README File for SafeGuard PrivateDisk 1.10.0 for IBM CSS

This version of SafeGuard PrivateDisk is adjusted for IBM computers with the IBM Client Security Software (CSS). The following differences apply to the standard version of SafeGuard PrivateDisk:

- The software can only be installed on computers from IBM.
- The Personal Edition also requires the installation of the IBM Client Security Software (CSS).
- There is a new PrivateDisk wizard for IBM CSS which helps the user in creating a first PrivateDisk drive. The wizard automatically starts after user logon. For logon to created PrivateDisk drives, a certificate is created for the IBM Embedded Security Subsystem (ESS, if available). For computers without IBM ESS, already existing certificates are used or a new certificate will be created if needed.
- When using IBM Rapid Restore: note that PrivateDisk volume files are always backed up as a whole. Large PrivateDisk drives can therefore consume the hard-disk space reserved for Rapid Restore quite fast.

1. System Requirements

A desktop computer with Microsoft Windows NT 4.0, Windows 2000 or Windows XP (all versions). Windows NT 4.0 requires at least Service Pack 4.

For Windows NT 4.0 or Windows 2000 up to SP2 we suggest the installation of the Microsoft High Encryption Pack if you want to use Microsoft Cryptographic Service Providers for certificates.

2. Version Information

SafeGuard PrivateDisk 1.10.0 contains the following improvements over version 1.00.6:

- New implementation of SHA-1 and AES.
- New menu item 'Explore' in the context menu of the PrivateDisk application, which opens the selected volume in the Windows Explorer.
- The 'Forced Dismount' button of the unmount dialog has been renamed to 'Forced Unmount'.
- The list in the 'Add Certificates' dialog can now be sorted by clicking on the header of a column.

SafeGuard PrivateDisk 1.00.6 contains the following improvements over version 1.00.5:

- The administrative template in the Enterprise Edition now also works for Windows .NET Server 2003.
- The Personal Edition now also allows signature certificates. Attention: not all smartcard CSPs work correctly with signature certificates in PrivateDisk. It may happen that signature certificates can be added to PrivateDisk volumes but cannot be used later for mounting the disk.
- Certificates with unknown critical extensions can not be assigned to PrivateDisks. This default behaviour can be changed in the Enterprise Edition with the administrative template. This feature had already been part of 1.00.5 but did not work.
- A value of 0 is no longer accepted in the settings for automatic unmount of PrivateDisk volumes.

SafeGuard PrivateDisk 1.00.5 contains the following improvements over version 1.00.4:

- PrivateDisks that are opened by a user for write access can now simultaneously be opened by other users for read-only access. Changes made by the writing user are visible to the reading users after some seconds (not for Windows NT 4.0!), unless a disk is opened with the flag "Fixed Disk".
- Labels for new PrivateDisks are set to the name of the volume file. NT Explorer in Windows XP therefore shows the container names for the PrivateDisks instead of "Removable Disk".
- If a PrivateDisk drive can not be unmounted because an application still holds references to the disk, the user can now choose to force the unmount operation. Attention: this may lead to loss of unsaved data!
- Read-only PrivateDisks are now always unmounted, even if some applications still have references to files on the disk.
- Certificate validity check has been improved:
  + It is now allowed to mount PrivateDisks with expired certificates.
  + Expired certificates can not be assigned to PrivateDisks.
  + Certificates with unknown critical extensions can not be assigned to PrivateDisks. This default behaviour can be changed in the Enterprise Edition with the administrative template.
  + Signature certificates can not be assigned to PrivateDisks. This default behaviour can be changed in the Enterprise Edition with the administrative template.
- If a PrivateDisk can not be mounted for write access because it is already in use by another person, the name of this person is now presented.
- Earlier versions of PrivateDisk stopped a system logoff or shutdown if a PrivateDisk could not be unmounted. This has been fixed. Logoff or shutdown now continue after asking the user to retry or force the unmount operation.
- In the Enterprise Edition, a preferred CSP can be defined in the administrative template. Whenever a user tries to use passwords for authentication or certificates from a different CSP, he will see a warning message informing him that the preferred CSP offers better security.
- The OLE automation interface has been extended:
  + The MountDisk command now has an additional parameter "ReadOnly" (bool) for mounting a disk for read-only access.
  + The UnmountDisk and UnmountAllDisks commands now have an additional parameter "ForcedDismount" (bool) to force the unmount of disks where applications still have open files. Note that this may lead to loss of unsaved data!
- Some (fast) workstations could not mount volume files on network locations. This has been fixed.

SafeGuard PrivateDisk 1.00.4 contains the following improvements over version 1.00.3:

- An error in the PrivateDisk main application when adding certificates with very long values for the fields 'Issuer', 'Subject' and 'Friendly Name' has been fixed.

SafeGuard PrivateDisk 1.00.3 contains the following improvements over version 1.00.2:

- Improved support for packet writing software for rewritable CD-RW and DVD media. With the use of such software, SafeGuard PrivateDisk volume files can be created on CD-RW and DVD-RW media and be used like normal writeable disks. SafeGuard PrivateDisk 1.00.3 now also works with Ahead InCD 4 and HP DLA.
- The command "Unmount all" in the PrivateDisk context menu of the task bar has been moved from the "Unmount" submenu to the main menu.
- Creating volume files larger than 4 GB on FAT32 disks is now disabled. This is a restriction of the FAT32 file system.

