Product Reviews

Lock the Door

WinMagic SecureDoc's full-disk encryption provides easy-to-use security for laptops and remote users.

• By Peter Varhol
• 07/01/2008

SecureDoc 4.3 REDMOND RATING Installation 20% 10.0 Usability 20% 8.0 Features 20% 8.0 Administration 20% 8.0 Documentation 20% 9.0 Overall Rating: 8.6 —————————————— Key: 1: Virtually inoperable or nonexistent 5: Average, performs adequately 10: Exceptional

I've never lost my laptop computer -- knock on wood -- but I'm rarely at an airport where I don't hear the PA system announcing, "Will whoever left their laptop at security please come back to claim it." Out of curiosity, I asked about that the last time I was at San Francisco International. "We have about half-a-dozen a day from this terminal that aren't claimed on the same day they're left here," replied the TSA supervisor at the station. Multiply that by all terminals at all airports across the country, and you have a lot of spare laptops floating around.

With a certain percentage of those laptops that are for business use, it's likely that there's confidential or at least proprietary data residing on those disks. Most systems use Windows and domain passwords, but usually they're not difficult to get around. So for someone with ill intent, or just someone with curiosity and computer skills, your secrets could become public -- or it may cost you to keep them private.

It goes without saying that if you have people outside of the office with laptops, you need to plan for occasional loss or theft. Everyone hopes it never happens, but of course it does, and rarely at convenient times and places.

In addition to lost laptops, WinMagic SecureDoc also protects data from unauthorized copying to removable media such as USB memory sticks, protects data on authorized memory sticks and helps in the secure disposal of damaged or obsolete hard disks (you don't want your data sitting in the bin at the second-hand computer shop). I've lost memory sticks, so I can appreciate at least one of these characteristics.

There are a couple of ways of using SecureDoc, and I've tried both. First I did a single-system installation, which offers encryption for an individual system. This approach makes the most sense if the users are mobile and often don't have the need to connect to a server in the organization. The second way of using SecureDoc is as an enterprise solution managed by a server.

My next step was to install the server version of the product and interact with it as a network user might. In a server configuration, the primary focus is files on shared drives living on those servers, so you'd probably want to use this version in conjunction with the individual user version, especially if your users disconnect from the network to work in standalone mode.

[Click on image for larger view.]

Figure 1. When you install SecureDoc, you can select a drive, key and type of encryption you want to use.

Installing and Encrypting
Installation is largely automatic and takes only a few minutes. On install, SecureDoc asks you to define a key file, disk password and at least one key (see Figure 1). You can also specify the use of a hardware token here in addition to a password. Then it will reboot, spend a few minutes encrypting the entire disk, and ask you to log in and select a key file, if necessary, to gain access to the disk. In my case, with a typical laptop, the installation and encryption process took less than 15 minutes.

A couple of caveats are in order. As you can imagine, in order to encrypt the disk, SecureDoc has to write to the master boot record (MBR). This can be a dangerous activity, and the documentation warns that bad disk sectors or any other software that writes to the MBR could cause a problem. If there's any question as to whether your hardware is in reasonable shape, you should do some testing first. It also does not support dual-boot USB encryption. If you have a Linux partition, you have to separately encrypt that partition from within Windows.

The system requirements are eminently reasonable: a low-end Pentium or AMD processor, 128MB of RAM, 128MB of disk space, and either Windows Vista, XP SP2 or 2000 SP4. You may also have to install the Visual C++ 2005 Redistributable Package. The documentation is extensive and impressive. Perhaps the only negative here is that there's far too much for a typical user to read and understand. Fortunately, most tasks are transparent to such users.

[Click on image for larger view.]

Figure 2. The SecureDoc Control Center provides a log-in with tabs for boot control, disk encryption, customization and logging.

Little Negative Impact
Under ordinary usage, a computer user won't notice any difference between an encrypted computer and an unencrypted one, beyond the initial log-in. There's no noticeable difference in system performance, and nothing else at all for a user to do. If they want to copy data from the system onto a USB stick or CD/DVD, the process becomes a little different than they may be used to.

Writing to external media involves creating a container, which is represented on the desktop and in Windows Explorer as a virtual disk. To use containers, a user has to work with keys and the container manager to create, open and close containers.

The default SecureDoc key configuration wizard makes it easy to set up keys and passwords. However, it won't help you change passwords or provide self-help password recovery. For these activities, you want to use the key-management features to be able to manage and recover passwords.

From the standpoint of an admin, there are a number of things you can do. For example, if the computer has multiple user accounts, you can add and delete users, passwords and keys. You can also manage boot options between those users.

[Click on image for larger view.]

Figure 3. The Control Center boot control tab lets you manage key files and designate boot modes for different users.

The SecureDoc Control Center provides a multitabbed interface for accessing these functions. Once you have it installed, you can log into it using your disk log-in password, and work in interfaces for boot control, disk encryption, customization and logging (see Figure 2). Once logged in, you can move among the tabs and accomplish finer-grained actions involving encryption (see Figure 3).

Users can also encrypt individual files and folders with specific keys. This is useful if you're e-mailing around documents or otherwise transporting them on unencrypted media. You have to set up separate keys for those objects and manage them in the Control Center. Once you've encrypted a file it's given the file name extension .SDE so you can readily identify your encrypted documents.

Working from a server is pretty seamless. Passwords for individual systems and users are propagated to the server, so once logged in, there's little need to worry about further passwords for server access. However, if you want to use removable media, you still have to create and manage containers.

Certified Secure
I'm not a security expert, and didn't try to break the SecureDoc encryption. However, it's worthwhile noting that the product has AES validation from the National Institute of

Standards and Technology, Federal Information Processing Standards 140-1 Level 2 certification, and is certified by the National Security Agency for SECRET data for U.S. government agencies. It also supports smart cards, USB tokens and popular Public Key Infrastructures (PKIs). This product has some heavy certification horsepower behind it, so users shouldn't be worried about attacks against the encryption itself.

If you have employees outside of the corporate network, or people who travel on business with their laptops, you have two security concerns. The first, which many enterprises have addressed, is secure access to the corporate network. Despite many high-profile lapses, however, most have not yet addressed the problem of the lost or stolen laptop or other device. However, encryption is getting more straightforward to use, both individually and as an enterprise-wide solution. It's time to move forward with full-disk encryption, and SecureDoc is an enterprise-friendly way of doing so.