SafeGuard Enterprise
Device Encryption (DE) Installation
V1.00 11/11/2010
Information Systems Services
1. SafeGuard Configuration for Endpoint Computers
In order to fully encrypt the hard drive on a client (endpoint) computer the SafeGuard Enterprise application must be installed. The procedure is straightforward, but there are some prerequisites, and it can take several hours from start (application install) to finish (fully encrypted drive).
The endpoint client is managed via the SafeGuard Management Centre. The client receives its policies from the SafeGuard Enterprise Server via the Internet. The connection may temporarily be disabled, for example during a business trip, but even so the endpoint computer is still managed by the SafeGuard Management Centre.
2. Restrictions
AHCI
If using Intel Advanced Host Controller Interface (AHCI) on the computer, the boot hard disk must be in Slot 0 or Slot 1. You can insert up to 32 hard disks. SafeGuard Enterprise only runs on the first two slot numbers.
Dynamic and GPT disks
Dynamic and GUID partition table (GPT) disks are not supported. In such cases, the installation will be terminated. If such disks are found on the computer at a later point in time, they will not be supported.
SCSI hard disks
The SafeGuard Enterprise Device Encryption Client does not support systems that are equipped with hard disks attached via a SCSI bus.
Restrictions for initial encryption of SafeGuard Enterprise Client (managed)
Initial configuration of SafeGuard Enterprise Clients (managed) may involve the creation of encryption policies that may be distributed inside a configuration package to the SafeGuard Enterprise Clients.
However, when the SafeGuard Enterprise Client is not connected to a SafeGuard Enterprise Server immediately after the configuration package is installed, but is temporarily offline, only encryption policies with the following specific settings will become immediately active on the Enterprise Client:
• Device protection of type volume based using the Defined Machine Key as encryption key
For all other policies involving encryption with user-defined keys to become active on the Enterprise Client, the respective configuration package has to be reassigned to the Enterprise Client’s OU as well.
The user-defined keys will then only be created after the Enterprise Client is connected to SafeGuard Enterprise Server again.
The reason is that the Defined Machine Key is directly created on the SafeGuard Enterprise Client at the first restart after installation, whereas the user-defined keys can only be created on the SafeGuard Enterprise Client after it has been registered at the SafeGuard Enterprise Server.
Upgrading the Operating System
Once SafeGuard Enterprise is installed, it is only possible to update the Service Pack version of the operating system. You may, for example, install a Windows XP Service Pack update. However, you cannot migrate from one operating system series to a different one: for instance, you cannot migrate from Windows XP to Windows Vista with SafeGuard Enterprise installed.
3. Installation Packages for SafeGuard Enterprise Clients (managed)
The following table shows the available installation packages for the Enterprise Client and states how the configuration package needs to be created:
Package: SGxClientPreinstall.msi
Description: Must be installed on the endpoint computers prior to the encryption software (mandatory). Provides endpoint computers with the necessary requirements for successful installation of the encryption software.

Package: SGNClient.msi / SGNClient_x64.msi
Description: For native SafeGuard Enterprise Clients.
• SafeGuard Enterprise Device Encryption (DE): volume based encryption with Power-on Authentication.
• SafeGuard Data Exchange: easy data exchange with removable media on all platforms without re-encryption; file based encryption.

Package: SGNClient_withoutDE.msi
Description: SafeGuard Data Exchange: easy data exchange with removable media on all platforms without re-encryption; file based encryption without Power-on Authentication.

Package: SGNClientRuntime.msi / SGNClientRuntime_x64.msi
Description: Runtime Client enabling booting from a secondary boot volume when multiple operating systems are installed, and accessing these volumes when they are encrypted by a SafeGuard Enterprise installation on the primary volume. Available for both SafeGuard Enterprise Clients and SafeGuard Standalone Clients.

Package: Enterprise Client Configuration Package
Description: Created in the SafeGuard Management Center Configuration Package Tool.
4. Setting up endpoint computers locally
This chapter describes how to set up the encryption software locally at the endpoint computer. This process will install SafeGuard Enterprise in combination with SafeGuard Enterprise encryption.
Note: If you wish to install SafeGuard Enterprise volume based encryption, you should make sure that no volumes have already been encrypted with BitLocker. Otherwise the system may be harmed.
5. Prerequisites
The process of encrypting the entire hard drive places it under significant stress. To help to ensure the process completes without any errors and with minimal risk please ensure:
• There is a good, full and up to date backup of the data on the device to be encrypted
• Run a ‘Check Disk’ on the drive to ensure it’s healthy
• Defragment the drive before installing SafeGuard Enterprise (NOTE: Do not defragment the drive if it is a SSD (Solid State Disk). SSDs should never be defragmented.)
• If the machine is dual boot, or is currently running BitLocker, STOP and refer to the SafeGuard Enterprise documentation. The process is more complicated than is covered by this simplified documentation.
• SafeGuard Enterprise offers POWER ON AUTHENTICATION (POA), i.e. it is the boot process that is locked down, and it is the POA login screen that controls access to the encrypted data. Users should be reminded not to suspend or lock computers with SafeGuard Enterprise installed. Access to a suspended or locked computer is only controlled by Windows authentication (the decryption process is already running in the background at this point), and local administrators can gain access to encrypted data with a Windows username and password, effectively bypassing the POA security.
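The restrictions in section 2 (SCSI-attached disks, boot disk slot, GPT and dynamic disks), the BitLocker note in section 4 and the Check Disk prerequisite in section 5 can be verified before touching the installer. The following PowerShell pre-flight check is an added example, not part of the SafeGuard documentation or product; it uses only WMI classes present on Windows XP/Vista/7 (Get-WmiObject, PowerShell 2.0), and the partition-type strings it matches and the SSD/defragmentation decision (left manual) are assumptions.

```powershell
# Added example: pre-install checks for the SafeGuard DE restrictions. Not Sophos code.
# Returns a list of problems; an empty list means the documented preconditions look satisfied.
function Test-SafeGuardPreflight {
    $problems = @()

    # Section 2: disks attached via a SCSI bus are unsupported; the boot disk must be slot 0 or 1.
    foreach ($d in (Get-WmiObject Win32_DiskDrive)) {
        if ($d.InterfaceType -eq 'SCSI') {
            $problems += "Disk $($d.Index) ($($d.Model)) is attached via SCSI: not supported."
        }
    }
    $bootParts = Get-WmiObject Win32_DiskPartition | Where-Object { $_.BootPartition }
    foreach ($p in $bootParts) {
        if ($p.DiskIndex -gt 1) {
            $problems += "Boot partition is on disk $($p.DiskIndex); it must be in slot 0 or 1."
        }
    }

    # Section 2: GPT and dynamic (Logical Disk Manager) partitions terminate the install.
    # The Type strings are the ones WMI reports on these OS versions (assumption).
    foreach ($p in (Get-WmiObject Win32_DiskPartition)) {
        if ($p.Type -like 'GPT*') {
            $problems += "$($p.DeviceID) is a GPT partition: not supported."
        } elseif ($p.Type -like '*Logical Disk Manager*') {
            $problems += "$($p.DeviceID) belongs to a dynamic disk: not supported."
        }
    }

    # Section 4 note: a volume already protected by BitLocker must not be encrypted again.
    # Win32_EncryptableVolume exists only on Vista and later, so errors are ignored on XP.
    $bl = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
          -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($v in $bl) {
        if ($v.ProtectionStatus -eq 1) {   # 1 = protection on
            $problems += "$($v.DriveLetter) is BitLocker-protected: stop and consult the full documentation."
        }
    }

    # Section 5: a volume with the dirty bit set needs Check Disk before the drive is stressed.
    foreach ($v in (Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter })) {
        if ($v.DirtyBitSet) {
            $problems += "$($v.DriveLetter) has the dirty bit set: run chkdsk before installing."
        }
    }
    return $problems
}

$issues = Test-SafeGuardPreflight
if ($issues.Count -eq 0) { Write-Host 'Pre-flight passed: take a backup, then proceed with SGxClientPreinstall.msi.' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Whether the drive is an SSD (and so must not be defragmented) is not reliably exposed by WMI on these OS versions, so that decision stays with the technician.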
6. Carrying out installation
Step 1
Start the preparatory installation package SGxClientPreinstall.msi. The process is very straightforward:
Step 2
Start the Client installation package from the product CD.
Accept the default on the next dialogs.
Select ‘Typical’ install type
Confirm that the installation has completed successfully.
Step 3
Install the configuration package on the endpoint computer.
Click Next
The SafeGuard Enterprise client software has now been completely installed.
Reboot the machine
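Steps 1 to 3 can also be scripted for unattended deployment. This PowerShell sequence is an added example and not an installer script from Sophos or the documentation: it enforces the documented order (pre-install package first, then the client package, then the configuration package) and reboots once at the end. The package share path and the configuration package file name are assumptions; only SGxClientPreinstall.msi, SGNClient.msi and SGNClient_x64.msi are names from the documentation.

```powershell
# Added example: unattended install of the three packages from section 6, in order. Not Sophos code.
param(
    [string]$PackageDir    = '\\deployserver\SafeGuard',     # assumed deployment share
    [string]$ConfigPackage = 'EnterpriseClientConfig.msi'    # assumed name of the package built in the Management Center
)

# Pick the client package matching the OS architecture (SGNClient_x64.msi for 64-bit Windows).
$client = if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { 'SGNClient_x64.msi' } else { 'SGNClient.msi' }
# SGxClientPreinstall.msi is mandatory and must go first; the configuration package last.
$order  = @('SGxClientPreinstall.msi', $client, $ConfigPackage)

foreach ($msi in $order) {
    $path = Join-Path $PackageDir $msi
    $log  = Join-Path $env:TEMP "$msi.log"
    # /qn runs without UI (the installer's default feature set, i.e. 'Typical'); /norestart
    # defers the reboot so all three packages land before the single reboot in Step 3.
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$path`" /qn /norestart /l*v `"$log`"" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host "$msi installed." }
        3010    { Write-Host "$msi installed (reboot required, deferred)." }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "$msi failed with exit code $($p.ExitCode); see $log" }
    }
}

# Step 3 ends with a reboot; on first boot the client contacts the server and pulls its policy (section 7).
Restart-Computer -Force
```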
7. First Boot
Login again after the machine has rebooted. As long as there is internet connectivity the SafeGuard Enterprise client will connect to the SafeGuard server and receive its policy instructions.
A bubble should appear indicating that the initial synchronisation is complete. Within a minute or two the encryption process should begin.
Progress can be monitored through the Base Encryption Viewer. This process may take several hours depending on the specification of the machine and the size of the hard drive.
The initial encryption process is now complete, but our work is not quite finished.
8. First Login
On login the user is now presented with a new login screen. This logon (POA) is the mechanism by which access to the encrypted data is controlled. Only users that are registered with the POA can now log on to the machine; the POA passes the credentials of an authorised user to the Windows GINA. This is a change from the traditional PC configuration, where a PC registered in the Leeds Active Directory could be logged in to by any Active Directory user. A machine running SafeGuard Enterprise Device Encryption can only be accessed via accounts registered in the POA.
The first person to login through the POA becomes the ‘Owner’ and has the ability to register other users within the POA (See section 2.4 in the User Guide). The machine’s ‘Owner’ can be changed within the SafeGuard management console, but by default the ‘Owner’ is the first person who logs into a newly encrypted machine.
The SafeGuard Client will periodically synchronise to the SafeGuard Server checking for policy updates.