Hiddn SafeDisk Installation Manual Version 2.1.5 24. April 2018
1. Introduction

This document will explain what is delivered, how units are initialized (loaded with certificates) and some alternatives for installing an operating system.

The Card Management System (CMS) Administrator is responsible for providing the required smart cards for initialization of the Hiddn SafeDisk units. For guidance on how to use the CMS to program CO Cards, please see the CMS manual.

When working with the Hiddn SafeDisk product, it is important to remember that once the PIN/password is accepted and data encryption keys are loaded, the keys stay active until powered off. This means the keys will survive a reboot, which might occur frequently during installation of operating system or restoring backups. However, the slightest loss of power to the drive will cause the encryption keys to be cleared.

2. Physical Installation of the Hiddn SafeDisk

Prior to initializing the Hiddn SafeDisk, the original hard drive of the computer must be removed and replaced with the Hiddn SafeDisk unit. Please consult your computer manufacturer's manual for instructions on how to remove and replace hard drives.

   1. Make sure the computer is powered off
   2. Remove the hard drive cover from the outside of the computer
   3. Remove the original hard drive from the computer
   4. Move any rubber or plastic parts from the original drive to the Hiddn SafeDisk
   5. Gently insert the Hiddn SafeDisk unit
   6. Press firmly at the end of the Hiddn SafeDisk unit to ensure that the connector is properly inserted.
   7. Reattach the hard drive cover and fasten any screws

The physical installation is now completed.

3. BIOS/UEFI Configuration

Before the Hiddn SafeDisk is ready for use you need to ensure that the SATA mode setting is correct.

   1. Power on your computer
   2. Enter BIOS/UEFI, usually by pressing F2.
   3. If Secure Boot option is present, disable it.
   4. If SATA mode option is present, set it to AHCI. RAID mode is not supported. If it fails, try IDE. IDE mode might also be called Native, Legacy or Compatibility.
   5. Save settings and EXIT

If you experience problems, try upgrading the BIOS to the latest version, then load default settings and start over.
4. Initialization and OS Installation

4.1 Preparing the installation media

For successful installation of an operating system, verify that the computer is able to boot from the installation media. There are two ways to boot from a specific device:

   1. Most computers will let you enter a boot menu by pressing F12 during startup. Some manufacturers use another key. You can then select the correct boot media from a list.
   2. Alternatively, configure BIOS/UEFI to always look for a connected USB, DVD or network bootable media in the boot order setting.

A newly installed Hiddn SafeDisk unit will be recognized as an unformatted disk drive without any boot sector.

4.2 First-time Initialization

The first time you use the Hiddn SafeDisk unit, you must go through an Initialization procedure, where you load certificates and configure the unit to allow User Cards to load data encryption keys into the unit. This is the Crypto Officer operation.

   1. Power on your computer without installation media
   2. Wait for the user interface to start and the message "Waiting for Key Token. Please insert" to appear
   3. Insert the Crypto Officer Card and wait for "Reading Crypto Officer Token"
   4. Enter PIN when prompted and confirm with Enter
   5. The process is confirmed by the message "Initialization Started"
   6. Wait for the on-screen message "Initialization Finished.", followed by "Press F8 to adjust RTC"
   7. If adjustment of the Hiddn SafeDisk unit's RTC clock is needed, press F8 and follow the on-screen instructions. Note that all timestamps are/must be given in GMT.
      NB! If RTC time is outside period of SAM Certificate the module will not be functional.
   8. Remove the Crypto Officer Card, confirmed by the message "Waiting for Key Token. Please insert"

4.3 OS Installation

If installing a preconfigured Windows image, the SATA mode used when building the image must match the mode set in the BIOS/UEFI. Different modes will result in a blue screen when booting. This is a well-known problem with Windows and is not related to the Hiddn SafeDisk.

To install the Operating System, follow the instructions below to first load data encryption keys into the unit.

   1. Insert the User Card, confirmed by the message "Reading User Token"
   2. Enter PIN when prompted and confirm with Enter
   3. Wait for the message "Remove Key Token to continue" to appear
   4. Remove the User Key Token
   5. Observe that the computer starts normally (i.e. looking for a bootable device)
   6. Install the operating system from the selected media
   7. It is recommended to load a preconfigured image, e.g. over the LAN (PXE boot). Make sure the OS power settings have disabled all settings for entering Sleep / Standby Mode.
4.4 Pre-boot security

Once the OS is installed, it is recommended to disable all external boot devices (USB, CDROM, DVD, Netboot, PXE) in the BIOS/UEFI settings, and to set the BIOS/UEFI password. This will normally also reduce boot time by several seconds.

5. Display Status Information

After power up it is possible to display information about the installed Hiddn SafeDisk unit by using the following keys when the message "Waiting for Key Token. Please insert" is displayed:

Pressing the F10 key (F2 before initialization) will display the following information about the Hiddn SafeDisk:

   - List of version numbers for the different components, serial number, time and platform:

        CM version 2.1.1.6
        CM HW version: 2.1.0.10
        CM FW version: 2.1.0.23
        SAM version 1.0.2.6
        SKR version: 2.2.0.3
        CM serial: XXXX-XXXX-XXXX-XXXX
        CM life cycle: User mode
        RTC time: XX.XX.XXXX XX:XX:XX
        SKR platform: BIOS

Pressing the t key will display the following temperature information stored by the Hiddn SafeDisk:

   - Current temperature
   - Current session max and min temperatures
   - Previous session max and min temperatures
   - Historical max and min temperatures

Pressing the c key will display the following information on certificates stored in the Hiddn SafeDisk:

   - CM2 certificate to/from validity dates
   - Revoked certificate list
   - RTC time
6. Zeroization

Zeroization clears all certificates and configuration, and reverts the unit to Personalization state. There are two ways to Zeroize (reset) the Hiddn SafeDisk unit: by pressing a physical button or by using a Zeroize CO card.

6.1 Physical button

For the SafeDisk with product number starting with SDM0-0 the Zeroize button is located close to the hole as indicated by the black arrow. For the SafeDisk with product number starting with LT02-0 the Zeroize button is located at the end of the unit and for the LT02-1 unit on the side. The Zeroize button is pressed using a paper clip through the small hole.

   1. Zeroize button needs to be pressed 1-2 seconds while the unit is powered on.
   2. On Zeroization, the LED will blink green as the Zeroize process is started followed by red blinks indicating that zeroization has completed.
   3. Crypto Module is ready for re-initialization

6.2 Zeroize CO card

   1. The CMS Zeroize action will produce a CO card with a signed Zeroize command targeted for the specific Crypto Module. All the certificates and key material are cleared for this CM2, and it is possible to start over and generate a new Initialization card for it.
   2. Power on your computer.
   3. Insert the Zeroize Key Token when the message "Waiting for Key Token. Please insert" appears on the screen.
   4. "Reading Crypto Officer Token"
   5. "Enter PIN:"
   6. "By performing this action, all data on the Crypto Module will be lost! Are you sure that you want to zeroize the Crypto Module? (Y/N)"
   7. The following is displayed:

        Zeroizing Finished.
        Crypto Module is ready for re-initialization
        Current RTC time is : XX.XX.XXXX XX:XX:XX
        No valid SAM Certificate could be read. Is CM2 initialized?

   8. "Press F8 to adjust RTC or remove token to continue"
      NB! If RTC time is outside period of SAM Certificate the module will not be functional.
7. Firmware Upgrade

To upgrade the firmware of the Hiddn SafeDisk you need the original initialization CO Card or a new Update CO Card and an Upgrade USB stick from your organization.

   1. Power on your computer and insert the Upgrade USB stick into a USB port (for product versions below 2.1.2.0, a USB 2.0 port must be utilized)
   2. When "Waiting for Key Token. Please insert" appears, press U to start the Upgrade process. Note that it can take up to 5 seconds from when the USB stick is inserted until the system detects it.
   3. The following is displayed:

        Searching for upgradefile ok
        Reading upgradefile. OK
        Upgrade version: 2.1.1.9
        Current CM2 version: 2.1.1.6

   4. Insert a Crypto Officer card when "Insert a CO card to authorize upgrade" is displayed:

        Verifying smart card before upgrade
        Reading Crypto Officer Token

   5. Enter PIN when prompted and wait for the initialization to finish.

        Your user certificate will expire in XXXX days.
        User certificate validity dates:
        From: XX.XX.XXXX XX:XX
        Until: XX.XX.XXXX XX:XX
        The current time of CM2 is XX.XX.XXXX XX:XX:XX
        CO card authenticated
        Searching for upgradefile. ok
        Reading upgradefile..ok

   6. Press y to continue with upgrade

        Installing CM2 upgrade
        Please do not power of or unplug your computer until upgrade is finished.
        Installing FPGA image (xxxxxxxxxx bytes) [ XX%]
        Verifying image signature ok
        Installing SKR image (xxxxxxxxxxx bytes) [ XX%]
        Verifying image signature ok
        Installing SAM image (xxxxxxxxxxx bytes) [ XX%]
        Verifying image signature ok
        Upgrade complete. Press any key to shut down computer
8. Cloning an existing system disk

This chapter is a quick guide to cloning an existing Windows disk (source) to an encrypted Hiddn SafeDisk. This description uses free open source applications that are publicly available. Several other tools exist and can be used following the same principles as described below. Active@ Disk Image is a recommended commercial product which is easy to use and can be used to both clone and resize in one operation.

8.1 Backup the entire source disk

The file system of the source disk will be resized in order to make it fit on the destination disk. All such operations introduce a potential risk of data loss. Backup your entire source disk before proceeding.

8.2 Reduce the amount of data on the source disk

The source disk cannot contain more data than will fit on the Hiddn SafeDisk, in this example, 119 GB. Note that by using a larger-capacity Hiddn SafeDisk, the step of reducing the partition size might be skipped.

8.3 Reduce the partition size of the source disk

Open Windows Disk Management from Control Panel or by right clicking My Computer and selecting "Manage...".

Right click the partition you want to reduce and select "Shrink Volume..." Then, enter the amount in MB by which to reduce the partition size. In this example, a new total size of 118 GB is selected to have some margin.

After selecting "Shrink", the process starts. If shrinking fails, this might be because files that are currently in use by Windows can't be moved. In this case, the GParted Live USB can be used to reduce the partition size.
8.4 Clone from source disk to Hiddn SafeDisk

Make the following connections:

   - Connect the Hiddn SafeDisk to the computer via SATA
   - Connect the source disk to the computer via SATA/USB/eSATA
   - Connect Clonezilla Live USB to computer (use "tuxboot" or "rufus" to create bootable Clonezilla USB disk)

First, boot computer from the Hiddn SafeDisk and authenticate with User Key Token and PIN code. When the computer restarts, boot from the Clonezilla USB disk. In Clonezilla, select expert mode and set option "icds" to not check size of destination disk. If asked to copy bootloader, select "yes".

8.5 Test Hiddn SafeDisk

When cloning is finished, disconnect source disk and the Clonezilla Live USB disk and reboot. Windows should now boot encrypted from the Hiddn SafeDisk.

Note 1: Shrinking a partition might be a very slow process. If possible, use a larger SSD to be able to skip this step of the cloning process.

Note 2: If the original drive is encrypted using BitLocker or similar software encryption product, be careful to deactivate the protection mechanisms and decrypt the drive before starting the cloning process. When finished, remember to reactivate the integrity checking features in e.g. BitLocker for protecting the OS boot files and drivers.
9. Power Settings

One of the main security features of the Hiddn SafeDisk is that the data encryption keys are cleared when the power to the SafeDisk is lost. This renders the unit useless for an attacker not having the User Key token and the PIN/passphrase.

Both Sleep and Hibernate will make the machine cut power to the SafeDisk. When power to the SafeDisk is restored the keys are no longer in the SafeDisk and need to be retransmitted from the User Card. Sleep, however, does not boot from the SafeDisk, and therefore the keys are not transferred to the SafeDisk. Because of this behavior the SafeDisk will be unreadable after returning from Sleep. Hibernate or power off must be used instead to be able to use the SafeDisk.

Sleep mode is under all circumstances a security risk, hence most security-aware organizations have already deactivated sleep mode as a corporate policy.

Hibernate mode is very similar to sleep, but instead of saving your open documents and running applications to your RAM, it saves them to your hard disk. This allows your computer to turn off entirely, which means once your computer is in Hibernate mode, it uses zero power. Once the computer is powered back on, it will resume everything where you left off. It just takes a bit longer to resume than sleep mode does (though with an SSD, the difference isn't as noticeable as it is with traditional hard drives). Hibernation with a fully encrypted drive should be acceptable from a security point of view and is supported by the Hiddn SafeDisk.
9.1 Disable Sleep

9.1.1 Using GPO in Active Directory (IT Admin only)

Start "Group Policy Management" on Domain Controller then edit Default Domain Policy or create new Policy.

Navigate to: Computer Configuration - Policies - Administrative Templates - System - Power Management - Sleep Settings

9.1.2 Locally on a Windows Computer

Start "Edit Group Policy (gpedit.msc)".

Navigate to: Computer Configuration - Administrative Templates - System - Power Management - Sleep Settings
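The following PowerShell check is an added example, not part of the Hiddn manual: it reports whether the Sleep Settings policy from section 9.1 is in effect on a Windows machine. It assumes the setting meant is "Allow standby states (S1-S3) when sleeping" (plugged in and on battery), which the manual does not name; the function name Get-StandbyPolicyState is hypothetical.

```powershell
# Added example (not from the Hiddn manual).
# Assumption: "Sleep Settings" in section 9.1 refers to the policy
# "Allow standby states (S1-S3) when sleeping" (plugged in / on battery),
# which Windows stores under the registry key below.
$StandbyPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'

function Get-StandbyPolicyState {
    param([string]$Key = $StandbyPolicyKey)
    foreach ($name in 'ACSettingIndex', 'DCSettingIndex') {
        $value = $null
        if (Test-Path -Path $Key) {
            # A missing value yields $null, which means "Not configured".
            $value = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        }
        if ($null -eq $value) { $state = 'NotConfigured' }
        elseif ($value -eq 0) { $state = 'Disabled' }
        else                  { $state = 'Enabled' }

        [pscustomobject]@{
            Power        = if ($name -eq 'ACSettingIndex') { 'Plugged in' } else { 'On battery' }
            RegistryName = $name
            Policy       = $state
            SleepBlocked = ($state -eq 'Disabled')
        }
    }
}

$states = Get-StandbyPolicyState
$states | Format-Table -AutoSize

if ($states.SleepBlocked -contains $false) {
    Write-Warning 'Standby (S1-S3) is not blocked by policy; the SafeDisk will be unreadable after Sleep.'
} else {
    Write-Output 'Standby (S1-S3) is blocked by policy for both AC and battery.'
}

# Cross-check the sleep states the machine actually exposes. Hibernate should
# remain available, since the manual supports it. The output is localized,
# so it is printed for review rather than parsed.
powercfg /a
```

A "NotConfigured" result means the policy has not reached the machine, so Sleep is still governed by the local power plan.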
Trademark Disclaimers

Hiddn Security and the Hiddn logo and graphics are trademarks of.

Disclaimer

Hiddn Security accepts no liability for any consequential, incidental, direct or indirect damage (including loss of business profits, business interruption, loss of business information and similar events causing losses to business) arising from any action and/or inaction based on information contained in this document. Hiddn Security does not accept any liability for any loss of data and/or company and/or personal information that may result from any action and/or inaction based on information contained in this document. Users are instructed to make backups of all data prior to installation of any device or product described herein.

All Hiddn SafeDisk parts are Hiddn Security's parts, and Hiddn Security does not accept any liability for any direct or indirect loss related to the handling and/or mishandling of any of the parts and/or a combination of the parts provided in this package. Hiddn Security reserves the right to, at any time and without notification, change its offer and/or price and/or availability of parts.

Note: Hiddn Security has the responsibility that this equipment complies with the FCC criteria for radiation and any user made changes or modifications to this equipment that are not expressly approved by Hiddn Security could void the user's authority to operate this equipment.

Contact Information:

E-mail: support@hiddn.no
Website: http://www.hiddn.no