manualshive.com logo in svg

Rohde & Schwarz R&S Trusted Disk 3.3.1, Administration Manual, Page: 23 / 49

Share
Download
Rohde & Schwarz R&S Trusted Disk 3.3.1 Administration Manual Download Page 23

Installation and full-disk encryption

23

Administration manual 4603.7988.02 ─ 03

vate setup mode, see 

Chapter 4.4.2, "Activating setup mode (UEFI/GPT)"

,

on page 23.
To complete the full-disk encryption, restart the workstation.

The workstation starts the pre-boot authentication. After a successful authentica-
tion, the workstation boots and the selected partitions are encrypted.

4.4.2

 

Activating setup mode (UEFI/GPT)

On UEFI-based workstations, R&S

 

Trusted

 

Disk needs to replace pre-installed Secure

Boot certificates with Rohde

 

&

 

Schwarz

 

Cybersecurity GmbH certificates. For

R&S

 

Trusted

 

Disk to do this, you need to activate setup mode after initializing the full-

disk encryption. Only then can the workstation boot and the hard disk drive be encryp-
ted.

Please note that different systems use different UEFI menu structures, i.e. this chapter
is not a "one fits all" instruction on enabling Secure Boot. It is only supposed to be a
rough guideline. For more detailed instructions, refer to the user documentation of the
hardware.

Usually, current systems offer one of the following options to activate setup mode:

Activating setup mode directly

Deleting all pre-installed Secure Boot certificates

To activate setup mode, proceed as follows:

1. After the full-disk encryption is initialized, restart the system.

2. Access the UEFI.

Note: 

For instructions on how to access the UEFI, see 

Chapter 3.4.2, "Enabling

Secure Boot"

on page 18.

3. In the UEFI, navigate to the Secure Boot settings.

4. Enable setup mode or delete all pre-installed certificates.

5. To save and exit, follow the instructions of the UEFI.

With setup mode active, R&S

 

Trusted

 

Disk now starts the system takeover, i.e the

pre-installed certificates are replaced. This process takes only a few seconds and
creates no output on the screen. The workstation then restarts again and displays
the pre-boot authentication screen. After a successful authentication, the worksta-
tion boots and the selected partitions are encrypted.

For examples of how to activate setup mode, see 

Chapter 7.1, "Activating setup mode

(UEFI/GPT)"

on page 41.

Initializing the full-disk encryption

Summary of Contents for R&S Trusted Disk 3.3.1

Page 1: ...R S Trusted Disk Standalone Administration manual Administration manual Version 03 4603798802 3 2...

Page 2: ...Rohde Schwarz would like to thank the open source community for their valuable contribution to embedded computing 2019 Rohde Schwarz Cybersecurity GmbH M hldorfstr 15 81671 Munich Germany Phone 49 89...

Page 3: ...tributable 11 3 2 2 PKCS 11 module 12 3 2 3 R S TD CryptoHelper 13 3 3 Configuring R S Trusted Identity Manager 13 3 3 1 Installing R S Trusted Identity Manager Standalone 14 3 3 2 Creating a root cer...

Page 4: ...7 5 2 3 List of parameters 28 5 2 4 Structure 29 6 Advanced tasks 30 6 1 Updating R S Trusted Disk 30 6 2 Configuring the PIN policy 31 6 3 R S Trusted Disk key update 32 6 4 Stealth mode 33 6 4 1 UEF...

Page 5: ...ers groups policies certificates and devices This document assumes basic device networking and security knowledge including the following Setup and configuration of endpoint hardware Partitioning form...

Page 6: ...separated by angle brack ets Each UI item is enclosed in quotation marks User Authentication Local Users Settings Device Management Parameters and placeholders are capital ized in monospaced font The...

Page 7: ...ting your network security at risk In tables and lists this annotation is indicated by NOTICE 1 4 Contact service and support We provide technical support as detailed in your service level agreement T...

Page 8: ...n email to our Support team If you require additional support after creating a ticket you can contact our Support team by phone or email indicating your ticket ID Ticket system https myrscs rohde schw...

