
SecureDoc for Mac v6.1. User Manual


©Copyright 1997 - 2012 by WinMagic Inc. All rights reserved.

Printed in Canada

Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department’s Bureau of Industry and Security (BIS). For more information, visit WinMagic’s web site or the web site of the appropriate agency.

WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex and SecureDoc Central Database are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2012 WinMagic Inc. All rights reserved.

Acknowledgements

This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young ([email protected]) and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)”

WinMagic would like to thank these developers for their software contributions.

Contacting WinMagic

WinMagic

200 Matheson Blvd West, Suite 201
Mississauga, Ontario, L5R 3L7
toll free: 1-888-879-5879
phone: (905) 502-7000
fax: (905) 502-7001
Sales: [email protected]
Marketing: [email protected]
Human Resources: [email protected]
Technical Support: [email protected]
For information: [email protected]


About SecureDoc for Mac

SecureDoc for Mac securely encrypts the hard disk in your Mac computer (desktop or laptop). When the disk has been encrypted, SecureDoc's pre-boot authorization window (boot logon) appears each time you start the computer. At this window you must enter a SecureDoc password to complete the authentication and gain access to the encrypted data on your Mac.

SecureDoc for Mac can also be used to encrypt and decrypt USB flash drives, protecting them with either a password or a key.

Contents

• About SecureDoc for Mac
• Getting Started with SecureDoc for Mac
    • SecureDoc for Mac or FileVault 2
    • System Requirements (SecureDoc for Mac)
    • Installing SecureDoc for Mac
        • Step 1: Installing Software
        • Step 2: Encrypting a Hard Disk
        • Step 3: Create Data Recovery Media
    • SecureDoc and Boot Camp
    • Silent Installation
    • Accessing the encrypted hard disk
    • For SED Users: Firmware Updates
    • Uninstalling SecureDoc for Mac
• Using SecureDoc for Mac
    • Customizing Boot Logon
    • Encrypting USB Media
    • Accessing Encrypted Removable Media
        • Accessing Using Encryption Key
        • Accessing Using Password
    • Working with Password-Protected USB Media
    • Changing your Password
    • Acceptable Passwords
    • Creating a Backup Key File
    • Using Recovery Media
    • Performing Cryptographic Engine Tests
    • Enabling/Disabling Hardware Protection (SED Boot Drive Only)
    • Enabling/Disabling Single Sign-On or Single Sign-On and Password Sync
    • Communicating with the Server
    • Performing Crypto-Erase
• SecureDoc and FileVault 2
    • System Requirements
    • Installation and encryption

GETTING STARTED WITH SECUREDOC FOR MAC

SecureDoc for Mac or FileVault 2

Your SES administrator may have given you a FileVault 2 installation package. FileVault 2 is the native encryption engine on the Mac OS X operating system. SES can manage devices with either SecureDoc (i.e., SecureDoc for Mac) or FileVault 2 encryption.

If you have a FileVault 2 installation package (check the filename), then see "SecureDoc and FileVault 2" on page 1.

If you have a SecureDoc for Mac installation package, then follow the instructions in this chapter.

System Requirements (SecureDoc for Mac)

Operating system and hardware requirements are listed here.

To create data recovery media (highly recommended), you need a USB flash drive, CD, or DVD of at least 32MB capacity that can be reserved exclusively for data recovery purposes.

Installing SecureDoc for Mac

Before installing SecureDoc for Mac we recommend that you back up your computer and then run a disk utility to check the status of your hard drive.

Step 1: Installing Software

Note: If you are installing SecureDoc for Mac on a laptop, then make sure the laptop is connected to a power supply for the duration of the installation and encryption process.

1. Log in to the Mac with an account that has administrator rights.

Note: If your Mac has multiple bootable volumes, log in to the volume where you want SecureDoc installed. Any additional Mac bootable volumes will be encrypted but cannot be used to start your Mac (boot logon can access only your primary volume).

2. For standalone users, download the appropriate zip file (for example, WinMagicxdSecureDocMacStandAlone) from the WinMagic web site and unzip it. A folder is created, containing the SDMacintosh.dmg file. For users in an SES environment, obtain the SDMacintosh.dmg file from your SES administrator.

3. Double-click this file to mount the disk image.

4. Double-click the pkg file and, on the Welcome dialog, click Continue.

5. Read, print or save the software license agreement. Click Continue.

To continue, you must agree to the terms of the license agreement.

6. Confirm that the current volume is the one where you want to install SecureDoc for Mac (defaults to current volume). If you want to install on another volume, stop the installation, log in to that volume, and re-start installation.

7. Choose a location for the installation.

8. Click Install. You are prompted to re-enter the administrator userid and password.

Note: In an SES environment, recovery keys are sent to the server at this point.

9. For standalone users, you are prompted to enter an initial password.

10. You are warned that installing the software requires a restart and prompted to choose whether to continue.

11. Installation progress is shown. When installation is complete, you are prompted to click Restart to restart your computer.

12. When the computer restarts, the SDForm dialog appears, showing the identifying information for your computer. Click Submit.

In a standalone environment, if you did not already do so, you will be asked to set a password (you can change this password later, if necessary). In an SES environment, this information is communicated to SES.

Note: In an SES environment, if at any time communication with SES fails,


Step 2: Encrypting a Hard Disk

Note: Encryption will continue even if you log off.

1. Encryption starts automatically.

Note: If you are not in an SES environment, and you have an SED device, you are prompted to choose hardware or software encryption. If you choose Hardware, the encryption process will be very fast; if you choose Software, the encryption process is slower.

2. A progress indicator shows the percentage of the hard disk encrypted (in an SES environment, this indicator may be hidden). The length of this process depends on the size of the hard disk: approximately 28-40 GB is encrypted per hour.

Note: You may continue with other work while the encryption takes place.

3. Once the hard disk has been encrypted, SES users are prompted for a new password to replace the temporary password (this was provided by your SES administrator) used during initial encryption. See “Acceptable Passwords” on page 19 for instructions on how to choose a password. SES users may also be prompted to answer self-help password recovery questions.

Note: Remember your new password: you will need it to log in to your computer (at pre-boot) and to log in to the SecureDoc Control Center.

Step 3: Create Data Recovery Media

Note: In an SES environment, data recovery media is usually created by the SES administrator, but you can also create it yourself.

Data recovery media can be used to access encrypted data if for some reason boot logon does not appear.

You can choose to create recovery media on a USB drive or a CD/DVD.

Be sure you have available a USB flash drive of at least 32MB capacity, a CD, or a DVD that can be reserved exclusively for data recovery purposes.

Note: If you use a USB flash drive, the entire contents of the drive are overwritten. Once this process is complete, you cannot use the USB flash drive for any other purpose.


2. Choose the type of media to use for data recovery. If you choose to use a USB, connect the USB flash drive and click OK. If you choose a CD/DVD, you will be prompted to insert it at the appropriate time.


SecureDoc and Boot Camp

If you use Boot Camp to boot into another OS (which must be on a self-encrypting drive), you must:

1. Enter your username and password but do not press Enter. Instead, press F12.

2. When the machine re-boots, hold the ALT key. You will be prompted to choose the OS you want to boot into.

Silent Installation

Your SES administrator may have used silent installation, which allows SecureDoc to be installed without your involvement. The first phase of installation is done before you log on to your Mac account, at which time the second phase of installation occurs. If installation is not completed when you log out, it will continue until complete, at which point you will have access to SecureDoc.

Accessing the encrypted hard disk

Once SecureDoc for Mac is installed and your disk is encrypted, you will see boot logon each time you restart your computer. It prompts for two things:

• key file — just press Return to use the default key file, either stored on the computer itself or, if in an enterprise environment where Preboot Networking is being used, on the network

• SecureDoc password.

If preboot authentication is done through the network and the network is not currently available, you will see an error message: clear the userID field to authenticate locally.

Note: SED users who chose hardware encryption will see boot logon only when they turn the computer on and off again.

Note: SES users may not see boot logon at all.

If you want to boot to a CD/DVD or any other bootable Mac media (for example, for repairing an encrypted fixed disk), press and hold ALT after entering your key file and password. You are prompted to choose from a list of available bootable devices. You can change the password at any time, as described in “Using SecureDoc for Mac” on page 13.

SES users may have a limit set to the number of attempts they can make to log in. After this limit is reached, the computer may reboot or become locked, requiring administrator support.


For SED Users: Firmware Updates


Uninstalling SecureDoc for Mac

Note: If you are uninstalling SecureDoc for Mac from a laptop, then make sure the computer is connected to a power supply for the duration of the uninstallation and decryption process.

1. If you encrypted any removable media, decrypt it (following the steps in “Using SecureDoc for Mac” on page 13) before proceeding. Once SecureDoc for Mac is uninstalled, your computer can no longer access data on removable media encrypted by SecureDoc for Mac.

2. Locate the Applications\ WinMagic folder. Double-click the uninstall file SecDocUninstall. You are prompted to confirm that you want to remove protection.

3. Enter your SecureDoc password and click OK.

4. You are prompted to confirm again.

5. All data is decrypted. This process takes approximately the same amount of time as encryption.


USING SECUREDOC FOR MAC

Customizing Boot Logon

In most cases your administrator will have customized the appearance of the boot logon screen. You can change or remove these settings, but we recommend that you contact your administrator before attempting to do so.

1. Click the SecureDoc icon on the menu bar and select the SecureDoc Control Center.

2. Select Advanced Actions.

3. Select the Preboot Customization tab and click Set Default to restore the default setting.

You can personalize your SecureDoc by adding a different background image for boot logon. Choose Add Customized and browse to the location of the new background image, which must be 24 bit, PNG format, 1024 x 768 and, when zipped (SecureDoc zips the file for you), no larger than 0.5MB.
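A pre-flight check for the background image limits stated above, as an added example that is not part of the WinMagic manual or of SecureDoc itself. It assumes "24 bit" means 8-bit RGB (PNG colour type 2) and reads "0.5MB" as 512 KiB; SecureDoc's own zip settings are not documented here, so the size check uses standard deflate as an approximation. The sample images are constructed in memory.

```python
import io
import os
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
REQUIRED_SIZE = (1024, 768)          # stated in the manual
MAX_ZIPPED_BYTES = 512 * 1024        # assumption: "0.5MB" read as 512 KiB


def read_ihdr(png_bytes):
    """Return (width, height, bit_depth, colour_type) from the PNG IHDR chunk."""
    if len(png_bytes) < 33 or png_bytes[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    length, kind = struct.unpack(">I4s", png_bytes[8:16])
    if kind != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    return struct.unpack(">IIBB", png_bytes[16:26])


def zipped_size(png_bytes):
    """Size of a deflate zip holding the image (approximates SecureDoc's own zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("background.png", png_bytes)
    return len(buf.getvalue())


def check_background(png_bytes):
    """Return a list of problems; an empty list means the stated limits are met."""
    try:
        width, height, bit_depth, colour_type = read_ihdr(png_bytes)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if (width, height) != REQUIRED_SIZE:
        problems.append(f"size is {width}x{height}, expected 1024x768")
    if (bit_depth, colour_type) != (8, 2):
        problems.append("not 24-bit RGB (8 bits per channel, colour type 2)")
    size = zipped_size(png_bytes)
    if size > MAX_ZIPPED_BYTES:
        problems.append(f"zipped size {size} bytes exceeds {MAX_ZIPPED_BYTES}")
    return problems


def make_png(width, height, channels=3, noisy=False):
    """Build a constructed test image in memory (3 channels = RGB, 4 = RGBA)."""
    def chunk(kind, data):
        body = kind + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

    colour_type = {3: 2, 4: 6}[channels]
    row_len = channels * width
    # Every scanline starts with filter byte 0; noisy rows do not compress.
    rows = (b"\x00" + (os.urandom(row_len) if noisy else b"\x40" * row_len)
            for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, colour_type, 0, 0, 0)
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(b"".join(rows))) + chunk(b"IEND", b""))


if __name__ == "__main__":
    for label, image in [("flat 1024x768 RGB", make_png(1024, 768)),
                         ("800x600 RGB", make_png(800, 600)),
                         ("noisy 1024x768 RGB", make_png(1024, 768, noisy=True))]:
        print(label, "->", check_background(image) or "OK")
```

A photographic image at the required resolution can easily exceed the zipped limit, which is the case the noisy sample stands in for.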


Encrypting USB Media

If your installation has been configured to allow this, you can choose to encrypt USB media (including, optionally, SED removable media) with any of the following:

• the default key used to encrypt your hard disk (advisable only if you will not be sharing your media, since anyone with access to that key also has access to your encrypted hard disk data);

• another key in your key file;

• a password you specify.

This allows you to share your media with another user. The other user will need one of the following:

• a Mac with SecureDoc on it and either the key or the password used to encrypt the media;

• a Windows machine with SecureDoc installed on it and either the key or the password used to encrypt the media;

• a Windows machine with the free Media Viewer (available from WinMagic) installed on it and the password used to encrypt the media.

1. Connect the USB media to the Mac.

Note: Enterprise users may have media encrypted automatically, with or without warning.

2. Click the SecureDoc icon on the menu bar and select the SecureDoc Control Center.


4. Choose the desired media from the list.

5. Choose how you want the media protected (if you click Choose Key, you see a list of available keys to choose from). If you click Password Based, you are prompted for a password (see below).

6. Choose the method you want to use for encryption:

• fast mode encrypts only the sectors in use at the moment, then encrypts all new data written to the drive, and is best used for media that has never contained sensitive information;


7. Click Encrypt.

The encryption process may take a few minutes depending on the size of the media. A message appears when the process is complete.

8. If encrypting SED removable media, you will be prompted to create recovery media and define a recovery password for the removable media. This can be used to access the encrypted removable media without the encryption key.

9. Once encryption is complete, you may remove the media.

Accessing Encrypted Removable Media

Accessing Using Encryption Key


Click Browse Key File and navigate to the appropriate key file, then enter the Password and click OK. If the removable media is a SED, you can, alternatively, navigate to the recovery file path and enter the recovery password.

Accessing Using Password

When encrypted removable media is inserted into a machine that does not have SecureDoc installed on it, the user is prompted for the password or, for SEDs, for the password or the recovery file and password.

Working with Password-Protected USB Media

1. Connect the USB media to the Mac.


3. Select the removable media with which you want to work.

4. To change the password, click Set New Password and, when prompted, enter a new password.

To remove the password, leaving the media inaccessible, click Remove Password. You are prompted to confirm.

To decrypt the media, click on Decrypt.

Changing your Password

You can change your password at any time after installation and encryption. You may find that your SecureDoc and Mac passwords have been synchronized, so that changing one changes the other automatically.

1. Click the SecureDoc icon on the menu bar and select SecureDoc Control Center.

2. Select SecureDoc Users.


4. Enter the old (current) password, then enter and confirm the new password.

5. Optionally, to display a hint that can help you remember your password, enter the hint in the Password Hint box (the box appears if your password rules permit it).

Note: Be sure the hint does not contain enough information for an illegitimate user to determine the password, or the password itself.

6. Click OK to accept the change.

Acceptable Passwords

To make sure that your password is secure and difficult to guess, you must use a password that contains at least one of each of the following:

• upper case letter (A - Z)

• lower case letter (a - z)

• numeric character (0 - 9)

• non-alphanumeric keyboard character (any other character, such as #, ? @, etc.)

IMPORTANT: Ensure that you remember your new password: once the


Changing or Setting Self-Help Answers

Use this feature to define a set of self-help questions and answers to be used for password recovery. If your installation was configured to use this feature, you can change the answers to questions originally posed at installation.

Click the SecureDoc icon on the menu bar and select the SecureDoc Control Center. Choose Change Self-Help Answers.

Enter questions and the corresponding answers, then click OK. Enterprise users will not be able to change the questions.

Recovering from a Lost Password

If you can’t remember your password, at boot logon, press Enter, then press F8 and follow the instructions to perform a challenge/response password recovery or press F9 to provide answers to the self-help password recovery questions you provided when your drive was initially encrypted. When you have answered all the questions, your answers are compared to those you gave originally. If you answered any of the questions incorrectly, you are returned to the boot logon screen to try again. If you successfully answered all of the questions your Mac starts up as normal. You are immediately taken to the Change Password screen to assign a new password.

Creating a Backup Key File

A backup key file can be used if you forget your password or make an error when changing your password. The backup contains your encryption keys and requires no password or token to gain access, so it must be kept safe and secure at all times.

1. Click the SecureDoc icon on the menu bar and select the SecureDoc Control Center.


3. Re-enter the password used to access your encrypted hard disk.

4. Enter a recovery password and browse to the location where the key file should be created.

5. Click OK.

This function creates a file called Securdoc.dbk (note the lack of an “e”) in the specified location. Note that a backup key file is not the same thing as a copy: a copy requires the key file password to access.

Using Recovery Media

If for some reason boot logon does not appear, use your data recovery media (you may need to get this media from your SES administrator). Connect or insert the data recovery media, then hold down Option while restarting your computer. Choose to reboot from the drive containing the recovery media and follow the instructions that appear.

Note: You will need to know the SecureDoc password that was in effect when you created the media.

Performing Cryptographic Engine Tests

You can run tests to ensure the cryptographic engine is running correctly, or to check the integrity of your computer’s boot files to ensure they have not been tampered with or corrupted on boot-up.

1. Click the SecureDoc icon on the menu bar and select the SecureDoc Control Center.

2. Select Advanced Actions.


Enabling/Disabling Hardware Protection (SED Boot Drive Only)

Under normal circumstances, you would not disable hardware protection for your SED boot drive, since doing so makes the drive available to anyone. However, to upgrade SecureDoc you need to disable hardware protection (you will be prompted to enable it again as soon as the software is upgraded). The option to disable and enable hardware protection appears on the SecureDoc options menu.

Enabling/Disabling Single Sign-On or Single Sign-On and Password Sync

Single sign-on means that when you log on to boot logon, you automatically also log on to your Mac. Password sync means that changes to your boot logon password affect your Mac password, and vice versa. In an SES environment, these options may have been configured for you.

To enable or disable these features, click the SecureDoc icon on the menu bar and select SecureDoc Control Center. Choose Advanced Actions, then Settings, then


Note: If your account password is changed or the account is deleted, you will be prompted, after logging on to boot logon, to enter the new password, define a new account for Single Sign-On, or disable the option.

Communicating with the Server

Normally communication between your computer and the server is done, at intervals, in the background. If you want to manually establish communication with the server (for example, on the request of your administrator) you can do so.

Click the SecureDoc icon on the menu bar and select Communicate with Server.

Performing Crypto-Erase

At pre-boot or after the Mac OS has started, you can crypto-erase your computer, removing the encryption key and rendering it inaccessible. This is done only under exceptional circumstances.


SECUREDOC AND FILEVAULT 2

System Requirements

Operating system requirements are listed here.

Installation and encryption

1. Log in to the Mac with an account that has administrator rights.

2. Double-click on the SDFVMac.pkg file (from your SES administrator).

3. Click Continue to review the ReadMe and the license agreement.


5. Click Restart.

When the computer restarts, you are asked to log in to the local administrator account that was created during the installation. The password for this account is set by your SES administrator. This account gives SecureDoc the ability to manage access to the encrypted drive for all the local accounts on the computer. The encryption continues once you have logged into this account.

The encryption process takes place in the background and could take a few hours. During this time you can continue working normally on your computer; you can even log off or turn off your computer.

Giving local accounts access to the encrypted drive


Any accounts that are created after encryption are automatically added to the "unlock" list.

Removing SecureDoc and FileVault 2 encryption

To uninstall SecureDoc and disable FileVault 2 encryption on the drive, run
