McAfee SafeBoot Security
SafeBoot Clients Device Encryption / Content Encryption
McAfee World-wide Learning and Development
Copyright 2008 McAfee, Inc. All Rights Reserved.
The training information provided herein is the property of McAfee, Inc., and is
intended for the sole use of the individual or organization purchasing the
training. Distribution of the training material outside of the purchasing
organization is strictly prohibited.
All information contained herein is subject to change without notice. McAfee is
not responsible for errors or damages of any kind resulting from use of the
information contained herein. Every effort has been made to ensure the
accuracy of information presented as factual; however errors may exist.
Users are directed to countercheck facts when considering their use in other
applications. McAfee is not responsible for the content or functionality of any
technology resource not owned by the company.
The statements, comments, or opinions expressed by users through use of
McAfee's technology resources are those of their respective authors, who are
solely responsible for them, and do not necessarily represent the views of
McAfee, Inc. and/or its affiliates.
2/21/2008
Objectives
At the end of this section, the student will be able to:
Force synchronization between the client and the Object Directory using the DE SysTray icon functions
List the policy changes needed to enforce full disk encryption
Use the Status window to determine current client disk encryption status, view installed modules, and observe synchronization events
Explain how to initiate the recovery process for Content Encryption
List the policy changes needed to allow Windows context menu options for Content Encryption
Encrypt and decrypt files on the client using Content Encryption
1. SafeBoot Device Encryption Client
Review: How SafeBoot Works - Full Disk Encryption (SafeBoot DE)
SafeBoot takes control of the hard disk from the O/S
SafeBoot driver encrypts all data written to disk
SafeBoot driver also decrypts all data read from disk
Hard disk contents are completely encrypted and unreadable without the appropriate authorization
SafeBoot installs a mini-O/S on the hard disk (SafeBoot File System)
Once authenticated, the SafeBoot encryption driver is loaded and the original O/S is booted.
SafeBoot protects the user's PC by simply taking control of the hard disk from the operating system.
The SafeBoot driver encrypts every piece of data written to the disk; it also decrypts every piece of
information read off the disk.
If an unauthorized application broke through the SafeBoot barrier and read the disk directly, it would
find only encrypted data, even in the Windows swap file and temporary file areas.
SafeBoot installs a mini-operating system on the user's hard drive; this is what the user sees when
they boot the PC. SafeBoot looks and feels like Microsoft Windows, with mouse and keyboard
support, moveable windows etc. This SafeBoot OS is completely self-contained and does not need to
access any other files or programs on the hard disk. It is responsible for allowing the user to
authenticate with a password, for example, or with a token such as a smart card.
Once the user has entered the correct authentication information, the SafeBoot operating system
starts the crypt driver in memory and boots the protected machine's original operating system. From
this point on the machine will look and behave as if SafeBoot was not installed. The security is
invisible to the user: the only readable data on the hard disk will be the SafeBoot operating system;
the encryption key for the hard drive is itself protected with the user's authentication key. The only
possible way to defeat SafeBoot is to either guess the hard disk encryption key, or to guess the user's
password.
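As an added illustration (not SafeBoot's code, and not its actual key scheme), this Python model shows the layering the notes describe: a driver that encrypts every sector written and decrypts every sector read, a direct disk read that sees only ciphertext, and a disk key that is itself protected by a key derived from the user's password, so a password change rewraps that key without re-encrypting the disk. The HMAC-based keystream, the PBKDF2 parameters and the 512-byte sector size are assumptions chosen so the example runs on the standard library alone.

```python
import hashlib, hmac, secrets

SECTOR = 512

def keystream(key, label, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a disk cipher, not SafeBoot's own.
    # One fixed pad per sector leaks the XOR of rewrites; real FDE uses a tweakable mode (XTS).
    return b"".join(hmac.new(key, label + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class EncryptedDisk:
    # A random disk key (DEK) encrypts every sector; only a copy of the DEK wrapped under a
    # key derived from the user's password (KEK) is stored, so the password never touches data.
    def __init__(self, password, sectors=8):
        self.raw = bytearray(sectors * SECTOR)   # the platter: never holds plaintext
        self.salt = secrets.token_bytes(16)
        self.dek = None                          # held in memory only after authentication
        self._wrap(password, secrets.token_bytes(32))

    def _kek(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000, 32)

    def _wrap(self, password, dek):
        kek = self._kek(password)
        self.wrapped = xor(dek, keystream(kek, b"wrap", self.salt, 32))
        self.tag = hmac.new(kek, self.wrapped, hashlib.sha256).digest()  # detects a wrong password

    def unlock(self, password):
        # Pre-boot authentication: recover the DEK or refuse, without touching sector data.
        kek = self._kek(password)
        if not hmac.compare_digest(self.tag, hmac.new(kek, self.wrapped, hashlib.sha256).digest()):
            return False
        self.dek = xor(self.wrapped, keystream(kek, b"wrap", self.salt, 32))
        return True

    def _pad(self, sector):
        if self.dek is None:
            raise PermissionError("disk locked: authenticate first")
        return keystream(self.dek, b"sector", sector.to_bytes(8, "big"), SECTOR)

    def raw_read(self, sector):      # a direct disk read that bypasses the driver
        return bytes(self.raw[sector * SECTOR:(sector + 1) * SECTOR])
    def write(self, sector, data):   # driver path: encrypt everything written
        self.raw[sector * SECTOR:(sector + 1) * SECTOR] = xor(data.ljust(SECTOR, b"\0"), self._pad(sector))
    def read(self, sector):          # driver path: decrypt everything read
        return xor(self.raw_read(sector), self._pad(sector))

    def change_password(self, old, new):
        # Only the wrapped DEK is rewritten; no sector is re-encrypted.
        if not self.unlock(old):
            return False
        self._wrap(new, self.dek)
        return True
```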
The SafeBoot Device Encryption Client
Connects to Object Directory, or configuration store at boot
Uploads latest audit and password changes, downloads any central
configuration changes
End-user only sees SafeBoot Monitor icon in SysTray.
Double-click to lock workstation
Right-click to:
Lock Workstation
Show Status
Synchronize
The SafeBoot Client connects to its Object Directory, or configuration store, which may be on the
same machine, on a network drive, or reached via a SafeBoot Server. It does this every time the machine boots.
Once connected to the directory, the SafeBoot client uploads the latest audit and password changes to
the directory, and if necessary downloads any configuration changes specified centrally.
The only user-visible part of SafeBoot is the SafeBoot Monitor icon in the user's System Tray. By
double-clicking the icon users can lock the workstation. By right-clicking it they can select one of
three actions.
Lock Workstation
Locks the client workstation.
Show Status
The configuration process within SafeBoot 5.1 is largely transparent to the user. The only evidence
of SafeBoot working can be found from the status menu available from SafeBoot's tool tray icon. The
Status window displays any on-going configuration tasks (such as encryption processes) and status
messages from the last directory connection.
Synchronize
SafeBoot tries to establish a connection with its directory during the boot process. In a situation where
the directory is unavailable, for example a notebook user who is connecting via dial-up networking,
the user can establish a connection at any time and select the Synchronize option to connect to a
remote directory and collect / upload changes.
Client Status Window
Displays synchronization status messages
Displays current disk encryption level
Click Modules to view loaded modules
Selecting Show Status from the SafeBoot DE SysTray icon will launch the SafeBoot Client Status
window.
Use the Client Status Window to:
View synchronization messages from past and current synch events
View the current disk encryption level for this client. Note that in this example, the disk has not
been encrypted.
The Clear Log button will clear all messages from the synch status window.
You can also click the Modules button to view a list of loaded SafeBoot modules.
SafeBoot Modules
Clicking the Modules button displays the Loaded Modules window.
Click the Save button on this window to save the module information to a text file. You can also use
the Copy to Clipboard button to copy the information to the Windows clipboard and paste it into
another document.
Enabling Full Disk Encryption
Select Full encryption in the machine properties, then synch
Client status window will display encryption progress
To enable full disk encryption, edit the client properties and, under the Encryption category, select the
Full button to indicate full disk encryption for this client machine.
Once the client has synchronized, the SafeBoot Client Status window will display the current progress of
the disk encryption task.
Note the estimated time to encrypt: in this example the disk to encrypt was 8Gb total with approx.
3Gb of existing data. Encryption time was approx. 15 minutes.
Disk Encryption Status
Once encryption is complete, the status window displays the new disk encryption status (Full)
Once the disk encryption task is complete, the SafeBoot Client Status window will display the new
disk encryption status.
2. SafeBoot Content Encryption Client
Review: SafeBoot Content Encryption Client
Encrypts files/folders according to policy
Acts like a filter between application and media
Automatically encrypts based on policy assigned
Decrypts on-the-fly into memory when accessed
Source always remains encrypted on media
Encryption/Decryption transparent to user
The SafeBoot Content Encryption client automatically encrypts folders and files according to policies
set by SafeBoot Administrators, and delivered by the SafeBoot Server. The SafeBoot Content
Encryption client acts like a filter between the application creating or editing the files and the storage
media, e.g. the hard disk.
Whenever a file is written to supported storage media, the SafeBoot Content Encryption filter
executes the assigned encryption policies and encrypts the file if applicable. When an application later
reads the file, the encryption filter automatically decrypts the file as it is read into memory.
The source file always remains encrypted on disk.
The encryption/decryption process happens automatically and is fully transparent to the user. The
user does not notice any difference between working with encrypted and plaintext files; the user's
working procedures are not, and must not be, disturbed.
SafeBoot Content Encryption Client
SafeBoot CE Icon added to SysTray
Menu depends on policy
Could include:
About SafeBoot Content Encryption
Close All Keys
SafeBoot Logon
SafeBoot Recovery
Send Support Information
Key Management
With SafeBoot Content Encryption installed, there is an additional icon in the system tray, or an
entry added to the SafeBoot Monitor single-tray icon.
The content of the menu when right-clicking the tool tray icon is defined by a policy for each user
logging on.
The option About Content Encryption displays important configuration data for the SBCE client
in a separate window.
The option Close All Keys enables users to close all the keys that have been opened to access data,
thus securing (locking) the system.
SafeBoot Logon opens a communication with the SafeBoot Server in order to retrieve the latest
policy from the Object Directory, and the SafeBoot Recovery option allows users to recover lost
SBCE passwords.
Key Management provides options for managing local keys, if enabled by policy. This includes
creating, importing, and deleting local keys.
About SafeBoot Content Encryption
Displays info about the SafeBoot CE config
7 tabs:
General
Components
Managers
Plugins
Keys
Policies
Progress
About Content Encryption
This option opens a dialog with important configuration information about this installation of
SafeBoot Content Encryption.
Contains 7 tabs:
General - Version and copyright information.
Components - This dialog shows the installed components constituting the SafeBoot Content
Encryption client. The version number for each component is also presented along with a brief
description.
Managers - This dialog contains information about the Managers that control SafeBoot Content
Encryption. The Managers are the components that manage interaction between different parts of the
Content Encryption client, e.g. with providers and the kernel driver. The type of Manager is listed
(Sys=System Manager, Usr=User Manager) as well as the Manager version number and the classID.
Key Manager - Displays the encryption keys available to CE on this client machine.
Log Manager - This Manager is responsible for the interaction with various logging systems
through the Log Providers. Currently, this functionality is not fully implemented as there are no
complete Log Providers available.
Notification Manager - This Manager is responsible for catching and interpreting all the internal
notification events in the system that affect Content Encryption, e.g. a user logging on or a USB
memory stick being inserted.
Policy Enforcement Manager - This Manager is responsible for all the enforcers that are at work in
the Content Encryption client. Examples of enforcers are the removable media policy enforcer and
the folder encryption enforcer. This Manager tells all enforcers when to start and what to do.
Policy Processing Manager - This Manager is responsible for the interpretation and processing of
the policies that are assigned to the system.
Policy Update Manager - This Manager receives policy updates through the interaction with the
policy providers.
Tray Manager - This Manager is responsible for the providers constituting the system tray menu.
Plugins - The Plugins are the components that are managed by the Managers presented above. These
components are both providers (e.g. Key Provider and Policy Provider) and various plugin modules.
The starting condition for each plugin is listed:
Sys=Started by sbceCoreService.exe in System context
Usr=Started by sbceCore.exe in User context
Ins=Started at the time of the installation of the system
The version of each plugin is also listed, as well as its classID.
Keys - This dialog presents information about what encryption keys are available to the system. It
shows the name of the key and the current status (Open/Closed). If the key is Closed, then the user
needs to authenticate when trying to access the key. Information about what algorithm is associated
with each key is also presented, as well as the key length.
The key inactivity timeout for each key is also listed. This parameter is controlled from SafeBoot
Management Centre. When the key inactivity timeout has elapsed, the key will close. There is also a column
stating which providers provide the key and the classID for each encryption key.
Policies - This tab contains information about the currently loaded policies. The type of policy is
listed in the left-hand column. You will notice the exemptions done for certain CD/DVD burning
applications, meaning that these applications will be able to write encrypted data onto CDs and
DVDs. In essence, this list is a reflection of the policy as created in the SafeBoot Management
Centre with all parameters.
Remember that changes to a Machine policy require a restart of the client computer before they
take effect. Changes to User policies only require a SafeBoot Content Encryption Logon to take
effect, e.g. an authentication to an encryption key will update any User policy change, provided the
computer can reach the SafeBoot Server.
Progress - This dialog shows any ongoing activities in the Content Encryption client services. For
example, it is possible to monitor when the client starts encrypting a network share folder, and an
estimate of when it will be completed. This monitoring is useful for support purposes. If there is a
sudden increase in the CPU and/or RAM usage on the client PC, it is now possible to monitor if
Content Encryption is involved and what client activity caused the increase and for approximately
how long it will last.
All the SafeBoot Content Encryption Enforcers run at regular intervals, checking for policy
compliance. There are different enforcers for different purposes. A value of Idle until shows the
time until each Enforcer will start a new round of compliance checking.
Content Encryption Recovery
In order to recover a password for Content Encryption, select the SafeBoot Recovery option from the
CE Tray icon.
You will be prompted to supply the name of the user. Once you have entered the user name and
clicked Next, you will be provided with the Client Code.
The remainder of the recovery process is identical to the Device Encryption recovery process, which
is detailed in the next module, User and Machine Recovery/webHelpDesk.
Explicit Encrypt/Decrypt - Windows Shell
File context menus are determined by policy
In this example, no explicit encrypt/decrypt is allowed
The SafeBoot Content Encryption policy determines which context menu options are available for
CE. In the example shown, explicit encrypt and decrypt of files is disabled.
Enabling Explicit Encrypt/Decrypt
Modify the Encryption Policy to Allow explicit encrypt and Allow explicit decrypt
Apply and synchronize
To enable the Encrypt / Decrypt options for file context menus, modify the Encryption Policy to
Allow explicit encrypt and Allow explicit decrypt. Apply the changes and synchronize the client(s).
The new selections will appear on file context menus, as shown in this example.
Manually Encrypt/Decrypt Files
To manually encrypt a file, right-click the file and select Encrypt.
You will be prompted to select the encryption key to use. You may be prompted for a password as
well.
The encrypting screen will briefly appear (not shown in this example).
The encrypted file will display the keyhole icon, if enabled by policy.
Manually Encrypt/Decrypt Files
Right-click, choose Decrypt
The keyhole icon disappears, indicating the file is no longer encrypted
To manually decrypt a file, right-click the file and select Decrypt. The file will be decrypted, and the
Keyhole icon (if enabled by policy) will disappear.
End Module