For more information regarding local SafeBoot representatives please take a look at:
www.safeboot.com
Copyright © 2007 SafeBoot N.V. All rights reserved. Printed in The Netherlands.
Welcome
Audience
This guide was designed to be used by qualified system administrators
and security managers. Knowledge of basic networking and routing
concepts, and a general understanding of the aims of centrally managed
security, are required.
SafeBoot can only contribute to information security within your
organisation as part of a coherent and well-implemented organisational
security policy.
For information about cryptography topics, readers are advised to
consult the following publications:
Document Conventions
The following conventions are used in this guide:
Bold font
  Use: Indicates a user entry - a command, menu, option, button or key - or the name of a file, directory, or utility.
  Example: Click the option to set it.
Italic font
  Use: Identifies a chapter or sub-chapter of this guide.
  Example: See Creating Users for more information.
Square Brackets ( [] )
  Use: Enclose optional keywords and values in command syntax.
  Example: SBServer [username] [password]
Vertical Bar ( | )
  Use: Separates two or more possible options in command syntax.
  Example: SBServer start | stop
Related Documentation
The following materials are available from our web site,
http://www.safeboot.com, and from your SafeBoot Distributor:
• Device Encryption 5 PC Administrators Guide (this document)
• Management Center 5 Administrators Guide
• Device Encryption 5 PC QuickStart Guide
• SafeBoot Enterprise Technical Overview
• SafeTech Engineers Guide
Acknowledgements
SafeBoot’s Novell NDS Connector and LDAP Connectors make use of
OpenLDAP (www.openldap.org) and OpenSSL (www.openssl.org). Due
credit is given to these organisations for their free APIs.
Table of Contents
Welcome
  About this Guide
  Audience
  Document Conventions
  Related Documentation
  Contacting Technical Support
  Acknowledgements
1. Introduction
  1.1 Why SafeBoot Device Encryption?
  1.2 Design Philosophy
  1.3 How SafeBoot Works
    1.3.1 Protection
    1.3.2 Management
    1.3.3 Objects, Entities, and Attributes explained
  1.4 The SafeBoot Components
    1.4.1 SafeBoot Administration Center (SBAdmin)
    1.4.2 SafeBoot Server (SBServer)
    1.4.3 SafeBoot Object Directory
    1.4.4 SafeBoot Device Encryption PC Client
    1.4.5 SafeBoot File Encryptor
    1.4.6 SafeBoot Connector Manager
  1.5 Component Design
    1.5.1 SafeBoot Device Encryption Client
    1.5.2 SafeBoot Administration
    1.5.3 SafeBoot Connection Manager
  1.6 Install and Deployment
2. Installing SafeBoot Administration
1. Introduction
NOTE - For end users, SafeBoot allows users to work as usual, including the security and
network services. Apart from the initial Logon, SafeBoot offers completely
transparent security.
NOTE - Even if a data recovery agency tries to retrieve information from a
SafeBoot-protected hard drive, without access to the SafeBoot system via the
passwords or recovery information there is no way of accessing this data – total security.
1.3.2 Management
Every time a SafeBoot protected device boots, and optionally every time
the user initiates a dial-up connection or after a set period of time,
SafeBoot tries to contact its "Object Directory". This is a central store of
configuration information for both machines and users, and is managed
by SafeBoot Administrators. The Object Directory could be on the user’s
local hard disk (if the user is working completely stand-alone), or could
be in some remote location and accessed over TCP/IP via a secure
SafeBoot Server (in the case of a centrally managed enterprise).
The SafeBoot protected machine queries the directory for any updates
to its configuration, and if needed downloads and applies them. Typical
updates could be a new user assigned to the machine by an
administrator, a change in password policy, or an upgrade to the
SafeBoot operating system or a new file specified by the administrator.
At the same time SafeBoot uploads details like the latest audit
information, any user password changes, and security breaches to the
Object Directory. In this way, transparent synchronization of the
enterprise becomes possible.
The SafeBoot Object Directory is the central configuration store for
SafeBoot 5 Device Encryption and is used as a repository of information
for all SafeBoot entities. The default directory uses the operating
system's file system driver to provide a high-performance, scalable
store that mirrors an X.500 design. Alternative stores such as LDAP
are possible – contact your SafeBoot representative for details. The
standard store has a capacity of over 4 billion users and machines.
Typical information stored in the Object Directory includes
• User Configuration information
• Machine Configuration information
• Client and administration file lists
• Encryption key and recovery information
• Audit trails
• Secure Server Key information
From the above diagrams, you can see that all SafeBoot components
share a common communication backbone. This design has the benefit
that the security information source is transparent to the driving
application, and the end store can be changed with no modifications to
the administration, client, or synchronization engines.
2. Installing SafeBoot Administration
NOTE Readers unfamiliar with SafeBoot should follow the “Device Encryption 5 PC
QuickStart Guide”, which walks through setting up a SafeBoot enterprise, before
tackling any of the topics in this guide.
SBAdmin is the Administration part of SafeBoot and is the core tool for
managing all SafeBoot-aware applications. If this is the first time you
have installed a SafeBoot application, you should read the SafeBoot
QuickStart Guide. You will find this either in your SafeBoot box, or on
your SafeBoot CD in the “DOCS” directory.
Install SBAdmin by running the appropriate “setup.exe” from the
“SafeBoot5…” directory on your SafeBoot CD. You should run this first
on the machine which you want to be the “master” or administrator's
machine. If you have a multi-language CD, select the language (for
example “English”) you want to install.
The SafeBoot management suite adds some items to your start menu.
“SafeBoot Administration” starts the SafeBoot management console;
“SafeBoot Database Server” starts the communication server which
provides encrypted links between clients and the configuration.
3. Device Encryption User Policies
NOTE: In the case of hard tokens, creating the token does not necessarily set the user to
actually use that token. This must be accomplished separately from the user's
“Token” properties page.
NOTE: Some hard tokens may not be able to be reset using SafeBoot - for example
Datakey Smart Cards. In this case contact the manufacturer of your token to
determine the correct re-use procedure.
3.1.8 Properties
Displays the properties of the selected object.
Auto-boot users
The special user id “$autoboot$” with a password of “12345” can be
used to auto-boot a SafeBoot protected machine. This option is useful if
an auto-boot of a machine is needed, for example when updating
software using a distribution package such as SMS or Zenworks. This ID
should be used with caution though, as it effectively bypasses the
security of SafeBoot.
Enabled
Shows whether the user account is enabled or not. The enabled status
is always user selectable.
NOTE - If you want to force a SafeBoot machine to synchronize (and hence immediately
stop the user from accessing the machine), you can use the "force sync" option to
force an update. For more information see the SafeBoot DE Administrators Guide,
Chapter 0.
3.2.2 Devices
NOTE: If you need to take detailed control of the devices which are available to your
users, please see SafeBoot’s Port Control product which provides granular device
access.
4. Using Tokens with Device Encryption
NOTE: When learning how to use SafeBoot, we advise you always leave at least one
password-only user assigned to machines in case you make a mistake when
setting up token support.
[Table: smart card reader / token compatibility. Readers listed: Generic USB CCID; Omnikey 3021 CCID; ACR38 USB Reader; GemPC 430 USB; Dell D620 integrated reader; SCM SCR243 PCMCIA; PCI integrated; SCM SCR201; CISCO / PSCR PCMCIA; Cardman 4040; TI embedded (Dell D610, HP NC6400); O2 Micro embedded (Dell D600 etc.). Tokens whose names survived extraction: ActivIdentity (Stored Value) T=0; Estonian National ID Card; Datev (PKI Mode); ActivIdentity (PKI Mode); Siemens CardOS; IZN Certificate; SafeBoot Red; and a stored-value smart card. Every reader is marked as supported for every token listed, except the Omnikey 3021 CCID, for which several combinations are marked as untested (?), and the PCI integrated reader, for which one token is marked as unsupported.]
Some USB key tokens are in fact a combined USB Smart Card reader
and USB Device in one unit, so you also need to add USB CCID Smart
Card reader support to your Device Encryption clients for them to work.
[Table: USB key token support through the Generic USB CCID Reader. Tokens whose names survived extraction: ActivIdentity ActivKey (Certificate), RSA SID800 (Storage) and further storage-mode tokens. The reader is marked as supported for all tokens listed, with one column marked “Not Required”.]
Note: When you wish to use the TPM as a token for SafeBoot
Administration, you must ensure that the UserID is not used on any
other PC with a TPM as it will be locked to that PC from then on.
The embedded TPM chip can, in its simplest form, be envisaged as a
smart card physically attached to the motherboard of the PC. The TPM
(Trusted Platform Module) can perform cryptographic operations similar
to those of PKI smart cards, such as encryption, decryption, key generation
and signing of data.
With the SafeBoot TPM module, the TPM chip is used to secure a user's
logon credentials. This means that once initialized, the user's unique secret
key is removed from the SafeBoot environment and secured by the TPM
chip. From this stage onwards the user will only be able to log in to that
particular machine.
Conversion from password mode to TPM mode is automatic and occurs
as soon as the user uses their account on a TPM protected machine.
From activation onwards, that SafeBoot user will only be able to log into
the machine on which the TPM chip holds their keys.
Pre-Requisites for SafeBoot Pre-Boot TPM Support
• SafeBoot V5.0
• PC with Infineon TPM Chip installed (TCG Spec. Version 1.2)
SafeBoot's TPM module also requires that the TPM be "initialised". This
involves creating the Endorsement Key, Storage Root Key and setting
an Owner password. If this is not done, SafeBoot will find the TPM and
try to convert the user to use it at first logon, but the operation will fail
and the user will not be able to logon.
• Infineon TPM Professional Package (Version 2.5)
The TPM initialisation process is performed by the Infineon software
after you install it.
• The TPM Chip must be enabled in the BIOS on the target PC.
The TPM has to be enabled in the BIOS (it is not by default). Until
it is enabled, it is essentially not present as far as the SafeBoot and Infineon
software are concerned. If you try to install the Infineon software with the
TPM disabled, it will warn you "Infineon TPM not found" and
abort the install (exactly as it does on machines without a TPM).
SafeBoot has been tested with the following TPM Components:
Infineon TPM Professional Package v2.5 HF2
Chip State = Enabled
Owner State = Initialized
3. SafeBoot V5.0
The following instructions detail how to enable Sony Puppy support for
a user. For this you will need to have a new Sony Puppy or reset an
existing one using the Sony Puppy Administration Tools.
Step 1. Setup the Sony Puppy Fingerprint Reader
1. Install the Sony Puppy software - SC-API 810 setup (Basic)
2. Plug the Sony Puppy finger-print reader into an available USB Port
3. Click Start -> All Programs -> FIU-810 tools -> User Manager
4. Follow the on screen instructions to register a UserName and
Fingerprint / Password for the device
5. When you have successfully created the Sony Puppy User and
registered your fingerprint(s) exit the application.
Step 2. SafeBoot DE 5.0 setup
1. Install SB5.0 with Sony Puppy support.
2. Log in to SBAdmin.
3. Click on Devices and from SafeBoot Machine Groups add a new
Machine Group.
4. Right-click the Machine Group and select Properties.
5. Click on the Files icon and select Sony Puppy Client Files.
6. Apply these settings.
7. Click on the Users tab and create a SafeBoot User (keep a note of
the UserID).
8. Right-click the new SafeBoot user and select Properties.
9. Assign a Puppy token to the User and apply these settings
(note: the Configure option does not work with the Puppy token).
10. Assign the user to the machine group and
11. Create an install set from the machine group.
Step 3. Installing SafeBoot with Puppy Support
1. Install SafeBoot on the Client PC using the newly created install set
2. Once installed, start SbPuppytrainer.exe from default SafeBoot
directory.
3. Select Train Puppy from the menu.
4. Select Use SafeBoot Username and enter the UserID and Password of
the SafeBoot user and click the Logon with Password button.
You will be asked to verify your fingerprint,
5. Place your finger on the reader and it should verify "OK"
The training is complete. You may reboot the machine and log on at the
PBA by selecting the Sony Puppy token.
Step 1.
Create a user and assign their finger within the USB Phantom by
running SMCforUSB.exe (this is the USB Management utility):
1. Create user
2. Enrol user i.e. register finger!
3. Assign a partition to the user
Step 2.
1. Within the SafeBoot Management Center create a user account
for the user name created in step 1.
2. Assign SafeBoot for USB token to user (default token is
password) Note: Default in DE is to create a default password of
12345
Step 3.
Define Machine Policy which should include file sets:
• DE 5.x client files
• READER: USB CCID smart card
• TOKEN V5x: SafeBoot for USB Phantom client files
Step 4.
Create an online installation set. Note: assign the user or user group to the
machine as part of the machine policy.
Step 5.
Install Safeboot5x.exe on client PC
After the second reboot of the client you should see the pre-boot
authentication screen, which will have password and SafeBoot for USB
token options.
Step 7.
Select SafeBoot for USB which should generate a SafeBoot Biometric
challenge screen
1. Attach USB phantom to PC.
2. Swipe the enrolled finger on the USB Phantom
3. Tick the box for the user listed “Provide User Name”
The standard SafeBoot logon screen should appear, which will require
the SAME user name to be entered as the one registered with the USB
Phantom. At this point you will need to enter the default DE password of
12345, which will marry the DE SafeBoot client with the USB Phantom.
This step completes the integration of the SB DE client with the
USB Phantom.
The PC should now boot into Windows. After rebooting the client you
should only be prompted to authenticate via the USB Phantom
biometric reader.
5. Creating and Configuring Machines
NOTE: This does not affect the machines network name which can be seen from the
General Properties page.
5.1.3 Delete
Deletes the machine entry – you will be given the opportunity to
permanently delete the machine, or to move the machine to the
Recycle Bin (where it can later be restored).
NOTE: There are some instances when Windows will prevent remote rebooting of a
system, e.g. while the screen-saver is active.
5.1.14 Properties
Displays the properties of the selected object.
Description
You can enter a text description for a machine group, such as the
physical location of the machines.
5.2.2 General
Boot Protection
The status of SafeBoot can be set in one of four modes. Both the
desired and the current protection status are shown.
Disabled – SafeBoot is installed and listening, but is not securing the
computer. You can change the status to another mode and this will be
reflected at the next synchronization.
Enabled – SafeBoot is protecting the machine, and requiring users to
log on.
Remove – SafeBoot will decrypt and uninstall itself at the next
synchronization.
Remove and Reboot – as above, with the addition that SafeBoot will
automatically reboot the machine after uninstalling.
Removed – SafeBoot is no longer installed on the machine, and its entry
can be deleted from the directory.
TIP – If you select “Remove” and let the machine uninstall SafeBoot, remember to either
delete the entry from the directory, or set the protection back to “Enable” before
re-installing SafeBoot. If you forget this, then as soon as the new install connects,
it will remove itself again.
Description
A text description of the machine, such as its specification, model or
physical location.
Network Name
The machine's logical network name - you can find and filter the
Machine tree for the machine's name using the Object/Filter option.
Options
Windows Logon
• Require SafeBoot Logon – SafeBoot takes control of the normal
Windows logon screen and screen saver logon. Users will be
prompted for their SafeBoot credentials.
• Attempt automatic Windows Logon – SafeBoot tracks the user’s
Windows ID, password and domain, and presents these
automatically to Windows logon boxes. This means that
once the user has authenticated to SafeBoot at the boot screen,
they do not need to enter any more passwords for Windows.
NOTE – If the user’s Windows credentials are different from their SafeBoot credentials,
SafeBoot stores the windows credentials the first time they are used. It may take
two reboots before the single sign on becomes active.
NOTE: This option is not available with SafeBoot version 4.1 or later.
Virus Protection
• Enable MBR Virus protection – SafeBoot monitors boot sector
activity and prevents any program writing to it. SafeBoot also
monitors the BIOS signature to further prevent boot viruses.
NOTE – If you have this option enabled and you move a protected hard disk between two
machines, SafeBoot will detect this as a possible virus and prevent the machine
being used until a virus reset has been performed. For information on this
procedure, see Chapter 20
Miscellaneous
• Do not display previous user name – Hides the ID of the last
logged on user in all SafeBoot logon dialogs, and changes the
“Incorrect Password” and “Unknown User ID” error messages to a
generic message.
• Reject Suspend/Hibernate Requests - Stops the machine
performing an insecure power action.
• Disable Checking for AutoBoot - switches off the $autoboot$ user
support on this machine. If the machine has many users
assigned, this option can speed up the boot time.
• Do not lock after AutoBoot is removed – normally SafeBoot locks
the workstation if the current logged in user is removed or
disabled as part of a synchronization event. This is to prevent the
machine being used in the event that there is no current user.
Switching this option on stops the autolock happening if the
$autoboot$ user is removed, and may be useful in the case of
automated software updates.
5.2.3 Encryption
NOTE – Partial encryption is designed to encrypt the directory structure and file allocation
table on FAT drives – it does not stop a competent hacker reassembling file data
from the drive.
Recovery key
You can boot a machine, or close the SafeBoot screen saver without
logging on using the recovery process – this involves the user reading a
small “challenge” of 18 characters from the machine to an
administrator, then typing in a larger “response” from the
administrator. The recovery key size defines the exact length of this
code exchange. For more information see Chapter 14. A recovery key
size of “0” disables the machine recovery system.
Removable Devices
You can configure Device Encryption to also encrypt removable drives
such as USB/Firewire hard disks, Flash drives etc. Normally, Device
Encryption only protects physically attached hard disks – for example
IDE or SCSI hard disks. This is because SafeBoot Device Encryption is
related to the machine, not the user – it’s impossible to share drives
encrypted with Device Encryption between different machines. If you
need to share data amongst users and machines, please consider
SafeBoot Content Encryption.
• Manually Select – Normally removable drives will not be shown in
the encryption list. Selecting this option makes them visible.
• Always Encrypt – Forces encryption of removable drives.
• Never Encrypt – Prevents SafeBoot from attaching its drivers to
removable disks – this is the default option.
5.2.4 Users
You can add both groups of users, and individual users to a machine (or
machine group) – either drag the user(s) from the user tree into the
machine properties user tab, or use the “user picker” to select them.
Although SafeBoot supports many hundreds of users on a single
machine, we STRONGLY recommend that the number of users actually
assigned is kept to the fewest possible. Every user added to a
machine is another possible account for a hacker to gain entry through.
There is no purpose in adding entire departments of users to laptops
which are used by only one person.
Auto-boot users
Special user IDs containing the name “$autoboot$” with a password of
“12345” can be used to auto-boot a protected machine. This option is
useful if an auto-boot of a machine is needed, for example when
updating software using a distribution package such as SMS or
Zenworks. These IDs should be used with caution though, as they
effectively bypass the security of SafeBoot.
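The cautions this chapter gives for a machine policy (auto-boot users, a Disabled protection status, partial encryption, a recovery key size of 0, an unsecured screen saver, no time synchronization) can be checked mechanically before an install set is built. The following Python script is an added example and is not SafeBoot code: the MachinePolicy record is a constructed stand-in for the machine properties described above (the real Object Directory is not read), the sample policies are made up, and the user-count cutoff of 5 is an assumption, since the guide only says to keep the count minimal.

```python
"""Audit SafeBoot Device Encryption machine policies for risky settings.

Added example, not part of the SafeBoot product or this guide. The
MachinePolicy layout is a constructed stand-in for the machine properties
described in this chapter; the real Object Directory is not read here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: the guide only says "minimize" users per machine; 5 is our cutoff.
MAX_USERS_PER_MACHINE = 5


@dataclass
class MachinePolicy:
    name: str
    protection: str = "Enabled"        # Disabled | Enabled | Remove | Remove and Reboot | Removed
    users: List[str] = field(default_factory=list)
    partial_encryption: bool = False   # True = only FAT directory structure / FAT encrypted
    recovery_key_size: int = 18        # 0 disables the challenge/response recovery
    disable_autoboot_check: bool = False
    secure_screen_saver: bool = True
    sync_time_with_directory: bool = True


def audit(policy: MachinePolicy) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for one machine or machine group policy."""
    findings: List[Tuple[str, str]] = []

    # $autoboot$ IDs boot the machine with the well-known password and bypass
    # pre-boot authentication unless auto-boot checking is switched off.
    autoboot = [u for u in policy.users if "$autoboot$" in u.lower()]
    if autoboot and not policy.disable_autoboot_check:
        findings.append(("HIGH", "auto-boot user assigned: " + ", ".join(autoboot)))

    if policy.protection == "Disabled":
        findings.append(("HIGH", "boot protection Disabled: client installed but not securing the disk"))

    if policy.partial_encryption:
        findings.append(("HIGH", "partial encryption: file data can still be reassembled from the disk"))

    if len(policy.users) > MAX_USERS_PER_MACHINE:
        findings.append(("MEDIUM", f"{len(policy.users)} users assigned; each is another account to attack"))

    if policy.recovery_key_size == 0:
        findings.append(("MEDIUM", "recovery key size 0: machine recovery is disabled"))

    if not policy.secure_screen_saver:
        findings.append(("MEDIUM", "secure screen saver off: users can set an unlocked or no screen saver"))

    if not policy.sync_time_with_directory:
        findings.append(("LOW", "clock not synced with directory: logon hour limits can be evaded by clock rollback"))

    return findings


def audit_all(policies: List[MachinePolicy]) -> Dict[str, List[Tuple[str, str]]]:
    """Audit many policies; machines with no findings are omitted from the result."""
    result = {}
    for p in policies:
        findings = audit(p)
        if findings:
            result[p.name] = findings
    return result


# Constructed sample policies (not real machines).
SAMPLE_POLICIES = [
    MachinePolicy("LAPTOP-001", users=["jsmith"]),
    MachinePolicy("KIOSK-07", users=["$autoboot$", "ops"], recovery_key_size=0,
                  secure_screen_saver=False),
    MachinePolicy("LAB-GROUP", users=[f"user{i}" for i in range(8)],
                  partial_encryption=True, sync_time_with_directory=False),
]

if __name__ == "__main__":
    for machine, findings in audit_all(SAMPLE_POLICIES).items():
        for severity, text in findings:
            print(f"{machine:12} {severity:6} {text}")
```

Running the script prints one line per finding for KIOSK-07 and LAB-GROUP and nothing for LAPTOP-001; a machine with an auto-boot user but “Disable Checking for AutoBoot” switched on is not flagged, because the client ignores the $autoboot$ account in that case.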
Security Warning
By right clicking on the SafeBoot tool tray icon, the user can force a
synchronization event by selecting the “Synchronize” option. This
feature can be disabled.
Resynchronize when RAS connection is detected
Causes a synchronization event to occur if the user dials up to the
internet / intranet. SafeBoot checks for new RAS (Remote Access
Service) connections every second.
Synchronize time with directory
Sets the local machine time to the time of the server / directory it is
synchronizing with. If the user’s machine is in a different time zone to
the server, the correct local time will be set as long as their time zone is
correct.
SECURITY TIP - This option is useful when logon hour restrictions are in place – without
this time check the user could set their system clock back to gain extra hours of
machine use.
5.2.7 Files
NOTE: If your SafeBoot user account has group permissions set, some file groups
assigned to the machine may be outside your control - in this case they will be
marked as locked groups. To gain the ability to change them, remove any “Group”
administration restrictions on your account.
NOTE: If “secure screen saver” is disabled, then it will be possible for users to set a
screen saver which does not require a password, or to set no screen saver.
5.2.9 Boot
Boot Manager
You can control the display of the partitions which the user can select
from via the file “bootmanager.ini”. For information about this file see
Chapter 18 of this guide.
Auto select After…
Allows you to select a time period which, once it expires, will cause the
boot manager to select the last used partition.
6. File Groups and Management
New files can be imported one by one into an existing deploy set using
the "Import files" menu option. Simply select the file, SBAdmin will then
import it into the directory, and add it to the deploy set. The default
options for the file mean that it will NOT automatically be downloaded
to machines using this deploy set when they synchronize. See Chapter
6 for information on how to achieve this. You can also import File Sets,
for instance to add a new option to the SafeBoot database.
NOTE – Clients maintain a link to a particular file via its object id, not its name. If you
delete a file and re-import it, its id changes, so clients will delete the original and
download the new copy.
The name of the file is the actual name, which will be used when
deploying the file on the remote machine. The ID is the Object Directory
object ID used as a reference for the file from the client PC. The version
number is an incremental version of the file. When the file is updated,
the version is incremented. This is used by the clients to check whether
an update is needed. Other information such as the name of the user
who imported the file, and its size may be shown.
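The update rules stated here and in section 1.3.2 (the client queries the directory at each synchronization, tracks files by object id rather than name, re-downloads when the version number rises, and deletes a file whose id has left the deploy set) can be written out as a small reconciliation step. The following Python code is an added example and not SafeBoot's client or directory code: the FileRecord layout, the object ids and the deploy set are constructed, and only the four rules above are modelled.

```python
"""Plan a client's file synchronization against a SafeBoot-style deploy set.

Added example, not SafeBoot's code. The record layout, object ids and sample
deploy set are constructed; the guide documents only the rules modelled here:
 - clients reference a file by its Object Directory object id, not its name;
 - a file is re-downloaded when its version number is higher than the client's;
 - a file imported with default options is not deployed until its deploy
   option is switched on;
 - if a file is deleted and re-imported it gets a new id, so the client
   deletes the old copy and downloads the new one.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileRecord:
    object_id: str     # Object Directory id (constructed values below)
    name: str          # real file name used on the client
    version: int       # incremented by SBAdmin on each update
    deploy: bool       # False = default "do not download" option


def plan_sync(deploy_set: List[FileRecord], installed: Dict[str, int]) -> Dict[str, list]:
    """installed maps object_id -> version the client currently holds."""
    wanted = {f.object_id: f for f in deploy_set if f.deploy}
    download = [f for oid, f in wanted.items()
                if oid not in installed or installed[oid] < f.version]
    # Anything the client holds that is no longer in the deploy set is removed,
    # including the old id of a file that was deleted and re-imported.
    delete = sorted(oid for oid in installed if oid not in wanted)
    return {"download": download, "delete": delete}


def apply_plan(installed: Dict[str, int], plan: Dict[str, list]) -> Dict[str, int]:
    """Return the client's file state after carrying out the plan."""
    state = {oid: v for oid, v in installed.items() if oid not in plan["delete"]}
    for f in plan["download"]:
        state[f.object_id] = f.version
    return state


# Constructed scenario: the client holds message.txt as object 0x1A01 (v1) and
# policy.ini as 0x1A02 (v1). The administrator then updated policy.ini to v2,
# deleted and re-imported message.txt (it received the new id 0x1A03), and
# imported update.exe with the default (not deployed) option.
CLIENT_STATE = {"0x1A01": 1, "0x1A02": 1}
DEPLOY_SET = [
    FileRecord("0x1A02", "policy.ini", 2, deploy=True),
    FileRecord("0x1A03", "message.txt", 1, deploy=True),
    FileRecord("0x1A04", "update.exe", 1, deploy=False),
]


def run_example():
    plan = plan_sync(DEPLOY_SET, CLIENT_STATE)
    return plan, apply_plan(CLIENT_STATE, plan)


if __name__ == "__main__":
    plan, new_state = run_example()
    print("download:", [(f.object_id, f.name, f.version) for f in plan["download"]])
    print("delete:  ", plan["delete"])
    print("state:   ", new_state)
```

The run shows the behaviour the note above describes: the re-imported message.txt is fetched under its new id while the old id is deleted, policy.ini is refreshed because its version rose, update.exe stays on the server until its deploy option is set, and a second plan against the resulting state is empty.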
7. Adding components to a Machine
8. Using SafeBoot as a File Deploy System
Because we are importing a "Known" file type, the file location will be
set automatically to [appdir]. We will override this with the location we
want to send the file to, in this case "c:\windows\desktop". We also
want this file to be deployed on all operating systems, so we check all
the boxes.
Now, next time the machine synchronizes, it will notice the new file,
and download it into its "c:\windows\desktop" directory. If the file was
defined as a type of SafeBoot or Windows Registry file, it would be
applied. If it was marked as an "Installation Executable", it would be run.
You can test this behavior by forcing the machine to resynchronize
using either the "Force Sync" option from SBAdmin, or from the
SafeBoot client tool tray Icon right-click menu.
The file "message.txt" should appear on the desktop, and the status
window of the client should reflect the change.
More information on the SafeBoot file deployment mechanism can be
found in Chapter 6.
9. Creating an Install Package
The first step in creating an install set is to select the object you want
to create the set for. Either an individual machine or a machine group can
be used. Install sets created for A MACHINE can only be used to install
that one machine - the target PC always takes the database entry the
install set was created for. Sets created for GROUPS OF MACHINES can
be used to install any number of machines in that group - each machine
looks in the deployed group for its name; if found it uses that object, if
not it creates a new object based on its network name.
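The binding rule just described (a machine install set always takes its own entry; a group install set looks the installing PC's network name up in the group and creates an entry if none exists) is shown below in Python. This is an added example, not SafeBoot's installer or directory code: the in-memory Directory class, the object id scheme and the machine names are constructed, and the case-insensitive name comparison is an assumption.

```python
"""Resolve which Object Directory entry a newly installed client binds to.

Added example, not SafeBoot's code; the directory layout, id scheme and
names are constructed. It models the rule the guide states: an install set
built for a single machine always binds to that machine's entry, while a
set built for a group looks the installing PC's network name up in that
group and creates a new entry in the group if none is found.
"""
from typing import Dict, Optional, Tuple


class Directory:
    """A constructed in-memory stand-in for the SafeBoot Object Directory."""

    def __init__(self):
        self.machines: Dict[str, dict] = {}   # object id -> {"name", "group"}
        self._next = 1

    def add_machine(self, name: str, group: str) -> str:
        oid = f"M{self._next:04d}"            # constructed id scheme
        self._next += 1
        self.machines[oid] = {"name": name, "group": group}
        return oid

    def find_in_group(self, group: str, name: str) -> Optional[str]:
        # Assumption: network names are compared case-insensitively.
        for oid, m in self.machines.items():
            if m["group"] == group and m["name"].lower() == name.lower():
                return oid
        return None


def resolve_install_target(directory: Directory, install_set: dict,
                           network_name: str) -> Tuple[str, bool]:
    """install_set = {"for": "machine" | "group", "id": object id or group name}.
    Returns (object id the client binds to, True if a new entry was created)."""
    if install_set["for"] == "machine":
        if install_set["id"] not in directory.machines:
            raise KeyError("machine entry missing; install set is unusable")
        return install_set["id"], False      # the PC's own name is irrelevant
    group = install_set["id"]
    existing = directory.find_in_group(group, network_name)
    if existing is not None:
        return existing, False
    return directory.add_machine(network_name, group), True


def demo():
    """Constructed walk-through: one pre-created machine in group 'Sales'."""
    d = Directory()
    sales_pc = d.add_machine("SALES-01", "Sales")
    machine_set = {"for": "machine", "id": sales_pc}
    group_set = {"for": "group", "id": "Sales"}
    r1 = resolve_install_target(d, machine_set, "ANY-NAME")   # bound to SALES-01
    r2 = resolve_install_target(d, group_set, "sales-01")     # found in group
    r3 = resolve_install_target(d, group_set, "SALES-02")     # new entry created
    return r1, r2, r3, len(d.machines)


if __name__ == "__main__":
    print(demo())
```

The third call is the case to watch in practice: a group install set run on a PC whose name is not yet in the group silently creates a new machine object, so naming mistakes show up as unexpected entries in the directory.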
For the second step you need to determine whether you expect the
machine to be online or offline at the time of install.
NOTE: by editing the file "scm.ini" on the client before SafeBoot is activated (i.e. after
setup, but before the first reboot) the group can be changed.
NOTE- Until the transport directory containing the machine’s completed configuration is
imported back into the master directory, no connection or configuration of the
client can be performed. Also, in the case where the offline install set was created
from a group, it will not be possible to recover the machine until it has
successfully synchronized with its master database. In the case where the offline
install set was created for an individual machine, or in the case of users,
synchronization is not necessary for the machine to be recovered.
Step 3 involves selecting the final Object Directory that the new client
will communicate with to synchronize configuration details. The default
is the directory that the administrator is currently using, but may be
any the administrator has access to. Usually the clients will access the
Object Directory via a SafeBoot server, rather than locally. Connections
via a SafeBoot Server have the type “Remote”. You can specify multiple
connection points for machines, if you have more than one server
defined.
You can also change the order that the client will look for servers, and
enable automatic random selection of servers by using the wizard.
NOTE – For information on setting up a SafeBoot Server, see the SafeBoot Administration
Center Guide.
In Step 4, you set the location you wish the completed install file to be
saved to, and the directory on the client you wish SafeBoot to be
installed into.
Two options for the "visibility" of the set-up process can be set. Silent
installs do not give the user any visible display of the install process,
and are used in automatic deployment environments such as Microsoft
SMS.
After SafeBoot.exe has been run on a client machine, it needs to be
restarted before SafeBoot can be activated. An automatic restart option
is included, but note that if both silent install and automatic restart are
enabled, the machine will restart with no user intervention - this may
cause users to lose work if they have open documents when this
process occurs.
Installing, Upgrading, and Removing Device Encryption
3. Update the existing SafeBoot 5.0 Client file set with the new service
pack files by right-clicking the file group, clicking “import files” and
selecting the file you copied in step 2.
4. The machines assigned to the file set will download the new files and
apply them when they next synchronize.
Method 2. Upgrade machine by machine
To upgrade between service pack or patch levels, for example from v5.0
to v5.1, you can create a new file set in the SafeBoot Object Directory.
1. Update your database and administration system as described earlier
in this chapter
2. Create a new file group for the new 5.x files.
3. Right-click the new group and select “Import File Set”. Select the file
‘SBClientFileSet.ini’ from the administration system directory (usually
c:\program files\sbadmin).
4. For each machine you want to upgrade, deselect the machine's
current client file set, and select the new 5.x file set you created in step
2.
Client Software
SafeBoot Client includes a simple logo screen saver. You can also use any
screen saver written to the Microsoft Screen Saver standards on the
system; SafeBoot will still protect the logon from these using the standard
SafeBoot logon window.
NOTE – You can change the logo displayed in the screen saver by adding a file called
“logo.bmp” to the Windows directory. You can also deploy logo.bmp using the File
Update technology built into SafeBoot. You may find extra graphics on your
SafeBoot CD in the “tools” directory.
Users can start the screen saver through any of the normal Windows
mechanisms, or by double-clicking on the SafeBoot tool tray icon.
Windows Sign-on and SSO
SafeBoot can ease the logon process for users by doing the Windows
logon for them, and taking responsibility for screen saver logons and re-
logon requests. The features available can be configured by clicking on
the “General” icon of a machine or machine group object.
NOTE – If the user’s Windows id and password are different from their SafeBoot id and
password, SafeBoot stores the windows credentials the first time they are used. It
may take two boots before the single sign on becomes active.
NOTE – For more information on SafeBoot ini files, see Chapter 18.
12.2.4 Re Logon
If a user chooses to “log off” Windows, they would normally expect to
see the standard Windows logon box. SafeBoot takes control of this in
the same way as the initial logon screen, forcing the next user to log in
with their SafeBoot credentials.
13. Auditing
13.1 Introduction
SafeBoot Device Encryption audits user, machine, and server activity.
By right-clicking on an object in the SafeBoot Object Directory, you can
select the View Audit function.
Audit trails are uploaded to the central directory each time a machine
synchronizes. Until that time the audit is cached internally in the
encrypted SafeBoot file system. In SB4.1.1 and above, the last 3000
entries are cached locally; when the limit is reached the oldest 300
entries are culled. The local audit will retain approximately 2 years of
normal operation before culling begins.
The permission to view or clear an audit log can be controlled on a user
or group basis. Both the administration level, and administration
function rights are checked before allowing access to a log. For more
information on setting these permissions see Chapter 3.
Audit trails can be exported to a CDF file by using the “Audit” menu
option, or by right-clicking the trail and selecting “Export”. Also, the
entire audit of the directory can be exported using the “SBAdmCL” tool
– for information on this option please contact your SafeBoot
representative.
The Object Directory audit logs are open-ended, i.e. they continue to
grow indefinitely, but can be cleared en masse using SBAdmCL.
Description                          Event
incorrect attempts)
Machine configuration expired        08000012
Recovery failed                      08000017
Database logon failed                08000081
Table 13-4. Failure Audit Events
Recovering Users and Machines
You can recover users using either the SafeBoot Management Center,
WebHelpdesk, or the procedure documented below. For information on
recovery via the Management Center WebRecovery and WebHelpdesk
options, please see the “Management Center 5 Administrators Guide”.
Recovering Users and Machines
The administrator will be prompted to enter the user code in the wizard
and, if it is correct and the administrator has sufficient access rights to
recover the user (based on their level and group memberships), will be
given the opportunity to check the user’s profile. The administrator should
use this opportunity to validate the user by asking them questions based
on the hidden information stored in their account. Only if this succeeds
should the helpdesk actually allow the user’s password to be reset.
NOTE: Some tokens do not support password resets through SafeBoot, examples of this
include the DataKey Smartcard, RSA Smartcard, and Aladdin eToken Pro. For
information on how to reset the password on these devices contact the
appropriate manufacturer. To recover a SafeBoot user who has forgotten their
password in this case, either issue them with a new token, or temporarily switch
them to use a password using the “Change Token” recovery option.
NOTE – If you change a user’s token using this method, remember that next time their
machine synchronizes with the SafeBoot directory, their token will be set to
whatever is specified in their user properties. If you want the change to be
permanent remember to set their token type in the user properties window.
The final step is to read the recovery code back to the user. The length
of this code is controlled by their token recovery key as set in the user’s
“token” properties, or, in the case of a machine, the recovery key set in
the encryption properties.
The user simply enters the code line by line into the pre-boot dialog.
Each line is checksummed. Once the code has been entered, the
selected action will occur.
Trusted Applications
Hash Count     Displays the number of file hashes stored in this object. You
               can remove duplicates using the “File Hashes/Compact” function.
Description    A text description of this hash set – for example its source.
Import         Allows you to import one or many hash sets created with
               “SafeBoot Hash Generator” into this hash object.
Export         Saves the contents of this hash object as a hash set.
Compact        Removes duplicate entries from this hash object – as SafeBoot
               Application Control is driven by the hash (or digital
               signature) of a file, not its location, only one entry per
               file is required.
Remove
You can also set whether to actually block the untrusted code, or to
simply log it for future analysis – this option (log with no blocking) is
useful when debugging hash sets which do not block appropriately.
Hash Generator
16.1 Introduction
SafeBoot Hash Generator creates “Hash Sets” for use with the
application control feature of SafeBoot. For more information on
application control, see Chapter 16.
The generator creates MD5 hashes of the selected files and packages
them into a SafeBoot hash set (HSH file).
The progress window shows the activity. Once completed, you can
import the resultant hash set into your SafeBoot directory.
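To make the generator's hashing step and the hash object's Compact function concrete, here is an added example; it is not SafeBoot's own Hash Generator and does not write its HSH format, which the page does not document. It MD5-hashes every file under a directory, as the generator does, drops duplicate hashes the way Compact does (Application Control matches on the hash, not the path), and writes a one-line-per-entry text file whose layout is an assumption. The sample files it creates are constructed for the illustration.

```python
"""Generate and compact a file-hash set. Added illustration, not SafeBoot
code: the real HSH format is undocumented on the page, so a plain
"<md5> <path>" line format is assumed."""
import hashlib
import os
import tempfile


def md5_of_file(path, chunk_size=65536):
    """MD5 digest of a file, read in chunks so large binaries are not
    loaded into memory at once. MD5 is what the page says the generator uses."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_hash_set(root):
    """Walk a directory tree and return (md5, path) for every regular file,
    like the generator's run over a selected folder."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            entries.append((md5_of_file(path), path))
    return entries


def compact(entries):
    """Keep the first entry per distinct hash: one entry per file content
    is all Application Control needs (this mirrors File Hashes/Compact)."""
    seen = set()
    unique = []
    for digest, path in entries:
        if digest in seen:
            continue
        seen.add(digest)
        unique.append((digest, path))
    return unique


def write_hash_set(entries, out_path):
    """Assumed text layout: one '<md5> <path>' line per entry."""
    with open(out_path, "w", encoding="utf-8") as f:
        for digest, path in entries:
            f.write(f"{digest} {path}\n")
    return len(entries)


def demo():
    """Constructed sample tree: two byte-identical copies of one program
    and one different file, so compacting removes exactly one entry."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "app.exe"), "wb") as f:
        f.write(b"MZ constructed program image")
    with open(os.path.join(root, "bin", "app_copy.exe"), "wb") as f:
        f.write(b"MZ constructed program image")
    with open(os.path.join(root, "bin", "other.dll"), "wb") as f:
        f.write(b"MZ another constructed image")
    raw = generate_hash_set(root)
    compacted = compact(raw)
    write_hash_set(compacted, os.path.join(root, "sample.hsh"))
    return len(raw), len(compacted)


if __name__ == "__main__":
    print(demo())  # (3, 2)
```

Compact keeps the first path seen for each hash, which is the behaviour an administrator wants when the same binary is installed in several locations: the hash object stays small and any copy of the file is still recognised.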
Common Criteria EAL4 Mode Operation
CESG in the United Kingdom has certified the following products to the
standard EAL4:
• SafeBoot 5.0 Device Encryption Client
To apply this standard to your implementation of SafeBoot, you need to
ensure the following criteria are met:
Administrator Guidance
SafeBoot must be installed using the SafeBoot AES (FIPS) 256bit
algorithm.
1. Administrators must enforce the following Policy Settings
• A minimum password length of 5 characters or more
• Disabling of accounts after 10 or fewer invalid password attempts
• All data and operating system partitions on the machines where
SafeBoot client has been installed MUST be fully encrypted. You
can check the conformance to this issue by viewing the SafeBoot
client status window – if any drives are highlighted in red then
they are not fully encrypted.
• Administrators must enforce use of the SafeBoot Secure Screen
Saver Mode
• Use of “Autoboot Mode” is prohibited
• Machine and User recovery key sizes must be non-zero
(Machine/Encryption properties and User/Token properties)
To comply with CC regulations, these policy settings must be applied
before installing any clients.
2. There must be a system in place for maintaining secure backups that
are separately encrypted or physically protected to ensure data
security is not compromised through theft of or unauthorised access
to backup information.
3. Backups should be regular and complete to enable system recovery
in the event of loss or damage to data as a result of the actions of a
threat agent and to avoid vulnerability through being forced to use
less secure systems.
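The administrator guidance above expressed as a policy check that reports every deviation, as an added example rather than SafeBoot code. The page names the settings but not their internal identifiers, so the policy dictionary keys, the drive-status dictionary (drive letter to "fully encrypted", standing in for the red highlighting of the client status window) and the two sample policies are all assumptions.

```python
"""EAL4 administrator-guidance check. Added example, not SafeBoot code;
policy keys and sample values are assumed, not SafeBoot identifiers."""

REQUIRED_ALGORITHM = "SafeBoot AES (FIPS) 256bit"


def eal4_findings(policy, drives):
    """Return a list of findings; an empty list means the guidance is met.

    policy: dict with assumed keys algorithm, min_password_length,
            max_invalid_attempts, secure_screen_saver, autoboot_enabled,
            machine_recovery_key_size, user_recovery_key_size
    drives: dict of drive letter -> True if fully encrypted
    """
    findings = []
    if policy.get("algorithm") != REQUIRED_ALGORITHM:
        findings.append("algorithm: must be " + REQUIRED_ALGORITHM)
    if policy.get("min_password_length", 0) < 5:
        findings.append("password: minimum length must be 5 characters or more")
    attempts = policy.get("max_invalid_attempts", 0)
    # Assumption: 0 means "never disable", which does not satisfy the guidance.
    if attempts < 1 or attempts > 10:
        findings.append("lockout: accounts must be disabled after 10 or fewer invalid attempts")
    if not policy.get("secure_screen_saver", False):
        findings.append("screen saver: SafeBoot Secure Screen Saver Mode must be enforced")
    if policy.get("autoboot_enabled", False):
        findings.append("autoboot: Autoboot Mode is prohibited")
    if policy.get("machine_recovery_key_size", 0) <= 0:
        findings.append("recovery: machine recovery key size (Encryption properties) must be non-zero")
    if policy.get("user_recovery_key_size", 0) <= 0:
        findings.append("recovery: user recovery key size (Token properties) must be non-zero")
    # Any partition not fully encrypted (shown in red in the client status window).
    red = sorted(letter for letter, encrypted in drives.items() if not encrypted)
    if red:
        findings.append("encryption: not fully encrypted: " + ", ".join(red))
    return findings


# Constructed sample policies (values are illustrative, not recommendations).
COMPLIANT_POLICY = {
    "algorithm": REQUIRED_ALGORITHM, "min_password_length": 8,
    "max_invalid_attempts": 5, "secure_screen_saver": True,
    "autoboot_enabled": False, "machine_recovery_key_size": 128,
    "user_recovery_key_size": 128,
}
WEAK_POLICY = {
    "algorithm": REQUIRED_ALGORITHM, "min_password_length": 4,
    "max_invalid_attempts": 0, "secure_screen_saver": False,
    "autoboot_enabled": True, "machine_recovery_key_size": 0,
    "user_recovery_key_size": 128,
}

if __name__ == "__main__":
    for finding in eal4_findings(WEAK_POLICY, {"C:": True, "D:": False}):
        print("FAIL", finding)
```

Run it against the policy before any client is installed, since the text requires the settings to be in place before deployment; the drive check is the only item that has to be repeated on the installed machines.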
User Guidance
1. Users must maintain the confidentiality of their logon credentials,
such as passwords and tokens
2. Users must not leave a SafeBoot protected PC unattended in a
logged on state, unless it is protected by the secure screen saver.
3. Users must be informed of the process that they need to go through
in order that they may contact their administrator in the event of
needing to recover their PC if they forget their password or their user
account becomes disabled, either through the actions of the
administrator or repeated incorrect login attempts.
http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=152&id=336
17.2.2 SHA1
17.2.3 DSA/DSS
17.2.4 RNG
Cert 15 AES, DSA, SHA, RNG on AMD Athlon XP, Windows XP SP1, and
Pentium III, Windows 2000
http://csrc.nist.gov/cryptval/rng/rngval.html
17.2.5 DES
Cert 145 CBC(e/d); CFB( 8 bits;e/d)
http://csrc.nist.gov/cryptval/des/desval.html
SafeBoot Configuration Files
18.1 sbgina.ini
Used by the SafeBoot Client to control the Windows logon mechanism.
SBGina.ini contains the references used to populate the user id,
password and domain boxes of a login dialog, and also the id of the “ok”
button.
The Trace option is an aid to implementing SSO to further dialogs. If this
option is set to "Yes", then information about every window that is created
during the logon process is output to the defined trace file.
[Global]
;
; This option is an aid to implementing SSO to further dialogs. If this option
; is set to "Yes", then information about every window that is created when
; a logon dialog is expected is saved to the file specified (or "LOGONWND.TXT"
; if not supplied). Note the file will always be in the SafeBoot directory.
;
Trace.LogonWindowInfo=No
Trace.FileName=LOGONWND.TXT
[Windows.NT.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.NT4.LogonDialog
Window2=MSGina.W2K.LogonDialog
Window3=MSGina.XP.LogonDialog
Window4=MSGina.WIN2003.LogonDialog
Window5=NWGina.NT.LogonDialog
Window6=NWGinaJP.NT.LogonDialog
[Windows.9x.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the Windows 9x versions of Windows (95/98/ME).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSNP.9x.LogonDialog
Window2=NWNP.9x.LogonDialog
window3=NWNPJP.9x.LogonDialog
;------------------------------------------------------------------------------
; The logon window definition sections for NT/W2K/XP
;
[MSGina.NT4.LogonDialog]
;
; The operating system version to which this section applies. You can specify
; the value of "Any" for either field (which is the default if not specified).
;
OS.MajorVersion=4
OS.MinorVersion=Any
;
; The original DLL to which this section applies. If the name is not
; specified or set to "Any", all original DLLs match. If any part of the
; four digit file version is set to "x", then all values for that
; component are matched (e.g. 4.1.0.x).
;
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x
;
; Specifies information about the window that we can use to identify it.
; For both the class and title, setting a value of "Any" will match any
; window. Starting the value with a "*" means the remainder of the value
; is treated as a substring, and hence if it occurs anywhere in the window
; title/class it is matched. Otherwise the whole value must match (case
; insensitive).
;
Window.Title=Any
Window.Class=#32770
;
; The control identifiers of controls that are used by the SSO module to
; simulate logons.
;
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1453
Dlg.CtrlId.Password=1454
Dlg.CtrlId.Domain=1455
;
; If this is set to "Yes" then the user/password fields are captured from the
; dialog box rather than using the values supplied by the original gina.
;
Option.CaptureFromDlg=No
;
; These options define how text is entered into the various fields when
; simulating a logon. Mode 0 sets the text directly into the controls, while
; mode 1 sends characters one at a time (simulating pressing keys) and mode 2
; selects from a combo box.
;
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2
OrigDll.Name=MSNP32.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=21
Dlg.CtrlId.Password=23
Dlg.CtrlId.Domain=25
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=0
...
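The comments in sbgina.ini define a small matching language: "Any" matches anything, a value starting with "*" is a case-insensitive substring, "x" is a per-component wildcard in the four-digit file version, and the WindowN keys are walked in numerical order and stop at the first gap. The following added example (not SafeBoot code) applies those rules to a constructed excerpt: the NT4 section is the page's own, while the W2K and XP sections and the window descriptions are made up to exercise the version, substring and gap rules.

```python
"""Match a logon window against sbgina.ini definition sections. Added
example, not SafeBoot code; SAMPLE_INI and the window dicts are constructed."""
import configparser

SAMPLE_INI = """
[Windows.NT.Logon]
Window1=MSGina.NT4.LogonDialog
Window2=MSGina.W2K.LogonDialog
; Window3 is missing, so Window4 must never be consulted.
Window4=MSGina.XP.LogonDialog

[MSGina.NT4.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1453
Dlg.CtrlId.Password=1454
Dlg.CtrlId.Domain=1455

[MSGina.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=5.0.x.x
Window.Title=*Log On to Windows
Window.Class=#32770

[MSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
"""


def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None)  # option names are case-insensitive
    cp.read_string(text)
    return cp


def any_or_equal(pattern, value):
    return pattern.lower() == "any" or pattern.lower() == str(value).lower()


def match_version(pattern, version):
    """Four dotted components; an "x" component matches any value."""
    p, v = pattern.split("."), version.split(".")
    return len(p) == 4 and len(v) == 4 and all(
        pc.lower() == "x" or pc == vc for pc, vc in zip(p, v))


def match_text(pattern, value):
    if pattern.lower() == "any":
        return True
    if pattern.startswith("*"):
        return pattern[1:].lower() in value.lower()
    return pattern.lower() == value.lower()


def ordered_window_sections(cp, list_section="Windows.NT.Logon"):
    """Window1, Window2, ... in numerical order, stopping at the first gap."""
    names, n = [], 1
    while cp.has_option(list_section, f"Window{n}"):
        names.append(cp.get(list_section, f"Window{n}"))
        n += 1
    return names


def section_matches(sec, win):
    return (any_or_equal(sec.get("OS.MajorVersion", "Any"), win["os_major"])
            and any_or_equal(sec.get("OS.MinorVersion", "Any"), win["os_minor"])
            and any_or_equal(sec.get("OrigDll.Name", "Any"), win["orig_dll"])
            and match_version(sec.get("OrigDll.FileVersion", "x.x.x.x"), win["dll_version"])
            and match_text(sec.get("Window.Title", "Any"), win["title"])
            and match_text(sec.get("Window.Class", "Any"), win["class"]))


def find_logon_window(cp, win):
    """Name of the first listed section that matches the window, else None."""
    for name in ordered_window_sections(cp):
        if cp.has_section(name) and section_matches(cp[name], win):
            return name
    return None


def control_ids(cp, name):
    """Dlg.CtrlId.* entries as {field: int}; configparser lower-cases keys."""
    return {k.rsplit(".", 1)[1]: int(v) for k, v in cp[name].items()
            if k.startswith("dlg.ctrlid.")}


CONFIG = load_ini(SAMPLE_INI)
# Assumed description of what the SSO module sees for a Windows 2000 logon box.
W2K_WINDOW = {"os_major": 5, "os_minor": 0, "orig_dll": "msgina.dll",
              "dll_version": "5.0.2195.1", "title": "Log On to Windows",
              "class": "#32770"}
XP_WINDOW = dict(W2K_WINDOW, os_minor=1, dll_version="5.1.2600.0")

if __name__ == "__main__":
    print(find_logon_window(CONFIG, W2K_WINDOW))  # MSGina.W2K.LogonDialog
    print(find_logon_window(CONFIG, XP_WINDOW))   # None: the Window3 gap hides the XP section
```

The XP lookup returning None is the point of the "no gaps" rule in the file's comments: a definition that is present but unreachable through the WindowN chain is silently never used, so a renumbering mistake shows up as SSO not firing rather than as an error.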
18.2 sberrors.ini
Used to increase the detail available in on-screen error messages. You
can add further descriptions to errors by amending this file.
18.3 sbhelp.ini
Used to match on-screen windows to their help file sections.
18.4 sbfeatur.ini
Controls the feature set available to SafeBoot. This file is digitally
signed by the SafeBoot team and must not be modified.
18.5 scm.ini
Configuration manager file, controls options such as which directory to
connect to, and which group to install into.
[Install]
GroupID=the ID of the group this machine will relate to
[Databases]
DatabaseID1=1
TryLastGoodFirst=Yes
LastGoodConnection=1
[Uninstall]
Sbsetup.exe=sbsetup.exe
[Defaults]
;this section defines settings that apply before SafeBoot is
;actually active on the machine.
You can turn on tracing of the SafeBoot client with the following section.
Trace is output to SBCM.log in the same directory of the application.
[Debug]
Trace=1 ;Trace activity, 1 = on, 0 = off
[Reboot]
Message=some text to display
Timeout=10 (seconds)
[disk]
Sbfs.defaultsize=10 ;Default size of SafeBoot.FS (in MB)
Install.clearcryptlist=1(0) ;Determines whether to clear the cryptlist
;for a drive on install, or to leave it set.
[boot]
Hookflags=… ;Internal use only – do not change.
18.6 defscm.ini
You can pre-set parameters used in the SCM.ini file created within
install sets by creating a file “defscm.ini” in the Administration system
directory containing the lines and sections you want to pre-define.
defscm.ini is used as a seed to create the unique scm.ini file for the
install set.
18.7 sdmcfg.ini
Used by the SafeBoot Client to control the connection to the Object
Directory. There may be many connections listed in the file, the multi-
connection behavior is controlled through scm.ini.
[Databases]
Database1=192.168.20.57
; The IP address for the remote server. This can be a DNS name.
[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=…
; The public key for the remote Server. This is used to stop a hacker putting
; a rogue server in place and intercepting the traffic.
ExtraInfo=…
; Padding for the serverkey.
18.8 TrivialPwds.dat
This file provides a dictionary of forbidden passwords. Simply create a
Unicode text file, with one password per line, and deploy it to the client
machines. You need to enable the user template option “no simple
passwords”.
The file needs to be deployed to the “[appdir]\SBTokens\Data” folder.
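An added example (not SafeBoot code) of building such a dictionary and checking candidate passwords against it. The page does not say how the client compares entries, so ignoring case and surrounding whitespace is an assumption, as is the constructed word list. The byte-order-mark handling matters because a Windows "Unicode" text file is UTF-16 with a leading BOM, and reading it as UTF-8 would yield no usable entries.

```python
"""Build and consult a TrivialPwds.dat-style dictionary. Added example,
not SafeBoot code; word list constructed, comparison rules assumed."""
import codecs
import os
import tempfile


def write_dictionary(path, words):
    """Write the list as UTF-16 with a BOM, as Windows tools such as Notepad
    do when saving as "Unicode"."""
    with open(path, "w", encoding="utf-16", newline="\r\n") as f:
        for word in words:
            f.write(word + "\n")


def load_dictionary(path):
    """Decode by BOM (UTF-16 LE/BE or UTF-8); a file without a BOM is
    assumed to be UTF-16 LE. Returns a set of normalised entries."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw.startswith(codecs.BOM_UTF16_LE):
        text = raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    elif raw.startswith(codecs.BOM_UTF16_BE):
        text = raw[len(codecs.BOM_UTF16_BE):].decode("utf-16-be")
    elif raw.startswith(codecs.BOM_UTF8):
        text = raw[len(codecs.BOM_UTF8):].decode("utf-8")
    else:
        text = raw.decode("utf-16-le")
    # casefold() rather than lower() so that e.g. "Straße" and "STRASSE" meet.
    return {line.strip().casefold() for line in text.splitlines() if line.strip()}


def is_trivial(password, dictionary):
    """True if the candidate appears in the dictionary under the assumed rules."""
    return password.strip().casefold() in dictionary


def demo():
    """Constructed dictionary, written and read back the way it would be
    deployed to [appdir]\\SBTokens\\Data."""
    folder = tempfile.mkdtemp()
    path = os.path.join(folder, "TrivialPwds.dat")
    write_dictionary(path, ["password", "12345", "Pa55word", "Straße"])
    dictionary = load_dictionary(path)
    candidates = ["PASSWORD", " 12345 ", "STRASSE", "correct horse battery"]
    return {c: is_trivial(c, dictionary) for c in candidates}


if __name__ == "__main__":
    print(demo())
```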
18.9 Bootcode.ini
Bootcode.ini defines the behaviour of the SafeBoot pre-boot
environment. This file is not commonly modified by the end user as it is
a system only file. The file is stored in SafeBoot’s pre-boot environment
in the \boot directory.
[TokenSelect]
; the token type id of the last token the user selected.
Default=0x01000000
[Locale]
;
; the user selected language to use (reference a key in the [Languages] section
; of the \Locale\Locale.ini file).
;
Language=EnglishUS
;
; the user selected keyboard to use (reference a key in the [Keyboards] section
; of the \Locale\Locale.ini file).
;
Keyboard=US
[Audit]
;
; The maximum allowed audit events
;
MaxEvents=3000
;
18.10 BootManager.INI
This file controls the partition names specified when the SafeBoot Boot
Manager is enabled. The file is stored in SafeBoot’s pre-boot
environment in the \boot directory.
[Partition.Names]
Partition0=My secure partition
Partition1=My Insecure partition
18.11 SBErrors.XML
XML version of SBErrors.ini to allow Unicode translation. Device
Encryption uses SBErrors.XML in preference of SBErrors.ini if both exist.
18.12 AutoBoot.ini
Defines the default password for the $autoboot$ user(s)
[AutoBoot]
Password=12345
SafeBoot Program and Driver Files
19.1.2 Setup
Setup.exe is the core executable in SafeBoot’s packaging mechanism: it
is used as an exe stub for the install package, and also handles the
uninstall process. Setup takes one parameter, "-Uninstall", which prompts it
to walk through sbfiles41.lst, deleting files (or marking them for
deletion if they are in use) and reversing registry settings. Setup also
re-runs any installation executables with the -Uninstall flag to remove
programs. The order of removal is the reverse of the install, i.e. installation
executables, registry settings, then lastly files.
19.2.2 sbgina
Windows login passthrough GINA driver for NT / 2000.
Usually SafeBoot monitors the GINA settings in the registry to ensure
that nothing removes or disables the login system. You can change the
behavior of this system by editing the SB-NoUpdateGina DWORD key in
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. The following
values can be set:
0 - SafeBoot will install and remove its GINA
1 - SafeBoot will *not* install its GINA, but will remove it.
2 - SafeBoot will *not* remove its GINA, but will install it.
3 - SafeBoot will *not* install or remove its GINA.
You can use these settings to force compatibility with other GINA
replacement login systems. If you use option 1, 2 or 3 you are responsible
for keeping the GINA chain correct, as SafeBoot will not be monitoring
some aspects of it.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeBoot\Parameters]
"DiskNumberMode"=dword:00000001
"DiskNumberingMode"=dword:00000001
You can block the use of Safe Mode when SafeBoot is installed by
setting the following parameters. These options are included in the
“BlockSafeMode” file group option in SafeBoot DE Build 23L and above.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SafeBoot]
;Prevent Safe Mode access if SafeBoot is activated
PreventSafeMode=dword:00000001
From v5.01, SafeBoot uses several sectors of the hard disk between 1 and 63
(commonly termed the “partition gap”) to store power fail information
while encryption and decryption is in progress. If you have other
applications also using these sectors, you can exclude them from the
range used by specifying registry settings as below.
For each sector you need to exclude, add a DWORD value of 1 with a
name of the decimal sector number to the following registry key as
follows:
[HKLM\Software\SafeBoot International\SafeBoot\DiskManager\ExcludedSectors]
14=dword:1
15=dword:1
You can specify any number of exclusions using this method, but be
aware that at least two sectors are required, and the smaller the
number available, the slower encryption processes will run.
You can add this information to the client NTDRV.SRG registry file to
ensure it is applied on all machines at point of install.
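As an added example (not SafeBoot code), a generator for that registry fragment that also enforces the two constraints the text gives: excluded sectors must lie in the partition gap (sectors 1 to 63) and at least two sectors must remain available. It emits ordinary Registry Editor syntax (full HKEY_LOCAL_MACHINE root, quoted value names, eight-digit dwords) rather than the page's shorthand or the NTDRV.SRG format, which the page does not document.

```python
"""ExcludedSectors .reg generator with validation. Added example, not
SafeBoot code; output is standard .reg text for the page's registry key."""

PARTITION_GAP = range(1, 64)  # sectors 1..63 inclusive
EXCLUDED_SECTORS_KEY = (r"HKEY_LOCAL_MACHINE\Software\SafeBoot International"
                        r"\SafeBoot\DiskManager\ExcludedSectors")


def exclusion_problems(sectors):
    """Return a list of problems with the requested exclusions (empty = ok)."""
    wanted = sorted(set(sectors))
    problems = []
    outside = [s for s in wanted if s not in PARTITION_GAP]
    if outside:
        problems.append(f"sectors outside the partition gap 1..63: {outside}")
    # SafeBoot needs at least two sectors left for its power-fail information;
    # the fewer that remain, the slower encryption runs.
    remaining = len(PARTITION_GAP) - sum(1 for s in wanted if s in PARTITION_GAP)
    if remaining < 2:
        problems.append(f"only {remaining} sector(s) would remain; at least two are required")
    return problems


def reg_fragment(sectors):
    """Registry Editor text adding one DWORD of 1, named by decimal sector number."""
    problems = exclusion_problems(sectors)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["Windows Registry Editor Version 5.00", "", f"[{EXCLUDED_SECTORS_KEY}]"]
    lines += [f'"{s}"=dword:00000001' for s in sorted(set(sectors))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(reg_fragment([14, 15]))
```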
19.3.2 SBALG.SYS
SafeBoot’s device driver crypto algorithm module.
19.3.3 SafeBoot.CSC/RSV
From v5.01: SafeBoot’s pre-boot sector chain for the boot loader. The
SafeBoot.csc file was renamed to SafeBoot.RSV in v5.01 for better
defrag protection.
19.3.4 SafeBoot.FS
The encrypted pre-boot environment (stored as a single file)
20. SafeTech
Themes & Localization
21.1 Themes
Device Encryption uses graphical “Themes” to control the look and feel
of the pre-boot environment. These Themes are stored as “Client File”
type file sets within the SafeBoot Object Directory. Only one theme can
be assigned to a machine at any time.
To assign a theme to a Device Encryption machine, simply enable its file
set from the “Files” tab of either the machine, or machine group
properties.
Themes are comprised of the following components:
File or Directory   Description
Graphics.ini        Master definition file for the graphical theme. This file
                    dictates the overall look of the theme, the button and
                    window positions, and the various graphical elements
21.2 Keyboards
21.2.1 Physical Keyboard Layouts
Device Encryption 5 supports many physical keyboard layouts, and also
supports automatic detection of the Windows keyboard layout in an
attempt to choose the most appropriate pre-boot layout.
Having the correct layout selected pre-boot is essential when
authenticating. For example, imagine the user has the French keyboard
enabled in Windows, but has the USA keyboard enabled in Device
Encryption Pre-Boot.
Row 2 of the French keyboard begins “azerty…” whereas row 2 of a USA
keyboard begins “qwerty…” – so if the user's password contains either
“a” or “z”, they will not be able to press the same keys in pre-boot
to authenticate.
Defining and adding layouts to the SafeBoot PBA
Device Encryption 5 can support an unlimited number of different
keyboard layouts. To define which layouts are available, usually you
simply need to select the appropriate file group for a machine and the
layout will be added.
;B5100
mapfile=043B_E.MAP
OSK=043B_OSK.XML
Node Description
[keyboards] under the definition name 0414.
Table 21-2. Keyboard definition in Local.ini
;----
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
0x02=0x0000,0x009F,0x0089 ;-altgrcaps
0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps
The keyboard map source file is comprised of the following components:
Node               Description
0x00000040         Tilde
0x00000080         Caron
0x00000100         Apostrophe
0x00000200         Cedilla
0x00000400         Breve
0x00000800         Ogonek
0x00001000         Dotabove
0x00002000         DoubleAcute
0x00004000         Degree
0x00008000         Tonos
0x00010000         Middle Dot
0x00020000         Low Nine
0x00040000         Dialytika
0x00080000         Quotation
0x00100000         Polish Programmers Tilde
0x00200000         Ring Above
0x00400000         Macron
0x80000000         Extended Mode (should always be enabled)
Name               The keyboard name
Key definitions    Each key (scan code) behaviour is defined in a number of
                   entries which state the Unicode character which should be
                   produced. Each key may have many states (normal, shifted,
                   caps etc) so there may be multiple entries per key.
                   The possible states are defined with a mask (which keys to
                   consider) and a state (the key state itself). The possible
                   keys you can use in the mask and keystate are:
                   RIGHT_ALT_PRESSED    0x0001
                   LEFT_ALT_PRESSED     0x0002
                   RIGHT_CTRL_PRESSED   0x0004
                   LEFT_CTRL_PRESSED    0x0008
                   SHIFT_PRESSED        0x0010
                   NUMLOCK_ON           0x0020
                   SCROLLLOCK_ON        0x0040
                   CAPSLOCK_ON          0x0080
                   ENHANCED_KEY         0x0100
                   So as an example, to define key 2 (the number 1 key on a
                   USA keyboard) you would add an entry for scan code 0x02
                   (the scan code of this key) followed by a number of
                   possible key states.
                   0x02=0x0031,0x009F,0x0000
                   0x02=0x0021,0x009F,0x0010
If you wish to create a custom keyboard map, you will need to have it
compiled by SafeBoot before it can be used.
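An added example (not SafeBoot's map compiler) that parses entries of the form shown above and resolves a keystroke against them. Two things are assumptions: that an entry applies when (modifiers & mask) == state, which is the natural reading of "mask (which keys to consider) and state", and the constructed map excerpt, which reuses the page's 0x02 entries. Note that the mask 0x009F in those entries is the OR of the four Alt/Ctrl flags, SHIFT_PRESSED and CAPSLOCK_ON, so NumLock and ScrollLock never affect which entry is chosen.

```python
"""Keyboard-map entry parser and key resolver. Added illustration, not
SafeBoot code; SAMPLE_MAP is a constructed excerpt and the matching rule
(modifiers & mask) == state is an assumption."""

# Key-state flags as listed in the table above.
RIGHT_ALT_PRESSED = 0x0001
LEFT_ALT_PRESSED = 0x0002
RIGHT_CTRL_PRESSED = 0x0004
LEFT_CTRL_PRESSED = 0x0008
SHIFT_PRESSED = 0x0010
NUMLOCK_ON = 0x0020
SCROLLLOCK_ON = 0x0040
CAPSLOCK_ON = 0x0080
ENHANCED_KEY = 0x0100

FLAG_NAMES = {
    RIGHT_ALT_PRESSED: "RIGHT_ALT_PRESSED", LEFT_ALT_PRESSED: "LEFT_ALT_PRESSED",
    RIGHT_CTRL_PRESSED: "RIGHT_CTRL_PRESSED", LEFT_CTRL_PRESSED: "LEFT_CTRL_PRESSED",
    SHIFT_PRESSED: "SHIFT_PRESSED", NUMLOCK_ON: "NUMLOCK_ON",
    SCROLLLOCK_ON: "SCROLLLOCK_ON", CAPSLOCK_ON: "CAPSLOCK_ON",
    ENHANCED_KEY: "ENHANCED_KEY",
}

# Constructed excerpt: scan code 0x02, the "1" key on a USA keyboard.
SAMPLE_MAP = """\
;----
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
"""


def parse_map(text):
    """Return {scan_code: [(unicode_char, mask, state), ...]} in file order."""
    table = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ;-comments
        if not line:
            continue
        key, value = line.split("=", 1)
        char, mask, state = (int(part, 16) for part in value.split(","))
        table.setdefault(int(key, 16), []).append((char, mask, state))
    return table


def resolve(table, scan_code, modifiers):
    """First entry whose masked modifier bits equal its state wins.
    Returns "" for an entry mapped to 0x0000 (no character) and None if the
    scan code is unknown or no state matches."""
    for char, mask, state in table.get(scan_code, []):
        if (modifiers & mask) == state:
            return chr(char) if char else ""
    return None


def flag_names(bits):
    """Human-readable names for a mask or state value, lowest flag first."""
    return [name for flag, name in sorted(FLAG_NAMES.items()) if bits & flag]


MAP = parse_map(SAMPLE_MAP)

if __name__ == "__main__":
    print(resolve(MAP, 0x02, 0), resolve(MAP, 0x02, SHIFT_PRESSED))  # 1 !
    print(flag_names(0x009F))
```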
OSKs are defined in SafeBoot pre-boot using an XML file which controls
the layout (key spacing, number of rows etc), and the display character for
each key. The OSK file (keyboardID_OSK.XML) is usually stored in the
SBFS\Locale directory.
There can be many OSKs installed, and each physical keyboard map can
choose one of the installed OSKs to display on request.
Administrators can choose to always display an OSK for the user by
selecting the “always display on-screen keyboard” option of the
Machine/General properties.
NOTE: Though the OSK displays the character for each possible state, the OSK sends the
scan code and modifier (shift/alt etc) to the selected keyboard driver for
conversion, so the actual character printed will be a result of the keyboard driver,
NOT necessarily the one displayed on the OSK.
Node           Description
Options/font   The name of the font used by this OSK. This should be defined
               in graphics.ini and needs to be an OnTime Binary font
Layout ID      The name of this OSK layout – displayed in the title bar of
               the OSK
Key/ID         A decimal representation of the key – usually the decimal scan
               code ID
To set which OSK is displayed per keyboard map, add an “OSK=” tag to
the keyboard definition in locale.ini, for example:
[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML
Node      Description
Mapfile   The name of the map file to use to map the key presses to chars
Node                                Description
;B5100
0404=Lang.0404
0C04.Language=0404
0404.Keyboard=0404                  Both the major and minor language can be
0804.Keyboard=0804                  checked, so in this example both Windows
                                    languages 0804 and 0004 use the SafeBoot
                                    pre-boot definition section 0804. If the
                                    primary variant for example 0F04 is found in
                                    Windows, then 0004 will be used in SafeBoot.
[Lang.0804]                         This section defines a language.
;Name=Chinese Simplified (PRC)      The Name tag is the name displayed in the
NameW=,0020,0050,0052,0043,0029     pre-boot selection list. You can supply a
                                    NameW tag instead which takes a comma
                                    separated list of char codes. This enables
ID=0804                             be the ANSI recognised ID for this
                                    language.
                                    The StringFile describes the actual compiled
                                    definition file to use (stored in \locale).
                                    The FontSection describes the section in
                                    Graphics.ini which contains the fonts to be
                                    used for this particular language.
                                    Each language can use its own fonts, or can
                                    use fonts shared by other languages.
Table 21-6. Pre-Boot Language Definition
1=确定
2=取消
3=SafeBoot
4=是
5=否
50=请插入一张引导用的软盘或者按取消从硬盘引导。
100=SafeBoot登录
101=用户名:
102=密码:
103=修改密码
51=您不允许从软盘引导,系统将从硬盘引导。
You can obtain a pre-boot English master text file from your SafeBoot
distributor. Once translated, the file needs to be compiled by SafeBoot.
Normally Language and keyboard layouts are defined within the
SafeBoot Database, and each language has a locale.ini file configured as
a “Merge Ini”. This system enables administrators to add and remove
languages without having to define the exact set prior to distribution. As
all keyboards and Languages are defined in the same Locale.ini file,
without merge INIs you would have to create a locale.ini file describing
the exact combination of keyboards and locales prior to sending it to a
Device Encryption client.
<SbTokenInformation>
Troubleshooting PCs
Error Messages
Please see the file sberrors.ini for more details of these error messages.
You can also find more information on error messages on our web site,
www.safeboot.com.
1c00 IPC
a100 ALG
c100 Scripting
[e0010012] The password has already been used before. Please choose a new one.
[e0010013] The password content is invalid
[e0010014] The password has expired
[e0010015] The password is the default and must be changed.
[e0010016] Password change is disabled
[e0010017] Password entry is disabled
[e0010020] Unknown user
[e0010021] Incorrect user key
[e0010022] The token is not the correct one for the user
[e0010023] Unsupported user configuration item
[e0010024] The user has been invalidated
[e0010025] The user is not active
[e0010026] The user is disabled
[e0010027] Logon for this user is not allowed at this time
[e0010028] No recovery key is available for the user
[e0010030] The algorithm required for the token is not available
[e0010040] Unknown token type
[e0010041] Unable to open token module
[e0010042] Unable to read token module
[e0010043] Unable to write token module
[e0010044] Token file not found
[e0010045] Token type not present
[e0010046] Token system class is not available
[e0018000] Sony Puppy requires fingerprint
[e0018001] Sony Puppy requires password
[e0018002] Sony Puppy not trained
Table 23-10. Token Errors
Technical Specifications and Options
The following options are available from SafeBoot but may not be
included on your install CD, or be appropriate for your version of
SafeBoot. Please contact your SafeBoot representative for information if
you wish to use one of these optional components.
24.1.2 RC5-18
CBC Mode, 1024 bit key, 18 rounds, 64 bit blocks, PassMark 20.7 (100%)
The 18 round RC5 variant is designed to prevent the theoretical “Known
Plaintext” attack.
24.1.6 Blowfish
CBC Mode, 448 bit key, 20 rounds, 64 bit blocks, PassMark 19.9 (96%)
Withdrawn from general distribution - special order only.
24.3 Tokens
24.3.1 Smart Cards
The following Smart Cards are supported. For more information, please
contact the smart card vendor, and see the additional notes in the file
“created.html” on the SafeBoot distribution CD.
• SafeBoot Blue Smart Card (G&D Starcos 2.1 T=1)
• SafeBoot Red Smart Card (G&D Starcos 2.1 T=0)
• ActivIdentity Smart Card
• DataKey Smart Card
• Datev PKI Smartcard
• DOD CAC smart cards (all types)
• Estonian National ID Smart Card
• HP ProtectTools Smart Card (Branded ActivIdentity smart card)
• PToken Certificate Card
• RSA SecurID RSA5100 Smart Card
• Setec Certificate Card
• Siemens CardOS 4.3b / 4.01a Smart Card
• Telesec Certificate Card
• TEID /IZN Certificate Card
24.5.1 Client
Windows NT4.0, 2000, XP, 2003 Server, Vista 32bit (all versions), Vista
64bit (all versions)
128MB RAM, or OS minimum specification
5-35MB free hard disk space (depending on localization and number of
desired users)
Pentium compatible processor, including multi-processor (up to 32 way),
dual-core and hyper-threading processors, and Pentium-compatible
processors such as AMD processors.
For remote administration, a TCP/IP network connection is required.
25. Index