Rohde & Schwarz R&S Trusted Disk 3.3.1 Скачать руководство пользователя страница 32 | Manualshive

Страница: 32 / 49

background image

Advanced tasks

32

Administration manual 4603.7988.02 ─ 03

Key

Possible values

Default

Characters

"InitialPINChars"

0

‒

digits only

1

‒

at least 1 digit + 1 letter

2

‒

at least 1 digit, 1 1 special character

100

‒

no limitations

100

Length

"InitialPINLength"

6

‒

16 characters

6

These keys are synchronized with

pba.config

(UEFI/GPT)/

pinPolicy.config

(Legacy BIOS/MBR) on the boot partition during the full-disk encryption and when
the R&S

Trusted

Disk application is closed.

6.3

R&S

Trusted

Disk key update

If you want to update the key used for encryption to a new key, e.g. because you want
to migrate to a stronger bit length key, but keep the same smart card, you have to put
another key and certificate on the smart card. If you use the R&S

Trusted

Objects

Man-

ager PKI (starting with version 19.08.1), you can add another Trusted

Disk

certificate/key to the smart card profile.

After adjusting the smart card profile and updating the smart card with R&S

Trus-

ted

Identity

Manager, you can perform the key update with R&S

Trusted

Disk. For the

system volume, the key update is performed when the R&S

Trusted

Disk application is

started. For external devices, the key update is performed when the device is mounted.

R&S

Trusted

Disk chooses the certificate with the strongest bit length and the longest

validity, whereas bit length wins over validity.

For more information on updating a smart card profile, refer to the R&S

Trusted

Iden-

tity

Manager administration manual.

●

R&S

Trusted

Disk updates the key if a new valid key with a larger key length or a

longer validity is available on the smart card.

●

Only certificates with Trusted

Disk extended key usage are selected to update

existing keys. OID: 1.3.6.1.4.1.30205.13.1.1.

●

The best key for the key update is determined automatically; keys with a larger key
length are preferred over keys with a longer validity.

●

Existing 2048-bit RSA keys can be updated to a new 2048-bit RSA key. Downgrad-
ing from an RSA key larger than 2048-bit to a 2048-bit RSA key is not possible.

R&S

Trusted

Disk key update

«
...
30
31
32
33
34
...
»

Содержание R&S Trusted Disk 3.3.1

Страница 1: ...R S Trusted Disk Standalone Administration manual Administration manual Version 03 4603798802 3 2...

Страница 2: ...Rohde Schwarz would like to thank the open source community for their valuable contribution to embedded computing 2019 Rohde Schwarz Cybersecurity GmbH M hldorfstr 15 81671 Munich Germany Phone 49 89...

Страница 3: ...tributable 11 3 2 2 PKCS 11 module 12 3 2 3 R S TD CryptoHelper 13 3 3 Configuring R S Trusted Identity Manager 13 3 3 1 Installing R S Trusted Identity Manager Standalone 14 3 3 2 Creating a root cer...

Страница 4: ...7 5 2 3 List of parameters 28 5 2 4 Structure 29 6 Advanced tasks 30 6 1 Updating R S Trusted Disk 30 6 2 Configuring the PIN policy 31 6 3 R S Trusted Disk key update 32 6 4 Stealth mode 33 6 4 1 UEF...

Страница 5: ...ers groups policies certificates and devices This document assumes basic device networking and security knowledge including the following Setup and configuration of endpoint hardware Partitioning form...

Страница 6: ...separated by angle brack ets Each UI item is enclosed in quotation marks User Authentication Local Users Settings Device Management Parameters and placeholders are capital ized in monospaced font The...

Страница 7: ...ting your network security at risk In tables and lists this annotation is indicated by NOTICE 1 4 Contact service and support We provide technical support as detailed in your service level agreement T...

Страница 8: ...n email to our Support team If you require additional support after creating a ticket you can contact our Support team by phone or email indicating your ticket ID Ticket system https myrscs rohde schw...

Страница 9: ...g smart cards Use of algorithms AES XTS 512 for encryption and SHA 2 512 for hashing Support of RSA 2048 bit 3072 bit and 4096 bit Fulfillment of compliance requirements based on audit logs in authori...

Страница 10: ...s an integrated PKI and all necessary components for per sonalizing and man aging smart cards R S Trusted Disk R S Trusted Disk Setup X X X VS NfD msi R S Trusted Disk Setup X X X eToken msi See Chapt...

