This document describes the following R&S Trusted Disk versions:
● R&S Trusted Disk 3.3.1
This product uses several valuable open source software packages. For more information, see the Open Source Acknowledgment document, which you can obtain separately. The open source software is provided free of charge. You are entitled to use the open source software in accordance with the respective license conditions as provided in the Open Source Acknowledgment document.
Contents
1 About this manual (page 5)
● Audience (page 5)
● Related documents (page 5)
● Conventions (page 5)
● Contact, service and support (page 7)
1.4.1 Customer knowledge base (page 7)
1.4.2 Contact channels (page 8)
2 About R&S Trusted Disk (page 9)
● Key security features (page 9)
● Scope of delivery (page 9)
3 Preparing the installation (page 11)
● General preparations...
1 About this manual
Contents
● Audience (page 5)
● Related documents (page 5)
● Conventions (page 5)
● Contact, service and support (page 7)
1.1 Audience
This manual is for IT administrators deploying R&S Trusted Disk in medium to large enterprises and help desk personnel managing users, groups, policies, certificates and devices.
Text markers
Convention: Elements in the software (labels, buttons, dialog boxes, menus, options, panels, etc.) or labels on hardware are enclosed in quotation marks.
Examples: "Settings", "Menu", "Apply", "Cancel", "MGMT1", "USB", "IN"/"OUT"
Convention: Key names are enclosed in square brackets.
Examples: [Enter]
Annotations
This document can contain the following annotations to indicate information which expands on or calls attention to a particular point:
Tip: This annotation provides additional information that can help make your work easier. In tables and lists, this annotation is indicated by "Tip:".
Note: This is a note.
1.4.2 Contact channels
If you encounter problems with your product or need quick expert help, go to our ticket system and create a ticket. To access our ticket system, you need an account. If you do not have an account yet, send an email to our Support team.
2 About R&S Trusted Disk
R&S Trusted Disk is a full-disk encryption solution that encrypts user data, the operating system and any temporary data. It uses a transparent real-time encryption method that ensures a smoothly running workstation. Pre-boot authentication secures the workstation from unauthorized access.
Name / Filename / Description
R&S Trusted Identity Manager (Standalone) / TrustedIdentityManagerStandaloneSetup.msi / Smart card management solution that offers an integrated PKI and all necessary components for personalizing and managing smart cards
R&S Trusted Disk / R&S Trusted Disk Setup X.X.X-VS-NfD.msi / Chapter 2,...
3 Preparing the installation
Contents
● General preparations (page 11)
● Installing the middleware and dependencies (page 11)
● Configuring R&S Trusted Identity Manager (page 13)
● Configuring Secure Boot (UEFI/GPT) (page 18)
3.1 General preparations
Before installing R&S Trusted Disk on a workstation, we recommend making the following preparations:
●...
To install the Microsoft Visual C++ Redistributable, proceed as follows:
1. Execute both installers.
2. Follow the instructions of the installers.
The R&S Trusted Disk installer checks for the latest version of the x86 Microsoft Visual C++ Redistributable.
SafeNet Authentication Client is not delivered with R&S Trusted Disk. For more information, refer to https://safenet.gemalto.com.
3.2.3 R&S TD CryptoHelper
The R&S TD CryptoHelper package provides the disk encryption driver and tools.
1.
3.3.1 Installing R&S Trusted Identity Manager (Standalone)
► Execute TrustedIdentityManagerStandaloneSetup.msi.
You have installed R&S Trusted Identity Manager (Standalone).
3.3.2 Creating a root certificate authority
The first step of creating an internal PKI is to create a root CA to validate the identity of subordinate certificates (e.g.
3.3.3 Personalizing a smart card for the administrator
The administrator's smart card has a key role in the R&S Trusted Disk infrastructure: In addition to the specific user's smart card, all workstations are secured with the administrator's smart card to protect your company from data loss.
You can reset the smart card PIN with the PUK. Additionally, the PUK is needed to unlock the smart card if the PIN was entered incorrectly three times. You can enter the PUK incorrectly up to ten times before the smart card is irreversibly locked.
● Country: Use only ISO 3166 Alpha-2 country codes, e.g. EN.
● Common name: This field is mandatory.
● Email: This field is checked while you type.
Note: For increased security, we recommend using the key size "4096".
7.
6. Click "Next" > "Execute".
The user certificate is saved.
3.4 Configuring Secure Boot (UEFI/GPT)
For the full-disk encryption on UEFI-based workstations, Secure Boot is required. After initializing the full-disk encryption, R&S Trusted Disk replaces pre-installed Secure Boot certificates with Rohde &...
1. Access the UEFI.
a) With [Shift] pressed, restart the workstation.
b) On the "Choose an option" page, click "Troubleshoot" > "Advanced Options" > "UEFI Firmware Settings" > "Restart".
The workstation restarts and the UEFI is displayed.
Tip: You can access the UEFI by pressing a hotkey right after you power on the workstation.
4 Installation and full-disk encryption
Contents
● System requirements (page 20)
● Prerequisites (page 20)
● Installing R&S Trusted Disk (page 21)
● Initializing the full-disk encryption (page 22)
4.1 System requirements
Before installing R&S Trusted Disk on a workstation, make sure it fulfills the following hardware and software requirements:
General requirements
Operating system...
● Secure Boot enabled on UEFI-based workstations (see Chapter 3.4, "Configuring Secure Boot (UEFI/GPT)", on page 18)
● PKI configured for R&S Trusted Disk
– Smart card personalized for the administrator
– At least one smart card personalized for a user
–...
Note: A restart is required. Please note that shutting down the workstation might only put it to hybrid shutdown, i.e. the workstation is not really restarted at its next startup. To make sure that the workstation is restarted properly, do one of the following:
●...
... activate setup mode, see Chapter 4.4.2, "Activating setup mode (UEFI/GPT)", on page 23.
To complete the full-disk encryption, restart the workstation.
The workstation starts the pre-boot authentication. After a successful authentication, the workstation boots and the selected partitions are encrypted.
4.4.2 Activating setup mode (UEFI/GPT)
On UEFI-based workstations, R&S Trusted Disk needs to replace pre-installed Secure Boot certificates with Rohde &...
5 Command-line tools
Contents
● FDE initialization tool (page 24)
● Boot manager tool (UEFI/GPT) (page 27)
5.1 FDE initialization tool
R&S Trusted Disk is delivered with an FDE initialization tool (fdeinit.exe), a command-line application to initialize the full-disk encryption. The tool offers the following options:
●...
Parameter / Description
-e [--encrypt] / Starts the encryption process immediately after initialization. Prerequisite: R&S TD CryptoHelper is installed with the parameter /a. Note: After the installation of R&S TD CryptoHelper with the parameter /a, a restart is required.
-l [--list-partitions] / Lists partitions that can be encrypted with the parameter --partitions
-p [--partitions]...
To complete the full-disk encryption, restart the workstation. After the restart, the workstation displays the pre-boot authentication screen. After a successful authentication, the workstation boots and the selected partitions are encrypted.
5.1.2.2 Full-disk encryption of multiple partitions
You can initialize the full-disk encryption for multiple partitions and without a smart card using the FDE initialization tool.
To complete the full-disk encryption, restart the workstation. After a restart, the workstation displays the pre-boot authentication screen. After a successful authentication, the workstation boots and the selected partitions are encrypted.
5.2 Boot manager tool (UEFI/GPT)
R&S Trusted Disk is delivered with a boot manager tool, a command-line application to configure the UEFI pre-boot authentication.
Please note that you have to deactivate Secure Boot for the UEFI boot menu to start this UEFI shell because it is not signed by Rohde & Schwarz Cybersecurity GmbH. If the full-disk encryption has been initialized, the UEFI shell can be loaded with Secure Boot active.
Name / Parameter / Description
Enable/Disable use of a dedicated FAT driver / --replacefatdriver-enabled / Uses a FAT driver that is part of R&S Trusted Disk instead of the FAT driver contained in the UEFI firmware by default. Note: The dedicated FAT driver does not use an internal cache and does not update the last access timestamps of the FAT file system.
6 Advanced tasks
Contents
● Updating R&S Trusted Disk (page 30)
● Configuring the PIN policy (page 31)
● R&S Trusted Disk key update (page 32)
● Stealth mode (page 33)
● Decryption and data recovery (page 38)
● Windows feature updates (page 40)
6.1 Updating R&S Trusted Disk
You need the following files to update R&S Trusted Disk:...
3. Execute R&S Trusted Disk Setup X.X.X-VS-NfD.msi.
Note: If you do a silent installation and do not want the workstation to restart automatically, you need to add the parameter REBOOT=ReallySuppress.
4. To complete the update, restart the workstation.
Note: A restart is required.
Possible values / Default
Characters "InitialPINChars":
0 ‒ digits only
1 ‒ at least 1 digit + 1 letter
2 ‒ at least 1 digit, 1 letter + 1 special character
100 ‒ no limitations
6 ‒...
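To make the "InitialPINChars" classes above concrete, here is an added Python check of a candidate PIN against each policy value (example code, not part of the manual or the product). The minimum length is an assumed parameter, since the length row of the table is cut off on this page.

```python
"""Check a candidate PIN against the R&S Trusted Disk "InitialPINChars"
character-class policy values (0, 1, 2, 100) as listed in the manual.
Added example, not Rohde & Schwarz code; min_length is an assumption."""
import string

DIGITS = set(string.digits)
LETTERS = set(string.ascii_letters)
SPECIALS = set(string.punctuation)


def check_pin(pin: str, initial_pin_chars: int, min_length: int = 6) -> list:
    """Return a list of policy violations; an empty list means the PIN complies.

    initial_pin_chars uses the manual's values:
      0   digits only
      1   at least 1 digit + 1 letter
      2   at least 1 digit, 1 letter + 1 special character
      100 no limitations
    min_length is assumed for this example, not a value taken from the page.
    """
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than {min_length} characters")
    has_digit = any(c in DIGITS for c in pin)
    has_letter = any(c in LETTERS for c in pin)
    has_special = any(c in SPECIALS for c in pin)
    if initial_pin_chars == 0:
        # Every character must be an ASCII digit; an empty PIN fails via min_length.
        if not all(c in DIGITS for c in pin):
            problems.append("policy 0 allows digits only")
    elif initial_pin_chars == 1:
        if not (has_digit and has_letter):
            problems.append("policy 1 requires at least 1 digit and 1 letter")
    elif initial_pin_chars == 2:
        if not (has_digit and has_letter and has_special):
            problems.append("policy 2 requires at least 1 digit, 1 letter and 1 special character")
    elif initial_pin_chars != 100:
        # Any other value is not described by the manual; reject it explicitly.
        problems.append(f"unknown InitialPINChars value {initial_pin_chars}")
    return problems


if __name__ == "__main__":
    # Constructed sample PINs, one per policy class.
    for pin, policy in [("123456", 0), ("12345a", 0), ("12345a", 1), ("a1!bcd", 2)]:
        print(pin, policy, check_pin(pin, policy) or "ok")
```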
6.4 Stealth mode
R&S Trusted Disk's stealth mode hides the existence of an R&S Trusted Disk encrypted system. For this, two Windows installations exist on one workstation ‒ an encrypted Windows installation and an unencrypted Windows installation.
Boot scenarios in stealth mode:
●...
8. Start a new installation of Windows.
9. In the unpartitioned space, create a new partition with [y] GB.
10. Select the new partition.
11. Install Windows.
You have installed two Windows installations on two partitions.
6.4.1.2 Configuring stealth mode
Make this configuration before initializing the full-disk encryption.
a) Enter the following commands:
bcdedit /export bcd-boot.1
bcdedit /store bcd-boot.1 /bootsequence {GUID_1}
bcdedit /export bcd-boot.2
bcdedit /store bcd-boot.2 /bootsequence {GUID_2}
Note: After the full-disk encryption, bcd-boot.1 uses the GUID of the encrypted system and bcd-boot.2 uses the GUID of the unencrypted system.
●...
5. Open T:\EFI\RSCS\pba.config.
6. Add the entry StealthMode=1.
7. Save your changes.
6.4.2 Legacy BIOS/MBR
6.4.2.1 Preparing stealth mode
First Windows installation
1. Boot the workstation from a Windows installation medium.
2. Start a new installation of Windows.
3.
7. Remove the flag "boot".
8. Set the flag "hidden".
9. In the unpartitioned section, create a partition with the following configurations:
● New size: [y] GB
● File system: NTFS
● Type: Primary
10. To confirm, click "Apply".
11.
6.4.2.2 Configuring stealth mode
Make this configuration before activating the full-disk encryption.
1. Open C:\Program Files (x86)\Sirrix AG\TrustedDisk\Bootloader\grub.cfg.
2. Set "tdshowplain" to 0.
3. Save your changes.
You have prepared the workstation for its full-disk encryption.
Full-disk encryption
During the full-disk encryption, deactivate the option "Encrypt all sections"...
Do not interrupt decryption: If the decryption process is interrupted, your data cannot be recovered. Make sure to connect your workstation to a power source.
Not VS-NfD approved: Deactivating the full-disk encryption is not VS-NfD approved.
1.
6.6 Windows feature updates
From version 3.2.2 on, Windows 10 feature updates are supported out-of-the-box for both UEFI and Legacy BIOS workstations with R&S Trusted Disk encrypted system drives.
Requirement: Update to at least Windows 10 1607.
If a SetupConfig.ini file exists on the workstation, R&S Trusted Disk overwrites it during this procedure.
7 Appendix
Contents
● Activating setup mode (UEFI/GPT) (page 41)
● Stealth mode PowerShell script (UEFI/GPT) (page 45)
● Compatible smart card readers (page 46)
7.1 Activating setup mode (UEFI/GPT)
Lenovo T460p
1. To access the UEFI, press [F1] right after starting the workstation.
2.
Figure 7-2: Lenovo T460p setup mode
6. Press [Enter].
7. To save and exit, press [F10].
With activated setup mode, R&S Trusted Disk starts the system takeover.
Lenovo T470s
1. To access the UEFI, press [F2] right after starting the workstation.
2.
Name / Value / Description
Restore Factory Keys / [Enter] / Restores the original keys of the manufacturer
Clear All Secure Boot Keys / [Enter] / Deletes the current platform key and further variables (KEK, db, dbx) and activates setup mode
Dell E5470
This Dell model is a special case: For the E5470, you must first disable Secure Boot via the "Secure Boot Enable"...
Figure 7-4: Dell E5470 setup mode
9. To confirm, click "Yes".
10. Click "Apply".
11. Exit the UEFI.
R&S Trusted Disk starts the system takeover.
12. If the pre-boot authentication screen says "Secure Boot is deactivated" after exiting the UEFI, reboot the system.
7.3 Compatible smart card readers
We recommend using the smart card reader models IDBridge CT30, IDBridge K30 or IDBridge K50 from Gemalto. If you have any questions about the use of specific smart card readers, please contact our support team.
Glossary: Abbreviations
BSI: Bundesamt für Sicherheit in der Informationstechnik (German Federal Office for Information Security)
CA: Certificate Authority
FDE: Full-Disk Encryption
PBA: Pre-Boot Authentication
PKI: Public Key Infrastructure
VS-NfD: Verschlusssache ‒ Nur für den Dienstgebrauch (classified material ‒ for official use only)
Administration manual 4603.7988.02 ─...