KILGETTY 2K v1.1
USER MANUAL

Issue 1.3, 20 January 2005
© Crown Copyright 2005                                                                                                                                 


                                                                                                                                
References
A: HMG Infosec Standard 5 (IS5) - Secure Erasure of Protectively Marked Information
B: Manual of Protective Security (MPS)
C: CESG Infosec Memorandum 26 (IM26) - Passwords for Identification and Authentication
D: Kilgetty 2K v1.1 Security Procedures
E: HMG Infosec Standard 4 (IS4) - Communications Security and Cryptography (PART 1)


Contents
Introduction

Chapter 1 ................. Welcome & Glossary

Chapter 2 ................. How Kilgetty protects your data

Chapter 3 ................. Kilgetty Local Managers


Installation

Chapter 4 ................. Preparing for Installation

Chapter 5 ................. Windows 2000 Installations

Chapter 6 ................. Upgrading from Kilgetty 2K v1.0

Chapter 7 ................. Setting up your BIOS


Day to Day use

Chapter 8 ................. General Day to Day use

Chapter 9 ................. Shutting your Computer Down

Chapter 10 ................ New Features for Kilgetty 2K v1.1


Appendices

Appendix A ............. Security

Appendix B ............. Technical Information

Appendix C ............. Contacts

Appendix D ............. Warranty

                                                                                                                                
                                                                                                                                
                                                                                                                                
CHAPTER 1
Welcome
Welcome to the world of Kilgetty!
By using Kilgetty you are providing CESG approved protection for your protectively marked data. You will experience very little performance impact whilst still having the peace of mind that your data is protected when the computer is powered down.

This manual applies to the following versions of Kilgetty products for the Microsoft Windows 2000 operating system:
KILGETTY 2K Version 1.1 (for Windows 2000 SP4)

If you have any questions about Kilgetty, or in the event of any technical difficulties, then please call the Helpdesk as described in Appendix C of this manual.
 
Kilgetty Kit Contents

For installation, you should ensure that all of the following items have been supplied:

NOTE: In the case of an upgrade from Kilgetty 2K v1.0, only a Kilgetty 2K v1.1 Upgrade CD is supplied.

  1. Software on CD, labelled Kilgetty 2K Version 1.1. (Installation Disk or Upgrade Disk, as appropriate)
  2. Touch Memory Device holder.
  3. Touch Memory Device reader.
  4. Touch Memory Device.
Note that the installation CD will be delivered separately from the Touch Memory Device and its accessories.

For normal operation, the Touch Memory Device and its accessories must be available.

The Touch Memory Device is not protectively marked but must be treated as a valuable and accountable item and looked after as one would an office pass or credit card (treated as NPM ACCSEC; please refer to IS4, Ref E).

                                                                                                                                
Glossary
BIOS - Basic Input Output System
Default FDK - Default Floppy Disk Key (i.e. the Boot TMD)
FDK - Floppy Disk Key (TMD used for floppy disk access)
GB - Giga Byte (1024MB) = 1,073,741,824 bytes
KLM - Kilgetty Local Manager
KSM - Kilgetty System Manager
MHz - Mega Hertz (1,000,000 Hertz)
NPM - No Protective Marking (unclassified)
PCMCIA - Personal Computer Memory Card International Association
RAM - Random Access Memory
TMD - Touch Memory Device
TMR - Touch Memory Device Reader
USB - Universal Serial Bus
 
CHAPTER 2
How Kilgetty Protects Your Data
General
Kilgetty products protect your data primarily by encryption. During installation, the entire hard disk of your computer is encrypted and an access control program is installed. The data on the disk is then only accessible after you have been verified as a valid user. This provides protection of your data when the computer is powered down, should it be lost or stolen, for instance, but provides no protection when the computer is running and the user has been validated.

Note: The procedures and guidelines detailed in Chapter 4, Preparing for Installation, and Chapter 5, Windows 2000 Installations, must be followed to ensure the correct operation of the Kilgetty product.

The access control is probably all you will see of Kilgetty in day to day usage. On boot up, the PC asks for the Touch Memory Device to be applied to its reader, and then prompts for your username and password. Once you have supplied the Touch Memory Device, username and password, then your computer will start in the usual way. If you then need to change some part of the Kilgetty system (change the floppy drive to operate in clear mode, for example), then you will need to use the system management program provided with Kilgetty.

