophos SafeGuard has been
officially certified by Lenovo for this functionality.
The main function of Lenovo Rescue and Recovery is to restore data at the press of a key. Even if
the primary operating system is damaged and no longer starts, Rescue and Recovery saves data
through an emergency environment (WinPE). You can access the rescue tools from the Microsoft
Windows Desktop or by pressing the blue "ThinkVantage" key integrated in Lenovo systems.
Lenovo Rescue and Recovery is most useful for mobile users who do not have administrative
support. For example, on a business trip, they can use it to restore their computers.
For information on the Lenovo Rescue and Recovery (RnR) versions supported by Sophos
SafeGuard, see http://www.sophos.com/support/knowledgebase/article/108383.html
18.1 Overview
Sophos SafeGuard is integrated with Rescue and Recovery functionality and supports Lenovo
features such as the "ThinkVantage" blue button on the keyboard of Lenovo notebooks, or the
blue "Enter" button on Lenovo PC keyboards.
This integrated functionality lets you pair this efficient backup and recovery method with Sophos
SafeGuard encrypted operating system partitions. Backups from encrypted Sophos SafeGuard
systems can be stored on any disk drive used by RnR. Therefore, in an emergency, a system can
be restored by loading the backup from a virtual or service partition or from a removable device
such as a CD/DVD or a USB hard disk.
Sophos SafeGuard is unaffected by a system restore and all the encryption settings are still in place,
so there is no need to reinstall any software. You do not have to restart encryption.
In a Sophos SafeGuard environment Rescue and Recovery is based on WinPE recovery. WinPE can be started from:
■ a virtual or service partition.
■ a removable device such as a CD/DVD or a USB hard disk.
18.2 Requirements
■ Latest BIOS for the PC/notebook.
■ For information on compatibility of Rescue and Recovery versions with Sophos SafeGuard versions, see: http://www.sophos.com/support/knowledgebase/article/108383.html.
■ Lenovo Rescue and Recovery can be used to recover Sophos SafeGuard encrypted volumes. The SGNClient.msi installation package must be installed.
■ For Rescue and Recovery, volumes must be encrypted with the defined machine key. For volumes encrypted with any other keys, Rescue and Recovery is not supported.
18.3 Installation
When Rescue and Recovery software is installed on a hard disk without a service partition, the
following applies:
The Rescue and Recovery environment is installed on a virtual partition on the computer's hard
disk "C:" partition (primary partition of the master hard disk).
In the sections that follow, note the sequence in which Rescue and Recovery and Sophos SafeGuard
are installed. We recommend that you install Lenovo Rescue and Recovery first, and Sophos
SafeGuard afterwards.
18.3.1 Install both Rescue and Recovery and Sophos SafeGuard
The following installation sequence is recommended:
1. Install the latest version of Rescue and Recovery.
2. Install the latest version of the Sophos SafeGuard Device Encryption module
(SGNClient.msi).
Sophos SafeGuard checks if Rescue and Recovery is installed, and adds its own files and
configurations to the Lenovo recovery environment.
3. Check that the SafeGuard Power-on Authentication is activated, so no unauthorized backups
can be restored.
You activate the SafeGuard Power-on Authentication when installing Sophos SafeGuard.
18.3.2 Rescue and Recovery is already installed
RnR WinPE is located on the first hard disk on a service or virtual partition.
In this case all necessary drivers and files are copied to the corresponding locations of RnR WinPE,
and the necessary registry entries are added to the registry files of WinPE.
Install the latest version of the Sophos SafeGuard Device Encryption module (SGNClient.msi).
Sophos SafeGuard checks if Rescue and Recovery is installed and adds its own files and
configurations to the Lenovo recovery environment (WinPE).
18.4 Upgrade
Upgrade implies that Sophos SafeGuard and Rescue and Recovery are installed, and you want to
upgrade one or both to a newer version.
Upgrade Sophos SafeGuard
If you upgrade Sophos SafeGuard, this updates the entire system, so you will not need to set any
further configurations.
18.5 Uninstallation
When uninstalling the software products:
■ We recommend that you uninstall Sophos SafeGuard first, and then Rescue and Recovery. If Sophos SafeGuard is uninstalled while Rescue and Recovery is still installed, all Sophos SafeGuard specific modifications, such as added drives, files, and registry entries, are removed from RnR WinPE.
■ Do not uninstall Sophos SafeGuard immediately after the system has been restored. After a system restore, start the computer once and then uninstall Sophos SafeGuard.
■ If Rescue and Recovery is removed while Sophos SafeGuard is still installed, then RnR modifications of the MBR boot sector are removed, and the original MBR boot sector is restored.
18.6 Boot environment and recovery options
Sophos SafeGuard allows you to boot into the Rescue and Recovery environment after successfully
having logged on at the SafeGuard Power-on Authentication (POA).
From the local hard disk
■ The virtual partition on the local hard disk or the local service partition.
■ The volumes must have been encrypted in Sophos SafeGuard with the defined machine key. All necessary drivers must have been added to RnR WinPE. Then the defined machine key is available in the RnR WinPE environment and the volumes can be accessed again.
Note: Sophos SafeGuard does not allow you to boot into the Rescue and Recovery environment when booting directly from BIOS.
From a bootable CD/DVD or any bootable removable media
■ In this case no authentication at the SafeGuard POA is performed, and there are no keys available, so encrypted volumes cannot be accessed. If Rescue and Recovery is started directly from BIOS, the operating system will be recovered. Sophos SafeGuard will be removed during the restore process. To secure the system again, Sophos SafeGuard must be reinstalled.
18.7 Creating a backup
You create backups using Rescue and Recovery in Windows. On computers on which Rescue and
Recovery is already installed, and on which Sophos SafeGuard is installed later, a message is
displayed prompting the user to create a new backup of the system.
Before creating a backup of your system using Rescue and Recovery, please read the documentation
provided by Lenovo.
Sophos SafeGuard only provides support for saving the backups to:
■ local hard disk
■ second hard disk
■ USB hard disk
■ network
■ USB memory stick
■ CD/DVD
By default the backups are saved in the C:\RRUbackups folder. This folder is protected by
Rescue and Recovery if it is stored on a local partition on the primary hard disk drive. If so, it
cannot be deleted or removed.
18.8 Restoring file backups
Rescue and Recovery can restore files or folders from backups in which Sophos SafeGuard is
installed. Simply start Windows, and then Rescue and Recovery, and restore the selected files. You
do not have to restart your machine after the restore is completed, you can work with your files
immediately.
18.9 Restore the Sophos SafeGuard system
To restore a system backup that includes Sophos SafeGuard, boot into the Rescue and Recovery
environment. The RnR environment appears as soon as you press one of the following keys during the startup process:
■ "ThinkVantage" (Lenovo Notebooks)
■ Blue "Enter" key (Lenovo Desktop PCs)
■ F11 with other keyboards
1. If you use a Lenovo computer:
a) Start the Rescue and Recovery environment from a local hard disk by pressing the blue
"ThinkVantage" button on the Lenovo notebook keyboard, or the blue "Enter" button on
a Lenovo PC keyboard.
The SafeGuard Power-on Authentication is displayed.
b) Enter the Sophos SafeGuard credentials.
2. If you do not use a Lenovo computer:
a) Log on at the SafeGuard POA with your Sophos SafeGuard credentials.
b) While the computer continues starting up, press F11 to start the Rescue and Recovery
environment.
The user interface for Rescue and Recovery is displayed. The welcome screen is displayed.
3. Click Next.
4. On the left-hand side menu, select Restore Backup.
A dialog is displayed in which you can select the backup.
5. Select the backup and restore it.
18.10 Service and factory recovery partitions
Lenovo supplies new computers with special pre-installed partitions:
■ Lenovo service partition: contains the Rescue and Recovery boot environment.
■ Factory recovery partition: contains all information about the computer's factory settings and factory recovery functions.
These partitions are visible in Windows under separate drive letters.
Note: When these partitions are available on the computer, they will never be encrypted even if
an encryption policy is defined to, for example, encrypt all volumes.
If there are no such partitions on the computer, but you would like to create one, do so before
installing Sophos SafeGuard. For further information, refer to the Lenovo documentation.
18.11 Disabled SafeGuard POA and Lenovo Rescue and Recovery
If the SafeGuard Power-on Authentication is disabled on your computer, the Rescue and Recovery
authentication should be enabled for protection against access to encrypted files from the Rescue
and Recovery environment.
For details on activating the Rescue and Recovery authentication, refer to the Lenovo Rescue and
Recovery documentation.
19 Technical support
You can find technical support for Sophos products in any of these ways:
■ Visit the SophosTalk community at http://community.sophos.com/ and search for other users who are experiencing the same problem.
■ Visit the Sophos support knowledgebase at http://www.sophos.com/en-us/support.aspx/.
■ Download the product documentation at http://www.sophos.com/en-us/support/documentation/.
■ Send an email to [email protected], including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.
20 Legal notices
Copyright © 1996 - 2014 Sophos Group. All rights reserved. SafeGuard is a registered trademark
of Sophos Group.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you
are either a valid licensee where the documentation can be reproduced in accordance with the
license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos
Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned
are trademarks or registered trademarks of their respective owners.
You find copyright information on third party suppliers in the Disclaimer and Copyright for 3rd
Party Software document in your product directory.