
SafeBoot N.V.

Edisonbaan 15, Nieuwegein, 3439 MN, The Netherlands


Tel: +31 (0)30 6348800
Fax: +31 (0)30 6348899
Email: info@safeboot.com

For more information regarding local SafeBoot representatives please take a look at:

www.safeboot.com

Document: SafeBoot 5 Device Encryption Administrators Guide


Version: 2007/05
Last updated: Friday, 25 May 2007
For Version: 5.1.0.0 B5100

Copyright © 2007 SafeBoot N.V. All rights reserved. Printed in The Netherlands.

No part of this document may be reproduced, transmitted, transcribed, stored in a retrieval
system, or translated into any language, in any form or by any means, electronic, mechanical,
photocopying, recording or otherwise, without prior written permission from SafeBoot N.V.

The information furnished herein is believed to be accurate and reliable. However, no
responsibility or liability is assumed by SafeBoot N.V., including its subsidiaries, for its use, nor
for any infringements of patents or other rights of third parties resulting from its use.

Microsoft® and Windows® NT are registered trademarks of Microsoft Corporation. Novell® is a
trademark of Novell Inc. SafeBoot® is a registered trademark of SafeBoot N.V. All other
trademarks and registered trademarks are the property of their respective holders.
© SafeBoot N.V.

Welcome

The team at SafeBoot is dedicated to providing you with the best in
security for protecting data on personal computers. Applying the latest
technology, deployment and management of users is enhanced using
simple and structured administration controls.
SafeBoot 5 Device Encryption represents the latest addition to the
SafeBoot family and incorporates functionality not found in earlier
versions. This new edition of SafeBoot features a new dimension in IT
security incorporating many new enterprise level options, including
automated upgrades, file deployment, flexible grouping of users and
centralized user management. In addition, users' credentials can be
imported and synchronized with other deployment systems.
Through the continued investment in technology and the inclusion of
industry standards we are confident that our goal of keeping SafeBoot
at the forefront of data security will be achieved.

About This Guide


This Administrators Guide is designed to aid corporate security
administrators in the correct implementation and deployment of
SafeBoot 5 Device Encryption. Although this guide is complete in terms
of setting up and managing SafeBoot systems, it does not attempt to
teach the topic of "Enterprise Security" as a whole.
Readers unfamiliar with SafeBoot should follow the appropriate sections
of the “SafeBoot Device Encryption 5 QuickStart Guide” which walks
through setting up a SafeBoot enterprise before tackling any of the
topics in this guide.

Audience
This guide was designed to be used by qualified system administrators
and security managers. Knowledge of basic networking and routing
concepts, and a general understanding of the aims of centrally managed
security is required.
SafeBoot can only contribute to information security within your
organisation as part of a coherent and well-implemented organisational
security policy.
For information about cryptography topics, readers are advised to
consult the following publications:
• Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd
  Edition, Bruce Schneier, Pub. John Wiley & Sons; ISBN: 0471128457
• Computer Security, Dieter Gollmann, Pub. John Wiley and Sons; ISBN:
  0471978442
• Security in Computing, Charles P. Pfleeger, Pub. Prentice Hall PTR; 3rd
  edition; ISBN 0130355488

Document Conventions
The following conventions are used in this guide:
Convention              Use                               Examples
Bold font               Indicates a user entry - a        • Click the option to set it.
                        command, menu, option, button
                        or key - or the name of a file,
                        directory, or utility.
Italic font             Identifies a chapter or           • See Creating Users for more
                        sub-chapter of this guide           information.
Square Brackets ( [] )  Enclose optional keywords and     • SBServer [username] [password]
                        values in command syntax
Vertical Bar ( | )      Separates two or more possible    • SBServer start | stop
                        options in command syntax

Related Documentation
The following materials are available from our web site,
http://www.safeboot.com, and from your SafeBoot Distributor:
• Device Encryption 5 PC Administrators Guide (this document)
• Management Center 5 Administrators Guide
• Device Encryption 5 PC QuickStart Guide
• SafeBoot Enterprise Technical Overview
• SafeTech Engineers Guide


Contacting Technical Support


To obtain technical support on this product please use one of the
following methods. Remember to have your maintenance agreement
number, your license number, and details of the problem you are
experiencing to hand when calling for support.
If you purchased SafeBoot from one of our distribution channels, you
can call them direct for support. Alternatively, you can contact SafeBoot
direct at one of our office locations:
You can find a complete list of SafeBoot’s office locations, and the
Technical Support telephone numbers on our web site at:
http://www.safeboot.com/support/contact.html

Acknowledgements
SafeBoot’s Novell NDS Connector and LDAP Connectors make use of
OpenLDAP (www.openldap.org) and OpenSSL (www.openssl.org). Due
credit is given to these organisations for their free APIs.


Table of Contents

SafeBoot N.V.
WELCOME
ABOUT THIS GUIDE
AUDIENCE
DOCUMENT CONVENTIONS
RELATED DOCUMENTATION
CONTACTING TECHNICAL SUPPORT
ACKNOWLEDGEMENTS
TABLE OF CONTENTS

FIGURES

1. INTRODUCTION
1.1 WHY SAFEBOOT DEVICE ENCRYPTION?
1.2 DESIGN PHILOSOPHY
1.3 HOW SAFEBOOT WORKS
1.3.1 Protection
1.3.2 Management
1.3.3 Objects, Entities, and Attributes explained
1.4 THE SAFEBOOT COMPONENTS
1.4.1 SafeBoot Administration Center (SBAdmin)
1.4.2 SafeBoot Server (SBServer)
1.4.3 SafeBoot Object Directory
1.4.4 SafeBoot Device Encryption PC Client
1.4.5 SafeBoot File Encryptor
1.4.6 SafeBoot Connector Manager
1.5 COMPONENT DESIGN
1.5.1 SafeBoot Device Encryption Client
1.5.2 SafeBoot Administration
1.5.3 SafeBoot Connection Manager
1.6 INSTALL AND DEPLOYMENT

2. INSTALLING SAFEBOOT ADMINISTRATION

3. DEVICE ENCRYPTION USER POLICIES
3.1 USER ADMINISTRATION FUNCTIONS
3.1.1 Create Token
3.1.2 Reset Token
3.1.3 Set SSO Details
3.1.4 Force Password Change at Next Logon
3.1.5 View Audit
3.1.6 Reset (All) to Group Configuration
3.1.7 Create Copy
3.1.8 Properties
3.2 USER CONFIGURATION OPTIONS
3.2.1 General
3.2.2 Devices
3.2.3 Application Control


4. USING TOKENS WITH DEVICE ENCRYPTION
4.1 GENERAL TOKEN OPERATION
4.2 STORED VALUE TOKENS
4.3 CERTIFICATE, OR “CRYPT ONLY” TOKENS
4.3.1 How Certificate Tokens Work
4.3.2 Certificate Connectors
4.4 OTHER TYPES OF TOKEN
4.5 TOKEN COMPATIBILITY
4.5.1 Smart Card / Smart Card Reader Compatibility
4.5.2 USB Key / Reader Driver Requirements
4.6 SPECIFIC TOKEN NOTES
4.6.1 RSA SID800 USB Token
4.6.2 ActivIdentity Smart Cards and USB Keys
4.6.3 Infineon Embedded TPM Chip
4.6.4 Sony Puppy Fingerprint Reader
4.6.5 Aladdin eToken 64KB
4.6.6 SafeNet IKEY 2032
4.6.7 SafeBoot Phantom USB Biometric Key

5. CREATING AND CONFIGURING MACHINES
5.1 MACHINE ADMINISTRATION FUNCTIONS
5.1.1 Create Machine
5.1.2 Rename Machine
5.1.3 Delete
5.1.4 Import Machines
5.1.5 Export Configuration
5.1.6 Create Install Set
5.1.7 Force Synchronization
5.1.8 Reboot Machine
5.1.9 Lock Machine
5.1.10 Add Users
5.1.11 View Audit
5.1.12 Reset to Group Configuration
5.1.13 Create Copy
5.1.14 Properties
5.2 MACHINE CONFIGURATION OPTIONS
5.2.1 Machine Groups
5.2.2 General
5.2.3 Encryption
5.2.4 Users
5.2.5 Warning Text
5.2.6 Synchronization Settings
5.2.7 Files
5.2.8 Screen Saver
5.2.9 Boot

6. FILE GROUPS AND MANAGEMENT
6.1 SETTING FILE GROUP FUNCTIONS
6.2 IMPORTING NEW FILES
6.3 EXPORTING FILES
6.4 DELETING FILES
6.5 SETTING FILE PROPERTIES

7. ADDING COMPONENTS TO A MACHINE

8. USING SAFEBOOT AS A FILE DEPLOY SYSTEM


8.1 EXAMPLE - COPYING A NEW FILE TO THE DESKTOP

9. CREATING AN INSTALL PACKAGE
9.1 SELECTING THE GROUP / MACHINE
9.2 SELECT THE INSTALL SET TYPE
9.3 ONLINE INSTALLS
9.4 OFFLINE INSTALLS
9.5 IMPORTING A TRANSPORT DIRECTORY
9.6 SUMMARY OF OFFLINE INSTALL SET CONTENTS
9.7 SELECT THE MASTER DIRECTORY
9.8 SET INSTALL OPTIONS AND CREATE THE SET

10. INSTALLING, UPGRADING, AND REMOVING DEVICE ENCRYPTION
10.1 OFFLINE PACKAGE INSTALLS
10.2 ONLINE PACKAGE INSTALLS
10.3 REMOVING / UNINSTALLING SAFEBOOT CLIENT
10.4 UPGRADING SAFEBOOT FROM PREVIOUS VERSIONS.
10.4.1 Upgrading SafeBoot 4.x Clients to 5.x
10.4.2 Upgrading existing 5.x clients to a later service pack or patch version
10.4.3 Removing SafeBoot 5.x from a machine

11. CLIENT SOFTWARE
11.1 THE TOOL TRAY ICON
11.2 CLIENT AUDITING
11.3 BOOT AND LOGON PROCESS
11.4 SAFEBOOT SCREEN SAVER
11.5 WINDOWS SIGN-ON AND LOGON MECHANISMS.
11.6 CHANGING THE PASSWORD

12. WINDOWS SIGN-ON AND SSO
12.1 WINDOWS LOGON FEATURES
12.2 HOW WINDOWS LOGON WORKS
12.2.1 First Boot
12.2.2 Second Boot
12.2.3 Failed Windows Password
12.2.4 Re Logon
12.2.5 Setting and Changing a users SSO details

13. AUDITING
13.1 INTRODUCTION
13.2 COMMON AUDIT EVENTS
13.2.1 Information Events
13.3 TRY EVENTS
13.4 SUCCEED EVENTS
13.5 FAILURE EVENTS

14. RECOVERING USERS AND MACHINES
14.1 OFFLINE RECOVERY
14.2 ONLINE RECOVERY

15. TRUSTED APPLICATIONS
15.1 HASH SETS
15.2 HASH SET PROPERTIES
15.2.1 General
15.2.2 File Hashes
15.3 USING HASH SETS


16. HASH GENERATOR
16.1 INTRODUCTION
16.2 USING HASH GENERATOR

17. COMMON CRITERIA EAL4 MODE OPERATION
17.1.1 Common Criteria EAL4 Certificate
17.2 ALGORITHM CERTIFICATE NUMBERS
17.2.1 AES
17.2.2 SHA1
17.2.3 DSA/DSS
17.2.4 RNG
17.2.5 DES

18. SAFEBOOT CONFIGURATION FILES
18.1 SBGINA.INI
18.2 SBERRORS.INI
18.3 SBHELP.INI
18.4 SBFEATUR.INI
18.5 SCM.INI
18.6 DEFSCM.INI
18.7 SDMCFG.INI
18.8 TRIVIALPWDS.DAT
18.9 BOOTCODE.INI
18.10 BOOTMANAGER.INI
18.11 SBERRORS.XML
18.12 AUTOBOOT.INI

19. SAFEBOOT PROGRAM AND DRIVER FILES
19.1 EXE FILES
19.1.1 SafeTech
19.1.2 Setup
19.2 DLL FILES
19.2.1 sbalgxx
19.2.2 sbgina
19.3 SYS FILES
19.3.1 SafeBoot.SYS
19.3.2 SBALG.SYS
19.3.3 SafeBoot.CSC/RSV
19.3.4 SafeBoot.FS
19.4 OTHER FILES
19.4.1 srg files

20. SAFETECH

21. THEMES & LOCALIZATION
21.1 THEMES
21.2 KEYBOARDS
21.2.1 Physical Keyboard Layouts
21.2.2 Creating your own Keyboard Layout
21.2.3 On Screen Keyboards
21.3 PRE-BOOT LANGUAGE
21.3.1 Creating your own Language file
21.4 PRE BOOT TOKEN DESCRIPTIONS
21.5 WINDOWS LANGUAGES

22. TROUBLESHOOTING PCS


23. ERROR MESSAGES
23.1 MODULE CODES
23.2 1C000 IPC ERRORS
23.3 5C00 COMMUNICATIONS PROTOCOL
23.4 5C02 COMMUNICATIONS CRYPTOGRAPHIC
23.5 A100 ALGORITHM ERRORS
23.6 DB00 DATABASE ERRORS
23.7 DB01 DATABASE OBJECTS
23.8 DB02 DATABASE ATTRIBUTES
23.9 E000 SAFEBOOT GENERAL
23.10 E001 TOKENS
23.11 E002 SAFEBOOT DISK
23.12 E003 SAFEBOOT SBFS
23.13 E004 BOOT CODE IMAGE
23.14 E005 CLIENT
23.15 E006 ALGORITHMS
23.16 E007 READERS
23.17 E008 USERS
23.18 E010 KEYS
23.19 E011 FILES
23.20 E012 LICENCES
23.21 E013 INSTALLER
23.22 E014 HASHES
23.23 E015 APPLICATION CONTROL
23.24 E016 ADMINISTRATION CENTER
23.25 XXH: BIOS

24. TECHNICAL SPECIFICATIONS AND OPTIONS
24.1 ENCRYPTION ALGORITHMS
24.1.1 RC5-12 (FASTEST)
24.1.2 RC5-18
24.1.3 AES 256
24.1.4 AES-FIPS (FIPS 140-2 Approved) - RECOMMENDED
24.1.5 DES (FIPS 140-1 Approved)
24.1.6 Blowfish
24.2 SMART CARD READERS
24.2.1 PCMCIA Smart Card Readers
24.2.2 Generic USB CCID Smart Card Reader and compatibles
24.2.3 PCI Smart Card Readers
24.3 TOKENS
24.3.1 Smart Cards
24.3.2 USB Tokens
24.3.3 Other Authentication Tokens
24.4 LANGUAGE SUPPORT
24.4.1 Client
24.5 SYSTEM REQUIREMENTS
24.5.1 Client

25. INDEX


Figures

FIGURE 1-1. SAFEBOOT ADMINISTRATOR INTERFACE
FIGURE 1-2. SAFEBOOT SERVER
FIGURE 1-3. OBJECT DIRECTORY IN DBHELPER
FIGURE 1-4. SAFEBOOT CLIENT
FIGURE 1-5. SAFEBOOT FILE ENCRYPTION UTILITY
FIGURE 1-6. SAFEBOOT CONNECTOR MANAGER
FIGURE 2-1. INSTALLING SBADMIN
FIGURE 2-2. SBADMIN START MENU
FIGURE 3-1. USER RIGHT-CLICK MENU
FIGURE 3-2. USER OPTIONS - GENERAL
FIGURE 3-3. USER CONFIGURATION - DEVICES
FIGURE 3-4. USER CONFIGURATION - APPLICATION CONTROL
FIGURE 4-1. TRAINING A SONY PUPPY
FIGURE 5-1. MACHINE ADMINISTRATION FUNCTIONS
FIGURE 5-2. MACHINE GROUP DESCRIPTION
FIGURE 5-3. BOOT PROTECTION AND GENERAL OPTIONS
FIGURE 5-4. SETTING DRIVE ENCRYPTION
FIGURE 5-5. ALLOWED USERS
FIGURE 5-6. CLIENT WARNING TEXT
FIGURE 5-7. SYNCHRONIZATION SETTINGS
FIGURE 5-8. CLIENT FILE GROUPS
FIGURE 5-9. SCREEN SAVER PROPERTIES
FIGURE 6-1. SAFEBOOT FILE GROUPS
FIGURE 6-2. FILE GROUP CONTENT
FIGURE 6-3. ADDING FILES TO THE OBJECT DIRECTORY
FIGURE 6-4. FILE PROPERTIES, FILE INFORMATION
FIGURE 6-5. FILE PROPERTIES, ADVANCED
FIGURE 8-1. SETTING THE NEW TEXT FILE PERMISSIONS
FIGURE 8-2. DOWNLOADING THE MESSAGE.TXT FILE
FIGURE 9-1. CREATING A GROUP INSTALLATION SET
FIGURE 9-2. CREATING INSTALLATION SETS, PAGE 1
FIGURE 9-3. SELECTING THE MASTER OBJECT DIRECTORY
FIGURE 9-4. CREATING THE INSTALL SET
FIGURE 11-1. SAFEBOOT RIGHT-CLICK TOOL TRAY MENU
FIGURE 11-2. SAFEBOOT CLIENT STATUS WINDOW
FIGURE 11-3. SAFEBOOT SCREEN SAVER
FIGURE 11-4. CHANGING THE PASSWORD PRE-BOOT
FIGURE 12-1. WINDOWS LOGON SETTINGS
FIGURE 12-2. LOGON TO WINDOWS REPLACEMENT DIALOG
FIGURE 13-1. VIEWING A USERS AUDIT LOG
FIGURE 14-1. SELECT USER OR MACHINE RECOVERY
FIGURE 14-2. STARTING THE RECOVERY PROCESS
FIGURE 14-3. STARTING RECOVERY
FIGURE 14-4. VALIDATING A USER
FIGURE 14-5. SELECTING THE RECOVERY OPTION
FIGURE 14-6. USER’S RECOVERY CODE
FIGURE 15-1. HASH GROUP
FIGURE 16-1. HASH GENERATOR MAIN SCREEN
FIGURE 16-2. HASH PROGRESS SCREEN
FIGURE 20-1. SAFETECH 5 MAIN WINDOW


FIGURE 22-1. SAFEBOOT WEBSITE

TABLE 4-1. LIST OF SUPPORTED TOKENS
TABLE 4-2. SAFEBOOT SMART CARD / READER COMPATIBILITY
TABLE 4-3. USB KEY / READER DRIVER REQUIREMENTS
TABLE 13-1. INFORMATION AUDIT EVENTS
TABLE 13-2. TRY AUDIT EVENTS
TABLE 13-3. SUCCEED AUDIT EVENTS
TABLE 13-4. FAILURE AUDIT EVENTS
TABLE 15-1. TRUSTED APPLICATION LOGIC
TABLE 21-1. THEME OVERVIEW
TABLE 21-2. KEYBOARD DEFINITION IN LOCAL.INI
TABLE 21-3. KEYBOARD MAP SOURCE FILE
TABLE 21-4. ON SCREEN KEYBOARD SOURCE
TABLE 21-5. ON SCREEN KEYBOARD DEFINITION
TABLE 21-6. PRE-BOOT LANGUAGE DEFINITION
TABLE 21-7. TOKEN TRANSLATION FILE
TABLE 23-1. MODULE ERROR CODES
TABLE 23-2. IPC ERRORS
TABLE 23-3. PROTOCOL ERRORS
TABLE 23-4. CRYPTO ERRORS
TABLE 23-5. ALGORITHM ERRORS
TABLE 23-6. DATABASE ERRORS
TABLE 23-7. DATABASE OBJECT ERRORS
TABLE 23-8. ATTRIBUTE ERRORS
TABLE 23-9. GENERAL ERRORS
TABLE 23-10. TOKEN ERRORS
TABLE 23-11. DISK ERRORS
TABLE 23-12. SBFS ERRORS
TABLE 23-13. SBFS ERRORS
TABLE 23-14. CLIENT ERRORS
TABLE 23-15. ALGORITHM ERRORS
TABLE 23-16. READER ERRORS
TABLE 23-17. USER ERRORS
TABLE 23-18. KEYS ERRORS
TABLE 23-19. FILES ERRORS
TABLE 23-20. LICENCES ERRORS
TABLE 23-21. INSTALLER ERRORS
TABLE 23-22. HASHES ERRORS
TABLE 23-23. APPLICATION CONTROL ERRORS
TABLE 23-24. MANAGEMENT CENTER ERRORS
TABLE 23-25. BIOS HARD ERRORS
TABLE 24-1. PRE BOOT LANGUAGES
TABLE 24-2. PRE BOOT KEYBOARD LAYOUTS
TABLE 24-3. WINDOWS SUPPORTED LANGUAGES


1. Introduction

1.1 Why SafeBoot Device Encryption?


Around 1,000,000 laptops go missing each year, causing an estimated 4
billion USD worth of lost data. Is your data safely stored? Ever thought
about the risks you run for your company and your clients? SafeBoot
was developed with the understanding that often the data stored on a
computer is much more valuable than the hardware itself.

1.2 Design Philosophy


Unlike other security systems, SafeBoot Device Encryption does not
prevent access to specific files, or in any way alter the way the PCs and
PDAs are used.
SafeBoot’s product range enhances the security of devices by
providing data encryption and a token-based logon procedure using, for
example, a Smart Card via a USB, PCMCIA, serial or parallel reader.
SafeBoot also has optional File and Media encryption programs
(SafeBoot VDisk, SafeBoot File Encryptor and SafeBoot Content
Encryption). SafeBoot supports all current Microsoft Operating Systems,
and also common PDA platforms:
• Microsoft Windows 2000 through SP4
• Microsoft Windows XP through SP2
• Microsoft Windows 2003
• Microsoft Vista 32bit and 64bit (all versions)
• Microsoft Pocket Windows 2002 and 2003
• Microsoft Windows Mobile 5.0/6.0
• PalmOS 3.5 through 5.4
• Symbian UIQ

NOTE - For end users, SafeBoot allows users to work as usual, including the security and
network services. Apart from the initial Logon, SafeBoot offers completely
transparent security.


1.3 How SafeBoot Works


1.3.1 Protection
On PCs, the client side of SafeBoot, in simple terms, takes control of the
user’s hard disk away from the operating system. SafeBoot’s driver
encrypts every piece of data written to the disk, and decrypts every
piece of information read off the disk. If any application managed to
break through the SafeBoot barrier and read the disk directly, it would
find only encrypted data, even in the Windows swap file and temporary
file areas.

NOTE - Even if a Data Recovery agency tries to retrieve information from a SafeBoot-
protected hard drive, without access to the SafeBoot System via the passwords or
recovery information there is no way of accessing this data – total security.

SafeBoot installs a mini-operating system on the user’s hard drive; this
is what the user sees when they boot the PC. SafeBoot looks and feels
like Microsoft Windows, with mouse and keyboard support, moveable
windows etc. This SafeBoot OS is completely contained and does not
need to access any other files or programs on the hard disk, and is
responsible for allowing the user to authenticate (with a password, or
token such as a smart card).
Once the user has entered the correct authentication information, the
SafeBoot operating system starts the crypt driver in memory, and boots
the protected machine’s original operating system. From this point on
the machine will look and behave as if SafeBoot was not installed. The
security is invisible to the user, and because the only readable data on
the hard disk is the SafeBoot operating system, and the encryption key
for the hard drive is itself protected with the user’s authentication key,
the only possible way to defeat SafeBoot is to either guess the hard disk
encryption key (a one in 2^256 chance with the AES256 algorithm), or to
guess the user’s password.
On PDAs such as Pocket Windows and PalmOS, SafeBoot installs
applications and drivers to provide authentication and encryption
services. SafeBoot can protect memory cards, internal databases (such
as e-mail and contact lists), and provides secure, manageable
authentication services.
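
The PC key hierarchy described in this section, a disk key that is itself protected with the user's authentication key, can be sketched as follows. This is an added example and not SafeBoot code: the PBKDF2 derivation, the XOR-plus-HMAC wrapping (standing in for a real key-wrap cipher), the iteration count and all function names are assumptions.

```python
import hashlib
import hmac
import math
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor, not a SafeBoot value


def _derive_keys(password: str, salt: bytes):
    """Stretch the password, then split the result into a pad and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    pad = hmac.new(master, b"wrap", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return pad, mac_key


def wrap_disk_key(disk_key: bytes, password: str) -> dict:
    """Protect the 256-bit disk key under a key derived from the password."""
    if len(disk_key) != 32:
        raise ValueError("disk key must be 32 bytes (256 bits)")
    salt = secrets.token_bytes(16)  # fresh salt, so each pad is used only once
    pad, mac_key = _derive_keys(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(disk_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_disk_key(blob: dict, password: str):
    """Return the disk key, or None if the password is wrong or the blob altered."""
    pad, mac_key = _derive_keys(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def change_password(blob: dict, old_password: str, new_password: str) -> dict:
    """Re-wrap the same disk key; the encrypted disk contents are untouched."""
    disk_key = unwrap_disk_key(blob, old_password)
    if disk_key is None:
        raise ValueError("old password rejected")
    return wrap_disk_key(disk_key, new_password)


def effective_strength_bits(password_length: int, alphabet_size: int) -> float:
    """The weaker of the two guesses: the 256-bit key or the password.

    Assumes a uniformly random password, so this is an upper bound.
    """
    return min(256, password_length * math.log2(alphabet_size))


if __name__ == "__main__":
    disk_key = secrets.token_bytes(32)               # constructed sample key
    blob = wrap_disk_key(disk_key, "constructed-passphrase-1")
    print("right password:", unwrap_disk_key(blob, "constructed-passphrase-1") == disk_key)
    print("wrong password:", unwrap_disk_key(blob, "guess") is None)
    blob2 = change_password(blob, "constructed-passphrase-1", "constructed-passphrase-2")
    print("same disk key after change:",
          unwrap_disk_key(blob2, "constructed-passphrase-2") == disk_key)
    print("5-digit numeric password: %.1f bits" % effective_strength_bits(5, 10))
    print("12 printable characters:  %.1f bits" % effective_strength_bits(12, 95))
```

The last two lines of the demo put numbers on the trade-off the paragraph states: the disk key costs 2^256 guesses, but a short numeric password leaves fewer than 17 bits of work.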


1.3.2 Management
Every time a SafeBoot protected device boots, and optionally every time
the user initiates a dial-up connection or after a set period of time,
SafeBoot tries to contact its "Object Directory". This is a central store of
configuration information for both machines and users, and is managed
by SafeBoot Administrators. The Object Directory could be on the user’s
local hard disk (if the user is working completely stand-alone), or could
be in some remote location and accessed over TCP/IP via a secure
SafeBoot Server (in the case of a centrally managed enterprise).
The SafeBoot protected machine queries the directory for any updates
to its configuration, and if needed downloads and applies them. Typical
updates could be a new user assigned to the machine by an
administrator, a change in password policy, or an upgrade to the
SafeBoot operating system or a new file specified by the administrator.
At the same time SafeBoot uploads details like the latest audit
information, any user password changes, and security breaches to the
Object Directory. In this way, transparent synchronization of the
enterprise becomes possible.

1.3.3 Objects, Entities, and Attributes explained.


SafeBoot 5 Device Encryption stores information about users, machines,
servers, PDAs etc in collections called "objects" - from an internal point
of view it does not matter to SafeBoot what an "object" represents, only
the information it contains. So an object representing a user, say "John
Smith", and an object representing a machine, for example "Johns
Laptop" both contain information about encryption keys, account status
and administration level.
Within the object are collections of configuration data called
"attributes", again the same type of attribute may exist across many
object types. To take our previous example of John and his laptop, the
details of the encryption keys, user status and administration level
would all be stored as separate attributes.
Entities are applications within the SafeBoot system. Because of the
generality of the "object" design, all SafeBoot applications also have
some generality about them, for instance the "Entity" representing the
SafeBoot client, and the "Entity" representing the SafeBoot Server, both
authenticate to the Object Directory in the same way - as an "object"
which could be a machine or user - which it is does not matter. This
generality is mainly hidden from users and administrators, but because
of this core design, you will find that many SafeBoot related functions
and tasks are common between users, machines and entities.


1.4 The SafeBoot Components


1.4.1 SafeBoot Administration Center (SBAdmin)

Figure 1-1. SafeBoot Administrator Interface

The most important component of the SafeBoot enterprise is SBAdmin,
the administrator Interface. This utility allows privileged users to
manage the enterprise from any workstation that can establish a TCP/IP
link or file link to the Object Directory. Typical procedures that the
SafeBoot Administrator handles are:
• Adding users to machines
• Configuring SafeBoot protected machines
• Creating and configuring users
• Revoking users' logon privileges
• Updating file information on remote machines
• Recovering users who have forgotten their passwords
• Creating logon tokens such as smart cards for users

1.4.2 SafeBoot Server (SBServer)

Figure 1-2. SafeBoot Server

The SBServer facilitates connections between SafeBoot entities such as
SBClient and SBAdmin, and the central Object Directory over an IP
connection (rather than the file based "local" connection). The server
performs authentication of the entity using DSA signatures, and link
encryption using Diffie-Hellman key exchange and bulk algorithm line
encryption. This ensures that "snooping" the connection cannot result in
any secure key information being disclosed.
The server exposes the Object Directory via fully routed TCP/IP,
meaning that access to the Object Directory can be safely exposed to
the Internet / Intranet, allowing clients to connect wherever they are.
As all communications between the Server and client are encrypted and
authenticated there is no security risk in exposing it in this way.
There is a unique PDA Server which provides similar services to PDAs
such as Microsoft Pocket Windows and PalmOS devices. More
information about this can be found in later chapters.


1.4.3 SafeBoot Object Directory

Figure 1-3. Object Directory in DBHelper

The SafeBoot Object Directory is the central configuration store for the
SafeBoot 5 Device Encryption and is used as a repository of information
for all the SafeBoot entities. The default directory uses the operating
system's file system driver to provide a high performance scalable
system which mirrors an X500 design. Alternative stores such as LDAP
are possible – contact your SafeBoot representative for details. The
standard store has a capacity of over 4 billion users and machines.
Typical information stored in the Object Directory includes:
• User Configuration information
• Machine Configuration information
• Client and administration file lists
• Encryption key and recovery information
• Audit trails
• Secure Server Key information


1.4.4 SafeBoot Device Encryption PC Client

Figure 1-4. SafeBoot Client

The SafeBoot Device Encryption (DE) client software is largely invisible
to the end user. The only visible part is an entry in the user’s tool tray
(the SafeBoot icon).
Clicking on this icon allows the user to lock the PC with the screen saver
(if one is selected). Right clicking on the monitor allows them to
perform a manual synchronization with their Object Directory, or
monitor the progress of any active synchronization.
Normally the SafeBoot client attempts to connect to its home server or
directory every time the machine boots or establishes a new dial-up
connection. During this process, any configuration changes made by the
SafeBoot administrator are collected and implemented by the SafeBoot
client. In addition, information such as the last audit logs is uploaded
to the directory.


1.4.5 SafeBoot File Encryptor

Figure 1-5. SafeBoot file encryption utility

By right clicking on a file, users can elect to encrypt it using various
keys. Files can be encrypted with other SafeBoot users’ keys, and/or
passwords.
Once protected in this way the file can be sent elsewhere, for example
via e-mail, or on a floppy disk, without the risk of disclosure.
When the file needs to be used, it just needs to be double clicked. A
password or login prompt will be presented for authentication; if correct,
the file will be decrypted.
The File Encryptor also has an option to create an RSA key pair for
recovery – if the password to a file is lost, then the file can still be
recovered using the correct recovery key.


1.4.6 SafeBoot Connector Manager

Figure 1-6. SafeBoot Connector Manager

SafeBoot’s directory used to keep track of security information is
designed so that synchronization of details between SafeBoot and other
systems is possible. The "Connector Manager" is a customizable module
which enables data from systems such as X500 directories (commonly
used in PKI infrastructures) to propagate to the SafeBoot Object
Directory. Using this mechanism, it's possible to replicate details such
as a user’s account status between SafeBoot 5 Device Encryption and
other "directories". Current connector options include LDAP, Active
Directory, and an NT Domain Connector. For information on these
components, see your SafeBoot representative, or see the
“Management Centre 5 Administrators Guide”.

1.5 Component Design


SafeBoot uses a suite of reusable components to handle the
synchronization of security data between the users and administration
systems.


1.5.1 SafeBoot Device Encryption Client


SafeBoot Configuration Manager (SCM)
          |
SafeBoot Directory Manager ---- SafeBoot Communication Manager (Client Side)
          |                         Remote Link |
Local Object Directory          SafeBoot Communication Manager (Server Side)
                                                |
                                SafeBoot Directory Manager
                                                |
                                Local Object Directory

1.5.2 SafeBoot Administration


SafeBoot Administration (SBAdmin)
          |
SafeBoot Directory Manager ---- SafeBoot Communication Manager (Client Side)
          |                         Remote Link |
Local Object Directory          SafeBoot Communication Manager (Server Side)
                                                |
                                SafeBoot Directory Manager
                                                |
                                Local Object Directory

1.5.3 SafeBoot Connection Manager


Alternate Information Database (e.g. LDAP)
          |
SafeBoot Directory Synchronizer (SDS)
          |
SafeBoot Directory Manager ---- SafeBoot Communication Manager (Client Side)
          |                         Remote Link |
Local Object Directory          SafeBoot Communication Manager (Server Side)
                                                |
                                SafeBoot Directory Manager
                                                |
                                Local Object Directory

From the above diagrams, you can see that all SafeBoot components
share a common communication backbone. This design has the benefit
that the security information source is transparent to the driving
application, and the end store can be changed with no modifications to
the administration, client, or synchronization engines.

1.6 Install and Deployment


SafeBoot is installed on users' PCs by running small deploy sets created
by the SafeBoot Administration Center (SBAdmin). This executable file
contains the core components and drivers needed to enable SafeBoot
on a user’s machine.


With the increasing necessity of install mechanisms which do not
involve end users, and the software industry's drive to make the cost of
ownership and implementation of products as small as possible,
SafeBoot 5 Device Encryption utilizes "smart-update" type technology.
With this mechanism, only a small amount of code needs to be placed
on the client machine to facilitate installation. The remaining code
modules are downloaded on demand from either central SafeBoot
Servers (in the case of a network install), or from a local compressed
directory (in the case of a stand alone PC). With network connected
machines, this gives the additional benefit of being able to update
SafeBoot files simply by updating the data stored in the Object
Directory.
SafeBoot’s file deploy mechanism can also be used to "push" other files
to SafeBoot protected machines. For instance, virus databases can be
stored in the central SafeBoot directory; when one needs updating, a
SafeBoot administrator upgrades the central copy. All SafeBoot
protected machines notice the change and automatically download the
new file. This deploy mechanism can also be used to make registry
changes on remote machines, and can even execute files.


2. Installing SafeBoot Administration

NOTE - Readers unfamiliar with SafeBoot should follow the “Device Encryption 5 PC
QuickStart Guide” which walks through setting up a SafeBoot enterprise before
tackling any of the topics in this guide.

SBAdmin is the Administration part of SafeBoot and is the core tool for
managing all SafeBoot aware applications. If this is the first time you
have installed a SafeBoot application, you should read the SafeBoot
QuickStart Guide. You will find this either in your SafeBoot box, or on
your SafeBoot CD in the “DOCS” directory.
Install SBAdmin by running the appropriate “setup.exe” from the
“SafeBoot5…” directory on your SafeBoot CD. You should run this first
on the machine which you want to be the “master” or administrator's
machine. If you have a multi-language CD, select the language (for
example “English”) you want to install.

Figure 2-1. Installing SBAdmin

The SafeBoot administration system will now be installed on your
machine. Follow the on-screen prompts to install the software; you may
be prompted to select a language, smart card reader, and encryption
algorithm. For more information on these options please see the
“Management Centre 5 Administrators Guide”. Once completed you may
need to restart your system.


The SafeBoot management suite adds some items to your start menu.
“SafeBoot Administration” starts the SafeBoot management console;
“SafeBoot Database Server” starts the communication server which
provides encrypted links between clients and the configuration.

Figure 2-2. SBAdmin Start Menu

After rebooting, run the SafeBoot Administration program. A wizard will
walk you through the creation of a new SafeBoot directory. If you have
an existing Object Directory in your network, you can connect to it by
canceling the wizard and manually configuring a connection.
For more information on the SafeBoot Administration Center
please see the “Management Center 5 Administrators Guide”.


3. Device Encryption User Policies

For information on SafeBoot users in general, please see the
“Management Center 5 Administrators Guide”. The following
sections detail the SafeBoot Device Encryption specific
parameters.

3.1 User Administration Functions

Figure 3-1. User Right-click menu

3.1.1 Create Token


Creates a new Token for the selected user - this could be a soft
(password) token, or a hard token such as a smart card or eToken. See
Chapter 4 for more information.

NOTE: In the case of hard tokens, creating the token does not necessarily set the user to
actually use that token. This must be accomplished separately from the user's
“Token” properties page.


3.1.2 Reset Token


Resets the token authentication to the default. In the case of the soft
(password) token, this resets the password to 12345.

NOTE: Some hard tokens may not be able to be reset using SafeBoot - for example
Datakey Smart Cards. In this case contact the manufacturer of your token to
determine the correct re-use procedure.

3.1.3 Set SSO Details


Sets the Single-Sign-On details for the user. For more information on
SSO see Chapter 12.

3.1.4 Force Password Change at Next Logon


Forces the user to change their password at their next logon.

3.1.5 View Audit


Displays the audit for the user - for more information see Chapter 13.

3.1.6 Reset (All) to Group Configuration


Resets the configuration of the user, or all the users in the group, to the
group's configuration.

3.1.7 Create Copy


Creates a new object based on the selected object.

3.1.8 Properties
Displays the properties of the selected object.


3.2 User configuration Options


3.2.1 General

Figure 3-2. User Options - General

Auto-boot users
The special user id “$autoboot$” with a password of “12345” can be
used to auto-boot a SafeBoot protected machine. This option is useful if
an auto-boot of a machine is needed, for example when updating
software using a distribution package such as SMS or Zenworks. This ID
should be used with caution though, as it effectively bypasses the
security of SafeBoot.
Enabled
Shows whether the user account is enabled or not. The enabled status
is always user selectable.


When a SafeBoot Device Encryption system synchronizes with the
SafeBoot Management Center, it checks the user account list to ensure
that the currently logged on user is still valid (because they logged on
at boot time before the network and Object Directory were available).
Users with disabled accounts (or users who have been removed from
the user list) will find the workstation will lock and they will be unable to
log in.

NOTE - If you want to force a SafeBoot machine to synchronize (and hence immediately
stop the user from accessing the machine), you can use the "force sync" option to
force an update. For more information see the SafeBoot DE Administrators Guide,
Chapter 0.

3.2.2 Devices

Figure 3-3. User Configuration - Devices

Floppy Disk Access
Users can be prevented from accessing the floppy disk, or prevented
only from writing to it. You can also elect to allow only Encrypted
floppy disks - in this case users must format their own disks, which can
then only be used by themselves (the disk is encrypted with the user's
personal key).
Ports
SafeBoot can attempt to block access to the serial and/or parallel ports.
This blocking is implemented after the operating system has booted, so
if the machine has a serial mouse, it will still function, as will a printer
connected to the parallel port. This option is designed to stop users
adding serial and parallel devices AFTER the machine has booted.

NOTE: If you need to take detailed control of the devices which are available to your
users, please see SafeBoot’s Port Control product which provides granular device
access.

3.2.3 Application Control

Figure 3-4. User Configuration - Application Control


SafeBoot includes an innovative application blocking system which can
be used to restrict what code can actually be run by a user. For more
information on this feature see Chapter 15.
List Contains Untrusted Applications (Blacklist)
Files specified in the listed file hash sets will be blocked (untrusted). All
unlisted executable files will be permitted to execute code (trusted).
List Contains Trusted Applications (White list)
Files specified in the listed file hash sets will be permitted to execute
code (trusted). All unlisted executable files will be blocked (untrusted).
Enable Blocking of Untrusted Applications
Blocks code from executing from untrusted applications. If this option is
not set, then any code can run. This is a debugging option.
Enable Logging of Executed Applications
Logs files which try to execute code, with status messages indicating
whether the file is trusted or not - this feature is useful for debugging
trusted application file sets.
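
How the four Application Control options combine into an allow or block decision can be modelled as below. This is an added example and not SafeBoot code: the class, function and field names are hypothetical, SHA-256 is an assumed hash (the page does not name the algorithm), and the sample file contents are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class AppControlPolicy:
    """Hypothetical model of the options on the Application Control page."""
    hash_sets: set            # digests from the listed file hash sets
    list_is_whitelist: bool   # True: list contains trusted applications
                              # False: list contains untrusted applications
    blocking_enabled: bool    # "Enable Blocking of Untrusted Applications"
    logging_enabled: bool     # "Enable Logging of Executed Applications"
    log: list = field(default_factory=list)


def file_hash(content: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever hash the product uses.
    return hashlib.sha256(content).hexdigest()


def is_trusted(policy: AppControlPolicy, digest: str) -> bool:
    """White list: only listed files are trusted. Blacklist: only listed files are not."""
    listed = digest in policy.hash_sets
    return listed if policy.list_is_whitelist else not listed


def may_execute(policy: AppControlPolicy, name: str, content: bytes) -> bool:
    """Decide whether a file may run, and record the decision if logging is on."""
    trusted = is_trusted(policy, file_hash(content))
    # With blocking off, untrusted code still runs: the policy only observes.
    allowed = trusted or not policy.blocking_enabled
    if policy.logging_enabled:
        policy.log.append((name,
                           "trusted" if trusted else "untrusted",
                           "allowed" if allowed else "blocked"))
    return allowed


if __name__ == "__main__":
    approved = b"constructed sample: approved tool v1"
    altered = b"constructed sample: approved tool v1 (modified)"
    unwanted = b"constructed sample: unwanted tool"

    white = AppControlPolicy({file_hash(approved)}, True, True, True)
    black = AppControlPolicy({file_hash(unwanted)}, False, True, True)
    audit = AppControlPolicy({file_hash(approved)}, True, False, True)

    for label, policy in (("white list", white), ("blacklist", black),
                          ("white list, blocking off", audit)):
        for name, data in (("approved.exe", approved),
                           ("altered.exe", altered),
                           ("unwanted.exe", unwanted)):
            may_execute(policy, name, data)
        print(label)
        for entry in policy.log:
            print("   %-13s %-10s %s" % entry)
```

In the output, the altered copy is blocked under the white list but permitted under the blacklist, because any change to a file changes its hash; the third policy logs untrusted files as allowed, which is the log an administrator would review while building hash sets before turning blocking on.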


4. Using Tokens with Device Encryption

SafeBoot supports many different types of logon token, for example
passwords, smart cards, Aladdin eToken, and others. Before a user can
use a non-password token, you must ensure any machine they are
going to use has been suitably prepared.
A summary of the supported tokens:

Token Name                                  Token Type
ActivIdentity Smart Card                    Stored Value, Certificate
ActivIdentity USB Key                       Stored Value, Certificate
Aladdin eToken USB Key                      Stored Value
Charismathics USB Key                       Stored Value
DataKey Smart Card                          Stored Value
DOD CAC Smart Card                          Certificate, Storage, All versions
Datev PKI Smartcard                         Certificate
Embedded Infineon TPM Chip                  Stored Value
Estonian National ID Smart Card             Certificate
HP ProtectTools Smart Card                  Stored Value / Certificate
  (Branded ActivIdentity smart card)
IZN Certificate Smart Card                  Certificate
Passfaces                                   Stored Value
Password Only                               Stored Value
RSA SecurID RSA5100 Smart Card              Stored Value
RSA SecurID SID800                          Stored Value
PToken Identity Card                        Certificate
SafeBoot Black Smart Card                   Stored Value
SafeBoot Red Smart Card                     Stored Value
SafeBoot Phantom Biometric USB Stick        Stored Value
SafeNet IKEY 2032 USB Key                   Stored Value
Siemens CardOS 4.3b and 4.01a Smart Card    Certificate
Setec Identity Card                         Certificate
Sony Puppy                                  Stored Value
TEID Identity Card                          Certificate
Telesec Identity Card                       Certificate
Vasco Digipass 860 USB Key                  Stored Value

Table 4-1. List of supported tokens

4.1 General Token Operation


1. Hardware Device Support
Ensure the machine has the appropriate Windows drivers for the
hardware tokens it needs to support, for example, if you intend to use
Aladdin eTokens you need to install the Aladdin eToken RTE (Run Time
Environment).
If you intend to use smart cards, you need to ensure that a SafeBoot
supported smart card reader is installed, along with its drivers – for
example the Mako/Infineer LT4000 PCMCIA smart card reader must be
installed.
In both cases, the appropriate device drivers are available either direct
from the manufacturer, or from the SafeBoot install CD in the “Tools”
directory.
2. Device Encryption Driver Support
Once you have installed hardware support for the devices, you can
enable software support for them – from the machine, or machine
group properties window, select the “Files” properties pane and tick the
appropriate options for the tokens you want the machine, or group of
machines to support.
For example, if you want the machines to support eTokens, select the
“eToken PRO Client Token” file group. To support the Mako/Infineer
Smart Card reader, select “Infineer Smart Card Reader” file set.
You should also note that some USB key tokens are in fact a combined
USB Smart Card reader and USB Device in one unit, so you also need to
add USB CCID Smart Card reader support to your Device Encryption
clients for them to work. See the compatibility document later in this
chapter for information on the tokens which are of this nature.


3. Assign the token to the user and create it.


From the user’s “Token” properties pane, select the token you want that
user to log in with. SafeBoot will prompt you to insert the token and will
create the appropriate data files on it.
If all steps are followed, when you install SafeBoot, or after the
machines synchronize, users will be able to log in using their new token.

NOTE: When learning how to use SafeBoot, we advise you always leave at least one
password-only user assigned to machines in case you make a mistake when
setting up token support.

4.2 Stored Value Tokens


SafeBoot can store user keys on certain tokens, such as smart cards or
USB keys such as the Aladdin eToken.
Each storage token holds around 1KB of data unique to the SafeBoot
environment and to the SafeBoot user, and must be configured within
the SafeBoot Management Center for the specific user before it can be
used.
Tokens offer the following advantages over passwords:
• The user's key is not stored on the user's machine, and is
protected from brute force attack by the microprocessor of the
token
• The same token can be used to authenticate to many systems
• Tokens can be used for other physical purposes, for example door
access systems
SafeBoot supports many types of token, and the list is continuously
growing. Some examples are:
Soft tokens such as:
• Password Only Token
Smart Cards such as:
• ActivIdentity Smart Card and USB Keys from ActivIdentity
(http://www.actividentity.com)
• SafeBoot Black Smart Card (G&D Cardos 1.2 T=1)
• SafeBoot Red Smart Card (G&D Cardos 1.2 T=0)
• RSA SecurID RSA5100 Smart Card from RSA
(http://www.rsa.com)


USB tokens such as:


• RSA SecurID SID800 USB Authenticator from RSA
(http://www.rsa.com)
• Charismathics USB Authenticator Token
(http://www.charismathics.com/)
• Aladdin eToken 64k Authenticator Tokens
(http://www.aladdin.com)
• SafeNet IKEY 2032 USB Token (http://www.safenet.com)
• SafeBoot Phantom Biometric USB Stick
(http://www.safeboot.com)

4.3 Certificate, or “Crypt Only” tokens


SafeBoot can leverage your investment in PKI and tokens to allow users
to authenticate using their certificates. This can be quite advantageous
in the corporate environment for the following reasons:
• Leverage investment in PKI and existing tokens
• Tokens do not need to be provisioned specifically for SafeBoot
• Users can log in to Windows etc. using their PKI certificates
• Revocation of certificates denies access to SafeBoot-protected PCs
By using one of SafeBoot’s certificate connectors, you can quickly make
your SafeBoot enterprise aware of all certificate-holding users, and can
allow them to be allocated to PCs using SafeBoot Device Encryption
without having to create new smart cards or other forms of token for
them to use.
SafeBoot has been tested with the following tokens and PKI
environments – more tokens and PKIs are being developed so if your
environment is not listed, please contact your SafeBoot representative
for the latest information.
You can use any token with any PKI.
PKIs
• Microsoft Certificate Server
• Entrust
• T-Systems
• Estonian National ID Card System
Tokens


• Datev PKI Smartcard


• ActivIdentity Smart Card and USB Keys from ActivIdentity
(http://www.actividentity.com). This token is also branded by HP
as an HP ProtectTools Smart Card.
• Estonian National ID Smart Card (http://id.ee)
• Telesec TCOS ID Card / IZN ID Card
• Siemens CardOS 4.3b and 4.01a Smart Card
(http://www.siemens.com)
• Setec ID Card (http://www.setec.com)

4.3.1 How Certificate Tokens Work


Certificate tokens leverage the unique one-way properties of public-key
encryption: that a piece of data can be encrypted for a user, using some
public information, but cannot be subsequently decrypted with that
same information.
SafeBoot uses the information stored in the public certificate store of a
PKI to look up users and encrypt their unique SafeBoot key with the
public key stored in their certificate. This online process is handled
transparently by one of the SafeBoot Connectors.
Once encrypted, SafeBoot stores the information within its policy store,
and makes it available to all SafeBoot-aware applications. For example,
with SafeBoot Device Encryption, the user's key encrypted with their
public key is stored on each machine the user is assigned to.
When a user tries to log in, SafeBoot sends their encrypted user key to
their token and asks it to decrypt it using the private key stored on the
token. The actual decryption happens securely within the
microprocessor of the token, and only after the user has supplied the
correct token PIN or password. This ensures the user's decryption key
(private key) never has to leave the token.
Once decrypted, the resulting user key can be used to authenticate the
user.
You can see from this process that there is no need for SafeBoot to
have had prior contact with the user's token, or to have stored anything
on it. All the information SafeBoot needs to prepare the system can be
obtained online through the PKI certificate server.
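
The wrap-and-unwrap exchange described in this section, as an added Python sketch that is not SafeBoot code: the connector wraps a user key using only the public certificate, the machine stores the wrapped copy, and the token decrypts it internally once the PIN is supplied. Assumptions: textbook RSA over fixed Mersenne primes stands in for the padded RSA a real card performs, and the key-check digest, the 16-byte key size, the PINs and every class and function name are constructed for illustration.

```python
"""Certificate ("crypt only") token flow, modelled end to end.

Illustration only: textbook RSA over fixed Mersenne primes stands in for the
padded RSA a real card performs. All class and function names are
hypothetical and are not SafeBoot APIs.
"""
import hashlib
import hmac
import secrets

E = 65537
KEY_LEN = 16  # assumed size of the per-user key, in bytes


class CertificateToken:
    """Card model: the private exponent is used only inside decrypt()."""

    def __init__(self, p: int, q: int, pin: str):
        self._pin = pin.encode()
        self._n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))  # stays on the card

    def certificate(self) -> dict:
        """Public half, as the PKI publishes it in the directory."""
        return {"n": self._n, "e": E}

    def decrypt(self, blob: int, pin: str) -> bytes:
        """Private-key operation on the card, released only by the PIN."""
        if not hmac.compare_digest(pin.encode(), self._pin):
            raise PermissionError("token refused: wrong PIN")
        size = (self._n.bit_length() + 7) // 8
        plain = pow(blob, self._d, self._n)
        return plain.to_bytes(size, "big")[-KEY_LEN:]


def connector_enroll(directory: dict, user_id: str, user_key: bytes) -> dict:
    """Connector step: wrap the user key under the public key found in the
    directory. The user's token is neither present nor modified."""
    cert = directory[user_id]
    m = int.from_bytes(user_key, "big")
    if m >= cert["n"]:
        raise ValueError("user key does not fit this modulus")
    return {
        "wrapped": pow(m, cert["e"], cert["n"]),
        # Assumption: a digest lets the client recognise the correct key.
        "check": hashlib.sha256(user_key).hexdigest(),
    }


class Machine:
    """Client PC holding one wrapped key per assigned user."""

    def __init__(self):
        self.users = {}

    def sync(self, user_id: str, record: dict) -> None:
        self.users[user_id] = record

    def preboot_logon(self, user_id: str, token: CertificateToken, pin: str) -> bool:
        record = self.users.get(user_id)
        if record is None:
            return False  # user is not assigned to this machine
        try:
            key = token.decrypt(record["wrapped"], pin)
        except PermissionError:
            return False
        digest = hashlib.sha256(key).hexdigest()
        return hmac.compare_digest(digest, record["check"])


def demo() -> dict:
    # Constructed sample data: two cards with toy key pairs and made-up PINs.
    alice_card = CertificateToken(2**127 - 1, 2**107 - 1, pin="4821")
    bob_card = CertificateToken(2**89 - 1, 2**61 - 1, pin="7350")
    directory = {"alice": alice_card.certificate(), "bob": bob_card.certificate()}

    laptop = Machine()
    user_key = secrets.token_bytes(KEY_LEN)
    # Enrollment uses the directory only; alice_card is not involved.
    laptop.sync("alice", connector_enroll(directory, "alice", user_key))

    return {
        "right_card_right_pin": laptop.preboot_logon("alice", alice_card, "4821"),
        "right_card_wrong_pin": laptop.preboot_logon("alice", alice_card, "0000"),
        "other_users_card": laptop.preboot_logon("alice", bob_card, "7350"),
        "user_not_assigned": laptop.preboot_logon("bob", bob_card, "7350"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'logon' if ok else 'denied'}")
```

Only the first case authenticates; the machine holds nothing that can be unwrapped without both the matching card and its PIN.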


4.3.2 Certificate Connectors


Setting up Certificate tokens is the responsibility of the SafeBoot
Certificate connectors – these are available for both Active Directory
and LDAP systems, and more information on configuring them can be
found in the “Management Center 5 Administrators Guide”, in the
“Active Directory Connector” and “LDAP Connector” chapters.
The connectors can search AD and LDAP directories for users, and
create them in SafeBoot based on certain criteria. The connectors can
also monitor CRLs for revoked certificates, and automatically handle
the rollover of certificates on expiry.

4.4 Other Types Of Token


There are other types of token also supported by SafeBoot, such as
Biometric and Cognometric tokens. For more information on these
tokens please contact the manufacturer or your SafeBoot Distributor.
Other tokens supported in SafeBoot Device Encryption:
• Sony Puppy Biometric Reader (http://www.sony.co.jp/puppy/)
• RealUser Passfaces (http://www.realuser.com)
• Infineon Embedded TPM Chip

4.5 Token Compatibility


SafeBoot supports many tokens, but due to the pre-boot nature of
Device Encryption, not all tokens are supported in all environments. The
following table indicates known compatibility issues. If you have a
specific token requirement, please contact your SafeBoot
representative for the latest information.

4.5.1 Smart Card / Smart Card Reader Compatibility


Smart cards in the table columns (the left-to-right column order is not
preserved in this copy): RSA SecureID RSA5100 (Stored Value); SafeBoot
Black (T=1) (Stored Value); SafeBoot Red (T=0) (Stored Value);
ActivIdentity (Stored Value) T=0; Estonian National ID Card; Datev (PKI
Mode); ActivIdentity (PKI Mode); Siemens CardOS; IZN Certificate.

| Reader | Marks, one per smart card column |
|---|---|
| Generic USB CCID Reader | 9 9 9 9 9 9 9 9 9 |
| Omnikey 3021 CCID | 9 ? ? 9 ? 9 ? 9 9 |
| ACR38 USB Reader | 9 9 9 9 9 9 9 9 9 |
| GemPC 430 USB | 9 9 9 9 9 9 9 9 9 |
| Dell D620 Integrated reader | 9 9 9 9 9 9 9 9 9 |
| SCM SCR243 PCMCIA | 9 9 9 9 9 9 9 9 9 |
| PCI Integrated | 8 9 9 9 9 9 9 9 9 |
| SCM SCR201 | 9 9 9 9 9 9 9 9 9 |
| CISCO / PSCR PCMCIA | 9 9 9 9 9 9 9 9 9 |
| Cardman 4040 | 9 9 9 9 9 9 9 9 9 |
| TI Embedded (Dell D610, HP NC6400) | 9 9 9 9 9 9 9 9 9 |
| O2 Micro Embedded (Dell D600 etc) | 9 9 9 9 9 9 9 9 9 |

Table 4-2. SafeBoot Smart Card / Reader Compatibility


Some USB key tokens are in fact a combined USB Smart Card reader
and USB Device in one unit, so you also need to add USB CCID Smart
Card reader support to your Device Encryption clients for them to work.

4.5.2 USB Key / Reader Driver Requirements


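USB keys in the table columns (labels in the order extracted; the column
order and the placement of the loose qualifiers "(Certificate)",
"(Storage)" and "(Storage)" are not preserved in this copy): RSA SID800
(Storage); Actividentity Activkey; Aladdin eToken 64K; SafeNet IKEY
2032; Vasco Digipas 860; Charismathics; RSA SID800.

| Reader | Marks, one per USB key column |
|---|---|
| Generic USB CCID Reader | 9 9 9 9 9 Not Required 9 |

Table 4-3. USB Key / Reader Driver Requirements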

4.6 Specific Token Notes


4.6.1 RSA SID800 USB Token
Storage token supported pre-boot. This token requires firmware
1.01.33 or higher.

4.6.2 ActivIdentity Smart Cards and USB Keys


These modules support ActivIdentity 64K v1 (card profile S4),
ActivIdentity 64K v2 (card profile O4) and ActivIdentity 64K v2C (card
profile S4) cards. You can choose to use the card in Stored Value mode,
or Certificate mode. The tested ActivIdentity ActivKeys are the AAK300
version (product code ZFG-3007-AB).

4.6.3 Infineon Embedded TPM Chip


The Infineon Trusted Platform Module (TPM) on Fujitsu PCs can be used
as a token for SafeBoot allowing:
• Authentication to SafeBoot Administration
• Pre-Boot Authentication
• Screensaver Authentication


Note: When you wish to use the TPM as a token for SafeBoot
Administration, you must ensure that the UserID is not used on any
other PC with a TPM as it will be locked to that PC from then on.
The embedded TPM chip, in its simplest form, can be envisaged as a
smart card physically attached to the motherboard of the PC. The TPM
(Trusted Platform Module) can perform similar cryptographic operations
to PKI smart cards, such as encryption, decryption, key generation,
signing of data etc.
With the SafeBoot TPM module, the TPM chip is used to secure a user's
logon credentials. This means that once initialized, the user's unique
secret key is removed from the SafeBoot environment and secured by the
TPM chip. From this stage onwards the user will only be able to log in
to that particular machine.
Conversion from password mode to TPM mode is automatic and occurs
as soon as the user uses their account on a TPM protected machine.
From activation onwards, that SafeBoot user will only be able to log into
the machine on which the TPM chip holds their keys.
Pre-Requisites for SafeBoot Pre-Boot TPM Support
• SafeBoot V5.0
• PC with Infineon TPM Chip installed (TCG Spec. Version 1.2)
SafeBoot's TPM module also requires that the TPM be "initialised". This
involves creating the Endorsement Key, Storage Root Key and setting
an Owner password. If this is not done, SafeBoot will find the TPM and
try to convert the user to use it at first logon, but the operation will fail
and the user will not be able to logon.
• Infineon TPM Professional Package (Version 2.5)
The TPM initialisation process is performed by the Infineon software
after you install it.
• The TPM Chip must be enabled in the BIOS on the target PC.
The TPM has to be enabled in the BIOS (which it isn't by default). Until
it is enabled, it is essentially not present as far as SafeBoot and the
Infineon software are concerned. If you try to install the Infineon
software with the TPM disabled, it will warn you "Infineon TPM not
found" and abort the install (exactly as it does on machines without a
TPM).
SafeBoot has been tested with the following TPM Components:
Infineon TPM Professional Package v2.5 HF2
Chip State = Enabled
Owner State = Initialized


User State = Initialized


Trusted Platform Module:
TCG Spec. Version = 1.2
Vendor = Infineon Technologies AG
Chip Version = SLB 9635 TT 1.2 (41313100)
FW Version = 1.00
FW ROM CRC = 0x4028
TPM Device Driver:
File name = ifxtpm.sys (x86)
Version = 1.80.0002.00 built by: WinDDK
TPM Device Driver Library:
File name = IFXTPM.dll
Version = 2.50.0771.00
Configuring the TPM on the target PC
The following instructions detail how to enable TPM support for a user
on a target PC
1. From the system tray double-click the TPM icon or from Start-> All
Programs -> Infineon Security Platform solution -> Manage Security
Platform
2. Click on the User Settings tab
3. Click on the Basic User Password -> Change button
4. Follow the on screen instructions to register password for the TPM
5. When you have successfully created the TPM password, exit the
application.
SafeBoot DE 5.0 setup
1. Install SB5.0 with TPM support
2. Login to SBADMIN
3. Click on Devices and from SafeBoot Machine Groups add a new
Machine Group
4. Right click on the Machine Group and select properties
5. Click on the Files icon and select TPM Machine Chip and apply these
settings
6. Click on the User’s tab and create a SafeBoot User


7. Right click on the new SafeBoot user and select properties


8. Assign an Infineon Embedded TPM Chip to the User and apply these
settings
(Note the Configure option does not apply to the Puppy token)
9. Assign the user to the machine group
10. Create an install set from the machine group.
Installing SafeBoot with TPM
1. Install SafeBoot on the Client PC using the newly created install set
2. Reboot and Synchronize with the SafeBoot Database
3. Login to the Pre-Boot authentication using the default password
“12345”
4. When prompted to change the password, select the same password
as the Basic User password for the TPM
5. From the PC's next boot the password for the TPM will be the TPM
Basic User password.
6. Reboot machine and logon at PBA by selecting the Sony Puppy token.
Recovery
When a user password recovery is performed SafeBoot will reset the
password to the default ‘12345’ and will allow the user to login. The
user will be prompted to change the password. Select a new password
and ensure that you change the TPM password to the new one before
rebooting the PC.

4.6.4 Sony Puppy Fingerprint Reader


The Sony Puppy can be used as a token for SafeBoot allowing:
• Authentication to SafeBoot Administration
• Pre-Boot Authentication
• Screensaver Authentication
The Puppy allows two modes of operation: Fingerprint or Password. This
means that if a user fails to log in using their fingerprint, they can do
so using their password.
Requirements to use Sony Puppy with SafeBoot
1. Puppy Suite Enterprise / Personal - v2.1 or later
2. Sony Puppy device (FIU-810-N03)


3. SafeBoot V5.0
The following instructions detail how to enable Sony Puppy support for
a user. For this you will need to have a new Sony Puppy or reset an
existing one using the Sony Puppy Administration Tools.
Step 1. Setup the Sony Puppy Fingerprint Reader
1. Install the Sony Puppy software - SC-API 810 setup (Basic)
2. Plug the Sony Puppy finger-print reader into an available USB Port
3. Click Start -> All Programs -> FIU-810 tools -> User Manager
4. Follow the on screen instructions to register a UserName and
Fingerprint / Password for the device
5. When you have successfully created the Sony Puppy User and
registered your fingerprint(s) exit the application.
Step 2. SafeBoot DE 5.0 setup
1. Install SB5.0 with Sony puppy support
2. Login to SBADMIN
3. Click on Devices and from SafeBoot Machine Groups add a new
Machine Group
4. Right click on the Machine Group and select properties
5. Click on the Files icon and select Sony Puppy Client Files
6. Apply these settings.
7. Click on the User’s tab and create a SafeBoot User (keep a note of
the UserID)
8. Right click on the new SafeBoot user and select properties
9. Assign a Puppy token to the User and apply these settings
(Note the configure option does not work with the Puppy token).
10. Assign the user to the machine group
11. Create an install set from the machine group.
Step 3. Installing SafeBoot with Puppy Support
1. Install SafeBoot on the Client PC using the newly created install set
2. Once installed, start SbPuppytrainer.exe from default SafeBoot
directory.
3. Select Train Puppy from the menu.


The following screen is displayed:

Figure 4-1. Training a Sony Puppy

4. Select Use SafeBoot Username and enter the UserID and Password of
the SafeBoot user and click the Logon with Password button.
You will be asked to verify your fingerprint.
5. Place your finger on the reader and it should verify "OK".
The training is complete. You may reboot the machine and log on at
PBA by selecting the Sony Puppy token.

4.6.5 Aladdin eToken 64KB


Tokens with id 0x0514 and 0x0600 are supported. Tokens 0x050c are
no longer supported as they are discontinued by Aladdin.
This token module requires Aladdin RTE 3.65 to be installed.

4.6.6 SafeNet IKEY 2032


Requires the v3.4.7 drivers as available from www.safenet.com. The
Windows update drivers do not function. This token is supported in
Storage Mode only.

4.6.7 SafeBoot Phantom USB Biometric Key


The SafeBoot Phantom is a combined USB storage + Biometric
authentication token. To use it for Device Encryption Pre-Boot:

Step 1.


Create a user and assign their finger within the USB Phantom by
running SMCforUSB.exe (this is the USB Management utility):
1. Create user
2. Enrol user i.e. register finger!
3. Assign a partition to the user
Step 2.
1. Within the SafeBoot Management Center create a user account
for the user name created in step 1.
2. Assign the SafeBoot for USB token to the user (the default token is
password). Note: The default in DE is to create a default password of
12345.
Step 3.
Define Machine Policy which should include file sets:
• DE 5.x client files
• READER: USB CCID smart card
• TOKEN V5x: SafeBoot for USB Phantom client files
Step 4.
Create an online installation set. Note: assign the user or user group
to the machine as part of the machine policy.
Step 5.
Install Safeboot5x.exe on the client PC.
After the second reboot of the client you should see the pre-boot
authentication screen, which will have password and SafeBoot for USB
token options.
Step 7.
Select SafeBoot for USB which should generate a SafeBoot Biometric
challenge screen
1. Attach USB phantom to PC.
2. Swipe enrolled finger on USB Phantom
3. Tick the box for user listed “Provide User Name”


The standard SafeBoot logon screen should appear which will require
the SAME user name to be entered as the one registered with the USB
Phantom. At this point you will need to enter the default DE password of
12345 which will marry the DE Safeboot client with the USB phantom.
This step has completed the integration of the SB DE client with the
USB phantom.
The PC should now boot into Windows. After rebooting the client you
should only be prompted to authenticate via the USB Phantom
biometric reader.


5. Creating and Configuring Machines

The Object Directory contains a unique record for every machine
attached to it. When SafeBoot installs, it creates a record either directly
in the Object Directory, or in a transfer directory for later inclusion –
this “object” contains the machine’s encryption key, hard drive
geometry, and secure configuration.
Each user machine periodically tries to connect to its parent directory to
check that its local configuration matches the centrally defined one. If
there are any differences, the local machine reconfigures itself to
match. You can change any aspect of the machine’s configuration
centrally; these changes get applied to the machine the next time it
synchronizes.
Machines normally create their own object in the directory when
SafeBoot first installs; this happens automatically if you use a Group
Install Set (see Chapter 9). You can also pre-create a “placeholder”
object for the machine, set a unique custom configuration for it, and
then create an install set for that object only.
Users are assigned to machines and machine groups. When the
machine synchronizes it compares its local user list with that in its
Object Directory entry. Any changes are made in real time, including
disabling the current user if their account status becomes removed or
disabled.


5.1 Machine Administration Functions

Figure 5-1. Machine Administration Functions

5.1.1 Create Machine


Creates a new “placeholder” machine definition. If in the future a new
machine with the same network name tries to install itself into the
group, it will take over the placeholder object and use the configuration
set within it.

5.1.2 Rename Machine


Changes the SafeBoot name of the machine.

NOTE: This does not affect the machine's network name, which can be seen from the
General Properties page.


5.1.3 Delete
Deletes the machine entry – you will be given the opportunity to
Permanently Delete the machine, or to move the machine to the
Recycle Bin (where it can be later restored).

5.1.4 Import Machines


Imports a machine definition into the group - This definition could be
from a machine created using an Offline Install (see Chapter 10) or
from an export from another database.

5.1.5 Export Configuration


Exports the configuration information for a machine (.sdb file) which
can be used for diagnostic or troubleshooting tasks (see Chapter 22), or
for import into an alternate database.

5.1.6 Create Install Set


Creates a package of all the files and configuration needed to install
SafeBoot - for more information see Chapter 10.

5.1.7 Force Synchronization


You can elect to force a machine (or group of machines) that is
online to perform an immediate configuration synchronization. You would
perhaps do this if you have removed a user from a group (or disabled
them) and it is imperative that they are disabled immediately, or if a
user has a configuration issue that needs resolving.
To do this, select the machine (or machine group) in question, and use
the "Force Synchronization" option from the window menu or right-click
menu. The Administration Center sends a short message to the machine
in question (using its stored DNS or IP address) telling it to perform an
immediate synchronization to update its policies.
If you "Force Sync" a machine that is not online, or that refuses the
request because SafeBoot is no longer installed, an error message is
generated.
If SafeBoot is already in the process of performing a configuration
change on the remote machine, the sync request is ignored.


5.1.8 Reboot Machine


You can select the “Reboot Machine” option to attempt to reboot one or
many machines – this sends a message to the machines in question
telling them to perform an immediate shutdown. Users may not be
given enough time to save their work, so this feature should be used
with caution.
You can configure the messages and timeout of the reboot option by
editing the SCM.ini file, as explained in Chapter 18 of this guide.

NOTE: There are some instances when Windows will prevent remote rebooting of a
system, e.g. while the screen-saver is active.

5.1.9 Lock Machine


You can remotely activate the screen saver on a given machine by using
the “Lock Machine” command. Both machines and groups of machines
can be locked in this way.

5.1.10 Add Users


You can add a number of users to a collection of machines using this
option – You can select the machine, or combination of machines you
want to add users to from a group or search window.

5.1.11 View Audit


Displays the audit for the machine - for more information see Chapter
13.

5.1.12 Reset to Group Configuration


Resets the configuration of the machine, or all the machines in the
group, to the group's configuration - optionally sets the user list to
match the group user list.

5.1.13 Create Copy


Creates a new object based on the selected object.

5.1.14 Properties
Displays the properties of the selected object.


5.2 Machine Configuration Options


The following configuration options can be set for machines, or groups
of machines.

5.2.1 Machine Groups

Figure 5-2. Machine Group Description

Description
You can enter a text description for a machine group, such as the
physical location of the machines.


5.2.2 General

Figure 5-3. Boot Protection and General Options

Boot Protection
The status of SafeBoot can be set in one of four modes. Both the
desired and current protection status are shown.
Disabled – SafeBoot is installed and listening, but is not securing the
computer. You can change the status to another mode and this will be
reflected at the next synchronization.
Enabled – SafeBoot is protecting the machine, and requiring users to
log on.
Remove – SafeBoot will decrypt and uninstall itself at the next
synchronization.
Remove and Reboot – as above, with the addition that SafeBoot will
automatically reboot the machine after uninstalling.
Removed – SafeBoot is no longer installed on the machine, and its entry
can be deleted from the directory.


TIP – If you select “Remove” and let the machine uninstall SafeBoot, remember to either
delete the entry from the directory, or set the protection back to “Enable” before
re-installing SafeBoot. If you forget this, then as soon as the new install connects,
it will remove itself again.

Description
A text description of the machine, such as its specification, model or
physical location.
Network Name
The machine's logical network name - you can find and filter the
Machine tree for the machine's name using the Object/Filter option.
Options
Windows Logon
• Require SafeBoot Logon – SafeBoot takes control of the normal
windows logon screen, and screen saver logon. Users will be
prompted for their SafeBoot credentials.
• Attempt automatic Windows Logon – SafeBoot tracks the user’s
Windows id, password and domain, and presents these
automatically to windows logon boxes. This mechanism means
once the user has authenticated to SafeBoot at the boot screen,
they do not need to enter any more passwords for Windows.

NOTE – If the user’s Windows credentials are different from their SafeBoot credentials,
SafeBoot stores the windows credentials the first time they are used. It may take
two reboots before the single sign on becomes active.

• Require SafeBoot re-logon – If the user logs out of Windows,
SafeBoot will control the login box for the next login.
• Automatically logon as boot user – If there are no stored Windows
credentials for the user, SafeBoot tries to login to Windows with
the user’s SafeBoot credentials.
• SafeBoot logon component always active – If selected, the
SafeBoot login component is kept active on the machine even if
all the other options are disabled. This means that it can be
reactivated mid-session during synchronization with the Object
Directory. If all options are deactivated, the SafeBoot logon
component can only be reactivated after a reboot.
• Set SafeBoot Password to Windows Password – If the Windows
and SafeBoot login passwords differ, Users will be prompted to set
the SafeBoot password to the Windows password. Also, if the user
changes their password in Windows, their SafeBoot password will
be set to match.


• Must Match Windows user name – If a user’s SafeBoot and
Windows user IDs do not match, no SSO credentials will be
stored for the user if this option is enabled. This prevents an
administrator’s Windows credentials being associated with a
normal user’s SafeBoot account in the case that the normal user
logged in at pre-boot, but then an administrator authenticated to
Windows.
Booting
• Allow Booting from the hard disk – If disabled, users will have to
boot the machine with a machine bootable token such as a
SafeBoot Floppy Disk. This adds the additional security in that the
machine is inaccessible without the token.

NOTE: This option is not available with SafeBoot version 4.1 or later.

Virus Protection
• Enable MBR Virus protection – SafeBoot monitors boot sector
activity, and prevents any program writing to it. SafeBoot also
monitors the BIOS signature to further prevent boot viruses.

NOTE – If you have this option enabled and you move a protected hard disk between two
machines, SafeBoot will detect this as a possible virus and prevent the machine
being used until a virus reset has been performed. For information on this
procedure, see Chapter 20.

Miscellaneous
• Do not display previous user name – Hides the ID of the last
logged on user in all SafeBoot logon dialogs, and changes the
“Incorrect Password” and “Unknown User ID” error messages to a
generic message.
• Reject Suspend/Hibernate Requests - Stops the machine
performing an insecure power action.
• Disable Checking for AutoBoot - switches off the $autoboot$ user
support on this machine. If the machine has many users
assigned, this option can speed up the boot time.
• Do not lock after AutoBoot is removed – normally SafeBoot locks
the workstation if the current logged in user is removed or
disabled as part of a synchronization event. This is to prevent the
machine being used in the event that there is no current user.
Switching this option on stops the autolock happening if the
$autoboot$ user is removed, and may be useful in the case of
automated software updates.


• Allow AutoBoot user to be managed locally – enables support for
the “-disablesecurity” and “-reenablesecurity” options of the
SafeBoot Automation library – for more information on these
options see the SBAdmCL users guide.
• Disable Clearing of status log – Prevents users from clearing the
Client side status log.
• Always display On-screen keyboard – Forces the pre-boot to
always display a clickable on screen representation of the
keyboard. This option is of most benefit to TabletPC users.
• Enable Boot Disk Compatibility – Some machines have BIOS code
which mounts USB disks as physical drives. This is an unusual
mode of operation and means that after SafeBoot has finished its
authentication, Windows will hang trying to access the drive
through the BIOS physical interface (because SafeBoot is also a
32 bit platform, it unloads all BIOS drives when it finishes). This
option forces the low-level SafeBoot drivers to block access to
disks other than the boot disk, meaning Windows will not detect
these USB drives until the USB stack is initialized. An alternate
solution would be to unplug all USB drives before booting the
machine.
• Always enable pre-boot USB support – This option forces the
SafeBoot pre-boot code to always initialize the USB stack.
Normally this option should not be enabled as SafeBoot will
dynamically enable USB on demand.

5.2.3 Encryption

Figure 5-4. Setting Drive Encryption

Before a machine has first synchronized with the Object Directory, or in
the case of the properties of a machine group, the Object Directory
does not know what drives and partitions are available to be encrypted.
The SafeBoot Administration Center gives you the ability to specify any
partition name and elect to encrypt it.
Once the machine has synchronized, only the partitions present on it
will be shown.
Encryption Mode
You can specify one of three encryption modes – “Full” encrypts the
entire partition, “Partial” encrypts only the first 10% of the drive,
“None” leaves the drive in plain text with no security. The “Last
Reported Setting” can be used to verify if the machine has applied
recent configuration changes.
The “Last Reported Setting” for a drive is the exact state of encryption
the last time the machine reported to the Database.

NOTE – Partial encryption is designed to encrypt the directory structure and file allocation
table on FAT drives – it does not stop a competent hacker reassembling file data
from the drive.

Recovery key
You can boot a machine, or close the SafeBoot screen saver without
logging on using the recovery process – this involves the user reading a
small “challenge” of 18 characters from the machine to an
administrator, then typing in a larger “response” from the
administrator. The recovery key size defines the exact length of this
code exchange. For more information see Chapter 14. A recovery key
size of “0” disables the machine recovery system.
Removable Devices
You can configure Device Encryption to also encrypt removable drives
such as USB/Firewire hard disks, Flash drives etc. Normally, Device
Encryption only protects physically attached hard disks – for example
IDE or SCSI hard disks. This is because SafeBoot Device Encryption is
related to the machine, not the user – it’s impossible to share drives
encrypted with Device Encryption between different machines. If you
need to share data amongst users and machines, please consider
SafeBoot Content Encryption.
• Manually Select – Normally removable drives will not be shown in
the encryption list. Selecting this option makes them visible.
• Always Encrypt – Forces encryption of removable drives.
• Never Encrypt – Prevents SafeBoot from attaching its drivers to
removable disks – this is the default option.

5.2.4 Users

Figure 5-5. Allowed Users

You can add both groups of users, and individual users to a machine (or
machine group) – either drag the user(s) from the user tree into the
machine properties user tab, or use the “user picker” to select them.
Although SafeBoot supports many hundreds of users on a single
machine, we STRONGLY recommend that the actual number of users
assigned is minimized to the fewest possible. Every user added to a
machine is another possible account through which a hacker could gain entry.
There is no purpose in adding entire departments of users to laptops
which are used by only one person.
Auto-boot users
Special user IDs containing the name “$autoboot$” with a password of
“12345” can be used to auto-boot a protected machine. This option is
useful if an auto boot of a machine is needed, for example when
updating software using a distribution package such as SMS or
Zenworks. These IDs should be used with caution though, as they
effectively bypass the security of SafeBoot.

Any ID containing the string “$autoboot$” can be used, for example
“my$autoboot$”, “$autoboot$123” etc.
By using more than one ID, you can improve database performance if
many machines are synchronizing the $autoboot$ account at the same
time.
You can also change the default password for the $autoboot$ accounts;
to do so, see the section “Autoboot.ini” in Chapter 18.

WARNING – It is quite possible to create a machine, or machine group, with no users
assigned. If this configuration is deployed then no one will be able to log on to
that machine. To resolve this issue, use the recovery “boot once” procedure, add
some users to the machine in question, then synchronize it again to update the
configuration.
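A review check for the points made in this section, as an added example that is not SafeBoot code: it flags machines with no users, IDs containing “$autoboot$”, and machines with more users than a chosen limit. The export format, the limit of 5 and the case-insensitive match are assumptions; the sample rows are constructed.

```python
"""Audit of machine-to-user assignments against section 5.2.4.

Added illustration, not SafeBoot code. The CSV layout (one row per machine,
users separated by ';') is an assumed export format, not a SafeBoot one.
"""
import csv
import io

AUTOBOOT_MARKER = "$autoboot$"   # any ID containing this string auto-boots
MAX_USERS = 5                    # assumed review limit; the guide gives no number

# Constructed sample data.
SAMPLE_EXPORT = """machine,users
LAPTOP-01,jsmith
LAPTOP-02,jsmith;my$autoboot$
KIOSK-07,
SRV-BUILD,$autoboot$123;adm1;adm2;adm3;adm4;adm5
"""


def audit_assignments(export_text, max_users=MAX_USERS):
    """Return a list of (machine, finding, detail) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        machine = row["machine"]
        users = [u.strip() for u in (row["users"] or "").split(";") if u.strip()]

        # No users assigned: nobody can log on until a "boot once" recovery.
        if not users:
            findings.append((machine, "NO_USERS", ""))

        # Substring match, because any ID containing the marker qualifies.
        # Matching case-insensitively is an assumption made to err on the
        # side of reporting.
        for user in users:
            if AUTOBOOT_MARKER in user.lower():
                findings.append((machine, "AUTOBOOT_ID", user))

        # Every extra account is another way in, so report large lists.
        if len(users) > max_users:
            findings.append((machine, "MANY_USERS", str(len(users))))
    return findings


if __name__ == "__main__":
    for machine, finding, detail in audit_assignments(SAMPLE_EXPORT):
        print(f"{machine:12} {finding:12} {detail}")
```

An AUTOBOOT_ID finding is worth tracking to closure: the ID should be removed once the software update that needed it has finished.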

5.2.5 Warning Text

Figure 5-6. Client Warning Text

Security Warning

Text displayed to the user in the SafeBoot login box.
Recovery Message
Text displayed to the user when they select the “recover” button. This
may include information such as their help desk telephone number.

5.2.6 Synchronization Settings

Figure 5-7. Synchronization Settings

SafeBoot machines try to keep their local configuration the same as
their central directory configuration; they do this by periodically
synchronizing changes with the Object Directory. The default behavior
is to synchronize on boot, but further options can be set.
Automatically Resynchronize
SafeBoot tries to contact the Object Directory every specified number of
minutes. If the directory cannot be contacted, the sync sleeps until the
next period.
Allow Local Resynchronization

By right clicking on the SafeBoot tool tray icon, the user can force a
synchronization event by selecting the “Synchronize” option. This
feature can be disabled.
Resynchronize when RAS connection is detected
Causes a synchronization event to occur if the user dials up to the
internet / intranet. SafeBoot checks for new RAS (Remote Access
Service) connections every second.
Synchronize time with directory
Sets the local machine time to the time of the server / directory it is
synchronizing with. If the user’s machine is in a different time zone to
the server, the correct local time will be set as long as their time zone is
correct.

SECURITY TIP - This option is useful when logon hour restrictions are in place – without
this time check the user could set their system clock back to gain extra hours of
machine use.

Disable Synchronization of Files
Stops SafeBoot monitoring file group changes, and deploying updates to
the remote machines.
Allow remote controlled synchronization
Lets an administrator initiate a synchronization event using the “Force
Sync” option – The SafeBoot client sends its IP address to the Object
Directory each time it connects to enable the communication channel.
The communication port can be set between 0 and 65535.
Disable Access if not synchronized…
If a machine does not connect to its server within the specified number
of days, then all accounts will become disabled. This option prevents
users continuing to use machines offline from the SafeBoot Object
Database for extended periods of time. Also, if a machine is stolen or
lost, you can be assured that it will disable itself after the timeout has
passed.
Delay Sync at boot for…
You can specify an optional offset and random offset for the initial boot
sync. This may speed up the machine, and will also ensure any network
load created by “9am syndrome” is distributed over a longer period of
time. Setting the delay time to zero disables the initial
synchronization.

The synchronization settings take effect once SafeBoot has connected
and picked up its policy from the central object directory. You can
pre-set the parameters that SafeBoot will use while it is trying to
establish the initial first time connection through settings in the file
SCM.ini. More information on this file can be found in Chapter 18.

5.2.7 Files

Figure 5-8. Client File Groups

Select which groups of files need to be deployed to the machine.
Typically the “SafeBoot Client File” group is deployed, along with
optional token and language files.
Some file groups may not be displayed in the list – only file groups with
the property “Client File Sets” will be shown.
You can add your own file groups for deployment to the SafeBoot
Object Database – see Chapter 6 for more information.

NOTE: If your SafeBoot user account has group permissions set, some file groups
assigned to the machine may be outside your control - in this case they will be
marked as locked groups. To gain the ability to change them, remove any “Group”
administration restrictions on your account.

5.2.8 Screen Saver

Figure 5-9. Screen Saver Properties

Enable Secure Screen Savers
SafeBoot will take control over all screen savers, providing secure
authentication services. On Windows NT, 2000, and XP, the “Windows
Logon” options also need to be configured.

NOTE: If “secure screen saver” is disabled, then it will be possible for users to set a
screen saver which does not require a password, or set no screen saver.

Allow user access…
If set, allows the user to change the local screen saver properties.
Run screen saver if token is removed…
If the current user’s token supports dynamic removal (such as a smart
card or eToken), then the screen saver will be activated if they remove
the token from the machine.
Set SafeBoot screen saver as default
Sets the current selected screen saver to be the “SafeBoot Screen
Saver”.
Allow logon of administrators…
Allows administrators with accounts on machines greater than the
specified level to unlock a screen saver locked by a different user. If
this option is not set, then only the user who locked the machine can
unlock it.
Set screen saver inactivity…
Sets the timeout period for the screen saver.

5.2.9 Boot

Boot Manager

Enable boot Manager
Switches on the built in pre-boot partition boot manager. Users will
be able to select which primary partition on the hard disk they wish
to boot.

You can control the display of the partitions which the user can select
via the file “bootmanager.ini”. For information about this file see
Chapter 18 of this guide.
Auto select After…
Allows you to select a time period after which the boot manager will
select the last used partition.

6. File Groups and Management

Figure 6-1. SafeBoot File Groups

SafeBoot 5 Device Encryption uses central collections of files, called
"Deploy Sets" to manage what versions of files are used on remote
SafeBoot clients. When an administrator updates a file in the central
directory, all machines attached to that deploy set automatically collect
the new version of the file from the directory the next time they
synchronize. This mechanism can be used to update SafeBoot clients to
future versions, or to manage any file on a SafeBoot protected machine
- for instance updating a virus database, or a new version of an
application.
You can assign multiple file sets to be used on each machine. Typically
two are used, the first for the core SafeBoot files, the second for the
language files. All assigned sets are processed in the same way.
When the Management Center is installed, it automatically adds the
entire standard SafeBoot administrator and client files into two core file
groups, "Administration Center Files" and "Device Encryption 5 Client
Files", and also may create language sets, for example "English
Language". Two INI files, ADMFILES.INI for the administrator files and
CLTFILES.INI for the client files, determine the contents of the core
groups. These INI files can be edited to allow custom collections of
files to be quickly imported and then applied using the "Import file list"
menu option. For more information on ADMFILES.ini and CLTFILES.ini,
see Chapter 18.
Other file sets created as standard include those to support login tokens
(such as smart card readers, and USB Key tokens).

6.1 Setting file group functions

Figure 6-2. File Group Content

You can specify the function of a file group by right-clicking it and
selecting its properties. Some file selection windows, for example the
file selector for machines, only display certain classes of file group (in
this example, those marked as “Client Files”).

6.2 Importing new files

Figure 6-3. Adding files to the Object Directory

New files can be imported one by one into an existing deploy set using
the "Import files" menu option. Simply select the file, SBAdmin will then
import it into the directory, and add it to the deploy set. The default
options for the file mean that it will NOT automatically be downloaded
to machines using this deploy set when they synchronize. See Chapter
6 for information on how to achieve this. You can also import File Sets,
for instance to add a new option to the SafeBoot database.

6.3 Exporting Files


You can export a file group, or an individual file back to a directory. This
may be useful, for example if you have an out of date administration
system driver and there is an updated file in the Object Directory.

6.4 Deleting Files


You can delete individual files from a file set. In this case all machines
that are maintaining a link to the file through association will delete it
from their local directory at the next synchronization event.

NOTE – Clients maintain a link to a particular file via its object ID, not its name. If you
delete a file and re-import it, its ID changes; clients will still delete the original and
download the new copy.

6.5 Setting File Properties


To see the properties of a file, right click on the file in question and
select "Properties". Two screens of information are available.

Figure 6-4. File Properties, File Information

The name of the file is the actual name, which will be used when
deploying the file on the remote machine. The ID is the Object Directory
object ID used as a reference for the file from the client PC. The version
number is an incremental version of the file. When the file is updated,
the version is incremented. This is used by the clients to check whether
an update is needed. Other information such as the name of the user
who imported the file, and its size may be shown.

Figure 6-5. File Properties, Advanced

File Types – Set the type of the file.
Operating System – Because some files are only applicable to some
operating system(s), the target operating system(s) for the file must be
selected. This is to prevent Windows NT drivers being installed on
Windows 98 machines, or Windows 9x registry files being run on
Windows 2000 servers.
Appid – If you are installing a file which is shared between multiple
SafeBoot applications, you can specify this application’s ID. This
prevents one application from installing files shared by another.
Update – Specify when SafeBoot should update the file.

7. Adding components to a Machine

To add new options, such as tokens, smart card readers, or other
ancillary files to an existing machine, or group of machines, simply
check the desired options on their “Files” tab.
Some combinations of options may be incompatible – for information
please see our web site, http://www.safeboot.com.

8. Using SafeBoot as a File Deploy System

SafeBoot’s internal file update mechanism can be used to synchronize
any file on a SafeBoot protected machine.
When the SafeBoot client performs synchronization, it compares its
internal file revision list with the revision of the files in the Object
Directory. If any files have been superseded (or are in the directory list
but not in the local list), SafeBoot downloads them.
The file type assigned in the Object Directory determines what happens
to a file when it is downloaded. The action can be summarized simply:
• SafeBoot Registry File – Processed into registry
• Windows Registry File – Processed into registry using RegEdit
• Pre/post Installation Executable – Copied to specified location and run
either before or after SafeBoot
• Any other file – Copied to specified location
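The comparison described above, together with the object ID rule from section 6.4, modelled as an added example (not SafeBoot code). It plans one synchronization and lists the downloads that would change the registry or run code, which are the ones worth reviewing before a file is imported into a deploy set. The record layout, the names and the sample data are assumptions.

```python
"""Model of the file reconciliation rules in Chapters 6 and 8 of this guide.

Added illustration, not SafeBoot code. Record layout, field names and sample
data are assumptions; only the rules themselves are taken from the guide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirFile:
    object_id: int   # Object Directory ID; clients link to a file by this
    name: str        # name used when the file is deployed
    version: int     # incremented whenever the file is updated
    file_type: str   # decides what the client does after download
    location: str    # "[appdir]" or an explicit target directory


# What happens to a downloaded file, by file type (Chapter 8 summary).
ACTIONS = {
    "SafeBoot Registry File": "process into registry",
    "Windows Registry File": "process into registry using RegEdit",
    "Pre/post Installation Executable": "copy to location and run",
}
COPY_ONLY = "copy to location"


def plan_sync(local, directory):
    """Return (downloads, deletes) for one synchronization.

    local:     {object_id: (name, version)}, the client's revision list
    directory: DirFile records in the file groups assigned to the machine
    """
    downloads = []
    for f in directory:
        have = local.get(f.object_id)
        # Fetch files that are new to this client or have been superseded.
        if have is None or have[1] < f.version:
            action = ACTIONS.get(f.file_type, COPY_ONLY)
            downloads.append((f.object_id, f.name, action))
    # Links are by object ID, so an ID that has left the directory is
    # deleted locally even if a file with the same name was re-imported.
    present = {f.object_id for f in directory}
    deletes = [(oid, local[oid][0]) for oid in sorted(local) if oid not in present]
    return downloads, deletes


def needs_review(downloads):
    """Downloads that edit the registry or execute on the client."""
    return [d for d in downloads if d[2] != COPY_ONLY]


# Constructed sample data. message.txt was deleted and re-imported, so its
# directory ID changed from 10 to 20 while its name stayed the same.
SAMPLE_LOCAL = {
    10: ("message.txt", 1),
    11: ("readme.txt", 3),
    12: ("old.txt", 1),
    15: ("keep.txt", 2),
}
SAMPLE_DIRECTORY = [
    DirFile(20, "message.txt", 1, "Other", r"c:\windows\desktop"),
    DirFile(11, "readme.txt", 4, "Other", "[appdir]"),
    DirFile(13, "settings.reg", 1, "Windows Registry File", "[appdir]"),
    DirFile(14, "setup.exe", 1, "Pre/post Installation Executable", "[appdir]"),
    DirFile(15, "keep.txt", 2, "Other", "[appdir]"),
]

if __name__ == "__main__":
    downloads, deletes = plan_sync(SAMPLE_LOCAL, SAMPLE_DIRECTORY)
    for oid, name, action in downloads:
        print(f"download {oid:>3} {name:14} -> {action}")
    for oid, name in deletes:
        print(f"delete   {oid:>3} {name}")
    print("review before import:", [d[1] for d in needs_review(downloads)])
```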

8.1 Example - Copying a new file to the desktop


This example shows how to set up a new text file that will be copied to
the user’s desktop when they synchronize.
Step 1. Checking the File Group settings
From the properties of the machine (or controlled machine group) you
want to update, check which file groups are assigned. The default file
group is "SafeBoot 5.1 Client Files". You can create new file groups
specifically for your custom files and assign them to machines if you so
wish.
Step 2. Adding the new text file
Select the file group from step 1, and then use the "import files" option.
Select the new file you want to import, for example "message.txt".
Once imported, select the new file and go to its "Advanced Properties"
box.

Because we are importing a "Known" file type, the file location will be
set automatically to [appdir]. We will override this with the location we
want to send the file to, in this case "c:\windows\desktop". We also
want this file to be deployed on all operating systems, so we check all
the boxes.

Figure 8-1. Setting the new text file permissions.

Now, next time the machine synchronizes, it will notice the new file,
and download it into its "c:\windows\desktop" directory. If the file was
defined as a type of SafeBoot or Windows Registry file, it would be
applied. If it was marked as an "Installation Executable", it would be run.
You can test this behavior by forcing the machine to resynchronize
using either the "Force Sync" option from SBAdmin, or from the
SafeBoot client tool tray Icon right-click menu.

Figure 8-2. Downloading the message.txt file

The file "message.txt" should appear on the desktop, and the status
window of the client should reflect the change.
More information on the SafeBoot file deployment mechanism can be
found in Chapter 6.

9. Creating an Install Package

SafeBoot client is installed by running a special archive file created from
the Management Center. This archive file contains all the components
necessary to install SafeBoot.
The Management Center compresses the files needed into a single self-
contained executable for ease of management. Deploy sets can be
created for Machine groups, and individual machines for both fully
online, and temporary offline situations. This chapter deals with creating
the install package, for information on how to apply it, see Chapter 10.

9.1 Selecting the Group / Machine

Figure 9-1. Creating a Group Installation Set

The first step in creating an install set is to select the object you want
to create the set for. Either an individual machine or a machine group can
be used. Install sets created for A MACHINE can only be used to install
that one machine - the target PC always takes the database entry the
install set was created for. Sets created for GROUPS OF MACHINES can
be used to install any number of machines in that group - each machine
looks in the deployed group for its name - if found it uses that object, if
not it creates a new object based on its network name.

9.2 Select the Install Set type

Figure 9-2. Creating Installation Sets, Page 1

For the second step you need to determine whether you expect the
machine to be online or offline at the time of install.

9.3 Online Installs


Online installations expect the master Object Directory (the directory
the administrator is currently connected to) to be available via the LAN
during the install process. Once SafeBoot is set up, on the next boot
SafeBoot will contact the Object Directory and download all the
configuration and object data for the machine and users.
If a "placeholder" object for the machine name exists (a machine object
created, but not installed), it will use the configuration stored in that
object. If no placeholder exists, the machine will obtain its configuration
from the machine group that the install set was created for.
If the machine name is already used in the directory, and the existing
machine is not a “placeholder”, the new machine will append a four digit
number to the end of its name and install. For example, where a
machine called “JSMACHINE” already exists, an object
“JSMACHINE0001” will be created.

NOTE: by editing the file "scm.ini" on the client before SafeBoot is activated (i.e. after
setup, but before the first reboot) the group can be changed.

9.4 Offline Installs


If the machine is expected to be disconnected from the SafeBoot Server
during the install, an "offline" install set can be created. In this case a
"transport directory" containing the necessary objects and configuration
data will be included in the deploy set. After local configuration, the
transport directory will need to be re-imported into the master directory
before the machine can be recovered.
Selecting an Offline install mode allows the additional choice to include
the "individual objects" in the transport directory. If they are included,
then all users and machines in the set will be deployed with the
transport directory (and therefore will be available immediately, even
before the machine connects back to the master directory). If they are
not included, then there will be no login prompt until the machine has
performed its first connection and brought down its user list.

NOTE- Until the transport directory containing the machine’s completed configuration is
imported back into the master directory, no connection or configuration of the
client can be performed. Also, in the case where the offline install set was created
from a group, it will not be possible to recover the machine until it has
successfully synchronized with its master database. In the case where the offline
install set was created for an individual machine, or in the case of users,
synchronization is not necessary for the machine to be recovered.

9.5 Importing a Transport Directory


The Transport directory is a file called sbxferdb.sdb, and can be found in
the directory the SafeBoot client is installed into. To import the details
in this directory back into the master, select the machine group you
want to contain the entries, and use the “Import Machines” right-click
option. This brings the keys and configuration from the machine into the
master database, giving the ability to synchronize with, reconfigure,
and recover the machine.

9.6 Summary of Offline Install set contents


Machine Group Sets
An Install set created from a machine group can contain the following
items.
• The Machine Group object.
• User objects assigned to the group, and user objects assigned to
machines in that group.
If the group contains machines, the following items are included in the
set.
• Individual Machine objects (live or placeholder).
• User objects assigned to the individual machines.

Individual Machine Sets


The following items are included.
• The machine object.
• Users assigned to that machine.

9.7 Select the Master Directory

Figure 9-3. Selecting the Master Object Directory

Step 3 involves selecting the final Object Directory that the new client
will communicate with to synchronize configuration details. The default
is the directory that the administrator is currently using, but may be
any the administrator has access to. Usually the clients will access the
Object Directory via a SafeBoot server, rather than locally. Connections
via a SafeBoot Server have the type “Remote”. You can specify multiple
connection points for machines, if you have more than one server
defined.
You can also change the order that the client will look for servers, and
enable automatic random selection of servers by using the wizard.

NOTE – For information on setting up a SafeBoot Server, see the SafeBoot Administration
Center Guide.

9.8 Set install options and create the set

Figure 9-4. Creating the Install Set

In Step 4, you set the location you wish the completed install file to be
saved to, and the directory on the client you wish SafeBoot to be
installed into.
Two options for the "visibility" of the set-up process can be set. Silent
installs do not give the user any visible display of the install process,
and are used in automatic deployment environments, such as Microsoft
SMS.
After SafeBoot.exe has been run on a client machine, it needs to be
restarted before SafeBoot can be activated. An automatic restart option
is included, but note that if both silent install, and automatic restart are
enabled, the machine will restart with no user intervention - this may
cause users to lose work if they have open documents when this
process occurs.

10. Installing, Upgrading, and Removing Device Encryption

Running an “Install Package” created by the SafeBoot administrator on
the target machine enables and installs SafeBoot.
For information on creating install packages see Chapter 9.

10.1 Offline Package Installs


Create the install file as per Chapter 9, selecting Offline install, and
including the users and machines required. Run the package on the
target client and let it reboot.
Once restarted, you must retrieve the file sbxferdb.sdb which needs to
be imported back into the master directory. For information on this
procedure see Chapter 9.
Once the transport directory has been imported into the master
database, if there is a network connection between the client and a
SafeBoot Server, you will be able to remotely manage the machine. If
you do not retrieve the transport directory, then you will not be able to
recover or reconfigure the machine.
If your machines are unable to connect to the master database after
install, for example if you are working in a permanently disconnected
environment, you may want to retrieve the .sdb file AFTER encryption
has finished – the status of encryption will then be properly reflected in
the master database. In the case of machines which connect to the
master database after offline install, this property will be automatically
updated during the sync process.

10.2 Online Package Installs


Create an “Online” install package as per Chapter 9. Simply run this file
on the target machine(s). Once they have installed and rebooted, they
will contact one of the SafeBoot Servers specified and create their
directory entries.

10.3 Removing / Uninstalling SafeBoot Client


You can specify four modes of operation for SafeBoot in the machine’s
“General” property page. For full details of these modes see Chapter
5.2.2.

To disable SafeBoot, i.e. put it into a mode where it is applying no
protection but can be easily re-enabled, set the machine status to
“Disable”. You can then at a future time set the status to “Enable” and
SafeBoot will re-apply the protection specified.
To completely remove SafeBoot, select either “Remove” or “Remove
and Reboot” – SafeBoot Client will perform the action after the next
synchronization event.

10.4 Upgrading SafeBoot from previous versions.


Where 5.x is mentioned, the current version of SafeBoot 5 should be
assumed.
As there are many different SafeBoot versions in existence, the upgrade
procedure changes depending on what versions you are upgrading from
and to.

10.4.1 Upgrading SafeBoot 4.x Clients to 5.x


1. Update your database and administration system as described earlier
in this chapter
2. Deselect the “SafeBoot 4.x Client Files” file set from the machines
you wish to upgrade, and select “SafeBoot 5.x Client Files” instead.
On the next synchronization, the machine will download the latest files
and code and apply the upgrade.
If you have other options selected, such as the File Encryptor, or Token
modules, be sure to also select 5.x versions of these as well.

10.4.2 Upgrading existing 5.x clients to a later service pack or patch version
Method 1. All machines at once
To upgrade between service pack or patch levels, for example from v5.0
to v5.1 you modify the existing file set in the SafeBoot Object Directory.
A special version of the client file cltfiles.ini is provided which does not
include items which have not changed, thus reducing the amount of
data which needs to be sent to the client machines.
1. Update your database and administration system as described earlier
in this chapter
2. Copy the appropriate upgrade file from the tools/upgrade directory
on the SafeBoot CD into your admin system directory.

3. Update the existing SafeBoot 5.0 Client file set with the new service
pack files by right-clicking the file group, clicking “import files” and
selecting the file you copied in step 2.
4. The machines assigned to the file set will download the new files and
apply them when they next synchronize.
Method 2. Upgrade machine by machine
To upgrade between service pack or patch levels, for example from v5.0
to v5.1 you can create a new file set in the SafeBoot Object Directory.
1. Update your database and administration system as described earlier
in this chapter
2. Create a new file group for the new 5.x files.
3. Right-click the new group and select “Import File Set”. Select the file
‘SBClientFileSet.ini’ from the administration system directory (usually
c:\program files\sbadmin).
4. For each machine you want to upgrade, deselect the machine’s
current client file set, and select the new 5.x file set you created in step
2.

10.4.3 Removing SafeBoot 5.x from a machine


1. Set SafeBoot to either “Remove” or “Remove and Reboot” from the
machine’s General properties.
The next time the machine synchronizes with the database, it will
remove all encryption and authentication, then uninstall the SafeBoot
program files. If you simply want to disable the SafeBoot protection, set
the Client to be “Disable” instead.
If the machine is unable to synchronize, perhaps because of a network
or Windows issue, you can still remove SafeBoot by performing an
emergency SafeTech removal, then running:
Sbsetup -Uninstall
from the SafeBoot program files directory.

11. Client Software

The SafeBoot Client connects to its Object Directory, or configuration
store, which may be on the same machine, a network drive, or via a
SafeBoot Server. It does this every time the machine boots, and
optionally at set time intervals or when a RAS session is initiated.
Once connected to the directory, SafeBoot Client uploads the latest
audit and password changes to the directory, and if necessary
downloads any configuration changes specified centrally.

11.1 The Tool Tray Icon


The only user-visible part of SafeBoot is the “SafeBoot Monitor” icon in
the user’s tool-tray. By double-clicking the icon users can start the
system screen saver (which may be protected by SafeBoot). By right-
clicking it they can select one of four actions.

Figure 11-1. SafeBoot right-click Tool Tray Menu

Activate Screen Saver
The default action when the SafeBoot tray icon is clicked is to bring up a
password protected screen saver.
Show Status
The configuration process within SafeBoot 5.1 is largely transparent
to the user. The only evidence of SafeBoot's working can be found from
the status menu available from SafeBoot's tool tray icon.

Figure 11-2. SafeBoot Client Status Window

The Status window displays any on-going configuration tasks (such as
encryption processes) and status messages from the last directory
connection.
Synchronize
SafeBoot tries to establish a connection with its directory during the
boot process. In situations where the directory is unavailable then (for
instance a notebook user who is connecting via dial-up networking), the
user can establish a connection at any time, and select the Synchronize
option to connect to a remote directory and collect / upload changes.
For details of the supported functions within the SafeBoot client, please
see the User and Machine configuration sections in the “Management
Centre 5 Administrators Guide”, and also this guide.

11.2 Client Auditing


User events are audited locally and then transferred to the Object
Directory as part of the synchronization process. For more information
on the events tracked see Chapter 13.


11.3 Boot and Logon Process


The Device Encryption boot screen allows the user to select a login
method (one of the available tokens), and then provide authentication
credentials such as a user id and password. If the user can provide the
correct details, the SafeBoot boot code starts the transparent hard drive
decryption process, loads the original MBR and executes it.
When the operating system starts, the SafeBoot Configuration Manager
(SCM) runs and performs a logon to the operating system (if SSO is
enabled). It then attempts to contact the Object Directory using the
Directory Manager (this can be local or remote via a SafeBoot Server)
and re-validates the user against any changes that have been made
since the last validation. Following this, SCM downloads and applies
any configuration updates. This could include new user accounts.
If the Object Directory validation is successful (i.e. no administrator has
deleted or disabled the user’s account) the Windows startup completes,
and the SafeBoot icon is loaded into the tool tray to allow the user to
run the screen saver, validate with the server, display status etc.
After a period of inactivity or a power event, SCM activates the screen
saver, locking the user out.
If the user logs out of the operating system, they may be required to
authenticate to SafeBoot when they log back into Windows.

11.4 SafeBoot Screen Saver

Figure 11-3. SafeBoot Screen Saver


SafeBoot Client includes a simple logo screen saver. You can use any
screen saver written to the Microsoft Screen Saver standards on the
system; SafeBoot will still protect its logon using the standard
SafeBoot logon window.

NOTE – You can change the logo displayed in the screen saver by adding a file called
“logo.bmp” to the Windows directory. You can also deploy logo.bmp using the File
Update technology built into SafeBoot. You may find extra graphics on your
SafeBoot CD in the “tools” directory.

Users can start the screen saver through any of the normal Windows
mechanisms, or by double-clicking on the SafeBoot tool tray icon.

11.5 Windows Sign-On and Logon Mechanisms.


SafeBoot includes many options to reduce the number of passwords
users have to remember. For information on these features, see
Chapter 12. These options are used to ensure that whenever the user
changes their Windows password, their SafeBoot password is changed
to the same. This happens without user interaction.

11.6 Changing The Password


The Device Encryption password can only be changed in the pre-boot
environment. To change the password:
1. Restart the PC
2. Enter the current user ID and password in the login dialog
3. Tick the change box, and click “OK”
4. Follow the on-screen prompts to change the password.


Figure 11-4. Changing the password pre-boot.


12. Windows Sign-on and SSO

SafeBoot can ease the logon process for users by doing the Windows
logon for them, and taking responsibility for screen saver logons and re-
logon requests. The features available can be configured by clicking on
the “General” icon of a machine or machine group object.

12.1 Windows Logon Features

Figure 12-1. Windows Logon Settings

Require SafeBoot Logon – SafeBoot takes control of the normal
Windows logon screen, and screen saver logon. Users will be
prompted for their SafeBoot credentials rather than their Windows
credentials.


Attempt automatic Windows Logon – SafeBoot tracks the user’s
Windows id, password and domain, and presents these automatically
to Windows logon boxes. This mechanism means once the user has
authenticated to SafeBoot at the boot screen, they do not need to
enter any more passwords for Windows.

NOTE – If the user’s Windows id and password are different from their SafeBoot id and
password, SafeBoot stores the Windows credentials the first time they are used. It
may take two boots before the single sign on becomes active.

Require SafeBoot re-logon – If the user logs out of Windows,
SafeBoot will control the login box for the next login.
Automatically logon as boot user – If there are no stored Windows
credentials for the user, SafeBoot tries to login to Windows with the
user’s SafeBoot credentials.
SafeBoot logon component always active – If selected, the
SafeBoot login component is kept active on the machine even if all the
other options are disabled. This means that it can be reactivated mid-
session during synchronization with the Object Directory. If all options
are deactivated, the SafeBoot logon component can only be reactivated
after a reboot.
Set SafeBoot Password to Windows Password – If the Windows
and SafeBoot login passwords differ, users will be prompted to set the
SafeBoot password to the Windows password. This option also captures
the Windows Change Password event, and again, sets the user’s
SafeBoot password to match.
If you are using this option, it is important to ensure that the password
template and quality rules in SafeBoot are identical to, or more lenient
than, those in Windows; otherwise a failed password change may occur
and the user will be reset to “12345”.
Must Match Windows User Name – This option ensures that SSO
details are only captured in the situation that the user’s SafeBoot and
Windows IDs match. If they are different, no SSO details will be stored.

12.2 How Windows Logon works


SafeBoot intercepts the Windows Logon mechanism, using a “Pass
through Shim Gina” on Windows NT, 2000 and XP, and a Credential
Provider on Vista. On Windows NT, 2000, and XP operating systems a
custom .ini file (SBGINA.INI) is used to help SafeBoot analyze the logon
screen and paste the credentials into the correct boxes on screen.


In Windows Vista Microsoft has replaced the original MSGINA
(Graphical Identification and Authentication) with a new method called
Microsoft Credential Provider. SafeBoot has modified the Single Sign On
architecture and implemented a Credential Provider to communicate
with Windows. We display each of the SafeBoot Tokens as a potential
logon method. If you log on to SafeBoot, you will be asked for your
Windows credentials only the first time, and SafeBoot will store the
Windows credentials securely within SafeBoot. On subsequent logon
events, SafeBoot will use the stored Windows credentials to log on.
You can find out more about Microsoft Vista Credential Providers from
the Microsoft MSDN website:
http://msdn.microsoft.com/msdnmag/issues/07/01/CredentialProviders/default.aspx

NOTE – For more information on SafeBoot ini files, see Chapter 18.

12.2.1 First Boot


The first time a user starts their newly SafeBoot protected machine,
SafeBoot authenticates them at boot time. If successful, the operating
system starts.
Normally they would next be presented with a Windows logon – if the
SafeBoot Windows Logon architecture is fully activated, SafeBoot will
automatically present the user’s stored SSO id and password to
Windows. If these details are accepted, SafeBoot stores a record of
these credentials in a special encrypted area of the user’s profile. If
Windows fails the SSO credentials, for example if they have not been
set, Windows displays the standard login box and the user is forced to
enter their Windows id and password. Again, once a valid login has
taken place, SafeBoot stores the correct credentials in the user’s
encrypted profile, which are uploaded to the central Object Directory on
the next synchronization.

12.2.2 Second Boot


The second and subsequent times the user starts the machine, they
login to the SafeBoot boot screen, then SafeBoot supplies the stored
Windows credentials to the Windows login box.


12.2.3 Failed Windows Password


If/When the Windows Logon credentials become invalid, for instance if
the user changes their Windows password on another system, or has it
reset by an administrator, the automatic login will fail and the standard
Windows login box will appear. Once again, once a successful login has
occurred, the correct details are stored encrypted in the user profile and
uploaded on synchronization with the central Object Directory.

12.2.4 Re Logon
If a user chooses to “log off” Windows, they would normally expect to
see the standard Windows logon box. SafeBoot takes control of this in
the same way as the initial logon screen, forcing the next user to login
with their SafeBoot credentials.

Figure 12-2. Logon to Windows Replacement Dialog

If users want to log on to Windows using a different account than their
stored credentials, they simply cancel the default login window, then
clear the “Automatically logon to Windows” box.
Once cleared, simply select the token you want to login with.

12.2.5 Setting and Changing a user’s SSO details


You can pre-set or change the SSO details associated with a user by
right-clicking their object and selecting “Set SSO Details”.


13. Auditing

13.1 Introduction
SafeBoot Device Encryption audits user, machine, and server activity.
By right-clicking on an object in the SafeBoot Object Directory, you can
select the view audit function.

Figure 13-1. Viewing a user’s audit log

Audit trails are uploaded to the central directory each time a machine
synchronizes. Until that time the audit is cached internally in the
encrypted SafeBoot file system. In SB4.1.1 and above, the last 3000
entries are cached locally; when the limit is reached the oldest 300
entries are culled. The local audit will retain approximately 2 years of
normal operation before culling begins.
The permission to view or clear an audit log can be controlled on a user
or group basis. Both the administration level, and administration
function rights are checked before allowing access to a log. For more
information on setting these permissions see Chapter 3.
Audit trails can be exported to a CDF file by using the “Audit” menu
option, or by right-clicking the trail and selecting “Export”. Also, the
entire audit of the directory can be exported using the “SBAdmCL” tool
– for information on this option please contact your SafeBoot
representative.


The Object Directory audit logs are open-ended, i.e. they continue to
grow indefinitely, but can be cleared en masse, again using SBAdmCL.

13.2 Common Audit Events


The text displayed in the audit log will depend on your localization and
language settings. The following table lists the common events and
their ID codes for the American English version of SafeBoot. Many
events can appear at multiple places, for example the “Login
Successful” event will be logged both in the user account doing the
login, and the machine being logged into simultaneously.

13.2.1 Information Events


Description                      Event

Audit cleared                    01000000
Boot started                     01000001
Boot complete                    01000002
Booted non-secure                01000003
Backwards Date Change            01000005
Booted from floppy               01000004
Token battery low                01000010
Power fail                       01000011
A virus was detected             01000013
Synchronization Event            01000014
Crypt Start                      01000015
Crypt End                        01000016
Add group                        01000082
Add object                       01000083
Delete group                     01000084
Delete object                    01000085
Import object                    01000086
Export object                    01000087
Export configuration             01000088
Update object                    01000089
Import file set                  01000090
Create token                     01000091
Reset token                      01000092
Export key                       01000093
Recover                          01000094
Create database                  01000095
Reboot machine                   01000096
Move Object between groups       01000098
Rename Object                    01000099
Server started                   010000C0
Server stopped                   010000C1
Table 13-1. Information Audit Events

13.3 Try Events


Description                      Event

Logon attempt                    02000001
Change password                  02000002
Forced password change           02000003
Recovery started                 02000016
Database logon attempt           02000081
Logon successful                 04000001
Password changed successfully    04000002
Boot once recovery               04000016
Password reset                   04000017
Password timeout                 04000018
Lockout recovery                 04000018
Change token recovery            04000019
Screen saver recovery            0400001A
Database logon successful        04000081
Logon failed                     08000001
Password change failed           08000002
Password invalidated             08000005
Recovery failed                  08000017
Database logon failed            08000081
Machine configuration expired    Undefined
A virus was detected             Undefined
Table 13-2. Try Audit Events

13.4 Succeed Events


Description                      Event

Logon successful                 04000001
Password changed successfully    04000002
Boot once recovery               04000016
Password reset                   04000017
Password timeout                 04000018
Lockout recovery                 04000018
Change token recovery            04000019
Screen saver recovery            0400001A
Database logon successful        04000081
Table 13-3. Succeed Audit Events

13.5 Failure Events


Description                                         Event

Logon failed                                        08000001
Password change failed                              08000002
Password invalidated (too many incorrect attempts)  08000005
Machine configuration expired                       08000012
Recovery failed                                     08000017
Database logon failed                               08000081
Table 13-4. Failure Audit Events
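
The event IDs in Tables 13-1 to 13-4 can drive a simple review of an exported audit trail. The following is an added example, not SafeBoot code: the record layout, object names and thresholds are constructed, and reading the leading byte of the ID as the event class (01, 02, 04, 08) is an inference from how the tables group the IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Leading byte of the event ID, as grouped by the tables above (an inference
# from those tables, not a documented field layout).
EVENT_CLASS = {0x01: "information", 0x02: "try", 0x04: "succeed", 0x08: "failure"}

LOGON_OK = 0x04000001
PASSWORD_RESET = 0x04000017
LOGON_FAILED = 0x08000001
PASSWORD_INVALIDATED = 0x08000005

# Information events reported every time they occur (the reviewer's choice).
REVIEW_ALWAYS = {
    0x01000000: "Audit cleared",
    0x01000003: "Booted non-secure",
    0x01000004: "Booted from floppy",
    0x01000005: "Backwards Date Change",
}

# Constructed sample records: (timestamp, event ID in hex, object name).
SAMPLE_ROWS = [
    ("2007-05-25 08:59:00", "01000001", "LAPTOP-07"),  # Boot started
    ("2007-05-25 09:00:10", "08000001", "jsmith"),
    ("2007-05-25 09:00:40", "08000001", "jsmith"),
    ("2007-05-25 09:01:05", "08000001", "jsmith"),
    ("2007-05-25 09:01:30", "08000005", "jsmith"),
    ("2007-05-25 09:20:00", "04000017", "jsmith"),
    ("2007-05-25 11:00:00", "01000004", "LAPTOP-07"),
    ("2007-05-25 11:05:00", "01000000", "LAPTOP-07"),
]


def classify(event_id):
    """Map an event ID to the table it is listed under."""
    return EVENT_CLASS.get(event_id >> 24, "unknown")


def review(rows, max_failures=3, window=timedelta(minutes=10),
           recovery_window=timedelta(hours=1)):
    """Return (object, finding) pairs in time order."""
    events = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(code, 16), obj)
        for ts, code, obj in rows
    )
    failures = defaultdict(list)   # object -> recent failed-logon times
    locked_at = {}                 # object -> time the password was invalidated
    findings = []
    for ts, event_id, obj in events:
        if event_id in REVIEW_ALWAYS:
            findings.append((obj, REVIEW_ALWAYS[event_id]))
        elif event_id == LOGON_FAILED:
            recent = [t for t in failures[obj] if ts - t <= window] + [ts]
            failures[obj] = recent
            if len(recent) == max_failures:      # report once per burst
                findings.append((obj, "Repeated logon failures"))
        elif event_id == PASSWORD_INVALIDATED:
            locked_at[obj] = ts
            findings.append((obj, "Password invalidated"))
        elif event_id == PASSWORD_RESET:
            # A reset soon after a lockout is worth matching to a helpdesk call.
            if obj in locked_at and ts - locked_at.pop(obj) <= recovery_window:
                findings.append((obj, "Password reset after lockout"))
        elif event_id == LOGON_OK:
            failures[obj].clear()
    return findings


if __name__ == "__main__":
    for obj, finding in review(SAMPLE_ROWS):
        print(f"{obj}: {finding}")
```
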


14. Recovering Users and Machines

You can recover users using either the SafeBoot Management Center,
WebHelpdesk, or the procedure documented below. For information on
recovery via the Management Center WebRecovery and WebHelpdesk
options, please see the “Management Center 5 Administrators Guide”.

14.1 Offline Recovery


Resetting a remote user’s password or replacing their logon token if it
has been lost requires a challenge/response procedure to be followed.
The user starts their machine, cancels any logon dialogues that may
appear, then clicks the “Recover” button from the pre-boot SafeBoot
Icon. This process can be used at the boot screen, Windows logon, or
screen saver logon.

Figure 14-1. Select User or Machine Recovery


After (optionally) entering their user name, a set of codes is displayed
on the user’s screen. The user needs to telephone their helpdesk and
read the codes to the administrator. The user code is time based, and
unique to the user and machine.

Figure 14-2. Starting the recovery process

The SafeBoot administrator needs to log into the Administration Centre,
select a machine group, and click the recover button – there is no need
to find the correct user beforehand.


Figure 14-3. Starting Recovery

The administrator will be prompted to enter the user code in the wizard,
and if correct will be given the opportunity to check the user’s profile if
the administrator has sufficient access rights to recover the user (based
on their level and group memberships). The administrator should use
this opportunity to validate the user by asking them questions based on
the hidden information stored in their account. Only if successful should
the helpdesk actually allow the user’s password to be reset.

Figure 14-4. Validating a user

If the administrator is happy that the user on the telephone is
legitimate, they can proceed with the next step in recovery.


Figure 14-5. Selecting the recovery option

The administrator selects the option they want to perform. If a user
name was entered, a user recovery proceeds; if no user name was
entered, then a machine recovery can be performed.
Boot Once - The machine boots with no user logged in.
Unlock Screen Saver – The screen saver is cleared.
Reset the user’s password – The user’s password is reset to the
token default. The user can then change this to a new password. This
option will not function if the user is disabled due to too many invalid
passwords – to resolve this issue see “Change Token”.

NOTE: Some tokens do not support password resets through SafeBoot, examples of this
include the DataKey Smartcard, RSA Smartcard, and Aladdin eToken Pro. For
information on how to reset the password on these devices contact the
appropriate manufacturer. To recover a SafeBoot user who has forgotten their
password in this case, either issue them with a new token, or temporarily switch
them to use a password using the “Change Token” recovery option.


Unlock a disabled user – If a user account is marked as disabled in
the object database, it can be temporarily activated using this option.
When the machine synchronizes with the Object Directory, the account
will be re-disabled if their security profile in the Directory still indicates
this.
Create Token – If supported by the token, allows administrators to
remotely create a new token for the user to replace a lost one. The
SafeBoot Password login always supports remote recreation, for
information on other tokens see the Tokens chapter in the product
administrators guide.
Change the user’s token to – Changes or resets the user’s token to
the one specified. The administrator needs to have pre-generated the
token for the user. If a user has invalidated their password account
through too many invalid attempts, changing their token to “password
only” recreates their “soft token” and allows them to enter the default
password again.

NOTE – If you change a user’s token using this method, remember that next time their
machine synchronizes with the SafeBoot directory, their token will be set to
whatever is specified in their user properties. If you want the change to be
permanent remember to set their token type in the user properties window.


Figure 14-6. User’s recovery code

The final step is to read the recovery code back to the user. The length
of this code is controlled by their token recovery key as set in the user’s
“token” properties, or in the case of a machine, the recovery key set in
the encryption properties.
The user simply enters the code line by line into the pre-boot dialog.
Each line is checksummed. Once the code has been entered, the
selected action will occur.

14.2 Online Recovery


If a user’s machine is online when they forget their password or lose
their token, simply create a new token for them in the SafeBoot
directory, and force sync their machine to make the appropriate
change.
You can reset a user’s password by simply generating a new password
token for them.


15. Trusted Applications

SafeBoot’s client has the capability on Windows NT, 2000, and XP to
restrict what applications and code users are allowed to run. Through
this mechanism you can restrict access to certain applications to only a
few users, or prevent users from running any applications that are not
pre-defined.
With this system you can apply untrusted control, for example to
prevent access to pre-defined tools such as “regedit.exe” for all but
administrators. With untrusted control, unknown applications are
allowed to run, known applications are blocked. You can also apply
trusted control where ONLY pre-defined code can run, and unknown
code is blocked. This is useful for example when you want to restrict
an entire build image so that it is impossible for users to run any
application other than the ones distributed in the “gold build”.
SafeBoot application control takes effect once a user has logged into
Windows – it does not affect code run in the context of booting the
operating system. To prevent applications and code being run at this
stage Control Break recommends appropriate operating system security
settings be used, for example disallowing device driver updates etc.

15.1 Hash Sets


The first step in applying application control to SafeBoot users is to
create sets of “hashes” for the code modules you want to apply control
to using the SafeBoot Hash Generator (see Chapter 16). A hash set
contains a unique “digital signature” for each file in the scope of the set.
This digital signature is unique to the file – no two files will ever have
the same signature. When SafeBoot applies control to applications, it
calculates the “hash” of the code (.exe file, .dll etc) that the user is
trying to run, and compares it to the list of hashes applied to the user.
The actual location of the code does not matter, only its content, so if a
user moves a restricted application to another directory, it will still be
blocked.
After creating a hash set for the files or directories containing the
sample code modules you can create a “SafeBoot Hashes Group” in the
SafeBoot database to contain them. Within the group, create new
hashes objects to contain your hash sets created previously.


Figure 15-1. Hash Group

15.2 Hash Set Properties


15.2.1 General

Hash Count


Displays the number of file hashes stored in this object. You can remove
duplicates using the “File Hashes/Compact” function.
Description
A text description of this hash set – for example its source.

15.2.2 File Hashes

Import
Allows you to import one or many hash sets created with “SafeBoot
Hash Generator” into this hash object.
Export
Saves the contents of this hash object as a hash set.
Compact
Removes duplicate entries from this hash object – As SafeBoot
Application Control is driven by the hash (or digital signature) of a file,
not its location, only one entry per file is required.
Remove


Removes a single file entry from this hash object.

NOTE: You can add entries only by importing hash files

15.3 Using Hash Sets


After creating hash sets, you can assign both hash objects, and hash
groups to users through their “application control” properties.
You can specify one of two modes of application control – “Untrusted”
and “Trusted”:-
Untrusted
In the case of untrusted control, if the hash is known then the code is
prevented from running.
Trusted
In the case of trusted control, if the code is known it is allowed to run,
whereas all unknown code is blocked.
These options can be summarized in the following table:

                                 Known Applications    Unknown Applications
Untrusted Application Control    Optionally Blocked    Allowed
Trusted Application Control      Allowed               Optionally Blocked
Table 15-1. Trusted Application Logic

You can also set whether to actually block the untrusted code, or to
simply log it for future analysis – this option (log with no blocking) is
useful when debugging hash sets which do not block appropriately.
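
The decision logic of Table 15-1, including the log-without-blocking option, written out as an added example rather than SafeBoot code. The file contents and paths are constructed, and the hash set is held as an in-memory set of MD5 digests because the HSH file layout is not described in this guide.

```python
import hashlib

UNTRUSTED = "untrusted"  # a known hash marks code that must not run
TRUSTED = "trusted"      # a known hash marks the only code that may run


def file_hash(content):
    """MD5 of the file content, the hash type the Hash Generator produces."""
    return hashlib.md5(content).hexdigest()


def build_hash_set(files):
    """files maps path -> bytes. Identical files collapse to one entry,
    which is the effect of the "Compact" function."""
    return {file_hash(data) for data in files.values()}


def decide(content, hash_set, mode, block=True):
    """Return "allow", "block" or "log" for one launch attempt."""
    known = file_hash(content) in hash_set
    violation = known if mode == UNTRUSTED else not known
    if not violation:
        return "allow"
    return "block" if block else "log"   # log = record it, let it run


def evaluate(launches, hash_set, mode, block=True):
    """launches is a list of (path, bytes); the path never affects the result."""
    return [(path, decide(data, hash_set, mode, block)) for path, data in launches]


# Constructed stand-ins for real binaries.
REGEDIT = b"MZ constructed stand-in for regedit.exe"
NOTEPAD = b"MZ constructed stand-in for notepad.exe"

RESTRICTED = build_hash_set({
    r"C:\WINDOWS\regedit.exe": REGEDIT,
    r"C:\WINDOWS\system32\dllcache\regedit.exe": REGEDIT,  # duplicate content
})
GOLD_BUILD = build_hash_set({r"C:\WINDOWS\notepad.exe": NOTEPAD})

LAUNCHES = [
    (r"C:\WINDOWS\regedit.exe", REGEDIT),
    (r"D:\temp\renamed.exe", REGEDIT),            # moved copy, same content
    (r"D:\temp\changed.exe", REGEDIT + b"\x00"),  # content differs by one byte
    (r"C:\WINDOWS\notepad.exe", NOTEPAD),
]

if __name__ == "__main__":
    for mode, hashes in ((UNTRUSTED, RESTRICTED), (TRUSTED, GOLD_BUILD)):
        for path, verdict in evaluate(LAUNCHES, hashes, mode):
            print(f"{mode:9} {verdict:5} {path}")
```

Untrusted control recognises only byte-identical copies of a listed file, so any file whose content differs is treated as unknown and allowed, while trusted control blocks it.
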


16. Hash Generator

16.1 Introduction
SafeBoot Hash Generator creates “Hash Sets” for use with the
application control feature of SafeBoot. For more information on
application control, see Chapter 16.

Figure 16-1. Hash Generator Main Screen

The generator creates MD5 hashes of the selected files and packages
them into a SafeBoot hash set (HSH file).

16.2 Using Hash Generator


After selecting the output file name, add the files (or folders) you want
to include in the hash set. Finally, click “Hash” – the specified HSH file
will be generated.


Figure 16-2. Hash Progress Screen

The progress window shows the activity. Once completed, you can
import the resultant hash set into your SafeBoot directory.


17. Common Criteria EAL4 Mode Operation

CESG in the United Kingdom has certified the following products to the
standard EAL4:
• SafeBoot 5.0 Device Encryption Client
To apply this standard to your implementation of SafeBoot, you need to
ensure the following criteria are met:-
Administrator Guidance
SafeBoot must be installed using the SafeBoot AES (FIPS) 256bit
algorithm.
1. Administrators must enforce the following Policy Settings
• A minimum password length of 5 characters or more
• Disabling of accounts after 10 or fewer invalid password attempts
• All data and operating system partitions on the machines where
SafeBoot client has been installed MUST be fully encrypted. You
can check the conformance to this issue by viewing the SafeBoot
client status window – if any drives are highlighted in red then
they are not fully encrypted.
• Administrators must enforce use of the SafeBoot Secure Screen
Saver Mode
• Use of “Autoboot Mode” is prohibited
• Machine and User recovery key sizes must be non-zero
(Machine/Encryption properties and User/Token properties)
To comply with CC regulations, these policy settings must be applied
before installing any clients.
2. There must be a system in place for maintaining secure backups that
are separately encrypted or physically protected to ensure data
security is not compromised through theft of or unauthorised access
to backup information.
3. Backups should be regular and complete to enable system recovery
in the event of loss or damage to data as a result of the actions of a
threat agent and to avoid vulnerability through being forced to use
less secure systems.


4. Users (including administrators) must protect all access credentials,
such as passwords or other authentication information in a manner
that maintains IT security objectives.
5. Customers implementing a SafeBoot enterprise must ensure that
they have in place a database of authorised TOE-users along with
user-specific authentication data for the purpose of enabling
administrative personnel to verify the identity of a user over a voice-
only telephone line before providing them with support or initiating
recovery. SafeBoot provides the means to display personal
information such as the user’s ID number as part of the “User
Information Fields” – but any other appropriate system is
acceptable.
6. Administrators should ensure their users are fully trained in the use
of the Device Encryption Client software as described in Chapter 11
of this guide, and should remind them of the security procedures
detailed in the User Guidance below.

User Guidance
1. Users must maintain the confidentiality of their logon credentials,
such as passwords and tokens
2. Users must not leave a SafeBoot protected PC unattended in a
logged on state, unless it is protected by the secure screen saver.
3. Users must be informed of the process that they need to go through
in order that they may contact their administrator in the event of
needing to recover their PC if they forget their password or their user
account becomes disabled, either through the actions of the
administrator or repeated incorrect login attempts.


17.1.1 Common Criteria EAL4 Certificate


You can find the official recognition of this certification on CESG’s website:

http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=152&id=336


17.2 Algorithm Certificate Numbers


17.2.1 AES

Cert 21 and 170 ECB(e/d; 256); CBC(e/d; 256); CFB8(e/d; 256)


http://csrc.nist.gov/cryptval/aes/aesval.html


17.2.2 SHA1

Cert 71 and 254


http://csrc.nist.gov/cryptval/shs/shaval.htm


17.2.3 DSA/DSS

DSS cert 53 and 112 Sig(ver) Mod(all)


http://csrc.nist.gov/cryptval/dss/dsaval.htm

17.2.4 RNG
Cert 15 AES, DSA, SHA, RNG on AMD Athlon XP, Windows XP SP1,
Pentium III Windows 2000
http://csrc.nist.gov/cryptval/rng/rngval.html


17.2.5 DES
Cert 145 CBC(e/d); CFB( 8 bits;e/d)
http://csrc.nist.gov/cryptval/des/desval.html


18. SafeBoot Configuration Files

SafeBoot uses many .ini files to maintain information about the
configuration of various components. Some of the more important files
are listed here.

18.1 sbgina.ini
Used by the SafeBoot Client to control the Windows logon mechanism.
SBGina.ini contains the references used to populate the user id,
password and domain boxes of a login dialog, and also the id of the “ok”
button.
The Trace option is an aid to implementing SSO to further dialogs. If this
option is set to "Yes", then information about every window that is created
during the logon process is output to the defined trace file.

[Global]
;
; This option is an aid to implementing SSO to further dialogs. If this option
; is set to "Yes", then information about every window that is created when
; a logon dialog is expected is saved to the file specified (or "LOGONWND.TXT"
; if not supplied). Note the file will always be in the SafeBoot directory.
;
Trace.LogonWindowInfo=No
Trace.FileName=LOGONWND.TXT

[Windows.NT.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.NT4.LogonDialog
Window2=MSGina.W2K.LogonDialog
Window3=MSGina.XP.LogonDialog
Window4=MSGina.WIN2003.LogonDialog
Window5=NWGina.NT.LogonDialog
Window6=NWGinaJP.NT.LogonDialog

[Windows.9x.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the Windows 9x versions of Windows (95/98/ME).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSNP.9x.LogonDialog
Window2=NWNP.9x.LogonDialog
window3=NWNPJP.9x.LogonDialog


;----------------------------------------------------------------------------
; The logon window definition sections for NT/W2K/XP
;
[MSGina.NT4.LogonDialog]
;
; The operating system version to which this section applies. You can specify
; the value of "Any" for either field (which is the default if not specified).
;
OS.MajorVersion=4
OS.MinorVersion=Any

;
; The original DLL to which this section applies. If the name is not
; specified or set to "Any", all original DLLs match. If any part of the
; four digit file version is set to "x", then all values for that
; component are matched (e.g. 4.1.0.x).
;
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x

;
; Specifies information about the window that we can use to identify it.
; For both the class and title, setting a value of "Any" will match any
; window. Starting the value with a "*" means the remainder of the value
; is treated as a substring, and hence if it occurs anywhere in the window
; title/class it is matched. Otherwise the whole value must match (case
; insensitive).
;
Window.Title=Any
Window.Class=#32770

;
; The control identifiers of controls that are used by the SSO module to
; simulate logons.
;
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1453
Dlg.CtrlId.Password=1454
Dlg.CtrlId.Domain=1455

;
; If this is set to "Yes" then the user/password fields are captured from the
; dialog box rather than using the values supplied by the original gina.
;
Option.CaptureFromDlg=No

;
; These options define how text is entered into the various fields when
; simulating a logon. Mode 0 sets the text directly into the controls, while
; mode 1 sends characters one at a time (simulating pressing keys) and mode 2
; selects from a combo box.
;
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2


; The logon window definition sections for Win9x/ME
;
[MSNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any

OrigDll.Name=MSNP32.DLL
OrigDll.FileVersion=x.x.x.x

Window.Title=Any
Window.Class=#32770

Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=21
Dlg.CtrlId.Password=23
Dlg.CtrlId.Domain=25

Option.CaptureFromDlg=No

Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=0

...

18.2 sberrors.ini
Used to increase the detail available in on-screen error messages. You
can add further descriptions to errors by amending this file.

18.3 sbhelp.ini
Used to match on-screen windows to their help file sections.

18.4 sbfeatur.ini
Controls the feature set available to SafeBoot. This file is digitally
signed by the SafeBoot team and must not be modified.

18.5 scm.ini
Configuration manager file, controls options such as which directory to
connect to, and which group to install into.
[Install]
GroupID=the ID of the group this machine will relate to
[Databases]
DatabaseID1=1
TryLastGoodFirst=Yes
LastGoodConnection=1
[Uninstall]
Sbsetup.exe=sbsetup.exe

You can specify the maximum number of lines to hold in the SCMLOG.txt
file using the following parameters. If scmlog reaches a size of beyond
10,000 lines, performance of your machine can suffer.
[Log]
MaxSize=number of KB to keep in log (128).
PurgeSize=number of KB to delete when log reaches MaxSize (16).
You can specify the pre-configuration connection behavior by setting the
following parameters:


[Defaults]
;this section defines settings that apply before the SafeBoot is
;actually active on the machine.

BootSynchDelay=0 ; delay before synching on boot in minutes
RandSynchDelay=0 ; an extra max random delay to synch in minutes
SynchInterval=0 ; time between automatically retrying synch

You can turn on tracing of the SafeBoot client with the following section.
Trace is output to SBCM.log in the same directory of the application.
[Debug]
Trace=1 ;Trace activity, 1 = on, 0 = off

You can set a message to be displayed and a timeout when an
administrator performs a remote shutdown of the client (using the
machine/Reboot menu option).

[Reboot]
Message=some text to display
Timeout=10 (seconds)

[disk]
Sbfs.defaultsize=10 ;Default size of SafeBoot.FS (in MB)
Install.clearcryptlist=1(0) ;Determines whether to clear the cryptlist
;for a drive on install, or to leave it set.

Boot.message=Starting SafeBoot %d%d ;The default starting message

[boot]
Hookflags=… ;Internal use only – do not change.

18.6 defscm.ini
You can pre-set parameters used in the SCM.ini file created within
install sets by creating a file “defscm.ini” in the Administration system
directory containing the lines and sections you want to pre-define.
defscm.ini is used as a seed to create the unique scm.ini file for the
install set.

18.7 sdmcfg.ini
Used by the SafeBoot Client to control the connection to the Object
Directory. There may be many connections listed in the file; the
multi-connection behavior is controlled through scm.ini.
[Databases]
; The IP address for the remote server. This can be a DNS name.
Database1=192.168.20.57

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
; The public key for the remote Server. This is used to stop a hacker putting
; a rogue server in place and intercepting the traffic.
ServerKey=…
; Padding for the serverkey.
ExtraInfo=…

18.8 TrivialPwds.dat
This file provides a dictionary of forbidden passwords. Simply create a
Unicode text file, with one password per line, and deploy it to the client
machines. You need to enable the user template option “no simple
passwords”.
The file needs to be deployed to the “[appdir]\SBTokens\Data” folder.

NOTE – It is more effective to restrict passwords using a template which insists on
numeric or special characters, rather than supply a long list of forbidden words.

18.9 Bootcode.ini
Bootcode.ini defines the behaviour of the SafeBoot pre-boot
environment. This file is not commonly modified by the end user as it is
a system only file. The file is stored in SafeBoot’s pre-boot environment
in the \boot directory.
[TokenSelect]
; the token type id of the last token the user selected.
Default=0x01000000
[Locale]
;
; the user selected language to use (reference a key in the [Languages] section
; of the \Locale\Locale.ini file).
;
Language=EnglishUS
;
; the user selected keyboard to use (reference a key in the [Keyboards] section
; of the \Locale\Locale.ini file).
;
Keyboard=US
[Audit]
;
; The maximum allowed audit events
;
MaxEvents=3000
;
; The number of events to remove when the maximum is reached
;
PurgeCount=300

18.10 BootManager.INI
This file controls the partition names specified when the SafeBoot Boot
Manager is enabled. The file is stored in SafeBoot’s pre-boot
environment in the \boot directory.
[Partition.Names]
Partition0=My secure partition
Partition1=My Insecure partition

18.11 SBErrors.XML
XML version of SBErrors.ini to allow Unicode translation. Device
Encryption uses SBErrors.XML in preference to SBErrors.ini if both exist.

18.12 AutoBoot.ini
Defines the default password for the $autoboot$ user(s)
[AutoBoot]
Password=12345


19. SafeBoot Program and Driver Files

19.1 EXE Files


19.1.1 SafeTech
Disaster recovery tool for SafeBoot client.

19.1.2 Setup
Setup.exe is the core executable in SafeBoot’s packaging mechanism. It
is used as an exe stub for the install package, and also handles the
de-install process. Setup takes one parameter, "-Uninstall", which prompts it
to walk through sbfiles41.lst, deleting files (or marking them for
deletion if they are in use) and reversing registry settings. Setup also
re-runs any installation executables with the -Uninstall flag to remove
programs. The order of removal is the reverse of the install, i.e. installation
executables, registry settings, then lastly files.

19.2 DLL Files


19.2.1 sbalgxx
Utility Encryption algorithm module.

19.2.2 sbgina
Windows login passthrough GINA driver for NT / 2000.
Usually SafeBoot monitors the GINA settings in the registry to ensure
that nothing removes or disables the login system. You can change the
behavior of this system by editing the SB-NoUpdateGina DWORD value in
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. The following
values can be set:
0 - SafeBoot will install and remove its GINA
1 - SafeBoot will *not* install its GINA, but will remove it.
2 - SafeBoot will *not* remove its GINA, but will install it.
3 - SafeBoot will *not* install or remove its GINA.

You can use these settings to force compatibility with other GINA
replacement login systems. If you use option 1, 2 or 3 you are responsible
for keeping the GINA chain correct, as SafeBoot will not be monitoring
some aspects of it.


19.3 SYS Files


19.3.1 SafeBoot.SYS
The core device driver for SafeBoot, handling encryption of the disk and
management functions.
You can change the way that SafeBoot calculates the disk number by
setting the following registry settings. Do NOT do this without
consulting a SafeBoot Certified System Engineer.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeBoot]
"DiskNumberMode"=dword:00000001
"DiskNumberingMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeBoot\Parameters]
"DiskNumberMode"=dword:00000001
"DiskNumberingMode"=dword:00000001

You can block the use of Safe Mode when SafeBoot is installed by
setting the following parameters. These options are included in the
“BlockSafeMode” file group option in SafeBoot DE Build 23L and above.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SafeBoot]
;Prevent Safe Mode access if SafeBoot is activated
PreventSafeMode=dword:00000001

;The warning message to display (default if not set)
;PreventSafeModeMsg=""

;The screen background color (default red)
;PreventSafeModeBkCol=dword:00000000

;The screen foreground color (default white)
;PreventSafeModeFgCol=dword:0000000f

5.01+ SafeBoot uses several sectors of the hard disk between 1 and 63
(commonly termed the “partition gap”) to store power fail information
while encryption and decryption is in progress. If you have other
applications also using these sectors, you can exclude them from the
range used by specifying registry settings as below.
For each sector you need to exclude, add a DWORD value of 1, named with
the decimal sector number, to the following registry key:
[HKLM\Software\SafeBoot International\SafeBoot\DiskManager\ExcludedSectors]
14=dword:1
15=dword:1

You can specify any number of exclusions using this method, but be
aware that at least two sectors are required, and the smaller the
number available, the slower encryption processes will run.
You can add this information to the client NTDRV.SRG registry file to
ensure it is applied on all machines at point of install.


19.3.2 SBALG.SYS
SafeBoot’s device driver crypto algorithm module.

19.3.3 SafeBoot.CSC/RSV
5.01 SafeBoot’s pre-boot sector chain for the boot loader. The
SafeBoot.csc file was renamed to SafeBoot.RSV in v5.01 for better
defrag protection.

19.3.4 SafeBoot.FS
The encrypted pre-boot environment (stored as a single file)

19.4 Other Files


19.4.1 srg files
SafeBoot registry files – these are standard regedit files which are
processed into the registry by SafeBoot, without using the Windows
regedit utility.


20. SafeTech

Figure 20-1. SafeTech 5 Main Window

SafeTech is SafeBoot’s disaster recovery and diagnostic tool. It only
needs to be used in the event of a catastrophic failure of the machine,
for example after severe hard disk corruption, virus attack, or a
complete OS failure.
SafeTech can perform the following functions:
• Decrypt the drive using information obtained from the SafeBoot
Management Center
• Start the SafeBoot Emergency Repair process
• Perform forensic analysis on encrypted data
SafeTech can only be used by trained SafeBoot staff, or after attending
a SafeBoot training course. For more information, and access to the
SafeTech Engineers Guide, please contact your SafeBoot
Representative.


21. Themes & Localization

SafeBoot Device Encryption is the most flexible product of its kind in
terms of Localization capabilities. It supports unlimited numbers of
pre-boot languages and keyboards, and offers full localized pre-boot on
screen keyboard and automatic language detection.
You can also restyle almost any aspect of the pre-boot interface, from
changing colors and graphics, to moving buttons and text on the
screen.
SafeBoot provides full localization and customization services, but for
those interested, the following information is provided to help you gain
experience of how all the components fit together. We provide
numerous languages and graphical layouts (themes) with our product;
readers are strongly advised to look to those while reading these
sections to understand how they work.
A tip to future theme designers – the Device Encryption client will
synchronize any file changes found in the [appdir]\locale and
[appdir]\graphics trees into the SafeBoot pre-boot file system on every
policy sync event, so, rather than making your changes and uploading
them to a SafeBoot Management Center, you can simply change the
files directly on a SafeBoot client and perform a sync event to load them
into the pre-boot. A successful sync is not required – only an attempt.

21.1 Themes
Device Encryption uses graphical “Themes” to control the look and feel
of the pre-boot environment. These Themes are stored as “Client File”
type file sets within the SafeBoot Object Directory. Only one theme can
be assigned to a machine at any time.
To assign a theme to a Device Encryption machine, simply enable its file
set from the “Files” tab of either the machine, or machine group
properties.
Themes are comprised of the following components:

File or Directory   Description

Graphics            Master definition file for the graphical theme. This file
Graphics.ini        dictates the overall look of the theme, the button and
                    window positions, and the various graphical elements
                    which are used for each resolution. The
ENGLISH             English language font files
640x480             Images for 640x480 resolution
800x600             Images for 800x600 resolution
1024x768            Images for 1024x768 resolution
Shared              Shared images used in all modes
Locale              Language Translations. This file sets all the options re
Locale.ini          various language and keyboard support options. The
                    options in Locale.ini determine which font sets from
                    Graphics.ini are used.
Table 21-1. Theme Overview

For information about the parameters in the Graphics.ini and Locale.ini
files, see the example theme which has fully commented versions.

21.2 Keyboards
21.2.1 Physical Keyboard Layouts
Device Encryption 5 supports many physical keyboard layouts, and also
supports automatic detection of the Windows keyboard layout in an
attempt to choose the most appropriate pre-boot layout.
Having the correct layout selected pre-boot is essential when
authenticating. For example, imagine the user has the French keyboard
enabled in Windows, but has the USA keyboard enabled in Device
Encryption Pre-Boot.
Row 2 of the French keyboard begins “azerty…” whereas row 2 of a USA
keyboard begins “qwerty…” – so if the user's password contains either
“a” or “z”, then they will not be able to press the same keys in pre-boot
to authenticate.
Defining and adding layouts to the SafeBoot PBA
Device Encryption 5 can support an unlimited number of different
keyboard layouts. To define which layouts are available, usually you
simply need to select the appropriate file group for a machine and the
layout will be added.


The PBA determines which layouts are installed by considering the
Locale\Locale.ini file in the pre-boot environment. This file is
synchronised along with the entire [app-dir]\locale directory each time
the machine performs a sync operation.
An example keyboard layout is defined as follows in Locale.ini (the
description of each node is given as a comment above it):

;Norwegian Stub
;B5100

[Settings]
; Defines the default keyboard if no mapping in [LanguageIDMap] can be
; determined.
DefaultKeyboard=0414

[Keyboards]
; Defines the list of possible keyboards. In this example, two keyboards are
; defined (0414 and 043B), which are described in the sections Keyboard.0414
; and Keyboard.043B. The definition names and section names are arbitrary,
; but we recommend you use the actual keyboard ID for consistency.
0414=Keyboard.0414
043B=Keyboard.043B

[Keyboard.0414]
; This is a keyboard definition section. It describes the name of the
; keyboard (displayed in the selection list), the map file to use (stored in
; \Locale), and the on-screen keyboard file to use (again, stored in \Locale).
;
; Instead of using the "name" tag, you can use NameW, which takes a comma
; separated list of hex char codes, for example:
;   NameW=32,54,23,6A,43DF
; With NameW you can display Unicode chars, which are useful when defining
; double-byte languages.
name=Norwegian
mapfile=0414_E.MAP
OSK=0414_OSK.XML

[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML

[LanguageIDMap]
; This section describes how the client should attempt to map the selected
; Windows keyboard to the pre-boot keyboards.
; 0414.Keyboard=0414 indicates that if Windows is using a keyboard with the
; ID 0414, SafeBoot should use the keyboard described in [Keyboards] under
; the definition name 0414.
0414.Keyboard=0414
043B.Keyboard=043B

Table 21-2. Keyboard definition in Locale.ini

Normally Language and keyboard layouts are defined within the
SafeBoot Database, and each language has a locale.ini file configured as
a “Merge Ini”. This system enables administrators to add and remove
languages without having to define the exact set prior to distribution. As
all keyboards and Languages are defined in the same Locale.ini file,
without merge INIs you would have to create a locale.ini file describing
the exact combination of keyboards and locales prior to sending it to a
Device Encryption client.
For examples of how to define a Locale.ini, see one of the supplied
languages stored in the SafeBoot Management Center install directory
\Languages tree.

21.2.2 Creating your own Keyboard Layout


Keyboard layouts are compiled from a source text file with the following
structure:
Name=the keyboard name
Flags=keyboard flags
Scancode=Unicode char number, mask, keystate…
For example:
flags=0x8000007C
NAME=Norwegian with Sami

;----
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
0x02=0x0000,0x009F,0x0089 ;-altgrcaps
0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps
The keyboard map source file is comprised of the following components:

Node             Description

flags            Operational flags which control the behaviour of this
                 keyboard map. Defined flags include:
                 0x00000001 Caps is Shift
                 0x00000002 Shift unsets Caps
                 0x00000004 Acute
                 0x00000008 Grave
                 0x00000010 Circumflex
                 0x00000020 Umlaut (Diaeresis)
                 0x00000040 Tilde
                 0x00000080 Caron
                 0x00000100 Apostrophe
                 0x00000200 Cedilla
                 0x00000400 Breve
                 0x00000800 Ogonek
                 0x00001000 Dotabove
                 0x00002000 DoubleAcute
                 0x00004000 Degree
                 0x00008000 Tonos
                 0x00010000 Middle Dot
                 0x00020000 Low Nine
                 0x00040000 Dialytika
                 0x00080000 Quotation
                 0x00100000 Polish Programmers Tilde
                 0x00200000 Ring Above
                 0x00400000 Macron
                 0x80000000 Extended Mode (should always be enabled)

Name             The keyboard name

Key definitions  Each key (scan code) behaviour is defined in a number of
                 entries which state the Unicode character which should be
                 produced. Each key may have many states (normal, shifted,
                 caps etc) so there may be multiple entries per key.
                 The possible states are defined with a mask (which keys to
                 consider) and a state (the key state itself).
                 The possible keys you can use in the mask and keystate are:
                 RIGHT_ALT_PRESSED  0x0001
                 LEFT_ALT_PRESSED   0x0002
                 RIGHT_CTRL_PRESSED 0x0004
                 LEFT_CTRL_PRESSED  0x0008
                 SHIFT_PRESSED      0x0010
                 NUMLOCK_ON         0x0020
                 SCROLLLOCK_ON      0x0040
                 CAPSLOCK_ON        0x0080
                 ENHANCED_KEY       0x0100
                 So as an example, to define key 2 (the number 1 key on a
                 USA keyboard) you would add an entry for scan code 0x02
                 (the scan code of this key) followed by a number of
                 possible key states.

                 0x02=0x0031,0x009F,0x0000

                 Would define the number 1 key to display the char “1” in
                 the situation that none (keystate of 0x000) of the
                 modifiers capslock, shift, left-alt, right-ctrl, left-ctrl
                 and right-alt (0x09F) is pressed.

                 To define the behaviour of this key when shift alone is
                 pressed we use the following line:

                 0x02=0x0021,0x009F,0x0010

                 As above, if key 2 is pressed, create a quotation mark
                 (Unicode char 21) if shift (0x0010) is pressed out of the
                 combination of capslock, shift, left-alt, right-ctrl,
                 left-ctrl and right-alt (0x09F).

                 Of course, in both the cases above, the keys not
                 considered in the keystate must not be pressed.

                 The Mask defines which keys to consider, and the keystate
                 defines the state of each of those keys.
Table 21-3. Keyboard map source file

If you wish to create a custom keyboard map, you will need to have it
compiled by SafeBoot before it can be used.
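
The mask/keystate matching described in Table 21-3, as an added Python example (not SafeBoot code, and it reads the source text, not the compiled map): it parses the guide's sample entries, resolves a scan code plus modifier state to a character, and lists the characters of a password that the layout cannot produce. The function names are hypothetical; treating char code 0x0000 as "no character" and using the first matching entry are assumptions.

```python
# Modifier bits used in the mask and keystate fields (values from Table 21-3).
RIGHT_ALT, LEFT_ALT, RIGHT_CTRL, LEFT_CTRL = 0x0001, 0x0002, 0x0004, 0x0008
SHIFT, NUMLOCK, SCROLLLOCK, CAPSLOCK, ENHANCED = 0x0010, 0x0020, 0x0040, 0x0080, 0x0100

# Source text copied from the guide's "Norwegian with Sami" sample.
SAMPLE_MAP = """\
flags=0x8000007C
NAME=Norwegian with Sami

;----
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
0x02=0x0000,0x009F,0x0089 ;-altgrcaps
0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps
"""


def parse_keymap(text):
    """Return (name, flags, entries); entries maps scan code -> [(char, mask, state)]."""
    name, flags, entries = None, 0, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value")
        key = key.strip().lower()
        if key == "name":
            name = value.strip()
        elif key == "flags":
            flags = int(value, 16)
        else:
            fields = [int(field, 16) for field in value.split(",")]
            if len(fields) != 3:
                raise ValueError(f"line {lineno}: expected char,mask,keystate")
            char, mask, state = fields
            if state & ~mask:
                # A keystate bit that the mask does not consider can never match.
                raise ValueError(f"line {lineno}: keystate 0x{state:04X} outside mask")
            entries.setdefault(int(key, 16), []).append((char, mask, state))
    return name, flags, entries


def lookup(entries, scancode, modifiers):
    """Return the character for a key press, or None if the map produces nothing."""
    for char, mask, state in entries.get(scancode, []):
        # Only modifiers named in the mask are compared; the rest are ignored.
        if (modifiers & mask) == state:
            return chr(char) if char else None  # assumption: 0x0000 = no output
    return None


def untypeable_chars(entries, text):
    """Return the characters of text that no key/modifier state in the map produces."""
    producible = {chr(c) for rows in entries.values() for c, _, _ in rows if c}
    return [ch for ch in dict.fromkeys(text) if ch not in producible]
```

Running `untypeable_chars` over a candidate password for each deployed pre-boot layout shows, before a user is locked out, which characters cannot be entered at the pre-boot logon.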

21.2.3 On Screen Keyboards


On-screen keyboards provide a visual representation of the physical
keyboard. Each keyboard map can be defined to provide either its own
OSK, or the system default OSK (US English). The symbols on each key
can be defined for the normal, alt, altgr, shift, caps, and ctrl states, and
also any combination of states.


OSKs are defined in SafeBoot pre-boot using an XML file which controls
the layout (key spacing, number of rows etc), and the display char for
each key. The OSK file (keyboardID_OSK.XML) is usually stored in the
SBFS\Locale directory.
There can be many OSKs installed, and each physical keyboard map can
choose one of the installed OSKs to display on request.
Administrators can choose to always display an OSK for the user by
selecting the “always display on-screen keyboard” option of the
Machine/General properties.

NOTE: Though the OSK displays the character for each possible state, the OSK sends the
scan code and modifier (shift/alt etc) to the selected keyboard driver for
conversion, so the actual character printed will be a result of the keyboard driver,
NOT necessarily the one displayed on the OSK.

A sample OSK keyboard could be defined as follows:

<?xml version="1.0" encoding="UTF-16"?>
<keyboard>
  <options col="lightgray" button_col="lightgray"
           border_col="black" txt_col="black"
           font="System"
           down_col="blue" button_style="square"
           border_width="3">
  </options>
  <layout id="English (US)">
    <row>
      <key id="18" obey-caps="true" scancode="0x11">
        <default display="w" />
        <shifted display="W" />
        <caps display="W" />
        <alt_gr display="GR" />
        <text state="alt+shift" display="AS" />
        <text state="alt+shift+ctrl" display="ASC" />
        <text state="shift+ctrl" display="SC" />
        <text state="caps+shift" display="PS" />
        <text state="altgr+ctrl" display="GC" />
      </key>
      <key id="19" obey-caps="false" scancode="0x056">
      </key>
    </row>
    <row>
    </row>
  </layout>
</keyboard>

The following nodes should be considered:

Node             Description

Options/font     The name of the font used by this OSK. This should be
                 defined in graphics.ini and needs to be an OnTime Binary
                 font
Layout ID        The name of this OSK layout – displayed in the title bar
                 of the OSK
Key/ID           A decimal representation of the key – usually the decimal
                 scan code ID
Key/Obey-Caps    If this key is subject to any caps state switching, this
                 should be set to true.
Key/Scancode     The Scancode produced by this key
Key/default      The default display char
Key/shifted      The shifted display char
Key/caps         The caps lock state char
Key/alt_gr       The alt_gr state char
Key/text/state   The combination states for this key – The text/state
                 attribute takes precedence over the key/default key/shift
                 etc states. You can specify single states, for example
                 Text state="shift" display="Q"
                 Or combination states, for example
                 Text state="shift+altgr" display="%"
                 For any key to consider any caps behaviour, the
                 key/obey_caps needs to be true.
Table 21-4. On Screen Keyboard Source

To set which OSK is displayed per keyboard map, add an “OSK=” tag to
the keyboard definition in locale.ini, for example:
[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML

Node             Description

Name             The display name of the Keyboard
Mapfile          The name of the map file to use to map the key presses to
                 chars
OSK              The name of the OSK file to display
Table 21-5. On Screen Keyboard Definition

21.3 Pre-Boot Language


Device Encryption 5 supports many languages, and also supports
automatic detection of the Windows Language in an attempt to choose
the most appropriate pre-boot language.
The selectable languages are defined in the SBFS Locale\Locale.ini file,
for example:
(The description of each node is given as a comment above it.)

;Chinese Stub
;B5100

[Settings]
; The default language to use if no mapping is found in the [LanguageIDMap]
; section.
DefaultLanguage=0804

[Languages]
; The defined languages – both the definition name and section name are
; arbitrary.
0804=Lang.0804
0404=Lang.0404

[LanguageIDMap]
; The Windows language to SafeBoot pre-boot language map.
; For example, if Windows is using the Locale 0404, then the pre-boot should
; use the definition 0404 for its language.
; Both the major and minor language can be checked, so in this example both
; Windows languages 0804 and 0004 use the SafeBoot pre-boot definition
; section 0804. If the primary variant for example 0F04 is found in Windows,
; then 0004 will be used in SafeBoot.
0804.Language=0804
0404.Language=0404
0004.Language=0804
0C04.Language=0404
0404.Keyboard=0404
0804.Keyboard=0804

[Lang.0804]
; This section defines a language.
; The Name tag is the name displayed in the pre-boot selection list. You can
; supply a NameW tag instead, which takes a comma separated list of char
; codes. This enables you to set a Unicode name for the list.
; The ID describes the Locale ID; this should be the ANSI recognised ID for
; this language.
; The StringFile describes the actual compiled definition file to use
; (stored in \locale).
; The FontSection describes the section in Graphics.ini which contains the
; fonts to be used for this particular language. Each language can use its
; own fonts, or can use fonts shared by other languages.
;Name=Chinese Simplified (PRC)
NameW=,0020,0050,0052,0043,0029
ID=0804
StringFile=0804.STR
FontSection=Fonts.SuperFont

Table 21-6. Pre-Boot Language Definition

21.3.1 Creating your own Language file


Device Encryption Language files are created from a Unicode master
which describes the text to display for each defined pre-boot message,
for example:
Name=Chinese (Simplified)
ID=0804

1=确定
2=取消
3=SafeBoot
4=是
5=否
50=请插入一张引导用的软盘或者按取消从硬盘引导。
100=SafeBoot登录
101=用户名:
102=密码:
103=修改密码
51=您不允许从软盘引导,系统将从硬盘引导。

You can obtain a pre-boot English master text file from your SafeBoot
distributor. Once translated, the file needs to be compiled by SafeBoot.
Normally Language and keyboard layouts are defined within the
SafeBoot Database, and each language has a locale.ini file configured as
a “Merge Ini”. This system enables administrators to add and remove
languages without having to define the exact set prior to distribution. As
all keyboards and Languages are defined in the same Locale.ini file,
without merge INIs you would have to create a locale.ini file describing
the exact combination of keyboards and locales prior to sending it to a
Device Encryption client.


For examples of how to define a Locale.ini, see one of the supplied
languages stored in the SafeBoot Management Center install directory
\Languages tree.

21.4 Pre Boot Token Descriptions


You can localise the token names used in Device Encryption by
adding an XML definition file to the [appdir]\SBTokens\Languages
directory. The client searches for resources in the following order:
1. The [appdir]\SBTokens\Languages\LanguageID directory
2. The [appdir]\SBTokens\Languages\LanguageMajor directory
3. The [appdir]\SBTokens\Languages directory
For example, on a US English system (Language ID 0409) Device
Encryption will look for token resources in
[appdir]\SBTokens\Languages\0409, then [appdir]\SBTokens\Languages\0009,
then [appdir]\SBTokens\Languages.
The definition file for each token is described in an XML file with the
name “Token_tokenID.xml” as follows (the description of each node is
given as a comment above it):

<SbTokenInformation>
  <!-- The ID of the Token - you can find this from the "Tokens" section
       of this guide. -->
  <Token type="xxxxxxxx">
    <!-- The text to display in the login box -->
    <PromptName>prompt text</PromptName>
    <!-- The text to display in the list of tokens -->
    <ListName>list text</ListName>
  </Token>
</SbTokenInformation>

Table 21-7. Token Translation File

21.5 Windows Languages


Device Encryption 5 uses resource DLLs and other files to convert its
Windows components to display in alternate languages.
The client searches for resources in the following order:
1. Looks to the [appdir]\Languages\LanguageID directory
2. Looks to the [appdir]\Languages\LanguageMajor directory
3. Looks to the [appdir]\Languages directory
4. Looks to the [appdir] directory and uses built in resources
For example, on a US English system (Language ID 0409) Device
Encryption will look for resources in [appdir]\Languages\0409, then
[appdir]\Languages\0009, then [appdir]\Languages, then [appdir].
The following components are supported for localisation:
• DLL resources (Windows resources)
• SBErrors.XML (Unicode Error code descriptions)
• SBErrors.INI (ASCII Error code descriptions)
• SBClient.CHM (Help file)
• SBHelp.INI (Help file index)


22. Troubleshooting PCs

For the latest information on SafeBoot issues, patches and information
please see our web site – www.safeboot.com. We maintain several
sections with the latest tips from our implementation teams, and any
suggested changes and updates. You can also subscribe to an update
list which uses e-mail to keep you informed of any significant issues.

Figure 22-1. SafeBoot Website


23. Error Messages

Please see the file sberrors.ini for more details of these error messages.
You can also find more information on error messages on our web site,
www.safeboot.com.

23.1 Module codes


The following codes can be used to identify from which SafeBoot module
the error message was generated.

Error Code  Module

1c00        IPC
5501        SBHTTP Page Errors
5502        SBHTTP User Web Recovery
5c00        SBCOM Protocol
5c02        SBCOM Crypto
a100        ALG
c100        Scripting
db00        Database Misc
db01        Database Objects
db02        Database Attributes
e000        SafeBoot General
e001        SafeBoot Tokens
e002        SafeBoot Disk
e003        SafeBoot SBFS
e004        SafeBoot BootCode
e005        SafeBoot Client
e006        SafeBoot Algorithms
e007        SafeBoot Users
e010        SafeBoot Keys
e011        SafeBoot File
e012        SafeBoot Licenses
e013        SafeBoot Installer
e014        SafeBoot Hashes
e015        SafeBoot App Control
e016        SafeBoot Admin
Table 23-1. Module Error Codes

23.2 1C000 IPC Errors


Code        Message and Description

[1c000001]  Timeout during IPC
[1c000002]  IPC terminated
[1c000003]  Unable to initialise IPC
[1c000004]  Unknown or unsupported function
[1c000005]  Request to send data that is too big
[1c000006]  Timeout sending data
[1c000007]  Timeout waiting for reply
[1c000008]  Out of memory
Table 23-2. IPC Errors

23.3 5C00 Communications Protocol


Code        Message and Description

[5c000000]  Unsupported version
            The server and client are not talking the same
            communications protocol version
[5c000005]  Out of memory
[5c000008]  A corrupt or unexpected message was received
[5c000009]  Unable to load the Windows TCP/IP library (WSOCK32.DLL)
            Check that the TCP/IP protocol is installed
[5c00000a]  Communications library not initialised
            This is an internal programmatic error
[5c00000c]  Unable to create TCP/IP socket
[5c00000d]  Failed while listening on a TCP/IP socket
[5c00000e]  Unable to convert a host name to an IP address
            Check the host file or the DNS settings
[5c00000f]  Failed to connect to the remote computer
            The computer may not be listening or it is too busy to
            accept connections
[5c000010]  Failed while accepting a new TCP/IP connection
[5c000011]  Failed while receiving communications data
            The remote computer may have reset the connection
[5c000012]  Failed while sending communications data
[5c000013]  Invalid communications configuration
[5c000014]  Invalid context handle
[5c000015]  A connection has already been established
[5c000016]  No connection has been established
[5c000017]  Request for an unknown function has been received
[5c000018]  Unsupported or corrupt compressed data received
[5c000019]  Data block is too big
[5c00001a]  Data of an unexpected length has been received
[5c00001b]  Message too big to be received
            This may occur if an attempt is made to import large
            amounts of data into the database (e.g. a file)
[5c00001c]  Unable to create thread mute
[5c00001d]  Message too big to be sent
            This may occur if an attempt is made to import large
            amounts of data into the database (e.g. a file)
[5c00001e]  Wrong SafeBoot Communications Protocol Version
            You are most likely trying to connect to a v4 SafeBoot
            Server using a v5 Server definition with server
            authentication enabled.
            Check that you do not have both v4 and v5 servers running
            (perhaps as a service) at the same time.
Table 23-3. Protocol Errors

23.4 5C02 Communications Cryptographic


Code Message and Description

[5c020000] The Diffie-Hellman data is invalid or corrupt


[5c020001] An unsupported encryption algorithm has been requested
[5c020002] An unsupported authentication algorithm has been
requested
[5c020003] Unable to sign data
[5c020004] Authentication signature is not valid
[5c020005] Authentication parameters are invalid or corrupt
[5c020006] Failed while generating DSA parameters
[5c020007] No session key has been generated
[5c020008] Unable to authenticate user
[5c020009] Session key too big
Table 23-4. Crypto Errors

23.5 A100 Algorithm Errors


Code Message and Description

[a1000000] Not enough memory


[a1000001] Unknown or unsupported function
[a1000002] Invalid handle
[a1000003] Encryption key is too big

[a1000004] Encryption key is too small


[a1000005] Unsupported encryption mode
[a1000006] Invalid memory address
[a1000007] Invalid key data
Table 23-5. Algorithm Errors

23.6 DB00 Database Errors


Code Message and Description

[db000000] Out of memory


[db000001] More data is available
[db000002] The database has not been created or initialised yet
Check the database path or create a new database. To
force the new database wizard to be run, delete the
SDMCFG.INI file and restart the administration program.
[db000003] Invalid context handle
[db000004] The name was not found in the database
[db000005] Authentication was not successful.
Check that you have the correct token for this database
[db000006] Unknown database
[db000007] Invalid database type
[db000008] The database could not be found. Check the database path
settings
[db000009] Database already exists.
Choose a different database path
[db00000a] Unable to create the database
Check the path settings and make sure you have write
access to the directory
[db00000b] Invalid database handle
[db00000c] The database is currently in use by another entity
You can not delete a database while someone is using it
[db00000d] Unable to initialise the database
[db00000e] User aborted
[db00000f] Memory access violation
[db000010] Invalid string
[db000011] No default group has been defined
[db000012] The group could not be found

[db000013] File not found


[db000014] Unable to read file
[db000015] Unable to create file
[db000016] Unable to write to file
[db000017] File corrupt
[db000018] Invalid function
[db000019] Unable to create mutex
[db00001a] Invalid license
The license has been modified so that the signature is now
invalid
[db00001b] License has expired
[db00001c] The license is not for this database
Check the database ID and ensure it is the same as the one
specified in the license. Each time you create a new
database, a different ID is generated. There is no way to
change the ID of a database.
[db00001d] You do not have permission to access the object
[db00001e] SafeBoot is currently busy with another task. Please wait
for it to complete and try again.
This usually means that your hard disks are in the process
of being encrypted or decrypted. You can check the current
SafeBoot status from the right-click menu of the SafeBoot
task bar icon.
[db00001f] SafeBoot is still installed on this machine
[db000020] Buffer too small
[db000021] The requested function is not supported
[db000022] Unable to update the boot sector
The disk may be in use by another application or Explorer
itself. The disk may be protected by an anti-virus program.
Table 23-6. Database Errors

23.7 DB01 Database Objects


Code Message and Description

[db010000] The object is locked
Someone else is currently updating the same object
[db010001] Unable to get the object ID
[db010002] Unable to change the object's access mode
Someone else may be accessing the object at the same
time. If you are trying to write to the object while someone
else has the object open for reading, you will not be able to
change to write mode.
[db010003] Object is in wrong access mode
[db010004] Unable to create the object in the database
The disk may be full or write protected
[db010005] Operation not allowed on the object type
[db010006] Insufficient privilege level
You do not have the access rights required to access the
object.
[db010007] The object status is disabled
This is usually associated with User objects. Disabling the
user's object prevents them logging on until their account is
re-enabled.
[db010008] The object already exists
[db01000f] The object is in use
[db010010] Object not found
The object has been deleted from the database
[db010011] License has been exceeded for this object type
Check that your licenses are still valid and if not obtain
further licenses if necessary
Table 23-7. Database Object Errors

23.8 DB02 Database Attributes


Code Message and Description

[db020000] Attribute not found


[db020001] Unable to update attribute
[db020002] Unable to get attribute data
[db020003] Invalid offset into attribute data
[db020004] Unable to delete attribute
[db020005] Incorrect attribute length
[db020006] Attribute data required
Table 23-8. Attribute Errors

23.9 E000 SafeBoot General


Code Message and Description

[e0000000] User aborted


[e0000001] Insufficient memory
[e0000002] Invalid date/time
Table 23-9. General Errors

23.10 E001 Tokens


Code Message and Description

[e0010000] General token error


[e0010001] Token not logged on
[e0010002] Token authentication parameters are incorrect
[e0010003] Unsupported token type
[e0010004] Token is corrupt
[e0010005] The token is invalidated due to too many invalid logon
attempts
[e0010006] Too many incorrect authentication attempts
[e0010007] Token recovery key incorrect
[e0010010] The password is too small
[e0010011] The password is too large

[e0010012] The password has already been used before. Please choose
a new one.
[e0010013] The password content is invalid
[e0010014] The password has expired
[e0010015] The password is the default and must be changed.
[e0010016] Password change is disabled
[e0010017] Password entry is disabled
[e0010020] Unknown user
[e0010021] Incorrect user key
[e0010022] The token is not the correct one for the user
[e0010023] Unsupported user configuration item
[e0010024] The user has been invalidated
[e0010025] The user is not active
[e0010026] The user is disabled
[e0010027] Logon for this user is not allowed at this time
[e0010028] No recovery key is available for the user
[e0010030] The algorithm required for the token is not available
[e0010040] Unknown token type
[e0010041] Unable to open token module
[e0010042] Unable to read token module
[e0010043] Unable to write token module
[e0010044] Token file not found
[e0010045] Token type not present
[e0010046] Token system class is not available
[e0018000] Sony Puppy requires fingerprint
[e0018001] Sony Puppy requires password
[e0018002] Sony Puppy not trained
Table 23-10. Token Errors

23.11 E002 SafeBoot Disk


Code Message and Description

[e0000002] Invalid date/time


[e0020000] No more data is available
[e0020001] No more data is available
[e0020002] Unsupported disk driver function
[e0020003] Invalid disk driver request
[e0020004] Disk request buffer too small
[e0020005] Unsupported encryption algorithm
[e0020006] Unknown disk number
[e0020007] Error reading disk sector
[e0020008] Error writing disk sector
[e0020009] Unable to get disk partition information
[e002000a] SafeBoot disk information not present
[e002000b] Not enough space for the SafeBoot disk information
[e002000c] The SafeBoot disk information is invalid
[e002000d] Sector not valid for SafeBoot disk information use
[e002000e] Sector chain is invalid
[e002000f] Sector chain type incorrect
[e0020010] Sector chain sequence number incorrect
[e0020011] Sector chain checksum invalid
[e0020012] Crypt state information too big for available space
[e0020013] Crypt list full
[e0020014] Crypt range too big.
[e0020015] Attempt to crypt while in power fail state not allowed
[e0020016] Attempt to crypt in-progress I/O
[e0020017] Error communicating with SafeBoot disk driver
[e0020018] SafeBoot disk driver not present
[e0020019] Unsupported disk driver version

[e002001a] No encryption key has been set


[e002001b] Unable to find the system boot disk
[e002001c] Unknown message slot
[e002001d] Message slot data too large
[e002001e] Unable to lock floppy disk driver for access
[e002001f] Unable to access floppy disk
[e0020020] The boot disk type is not supported
[e0020021] Access to driver not permitted
Table 23-11. Disk Errors

23.12 E003 SafeBoot SBFS


Code Message and Description

[e0030001] The SafeBoot File System is already mounted


[e0030002] Unable to mount the SafeBoot File System
[e0030003] Unable to unmount the SafeBoot File System
[e0030004] The SafeBoot File System is not mounted
[e0030005] Error reading SafeBoot File System sector
[e0030006] Error writing SafeBoot File System sector
[e0030007] SafeBoot File System too fragmented
[e0030008] SafeBoot File System size invalid
[e0030009] Error creating SafeBoot File System host file
[e003000a] Error reading SafeBoot File System host file
[e003000b] Error writing SafeBoot File System host file
[e003000c] Error setting SafeBoot File System host file pointer
[e003000d] Unable to locate sectors corresponding to the SafeBoot File
System host file
[e003000e] No host driver found for the SafeBoot File System
Table 23-12. SBFS Errors

23.13 E004 Boot Code Image


Code Message and Description

[e0040001] Unable to open boot code image file


[e0040002] Error reading boot code image file
[e0040003] Boot code image file too big
[e0040004] Error creating boot code image host file
[e0040005] Error reading boot code image host file
[e0040006] Error writing boot code image host file
[e0040007] Error setting boot code image host file pointer
[e0040008] Unable to locate boot code image host file sectors
[e0040009] No host driver found for boot code image file
[e004000a] Unhandled instruction
[e004000b] Invalid instruction
[e004000c] Protected mode General Protection Fault
Table 23-13. SBFS Errors

23.14 E005 Client


Code Message and Description
[e0050001] SafeBoot Client not activated
[e0050002] The SafeBoot Client is already activated
[e0050003] The SafeBoot Client activation is already in progress
[e0050004] The wrong version of the SafeBoot Client is currently active
[e0050005] Unable to save original MBR
[e0050006] Disk Manager not open
[e0050007] Unable to load MBR copy
[e0050008] Unable to load the SafeBoot MBR
[e005000a] Too many work items to perform encryption.
[e005000b] SafeBoot MBR invalid
[e005000c] SafeBoot Client sync failed to start

[e005000d] SafeBoot Client sync already in progress
[e005000e] Key not available to the SafeBoot Client
[e005000f] The recovery key is incorrect
[e0050010] Failed to start cryption
[e0050011] Cryption already in progress
[e0050012] The hard disk key is incorrect
[e0050013] The machine configuration is corrupt or invalid
[e0050014] Unable to load string data
[e0050015] String data is invalid
[e0050016] Incorrect user logon
[e0050017] The isolation period has expired
[e0050018] A possible virus has been detected
[e0050019] Recovery data is invalid
[e005001a] Recovery file version unsupported
[e005001b] Invalid recovery command
[e005001c] Invalid recovery type
[e005001d] Recovery data not found
[e005001d] Client not initialized for emergency boot
[e0050020] Unable to open the client data store
[e0050021] The client data store is not open
[e0050022] The client data store already exists
[e0050023] Error creating client data store
[e0050024] Unable to create client data store directory
[e0050025] Client data store in use
[e0050026] Unable to delete client data store
[e0050027] The client data store is corrupt
[e0050028] Unsupported client data store version
[e0050030] Client data store object not found

[e0050031] Client data store object not open
[e0050032] Client data store object not exclusive
[e0050033] Client data store object ID invalid
[e0050034] Client data store object ID already exists
[e0050035] Unable to create client data store object directory
[e0050036] Client data store object name already exists
[e0050037] Unable to read client data store object name
[e0050038] Unable to write client data store object name
[e0050040] Unable to remove client data store object
[e0050041] Client data store attribute not found
[e0050042] Client data store attribute not open
[e0050043] Unable to open client data store attribute
[e0050044] Unable to create client data store attribute
[e0050045] Unable to read client data store attribute
[e0050046] Unable to write data store attribute
[e0050047] Client data store attribute version incorrect
[e0050048] Client data store attribute corrupt
[e0050049] Invalid size of client data store attribute
[e005004a] Access denied to client data store attribute
[e0050060] Upgrade of client is not possible
[e0050061] Upgrade old SbFs is invalid
[e0050062] Upgrade old SbFs not found
[e0050063] Upgrade old SbFs drive not found
[e0050064] Upgrade, unable to read old SbFs
[e0050065] Upgrade, old machine configuration invalid
[e0050066] Upgrade, invalid user data.
[e0050067] Upgrade, user directory version invalid
[e0050068] Upgrade, invalid user directory

[e0050069] Upgrade, unable to get original MBR
[e005006a] Upgrade, unable to get audit data
Table 23-14. Client Errors

23.15 E006 Algorithms


Code Message and Description

[e0060001] Unknown encryption algorithm


[e0060002] Unable to install pre-boot encryption algorithm module
[e0060003] Error relocating 16-bit encryption algorithm code
[e0060004] Error initializing 16-bit encryption algorithm module
[e0060005] 16-bit encryption algorithm module invalid
Table 23-15. Algorithm Errors

23.16 E007 Readers


Code Message and Description

[e0070001] Unknown reader type


[e0070002] Unable to open reader module
[e0070003] Unable to read reader module
[e0070004] Unable to write reader module
[e0070005] Reader failure
[e0070006] Unable to create reader context
[e0070007] Invalid reader parameter
[e0070008] Reader not present
[e0070009] Reader timeout
[e007000a] Reader sharing violation
[e007000b] Token not present in reader
[e007000c] Reader protocol mismatch
[e007000d] Reader communications error
[e007000e] Token not powered in reader

[e007000f] Token not reset in reader


[e0070010] Token removed from reader
Table 23-16. Reader Errors

23.17 E008 Users

Code Message and Description

[e0080001] User configuration invalid or corrupt


[e0080002] User information field index invalid
[e0080003] User has no hard disk encryption key
Table 23-17. User Errors

23.18 E010 Keys


Code Message and Description

[e0100001] Encryption key too big


[e0100002] Encryption key size invalid
Table 23-18. Keys Errors

23.19 E011 Files


Code Message and Description

[e0110001] Unable to create file


[e0110002] Unable to open file
[e0110003] Error reading file
[e0110004] Error writing file
[e0110005] Error setting file pointer
[e0110006] Error getting file size
Table 23-19. Files Errors

23.20 E012 Licences


Code Message and Description

[e0120001] License invalid

[e0120002] License expired


[e0120003] License is not for this database
[e0120004] License count exceeded
Table 23-20. Licences Errors

23.21 E013 Installer


Code Message and Description

[e0130002] No installer executable stub found


[e0130003] Unable to read installer executable stub
[e0130004] Unable to create file
[e0130005] Error writing file
[e0130006] Error opening file
[e0130007] Error reading file
[e0130008] Installer file invalid
[e0130009] No more files to install
[e013000a] Install archive block data too large
[e013000b] Install archive data not found
[e013000c] Install archive decompression failed
[e013000d] Unsupported installer archive compression type
[e013000e] Installation error
[e013000f] Unable to create temporary directory
[e0130010] Error registering module
Table 23-21. Installer Errors

23.22 E014 Hashes


Code Message and Description

[e0140001] Insufficient memory


[e0140002] Error opening hashes file
[e0140003] Error reading hashes file
[e0140004] Hashes file invalid

[e0140005] Unable to create hashes file


[e0140006] Error writing hashes file
[e0140007] Hashes file is not open
[e0140008] Hashes file data invalid
[e0140009] Hashes file data too big
[e014000a] User aborted
Table 23-22. Hashes Errors

23.23 E015 Application Control


Code Message and Description

[e0150001] Insufficient memory


[e0150002] Application control invalid parameter
[e0150003] Error communicating with application control driver
[e0150004] Application control driver not installed
[e0150005] Error opening application control log file
[e0150006] Invalid hashes object list
Table 23-23. Application Control Errors

23.24 E016 Administration Center


Code Message and Description

[e0160001] Invalid plugin information


Table 23-24. Management Center Errors

23.25 xxH: BIOS


If SafeBoot’s boot loader detects a hardware error from the BIOS, it
reports the standard error code in the format “SafeBoot ?? Error code
H??”
The following list of codes may be reported:
Code Message and Description

01H Invalid function call

02H Address mark not found

03H Disk is write protected

04H Sector not found

05H Reset failed (hard disk)

06H Diskette has been changed

07H Drive parameter activity failed (hard disk)

08H DMA overrun

09H DMA attempted across 64K boundary

0AH Bad sector flag detected (hard disk)

0BH Bad track detected (hard disk)

0CH Unsupported track or invalid media

0DH Invalid number of sectors for Format (hard disk)

0EH Control data address mark detected (hard disk)

0FH DMA arbitration level out of range (hard disk)

10H Uncorrectable CRC or ECC error on read

11H ECC corrected data error (hard disk)

20H Disk controller failure

31H No media in drive

32H Drive does not support media type

40H Seek failed

80H Timeout (disk not ready)

AAH Drive not ready

B0H Volume not locked in drive (INT 13 extensions)

B1H Volume locked in drive (INT 13 extensions)

B2H Volume not removable (INT 13 extensions)

B3H Volume in use (INT 13 extensions)

B4H Lock count exceeded (INT 13 extensions)

B5H Valid eject request failed (INT 13 extensions)

BBH Undefined error (hard disk)

CCH Write fault (hard disk)

E0H Status register error (hard disk)


FFH Sense failed (hard disk)
Table 23-25. BIOS Hard Errors

24. Technical Specifications and Options

The following options are available from SafeBoot but may not be
included on your install CD, or be appropriate for your version of
SafeBoot. Please contact your SafeBoot representative for information if
you wish to use one of these optional components.

24.1 Encryption Algorithms


SafeBoot supports many custom algorithms. Only one algorithm can be
used in a SafeBoot Enterprise.
Algorithm performance is based on the “PassMark” rating which gives
an overall indication of system performance. All tests were performed
on a K6-II-300 machine running NT4.0. This test platform has a
PassMark of 20.7. The closer to this figure an algorithm gets, the less
the impact of SafeBoot on the user. Faster machines will achieve
correspondingly faster PassMark ratings, but the percentage difference
between them will be comparable.

24.1.1 RC5-12 (FASTEST)


CBC Mode, 1024 bit key, 12 rounds, 64 bit blocks. PassMark 20.7
(100%)

24.1.2 RC5-18
CBC Mode, 1024 bit key, 18 rounds, 64 bit blocks, PassMark 20.7
(100%)
The 18 round RC5 variant is designed to prevent the theoretical “Known
Plaintext” attack.

24.1.3 AES 256


CBC Mode, 256 bit key, 128 bit blocks, PassMark 19.3 (93%)
Only recommended for use where support for SafeBoot 4.0 AES is
required.

24.1.4 AES-FIPS (FIPS 140-2 Approved) - RECOMMENDED

CBC Mode, 256 bit key, 128 bit blocks, PassMark 19.3 (93%)
This algorithm is approved for FIPS 140-2 use.

24.1.5 DES (FIPS 140-1 Approved)


CBC Mode, 56 bit key, 128 bit blocks, PassMark 16.5 (79%)
Only for use in exceptional circumstances.

24.1.6 Blowfish
CBC Mode, 448 bit key, 20 rounds, 64 bit blocks, PassMark 19.9 (96%)
Withdrawn from general distribution - special order only.

24.2 Smart Card Readers


The following smart card readers are supported.

24.2.1 PCMCIA Smart Card Readers


• SCR243 / SCR201 and compatibles (such as HP DC350B,
ActivIdentity and others)
PCMCIA smart card reader.
See http://www.scmmicro.com/security/SCR243.html for
more information.
• SCR201 and compatibles such as PCSR and Cisco PCMCIA
readers

24.2.2 Generic USB CCID Smart Card Reader and compatibles

This module provides support for the following devices
• Universal CCID USB smart card reader support (supports all
industry standard CCID readers)
• Dell D620 Integrated Smart Card Reader
• Gemplus GemPC430 USB Smart Card Reader
• Omnikey 3121 USB Smart Card Reader
• ACR38 USB Smart Card Reader

24.2.3 PCI Smart Card Readers


• HP 6400 Integrated Smart Card Reader
• Dell D610/810 Integrated Smart Card Reader

24.3 Tokens
24.3.1 Smart Cards
The following Smart Cards are supported. For more information, please
contact the smart card vendor, and see the additional notes in the file
“created.html” on the SafeBoot distribution CD.
• SafeBoot Blue Smart Card (G&D Starcos 2.1 T=1)
• SafeBoot Red Smart Card (G&D Starcos 2.1 T=0)
• ActivIdentity Smart Card
• DataKey Smart Card
• Datev PKI Smartcard
• DOD CAC smart cards (all types)
• Estonian National ID Smart Card
• HP ProtectTools Smart Card (Branded ActivIdentity smart card)
• PToken Certificate Card
• RSA SecurID RSA5100 Smart Card
• Setec Certificate Card
• Siemens CardOS 4.3b / 4.01a Smart Card
• Telesec Certificate Card
• TEID /IZN Certificate Card

24.3.2 USB Tokens


• Aladdin eToken 64KB Pro
• Charismathics USB Key
• RSA SID800 USB Key
• SafeNet IKEY 2032
• SafeBoot Phantom Biometric Key
• Sony Puppy Fingerprint Reader

24.3.3 Other Authentication Tokens


• Passfaces
• Infineon TPM Chip

24.4 Language Support


24.4.1 Client
Pre-Boot Languages (auto detect)
• Arabic • Italian
• Czech • Japanese
• Chinese (Simplified) • Korean
• Chinese (Traditional) • Polish
• Dutch • Portuguese
• English (United Kingdom) • Russian
• English (United States) • Swedish
• Estonian • Spanish
• German • Turkish
• Hungarian
Table 24-1. Pre Boot Languages

Pre-Boot Keyboards (auto detect)


• Arabic 101 • Greek 319
• Arabic 102 • Greek 220 Latin
• Arabic AZERTY • Greek 319 Latin
• Belgian Comma • Hebrew
• Belgian Period • Hungarian
• Canadian Multilingual • Italian
• Canadian French • Icelandic
• Canadian French Legacy • Irish
• Chinese Bopomofo • Japanese
• Chinese ChaiJei • Kazakh
• Croatian • Korean
• Czech (Czech Republic) • Latin American
• Czech (QWERTY) • Norwegian

• Czech (Programmers) • Norwegian with Sami
• Danish • Polish 214
• Dutch • Polish Programmers
• English (United States) • Portuguese Brazil
• English (United Kingdom) • Portuguese Portugal
• English (US International) • Romanian
• English (UK Extended) • Russian
• Estonian • Slovak
• French (Belgium) • Slovak QWERTY
• French (France) • Slovenian
• French (Canada) • Spanish (Spain)
• French (Swiss) • Spanish (International)
• Finnish • Spanish Variant
• Gaelic • Swedish
• German (Standard) • Swiss German
• German (IBM) • Thai Kedmanee
• Greek • Turkish F
• Greek Latin • Turkish Q
• Greek 220 • US Dvorak
Table 24-2. Pre Boot Keyboard Layouts

Most of the keyboard layouts also support On-Screen representations.


Please note – other languages are available on request. We are
continuously updating our language translations and encourage
feedback from our users.
Windows Languages (auto detect)
• English (United Kingdom)
• English (United States)
Table 24-3. Windows Supported Languages

24.5 System Requirements


Implementation documentation discussing appropriate hardware for
typical installations of SafeBoot is available from your representative.

24.5.1 Client
Windows NT4.0, 2000, XP, 2003 Server, Vista 32bit (all versions), Vista
64bit (all versions)
128MB RAM, or OS Minimum specification
5-35MB free hard disk space (depending on localization and number of
desired users)
Pentium compatible processor, multi-processor (up to 32 way), dual-
core and hyper threading processors, Pentium-compatible processors
such as AMD processors.
For remote administration, a TCP/IP network connection is required.