SafeGuard PrivateDisk 1.00.2 contains the following improvements over version 1.00.1:

- Support of USB dongle smartcard readers like the Omnikey 6020.
- Users can be forced to use certificates for new virtual disks instead of passwords (Enterprise Edition).
- Creation of initial disks did not work under Windows NT 4.0 (Enterprise Edition).
- A crash with intense usage of NT Explorer file operations has been fixed.

SafeGuard PrivateDisk 1.00.2 further includes the improvements of version 1.00.1 over version 1.00:

- In earlier versions the NT Explorer sometimes crashed or restarted.
- Support for additional third-party smartcard CSPs: DataSafe CSP, SafeSign CSP, SECUDE CSP, SmartTrust Smartcard CSP, Aladdin eToken CSP, IBM TCPA CSP.
- Support for cryptographic USB tokens: Aladdin eToken, Rainbow iKey 2000/3000, ActivCard ActivKey.
- French user interface and online help.
- Enhanced specification of the recovery certificate.
- Tray icon can be turned off (Enterprise Edition).
- Error logging for CRL check (Enterprise Edition).
- The PrivateDisk volume attribute "Shareable" has been renamed to "Fixed Disk" and is available for all operating systems. When enabled, local disks are simulated instead of removable media.
- Compatibility with the Windows 2000/XP Driver Verifier.

3. Installation

Administrative privileges are required to install the software. Simply execute the SafeGuard PrivateDisk MSI package to install the software. If the Microsoft Windows Installer component is not available on the computer (e.g. on Windows NT 4.0), there is a larger EXE package for SafeGuard PrivateDisk that automatically installs the Windows Installer component first.

It is possible to install the software on a network location. Note that in this case some files might be left over in the installation directory after deinstallation.

The software can be used immediately after installation. Normally, no reboot is necessary after installing SafeGuard PrivateDisk. Under Windows NT 4.0, however, updating some older Microsoft redistributable components might make a reboot necessary.

When installing the software with Active Directory (GPO), the following issues should be considered:

- SafeGuard PrivateDisk can only be installed per computer (Computer Configuration), not for single users (User Configuration).
- If a program package has a different language than the operating system of the client machine, then the setting "Ignore language when deploying this package" must be enabled for the package, otherwise the software will not be installed automatically.

4. Notes

* Single Login Password

The single login password is not shared between the multiple modules of SafeGuard PrivateDisk. If you mount some disks from within the main application and some others using the tray icon or the shell extension and you are using the single login feature, then you will have to enter the single login password more than once.

* Recovery Certificate (Enterprise Edition Feature)

The administrative template (ADM) of the Enterprise Edition can be used to define a recovery certificate, which is added automatically to new PrivateDisk volumes. This feature can be used by security administrators to gain access to encrypted data of users, e.g. after a user has left the company or when a user forgets his password.

Note that the recovery certificate is only identified by its serial number, which is not always unique (there might be multiple certificates with identical serial numbers from different issuers). In that case the first certificate found would be entered as recovery certificate. The next version of PrivateDisk will be able to specify the recovery certificate exactly.

5. Known Issues

* Deinstallation of Utimaco Products

When deinstalling SafeGuard Biometrics 1.60, SafeGuard Advanced Security 3.10 or older versions of this software, the ADM template files are deleted. Please run a "Repair" command for the SafeGuard PrivateDisk installation (Control Panel / Add or Remove Programs / SafeGuard PrivateDisk / Change) to restore the files.

* SafeGuard LAN Crypt 2.10 and 2.00

The definition of a LAN Crypt profile for encrypting whole PrivateDisk drives (e.g. "P:\*.*") leads to an encryption of all files on all drives! This issue will be solved in later releases of SafeGuard LAN Crypt. Encrypting PrivateDisk volume files (*.vol) with SafeGuard LAN Crypt is not possible.

* Drive label for PrivateDisk drive replaced by removable storage device label

In some situations, the drive label assigned to a PrivateDisk might get re-assigned to another removable storage device. When this occurs, the drive letter for the PrivateDisk will display the drive label of the newly attached device, even though the PrivateDisk can be accessed using the drive and not the newly attached device. If this occurs, unmount the affected PrivateDisk and re-mount it to ensure access to both devices.

* PrivateDisk volume files on removable media that get different drive letters assigned

PrivateDisk keeps a list of previously used volume files using their fully qualified path names. If the volume file resides on a removable medium whose drive letter has changed, e.g. a USB memory stick or a network share, the volume file can no longer be located using its original file name, and its entry in PrivateDisk is marked accordingly. In order to mount this particular volume file again, it has to be imported from the new drive with the changed drive letter using the "File Import..." function.

* Loss of data when writing to a PrivateDisk

When storing data onto a PrivateDisk whose volume file is located on a removable USB drive or on a network share accessed via WLAN, it may occasionally happen that the stored data are lost if the volume file can no longer be accessed; this is caused by the delayed write operation of the file system cache. This can happen if a removable medium is removed suddenly after the write operation has finished, or the wireless LAN connection is broken. Therefore it is strongly recommended not to remove any removable storage device that has a PrivateDisk mounted without unmounting it first. Besides that, it is not recommended to access PrivateDisks via wireless network connections that can not ensure trouble-free operation.

February 3rd 2005, Utimaco Safeware AG, Oberursel, Germany