Recovery Procedures for SecureDoc-protected Computers
Recovery Procedures for SecureDoc Disk Encryption users
The following document lists various support scenarios that may occur while SecureDoc Disk Encryption is installed on an encrypted computer. Each procedure is based on a specific situation and environment. Note, this article focuses on Windows client computers, and though some of the information herein could be applied to SES-managed endpoint computers, this article is primarily for users of the Stand-Alone SecureDoc product.
Operating System Crashes
Decrypt the hard disk before running Windows diagnostic utilities
If the OS crashes, depending on the circumstances surrounding the crash, the Support team will likely have to decrypt the computer prior to running any diagnostic tools; this is because the Windows Utilities will not be able to recognize the hard disk. In addition, Windows might first try to replace the MBR because it will not recognize the code as being its own. To decrypt the computer, following the steps below:
1. Using the SES console, add the encryption key for this (crashed) hard disk to the administrator’s account that is being used to look into this issue. After the encryption key is added, create a key file for the administrator. Save this key file to a USB drive.
2. The next step is to install the SecureDoc Disk Encryption software on a bootable (decrypted) computer. This can be any computer available to the administrator. No encryption will be performed on this computer. After the installation is complete, turn off the computer.
3. With the computer turned off, attach the encrypted (crashed) hard disk as a slave to the bootable computer above. For laptop hard disks, you may require a specific adapter to attach the hard disk. Once the hard disk has been attached, power on the computer.
4. Once the computer starts into Windows, log into the SecureDoc Control Center:
Start -> All Programs -> SecureDoc Disk Encryption -> SecureDoc Control Center
Insert the USB drive that contains the key file (see step 1).
Beside User ID/Key File, browse to the key file located on the USB drive. Once selected, enter the password that was set for the key file.
Note: If you created a token-based key file, enter the password of the IKey 2032
5. After logging in, more tabs appear in the SecureDoc Control Center. The next step is to install Boot Logon on the bootable hard disk. Click on the Boot Control tab:
Click on Install/Uninstall boot logon. A new dialog appears. Click on Install Boot Logon.
Although you will see 2 options (Hard Disk 1 and Hard Disk 2), you will only be able to select Hard Disk 1; this is because Boot Logon is already installed on Hard Disk 2.
Click and select Hard Disk 1, and click Ok.
When you click OK, 4 messages appear. The first message tells you that the default key file for Boot Logon belongs to the administrator (the key file that was logged in when Boot Logon was installed). Click Ok to continue.
The second message prompts you to create Emergency Disk files. Since we will not be encrypting the first hard disk, we will not create Emergency Disk files. Click No.
The third message simply advises that Boot Logon was installed successfully on the hard disk
Click OK.
The last message indicates the computer will automatically reboot. Upon restarting, the computer will remain at the Boot Logon prompt (pre-boot authentication).
Before the Default Key File, press the <Enter> key. Enter the password you assigned in Step 1, and press the <Enter> key.
6. Upon successfully authenticating to Boot Logon, the computer will begin booting into Windows.
Log back into the SecureDoc Control Center, and click on the tab Disk Encryption:
The last step is to decrypt the second (crashed) hard disk. Change the Drive pick-list to HD2.
Under Action, click on Decrypt. Click Start to begin the decryption process.
Depending on the size of the hard disk, this may take several hours (40 minutes per 10GB).
Once the decryption is finished, the last step is to uninstall Boot Logon.
7. While logged into the SecureDoc Control Center, click on the Boot Control tab. Click on the button Install/Uninstall Boot Logon, and click on the button Uninstall Boot Logon.
This time, click on both Hard Disk 1 and Hard Disk 2, and click Ok.
This will uninstall Boot Logon from both hard disks. Once Boot Logon has been uninstalled, Windows diagnostic programs can now be used to troubleshoot the (crashed) OS.
Once the hard disk is corrected, the Support team will have to re-encrypt with the users remote installation files before sending the computer back to the end-user.
User loses or damages their iKey 2032
There are several ways to recover from a lost or damaged iKey2032.
Issue a new iKey 2032
If a user loses or damages their IKey 2032 , the Support team will have to issue a new token to the user. This will be done in the same way it was originally: the Support team initializes a brand new IKey 2032, and adds the respective user's certificate to the token from the Microsoft CA.
Things to remember: For a user to successfully log into their computer at pre-boot, they must log into their IKey 2032 token. The token must contain the same certificate that was originally used to protect the key file. If the token doesn’t have the same certificate, they will be unable to log into their computer.
Upon adding the certificate to the IKey 2032, the token will be sent to the user. The Support team will have to provide the password of the IKey 2032 after the initialization. The user will then log into the computer at pre-boot as before.
Upon logging into Windows, the user will then have to reconfigure their IKey 2032 to use Axis Manager "" [Please review instructions from Datakey].
The user will be required to change the password for the IKey 2032.
Provide the user with a 1-time password recovery
Note:This feature will only work if the option was enabled before the user key files were created. In the SES, click on Tools and Options. Click on the button Password Rules, and modify the setting at the bottom:
This value represents how many days the password-based key file can be used to log into the computer. This will lock the key file after the number of days has passed.
