
IRONKEY ENTERPRISE USER GUIDE

Technical & Security Notes

We are endeavoring to be very open about the security architecture and technology that we use in designing and building the IronKey devices and online services. There is no hocus-pocus or handwaving here. We use established cryptographic algorithms, we develop threat models, and we perform security analyses (internal and third party) of our systems all the way through design, development and deployment. Your IronKey is FIPS 140-2 Level 2 validated (Certificate #938).

IRONKEY DEVICE SECURITY

Data Encryption Keys

» AES keys generated by onboard Random Number Generator (FIPS 186-2)

» AES keys generated by user at initialization time and encrypted

» AES keys never leave the hardware and are not stored in NAND flash

Self-Destruct Data Protection

» Secure volume does not mount until password is verified in hardware

» Password try-counter implemented in tamper-resistant hardware

» Once password try-count is exceeded, all data is erased by hardware

Additional Security Features

» USB command channel encryption to protect device communications

» Firmware and software securely updateable over the Internet

» Updates verified by digital signatures in hardware

Physically Secure

» Solid, rugged metal case

» Encryption keys stored in the tamper-resistant IronKey Cryptochip

» All chips are protected by epoxy-based potting compound

» Exceeds military waterproof standards (MIL-STD-810F)

Device Password Protection

The device password is hashed using salted SHA-256 before being transmitted to the IronKey Secure Flash Drive over a secure and unique USB channel. It is stored in an extremely inaccessible location in the protected hardware. The hashed password is validated in hardware (there is no “getPassword” function that can retrieve the hashed password), and only after the password is validated is the AES encryption key unlocked. The password try-counter is also implemented in hardware to prevent memory rewind attacks. Typing your password incorrectly too many times initiates a patent-pending “flash-trash” self-destruct sequence, which is run in hardware rather than using software, ensuring the ultimate protection for your data.
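The verification flow described above, as an added Python model (not IronKey firmware and not code from this guide): the host sends only a salted SHA-256 hash, the device compares it internally, and the key is destroyed once the try limit is reached. The names `DeviceModel`, `host_hash`, `attempts_accepted` and `MAX_TRIES`, the limit of 10, the host-readable salt, and charging the attempt before the comparison are all assumptions of this model.

```python
import hashlib
import hmac
import os

MAX_TRIES = 10  # assumed limit; the guide only says "too many times"

def host_hash(password: str, salt: bytes) -> bytes:
    """Host side: salted SHA-256, sent to the device instead of the password."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

class DeviceModel:
    """Toy model of the hardware side; every internal detail is assumed."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)            # assumed readable by the host
        self._stored = host_hash(password, self.salt)  # no getter is exposed
        self._aes_key = os.urandom(32)        # generated on-device, never exported
        self._failures = 0                    # kept beside the key, not in flash
        self.unlocked = False

    @property
    def erased(self) -> bool:
        return self._aes_key is None

    def unlock(self, candidate: bytes) -> bool:
        if self.erased:
            return False
        # Charge the attempt before comparing, so an interrupted check
        # cannot be turned into a free guess (design choice of this model).
        self._failures += 1
        ok = hmac.compare_digest(candidate, self._stored)
        if ok:
            self._failures = 0
            self.unlocked = True
        elif self._failures >= MAX_TRIES:
            # Model of the erase: without the key the ciphertext is useless.
            self._aes_key = None
            self._stored = None
        return ok

def attempts_accepted(device: DeviceModel, wrong_guesses) -> int:
    """Count how many wrong passwords the device evaluates before erasing."""
    n = 0
    for guess in wrong_guesses:
        if device.erased:
            break
        device.unlock(host_hash(guess, device.salt))
        n += 1
    return n
```

Because the counter and the key live in the same protected store, restoring an earlier image of the flash contents does not restore spent attempts, which is the property the guide refers to as preventing memory rewind attacks.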