Страница 11: ...g For maximum compatibility we highly recommend updating the BIOS UEFI firm ware to the newest version 3 2 Installing the middleware and dependencies All workstations need the following middleware and...

Страница 12: ...he smart card The middleware differs depending on whether you use CardOS smart cards or Gemalto eTokens CardOS API for CardOS smart cards 12 SafeNet Authentication Client for Gemalto eTokens 12 3 2 2...

Страница 13: ...is not required For more information see Chapter 5 1 FDE initialization tool on page 24 If you install the application with the parameter quiet the installation takes place with out user interaction T...

Страница 14: ...hecked while you type 5 Click Next Execute Backup R S Trusted Identity Manager Standalone data To ensure access to the root CA smart card information and all certificates in case the administrator wor...

Страница 15: ...Open CardOS Viewer b Select your card reader from the list c Click Card Initialize Card d Fill in the required information e Click OK 3 Open R S Trusted Identity Manager Standalone 4 Select the tab To...

Страница 16: ...te 3 Select the administrator s smart card 4 Click Next 5 Select the destination folder 6 Click Next Execute The administrator certificate is saved 7 Rename the exported certificate to SecurityAdminCe...

Страница 17: ...the smart card You can reset the smart card PIN with the PUK Additionally the PUK is needed to unlock the smart card if the PIN was entered incorrectly three times You can enter the PUK incorrectly up...

Страница 18: ...ot status 18 Enabling Secure Boot 18 3 4 1 Checking the Secure Boot status 1 Start Windows PowerShell with administrator rights 2 Enter Confirm SecureBootUEFI 3 Press Enter If the return value is True...

Страница 19: ...played Tip You can access the UEFI by pressing a hotkey right after you power on the workstation The hotkey differs between systems the most frequent being F2 DEL and ESC 2 In the UEFI navigate to the...

Страница 20: ...g the middleware and dependencies on page 11 The latest cumulative Windows update is needed on Windows 10 1507 10240 UEFI We only support Windows versions that are still supported by Microsoft For mor...

Страница 21: ...lid i e not expired 1 Create a folder on the workstation 2 Transfer SecurityAdminCertificate crt and the R S Trusted Disk installer to the folder 3 In the folder create a subfolder CACerts Note To ens...

Страница 22: ...rary data on a workstation Only the admin and users with permission can access an encrypted workstation using a smart card and PIN for pre boot authentica tion Contents Full disk encryption wizard 22...

Страница 23: ...iled instructions refer to the user documentation of the hardware Usually current systems offer one of the following options to activate setup mode Activating setup mode directly Deleting all pre inst...

Страница 24: ...The tool is located in the R S Trusted Disk installation folder i e C Program Files x86 Sirrix AG TrustedDisk Contents List of parameters 24 Examples 25 5 1 1 List of parameters You can execute fdeini...

Страница 25: ...FDE initializa tion tool Not VS NfD approved Initializing the full disk encryption without a smart card is not VS NfD approved 1 Start a command prompt 2 Enter the command fdeinit exe 3 Add the parame...

Страница 26: ...e l 4 Press Enter The list displays all partitions that can be encrypted with the parameter 5 Enter the command fdeinit exe 6 Add the parameter o for the directory containing owner certificates Exampl...

Страница 27: ...istrator rights in Windows The tool is located at C Program Files x86 Sirrix AG TrustedDisk InstallSBM exe 5 2 2 InstallSBM efi InstallSBM efi can be executed before Windows boots i e you need to acce...

Страница 28: ...SBM efi is located on with the command fs X X is placeholder for the respective partition number Example fs0 cd EFI RSCS InstallSBM efi help 5 2 3 List of parameters You can execute InstallSBM exe Ins...

Страница 29: ...he amount of partial write operations that could corrupt the file sys tem Reset configuration reset configuration Resets all settings to its default values Disabling logging or reducing its verbosity...

Страница 30: ...are valid i e not expired If you use intermediate CAs all CA certificates of the chain including the root CA cer tificate must be present in the CACerts folder see Chapter 4 3 1 Update the middleware...

Страница 31: ...update Manually restart the workstation Disable hybrid shutdown in your Windows settings You have updated R S Trusted Disk 6 2 Configuring the PIN policy You can require users to set up a complex PIN...

Страница 32: ...ing the smart card with R S Trus ted Identity Manager you can perform the key update with R S Trusted Disk For the system volume the key update is performed when the R S Trusted Disk application is st...