If the user is off-site, and cannot immediately receive a new IKey 2032, then the Support team can provide the user with a 1-time password recovery.This process can be done over the phone, and allows the user to immediately log into their computer. Upon logging into their computer, the user assigns a password that is used to generate a password-based key file. This key file can then be used to log into the computer until the Support team can re-issue the user with a new iKey 2032.
To run the password recovery, the Support team opens the SES console. Browse and find the user account you wish to perform the password recovery for, and right-click. Click the sub-menu Challenge Response:
The following dialog appears:
The next step is to verify the identity of the user. This can be accomplished by asking the user to answer their authentication questions, or any internal information that only the authorized user would know.
Once verified, ask the user to reboot their computer, and remain at the Boot Logon screen (pre-boot). Have them press the <Enter> key beside the prompt Key File (Enter for default"¦) :
Next, have the user press the <F8> key on the keyboard.
The user should now see the password recovery menu. Have the user read off the Challenge Number they see at the top of the screen. The support technician types this number inside the Challenge number textbox. Upon entering the number, click Get Response.
Note: If the Challenge Number is incorrect, an error appears.
If the Challenge Number is correct, then after clicking Get Response, a Response Number should appear. The Support staff will read the Response Number back to the user.
The user will enter the Response Number in a password prompt under the Challenge Number.If the Response Number is entered correctly, the computer will begin to boot.
Once the computer starts into Windows, the user will be required to set up a password-based key file. The following prompt appears immediately upon entering Windows:
After entering a new password, and confirming the password, the user can optionally enter a Pass Phrase Hint. Once completed, click OK.
After successfully creating the key file, the user can work on their computer as normal. This new key file will be used the next time they wish to log into their computer. At the Boot Logon prompt, the user presses <Enter> for their default key file, and at the password prompt, the user will be required to enter the password that was set above.
Restoring to a token-based key file
Once the support staff is able to issue a new IKey 2032 to the user, they can remove the password-based key file, and restore token protection.
Note: Please see the above chapter "Issue a new IKey 2032 "� for details.
The user logs into their computer as normal.Upon logging into Windows, the user logs into the SecureDoc Control Center:
Start -> All Programs -> SecureDoc Disk Encryption -> SecureDoc Control Center
The user then enters their password and clicks Login:
To finish, the user clicks the button Restore token protection. The following prompt appears:
The user clicks Yes. The next time they reboot their computer, they will be required to use their IKey 2032. The computer is now back to the original "token-based"� state.
General Login to a users encrypted computer
Should a user leave the company with their IKey 2032, the Support team always has access to their encrypted computer. To access the encrypted computer, the administrator logs into the SES console, and opens their (administrator) user account. They then add the AES encryption key that is encrypting the user’s computer, and add it to their own account:
Once the AES encryption key is added to the administrators account, click OK to save. The next step is to create the administrator’s key file. This key file will be used to log into Boot Logon on the user’s encrypted computer. The key file can be saved on either: 1) A floppy disk, or 2) Hardware Token (IKey 2032).
Right-click on the administrator account that the user’s AES encryption key was added to, and click the sub-menu "Create key file"�:
Select how you wish to protect this key file, e.g. password or token, and then enter the relevant information. Click OK to create the key file.
Note: If you wish to save the key file on a floppy disk, select the full path and name of the key file beside the File Name above. When the key file is being created, you will be required to insert a floppy disk.
A key file saved on a floppy disk can be protected by either a strong password or a token (under Protected by).
Logging into a key file stored on a floppy disk
Power on the user’s encrypted computer. At the Boot Logon prompt, beside the prompt "Key File (Enter for default"¦), type the full path to the key file on the floppy disk, e.g. A:\Demo.dbk, and press the<Enter> key.
Note: DOS naming convention exists. If the key file name is longer than 8 characters, you will need to configure as such (A:\longfi~1.dbk).
After typing in the key file name, enter the password for the key file,
If the key file contains the correct AES encryption key, and the password was entered successfully, the computer will begin booting into Windows.
Logging into a key file stored on a token (IKey 2032)
Power on the user’s encrypted computer. Insert the token (IKey 2032). At the Boot Logon prompt, beside the prompt "Key File (Enter for default"¦), type the number 0, and press the <Enter> key.
SecureDoc will search for the token, and upon finding it, prompt the administrator for the password to their token. Beside the "Password"� prompt, type the token password. Once the password is entered, press the <Enter> key.
If the key file contains the correct AES encryption key, and the password was entered successfully, the computer will begin booting into Windows.
Removing SecureDoc Disk Encryption
Once in Windows, the Support staff logs into the SecureDoc Control Center and performs decryption. For full instructions, please review Step 6 in the above section "Decrypt the hard disk before running Windows diagnostic utilities"�
Once the hard disk is decrypted, the administrator will then uninstall Boot Logon. Please review Step 7 in the above section "Decrypt the hard disk before running Windows diagnostic utilities"�
The administrator can then completely remove SecureDoc Disk Encryption by using "Add/Remove Programs".