Hard Disk Encryption of ControlSphere

ControlSphere Encrypted Volume Manager
ControlSphere provides a unified Encrypted Volume management console, the Encrypted Volume Manager. It displays a list of the encrypted volumes that are currently mounted, with detailed information on each volume.

The volume attributes include:

Drive Index: The drive letter the volume is currently mounted on.

Volume Name: The identification name of the volume, defined at the time of its creation.

Volume Size: The volume size, in megabytes.

Encryption Key Name: The name of the Encryption Key used by the volume.

Volume Status: The status describes the volume mounting options. It can be one of the following values:
    Manually Mounted: The volume has been mounted manually.
    Auto-mounted: The volume has been mounted automatically on token logon and will be dismounted on token removal (computer lock or logoff).
    Automated Mount/Dismount: The volume has been mounted automatically on token logon and will be dismounted on logoff.
    User Home Drive: The volume has been mounted automatically on token logon and will be dismounted on logoff. It is an active User Home Drive.
    Server Volume: The volume is a server volume. Server volumes are encrypted volumes mounted at computer boot time and automatically dismounted at shutdown or power down.

    Windows Vista: The volume status may also include the "[Global]" mark, indicating that the drive is visible to all users of the computer.

Volume File Location: The full path to the Encrypted Volume file.

The following actions are available for volumes in the list:

Dismount Volume: Dismounts the currently selected volume. Note that server volumes and the User Home Drive cannot be manually dismounted.

Check Volume: Prompts you for the disk checking mode (with or without error correction) and runs the external chkdsk.exe utility on the encrypted drive.

Encrypted Volume Management
This section provides quick links to encrypted volume management functions.

Click Create Encrypted Volume to start the Encrypted Volume creation procedure (see below).
Click Mount Encrypted Volume to start the Encrypted Volume mounting procedure (see below).
Click User Profile Migration to open User Profile Migration Wizard.

Automatic Volume Mounting
This section provides quick links to encrypted volume automation functions.

Click Automate Volume Mounting with a Token to open the Encrypted Volume Automation Manager.
Click Server (boot-time) Volume Configuration to edit the Boot-time Encrypted Volume layout of ControlSphere (see below).


Encrypted Volume Management functions
Create Encrypted Volume

To create an Encrypted Volume, select the path and file name to create it under. You can either type the location (full path) manually or click Browse to select a folder and a file name.
Next, select the size (capacity) of the volume in MB or GB. Make sure there is enough space available for the volume at the selected location.
Define a name for the volume. The name is used for identification purposes.
Select the location of the Encryption Key to encrypt the data with. You can choose from the following locations:
    Currently authorized (logged-on) token: Use the currently "authorized" token, that is, the token that was used to log on to the computer. This option is not available if there is no "authorized" token. A list of Encryption Keys stored on the "authorized" token will be displayed in the key list area below. You can click Organize to open Encryption Key Manager and modify the key list on the token.
    Another token: Use an Encryption Key from another token. You will be asked to connect the source token and provide its User PIN. A list of Encryption Keys stored on the token will then be displayed in the key list area below. You can click Organize to open Encryption Key Manager and modify the key list on the token.
    Use Token Image file: Use an Encryption Key from an encrypted Token Image file. You will be prompted to provide the full path to the file or locate it by clicking Browse. Once the file path is provided, click Open Token Image file and enter the encryption password protecting the file; a list of Encryption Keys stored in the Token Image file will be displayed in the key list area.

Finally, select an Encryption Key to use from the list of available keys.

You can optionally mount the volume as a particular drive letter once it is created. To do so, select the Mount the volume now as option and select a drive letter to mount it on. Note that ControlSphere will prompt you to format the volume at the mount point.
You may also want to automate the volume mounting with your token logon. To do so, select the Automate volume mounting for the token device option. In this case ControlSphere will activate Encrypted Volume Automation Manager for your token once the volume is created and will initiate the volume automation definition.
Click OK to create the Encrypted Volume.

Mount Encrypted Volume

The easiest way to mount Encrypted Volumes is to automate their mounting with a token-based logon or computer unlock. This way a user will always have his environment (encrypted drives) mounted automatically. The volumes can always be mounted manually as well.

The easiest way to manually mount an Encrypted Volume is to double-click the volume file (EDR) in Windows Explorer. Alternatively, you can start the process by clicking the appropriate menu item in the ControlSphere tray icon menu (Disk Encryption sub-menu) and selecting a volume to mount.

Once the Encrypted Volume is selected, ControlSphere will look up its Encryption Key on the currently "authorized" token. If there is no "authorized" token or the Encryption Key cannot be found on the token, ControlSphere will switch to manual key lookup mode.
Once the Encryption Key is located, the volume is ready to be mounted. You can optionally select the Mount as read-only option to mount the volume as a read-only drive. You may also want to automate the volume mounting with your token logon. To do so, select the Automate volume mounting for the token device option. In this case ControlSphere will activate Encrypted Volume Automation Manager for your token once the volume is mounted.

Note that ControlSphere will prompt you to format the drive if it has not been formatted before.

Lookup Encryption Key

ControlSphere uses the Encryption Key lookup procedure if no "authorized" token has been set yet or the desired Encryption Key cannot be found on the token. It will prompt you to select the location of the key.

You can select either Token Image file or Another token to look up the key.

If you select Token Image file, ControlSphere will ask you to provide the full path to the file or Browse for it. You will then have to "Open Token Image file" and provide the encryption password. ControlSphere will search the file for the desired Encryption Key and, if it is found, will close the lookup window automatically.

If you select Another token, ControlSphere will prompt you to connect one and provide the corresponding User PIN. ControlSphere will search the token for the desired Encryption Key and, if it is found, will close the lookup window automatically.


Define Server (boot-time) Volume Configuration
The ControlSphere boot-time encryption service mounts encrypted volumes at computer boot time and automatically dismounts them at shutdown or power down. Such volumes are an ideal solution for protecting server data. The volumes can be configured to mount before defined Windows services (databases, enterprise servers, etc.) start, allowing those services to use the encrypted volumes as their primary data storage from startup. This ensures the data of your enterprise is stored securely.

Mounting the volumes will require appropriate encryption keys loaded from single or multiple hardware tokens, which must be authorized by entering corresponding PIN(s).

The server volume layout configuration is stored locally on a computer.

You can view or edit existing server volume layout entries in the "ControlSphere Server (boot-time) Volume Layout" window. A list of existing server volume configuration entries is displayed in the list control.
The entry attributes include:

Preferred: The preferred drive letter to mount the volume on.

Mounted As: The drive letter the volume is currently mounted on.

Volume Name: The identification name of the volume, defined at the time of its creation.

Volume Size: The volume size, in megabytes.

Encryption Key Name: The name of the Encryption Key used by the volume.

Volume File Location: The full path to the Encrypted Volume file.

You can Add, Edit or Remove ControlSphere boot-time volume automation entries from the list by clicking the corresponding buttons.

Defining Server Volume layout entry
To define a ControlSphere server volume mounting rule, select the Encrypted Volume file to mount at computer boot time as part of the server volume layout. You can do so by typing the full path to the file manually or by clicking Browse to locate the file. Once the Encrypted Volume file is selected, choose a preferred drive letter to mount the volume on.

Click OK to commit your changes. Note that the changes will take effect the next time the computer is restarted.
Note that the server volumes are always visible to all users logged on to the computer.





Appendix


Encryption Keys of ControlSphere
ControlSphere uses the standard AES256 (Advanced Encryption Standard) symmetric encryption algorithm, which provides reliable encryption strength for decades to come. In addition to the standard, ControlSphere provides enhancements for easier identification or multiplication of the AES keys. The keys are used by the ControlSphere Disk and File Encryption services.

Encryption Keys have the following attributes:

Key Name: The name of a key is used for convenient identification purposes.

Key Length: In addition to the standard encryption method, ControlSphere provides a key stacking feature, i.e. a number of AES256 encryption keys stored within a single "chained" encryption key (up to 8 AES 256-bit keys in a single key).

ControlSphere uses standard 256-bit AES keys to encrypt and decrypt data. This encryption algorithm is very strong and reliable, but in some cases there can be a need to increase its strength even further. For this purpose ControlSphere allows doubling or multiplying the AES keys in a single "chained" key that can hold up to 8 keys of 256-bit length each and performs the encryption with them consecutively. This way ControlSphere stays compliant with standard AES256 encryption, but provides extra strength to the encryption if required.

See the encryption key lengths/strengths comparison table below:

Summary key length (bits)   Compared with standard AES 256   Performance penalty
2x256 keys                  approx. 10^77 times stronger     2 times slower
4x256 keys                  approx. 10^231 times stronger    4 times slower
8x256 keys                  approx. 10^539 times stronger    8 times slower

Even using stacked 2x256bit keys increases the encryption strength dramatically, but only doubles the time taken to process the encryption.
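
The figures in the comparison table follow from comparing key-space sizes, as this added derivation shows (it is not part of the original documentation). For n chained 256-bit keys measured against a single 256-bit key:

$$\frac{2^{256n}}{2^{256}} = 2^{256(n-1)}, \qquad \log_{10} 2^{256(n-1)} = 256\,(n-1)\log_{10} 2 \approx 77.06\,(n-1)$$

$$n = 2:\ \approx 10^{77}, \qquad n = 4:\ \approx 10^{231}, \qquad n = 8:\ \approx 10^{539}$$

These ratios measure exhaustive search over the combined key only. For consecutive encryption under independent keys, meet-in-the-middle techniques trade memory for time, so the practical gain can be smaller than the key-space ratio.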

Note on key lengths usage
Using single 256-bit keys is completely sufficient for most cases. Using longer keys increases data safety but slows down the encryption/decryption operations a little. We recommend using 256-bit keys in most cases, since this should be enough for most, if not all, needs. Longer keys slow down encryption/decryption performance, thus slowing data exchange performance.

Hints on Encryption key usage
Typically, System Administrators will create a number of keys on their primary tokens (or in the centralized encryption key storage provided by ControlSphere software) and then export them to users' tokens, so both the Administrator and a user can access the user-defined encrypted drives. We also recommend having enterprise-wide encryption keys and requiring users to use them. This way group access to encrypted resources/drives can be supported.



User Home Drive
The User Home Drive is a ControlSphere encrypted volume that holds the entire user environment securely. The volume is a sort of roaming profile that can be shared among different computers on a network, keeping all user files and data portable and secure. ControlSphere redirects the following system shell folders to the drive automatically:

Shell Folder Name        Mapped folder on the Encrypted drive
"My Documents"           <ROOT:>\User Home Drive\Personal
"My Pictures"            <ROOT:>\User Home Drive\Personal\My Pictures
"My Music"               <ROOT:>\User Home Drive\Personal\My Music
"My Network Places"      <ROOT:>\User Home Drive\NetHood
"User Desktop"           <ROOT:>\User Home Drive\Desktop
"My History"             <ROOT:>\User Home Drive\Local Settings\History
"My Recent Documents"    <ROOT:>\User Home Drive\Recent
"Favorites"              <ROOT:>\User Home Drive\Favorites
"Internet Cookies"       <ROOT:>\User Home Drive\Cookies

Besides the user shell folders ControlSphere can optionally redirect temporary user file folders to the User Home Drive (see Automate Volume Mounting window for a list of drive auto-mounting options). If configured, the following folders are redirected after the drive is mounted and restored to their original location once the drive is dismounted:

Temporary Folder              Mapped folder on the Encrypted drive
"TEMP" and "TMP" folders      <ROOT:>\User Home Drive\Temp
"Temporary Internet Files"    <ROOT:>\User Home Drive\Temporary Internet Files


IMPORTANT
(Windows 2000/XP): The User Home Drive feature can only be activated at the time the user logs on to Windows and uses his token to automatically mount its volume configuration. This is because the User Home Drive requires environment paths to be set to the drive prior to the user environment activation, and the paths cannot be changed once the user is logged on to Windows. If no User Home Drive is activated at logon time, ControlSphere will mount the drive as an ordinary one with no shell environment redirection.
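
Because a Home Drive that was not activated at logon is mounted without redirection, user data can silently land on the unencrypted system disk. The following added example (not ControlSphere code) audits the current session against the two tables above; it assumes the redirection is visible through the standard per-user "User Shell Folders" registry key and the TEMP/TMP variables, and the DriveLetter parameter is a name chosen for this sketch.

```powershell
# Added example (not vendor code). Assumption: shell-folder redirection is
# visible in the standard per-user "User Shell Folders" registry key.
param(
    # Drive letter the User Home Drive is mounted on, e.g. H
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter
)

$root = "${DriveLetter}:\User Home Drive"
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Registry value name -> folder under the root, taken from the tables above.
$expected = [ordered]@{
    'Personal'    = 'Personal'
    'My Pictures' = 'Personal\My Pictures'
    'My Music'    = 'Personal\My Music'
    'NetHood'     = 'NetHood'
    'Desktop'     = 'Desktop'
    'History'     = 'Local Settings\History'
    'Recent'      = 'Recent'
    'Favorites'   = 'Favorites'
    'Cookies'     = 'Cookies'
}

# Get-ItemProperty returns REG_EXPAND_SZ values with variables expanded.
$actual = Get-ItemProperty -Path $key
$report = foreach ($name in $expected.Keys) {
    $want = "$root\$($expected[$name])"
    $have = [string]$actual.$name          # empty string if the value is absent
    [pscustomobject]@{
        Folder = $name; Actual = $have; Required = $true
        Redirected = ($have.TrimEnd('\') -ieq $want)
    }
}

# Temporary-folder redirection is optional, so report it without failing.
foreach ($var in 'TEMP', 'TMP') {
    $have = [string][Environment]::GetEnvironmentVariable($var)
    $report += [pscustomobject]@{
        Folder = $var; Actual = $have; Required = $false
        Redirected = ($have.TrimEnd('\') -ieq "$root\Temp")
    }
}

$report | Format-Table -AutoSize
# Non-zero exit when a required folder still points outside the encrypted drive.
if ($report | Where-Object { $_.Required -and -not $_.Redirected }) { exit 1 }
```

A TEMP or TMP value stored in 8.3 short-path form is reported as not redirected; compare that path manually.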

The User Home Drive volume can still be used as a regular encrypted drive in addition to the Home Drive functionality. The drive can always be accessed directly with the help of Windows Explorer or another file manager. It is always possible to organize files on the User Home Drive manually. However, ControlSphere provides an easy utility for migrating files to and from the Home Drive.

The encrypted volume is portable and can be mounted as a User Home Drive from a network location as well. We recommend storing the User Home Drive volume on the network server, when applicable.

The configuration of the User Home Drive is stored on the token itself and is token-dependent. It is a part of the token-automated drive configuration. Once the drive is configured, ControlSphere will try to mount and activate the drive on every computer you log on to. If you put the volume on a network server or a remotely accessible location, you are basically turning your Home Drive into a portable "user profile".