Note: When the computer is running, all data is potentially accessible. Exported data is only protected by Kilgetty when output to encrypted floppy disks and encrypted removable hard drives (i.e. USB hard disk (not solid-state) devices). PCMCIA, parallel, serial and network connections are not protected, nor are CD-ROMs or other media types.

Hard Disks and Kilgetty
Kilgetty products provide hard disk encryption for removable hard disk drives (both plug and play types which can be inserted/removed on-the-fly and non plug-and-play removable types) and fixed hard disk drives. However, note that removable hard drives must not be removed once power has been applied. Kilgetty does not support removal/insertion of a hard drive once running.
Floppy Disks and Kilgetty
Kilgetty products provide facilities, described in Chapter 8, General Day to Day Use, to produce encrypted floppy disks.

Floppy disks can be encrypted in a way which is unique to one particular computer (using the Default Floppy Disk Key, which is the Boot TMD, for backup purposes) or in a way which allows floppy disks to be accessed by multiple users (using copies of a Floppy Disk Key, i.e. a non-boot TMD, on more than one machine).

Refer to the Kilgetty Security Procedures (ref D) for information regarding the handling of encrypted floppy disks.
Capabilities of Kilgetty and Protective Markings
Protection
The following table describes the protection normally offered by Kilgetty, as well as how Kilgetty affects the protective markings of different components.
Kilgetty Component | Protective Marking

PROTECTION

Hard Disk (With PC Powered off) | Reduced by UP TO two levels: TOP SECRET to SECRET; SECRET to RESTRICTED; CONFIDENTIAL to NPM; RESTRICTED to NPM
Hard Disk (With PC Powered on and accessed with TMD & password) | NO REDUCTION with a minimum of RESTRICTED (with no protectively marked data stored)
Removable Hard Disk (With power not applied) | Reduced by a single level: TOP SECRET to SECRET; SECRET to CONFIDENTIAL; CONFIDENTIAL to RESTRICTED; RESTRICTED to NPM
Removable Hard Disk (With power applied and user validated) | NO REDUCTION with a minimum of RESTRICTED (taking into account possible leakage from bootable main hard drive)
Encrypted Floppy Disks | Reduced by UP TO two levels: TOP SECRET to SECRET; SECRET to RESTRICTED (using Default Key); SECRET to CONFIDENTIAL (using Floppy Disk Key (FDK)); CONFIDENTIAL to NPM (using Default Key); CONFIDENTIAL to RESTRICTED (using FDK); RESTRICTED to NPM

INSTALLATION

Full Installation Disk (with seed) | CONFIDENTIAL CRYPTO
Upgrade Installation Disk (with NO seed) | RESTRICTED
Tamper Evident Labels (when not applied) | CONFIDENTIAL
Tamper Evident Labels (when applied) | NPM ACCSEC

ACCESSORIES

Touch Memory Device (used to boot a PC and as the Default FDK) | NPM ACCSEC
Touch Memory Device (used as a FDK) | Highest protective marking of the data being protected

Kilgetty products provide no protection when the computer is running and the User is logged on.

Please see Appendix A, on Security, and the Security Procedures (Ref. D) for further information in the case of loss.

Compatibility
Kilgetty supports the following file systems:
Product Filesystem Constraints
KILGETTY 2K Version 1.1 FAT(BIGDOS), Primary FAT32, NTFS Version 1.1, no primary FAT32 partitions allowed on Boot Disk
 
CHAPTER 3
Kilgetty Local Managers
General
Departments are strongly advised to appoint a Kilgetty Local Manager (KLM) to account for Kilgetty software and Touch Memory Devices. In practice this could be the CRYPTO custodian. A Full Kilgetty Installation Disk carries the CRYPTO caveat (see Chapter 2, Capabilities of Kilgetty and Protective Markings) and can only be handled by a person who has been appropriately cleared and CRYPTO authorised, as required by IS4 (Ref E), Chapter 7 part D.
Responsibilities
The Kilgetty Local Manager must:
  • Become familiar with all elements of this manual and the Security Procedures (Ref. D).
  • Ensure that Kilgetty is installed only on approved PCs [1] and strictly in accordance with the instructions laid down in this manual.
  • Retain the following:-
    • Kilgetty installation disks (CONFIDENTIAL CRYPTO for a full installation, RESTRICTED for an upgrade)

