Technical Brief: Compatibility with Encryption Products

Overview

The purpose of this document is to describe the integration between Persystent Suite 4.5 and disk encryption products such as McAfee Endpoint Device Encryption, GuardianEdge Hard Disk Encryption, WinMagic SecureDoc Disk Encryption, PGP Desktop Whole Disk Encryption, and Sophos Safeguard Enterprise Device Encryption.

Compatibility

Persystent Suite 4.5 has been tested and is compatible with only the following versions of third-party products:

- McAfee Endpoint Device Encryption (5.2.4)
- GuardianEdge Hard Disk Encryption (9.5.0)
- WinMagic SecureDoc Disk Encryption (4.6)
- PGP Desktop Whole Disk Encryption (10.0.0)
- Sophos Safeguard Enterprise Device Encryption (5.4)

Best Practices

While a separate server is not required when setting up Persystent Suite 4.5 with disk encryption technologies, it is recommended that you use a separate server for clients that will be using encryption technologies. Doing so ensures that all functions of Persystent Suite remain available to clients that are not using encryption technologies.

Persystent Suite must be installed before any encryption product is installed on the client. If encryption software is currently installed, it must be uninstalled prior to installing Persystent Suite.

Please note that a computer cannot be PXE booted once encryption is installed, unless you are trying to rebuild the computer. Offline mode must be used to ensure correct operation with encrypted disks.
Implementation

Enabling Encryption Compatibility: Server Install

The first thing you want to do when installing Persystent Suite 4.5 with disk encryption technologies is to select the supported product from the dropdown menu in the server installer, as seen below. After choosing the product and installing the server, the next step is only needed if you are using a separate server for your encryption clients.

Enabling Encryption Compatibility: WebUI

In addition to setting encryption compatibility during the server install, the setting can later be changed through the WebUI. To do this:

1. Launch the WebUI web console by clicking Start > All Programs > Persystent > Persystent Suite WebUI.
2. Log into the web console.
3. In the left navigation pane, under Servers, select the server that will be encryption compatible.
4. In the main navigation area, select the Manage tab.
5. Under the Server section, locate the Encryption Compatibility dropdown box. Select the encryption product that you wish to use in conjunction with Suite.
6. Click Save.
WebUI Repair Configuration

You will need to make a few changes to the WebUI configuration to support disk encryption products. If you are not using a separate server for encrypted clients, it is recommended to assign those clients to a specific group and to set the repair mode to OS Secure if you want to enable repair policies on those computers. If you assign System Secure or System Secure Profile Safe repair, you will need to define filters for the encrypted systems so that they are properly protected on a System Secure repair.

CAUTION: Failure to define these filters and repairing the system with System Secure or System Secure Profile Safe will render the client systems inoperable on any repair event. The only way to recover the data is to use the encryption manufacturer's recovery methods.

Including and Filtering Encryption Keys

Persystent recommends that you include the encryption keys in your Repair Points, and then filter them out so that they are not repaired. The following are the basic steps to include and filter files.

Repair Point Includes Configuration

1. Launch the WebUI web console by clicking Start > All Programs > Persystent > Persystent Suite WebUI.
2. Log into the web console.
3. In the left navigation, select Filters.
4. Under File Filters, select the Include Files-Folders filter.
5. In the File Path field, enter the path to the file or folder to be included in the Repair Point.
6. Click Add.
7. Repeat steps 5-6 as necessary for additional files or folders.
Repair Point Filter Configuration

1. Launch the WebUI web console by clicking Start > All Programs > Persystent > Persystent Suite WebUI.
2. Log into the web console.
3. In the left navigation, select Filters.
4. Under File Filters, select the Exclude from Repair filter.
5. In the File Path field, enter the path to the file or folder to be excluded from repair.
6. Click Add.
7. Repeat steps 5-6 as necessary for additional files or folders.

TIP: When typing paths, it is not necessary to type c:\ and the paths are not case sensitive. All backward slashes will be converted to forward slashes.

Encryption Keys

The following are encryption keys that should be included in a Repair Point and then filtered so that they are not repaired.

McAfee Endpoint Device Encryption Configuration

The following files should be backed up and excluded from repair:

- Safeboot.fs
- Safeboot.rsv

The default location of these files is the root of the C drive. If the files are not located on the root of the C drive, consult the McAfee Endpoint Device Encryption setup for more information on the location of these files.

GuardianEdge Hard Disk Encryption Configuration

The following files should be backed up and excluded from repair:

- EP0.vol, EP1.vol, EP2.vol, EP3.vol, EP4.vol, EP5.vol

The default location of these files is the root of the C drive. If the files are not located on the root of the C drive, consult the GuardianEdge documentation for more information on the location of these files.
WinMagic SecureDoc Configuration

The following file should be backed up and excluded from repair:

- C:\MyKey.dkb (MyKey represents the name of the key that was entered during installation)

The default location of this file is the root of the C drive. If the file is not located on the root of the C drive, consult the WinMagic documentation for more information on the location of this file.

PGP Desktop Whole Disk Encryption Configuration

The following files should be backed up and excluded from repair:

- C:\PGPWDExx (xx represents a two-digit number)
- C:\Users\<User>\Documents\PGP (Windows Vista and 7)
- C:\Documents and Settings\<User>\My Documents\PGP (Windows XP)
  - pubring.pkr
  - pubring-bak.pkr
  - secring.skr
  - secring-bak.skr

The above locations are the default locations for the key files. If the files are not located there, consult the PGP Desktop documentation for more information on the location of these files.

Sophos Safeguard Enterprise Device Encryption Configuration

No extra filters are needed to support Sophos Safeguard Enterprise Device Encryption with Persystent Suite 4.5.

Client Configuration and Installation

Persystent Suite 4.5 supports full disk encryption from the supported vendors listed above, and only if the clients already exist in Persystent Suite and are in offline mode before the encryption software is installed.
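The include and exclude filters from the Encryption Keys section can be sanity-checked before any repair policy is enabled on an encrypted group. The following is an added example and not part of Persystent Suite or of any vendor's code: it applies the path rules stated in the TIP above (drive letter optional, paths not case-sensitive, backslashes converted to forward slashes) and reports every key file named in this brief that is missing from the Repair Point includes or from the Exclude-from-Repair list. How the product actually compares filter entries, and that a folder entry covers the files beneath it, are assumptions; the user name alice, the file PGPWDE01 (one instance of PGPWDExx) and the sample filter lists are constructed.

```python
import re

# Filter-path rules taken from this brief's TIP: the drive letter is optional,
# paths are not case-sensitive, and backslashes are converted to forward slashes.
def normalize(path):
    p = path.strip().replace("\\", "/")
    p = re.sub(r"^[A-Za-z]:/?", "", p)   # drop an optional "C:" or "C:/" prefix
    return p.strip("/").lower()

def covered_by(path, filter_entries):
    """True when the normalised path equals a filter entry or sits beneath a
    folder entry. (Assumption: a folder entry covers everything under it.)"""
    target = normalize(path)
    for entry in filter_entries:
        e = normalize(entry)
        if e and (target == e or target.startswith(e + "/")):
            return True
    return False

# Key files named in this brief. "alice" stands in for <User> and PGPWDE01 for
# one instance of PGPWDExx; both are constructed placeholders.
KEY_FILES = {
    "McAfee Endpoint Device Encryption": ["C:\\Safeboot.fs", "C:\\Safeboot.rsv"],
    "GuardianEdge Hard Disk Encryption": ["C:\\EP%d.vol" % i for i in range(6)],
    "WinMagic SecureDoc": ["C:\\MyKey.dkb"],
    "PGP Desktop Whole Disk Encryption": [
        "C:\\PGPWDE01",
        "C:\\Users\\alice\\Documents\\PGP\\pubring.pkr",
        "C:\\Users\\alice\\Documents\\PGP\\pubring-bak.pkr",
        "C:\\Users\\alice\\Documents\\PGP\\secring.skr",
        "C:\\Users\\alice\\Documents\\PGP\\secring-bak.skr",
    ],
    "Sophos Safeguard Enterprise Device Encryption": [],  # no extra filters needed
}

def audit_filters(includes, excludes, key_files=KEY_FILES):
    """Report every key file that is missing from the Repair Point includes or
    from the Exclude-from-Repair list. An empty result means each key file is
    both captured in the Repair Point and protected from being repaired."""
    problems = {}
    for product, files in key_files.items():
        not_included = [f for f in files if not covered_by(f, includes)]
        not_excluded = [f for f in files if not covered_by(f, excludes)]
        if not_included or not_excluded:
            problems[product] = {"not_included": not_included,
                                 "not_excluded": not_excluded}
    return problems

# Constructed sample filter lists, typed the way the TIP allows (no drive letter,
# mixed case). The exclude list deliberately omits Safeboot.rsv to show a gap.
SAMPLE_INCLUDES = ["safeboot.fs", "Safeboot.rsv", "EP0.vol", "EP1.vol", "EP2.vol",
                   "EP3.vol", "EP4.vol", "EP5.vol", "MyKey.dkb", "PGPWDE01",
                   "Users\\Alice\\Documents\\PGP"]
SAMPLE_EXCLUDES = [e for e in SAMPLE_INCLUDES if e != "Safeboot.rsv"]

if __name__ == "__main__":
    for product, gaps in audit_filters(SAMPLE_INCLUDES, SAMPLE_EXCLUDES).items():
        print(product)
        for f in gaps["not_included"]:
            print("  not in Repair Point includes:", f)
        for f in gaps["not_excluded"]:
            print("  NOT EXCLUDED FROM REPAIR (would be overwritten):", f)
```

A file that appears in the includes but not in the excludes is the case the CAUTION above warns about: the key file is backed up, but a System Secure repair would still overwrite it. Running the audit against the exported filter lists for the encrypted group before enabling repair policies catches that mismatch ahead of the first repair event.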
Preparing Encryption Clients

This part of the guide explains the process of inheriting the client that is going to be running full disk encryption into Persystent Suite, and then proceeding with the encryption software install. The first step is to launch the Offline Inherit MSI Builder:

1. Launch the Client MSI Generator by clicking Start > All Programs > Persystent > Client MSI Generator.
2. Choose Create Offline Inherit MSI from the list. Click Next.

Once the MSI builder is launched, select the server the client will join and the group that the computer will belong to. You are also given the option to run any Client Build Tasks that you have defined, such as creating a repair point or joining a domain.

Inheriting Clients

After you have built the MSI, install it on your target systems using your preferred installation method (the MSI supports silent installs and most basic msiexec switches, so you can use group policy if you choose), and reboot. As soon as the computer is done rebooting, check the Persystent WebUI to verify that it is joined to the correct server and group and that the client is in Offline Mode. To verify the client is in offline mode, click the computer name in the WebUI and check the Pre-Boot tab. If Offline Mode says Yes, you are ready to proceed with installing your full disk encryption software and encrypting the hard drive of the client computer.

Deploying Base Image and Configuring Encryption

Deploy the base image to the clients using either the Client Build Screen or a Scheduled Task. Make sure that a repair point is created and Offline Mode is set after installing the base image. As soon as the client is finished building, check the Persystent WebUI to verify that the client is in offline mode. To verify the client is in offline mode, click the computer name in the WebUI and check the Pre-Boot tab. If Offline Mode says Yes, you are ready to proceed with installing your full disk encryption software and encrypting the hard drive of the client computer.
Utopic Software
1215 East 6th Ave.
Tampa, FL 33605
Phone: (813) 444-2231
Fax: (813) 421-6523
Email: Sales@UtopicSoftware.com
Web Site: www.utopicsoftware.com

Copyright 2011 Utopic Software, LLC. All rights reserved. Printed in the United States of America.

Information in this document is subject to change without notice. Utopic Software makes no warranties, express, implied, or statutory, as to the information in this document. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, without written permission of Utopic Software, LLC, 1215 East 6th Ave., Tampa, FL 33605, except as specified in the Product Warranty and License Terms.

Utopic Software, LLC logos are registered trademarks; Persystent Suite is a trademark of Utopic Software, LLC. Microsoft, Windows Server 2008, Windows Server 2003, Windows XP, Windows Vista, Windows 7, Active Directory, SQL Server, SQL Express, and .NET are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other registered trademarks and service marks mentioned are the property of their respective owners.