SpyProof! Support

How does VDE as provided by SpyProof! differ from FDE and other storage encryption technologies.

One of the most concise summaries of the differences between storage encryption technologies that we've seen to date is in NIST Special Publication 800-111. Table 3.1 is particularly helpful:

NISTSP800-111 Table 3.1 (with markup)

Note that in most categories VDE is regarded by NIST as superior to FDE. The main advantages of VDE are:

• support for a wider range of devices,
• the possible mitigation of intrusion threats,
• portability,
• the relative ease of backup and recovery, and
• the smaller risk of catastrophic loss of data.

The possible disadvantages of VDE identified by NIST come down to two issues:

1. sensitive data, to be protected, must be identified and located on an encrypted partition, and
2. a single sign-on capability may negate the advantage VDE has over FDE in the mitigation of OS and application layer threats

SpyProof! addresses both of these concerns by 1) making it easy for the user to migrate his 'My Documents' and Windows temp folders onto a newly created encrypted partition, and 2) making single sign-on optional. By installing a restrictive SpyProof! security policy that disables the single sign-on feature and by pre-configuring end-user systems with all sensitive data folders already established on an encrypted partitiom, an IT administrator can effectively block exploitation of these possible vulnerabilities,

When I start SpyProof! for the first time the program displays a warning saying that I need to specify an X.509v3 encryption certificate. How do I obtain such a certificate and create my first SpyProof! disk? (9/10/08)

Prior to creating your first disk you must install your personal encryption certificate into SpyProof! ISC will provide a free encryption certificate with a one year validity period to each new SpyProof! user who doesn't already have one.

To obtain your free certificate using Internet Explorer, go to the certificate enrollment page and follow its instructions. Be sure to enter your SpyProof! serial number as the requested 'Coupon Code' and your free certificate will be returned to you via e-mail.

How do I permanently rename a mounted SpyProof! disk (so that Windows will remember the name the next time the disk is mounted)? (9/23/02)

Right click on the icon for the disk in Windows Explorer and select 'Properties' in the context menu. Enter a new name for the disk on the 'General' tab and clik OK. (Using the 'Rename' context menu item in Windows Explorer is not reliable.)

I've upgraded my system to Windows XP Service Pack 2 and now Windows only prompts me for my password the first time I mount a disk. How can I configure my system so that I am prompted to enter my password every time I mount a disk? (2/17/04; this issue affects versions 1.2.3 and earlier)

By default, Windows XP SP2 will cache your CAPI password regardless of whether you tell it to remember the password or not. This is a known bug in SP2. To fix this problem:

1. Download the following .reg file and save it to your Desktop: sp2fix.reg
2. Right-click on the .reg file on your desktop and select Merge.
3. You may now delete the .reg file.

SpyProof! should now prompt you to enter your password every time you mount a disk.

• the maximum size of a newly created disk is now limited to the available space on the selected destination drive (rather than to that on drive C:)
• disks located on external drives can now be resized
• the editing and management of an ACL with expired certificates has improved
• the handling of errors that may occur when creating disks on network drives has improved
• duplicate entries should no longer appear in the open disks list in the left hand pane of the organizer view
• the command line now properly checks that the maximum number of simultaneously mounted disks is not exceeded

• integration into the ISC Security Console (GUI framework)
• improved ACL creation and editing with support for LDAP certificate retrieval (even without a SecretAgent license); new LDAP module supports TLS for client authentication
• Suite B-compliant ECC operations are now supported via the Vista CNG API
• adds support for DAS so that encrypted disks can be shared by the members of one or more dynamic communities of interest
• credential configuration has been automated to select the latest encryption and signing certificates upon installation
• provides PKCS#11 and Entrust support (even without a SecretAgent license)
• includes SecretAgent 6.0 Reader Edition

• Added support for Windows Vista and CSP^id
• To resolve conflicts with certain third party applications, SpyProof! now creates a subordinate 'My Documents' folder within a newly created disk that has been designated by the user to act as their 'My Documents' folder
• Manually mounting an 'automount' disk now opens the drive in Windows Explorer
• When a volume containing a mounted SpyProof! disk is detached from the system, SpyProof! will display a warning and automatically unmount the disk
• Disks imported when SpyProof! is configured to use CAPI are no longer assigned a SecretAgent profile if an appropriate CAPI profile is found
• Disk Manager Profile Type item modified to reduce confusion
• CLI enhancements:
  • automatically chooses profiles when creating disks
  • added options to avoiding prompting when removing disks
  • added option to avoiding opening drive window when mounting
• bug fixes:
  • fixed display of certificates with UTF-8 encoded RDNs
  • users are now prohibited from creating a disk when the maximum number of disks are already mounted

• Allows UNC paths to be used for disks
• Enforces security policies signed with SecretAgent 5.9 or higher
• Fixed bug causing disks made with release 1.1 and earlier to no longer mount under release 1.3

• Supports disks larger than 8GB
• Allows disk files to be transferred to another location
• Checks CRLs during CAPI certificate chain validation
• Uses SecretAgent's certificate chain validation if SecretAgent is installed and configured to use Certificate Explorer for validation
• Enforces compliance with PolicyAgent 5.9 security policies
• Adds command line support for Mount, Unmount, Import, Remove, and Create functionality
• Works with Windows XP SP2 fast user switching
• Lowers its Windows run level priority when creating disks
• Asks whether to rekey and backup disk files when removing recipients
• Opens its directory in an Explorer window when mounted manually
• Allows user to bypass slide bar and directly enter disk size in the Create Disk dialog
• Supports dual monitor configurations in Windows

• Increased performance when handling large amounts of data (better than 2x speed-up).
• Improved processing of expired/updated certificates.
• Improved handling of attempts to mount a disk already mounted by another user.

• Disks are now, by default, created in "Local Application Data" (instead of in the root directory of the specified drive), are formatted with an NTFS file system, and can be expanded.
• Free space encryption has been made optional to permit compression during backup (with negligible impact on security).
• Mounted disks are labeled 'SpyProof!' to facilitate their identification and are now readable by other processes (e.g., backup programs).
• Improved CAPI integration, including better handling of password prompts.
• Improved certificate selection: certificate fingerprints are displayed to help distinguish between certificates with identical DNs.
• The setup program has been changed to provide smoother silent installs.

• The restriction to trusted root certificates mandated by a local security policy is now enforced during certificate chain validation
• A workaround for a key exchange bug in the Rainbow iKey as been incorporated into the program

• Additional users may be added to an existing disk at any time
• An improved Create Disk dialog allows you to assign Windows drive letters, set disk automount properties, and set a new disk as your My Documents folder
• The user access control list for an existing SpyProof! disk can now be inspected
• The rekeying of SpyProof! disks is now supported as is the recovery of disks damaged by power loss during the rekeying process. (Rekeying may be desired after removing some users from a disk's access control list.)
• An improved certificate validation process conforms to NIST and DoD PKI interoperability specifications and supports full chain validation of certificates in a CAPI store
• The hotkey used to unmount all disks can now be specified by the user

• Users can now be added to the access control list for a SpyProof! disk by retrieving their certificate from ActiveDirectory or from any remote LDAP repository or local CertEx database; static LDAP group queries are supported
• Permanent password caching ("single sign-on") is supported when SpyProof! is used with an appropriately configured SA 5.7 profile
• Security policies created by PolicyAgent 5.7 (including control over allowed ciphers, certificate trust policies, key recovery agents, etc.) are now supported

• certificates may be retrieved from a CAPI store even when SecretAgent is installed; you can now use SecretAgent or CAPI profiles simultaneously when creating, mounting, and importing SpyProof! disks
• Windows logoff now dismounts all SpyProof! disks
• Automount disks are mounted when the system returns from suspended state
• The root directory of the Windows system disk is now the default location for disk files (instead of the user's 'My Documents' folder)
• SpyProof! disk files now have distinctive icons and descriptions to help identify them in Windows Explorer
• Base64-encoded, as well as binary, key recovery certificates are supported
• SETUP prevents users from installing SpyProof! on Win9X systems