
InfoWatch CryptoStorage Personal - IT-Administrator...InfoWatch CryptoStorage (specific features of...

Date post: 05-Aug-2020

InfoWatch CryptoStorage User Guide


INFOWATCH CRYPTOSTORAGE

User Guide

ZAO “InfoWatch”

Phone/fax: +7(495)22-900-22 http://www.infowatch.com

Last edited: December 2008


Table of Contents

INTRODUCTION (Page 6)
Audience (Page 6)
Document Structure (Page 6)
General Conventions (Page 7)
Technical Support (Page 8)

CHAPTER 1. INFOWATCH CRYPTOSTORAGE OVERVIEW (Page 9)
1.1. InfoWatch CryptoStorage Overall Description (Page 9)
1.2. Components of InfoWatch CryptoStorage (Page 10)
1.3. Protected Objects (Page 11)
1.4. Rights of Access to Protected Objects (Page 12)

CHAPTER 2. INSTALLING INFOWATCH CRYPTOSTORAGE (Page 14)
2.1. Hardware and Software Requirements (Page 14)
2.2. Installation (Page 15)
2.3. Managing Licenses (Page 16)
2.4. Getting and Installing Licenses using an Activation Code (Page 18)
2.5. Updating the Product (Page 19)

CHAPTER 3. GETTING STARTED (Page 20)
3.1. System Interface (Page 20)
3.2. Password Recommendations (Page 21)

CHAPTER 4. PROTECTING DATA (Page 22)
4.1. Protecting Files and Folders (Page 22)
4.1.1. Specific Features of Encrypting Objects (Page 22)
4.1.2. Encrypting Objects (Page 25)
4.1.3. Interrupting Folder Encryption (Page 26)
4.1.4. Interrupting File Encryption (Page 27)
4.1.5. Re-encrypting Objects (Page 27)
4.1.6. Interrupting Re-encryption (Page 28)
4.1.7. Decrypting Objects (Page 28)
4.1.7.1. Interrupting Folder Decryption (Page 29)
4.1.7.2. Interrupting File Decryption (Page 30)
4.2. Protecting Disk Volumes and Removable Devices (Page 30)
4.2.1. Specific Features of Encrypting Disk Volumes and Removable Devices (Page 31)
4.2.2. Specific Features of Using Hard Disk Management Utilities (Page 33)
4.2.3. Encrypting Disk Volumes and Removable Disks (Page 33)
4.2.4. Interrupting Encryption (Page 34)
4.2.5. Resuming Encryption (Page 35)
4.2.6. Rolling back to the Unencrypted State (Page 35)
4.2.7. Re-encrypting objects (Page 36)
4.2.8. Decrypting Objects (Page 37)
4.3. Protected Containers (Page 37)
4.3.1. Specific Features of Creating Containers (Page 38)
4.3.2. Creating a Container (Page 38)
4.3.3. Preparing a Container for Use (Page 40)
4.3.4. Protecting Containers from Deletion (Page 40)
4.3.5. Re-encrypting a Container (Page 40)
4.3.6. Interrupting Re-encryption (Page 41)
4.3.7. Resuming Re-encryption (Page 42)
4.3.8. Rolling back to a Previous State (Page 42)
4.4. Wiping Protected and Unprotected Objects (Page 43)

CHAPTER 5. USING PROTECTED OBJECTS (Page 44)
5.1. Using Protected Files, Folders, Hard Disks and Removable Devices (Page 44)
5.1.1. Rules for Using Protected Files and Folders (Page 45)
5.1.2. Rules for Using Protected Volumes of Hard Disk and Removable Devices (Page 46)
5.1.3. Starting up Using Protected System Disk and/or Boot Disk (Page 47)
5.1.4. Attaching Protected Files, Folders, Hard Disks and Removable Devices (Page 47)
5.1.5. Detaching Protected Files, Folders, Hard Disks and Removable Devices (Page 48)
5.2. Using Protected Containers (Page 48)
5.2.1. Rules for Using Protected Containers (Page 49)
5.2.2. Attaching a Container (Page 49)
5.2.3. Formatting a Container (Page 51)
5.2.4. Detaching a Container (Page 53)
5.3. Viewing Information on a Protected Object (Page 54)
5.4. Managing Access to a Protected Object (Page 56)
5.4.1. The Structure of Access Lists (Page 57)
5.4.2. Viewing Access List (Page 57)
5.4.3. Managing Access to Protected Folders (Page 59)
5.4.3.1. Adding a New User (Page 59)
5.4.3.2. Adding an Existing User (Page 60)
5.4.3.3. Resuming Adding a User (Page 61)
5.4.3.4. Removing a User from Access List (Page 61)
5.4.3.5. Resuming the Removal of a User (Page 62)
5.4.4. Managing Access to Protected Files, Containers, Disk Volumes and Removable Devices (Page 62)
5.4.4.1. Adding a User to Access List (Page 63)
5.4.4.2. Removing a User from Access List (Page 63)
5.5. Changing User Parameters for Accessing a Protected Object (Page 63)

CHAPTER 6. CONFIGURING SUBSYSTEMS (Page 65)

CHAPTER 7. DISK RECOVERY UTILITY (Page 68)

CHAPTER 8. UNINSTALLING INFOWATCH CRYPTOSTORAGE (Page 70)
8.1. Preparing the Protected Objects for Uninstallation of the System (Page 70)
8.2. Uninstalling the System (Page 71)

APPENDIX A END-USER LICENSE AGREEMENT (Page 72)

GLOSSARY (Page 76)

INDEX (Page 78)


INTRODUCTION

InfoWatch CryptoStorage (hereafter InfoWatch CryptoStorage or the System) is a system intended to protect confidential information stored on a PC against unauthorized access using cryptographic means.

This document describes how to use InfoWatch CryptoStorage.

Audience

This guide is intended for users who have basic skills in the Microsoft Windows OS environment.

Document Structure

This user guide consists of the following chapters:

Chapter 1 InfoWatch CryptoStorage Overview (Page 9).

This chapter contains a general description of InfoWatch CryptoStorage (purpose, structure, types of protected objects).

Chapter 2 Installing InfoWatch CryptoStorage (Page 14).

This chapter describes how to install InfoWatch CryptoStorage.

Chapter 3 Getting Started (Page 20).

This chapter describes the interface of the System.

Chapter 4 Protecting Data (Page 20).

This chapter describes different methods of data protection, supported by InfoWatch CryptoStorage (specific features of different types of protection, algorithms).

Chapter 5 Using Protected Objects (Page 44).

This chapter describes the rules for using protected objects and contains information about how to manage protected objects.

Chapter 6 Configuring Subsystems (Page 65).

This chapter describes how to configure the InfoWatch CryptoStorage subsystems.


Chapter 7 Disk Recovery Utility (Page 68).

This chapter describes how to use the utility which cleans disk space used by protected volumes when access to the volumes cannot be recovered.

Chapter 8 Uninstalling InfoWatch CryptoStorage (Page 70).

This chapter describes how to uninstall the System and contains instructions for how to prepare protected objects if you want to uninstall the System.

Appendix A End-User License Agreement (Page 72).

General Conventions

This document uses different typefaces and styles to draw your attention to specific information. Table 1 describes the styles.

Table 1. Style description

| Style | Description |
|---|---|
| Bold | Indicates programs (if they are mentioned for the first time in the document), GUI elements. Bold typeface also indicates terms and definitions. |
| Italics | Indicates document names, table of contents at the beginning of chapters and sub-chapters. Italics also indicates attribute names and values in a table. Some other text elements (if no special styles are provided for them) are also marked in italics. |
| Font Courier New | Indicates file names, program text examples. When describing configuration files, the style denotes parameter values, examples of settings. |


Technical Support

You can download new versions of the InfoWatch CryptoStorage software product and documentation from our website http://www.infowatch.com at http://www.infowatch.com/downloads.

If you cannot resolve issues which arise when using the licensed versions of the System, you can contact our technical support service either at http://www.infowatch.com/support/cryptostorage or by e-mail [email protected].


CHAPTER 1. INFOWATCH CRYPTOSTORAGE OVERVIEW

This chapter contains information on:

InfoWatch CryptoStorage Overall Description (Item 1.1 on Page 9).

Components of InfoWatch CryptoStorage (Item 1.2 on Page 10).

Protected Objects (Item 1.3 on Page 11).

Rights of Access to Protected Objects (Item 1.4 on Page 12).

1.1. InfoWatch CryptoStorage Overall Description

The system is intended to protect the user’s confidential data against unauthorized access and to prevent data leakage when the operating system saves system information to disk or when the user’s files are not wiped.

Transparent encryption is used to encrypt information.

Transparent encryption is a method of encryption in which data is encrypted when it is protected and is stored in encrypted form inside a protected object. The protected data is handled in the following way: the data is automatically decrypted in RAM when requested, and the uploaded data is encrypted.

Data is encrypted with the 128-bit AES algorithm. The algorithm is approved by the international cryptography community and represents a cryptographic standard. AES is approved by the U.S. National Institute of Standards and Technology (NIST) in Federal Information Processing Standards (FIPS) PUB 197, 26.11.2001.

The main functions of the System are listed below.

Data protection

With the System, you can:

protect all data on disk volumes including the system and the boot volumes, on Flash drives, and other USB Mass Storage devices;

protect the contents of individual files and folders within the NTFS file system;


create protected virtual disks (the protected containers) to store confidential data.

The protection of system disk allows you to keep the following confidential:

RAM contents which are saved to a hard disk when the system hibernates;

crash dump data which is saved to a hard disk when a fatal error occurs;

data of temporary files and swap files.

Handling protected data

With the System, you can:

delimit access to protected information using password authorization;

set up multi-user access to protected data;

store protected objects inside other protected objects with any nesting depth;

prevent accidental or intended deletion of protected objects by limiting access to these objects;

use protected containers, folders and files located both on the user’s workstation and on local network resources;

move protected objects together with the physical carrier to another computer where the System is installed and use the objects on this computer;

wipe protected and unprotected files and folders.

1.2. Components of InfoWatch CryptoStorage

The components of InfoWatch CryptoStorage are listed in Table 2.

Table 2. The components of InfoWatch CryptoStorage

| Component | Description |
|---|---|
| CryptoStorage | Encrypts data, handles the protected data |
| CryptoStorage Configurator | Configures subsystems of InfoWatch CryptoStorage |
| Disk recovery utility | Wipes disk volumes which are protected and cannot be used |

1.3. Protected Objects

Protected objects are any objects which are intended to store data and are encrypted with InfoWatch CryptoStorage.

There are two groups of protected objects.

The first group includes the objects which are created when the existing objects of the operating system are converted to a protected form:

files and folders;

hard disk volumes (including the system and/or the boot volumes) and other Mass Storage devices (Flash drives, USB storages, etc).

The second group includes special protected objects – the containers.

A protected container is a special file which is displayed by the operating system as a file of unknown format. The protected containers are created by a user on the user’s computer or on local network resources with InfoWatch CryptoStorage. After a container is attached using InfoWatch CryptoStorage, you can use it as a protected virtual disk. If you use the NTFS file system, you can attach a protected container to an empty folder.

Moreover, container files can be copied, recorded to CD or DVD, emailed and moved to another computer where the System is installed. At the same time the containers can always be attached.

Attention!

All data placed into a created protected object is automatically protected. When you copy data from a protected object into an unprotected area, the data is placed in the open (unprotected) form.


1.4. Rights of Access to Protected Objects

A user must be authorized to access protected objects. This prevents unauthorized operations on the objects.

The user’s rights to use a protected object are specified when authorizing. The System supports two roles to use the protected objects: the owner and the user.

The owner of a protected object is a user who has the right to perform any operations on the object. The protected object owner is assigned when encrypting the object (or when creating a protected object). Each protected object can have only one owner.

A user of a protected object is a user added by the object owner into the object access list. Unlike the object owner, the user’s rights to use a protected object are limited.

Table 3 lists the user’s and the owner’s rights for various operations on protected objects (the “+” and “-” characters signify whether the right for a specified type of operation is given).

Table 3. Rights of object owners and users

| Operation on a protected object | Protected object owner | Protected object user |
|---|---|---|
| Attaching/detaching objects | + | + |
| Using objects (reading, copying, archiving, removal, etc) | + | + |
| Wiping files or folders. Note: Any user can wipe unprotected files and folders on a computer where the System is installed. | + | + |
| Viewing information on a protected object | + | – |
| Changing the access list (adding/removing users of a protected object) | + | – |
| Re-encrypting/decrypting objects | + | – |
| Creating a protected container using InfoWatch CryptoStorage | + | – |
| Changing personal authorization parameters | + | + |


CHAPTER 2. INSTALLING INFOWATCH CRYPTOSTORAGE

This chapter contains information on:

Hardware and Software Requirements (Item 2.1 on Page 14).

Installation (Item 2.2 on Page 15).

Managing Licenses (Item 2.3 on Page 16).

Getting and Installing Licenses using an Activation Code (Item 2.4 on Page 18).

Updating the Product (Item 2.5 on Page 19).

2.1. Hardware and Software Requirements

Your computer must meet the following hardware and software requirements to run InfoWatch CryptoStorage.

Hardware requirements:

processor Intel Celeron 1 GHz or higher;

RAM 256 MB;

5 MB free disk space to install the application.

Software requirements:

Any of the listed operating systems:

- Microsoft Windows 2000 Server Service Pack 4;

- Microsoft Windows 2003 Server;

- Microsoft Windows 2000 Professional Service Pack 4;

- Microsoft Windows XP Service Pack 2;

- Microsoft Windows Vista.


2.2. Installation

Attention!

You must have administrator rights to the computer to install InfoWatch CryptoStorage.

The installation starts with the installation wizard. Each window contains a set of buttons to control the installation process. The buttons provide the following operations:

Next – accept the action and go to the next step of the installation procedure.

Back – return to the previous step.

Cancel – cancel the installation.

See below the step-by-step description of the System installation procedure.

Step 1. Start the Installation

Insert the InfoWatch CryptoStorage setup disk into the CD-ROM drive or run the installation file CryptoStorage_EN_1_0_VVVV_x86.msi.

Notes:

1. You can download a new version of the InfoWatch CryptoStorage software product at http://www.infowatch.com/downloads.

2. The last three characters in the name of the CryptoStorage_EN_1_0_VVVV_x86.msi installation file stand for the version of the software product and are represented as VVVV in this document.

The Welcome to the InfoWatch CryptoStorage Setup Wizard screen opens.

Click Next to proceed to the next step. Or click Cancel to cancel the installation.

Step 2. Accept License Agreement

To continue the installation, you must accept the terms of the license agreement and click Next. You can read the license agreement in Appendix A on Page 72 of the current document.


Step 3. Select the Installation Directory

The default path to the directory where InfoWatch CryptoStorage will be installed is specified in the input field of the Destination Folder screen.

You can change the installation directory. Click Change… and select a directory in the standard window for selecting the directory, or type the path to the directory in the appropriate input field.

Click Next to proceed to the next step.

Step 4. Complete the Installation

After proceeding to the Ready to install InfoWatch Cryptostorage screen, click Install to install InfoWatch CryptoStorage.

Follow the installation wizard instructions to complete the installation of InfoWatch CryptoStorage.

When the installation is complete, you will be asked to activate the product. See information on the procedure for getting and using a license key in Item 2.4 on Page 18. To activate the product later, select the Activate product later check box and click Next.

Restart the computer to finish the installation. The corresponding notification is displayed.

Attention!

It is strongly advised not to turn off the computer’s power supply when restarting (when Microsoft Windows is shutting down). It may cause an error while the operating system is starting up.

If the power supply fails, keep hitting the F8 key when restarting. In the Windows Advanced Options Menu, select the Last Known Good Configuration option.

After that, reinstall InfoWatch CryptoStorage.

2.3. Managing Licenses

You must get and register a commercial license to make InfoWatch CryptoStorage fully functional.

Note:

The Trial version is registered by default while the System is being installed. This is a 30-day fully functional version of InfoWatch CryptoStorage which only limits the number of characters in the passwords of encrypted objects. When the trial period expires, you can only decrypt the existing protected objects but you cannot encrypt new objects.

You can manage licenses using CryptoStorage Configurator.

To view the list of installed licenses, run CryptoStorage Configurator: from the Start menu, select Programs ► InfoWatch CryptoStorage ► CryptoStorage Configuration.

In the opened window, click Licenses…. The Licenses dialog window will be displayed (Figure 1).

Figure 1. Licenses

This window contains a list of installed licenses and detailed information on each license: type, serial number, current status and validity period.

To add a license to the list, click Add license…. In the opened dialog window, specify the path to a license file and click Open.

Note:

The added license must be given to the same user who owns all other licenses in the list. Otherwise you cannot add a license.

To remove a license from the list, select the license and click Remove license.

Note:

You cannot remove the Trial license from the license list.


Attention!

It is strongly advised not to remove the last commercial license from the list. Otherwise the functionality of the Product will be limited.

To get and install a license using an activation code, click Activate…. Activating a license using an activation code is covered in Item 2.4 on Page 18.

When you finish editing the list of installed licenses, click Exit to close the window.

2.4. Getting and Installing Licenses using an Activation Code

You can use an activation code to get and install a license while installing the Product or after the Product is installed, when managing licenses (see Item 2.3 on Page 16).

Attention!

When using an activation code, your computer must be connected to the Internet to download a license from the InfoWatch license service.

To get a license, type a product code consisting of five parts. Each part of the code contains five characters (Figure 2). The code contains digits (except zero) and upper-case Latin letters.

Figure 2. Activating the Product

Then, in the customer information pane, specify your country, type your name and e-mail address. Click OK.

After that the license is acquired and installed automatically.


Attention!

Only one license is given for each activation code. Keep your product activation code secret.

2.5. Updating the Product

You can download a new version of the InfoWatch CryptoStorage software product at http://www.infowatch.com/downloads.

To update the Product to a newer version, run the setup program of the new version.

If the installed license is still valid, the version is updated automatically.

Otherwise, while updating you will be asked to activate the Product using a new code to get a license which is valid after release date of the new version of the Product. If the Product is not activated with the code, it will not be updated.

Note:

You cannot update the installed version to an earlier version. To install an earlier version, you must first uninstall the existing version of the Product (see Chapter 8 on Page 70).


CHAPTER 3. GETTING STARTED

The present section contains information on:

System Interface (Item 3.1 on Page 20).

Password Recommendations (Item 3.2 on Page 21).

3.1. System Interface

You can access functions of the System using Windows Explorer context menu.

Attention!

If you use Microsoft Windows Vista, you can select an object using only the right pane of Windows Explorer (the pane which displays the contents of a folder or a disk).

To open the CryptoStorage menu:

1. Select the necessary object (a file, a folder, a container, a volume or a removable disk) and right-click it.

The context menu of the selected object will be opened.

2. In the opened context menu, select CryptoStorage (see Figure 3).

Figure 3. The CryptoStorage menu

This menu item contains a submenu which depends on the type of object and whether the object is protected or not.


3.2. Password Recommendations

All protected objects are accessed upon authorization only. A password is the mandatory authorization parameter. Follow these recommendations when selecting a password:

a password should be made up of 6 characters or more;

a password can contain digits, Latin characters, space and special characters («.», «,», «?», «!», «<», «>», «”», etc.);

it is highly advised to create a password which includes a combination of upper- and lower-case alphabetic letters and digits.

You must not use in the password:

words found in a dictionary or set expressions;

any easy-to-guess word or number patterns, such as: qwerty, 123456789, qazxsw, etc.

It is strongly advised not to reuse the passwords which you use to run other programs (e-mail, databases, etc).

Security Warning!

Do NOT use your personal data in passwords: first and last names, addresses, passport numbers, social security numbers, etc.

Attention!

If you lose all passwords to a protected object, the object contents cannot be restored!
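A checker for the recommendations in this section, as an added example (it is not part of the guide or of the Product). The sample word list, the personal-data strings passed by the caller, the reading of "Latin characters" as ASCII letters and the three thresholds are assumptions made for the example.

```python
import re

# Straight lines on a QWERTY keyboard plus alphabet and digit order. Runs
# along them, in either direction, cover the guide's examples: qwerty,
# 123456789 and qazxsw (two column runs, "qaz" downwards and "xsw" upwards).
_LINES = ["1234567890", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm",
          "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol",
          "abcdefghijklmnopqrstuvwxyz"]
_LINES += [line[::-1] for line in _LINES]

MIN_RUN = 3          # assumption: shortest run counted as a pattern
PATTERN_SHARE = 0.6  # assumption: share of the password made up of runs
MIN_TOKEN = 4        # assumption: shortest dictionary/personal token checked

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_WORDS = ["sunshine", "password", "dragon"]


def pattern_share(low):
    """Fraction of a lower-cased password covered by keyboard/sequence runs."""
    covered, i = 0, 0
    while i < len(low):
        best = 0
        # Longest run starting at position i that lies on one of the lines.
        for n in range(len(low) - i, MIN_RUN - 1, -1):
            if any(low[i:i + n] in line for line in _LINES):
                best = n
                break
        covered += best
        i += best or 1
    return covered / len(low) if low else 0.0


def check_password(password, dictionary=(), personal_data=()):
    """Return (rule, detail) findings; an empty list means no rule is broken."""
    findings = []
    low = password.lower()

    if len(password) < 6:
        findings.append(("length", "fewer than 6 characters"))

    # Assumption: "Latin characters" in the guide means ASCII letters.
    if any(ch.isalpha() and not ch.isascii() for ch in password):
        findings.append(("charset", "contains non-Latin letters"))

    if not all(re.search(c, password) for c in (r"[a-z]", r"[A-Z]", r"[0-9]")):
        findings.append(("mix", "lacks an upper-case letter, lower-case letter or digit"))

    if pattern_share(low) >= PATTERN_SHARE:
        findings.append(("pattern", "keyboard or sequence pattern"))

    for word in dictionary:
        if len(word) >= MIN_TOKEN and word.lower() in low:
            findings.append(("dictionary", f"contains the word {word!r}"))
            break

    # Names, addresses, document numbers: split into tokens and look for
    # each token inside the password. The token itself is not echoed back.
    for item in personal_data:
        tokens = re.findall(r"[^\W_]+", item.lower())
        if any(len(t) >= MIN_TOKEN and t in low for t in tokens):
            findings.append(("personal", "contains personal data"))
            break

    return findings


if __name__ == "__main__":
    for candidate in ("qwerty", "123456789", "qazxsw", "Sunshine2008", "Mv7 kd!Rz4"):
        print(repr(candidate), check_password(candidate, dictionary=SAMPLE_WORDS))
```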


CHAPTER 4. PROTECTING DATA

The present chapter contains information on:

Protecting Files and Folders (Item 4.1 on Page 22).

Protecting Disk Volumes and Removable Devices (Item 4.2 on Page 30).

Protected Containers (Item 4.3 on Page 37).

Wiping Protected and Unprotected Objects (Item 4.4 on Page 43).

4.1. Protecting Files and Folders

The present section contains information on:

Specific Features of Encrypting Objects (Item 4.1.1 on Page 22).

Encrypting Objects (Item 4.1.2 on Page 25).

Interrupting Folder Encryption (Item 4.1.3 on Page 26).

Interrupting File Encryption (Item 4.1.4 on Page 27).

Re-encrypting Objects (Item 4.1.5 on Page 27).

Interrupting Re-encryption (Item 4.1.6 on Page 28).

Decrypting Objects (Item 4.1.7 on Page 28).

4.1.1. Specific Features of Encrypting Objects

Attention!

1. You can protect files and folders only within the NTFS file system.

2. The protection of files and folders is enabled if InfoWatch CryptoStorage is installed on the computer and the Protected file system subsystem is running (for more information about the subsystem, see Chapter 6 on Page 65). The subsystem is running by default.

You can encrypt a file or a folder only if the file or folder meets the following requirements.


A File:

must not be encrypted with InfoWatch CryptoStorage or with EFS (an encrypting file system which is included in the Microsoft Windows OS);

must not be a file of the user profile (with the exception of the My Documents and Desktop folders of the current user’s profile);

must not be a system file;

must not be a part of InfoWatch CryptoStorage;

must have a full name which does not exceed 255 characters.

A Folder:

must not contain files or folders encrypted with InfoWatch CryptoStorage or EFS (an encrypting file system which is included in the Microsoft Windows OS);

must not contain user profile folders (with the exception of the folders in My Documents and Desktop of the current user’s profile);

must not be a folder of the Microsoft Windows system volume and must not contain any system files;

must not contain any InfoWatch CryptoStorage files;

must have a full name which does not exceed 255 characters.

Some specific features of encrypting files and folders are listed below:

You can use the protected files and folders within the Microsoft Windows local network. In this case the Protected file system subsystem must be disabled on a remote computer which stores the data (for more information about the subsystem, see Chapter 6 on Page 65) and the files and folders must be stored on an NTFS volume.

When you encrypt a folder, it means that its files and the files inside its subfolders will be encrypted too.

You can perform operations on a protected file (folder) (reading, writing, renaming, archiving, removing, etc.) only when the file (folder) is attached.

If an object (a file or a folder) is attached, it is not protected and can be accessed by any user who uses the same computer locally under the account of the user who attached the object. The System prohibits network access to all protected objects.

Copied and moved files and folders are protected only by the objects which they are placed inside.


Note:

Copied and moved files and folders are not protected when they are placed into objects which are not protected by the System.

The System does not support the following operations on protected objects: moving to the Recycle Bin, and moving files, or folders which contain files, within one volume.

Note:

If you move a folder which contains files within a volume, the source folder remains unchanged. An empty folder which has the same name as the source folder will be created in the target place. This folder is protected by the object which it is placed inside.

Some file managers, for example, Total Commander, can delete the source objects after copying, if files or folders are moved within a volume. In this case you can move the objects, but the moved files and folders will be protected only by the objects which they are placed inside.

You can move unprotected folders containing protected files and subfolders within a volume to unprotected folders. In this case protected objects do not have to be attached and at the same time their properties remain.

An unprotected folder containing protected files and subfolders can be moved to the Recycle Bin if all protected objects of this folder are attached.

Note:

In this case you can delete or restore the folder which is moved to the Recycle Bin. When restoring the folder, all protected objects of the folder will be reattached. After you restart the computer or log off the system, you cannot delete the folder which is moved to the Recycle Bin but you can restore it. When restoring, all protected objects of the folder will be detached. With Microsoft Windows Vista, you can both delete and restore the folder.

Total Commander does not support this kind of object relocation.

When you encrypt single files, take into account the following information:

Some applications create temporary copies of a file in the folder where the source file is located. This folder is not protected and the file copies will not be protected either, though they may contain unprotected confidential data. Moreover, there are applications (for example, Microsoft Word) which rename a temporary file into the source file when saving. As a result, file protection can be lost.


When you copy an unprotected file to a folder which already contains a protected file with the same name, the request for replacing the file is displayed. If you confirm that you want to replace the file, the protected file will be replaced with an unprotected file (even if the protected file is not attached).

Therefore, it is advised to encrypt whole folders rather than single files.

4.1.2. Encrypting Objects

Attention!

Before starting encryption, read about specific features of encrypting files and folders (see item 4.1.1 on Page 22).

Before encrypting, you must finish using the file or folder which will be encrypted. Do not do any operations on the file or folder until the object is encrypted.

You can interrupt encrypting a folder. In this case you must manually restore the initial structure of the encrypted folder (for more details, see Item 4.1.3 on Page 26).

Note:

When a computer hibernates or goes into Standby mode, the encryption process is automatically interrupted. After the computer returns from Hibernation or Standby mode, the encryption process resumes.

To encrypt a file or a folder:

1. Select an object (a file or a folder) to encrypt.

2. Right-click the selected object and from the opened context menu, select CryptoStorage ► Protected file system ► Encrypt file object.

3. In the opened dialog window specify parameters for the object owner to access the protected object:

Login. Name of the protected object’s owner.

Password, Confirm password. Owner’s password to access the protected object.

Note:

See password recommendations in Item 3.2 on Page 21.

When all necessary parameters are specified, click OK.


4. After that, the System displays a dialog window where you can change the description of the owner. The description is displayed in the object access list (for more details, see Item 5.4.2 on Page 57) and it cannot be edited. The owner’s name specified in Step 3 is used as the default description.

When the description is specified, click OK.

After that, the System starts encrypting the object. When the object is encrypted, it gets attached and is ready for use.

4.1.3. Interrupting Folder Encryption

In some cases, you may need to interrupt the encryption process manually or the encryption is interrupted due to a fatal error (for example, when the computer’s power is unexpectedly turned off). In this case some data remains unprotected in the temporary folder xxx_PROCEED_### (where xxx is the name of the protected folder, and ### is a numerical sequence). In this case, copy the data from the temporary folder xxx_PROCEED_### to the folder which is being encrypted.

Note:

The xxx_PROCEED_### folder is created in the same directory as the protected folder. If the xxx folder is detached, then you must attach it prior to copying.

Example:

The Reports folder is being encrypted. While encrypting, the System creates the unprotected temporary folder Reports_PROCEED_120. A user interrupts the encryption process. After that, some files from the Reports folder are placed in the Reports_PROCEED_120 folder (these files are unprotected).

To restore the contents of the initial Reports folder, you must open the temporary folder Reports_PROCEED_120 and copy its contents into the protected folder Reports. After that, you can delete the Reports_PROCEED_120 folder.

Note:

You can only use the Copy operation (the <CTRL+C> key combination) to place objects into a protected folder. The Cut operation is not supported (the <CTRL+X> key combination).

The Reports folder is now protected, and consequently, all data moved to this folder will also be protected.


4.1.4. Interrupting File Encryption

When you interrupt the encryption of a file, the source file remains unprotected and can be encrypted later.

If the file encryption process is interrupted incorrectly (for example, when the computer’s power is unexpectedly turned off), the file remains at the same place under the name of xxx_PROCEED_### (where xxx is the name of the encrypted file, and ### is a numerical sequence). At the same time, the initial file name xxx is assigned to the temporary file containing the encrypted part of the source file. To restore the original file, you must delete the file with the initial name xxx and rename the xxx_PROCEED_### file back to xxx. After that, you can repeat the file encryption procedure. If the xxx file is detached, you must attach it prior to deleting.

Example:

The Report data file is being encrypted. While encrypting, the computer’s power is turned off. After the computer restarts, the same folder contains the Report data and Report data_PROCEED_124 files.

To restore the initial state, you must delete the Report data file and rename the Report data_PROCEED_124 file to Report data.

4.1.5. Re-encrypting Objects

Only an object owner can re-encrypt a file or a folder.

This operation is available only if the object is attached by the object owner (for more information about how to attach a file or a folder, see Item 5.1.4 on Page 47).

Attention!

Do not use a file or a folder while re-encrypting it: the files or folders, which are currently being used, cannot be re-encrypted.

To re-encrypt a file or a folder:

1. Select a protected object (a file or a folder) to re-encrypt.

2. Right-click the selected object and from the opened context menu select CryptoStorage ► Protected file system ► Owner functions ► Reencrypt file object.

3. In the opened dialog window, type Login and Password of the owner of the protected object. Click OK.


The System starts re-encrypting the file or folder. Do not use the protected object while re-encrypting it. When the object is re-encrypted, it remains protected and attached and you can use it.

It is advised to re-encrypt objects if the internal keying information is likely to be compromised. The standard situation when the internal keying information can be compromised is when you remove a user from an access list. The removed user was allowed to access the keying information and consequently he/she can use the data to access the object even after he/she is removed from the list. Re-encryption changes the internal keying information (the object is re-encrypted with a new key) and prevents access to the object using the compromised keying information.

4.1.6. Interrupting Re-encryption

When a user stops the re-encryption of a file or folder, the source object remains encrypted, but some files and subfolders will not be re-encrypted. You can repeat re-encryption of the object.

If the process of file encryption is interrupted incorrectly (for example, when the computer’s power is unexpectedly turned off), the System may create the xxx_PROCEED_### file (where xxx is the name of the file on which re-encryption is stopped, and ### is a numerical sequence). The initial name of the file xxx is assigned to a temporary file containing the encrypted part of the source file. The xxx and xxx_PROCEED_### files are encrypted and can be accessed using the same passwords, as the source file xxx. To restore the initial state, attach the protected folder (or the xxx and xxx_PROCEED_### files), delete the file with the initial name xxx and rename the xxx_PROCEED_### file back to xxx. After that, repeat the re-encryption of the file or folder.

Example:

The Report Data file is being re-encrypted. While encrypting, the computer’s power is turned off. After the computer restarts, the same folder contains the Report data and Report data_PROCEED_126 files.

To restore the initial state, you must attach and delete the Report data file. After that, attach and rename the Report data_PROCEED_126 file to Report data (for more information on how to attach a file, see Item 5.1.4 on Page 47).

4.1.7. Decrypting Objects

An object can be decrypted only by the object owner.


This operation is available only if a file or a folder is attached by the object owner (for more information on how to attach a file or a folder, see Item 5.1.4 on Page 47).

You can interrupt the decryption of a file or a folder. However, in this case you must manually restore the initial structure of the decrypted folder (for more information, see Item 4.1.7.1 on Page 29).

Note:

When a computer hibernates or goes into Standby mode, the decryption process is automatically interrupted. After the computer returns from Hibernation or Standby mode, you can resume the decryption process.

To decrypt an object:

1. Select a protected object (a file or a folder) to decrypt.

2. Right-click the selected object and from the opened context menu select CryptoStorage ► Protected file system ► Owner functions ► Decrypt file object.

3. In the opened dialog window, insert Login and Password of the protected object owner. Click OK.

4.1.7.1. Interrupting Folder Decryption

In some cases you may need to interrupt the decryption of a folder manually or the decryption is interrupted due to a fatal error (for example, when the computer’s power is unexpectedly turned off). In this case some data remains in the encrypted temporary folder xxx_PROCEED_### (where xxx is the name of the encrypted folder, and ### is a numerical sequence). In this case, you must copy all data from the temporary folder xxx_PROCEED_### to the folder which you decrypt.

Notes:

1. The xxx_PROCEED_### folder is created in the same directory as the decrypted folder.

2. The temporary folder remains encrypted and you can copy data from it only after the folder is attached (see Item 5.1.4 on Page 47). The encrypted temporary folder is attached with the same parameters which are used to access the source protected folder.

Example:

The Documents folder is being decrypted. While decrypting, the System creates the protected temporary folder Documents_PROCEED_225. A user interrupts the decryption process. After that, some files from the Documents folder are placed into the encrypted folder Documents_PROCEED_225.

To restore the contents of the initial folder Documents, open the Documents_PROCEED_225 folder and copy its contents into the Documents folder. After that, you can delete the Documents_PROCEED_225 folder.

The Documents folder is already decrypted, and consequently all data which you move to this folder will also be unencrypted.

4.1.7.2. Interrupting File Decryption

When a user interrupts the file decryption process, the source file remains encrypted and can be decrypted again.

If the file decryption process is interrupted incorrectly (for example, when the computer’s power is unexpectedly turned off) the file remains at the same place under the name of xxx_PROCEED_### (where xxx is the name of the decrypted file, and ### is a numerical sequence). The initial name of the file xxx is assigned to a temporary file containing the decrypted part of the data from the source file xxx. The xxx_PROCEED_### file is encrypted and you can access it using the same password, as for the source file xxx. To restore the original state, you must delete the file with the initial name xxx and then attach and rename the xxx_PROCEED_### file back to xxx. After that, you can repeat the file decryption.

Example:

The Report Data file is being decrypted. While decrypting, the computer’s power is turned off. After the computer restarts, the same folder contains the Report data and Report data_PROCEED_124 files.

To restore the initial state, delete the Report data file and then attach and rename the Report data_PROCEED_124 file to Report data.
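Sections 4.1.3, 4.1.4, 4.1.6, 4.1.7.1 and 4.1.7.2 all leave xxx_PROCEED_### entries behind after an interrupted operation. The following added example (it is not part of the guide or of the Product) walks a directory tree and lists such leftovers so that each one can be recovered as the relevant section describes. It assumes the suffix ends the whole entry name, as in the guide's examples; the sample tree is constructed.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Assumption: the suffix closes the whole entry name, as in the guide's
# examples Reports_PROCEED_120 and "Report data_PROCEED_124".
LEFTOVER = re.compile(r"^(?P<name>.+)_PROCEED_(?P<seq>\d+)$")

# The name alone does not tell which operation was interrupted, so the
# report points at every section that can produce this kind of leftover.
GUIDE_SECTIONS = {
    "folder": "4.1.3 (encryption), 4.1.7.1 (decryption)",
    "file": "4.1.4 (encryption), 4.1.6 (re-encryption), 4.1.7.2 (decryption)",
}


@dataclass
class Leftover:
    path: str              # the xxx_PROCEED_### entry
    kind: str              # "file" or "folder"
    original: str          # sibling xxx that the guide tells you to restore
    original_exists: bool
    pending_files: int     # files inside a leftover folder (0 for a file)
    sections: str          # guide sections that describe the recovery


def _count_files(folder):
    return sum(len(files) for _, _, files in os.walk(folder))


def find_leftovers(root):
    """Return every xxx_PROCEED_### file or folder below root, sorted by path."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for kind, names in (("folder", dirnames), ("file", filenames)):
            for entry in names:
                match = LEFTOVER.match(entry)
                if not match:
                    continue
                path = os.path.join(dirpath, entry)
                original = os.path.join(dirpath, match.group("name"))
                exists = (os.path.isdir(original) if kind == "folder"
                          else os.path.isfile(original))
                pending = _count_files(path) if kind == "folder" else 0
                found.append(Leftover(path, kind, original, exists,
                                      pending, GUIDE_SECTIONS[kind]))
        # A leftover folder is reported as one unit; do not descend into it.
        dirnames[:] = [d for d in dirnames if not LEFTOVER.match(d)]
    return sorted(found, key=lambda item: item.path)


def make_constructed_tree(root):
    """Build a small constructed sample tree that contains three leftovers."""
    def touch(*parts):
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")

    touch("Reports", "q1.txt")
    touch("Reports_PROCEED_120", "q2.txt")
    touch("Reports_PROCEED_120", "archive", "q3.txt")
    touch("docs", "Report data")
    touch("docs", "Report data_PROCEED_124")
    touch("docs", "notes_PROCEED_draft")   # no numeric suffix: ignored
    touch("Old_PROCEED_7")                 # sibling "Old" is missing


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        make_constructed_tree(sample_root)
        for item in find_leftovers(sample_root):
            state = "present" if item.original_exists else "MISSING"
            print(f"{item.kind:6} {os.path.relpath(item.path, sample_root)}"
                  f" | original {state} | files pending: {item.pending_files}"
                  f" | see {item.sections}")
```

Until the recovery steps of the listed section are completed, treat each reported pair as possibly holding unprotected data.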

4.2. Protecting Disk Volumes and Removable Devices

The present section contains information on:

Specific Features of Encrypting Disk Volumes and Removable Devices (Item 4.2.1 on Page 31).


Specific Features of Using Hard Disk Management Utilities (Item 4.2.2 on Page 33).

Encrypting Disk Volumes and Removable Disks (Item 4.2.3 on Page 33).

Interrupting Encryption (Item 4.2.4 on Page 34).

Resuming Encryption (Item 4.2.5 on Page 35).

Rolling back to the Unencrypted State (Item 4.2.6 on Page 35).

Re-encrypting objects (Item 4.2.7 on Page 36).

Decrypting Objects (Item 4.2.8 on Page 37).

4.2.1. Specific Features of Encrypting Disk Volumes and Removable Devices

You can encrypt disk volumes (including the system and the boot volumes) and other Mass Storage devices.

Attention!

If you encrypt the system or the boot volume, you must authorize prior to loading the operating system to access the protected volume (for more details, see Item 5.1.3 on Page 47).

Moreover, if you encrypt the system volume of a hard disk using InfoWatch CryptoStorage, you protect the crash dump file as well as the RAM data which is saved to the system disk when the system hibernates. By encrypting the system volume, you prevent the leak of confidential data through the system information which is saved on the hard disk.

There are some limitations for encrypting disk volumes and removable disks:

You can encrypt hard disk volumes and removable storages only if the sector size of a device is 512 bytes (the standard sector size of the majority of devices of this kind).

Encrypting dynamic volumes is not supported.

You can encrypt only local disks. Encrypting network disks is not supported.

You cannot simultaneously encrypt/decrypt/re-encrypt several volumes of a hard disk. But you can simultaneously use volumes of different disks.

You can encrypt the hard disk volume where InfoWatch CryptoStorage is installed only if the volume is the system and/or the boot volume.


The encryption is allowed if the volume which you want to encrypt is write-enabled.

You can start encrypting a removable disk if the files on the removable disk are not used by any programs. You can use the files while the removable disk is being encrypted.

The System does not support the direct encryption of CD/DVD disks. At the same time, you can use CD/DVD disks to store protected containers (see Item 4.3 on Page 37).

Attention!

You can use a protected disk or a removable device only if InfoWatch CryptoStorage is installed on the computer and the Protected volumes subsystem is running (see Chapter 6 on Page 65). If the subsystem is disabled, the unprotected data on an encrypted disk or a removable disk cannot be accessed. The operating system displays this volume as an unformatted volume or a volume containing errors. If the system and/or the boot volume of a hard disk is encrypted, the configurator does not allow disabling the Protected volumes subsystem.

It is not advised to use InfoWatch CryptoStorage on computers where several operating systems are installed. In this case you can protect disk volumes which are used to load the installed operating systems only if each operating system has InfoWatch CryptoStorage installed and the Protected volumes subsystem running.

The System’s data on all encrypted volumes of a physical media (physical hard disk, Flash disk, etc) is stored in the root directory of the first volume of the physical media in the iwcs.bin file. If the volume containing iwcs.bin is formatted or if iwcs.bin is removed, replaced or corrupted, you can lose access to all protected volumes of the physical media. If the Protected volumes subsystem is running on the computer where InfoWatch CryptoStorage is installed (see Chapter 6 on Page 65), the System protects the iwcs.bin file from removal or modification. Therefore, it is not advised to disable the Protected volumes subsystem if some volumes are encrypted. If you need to format the volume containing iwcs.bin, you must decrypt all volumes of the physical media, format the volume and then encrypt the volumes again.


4.2.2. Specific Features of Using Hard Disk Management Utilities

Attention!

Some utilities allow you to change the size of disk volumes. Do not change sizes of hard disk volumes protected with InfoWatch CryptoStorage. It may lead to data loss.

If you need to change the size of a volume, you must first decrypt all protected volumes, reallocate free disk space and then encrypt the volumes again.

4.2.3. Encrypting Disk Volumes and Removable Disks

Attention!

Before encrypting, read about specific features of encrypting disk volumes and removable devices (see item 4.2.1 on Page 31).

Disk volumes and removable devices are encrypted in the background mode. Consequently, you can continue using the device while the encryption process is running.

If necessary, the encryption process can be interrupted (Item 4.2.4 on Page 34). You can resume the encryption later (see Item 4.2.5 on Page 35), or cancel it (See Item 4.2.6 on Page 35).

Note:

When a computer hibernates or goes into Standby mode, the encryption process is automatically interrupted. After the computer returns from Hibernation or Standby mode, you can resume the encryption or cancel it.

To encrypt a disk volume or a removable device:

1. Open My Computer.

2. Select an object (a volume of a hard disk or a removable disk) to encrypt.

3. Right-click the selected object and in the opened context menu select CryptoStorage ► Encrypt disk.

4. In the opened dialog window type the object owner’s parameters to access the protected object:


Login. Name of the protected object owner.

Password, Confirm Password. Owner’s password to access the protected object.

Note:

See password recommendations in Item 3.2 on Page 21.

When all necessary parameters are specified, click OK.

5. After that, the System displays a dialog window where you can change the description of the owner. This object owner data is displayed in the object access list (for more details, see Item 5.4.2 on Page 57) and cannot be edited later on. The owner’s name specified in Step 4 is used as the default description.

When the description is specified, click OK.

After that, the System starts encrypting the object. From this moment the volume (removable disk) is a protected object.

Attention!

If the system or the boot disk is encrypted, then you must be authorized prior to loading the operating system (for more details, see Item 5.1.3 on Page 47). Authorization is required every time you start or restart the computer and also when the computer returns from hibernation or Standby mode.

4.2.4. Interrupting Encryption

In some cases you may need to interrupt the encryption manually or the encryption is interrupted due to a fatal error (for example, when the computer’s power is unexpectedly turned off). You can resume the encryption later.

Attention!

A volume (a removable disk) is a protected object regardless of whether it is fully protected or partially. Consequently, if you interrupt the encryption, you can use the volume (or the removable device) only after attaching it (successful authorization). At the same time, if the encryption is not completed some data on the volume remains unencrypted.

To interrupt the encryption process:

1. Select an object which is being encrypted.

2. Complete one of the following steps:


In the dialog window displaying progress of the encryption, click Stop.

Right-click the selected object and from the opened context menu select CryptoStorage ► Owner functions ► Stop.

3. In the opened dialog window, type Login and Password of the protected object owner. Click OK.

The encryption process is interrupted. The protected disk (removable device) remains attached and you can continue using it.

4.2.5. Resuming Encryption

An object is safely protected only after the encryption process is completed. If you interrupt the encryption for some reason, some data remains unprotected. You can continue encrypting using a special function.

Encryption can be resumed only by the owner of the protected volume (or a removable device).

To resume the encryption:

1. Select an object which is partially encrypted.

2. If necessary, attach the protected object (Item 5.1.4 on Page 47).

3. Right-click the selected object and in the opened context menu select CryptoStorage ► Owner functions ► Resume disk processing.

4. In the opened dialog window, type Login and Password of the protected object owner. Click OK.

The encryption process resumes. The protected disk (removable device) remains attached and you can continue using it.

4.2.6. Rolling back to the Unencrypted State

If you interrupt the encryption, you can cancel it and roll the object back to the unprotected state.

Rolling back can be done by the owner of the protected volume (or removable device).

To cancel the encryption and roll back to the unprotected state:

1. Select an object which is partially encrypted.


2. If necessary, attach the protected object (Item 5.1.4 on Page 47).

3. In the opened dialog window, type Login and Password of the protected object owner. Click OK.

4. Right-click the selected object and from the opened context menu, select CryptoStorage ► Owner functions ► Roll back disk processing.

5. In the opened dialog window, type Login and Password of the protected object owner. Click OK.

After that, the roll back process starts. The protected disk (removable device) remains attached and you can continue using it.

4.2.7. Re-encrypting objects

An object can be re-encrypted by the object owner.

This operation is available only if the object (a disk volume or a removable device) is attached (for more information on how to attach a protected object, see Item 5.1.4 on Page 47).

Note:

You can re-encrypt only one volume of a physical disk. Several protected volumes are re-encrypted one-by-one.

To re-encrypt a disk volume or a removable device:

1. Select an object to re-encrypt.

2. Right-click the selected object and from the opened context menu, select CryptoStorage ► Owner functions ► Reencrypt disk.

3. In the opened dialog window, type Login and Password of the protected object owner. Click OK.

After that, the re-encryption process starts. While being re-encrypted, the volume (removable device) remains protected. It remains attached and you can continue using it.

If necessary, you can interrupt the re-encryption (Item 4.2.4 on Page 34). Re-encryption can be resumed later (Item 4.2.5 on Page 35). Moreover, you can cancel the re-encryption and roll the object back to the previous state.

It is advised to re-encrypt objects if the internal keying information is likely to be compromised. The standard situation when the internal keying information can be compromised is when you remove a user from an access list. The removed user was allowed to access the keying information and consequently he/she can use the data to access the object even after he/she is removed from the list. Re-encryption changes the internal keying information (the object is re-encrypted with a new key) and prevents access to the object using the compromised keying information.

4.2.8. Decrypting Objects

An object can be decrypted only by the object owner.

This operation is available only if the object (a disk volume or a removable device) is attached (for more information about how to attach a protected object, see Item 5.1.4 on Page 47).

Note:

You can decrypt only one volume of a physical disk. Several protected volumes are decrypted one-by-one.

To decrypt an object:

1. Select an object to decrypt.

2. Right-click the selected object and from the opened context menu, select CryptoStorage ► Owner functions ► Decrypt.

3. In the opened dialog window, type Login and Password of the protected object owner. Click OK.

If necessary, you can interrupt the decryption (Item 4.2.4 on Page 34). The decryption can be resumed later (Item 4.2.5 on Page 35).

Moreover, you can cancel the decryption and roll the object back to the previous state. Cancelling decryption works the same way as cancelling encryption (Item 4.2.6 on Page 35). After you cancel the decryption, the object remains encrypted.

4.3. Protected Containers

The present section contains information on:

Specific Features of Creating Containers (Item 4.3.1 on Page 38).

Creating a Container (Item 4.3.2 on Page 38).

Preparing a Container for Use (Item 4.3.3 on Page 40).

Protecting Containers from Deletion (Item 4.3.4 on Page 40).

Re-encrypting a Container (Item 4.3.5 on Page 40).


4.3.1. Specific Features of Creating Containers

There are some limitations for creating containers:

1. A device (a hard disk or a removable disk) where you create a protected container must be write-enabled. The user who creates the container must have privileges for creating files.

2. Creating protected containers on CD/DVD disks is not supported. At the same time, you can use CD/DVD disks to store the created protected containers. You can attach and use a protected container if InfoWatch CryptoStorage is installed on your computer and the Protected containers subsystem is running. If the subsystem is disabled, a protected container cannot be used.

You can attach a protected container to:

a volume;

an empty folder (only within the NTFS file system). Microsoft Windows Vista does not support this function.

To prepare a new protected container for use, you must attach and format it (for more details, see Item 4.3.3 on Page 40).

To prevent accidental or intentional deletion of the container, it is advised to additionally protect the container file from deletion (see Item 4.3.4 on Page 40).

4.3.2. Creating a Container

Attention!

Before starting, read about specific features of creating protected containers (Item 4.3.1 on Page 38).

You can create containers on a hard disk, removable storage or local network resources. Moreover, a protected container can be created inside another protected object (a volume, removable device, folder or protected container).

Note:

If a container is created inside any other protected object, you must attach this object prior to creating the container.


To create a container:

1. Open the folder (on a hard disk or removable device) where you want to create a protected container.

2. Right-click any place in the opened folder or on the desktop and from the opened context menu select CryptoStorage ► Create container.

3. After that, a dialog window will be displayed (Figure 4). Type the name of the created container and specify the container size (in Mb). If you create the container on an NTFS volume, you can create the container as a sparse file. Click OK.

Note:

If the container file is created as a sparse file, its size on disk (see file properties in the Microsoft Windows Explorer) increases as you fill the file with data. This kind of file saves disk space. The copies of a sparse file do not inherit this property and always have the specified maximum size. For more information about how to create a container with undefined size, which increases as you fill it with data, see Item 5.2.3 on Page 51.

Figure 4. Creating a protected container

4. In the opened dialog window, specify the parameters for the object owner to access the protected container:

Login. Name of the protected container’s owner.

Password, Confirm Password. The owner’s password to access the protected container.

5. After that, the System will display a dialog window where you can change the description of the owner. The owner’s name specified in Step 4 is used as the description by default. This description is displayed in the object access list (for more information, see Item 5.4.2 on Page 57). When the description is specified, click OK.

Note:

See password recommendations in Item 3.2 on Page 21.

When all necessary parameters are specified, click OK.

A protected container is created. A protected container is displayed as a standard file of unknown format.

4.3.3. Preparing a Container for Use

You can attach protected containers as volumes and if you use the NTFS file system, you can also attach the containers as folders.

To prepare a container for use, you must:

1. Attach the container as a volume or attach it to a folder (Item 5.2.2 on Page 49).

2. Format the volume or the folder to which the protected container is attached (Item 5.2.3 on Page 51).

Formatting is a one-time procedure, which is performed once after you have attached a container for the first time.

4.3.4. Protecting Containers from Deletion

A protected container is a standard file which can be deleted by any user. To prevent the unauthorized deletion of a protected container, you can move the container file into a protected folder or protected volume.

Attention!

This kind of protection requires the InfoWatch CryptoStorage system to be installed on your computer.

4.3.5. Re-encrypting a Container

An object can be re-encrypted only by the owner of the object.

Before re-encrypting, you must detach the protected container. For more information on how to detach protected containers, see Item 5.2.4 on Page 34.


To re-encrypt a protected container:

1. Select a protected container to re-encrypt.

2. Right-click the selected container and from the opened context menu select CryptoStorage ► Protected containers ► Owner functions ► Reencrypt container.

3. In the opened dialog window type the Login and Password of the protected container’s owner. Click OK.

After that, the re-encryption process will start. While being re-encrypted, the container cannot be attached.

If necessary, you can interrupt the re-encryption process (Item 4.3.6 on Page 41). Re-encryption can be resumed later (Item 4.3.7 on Page 42).

Moreover, you can cancel the re-encryption and roll the object back to the previous state.

It is advised to re-encrypt objects if the internal keying information is likely to be compromised. The standard situation when the internal keying information can be compromised is when you remove a user from an access list. The removed user was allowed to access the keying information and consequently he/she can use the data to access the object even after he/she is removed from the list. Re-encryption changes the internal keying information (the object is re-encrypted with a new key) and prevents access to the object using the compromised keying information.
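The reasoning above (and the same passage in Item 4.2.7) can be reproduced with a small model. This is an added example, not InfoWatch CryptoStorage code or its on-disk format: the class, the function names and the HMAC-based toy cipher are assumptions chosen so that the sketch runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets


def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    """HMAC-SHA256 keystream: a teaching stand-in for a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = _prf(key, b"stream", nonce + offset.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || tag || ciphertext."""
    nonce = secrets.token_bytes(16)
    body = _xor_stream(key, nonce, plaintext)
    return nonce + _prf(key, b"tag", nonce + body) + body


def unseal(key, blob):
    """Verify the tag, then decrypt; a wrong key raises PermissionError."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _prf(key, b"tag", nonce + body)):
        raise PermissionError("wrong key or corrupted data")
    return _xor_stream(key, nonce, body)


def _kek(password, salt):  # password-derived key that wraps the object key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class ProtectedObject:
    def __init__(self, owner, password, plaintext):
        self.owner = owner
        self.access_list = {}                 # login -> (salt, wrapped object key)
        object_key = secrets.token_bytes(32)  # the "internal keying information"
        self.data = seal(object_key, plaintext)
        self._wrap_for(owner, password, object_key)

    def _wrap_for(self, login, password, object_key):
        salt = secrets.token_bytes(16)
        self.access_list[login] = (salt, seal(_kek(password, salt), object_key))

    def unwrap_key(self, login, password):
        """Return the object key, as a client holds it after attaching."""
        if login not in self.access_list:
            raise PermissionError("login is not in the access list")
        salt, wrapped = self.access_list[login]
        return unseal(_kek(password, salt), wrapped)

    def read_with_key(self, object_key):
        return unseal(object_key, self.data)

    def attach(self, login, password):
        return self.read_with_key(self.unwrap_key(login, password))

    def add_user(self, owner_password, login, password):
        self._wrap_for(login, password, self.unwrap_key(self.owner, owner_password))

    def remove_user(self, owner_password, login):
        self.unwrap_key(self.owner, owner_password)  # authenticate the owner
        del self.access_list[login]                  # the object key is unchanged

    def reencrypt(self, owner_password):
        old_key = self.unwrap_key(self.owner, owner_password)
        new_key = secrets.token_bytes(32)
        self.data = seal(new_key, unseal(old_key, self.data))
        # Sketch simplification: only the owner's entry is rebuilt here.
        self.access_list = {}
        self._wrap_for(self.owner, owner_password, new_key)


def _try(action):
    try:
        return action()
    except PermissionError:
        return None


def demo():
    obj = ProtectedObject("alice", "owner-pass", b"payroll 2008")  # constructed sample
    obj.add_user("owner-pass", "bob", "bob-pass")
    retained = obj.unwrap_key("bob", "bob-pass")  # key bob saw while on the list
    obj.remove_user("owner-pass", "bob")
    result = {
        "login_after_removal": _try(lambda: obj.attach("bob", "bob-pass")),
        "old_key_after_removal": _try(lambda: obj.read_with_key(retained)),
    }
    obj.reencrypt("owner-pass")
    result["old_key_after_reencrypt"] = _try(lambda: obj.read_with_key(retained))
    result["owner_after_reencrypt"] = _try(lambda: obj.attach("alice", "owner-pass"))
    return result
```

Calling `demo()` shows that removing the access-list entry alone stops the login but not the retained key, and that only the re-encryption makes the retained key useless.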

Note:

If you re-encrypt a container the size of which is changing while you are filling it, then after re-encryption the size of the container changes to the defined maximum size. Canceling re-encryption or rolling back to the previous state does not reduce the size of the container.

4.3.6. Interrupting Re-encryption

In some cases you may need to interrupt the re-encryption of a container manually, or the re-encryption may be interrupted by an unexpected situation (for example, when the computer’s power is unexpectedly turned off). You can resume the re-encryption later.

The re-encryption can be interrupted only by the owner of the protected container.

To interrupt re-encrypting a protected container:

1. Complete one of the following steps:


In the dialog window displaying progress of the re-encryption, click Stop.

Select the protected container file which is being re-encrypted.

Right-click the selected file and from the opened context menu, select CryptoStorage ► Protected containers ► Owner functions ► Stop.

2. In the opened dialog window type Login and Password of the protected container owner. Click OK.

After that, the re-encryption process is stopped. While the protected container remains partially re-encrypted, you can only resume the re-encryption process (Item 4.3.7 on Page 42) or roll the container back to the previous state (Item 4.3.8 on Page 42).

4.3.7. Resuming Re-encryption

If the re-encryption of a container is interrupted, the protected container cannot be used: you must either complete the re-encryption or roll the container back to the previous state.

The re-encryption can be resumed only by the owner of the container.

To resume re-encrypting a protected container:

1. Select a container file which is partially re-encrypted.

2. Right-click the selected file and from the opened context menu select CryptoStorage. From the opened submenu select Protected containers ► Owner functions ► Continue.

3. In the opened dialog window, type Login and Password of the protected object owner. Click OK.

The re-encryption process is resumed. You cannot use the container while it is being re-encrypted.

4.3.8. Rolling back to a Previous State

If the re-encryption of a container is interrupted, the protected container cannot be used: you must either complete the re-encryption or roll the container back to the previous state.

Note:

A container can be rolled back to a previous state only by the container owner.


To roll a container back to the previous state:

1. Select a container file which is partially re-encrypted.

2. Right-click the selected file and from the opened context menu select CryptoStorage ► Protected containers ► Roll back.

3. In the opened dialog window, type Login and Password of the protected object owner. Click OK.

After that, the process of rolling back to the previous state starts. You cannot use the container while it is being rolled back.

4.4. Wiping Protected and Unprotected Objects

Files, folders and protected containers which you delete with the standard operations can be restored using special utilities. Consequently, the data stored in the deleted object can be accessed by unauthorized persons. This problem is solved by wiping.

Wiping is available both for protected and unprotected objects.

Attention!

When you encrypt files and folders, the source (opened) data is automatically wiped.

A protected file or folder can be wiped only after attaching.

A protected container can be wiped only after detaching.

To wipe a file, folder or protected container:

1. Select an object (a file, folder or protected container) to wipe.

2. Right-click the selected object and from the opened context menu select CryptoStorage ► Wipe.

3. In the opened confirmation window click Yes.


CHAPTER 5. USING PROTECTED OBJECTS

The present chapter contains information on:

Using Protected Files, Folders, Hard Disks and Removable Devices (Item 5.1 on Page 44).

Using Protected Containers (Item 5.2 on Page 48).

Viewing Information on a Protected Object (Item 5.3 on Page 54).

Managing Access to a Protected Object (Item 5.4 on Page 56).

Changing User Parameters for Accessing a Protected Object (Item 5.5 on Page 63).

5.1. Using Protected Files, Folders, Hard Disks and Removable Devices

The present section contains information on:

Rules for Using Protected Files and Folders (Item 5.1.1 on Page 45).

Rules for Using Protected Volumes of Hard Disk and Removable Devices (Item 5.1.2 on Page 46).

Starting up Using Protected System Disk and/or Boot Disk (Item 5.1.3 on Page 46).

Attaching Protected Files, Folders, Hard Disks and Removable Devices (Item 5.1.4 on Page 47).

Detaching Protected Files, Folders, Hard Disks and Removable Devices (Item 5.1.5 on Page 48).


5.1.1. Rules for Using Protected Files and Folders

While using the protected files and folders, you must consider the following rules:

You can use the protected files and folders within the Microsoft Windows local network. In this case the Protected file system subsystem must be disabled on a remote computer which stores the data (for more information about the subsystem, see Chapter 6 on Page 65) and the files and folders must be stored on an NTFS volume.

When you protect a folder, it means that its files and the files inside its subfolders will be protected too.

You can perform any operation on a protected file (folder) (reading, writing, renaming, archiving, removing, etc.) only when the file (folder) is attached.

If an object (a file or a folder) is attached, it is not protected and can be accessed by any user who uses the same computer locally under the account of the user who attached the object. The System prohibits network access to all protected objects.

Note:

It is advised to detach a protected object after you finish using it.

Copied and moved files and folders are protected only by the objects in which they are placed.

Note:

Copied and moved files and folders are not protected when they are placed into objects which are not protected by the System.

The System does not support the following operations on the protected objects: moving to the Recycle Bin, moving within one volume of files and folders which contain files.

Note:

If you move a folder which contains files within a volume, the source folder remains unchanged. An empty folder which has the same name as the source folder will be created in the target place. This folder is protected by the object which it is placed inside.

Some file managers, for example, Total Commander, can delete the source objects after copying if files or folders are moved within a volume. In this case you can move the objects, but the moved files and folders will be protected only by the objects which they are placed inside.

You can move unprotected folders containing protected files and subfolders within a volume to unprotected folders. In this case the protected objects do not have to be attached, and they keep their properties.

An unprotected folder containing protected files and subfolders can be moved to the Recycle Bin if all protected objects are attached.

Note:

In this case you can delete or restore a folder which is moved to the Recycle Bin. When restoring the folder, all protected objects of the folder will be attached. After you restart the computer or log off the system, you cannot delete the folder which is moved to the Recycle Bin but you can restore it. When restoring, all protected objects of the folder will be detached. Microsoft Windows Vista supports both deletion and restoration of a folder.

Total Commander does not support this kind of object relocation.

5.1.2. Rules for Using Protected Volumes of Hard Disk and Removable Devices

You can use the data (reading, writing, renaming, archiving, deleting, etc.) located on this kind of protected object only if the object is attached.

If the object is attached, it is not protected and is available to all users who use this computer. Therefore, it is advised to detach the object after using it.

If the Protected volumes subsystem is disabled on a computer (see Chapter 6 on Page 65), then while trying to access a protected Flash drive, you will be asked to format the Flash drive (providing that the Flash drive has already been formatted as a disk). If the Flash drive is formatted as a floppy disk, then the folder structure on this drive will be displayed with unreadable characters. In this case you can also format the Flash drive.

If you use an NTFS formatted Flash drive, the request for formatting the disk will not be displayed. You must manually select the formatting command from the context menu of the Flash drive.


5.1.3. Starting up Using Protected System Disk and/or Boot Disk

If a system and/or a boot disk is protected with InfoWatch CryptoStorage, you must attach the disk to load the operating system. To attach a protected disk, you must be authorized prior to loading the system.

To attach a protected system disk and/or boot disk, specify the following parameters:

Login. User name.

Password. User password.

Note:

If the system and the boot volumes are located on different volumes on your computer and both volumes are protected, you must attach each volume.

After that, the user is authorized. If the authorization is successful, the operating system installed on the protected disk starts up.

Note:

If you enter incorrect authorization data, you will be notified that you cannot be authorized. To repeat the authorization, you must restart the computer using the <CTRL+ALT+DEL> key combination.

5.1.4. Attaching Protected Files, Folders, Hard Disks and Removable Devices

You can use a protected object (reading, writing, renaming, copying, deleting, etc.) only if the object is attached.

To attach a file, folder, disk volume or removable storage:

1. Select a protected object to attach.

2. Right-click the selected object and from the opened context menu select CryptoStorage ► Attach.

3. In the opened dialog window specify the parameters to access the protected object:

Login. The name of the protected object user.


Password. The password of the protected object user.

Click OK.

5.1.5. Detaching Protected Files, Folders, Hard Disks and Removable Devices

When you detach a protected object, the object moves to a state in which it cannot be used until you attach it again.

Attention!

Before detaching an object, save all changes and complete using the object. These steps are needed because some applications can retain access to the data until all operations with the data are completed.

To detach a protected file or folder:

1. Select a protected object (a file or folder) to detach.

2. Right-click the selected object and from the opened context menu select CryptoStorage ► Protected file system ► Detach.

To detach a protected volume of a hard disk or a removable storage:

1. Select a protected object (a disk volume or a removable storage) to detach.

2. Right-click the selected file or folder and from the opened context menu select CryptoStorage ► Detach.

The System requires more time to detach several protected objects simultaneously. In some emergency situations, you may need to detach all protected objects simultaneously. For this purpose you must save the changes and restart the computer. After the computer restarts, all protected objects will be detached. You can detach all protected files and folders by logging off the system.

5.2. Using Protected Containers

The present section contains information on:

Rules for Using Protected Containers (Item 5.2.1 on Page 49).

Attaching a Container (Item 5.2.2 on Page 49).

Formatting a Container (Item 5.2.3 on Page 51).


Detaching a Container (Item 5.2.4 on Page 53).

5.2.1. Rules for Using Protected Containers

You can use a protected container only after the container is attached.

An attached container is not protected and is available to all users who work at this computer. Therefore, you must detach a protected object after you complete using it.

While using a protected container, remember that all files and folders which are located inside the container are encrypted and they are protected objects too. However, if you move the objects outside the container, the objects become unprotected.

You must not rename the folder to which a container is attached. To rename the folder, you must first detach the container.

If the computer is turned off due to any fatal error and the protected container remained attached to the folder, the folder can be corrupted. You must delete the folder. The container and the data inside the container are not damaged and you can attach the container as a volume or attach it to another folder.

5.2.2. Attaching a Container

You can use a protected container only after attaching it.

To attach a protected container:

1. Select a protected container.

2. Right-click the selected container and from the opened context menu select CryptoStorage ► Protected containers ► Attach container.

3. In the opened dialog window type the data to access the protected container:

Login. Name of the protected container user.

Password. Password of the protected container user.

Click OK.

The Container parameters dialog window is displayed (Figure 5).


Figure 5. Specifying parameters of a protected container

4. In the opened dialog window specify the parameters to attach the container:

Mount point. Select a mount point for the protected container. A mount point can be a logical disk (you can specify any free drive letter) or an empty NTFS folder.

Note:

If you use Microsoft Windows Vista, you can mount a protected container only as a volume.

Mount mode. Specify the parameters for attaching the container:

o Mount in read-only mode. If the check-box is selected, all contents of the protected container are available only for reading. Adding or deleting data is not permitted.

Note:

Select this check-box if the protected container will be simultaneously attached to several computers.

The check-box is selected automatically, and cannot be cleared, if another user attached the container file as Read-only or the container file has the Read-only attribute.

Microsoft Windows 2000 does not support the Read-only mode for the NTFS-formatted protected containers.

o Mount as a fixed disk. By default, a protected container can be mounted as a removable disk (it is displayed in the list of removable devices in My Computer). However, if you select the check-box, the protected container is mounted as a fixed disk (it is displayed in the list of fixed disks in My Computer).

Note:

In Microsoft Windows Vista a protected container can be attached only as a removable disk.

5. When the parameters are specified, click OK.

5.2.3. Formatting a Container

Attention!

While formatting a disk or a folder to which a protected container is attached, all data inside the container is deleted.

A user of a protected container can format the container which is attached as a disk or a folder. A container is formatted using InfoWatch CryptoStorage or the standard tools of Microsoft Windows. When specifying parameters for formatting a disk, consider the following:

If the disk is formatted using the operating system, the NTFS file system can be selected only for fixed disks. Therefore, when defining attachment parameters (for any type of the mount point), select the Mount as fixed disk check-box.

Note:

If you use Microsoft Windows Vista, you can attach a protected container only as a removable device, but when formatting a container using tools of the operating system, you can select the NTFS file system.

Microsoft Windows 2000 does not support formatting of a container which is attached as a fixed disk.

If you do a full format of a disk, the file of a protected container will have the size specified while creating the container.

If you do a quick format of a disk and select the FAT file system, the size of a protected container is minimized and it increases while you fill the container with data. This feature saves free disk space.

If you do a quick format of a disk and select the NTFS file system, then the container must be created as a sparse file to minimize the required disk space (see Item 4.3.2 on Page 38). Otherwise, even while doing the quick format, the container file will have the maximum size which you specify when creating the container.

Note:

Regardless of the format type, the size of a protected container which is mounted as a virtual disk is always equal to the size specified while creating the container. But the size of the container file changes.

Attention!

When using a container whose file size increases while you fill it with data, the volume containing the protected container may run out of free space. In this case you will be asked to save data in another place.

If the volume where you want to save the data is not protected, the data will not be protected either. If you place the data in a protected area (on another protected volume or removable device), the data is protected as an object placed within a protected area. At the same time, all properties (including the access list) of the protected area where you place the data are inherited.

To format a protected container using InfoWatch CryptoStorage:

1. Select a disk or a folder to which the container is attached.

2. Right-click the selected file or folder and from the opened context menu select Owner functions ► Format container.

3. In the opened dialog window insert the data to access the protected container:

Login. Name of the protected container owner.

Password. Password of the protected container owner.

Click OK.

4. The Format protected container dialog window is displayed (Figure 6).


Figure 6. Specifying parameters to format a container

5. In the opened dialog window, specify the following parameters:

File system. The type of a file system which will be created on the disk or in the folder.

Label. Disk label (optional parameter).

The full formatting is done by default. To do quick format of a disk or a folder, select the Perform quick format check-box.

6. Click OK.

Note:

Microsoft Windows Vista does not support the formatting of a protected container using InfoWatch CryptoStorage.

5.2.4. Detaching a Container

Before detaching a container, you must complete all operations on objects of the folder (files, folders, protected sub-containers).

If you attached volumes to the folders of the container, then before detaching the container, you must detach the volumes which are attached to the folders of the container. Otherwise, after detaching the container you cannot access the volumes through the given mount points.

To detach a protected container:

1. Select an object (a disk or a folder) to which the protected container or the file of the protected container is attached.


2. Right-click the selected container (disk/folder) and from the opened context menu select CryptoStorage ► Protected containers ► Detach container.

The System requires more time to detach several protected objects simultaneously. In some emergency situations, you may need to detach all protected objects simultaneously. For this purpose you must save the changes and restart the computer. After the computer restarts, all protected objects will be detached.

5.3. Viewing Information on a Protected Object

The option is available only to the owner of a protected object.

To view properties of a protected object:

1. Select a protected object, the properties of which you want to view. When using an attached protected container, you can select a disk or a folder to which the container is attached.

2. Right-click the selected object and from the opened context menu select CryptoStorage. After that, complete one of the following steps:

If you selected a file or a folder, then from the opened submenu select Protected file system ► Owner functions ► View object info.

If you selected a disk volume or a removable device, then from the opened submenu select Owner functions ► View disk info.

If you selected a protected container, then from the opened submenu select Protected container ► Owner functions ► View container info.

3. In the opened dialog window, type Login and Password of the protected object owner. Click OK.

A dialog window containing the properties of the selected object is displayed (Figure 7 shows an example of the window for a protected container).


Figure 7. Viewing properties of a protected object

Table 4 lists attributes of protected objects.

Table 4. Attributes of protected objects

| Attribute of protected object | Comments | Type of protected object |
|---|---|---|
| Name | Object’s full name | Any |
| Object ID | Object’s identification code | Any |
| Algorithm | Type of encryption | Any |
| Type | Type of protected object | Any |
| State | Object’s protection status | Any |
| Last mount mode | Attachment parameters | Protected container |
| Attachment flags | | |
| Last mount point | The last folder or disk to which the container was attached | Protected container |
| Flags | Disk’s parameters | Protected volume |
| Root object | Full name of an object which is the root object of the given object (for the top level objects, the object’s name is displayed) | Protected file or folder |

5.4. Managing Access to a Protected Object

InfoWatch CryptoStorage supports multi-user access to objects. A protected object can be attached only by its owner and the users included by the owner into its access list.

When a protected volume, protected removable drive or protected container is attached, the users who are not included in the object access list can access the contents of the object using tools of the operating system. The access to the contents of a protected folder or protected file is always limited by the object owner regardless of the access settings of the operating system.

That is why the access lists of nested protected objects can be independent. The exception is the access lists of a protected folder and its subfolders and files.

Each protected object has its own access list. When a protected object is created, its access list contains only the object owner’s data (the name of the object owner is marked with the letter (O)).

An owner of a protected object can edit an access list by adding or removing users.

For information on how to use an access list, see:

The Structure of Access Lists (Item 5.4.1 on Page 57).

Viewing Access List (Item 5.4.2 on Page 57).

Managing Access to Protected Folders (Item 5.4.3 on Page 59).

Managing Access to Protected Files, Containers, Disk Volumes and Removable Devices (Item 5.4.4 on Page 62).

5.4.1. The Structure of Access Lists

The protected files, containers and disk volumes (or removable media) have only one access list. A user, who is included in the access list of these protected objects, gains access to all of this object’s data, with the exception of its protected sub-objects which have independent access lists.

Each subfolder in a protected folder has its own access list. The structure of the access lists of protected objects is arranged in such a manner that the users who have access to a subfolder also have access to its parent folder. At the same time, two subfolders, located inside the same folder, can have different access lists. As a result, the protected root folder has the most complete list of access: it includes any user who has access to at least one folder inside the root folder. The access list of files which are located inside a protected folder is identical to the access list of the folder which contains these files.

In such a manner, the files and folders inside a protected folder are protected objects which depend on the protected root folder. With this feature, you can create a hierarchic structure of access in a protected folder and give access to its subfolders and files to other users when attaching the protected root folder.

The advantage of the hierarchic structure of access, which is based on a protected folder, over the structure which is based on protected objects containing protected sub-objects consists in the following:

The access to a subfolder, which is inside a protected folder, does not require that this subfolder and all folders of higher levels are attached.

The speed of access to a subfolder does not depend on its nesting depth, whereas opening and using a protected object implies additional time and resources.

When copying a folder to a protected folder, the copied folder and its subfolders get an access list which is identical to the access list of the folder which they are copied to. All copied files also get the same access list.

5.4.2. Viewing Access List

To open a list of access to a protected object:

1. Select a protected object.

Note:

A protected file or folder must be attached by the object owner prior to viewing their access list.

2. Right-click the selected object and from the opened context menu select CryptoStorage. After that, complete one of the following steps:

If you selected a file or a folder, then from the opened submenu select Protected file system ► Owner functions ► Manage file object users.

If you selected a disk volume or a removable device, then from the opened submenu select Owner functions ► Manage disk users.

If you selected a protected container, then from the opened submenu select Protected container ► Owner functions ► Manage container users.

3. In the opened dialog window, type Login and Password of the protected object owner. Click OK.

As a result, a dialog window containing information on users who have access to the protected object will be displayed.

Figure 8. The list of users who can access the protected object

The object owner is initially included in the access list. The access list can be edited by adding or removing users.

5.4.3. Managing Access to Protected Folders

When arranging access to protected folders, you must consider the following information:

A protected file or folder must be attached by its owner prior to managing its access list.

A protected folder, which is created inside another protected folder, inherits all properties of the parent folder. After creating a protected subfolder, you can edit its access list inherited from the parent folder.

If you add a user to the access list of a protected subfolder, the user is automatically added to the access list of the parent folder.

Managing an access list is covered in the sections:

Adding a New User (Item 5.4.3.1 on Page 59).

Adding an Existing User (Item 5.4.3.2 on Page 60).

Resuming Adding a User (Item 5.4.3.3 on Page 61).

Removing a User from Access List (Item 5.4.3.4 on Page 61).

Resuming the Removal of a User (Item 5.4.3.5 on Page 62).

5.4.3.1. Adding a New User

To add a new user to the access list of a subfolder inside a protected folder:

1. Open the list of access to a subfolder of a protected folder (Item 5.4.2 on Page 57).

2. In the dialog window of the access list click Add.

3. A dialog window containing a list of users who can access the protected root folder is displayed (Figure 9).

Figure 9. Selecting a user to add to the access list

4. In the dialog window select the New User line and click OK.

5. The system displays a dialog window where you must specify object access parameters. Specify the following parameters:

Login. The name of the protected object user.

Password, Confirm Password. The user’s password for accessing the protected object.

Note:

See password recommendations in Item 3.2 on Page 21.

When all necessary parameters are specified, click OK.

6. A dialog window for editing the description of the new user is displayed. The user’s name specified in Step 5 is used as description by default. This description is displayed in the access list of the selected subfolder (for more information, see Item 5.4.2 on Page 57) and it cannot be edited any more. When the description is specified, click OK.

As a result, the new user is added to the access lists of the selected subfolder and its subfolders, as well as to the access lists of all folders on the path from the root folder to the specified folder. The new user is also added to the access lists of the files in the abovementioned folders.

5.4.3.2. Adding an Existing User

To give a user access to the specified subfolder of a protected folder:

1. Open the list of access to a subfolder of a protected folder (Item 5.4.2 on Page 57).

2. In the dialog window of the access list click Add.

3. After that, a dialog window containing a list of all users who can access the protected root folder is displayed (Figure 9).

4. In the dialog window select the name of a user who must be added to the access list of the subfolder. Click OK.

As a result, the selected user is added to the access lists of the selected subfolder and its subfolders, and also to the access lists of all folders on the path from the root folder to the specified folder. The selected user is also added to the access lists of the files in the abovementioned folders.

5.4.3.3. Resuming Adding a User

While a user is being added to the access lists of a folder, you may need to interrupt the process manually, or the process may be interrupted by an unexpected situation (for example, when the computer’s power is unexpectedly turned off).

In this case the user is added only to some subfolders of a protected folder. Consequently, the user is already added to the access list of the root folder, regardless of whether the user is a new user or the existing one.

To finish adding the user to the necessary subfolders of a protected folder, add the existing user to the access list of the specified folder (Item 5.4.3.2 on Page 60). If the user already exists in the access list of the folder, it does not mean that the user is included in the access lists of its subfolders.

5.4.3.4. Removing a User from Access List

Attention!

If you remove a user from the access list of a parent folder, the user automatically loses access to all subfolders.

To remove a user from the access list of a subfolder of a protected folder:

1. Open the list of access to the given protected subfolder (Item 5.4.2 on Page 57).

2. In the access list of the protected object, select the name of the user who must be removed from the list.

3. Click Remove.

It is advised to re-encrypt the object after removing a user from the access list.

5.4.3.5. Resuming the Removal of a User

While a user is being removed from the access lists in a protected folder, you may need to interrupt the process manually, or the process may be interrupted by an unexpected situation (for example, when the computer’s power is unexpectedly turned off).

In this case the user is removed from some folders inside the protected folder.

To complete removing the user from the selected folder, repeat the procedure of user removal from the folder access list (Item 5.4.3.4 on Page 61), if the user still exists in the folder access list (for more information on how to view the access list of a protected folder, see Item 5.4.2 on Page 57).
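The propagation rules from Items 5.4.1 and 5.4.3 can be modelled in a few lines. The sketch below is an added example, not InfoWatch code: it keeps one access list per folder, applies a grant to the path from the root and to the whole subtree, applies a removal to the subtree only, and shows how an interrupted operation is detected and resumed. The processing order (root first for grants, deepest folders first for removals) is an assumption chosen to match the resume behaviour described above; the folder names, user names and all function names are constructed.

```python
"""Toy model of the access-list rules for protected folders (not InfoWatch code)."""


class ProtectedFolder:
    """One folder inside a protected root folder, with its own access list."""

    def __init__(self, name, parent=None, owner=None):
        self.name = name
        self.parent = parent
        self.children = []
        if parent is None:
            self.acl = {owner}          # a new protected object lists only its owner
        else:
            self.acl = set(parent.acl)  # a new subfolder inherits the parent's list
            parent.children.append(self)

    @property
    def path(self):
        return self.name if self.parent is None else f"{self.parent.path}/{self.name}"

    def top_down(self):
        """This folder first, then every descendant."""
        yield self
        for child in self.children:
            yield from child.top_down()

    def bottom_up(self):
        """Every descendant first, this folder last."""
        for child in self.children:
            yield from child.bottom_up()
        yield self

    def path_from_root(self):
        """Folders from the root down to (not including) this folder."""
        chain, node = [], self.parent
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]


def _apply(targets, change, interrupt_after):
    """Run change() on each folder; stop early to simulate a power loss."""
    for done, node in enumerate(targets):
        if interrupt_after is not None and done >= interrupt_after:
            return False                # interrupted: some lists not updated
        change(node)
    return True


def add_user(folder, user, interrupt_after=None):
    """Grant access to the path from the root, the folder and its whole subtree.
    Assumed order: root first, so a partial grant never breaks the hierarchy."""
    targets = folder.path_from_root() + list(folder.top_down())
    return _apply(targets, lambda n: n.acl.add(user), interrupt_after)


def remove_user(folder, user, interrupt_after=None):
    """Revoke access from the folder and its subtree; ancestors are untouched.
    Assumed order: deepest folders first, so the folder itself is updated last."""
    return _apply(list(folder.bottom_up()), lambda n: n.acl.discard(user), interrupt_after)


def invariant_violations(root):
    """(path, user) pairs where a user can open a subfolder but not its parent."""
    return [(n.path, u) for n in root.top_down() if n.parent is not None
            for u in sorted(n.acl - n.parent.acl)]


def pending_grants(folder, user):
    """Folders in the subtree that an interrupted add has not reached."""
    return [n.path for n in folder.top_down() if user not in n.acl]


def build_sample_tree():
    """Constructed sample: root/{a/{a1,a2}, b}, owned by 'owner'."""
    root = ProtectedFolder("root", owner="owner")
    a = ProtectedFolder("a", root)
    a1, a2 = ProtectedFolder("a1", a), ProtectedFolder("a2", a)
    b = ProtectedFolder("b", root)
    return root, a, a1, a2, b


if __name__ == "__main__":
    root, a, a1, a2, b = build_sample_tree()
    add_user(a, "alice")                        # complete grant
    add_user(a, "bob", interrupt_after=2)       # power loss after root and a
    print("bob still missing from:", pending_grants(a, "bob"))
    add_user(a, "bob")                          # resume: add the existing user again
    remove_user(a, "alice", interrupt_after=1)  # power loss after a1
    print("alice still listed on a:", "alice" in a.acl)
    remove_user(a, "alice")                     # resume: repeat the removal
    for node in root.top_down():
        print(f"{node.path:12} {sorted(node.acl)}")
    print("violations:", invariant_violations(root))
```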

5.4.4. Managing Access to Protected Files, Containers, Disk Volumes and Removable Devices

A protected container (disk volume, removable device) may contain files (folders, other containers) which have already been protected.

When providing access to these kinds of objects, remember that an internal protected object can be accessed according to the access list which is assigned to this particular object.

When independent access to internal protected objects is needed, you must add users to the access lists of the protected container or disk volume or removable device where the protected objects are located.

Files and folders located on a protected volume or a removable device are accessed according to the access list defined for the disk (or removable media).

For more information on how to use an access list, see:

Adding a User to Access List (Item 5.4.4.1 on Page 63).

Removing a User from Access List (Item 5.4.4.2 on Page 63).

5.4.4.1. Adding a User to Access List

To add a user to an access list:

1. Open the access list of a protected object (Item 5.4.2 on Page 57).

2. In the dialog window of the access list click Add.

3. The dialog window where you must specify parameters for accessing the object is displayed. Specify the following parameters:

Login. The name of the protected object user.

Password, Confirm Password. The user’s password for accessing the protected object.

Note:

See password recommendations in Item 3.2 on Page 21.

When all necessary parameters are specified, click OK.

As a result, a new user is added to the access list of the protected object.

5.4.4.2. Removing a User from Access List

To remove a user from the access list:

1. Open the access list of a protected object (Item 5.4.2 on Page 57).

2. In the access list of the protected object select the name of the user who must be removed from the list.

3. Click Remove.

It is advised to re-encrypt the object after removing a user from the access list.

5.5. Changing User Parameters for Accessing a Protected Object

The access parameters are the user’s name and password. The user description cannot be changed.

Attention!

Before changing the access parameters of a file or folder, you must attach them (for more information on how to attach an object, see Item 5.1.4 on Page 47).

Disks may be in any state and a container must not be in the state of re-encryption.

To change the parameters of access to a protected object:

1. Select an object to change its access parameters.

2. Right-click the selected object and from the opened context menu select CryptoStorage. After that, complete one of the following steps:

If you selected a file or a folder, then from the opened submenu select Protected file system ► Change user key.

If you selected a volume of a hard disk or a removable device, then from the opened submenu select Change user key.

If you selected a protected container, then from the opened submenu select Protected containers ► Change user key for container.

3. In the opened dialog window, type the current authorization parameters to access the protected object:

Login. The name of the protected object’s user.

Password. The password of the protected object’s user.

Click OK.

4. The dialog window where you must type the new authorization parameters is displayed. Fill the Name, New Password and Confirm Password fields. Click OK.

Note:

See password recommendations in Item 3.2 on Page 21.

As a result, the parameters for accessing the protected object are changed but the user description remains the same. The new access parameters will be valid the next time you attach the object.

CHAPTER 6. CONFIGURING SUBSYSTEMS

InfoWatch CryptoStorage consists of three subsystems which protect objects of specific types. The purposes of the subsystems are described in Table 5.

Table 5. InfoWatch CryptoStorage subsystems.

| Subsystem | Purpose |
|---|---|
| Protected volumes | Protects volumes of a hard disk and removable devices |
| Protected containers | Creates protected containers, provides use of the protected containers. |
| Protected file system | Encrypts files and folders, provides use of the protected files and folders. |

CryptoStorage Configurator is intended to configure the subsystems included in InfoWatch CryptoStorage.

To open the window of CryptoStorage Configurator, from the Start menu, select Programs ► InfoWatch CryptoStorage ► CryptoStorage Configuration.

The window containing data on the InfoWatch CryptoStorage subsystems which are installed on your computer is displayed (Figure 10).

Figure 10. Configuring InfoWatch CryptoStorage subsystems

To the right of the subsystem’s name there is the Autorun field. If the check-box in the field is selected, the autorun of the subsystem is enabled.

After InfoWatch CryptoStorage is installed, the autorun option is enabled for all subsystems. However, you can change the autorun parameters of each subsystem:

to disable autorun, clear the Autorun check-box;

to enable autorun, select the Autorun check-box.

Note:

The autorun settings come into effect after you restart the computer.

When disabling the autorun option of the subsystems, you must consider the operating specifics of the InfoWatch CryptoStorage subsystems. Table 6 describes the consequences which arise from disabling the subsystems.

Table 6. The impact on object protection if the subsystems are disabled

| Subsystem | The result of disabling the subsystem |
|---|---|
| Protected volumes | The operating system identifies protected disks as unformatted devices. The contents are encrypted. The functions of the System for using disk volumes and removable devices are not available. Note: You cannot disable the subsystem if the system and/or the boot disks are protected. |
| Protected containers | The contents of protected containers cannot be used. The contents are encrypted. The functions of the System for using the protected containers are not available. |
| Protected file system | The files, folders and protected containers can be deleted from the computer by any user. The contents of files are encrypted; you can view only the structure of subfolders. The functions of the System for using protected files and folders are not available. |

CHAPTER 7. DISK RECOVERY UTILITY

Attention!

You must have administrator rights to the computer to use the Disk recovery utility.

InfoWatch CryptoStorage contains a utility which cleans the disk space used by protected volumes when the access to the volumes cannot be recovered.

You may need to delete a protected volume without decrypting it, when:

You have lost the access keys to the protected volume and consequently cannot attach or decrypt it.

The protected volume is formatted without using InfoWatch CryptoStorage and its data is lost but the record made by the System that the volume exists on the disk still remains.

The size of a protected volume is changed (see Item 4.2.2 on Page 33). As a consequence, the size allocated by the System does not correspond to the real size of the protected volume.

You cannot access the abovementioned protected volumes, if the Protected volumes (see Chapter 6 on Page 65) subsystem is running on a computer where InfoWatch CryptoStorage is installed. Moreover, the space allocated for the volumes on a disk cannot be used. With the utility, you can make this space available for use including for use by InfoWatch CryptoStorage.

To make available the disk space used by a protected volume, you must run the utility: from the Start menu, select Programs ► InfoWatch CryptoStorage ► Disk recovery utility.

In the opened window, select a protected volume to delete the System’s information about it from the disk, then right-click it and select Delete information about encrypted area.

Attention!

You must detach the protected volumes of a physical disk which will be deleted using the utility, prior to deleting them. You must also complete all operations on encrypting, re-encrypting and decrypting volumes of the physical disk prior to using the utility.

Be attentive when selecting a protected volume. After the System’s information about the protected area is deleted, the volume cannot be accessed.

CHAPTER 8. UNINSTALLING INFOWATCH CRYPTOSTORAGE

The present section contains information on:

Preparing the Protected Objects for Uninstallation of the System (Item 8.1 on Page 70).

Uninstalling the System (Item 8.2 on Page 71).

8.1. Preparing the Protected Objects for Uninstallation of the System

If InfoWatch CryptoStorage is uninstalled it means that all subsystems are disabled for all protected objects (see Chapter 6 on Page 65):

The protected files and folders can be deleted from the computer by any user. The contents of files are encrypted; you can view only the structure of subfolders.

The containers remain protected, but you cannot use them because the containers cannot be attached.

The disk volumes and removable devices remain protected. However, you cannot access the data stored on the devices because they cannot be attached.

Attention!

The operating system displays these objects as unformatted, and when you try to access a protected object, you are prompted to format it. Once the object is formatted, all data is deleted. Therefore, if the object contains important data, you must cancel the formatting.

The System must not be removed if the system and/or the boot volume of hard disk is protected. If you uninstall the System, the operating system cannot be loaded and consequently the data stored on the disk cannot be accessed.

Before uninstalling the System, complete the preliminary steps:

Decrypt files, folders, the system and/or the boot volumes, non-system volumes and removable disks.

Attach the protected containers and move the contents of the containers to unprotected hard disks and removable media.

8.2. Uninstalling the System

Attention!

You must have administrator rights to the computer to uninstall InfoWatch CryptoStorage.

InfoWatch CryptoStorage is uninstalled using Microsoft Windows standard tools.

To uninstall InfoWatch CryptoStorage:

1. Open the Add or Remove programs tool. To do this, from the Start menu select Settings ► Control Panel. In the control panel, double-click the Add or Remove Programs icon.

2. In the Add or Remove Programs window, select InfoWatch CryptoStorage and click Remove.

You must restart the computer to finish uninstalling the System.

APPENDIX A END-USER LICENSE AGREEMENT

ZAO “InfoWatch”

Phone/fax: +7(495)229-00-22

Sales department: [email protected]

Technical support service: [email protected]

Web site: www.infowatch.com

This End-User License Agreement (hereafter referred to as the “Agreement”) is the legal agreement between you, either an individual or a single entity (hereafter referred to as the “User”) who legally owns a copy of InfoWatch CryptoStorage Personal (hereafter referred to as the “Software”) and ZAO “InfoWatch” (hereafter referred to as the “Copyright holder”).

The Software (the source code, the object code, and all other elements) and “InfoWatch CryptoStorage. User Guide” (whether print or electronic) are the intellectual property of and are owned by the Copyright holder.

If you have purchased the Software via the Internet, by selecting the “I accept” check-box in the process of installation and by clicking the “Next” button, you agree to be bound by the terms and conditions stated in this Agreement. If you do not wish to agree with the terms and conditions of this Agreement, do not install the Software.

If you have purchased the Software in hardcopy format, by unsealing the CD-ROM sleeve (or breaking the sticker) you agree to be bound by the terms and conditions stated in this Agreement. If you do not agree with the terms of this Agreement, the Software may be returned for a full refund within 14 days after purchase from InfoWatch, its authorized distributor or reseller.

From the moment the CD-ROM sleeve is unsealed or the sticker is broken (if you have purchased the Software in hardcopy format), or from the moment the “I accept” check-box is selected (if you have purchased the Software via the Internet), you obtain an ordinary (nonexclusive) license for the Software use limited within the rights to install, copy and run the Software in compliance with the conditions outlined in this Agreement.

You may use the Software according to the conditions of this License Agreement:

1. The Software is intended for cryptographic protection of confidential data stored on a personal computer. The Software protects against unauthorized access to data and provides data protection in case the media which stores the data is lost.

2. The Software provides:

the protection of disk volumes including the boot and the system volumes, and USB Mass Storage Devices;

the protection of files and folders within the NTFS file system;

the implementation of protected virtual disks through the special container files;

the protection of crash-dump files and OS swap files (while protecting the system volume);

the transparent processing of protected data;

multi-user access to confidential data;

password-based authorization;

hierarchical access to folders and files inside a protected folder;

the protection of traffic when using remote protected files and container files;

support of the Hibernate and Stand by modes when using protected data;

the encryption and decryption of disk volumes and USB Mass Storage Devices in the background mode;

the wiping of files;

protection against the unauthorized deletion of protected files and folders including the protection from renaming the files and folders.

3. The Software is licensed as a single product. The period of the Software use is specified in the license key file (a unique electronic file, intended to enable full functionality of the Software) and is displayed in the CryptoStorage configuration interface in the Licenses window.

4. If you use the commercial version of the Software, you are entitled to receive the following from the Copyright holder and its Partners(1) during the period specified in the license key file and from the moment of the Software purchase:

new versions of the Software including updates;

technical support (via Copyright holder’s web-sites);

a duplicate of the license key file;

The functionality available to the User is not limited after expiration of the period specified in the license key file (the period is displayed in the CryptoStorage configuration interface in the Licenses window).

5. If you use the trial versions of the Software, you are entitled to receive from the Copyright holder technical support (via Copyright holder’s web-site) during the period specified in the license key file and from the moment of the Software receipt.

The functionality available to the User is limited automatically after the expiration of the period specified in the license key file (the period is displayed in the CryptoStorage configuration interface in the Licenses window). After the validity period has expired the Software allows you to:

attach the existing cryptographic objects created using the Software;

decrypt the existing cryptographic objects created using the Software.

6. The services described in Item 4 of the present Agreement are valid, provided that the User installs the latest update for the latest version of the Software(1).

7. The Copyright holder does not guarantee the User full functionality of the Software installed on workstations, provided that the User does not update the Software as stated in Item 4.

8. You may create a copy of the Software provided that the copy is intended only for archival purposes or to replace a legally purchased version of the Software when the original is lost, destroyed or unusable. The copy mentioned in the given Item may not be used for any other purposes and must be deleted if the ownership of the Software copy ceases to be legal.

9. You may sell (transfer under other conditions) a Software copy to another person who agrees to the terms of this Agreement. At that time you cease to be a legal owner of the Software copy and must delete all remaining copies of the Software including any archival copies.

10. If you use the trial version of the Software you must not sell (transfer under other conditions) the Software copy to any other persons specified in Item 9 of the given Agreement.

11. Reverse engineering and/or modifying the Software is prohibited.

12. Renting, leasing or lending is prohibited.

13. Splitting the software into components in order to use them on different computers is prohibited.

14. Use of the Software in order to create data or code intended for use by other software products is prohibited.

15. The Copyright holder guarantees that the Software will operate in accordance with the conditions stated in the User Guide, the technical and the project documentation.

16. The Copyright holder does not guarantee that the Software will operate if the conditions stated in the User Guide are violated or if the User violates the terms of the given Agreement.

17. The Copyright holder and/or its Partners shall not incur liability in respect of any damage arising from, or in any way related to, the use or inability to use the Software.

GLOSSARY

InfoWatch CryptoStorage

A system which is intended to protect confidential information stored on a user’s computer and on local network resources against unauthorized access using cryptographic means.

Confidential data

Data with restricted access. Confidential data can be accessed by the users who are included in the access list of the data.

Multi-user access

Use of data stored in a protected object by the users who are included in the access list of this object.

Owner of a protected object

A user who created a protected object and has the right to administer it.

Password

A combination of characters which is used to access the contents of a protected object. A user must keep the password secret.

Protected container

A file of a specific format which is displayed by the System as a virtual volume (in the FAT, FAT32, NTFS file systems) or as a folder (in the NTFS file system). Data is located in the file.

Protected object

Protected objects are any objects which are intended for storing data and which are encrypted with InfoWatch CryptoStorage.

A protected object is a specific object (a container file) or a data storage object (a volume, folder, file, etc.) which contains encrypted confidential data and an access list for it.

Protection of information

Preventive measures to limit access of users (user groups) to information.

Transparent encryption

A mechanism which encrypts information while protecting it. The data is stored encrypted inside a protected object. Protected data is processed as follows: data is automatically decrypted in RAM when requested, and uploaded data is encrypted.

User of a protected object

Any user added by the object owner to the object access list. The user’s rights for using a protected object are limited.

Wiping of an object

A function for files and folders which deletes the name of an object from the file system and also wipes the contents of the deleted object.

INDEX

C

Changing user parameters for accessing a protected object
Configuring subsystems

D

Disk recovery utility

I

InfoWatch CryptoStorage
  components

M

Managing access to a protected object
  managing access to protected folders
    adding a new user
    adding an existing user
    removing a user from access list
    resuming adding a user
    resuming the removal of a user from access list
  structure of access lists
  viewing access list
Managing access to protected files, containers, disk volumes and removable devices

O

Owner of a protected object

P

Protected container
Protected containers
  creating
  interrupting re-encryption
  preparing for use
  protecting from deletion
  re-encrypting
  resuming re-encryption
  rolling back to a previous state
  specific features of creating
Protected objects
Protecting disk volumes and removable devices
  decrypting
  encrypting
  interrupting encryption
  re-encrypting
  resuming encryption
  rolling back to the unencrypted state
  specific features
  specific features of using utilities
Protecting files and folders
  decrypting objects
  encrypting objects
  interrupting file encryption
  interrupting folder encryption
  interrupting re-encryption
  re-encrypting objects
  specific features

T

Transparent encryption

U

Uninstalling InfoWatch CryptoStorage
  preparing the protected objects
  uninstalling
User of a protected object
Using protected containers
  attaching
  detaching
  formatting
  rules for
Using protected files, folders, hard disks and removable devices
  attaching
  detaching
  rules for using protected files and folders
  rules for using protected volumes of hard disk and removable devices
  starting up using protected system disk and/or boot disk

V

Viewing information on a protected object

W

Wiping objects