Страница 33: ...n encrypted system is not disclosed Stealth mode is supported on the following systems UEFI GPT 33 Legacy BIOS MBR 36 6 4 1 UEFI GPT 6 4 1 1 Preparing stealth mode Windows installation 1 Boot the work...

Страница 34: ...th mode Make this configuration before initializing the full disk encryption 1 Boot the workstation with the system that you want to encrypt see Chapter 6 4 1 1 Preparing stealth mode on page 33 2 Sta...

Страница 35: ...script UEFI GPT on page 45 You have prepared the workstation for its full disk encryption Full disk encryption During the full disk encryption deactivate the option Encrypt all sections so that the o...

Страница 36: ...B Boot partition Partition 2 Primary x GB First Windows partition Unpartitioned space 5 Select the first Windows partition 6 Install Windows Preparing the second Windows installation Before initializi...

Страница 37: ...tem 100 MB Boot partition Partition 2 Primary x GB First Windows partition Partition 3 Primary y GB Second Windows partition 3 Select the second Windows partition 4 Install Windows 5 When the installa...

Страница 38: ...our support team provides a rescue CD This feature is not intended to uninstall or remove R S Trusted Disk it only works for recovering data After the decryption you have the following options to rec...

Страница 39: ...rescue CD The program checks if encrypted partitions are available Note The SATA controller must be set to AHCI mode instead of RAID mode Oth erwise the rescue CD may not detect the encrypted hard di...

Страница 40: ...sts on the workstation R S Trusted Disk overwrites it during this procedure Optional manual update Run Setup exe with the following command line argument Setup exe ConfigFile C Users Default AppData L...

Страница 41: ...t card readers 46 7 1 Activating setup mode UEFI GPT Lenovo T460p 1 To access the UEFI press F1 right after starting the workstation 2 Navigate to the tab Security Figure 7 1 Lenovo T460p Secure Boot...

Страница 42: ...nter 5 Save and exit the UEFI With activated setup mode R S Trusted Disk starts the system takeover Possible Secure Boot menu items Name Value Description Secure Boot Enabled Disabled Enables or disab...

Страница 43: ...ot Enable menu item to allow R S Trusted Disk to perform the sys tem takeover A firmware update from the manufacturer might resolve this behavior For models that do not show this deviation you can ski...

Страница 44: ...rts the system takeover 12 If the pre boot authentication screen says Secure Boot is deactivated after exiting the UEFI reboot the system Figure 7 5 Secure Boot deactivated 13 To access the UEFI press...

Страница 45: ...info txt print false result foreach line in store if line StartsWith displayorder print true elseif Not line StartsWith print false if print data line Split foreach word in data if word StartsWith re...

Страница 46: ...Compatible smart card readers We recommend using the smart card reader models IDBridge CT30 IDBridge K30 or IDBridge K50 from Gemalto If you have any questions about the use of specific smart card re...

Страница 47: ...t f r Sicherheit in der Informationstechnik German Federal Office for Information Security C CA Certificate Authority F FDE Full Disk Encryption P PBA Pre Boot Authentication PKI Public Key Infrastruc...

Страница 48: ...TD CryptoHelper 13 SafeNet Authentication Client 12 P PIN policy 31 Pre boot authentication 18 22 23 Boot manager tool 27 PIN policy 31 Product description 9 Scope of delivery 9 Security features 9 R...

Страница 49: ...Index 49 Administration manual 4603 7988 02 03 Feature update 40 System requirements 20...

Отзывы:

Нет отзывов

Похожие инструкции для R&S Trusted Disk 3.3.1

Бренд: GE Страницы: 146

Univerge SV9300

Бренд: NEC Страницы: 26

Бренд: NEC Страницы: 20

DS2000 IntraMail

Бренд: NEC Страницы: 2

Бренд: Paradyne Страницы: 12

Бренд: T&D Страницы: 122

Бренд: Danfoss Страницы: 61

Бренд: Idis Страницы: 31

Brocade X6-8 Director

Бренд: Broadcom Страницы: 207

Бренд: IOtech Страницы: 16

AXP-100H MUSCLE

Бренд: Thermalright Страницы: 36

Бренд: ICP DAS USA Страницы: 8

Бренд: ZiLOG Страницы: 317

Бренд: Xilinx Страницы: 27

Бренд: LaView Страницы: 2

Бренд: IBM Страницы: 74

Бренд: UMAX Technologies Страницы: 27

Aeroflow FX 120 VAF-1225

Бренд: Vantec Страницы: 2

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды