HP ProtectTools Embedded Security Guide
Document Part Number: 364876-001
May 2004
This guide provides instructions for using the software that allows you to configure settings for the HP ProtectTools Embedded Security chip.
© Copyright 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Microsoft and Windows are trademarks of Microsoft Corporation in the U.S. and other countries. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Contents
HP ProtectTools Embedded Security
  Requirements
  Basic ProtectTools Embedded Security Concepts
    HP ProtectTools Embedded Security Chip
    Personal Secure Drive
HP ProtectTools Embedded Security The HP ProtectTools Security Manager is the software that allows you to configure settings for the HP ProtectTools Embedded Security. The Manager is an interface (shell) that points to the various options available in the Embedded Security software. HP ProtectTools Embedded Security is the software suite that includes the Personal Secure Drive (PSD), encryption/TPM chip interface, security migration, archive creation, and password control.
Basic ProtectTools Embedded Security Concepts
This section contains high-level information on concepts you should understand in order to use HP ProtectTools Embedded Security and HP ProtectTools Security Manager.
HP ProtectTools Embedded Security Chip
The Embedded Security chip is a hardware component that offers security and encryption features and provides a tamper-resistant storage area for protecting public and private keys.
Email
Secure email is another significant feature of Embedded Security. It allows users to share information confidentially (by encrypting messages) and to verify that a message really comes from its stated sender and has not been altered in transit (by digitally signing messages). Secure email allows you to:
■ Select a public key certificate issued by a Certification Authority (CA).
■ Digitally sign messages.
■ Encrypt messages.
Enhanced Encrypted File System (EFS)
EFS is the file encryption service offered by Microsoft Windows 2000 and Windows XP Professional.
Administrators
Administrators initialize the Embedded Security solution on a computer and may:
■ configure the local machine and user policies of Embedded Security
■ prepare user keys and certificates for migration
■ change the Embedded Security owner password
■ disable and enable Embedded Security
■ authorize destination computers for user key and certificate migration
■ recover data that was stored and encrypted using Embedded Security
For more information on
Digital Signature
A digital signature is computed with the signer's private key and checked with the public key in the signer's digital certificate; the certificate, not the signature itself, carries the name of the CA that issued it. A digital signature is used to:
■ verify the identity of the sender of a digital document.
■ certify that the contents were not modified after the sender digitally signed the document.
For more information on digital signatures, refer to the operating system online Help.
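As an added illustration of the two checks listed above and of the secure email features described earlier, the following Windows PowerShell script (example code, not part of the HP guide or its software) signs a message with an RSA private key, verifies it using only the public key, and then shows that changing a single character invalidates the signature. The certificate subject "alice" and the message text are assumptions; if no matching certificate with a CSP-backed private key exists in the user's Personal store, the script falls back to a throwaway key pair so it can still be run.

```powershell
# Added example (not from the HP guide): sign, verify, and detect tampering
# with .NET's RSA provider from Windows PowerShell.

$text  = 'Transfer 100 units to account 42'        # constructed sample message
$bytes = [Text.Encoding]::UTF8.GetBytes($text)

# Signer side: a CA-issued certificate with a private key, as stored in the
# Personal store. The subject filter "alice" is an assumed name.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like '*alice*' } |
        Select-Object -First 1

if ($cert -and $cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $rsa = $cert.PrivateKey
    'Signing with certificate issued by: ' + $cert.Issuer   # CA name lives in the cert
} else {
    # No suitable certificate: generate a throwaway 2048-bit key pair for a dry run.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
    'No matching certificate found; using a throwaway key pair.'
}

# SHA-256 digest of the message, signed with the private key.
$signature = $rsa.SignData($bytes, 'SHA256')

# Verifier side: only the public half is needed. ExportParameters($false)
# omits the private exponent, so $pub cannot sign anything.
$pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$pub.ImportParameters($rsa.ExportParameters($false))

'Original message verifies: ' + $pub.VerifyData($bytes, 'SHA256', $signature)

# Change one digit after signing: the same signature must now be rejected.
$tampered = [Text.Encoding]::UTF8.GetBytes('Transfer 900 units to account 42')
'Tampered message verifies: ' + $pub.VerifyData($tampered, 'SHA256', $signature)
```

The verifier never touches a private key, which is why the recipient needs only the sender's certificate: identity comes from trusting the CA that issued that certificate, and integrity comes from the signature failing to verify over any modified bytes.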
required to access the archive. The access to the Emergency Recovery Token is protected by a password. This password is required in case the Embedded Security system needs to be restored.
Policies
Policies are rules that govern the behavior of a computer or software. The system administrator generally specifies security policies to ensure consistent use of Embedded Security within an organization. The two types of security policies are machine policies and user policies.
Setup Procedures
Follow these steps to enable and initialize the Embedded Security chip through the Computer Setup utility in the system BIOS:
Ä CAUTION: To prevent a security risk, HP recommends that a person authorized by your organization immediately initialize the Embedded Security chip (see step 4). Failure to initialize the Embedded Security chip could result in an unauthorized user, a computer worm, or a virus taking ownership of the system.
4. Use the left or right arrow key to select the Security menu, then use the up or down arrow key to select Setup Password. Press Enter, enter and confirm a new setup password, and press F10 to accept.
✎ Type carefully; for security reasons, the characters typed do not appear on the screen.
5. In the Security menu, use the up or down arrow key to select Embedded Security Device, then press Enter.
6.
6. Click Browse and select the appropriate destination.
Ä CAUTION: The Emergency Recovery Token Key is used to recover encrypted data in the event of a computer or embedded security chip failure. The data cannot be recovered without the key. (The data still cannot be accessed without the Basic User password.) Store this Key in a safe place, away from the computer it protects; a token kept on the same disk is lost together with the data it was meant to recover.
7. Click Save to accept the location and the default file name, then click Next.
8.
✎ Type carefully; for security reasons, the characters typed do not appear on the screen.
4. Click Next to confirm settings.
5. Select the appropriate Security Features and click Next.
6. Click Next to skip Help files.
7. If more than one Encryption Certificate exists, click the appropriate certificate. Click Next to apply the Encryption Certificate.
8. Configure the PSD with appropriate settings and click Next.
9.
Using the PSD
To use the PSD, enter your PSD password. The PSD becomes visible and the files are decrypted. The PSD may be used like any other drive. When you are finished using the PSD, log off properly. The PSD automatically hides its presence.
Encrypt Files and Folders
When working with EFS in Windows 2000 and Windows XP Professional, consider the following:
■ Only files and folders on NTFS partitions can be encrypted.
Send and Receive Email by Encryption and/or Digital Signatures
For instructions on digitally signing and encrypting email, refer to the email client online Help.
✎ To use secure email, you must first configure the email client to use a digital certificate that is created with Embedded Security. If a digital certificate is not available, you must obtain one from a Certification Authority.
Recover Information
In the event of chip failure or reset:
■ The Emergency Restore Wizard can be used to recover data from the PSD.
■ The PSD also supports recovery by using a recovery agent, a mechanism similar to the one used by the Encrypting File System (EFS). To determine if you have a registered recovery agent on the computer, click Start > All Programs > Administrative Tools > Local Security Policy > Public Key Policies > Encrypted Data Recovery Agents.
Restore the Embedded Security Chip to the original factory settings through Computer Setup
Ä CAUTION: This task releases ownership of the Embedded Security chip. Once ownership is released, anyone can initialize the Embedded Security chip. Restoring the Embedded Security chip to its original factory settings may result in data loss if you have encrypted files.
To return the Embedded Security chip to its original factory settings:
1. Turn on or restart the computer.
6. In the Security menu, use the up or down arrow key to select Embedded Security Device, then press Enter.
7. Use the up or down arrow key to move to Reset to Factory Settings–Do Not Reset. Press the left or right arrow key once. A message is displayed stating: Performing this action will erase all security keys. Data loss may occur. Press any key to continue. Press Enter.
8. The selection will now read Reset to Factory Settings–Reset. Press F10 to accept the change.
9.
■ Regularly back up the entire server that stores server-based encrypted data. This ensures that in the event of data recovery, the profiles that include decryption keys can also be restored.
■ If you are encrypting file types that are monitored by System Restore, put the files on a volume that is not monitored by System Restore.
■ The system does not support multiple levels of encryption.
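The EFS considerations above (NTFS only, and knowing which recovery agent can open a file, as the Recover Information section describes) can be checked from a script rather than by inspection. The following Windows PowerShell example is added here and is not part of the HP guide or its software: it refuses to proceed unless the target volume is NTFS, encrypts a folder with EFS, confirms the Encrypted attribute on every file, and then asks cipher.exe which user certificates and recovery agents can decrypt one of them. The folder path is an assumption, and the "cipher /c" query requires Windows Vista or later.

```powershell
# Added example (not from the HP guide): guard, encrypt, verify, and list
# recovery agents for an EFS-protected folder.

$Path = 'D:\Projects\Confidential'      # assumed folder; change to suit

# EFS works only on NTFS. Ask the volume what file system it carries before
# touching anything, instead of discovering it from a cipher.exe error.
$driveLetter = Split-Path -Qualifier $Path           # e.g. "D:"
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$driveLetter'"
if (-not $disk -or $disk.FileSystem -ne 'NTFS') {
    throw "EFS requires NTFS; $driveLetter reports '$($disk.FileSystem)'."
}

# Encrypt the folder and its contents; /s makes it recursive and marks the
# folder so files created later inherit encryption.
cipher.exe /e "/s:$Path" | Out-Null

# Do not trust the exit code alone: check the Encrypted attribute per file.
$files = Get-ChildItem $Path -Recurse | Where-Object { -not $_.PSIsContainer }
foreach ($f in $files) {
    $enc = ($f.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
    '{0,-5} {1}' -f $enc, $f.FullName
}

# Who can decrypt? cipher /c prints the user certificate thumbprints and any
# Data Recovery Agent certificates embedded in the file's EFS metadata. This is
# the per-file view of the recovery agent registered under Local Security Policy.
$sample = $files | Select-Object -First 1
if ($sample) { cipher.exe /c "$($sample.FullName)" }
```

If the recovery agent listing shows no agent, a chip reset or lost user key leaves the file unrecoverable, which is the failure mode the backup recommendations above are there to prevent.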
✎ If you do not press the F10 key at the appropriate time, you must restart the computer and press and hold the F10 key again to access the utility. If you are using a PS/2 keyboard, you may see a Keyboard Error message; disregard it.
3. If necessary, enter the setup password and press Enter.
4. Use the up or down arrow key to select the language. Press Enter to enter Computer Setup. For navigation instructions, press F1.
5.
Troubleshooting
My Embedded Security is not working. What should I do?
1. Right-click the HP ProtectTools icon in the system tray, then left-click Manage Embedded Security.
2. Click Embedded Security > Info > Self Test. Also check under Embedded Security State, Chip, Owner and User.
I restored my system after a crash. What should I do now?
Ä CAUTION: In most cases, the IT System Administrator performs this procedure.
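The same State, Chip and Owner checks can be made from the command line on later Windows releases. The following Windows PowerShell script is an added example, not part of the HP guide or the HP console; it reads the chip's enabled, activated and owned flags and runs the chip self-test through the Win32_Tpm WMI class, which exists on Windows Vista and later with TPM Base Services (the HP software on Windows XP exposed this through its own interface). An enabled but unowned chip is reported with a warning because that is the condition the setup caution describes.

```powershell
# Added example (not from the HP guide): query TPM state through Win32_Tpm.

$tpm = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm
if (-not $tpm) {
    throw 'No TPM visible to Windows: the device is disabled in Computer Setup or has no driver.'
}

# Each WMI method returns an object whose property carries the result.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned

'Spec version : ' + $tpm.SpecVersion
'Enabled      : ' + $enabled
'Activated    : ' + $activated
'Owned        : ' + $owned

# Enabled + activated + unowned means anyone with local administrator rights
# can take ownership; initialize it before continuing.
if ($enabled -and $activated -and -not $owned) {
    Write-Warning 'Chip is enabled but has no owner. Initialize Embedded Security now.'
}
if (-not $enabled -or -not $activated) {
    Write-Warning 'Chip is disabled or not activated; enable it in Computer Setup (Security menu).'
}

# Self-test. ReturnValue 0 means the call succeeded; per the Win32_Tpm
# documentation an empty SelfTestResult means every test passed, and a
# non-empty one holds manufacturer-specific failure data.
$st = $tpm.SelfTest()
'Self-test return code: ' + $st.ReturnValue
if ($st.ReturnValue -eq 0 -and $st.SelfTestResult.Count -eq 0) {
    'Self-test passed.'
} else {
    Write-Warning ('Self-test reported {0} result byte(s).' -f $st.SelfTestResult.Count)
}
```

Run it from an elevated prompt; Win32_Tpm refuses most calls from a non-administrator session.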
✎ If you do not press the F10 key at the appropriate time, you must restart the computer and press and hold the F10 key again to access the utility. If you are using a PS/2 keyboard, you may see a Keyboard Error message; disregard it.
3. If necessary, enter the setup password and press Enter.
4. Use the up or down arrow key to select the language. Press Enter to enter Computer Setup. For navigation instructions, press F1.
5.
10. To save the changes, press F10 to go to Save Changes and Exit. Press Enter, then press F10 to confirm.
11. Turn off the computer.
✎ Power must be turned off for the chip to reset.
12. Go to step 1.
13. If the selection in the dialog box is Embedded Security Device–Disable, use the left or right arrow key to change it to Embedded Security Device–Enable.
14. Press F10 to accept the changes to the Embedded Security configuration.
15.
24. Click Browse and locate the Recovery token created during the initial HP ProtectTools Embedded Security Initialization, click the token, and click Open.
25. Enter Token password and click Next.
26. Select the machine name and click Next.
27. Click Next to confirm settings. If an announcement appears that the restore failed, return to step 1. Carefully check passwords, token location and name, and archive location and name.
28.
38. Confirm the Security Features and click Next.
39. Confirm the Settings and click Next.
40. Enter the PSD password and click OK.
41. Click Finish and Yes to restart.
Ä CAUTION: Safeguard the Basic User password. Encrypted data cannot be accessed or recovered without this password.
Glossary
Certification Authority (CA)—a service that issues the certificates required to run a public key infrastructure.
Encryption—any procedure used in cryptography to convert plaintext into ciphertext so that unauthorized recipients cannot read the data. There are many types of data encryption, and they are the basis of network security; common types include symmetric ciphers such as the Data Encryption Standard (DES) and public-key encryption.
Encrypting File System (EFS)—the Windows file encryption service; when applied to a folder, it encrypts all files and subfolders within the selected folder.