Sophos SafeGuard Disk Encryption, Sophos SafeGuard Easy Demo guide

Product version: 5.60
Document date: April 2011


Contents

1 Introduction

2 Requirements

3 The demo configuration package

4 Install the demo software

5 What to expect once the software has been installed

6 What to expect from the full version

7 Upgrading to the full version

8 Uninstalling the demo software

9 Technical support

10 Legal notices

1 Introduction

This document guides you through the demo version of the SafeGuard Disk Encryption client. The demo version enables you to test the SafeGuard full disk encryption process, including the installation and use of the Power-on Authentication (POA, authentication in the pre-boot phase).

This demo serves as a common client demo for the following products which use the same SafeGuard client engine:

■ Sophos SafeGuard Disk Encryption (SDE)

Full disk encryption solution for local hard drives. Provided as part of the Sophos Endpoint Security and Data Protection (ESDP) license. Encryption policy configuration is carried out using SafeGuard Policy Editor. For deploying policies to the endpoint computers, a licensed SafeGuard Policy Editor is required.

For further information, see http://www.sophos.com/products/enterprise/endpoint/security-and-control/.

■ SafeGuard Easy (SGE)

Similar to SDE, adding support for Lenovo fingerprint authentication, non-cryptographic tokens and external hard drives as well as supporting a runtime environment to have two encrypted Windows installations in parallel on the same computer. Encryption policy configuration is carried out using SafeGuard Policy Editor. For deploying policies to the endpoint computers, a licensed SafeGuard Policy Editor is required.

For further information, see http://www.sophos.com/products/enterprise/encryption/safeguard-easy/.

For evaluating the SafeGuard Disk Encryption client, a demo configuration package with preconfigured policy settings is provided, see The demo configuration package (section 3). These policy settings cannot be edited within this demo version. The demo configuration package has to be deployed on a test computer with an SDE/SGE 5.60 client installation, see Install the demo software (section 4).

You can find the demo configuration package SGNDemoClientConfig.msi in the install folder of the Sophos SafeGuard Disk Encryption/SafeGuard Easy product delivery. The demo configuration package is also available for download from https://secure.sophos.com/products/enterprise/free-trials/safeguard-easy/.

If you are interested in security beyond local disk encryption, SafeGuard Enterprise is the product to go for. SafeGuard Enterprise is the flagship encryption product of Sophos, adding Active Directory integrated online central management, reporting, multi-factor authentication (through Lenovo fingerprint, smartcards or crypto tokens) and advanced key management for removable media encryption and port control. For SafeGuard Enterprise, a separate demo version is available, including the SafeGuard Management Center and all modules. Please contact a Sophos sales representative to receive this demo. For further information on SafeGuard Enterprise, see http://www.sophos.com/products/enterprise/encryption/safeguard-enterprise/.

Once you have completed your evaluation, you will want to move to a full version of the SafeGuard encryption solution. You can upgrade the demo client to Sophos SafeGuard Disk Encryption, SafeGuard Easy or SafeGuard Enterprise. For a short overview on what to expect from licensed versions, see What to expect from the full version (section 6).

2 Requirements

For installing the SafeGuard Disk Encryption Demo configuration package SGNDemoClientConfig.msi on a test computer, the following prerequisites apply:

■ Sophos SafeGuard Disk Encryption (SDE)/SafeGuard Easy (SGE) client with Device Encryption is installed.

■ The SDE/SGE client must not have been configured using a regular client configuration package created with a licensed SafeGuard Policy Editor.

For installing the SDE/SGE clients with Device Encryption, the following system requirements apply:

■ Windows XP SP2 or later (32 bit)

■ Windows Vista SP1 (32 bit)

■ Windows Vista SP1 (64 bit)

■ Windows 7 (32 or 64 bit)

■ Minimum 1 GB RAM

■ Minimum 1 GB of free disk space

■ IDE or SATA drive (no SCSI). For hardware compatibility information, see http://www.sophos.com/support/knowledgebase/article/107781.html

■ If you are running Lenovo Rescue and Recovery, make sure that version 4.21 or later is in use.

If in doubt regarding the supported platform, you can install the software. The installation process will let you know if a problem is encountered and back out of the operation.

Note:

The 64 bit installer is a separate download from sophos.com.

Before you install the software make sure that you have administrative rights for the client machine on which you want to install it.

Note:

This software is provided for evaluation purposes only and must not be used on production computers. To upgrade from demo to full version, valid licenses are required. For further information, see Upgrading to the full version (section 7).

3 The demo configuration package

For evaluating the SafeGuard Disk Encryption client, a demo configuration package with preconfigured policy settings is provided. This configuration package has to be deployed on a test computer with an SDE/SGE 5.60 client installation including Device Encryption, see Install the demo software (section 4).

You can find the demo configuration package SGNDemoClientConfig.msi in the install folder of the Sophos SafeGuard Disk Encryption/SafeGuard Easy product delivery. The demo configuration package is also available for download from https://secure.sophos.com/products/enterprise/free-trials/safeguard-easy/.

The demo configuration package includes the following client configuration:

■ All internal drives are encrypted.

■ Any user with Windows administrator rights can uninstall the software.

■ The Local Self Help recovery mechanism for logon recovery in case of forgotten passwords is enabled and preconfigured.

■ Smartcard/token logon is disabled.

■ Any user may import further SafeGuard users to enable them to log on at the Power-on Authentication.

Note:

These preconfigured settings cannot be edited within this demo version.

4 Install the demo software

1. Install the Sophos SafeGuard Disk Encryption/SafeGuard Easy client including Device Encryption on the test computer. For further information, refer to the Sophos SafeGuard Disk Encryption/SafeGuard Easy Startup Guide.

2. Install the demo configuration package SGNDemoClientConfig.msi on the test computer.

If you try to install the demo configuration package without having installed the Sophos SafeGuard Disk Encryption/SafeGuard Easy client first, an error message is displayed. The same applies if the client has already been configured with a regular configuration package created with a licensed SafeGuard Policy Editor.

3. Restart the test computer.
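
A pre-flight check for the prerequisites in sections 2 and 4, as an added example that is not part of the Sophos guide. It assumes Windows PowerShell 2.0 or later, a hypothetical package path, and that the Add/Remove Programs names quoted in section 8 match the registry DisplayName values; the RAM tolerance and the choice of the system drive for the free-space check are also assumptions.

```powershell
# Added example, not Sophos code: checks the prerequisites from sections 2 and 4
# of this guide, then optionally starts the demo configuration package install.
param(
    [string]$PackagePath = '.\SGNDemoClientConfig.msi',  # assumed location
    [switch]$Install
)

# Names as shown in Add/Remove Programs (section 8). Assumption: the registry
# DisplayName values are identical, and a regular configuration package
# registers under the same "Client Configuration" name.
$ClientName = 'Sophos SafeGuard 5.60 Client'
$ConfigName = 'Sophos SafeGuard 5.60 Client Configuration'

function Get-InstalledProductName {
    # Read display names from the native and 32-bit-on-64-bit uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        ForEach-Object { $_.DisplayName } |
        Where-Object { $_ }
}

function Test-DemoPrerequisite {
    # Emits one string per unmet prerequisite; no output means all checks passed.

    # Administrative rights on the test computer.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        'Not running with administrative rights.'
    }

    # Minimum 1 GB RAM. Assumed 10% tolerance for memory reserved by firmware.
    $ramBytes = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory
    if ($ramBytes -lt (0.9 * 1GB)) {
        'Less than 1 GB RAM.'
    }

    # Minimum 1 GB of free disk space (checked on the system drive, an assumption).
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    if ($disk.FreeSpace -lt 1GB) {
        "Less than 1 GB free on $($env:SystemDrive)"
    }

    # The client must be installed and must not already carry a configuration package.
    $names = @(Get-InstalledProductName)
    if ($names -notcontains $ClientName) {
        "'$ClientName' is not installed."
    }
    if ($names -contains $ConfigName) {
        "'$ConfigName' is already installed."
    }

    if (-not (Test-Path -LiteralPath $PackagePath)) {
        "Package not found: $PackagePath"
    }
}

$problems = @(Test-DemoPrerequisite)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Prerequisites met.'

if ($Install) {
    # Interactive install with a verbose MSI log; restart afterwards (step 3).
    $msi  = (Get-Item -LiteralPath $PackagePath).FullName
    $log  = Join-Path $env:TEMP 'SGNDemoClientConfig-install.log'
    $proc = Start-Process msiexec.exe -ArgumentList "/i `"$msi`" /l*v `"$log`"" -Wait -PassThru
    Write-Output "msiexec exit code $($proc.ExitCode), log: $log"
    exit $proc.ExitCode
}
```

The script does not check the operating system version or the drive interface type; the installer itself backs out if the platform is unsupported, as section 2 notes.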

5 What to expect once the software has been installed

After you have restarted the test computer, the first screen you see is the legal notice screen. This is an optional policy feature that you can enable when you roll out SafeGuard Disk Encryption in your environment. In the full version of the product, the text is fully customizable. For now, read the legal notice and click OK.

5.1 Windows XP

5.1.1 If you already have a Windows password set

1. The Windows logon screen is displayed.

2. Enter your Windows credentials and log on to Windows.

At this point, SafeGuard Disk Encryption synchronizes your Windows credentials with its Power-on Authentication (POA) system.

Note:

SafeGuard Disk Encryption uses your Windows credentials for its Power-on Authentication.

You should activate Local Self Help now in order to have a recovery mechanism should you forget your credentials, see Activate Local Self Help (section 5.4).

5.1.2 If you do not have a Windows password set

If you did not configure a Windows password, you are now prompted to do so.

1. An Invalid Password message is displayed followed by the Change dialog for defining a password.

2. As you do not have a password, leave the Old Password field blank.

3. In the New Password field, type a word or phrase that you will remember. Repeat it in the Confirmation field.

You must remember the password in order to access the encrypted drive and start the computer.

You should activate Local Self Help now in order to have a recovery mechanism should you forget your credentials, see Activate Local Self Help (section 5.4).

5.2 Windows Vista and Windows 7

Windows Vista and Windows 7 have a different authentication mechanism than Windows XP. If you are using these operating systems, the following behavior can be expected.

5.2.1 If you already have a Windows password set

1. After the operating system loads you are passed straight to the desktop, just as before. Only this time, the following dialog is displayed:

2. Enter your password.

The desktop loads and SafeGuard Disk Encryption synchronizes your credentials. Next time you restart the computer you can log on to the Power-on Authentication with these credentials.

If for some reason you do not see the key-hole icon, select Switch user and select this icon before logging on.

You should activate Local Self Help now in order to have a recovery mechanism should you forget your credentials, see Activate Local Self Help (section 5.4).

5.2.2 If you do not have a Windows password set

After you select OK in the legal notice dialog, Windows loads and you are taken directly to the desktop as usual. Due to the demo configuration, your Windows credentials must be synchronized with the Power-on Authentication mechanism.

Note:

SafeGuard Disk Encryption uses your Windows credentials for its Power-on Authentication.

1. For synchronization, the Sophos SafeGuard Logon dialog is displayed.

2. As you have no password, simply click OK.

A Sophos SafeGuard Password Change message is displayed.

This happens because SafeGuard Disk Encryption does not accept a zero length password.

3. Click OK.

You are now prompted to change your password. The Change dialog for defining a password is displayed.

As you do not have a password, leave the Old Password field blank.

4. In the New Password field, type a word or phrase that you will remember. Repeat it in the Confirmation field.

You must remember the password in order to access the encrypted drive and start the computer.

You should activate Local Self Help now in order to have a recovery mechanism should you forget your credentials, see Activate Local Self Help (section 5.4).

5.3 Hard drive encryption process

When you have logged on to Windows, a tab is displayed in the task bar:

Click this tab to see the initial encryption progress.

Note:

During initial encryption, you may experience a slowdown in system performance.

At this point you can continue to work or shut down the computer. If you shut down the computer, the initial encryption process continues where it left off.

5.4 Activate Local Self Help

After you have logged on to your desktop, a message is displayed:

This is an advisory message to let you know that you can now activate Local Self Help. Local Self Help allows you to recover your forgotten logon credentials by answering questions for which you had previously provided answers during Local Self Help Activation.

To activate Local Self Help:

1. Right-click on the shield icon in your task bar and select Local Self Help.

2. You are prompted to re-enter your credentials:

3. Enter your Windows user name and password and click Next.

4. This page provides a status. Click Next.

5. In the Predefined Questions dialog, select a language in the Theme drop-down list. You can now start to answer the questions.

Keep in mind that the answers are case sensitive.

Note:

For Japanese, the appropriate language support must be installed under Windows XP. Otherwise, the Japanese questions may not be displayed correctly.

Once you have answered six questions the status at the bottom of the dialog changes.

6. Click Next and then Finish.

Local Self Help is activated.

5.5 Next time you restart

Next time you restart the computer the Power-on Authentication is enabled. The first screen is the legal notice.

1. Click Accept to proceed.

In the full product, both the legal notice and the following dialogs seen here are customizable allowing you to minimize the visual impact on your end users. Naturally, in this demo version the impact is highly visible and not configurable.

2. Once you have passed the legal notice, you can log on to the Power-on Authentication. Enter your credentials in the fields provided and click OK.

SafeGuard Disk Encryption validates the credentials and then allows Windows to load. Until you enter a valid set of credentials, the data on the drive will be inaccessible to anyone.

At this point, there is nothing else that needs to be done to configure the software. The exact functionality available in the full version depends on which version of the product (Sophos SafeGuard Disk Encryption (ESDP bundle)/SafeGuard Easy or SafeGuard Enterprise) you purchase. You can find full details on the Sophos web site.

5.6 Password recovery with Local Self Help

If you have forgotten the password that you used to access Windows when configuring SafeGuard Disk Encryption, you can recover your password with Local Self Help. If you have followed the steps described in this guide, you will have activated Local Self Help for logon recovery, see Activate Local Self Help (section 5.4).

To recover your system if you have forgotten your password:

1. Enter your user name and select Recovery.

2. The Local Self Help Welcome dialog is displayed. This dialog provides a short description of the next steps. Click Next.

3. You are now asked to answer three out of the six questions you answered during configuration. The answers are case sensitive. You must answer all three correctly in order to proceed. If you get an answer wrong, SafeGuard treats this as a failed logon attempt. For security reasons, the system does not indicate which question was answered incorrectly.

4. After you have answered all questions correctly, you can click the blue box to be reminded of your password or simply click OK to be allowed access to Windows.

6 What to expect from the full version

The following sections provide a short overview on the functionality and benefits of the full versions of Sophos SafeGuard Disk Encryption, SafeGuard Easy and SafeGuard Enterprise.

Please use sophos.com or contact your local sales representative if you are interested in learning more about the SafeGuard product portfolio or want to order the fully licensed version.

6.1 Main benefits of licensing the full version

This demo version just gives you a small glimpse of the full disk encryption capabilities of the SafeGuard product range.

Upgrading to a full product version allows you to

■ have full control over the encryption policies including encryption of additional drives and configuration of background bitmap as well as user notifications.

■ make use of additional recovery methods in case of forgotten passwords (Challenge/Response) and help when restoring broken operating system installations even on encrypted drives with the Windows PE based Virtual Client bootable recovery image.

■ optionally use Opal-compliant, self-encrypting hard disks managed by SafeGuard with all pre-boot and management options offered by the SafeGuard software solution.

■ add smartcard, token and/or biometric authentication options (SafeGuard Easy or SafeGuard Enterprise).

■ add online management including Active Directory synchronization, management API, central logging, reporting and key management (SafeGuard Enterprise).

■ optionally add additional functional modules for removable media encryption including optical media (SafeGuard Data Exchange), port and device control (SafeGuard Configuration Protection) or BitLocker management (SafeGuard PartnerConnect) when choosing to upgrade to SafeGuard Enterprise.

■ receive product updates and support around the globe from Sophos and Sophos partners.

6.2 Management variants to choose from

SafeGuard Easy (SGE) and Sophos SafeGuard Disk Encryption (SDE) are managed in the so-called standalone mode, where policies are created on a reference client and deployed via any third party deployment mechanism. With this demo version you can evaluate an SGE/SDE client. Upgrade to the full version requires installing the SafeGuard Policy Editor and importing a valid license. Afterwards, you can create a licensed configuration package and deploy it to demo clients.

The following diagram illustrates the SafeGuard Easy/Sophos SafeGuard Disk Encryption management mode:

SafeGuard Enterprise is managed online via a web service mechanism that also allows Active Directory import, central logging and status reporting along with further security modules like SafeGuard Data Exchange for group-based removable media encryption and SafeGuard Configuration Protection for port and device control. Upgrade from this demo version requires installing the SGN management server and the SafeGuard Management Center and deploying a licensed configuration package to demo clients. They will then become managed clients which connect to the SGN Server.

The following diagram illustrates SafeGuard Enterprise online management. In addition, in a managed SGN scenario, a subset of the clients can also be managed in the so-called offline mode which would then be identical to the SafeGuard Easy scenario shown in the previous diagram.

6.3 Sample screens of the management variants

The following figure shows the SafeGuard Policy Editor for SafeGuard Easy. The SafeGuard Policy Editor for Sophos SafeGuard Disk Encryption (SDE) is mostly the same. It just has less advanced policy options, for example no Data Exchange policies and no policies for fingerprint logon.

Note:

The interface elements for Active Directory, Security Officer management, reports, keys and certificates etc. are neither necessary nor present in the standalone (SGE/SDE) mode, as opposed to the SafeGuard Enterprise Management Center.

The following screenshot shows Users and Computers management in the SafeGuard Management Center.

7 Upgrading to the full version

Once you have completed your evaluation you will want to move to a full version of the SafeGuard encryption solution.

You can upgrade the demo client to

■ Sophos SafeGuard Disk Encryption/SafeGuard Easy, see Upgrade to a Sophos SafeGuard client (section 7.1).

■ SafeGuard Enterprise, see Upgrade to a SafeGuard Enterprise client (section 7.2).

For upgrading, you need valid licenses. Please contact your local sales representative to obtain them.

To upgrade, create a new configuration package with the relevant licensed management tool and deploy it to the computer.

Note:

You do not have to remove the demo version beforehand.

Note:

You cannot upgrade a demo client to a newer full version. You must first upgrade the demo client to a licensed client of the same version and then update it to the new version.

7.1 Upgrade to a Sophos SafeGuard client

1. Ensure that a licensed SafeGuard Policy Editor is available.

For detailed information on how to install and configure a licensed SafeGuard Policy Editor, refer to the Sophos SafeGuard Disk Encryption/SafeGuard Easy Startup Guide.

2. In the SafeGuard Policy Editor, create a new configuration package.

For detailed information, refer to the Sophos SafeGuard Disk Encryption/SafeGuard Easy Startup Guide.

3. Deploy the new configuration package on the test computer.

After you have upgraded to the full version, an automatic key backup is initiated. Users imported during evaluation are not removed and will still have access to the computer. For further information refer to the Sophos SafeGuard Disk Encryption/SafeGuard Easy Administrator’s Help and User Help.

7.2 Upgrade to a SafeGuard Enterprise client

1. Ensure that a licensed SafeGuard Management Center is available.

For detailed information on how to install and configure SafeGuard Enterprise and a licensed SafeGuard Management Center, refer to the SafeGuard Enterprise Installation Manual.

2. In the SafeGuard Management Center, create a new configuration package.

For detailed information, refer to the SafeGuard Enterprise Installation Manual.

3. Deploy the new configuration package on the test computer.

After you have upgraded to the full version, an automatic key backup is initiated. The Power-on Authentication switches back to autologon and the first Windows user who logs on becomes the machine’s owner. For further information, refer to the SafeGuard Enterprise Administrator’s Help and User Help.

8 Uninstalling the demo software

Should you choose not to upgrade the client configuration to a full version, you can remove the demo software from the test computer as follows.

Note:

For upgrading to a full version, it is not necessary to uninstall the demo software first, see Upgrading to the full version (section 7). Please use sophos.com or contact your local sales representative if you are interested in learning more about the SafeGuard product portfolio or want to order the full license version.

1. Open Add/Remove Programs.

2. Remove the "Sophos SafeGuard 5.60 Client Configuration" and then remove the "Sophos SafeGuard 5.60 Client".

When you remove the client, you will see the drive begin to decrypt. We recommend that you uninstall both packages and allow the drive to finish decrypting before you restart.

If the system is restarted during this process, uninstallation is cancelled, but decryption will continue when the system is restarted. Once decryption has completed, you can reinitiate the removal of the SafeGuard encryption client.

9 Technical support

You can find technical support for Sophos products in any of these ways:

■ Visit the SophosTalk forum at http://community.sophos.com/ and search for other users who are experiencing the same problem.

■ Visit the Sophos support knowledgebase at http://www.sophos.com/support/

■ Download the product documentation at http://www.sophos.com/support/docs/

■ Send an email to [email protected], including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.

10 Legal notices

Copyright © 1996 - 2011 Sophos Group. All rights reserved. SafeGuard is a registered trademark of Sophos Group.

Sophos is a registered trademark of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

You find copyright information on third party suppliers in the file entitled Disclaimer and Copyright for 3rd Party Software.rtf in your product directory.