Page 9: ...g smart cards Use of algorithms AES XTS 512 for encryption and SHA 2 512 for hashing Support of RSA 2048 bit 3072 bit and 4096 bit Fulfillment of compliance requirements based on audit logs in authori...

Page 10: ...s an integrated PKI and all necessary components for per sonalizing and man aging smart cards R S Trusted Disk R S Trusted Disk Setup X X X VS NfD msi R S Trusted Disk Setup X X X eToken msi See Chapt...

Page 11: ...g For maximum compatibility we highly recommend updating the BIOS UEFI firm ware to the newest version 3 2 Installing the middleware and dependencies All workstations need the following middleware and...

Page 12: ...he smart card The middleware differs depending on whether you use CardOS smart cards or Gemalto eTokens CardOS API for CardOS smart cards 12 SafeNet Authentication Client for Gemalto eTokens 12 3 2 2...

Page 13: ...is not required For more information see Chapter 5 1 FDE initialization tool on page 24 If you install the application with the parameter quiet the installation takes place with out user interaction T...

Page 14: ...hecked while you type 5 Click Next Execute Backup R S Trusted Identity Manager Standalone data To ensure access to the root CA smart card information and all certificates in case the administrator wor...

Page 15: ...Open CardOS Viewer b Select your card reader from the list c Click Card Initialize Card d Fill in the required information e Click OK 3 Open R S Trusted Identity Manager Standalone 4 Select the tab To...

Page 16: ...te 3 Select the administrator s smart card 4 Click Next 5 Select the destination folder 6 Click Next Execute The administrator certificate is saved 7 Rename the exported certificate to SecurityAdminCe...

Page 17: ...the smart card You can reset the smart card PIN with the PUK Additionally the PUK is needed to unlock the smart card if the PIN was entered incorrectly three times You can enter the PUK incorrectly up...

Page 18: ...ot status 18 Enabling Secure Boot 18 3 4 1 Checking the Secure Boot status 1 Start Windows PowerShell with administrator rights 2 Enter Confirm SecureBootUEFI 3 Press Enter If the return value is True...

Page 19: ...played Tip You can access the UEFI by pressing a hotkey right after you power on the workstation The hotkey differs between systems the most frequent being F2 DEL and ESC 2 In the UEFI navigate to the...

Page 20: ...g the middleware and dependencies on page 11 The latest cumulative Windows update is needed on Windows 10 1507 10240 UEFI We only support Windows versions that are still supported by Microsoft For mor...

Page 21: ...lid i e not expired 1 Create a folder on the workstation 2 Transfer SecurityAdminCertificate crt and the R S Trusted Disk installer to the folder 3 In the folder create a subfolder CACerts Note To ens...

Page 22: ...rary data on a workstation Only the admin and users with permission can access an encrypted workstation using a smart card and PIN for pre boot authentica tion Contents Full disk encryption wizard 22...

Page 23: ...iled instructions refer to the user documentation of the hardware Usually current systems offer one of the following options to activate setup mode Activating setup mode directly Deleting all pre inst...

Page 24: ...The tool is located in the R S Trusted Disk installation folder i e C Program Files x86 Sirrix AG TrustedDisk Contents List of parameters 24 Examples 25 5 1 1 List of parameters You can execute fdeini...

Page 25: ...FDE initializa tion tool Not VS NfD approved Initializing the full disk encryption without a smart card is not VS NfD approved 1 Start a command prompt 2 Enter the command fdeinit exe 3 Add the parame...

Page 26: ...e l 4 Press Enter The list displays all partitions that can be encrypted with the parameter 5 Enter the command fdeinit exe 6 Add the parameter o for the directory containing owner certificates Exampl...

Page 27: ...istrator rights in Windows The tool is located at C Program Files x86 Sirrix AG TrustedDisk InstallSBM exe 5 2 2 InstallSBM efi InstallSBM efi can be executed before Windows boots i e you need to acce...

Page 28: ...SBM efi is located on with the command fs X X is placeholder for the respective partition number Example fs0 cd EFI RSCS InstallSBM efi help 5 2 3 List of parameters You can execute InstallSBM exe Ins...

Page 29: ...he amount of partial write operations that could corrupt the file sys tem Reset configuration reset configuration Resets all settings to its default values Disabling logging or reducing its verbosity...

Page 30: ...are valid i e not expired If you use intermediate CAs all CA certificates of the chain including the root CA cer tificate must be present in the CACerts folder see Chapter 4 3 1 Update the middleware...

Page 31: ...update Manually restart the workstation Disable hybrid shutdown in your Windows settings You have updated R S Trusted Disk 6 2 Configuring the PIN policy You can require users to set up a complex PIN...

Page 32: ...ing the smart card with R S Trus ted Identity Manager you can perform the key update with R S Trusted Disk For the system volume the key update is performed when the R S Trusted Disk application is st...

Page 33: ...n encrypted system is not disclosed Stealth mode is supported on the following systems UEFI GPT 33 Legacy BIOS MBR 36 6 4 1 UEFI GPT 6 4 1 1 Preparing stealth mode Windows installation 1 Boot the work...

Page 34: ...th mode Make this configuration before initializing the full disk encryption 1 Boot the workstation with the system that you want to encrypt see Chapter 6 4 1 1 Preparing stealth mode on page 33 2 Sta...

Page 35: ...script UEFI GPT on page 45 You have prepared the workstation for its full disk encryption Full disk encryption During the full disk encryption deactivate the option Encrypt all sections so that the o...

Page 36: ...B Boot partition Partition 2 Primary x GB First Windows partition Unpartitioned space 5 Select the first Windows partition 6 Install Windows Preparing the second Windows installation Before initializi...

Page 37: ...tem 100 MB Boot partition Partition 2 Primary x GB First Windows partition Partition 3 Primary y GB Second Windows partition 3 Select the second Windows partition 4 Install Windows 5 When the installa...

Page 38: ...our support team provides a rescue CD This feature is not intended to uninstall or remove R S Trusted Disk it only works for recovering data After the decryption you have the following options to rec...

Page 39: ...rescue CD The program checks if encrypted partitions are available Note The SATA controller must be set to AHCI mode instead of RAID mode Oth erwise the rescue CD may not detect the encrypted hard di...

Page 40: ...sts on the workstation R S Trusted Disk overwrites it during this procedure Optional manual update Run Setup exe with the following command line argument Setup exe ConfigFile C Users Default AppData L...

Page 41: ...t card readers 46 7 1 Activating setup mode UEFI GPT Lenovo T460p 1 To access the UEFI press F1 right after starting the workstation 2 Navigate to the tab Security Figure 7 1 Lenovo T460p Secure Boot...

Page 42: ...nter 5 Save and exit the UEFI With activated setup mode R S Trusted Disk starts the system takeover Possible Secure Boot menu items Name Value Description Secure Boot Enabled Disabled Enables or disab...

Page 43: ...ot Enable menu item to allow R S Trusted Disk to perform the sys tem takeover A firmware update from the manufacturer might resolve this behavior For models that do not show this deviation you can ski...

Page 44: ...rts the system takeover 12 If the pre boot authentication screen says Secure Boot is deactivated after exiting the UEFI reboot the system Figure 7 5 Secure Boot deactivated 13 To access the UEFI press...

Page 45: ...info txt print false result foreach line in store if line StartsWith displayorder print true elseif Not line StartsWith print false if print data line Split foreach word in data if word StartsWith re...

Page 46: ...Compatible smart card readers We recommend using the smart card reader models IDBridge CT30 IDBridge K30 or IDBridge K50 from Gemalto If you have any questions about the use of specific smart card re...

Page 47: ...t f r Sicherheit in der Informationstechnik German Federal Office for Information Security C CA Certificate Authority F FDE Full Disk Encryption P PBA Pre Boot Authentication PKI Public Key Infrastruc...

Page 48: ...TD CryptoHelper 13 SafeNet Authentication Client 12 P PIN policy 31 Pre boot authentication 18 22 23 Boot manager tool 27 PIN policy 31 Product description 9 Scope of delivery 9 Security features 9 R...

Page 49: ...Index 49 Administration manual 4603 7988 02 03 Feature update 40 System requirements 20...

Reviews:

No comments