    • the boot username and password used on initial installation (when recorded, the protective marking is the same level as the data stored on the disk)

    • the serial numbers of TMDs and the PCs they are used with (these details do not take on a protective marking when recorded, but should be handled as valuable items (NPM ACCSEC))

    • the unique password entered into the BIOS (when recorded, the protective marking is one level down from stored data on the disk)

    These items must be stored as required by their protective marking, as well as securely, as different combinations of them are essential for reinstallation and data recovery in case of partial loss or compromise (see Appendix A and Appendix B). A record of the original boot details should always be maintained for recovery purposes, even if these details are subsequently changed.
  • Retain the KLM password and username used to gain access to the KSM (Kilgetty System Manager) facilities for KSM users. These details do not take on a protective marking when recorded, but should be handled as valuable items (NPM ACCSEC).
  • Retain records of changes to user passwords and usernames, kept securely, as required by departmental policy.
[1] Whilst Kilgetty is a generic software product, its use is only authorised on PCs which possess suitable protection of the BIOS parameters. During the ordering procedure the PC on which you intended to use Kilgetty should have been approved. If you are intending to use Kilgetty on a different machine (for instance if you are upgrading your PC) then you should contact the Help Desk (see Appendix C) for further advice on approved PCs.
 
CHAPTER 4
Preparing for Installation

System Requirements
The computer should only use one operating system.
Note: The PC on which you intend to install Kilgetty MUST NOT have any protectively marked information on it (protectively marked data on a hard disk PRIOR to installation of Kilgetty may leave remnant effects that can be exploited to recover usable data). If the disk does contain protectively marked information prior to installation, then the disk MUST be securely erased, in accordance with IS5 (Ref A).
Things You Should Know Before Installing your Kilgetty Product
  • Please read the Technical Information supplied in Appendix B to become familiar with compatibility issues.
  • Kilgetty products encrypt the computer’s entire hard drive(s) at the time of installation. During normal operation, on-the-fly encryption / decryption occurs which requires processing time. In most cases, this processing overhead will be unnoticeable but some disk intensive operations may take slightly longer to complete.
  • A typical Kilgetty installation may require 30 minutes of your time, including 15 minutes to read the relevant sections of the manual. Installation involves encrypting your computer’s entire hard drive(s), which typically (assuming a system with a Pentium 4 CPU) takes between 2 and 6 hours (~ 5-10 mins per GB) per drive for most computers, although the exact time is computer dependent [2].
  • You should make sure that the computer has a permanent power supply and that you have enough time to complete the installation. You will not be required to do anything during the encryption but should be available once encryption has completed.
  • The computer should be in a protected environment during installation to ensure that the power supply is not interrupted and for security reasons. However, the computer can be left unattended if appropriate physical security is guaranteed. If multiple installations are to be undertaken they can be started in sequence to save time. There is no need to fully complete an installation on one computer before starting an installation on another.
Note: If the hard disk encryption process is interrupted, all your hard drive data will be fatally corrupted [3].

  • During installation, a Boot Username, Boot Password and a BIOS Password will be required. It is extremely important to use an adequately secure password. Users should follow the guidance on choosing and handling passwords contained in IM26 (Ref C), Section III, except where instructions in this User Manual override the IM26 recommendations. Due to technical considerations, the other sections of IM26 do NOT apply to Kilgetty. You must record each of these items and store them in a secure location and give copies to your KLM. If this information is lost or forgotten then it will not be possible to access the computer.
  • Whilst Kilgetty is a generic software product, its use is only authorised on PCs which can provide suitable protection of the BIOS parameters. During the ordering procedure, the PC on which you intended to use Kilgetty should have been approved. If you are intending to use Kilgetty on a different machine (for instance if you are upgrading your PC) then you should contact the Help Desk (see Appendix C) for further advice on approved PCs.
  • Each Kilgetty product installation disk is unique and should be used for one computer only, for security and legal (copyright) reasons. It is permissible to use the installation disk a second time for the process of recovery from loss of TMD as outlined in Appendix A.
Before Starting Installation
  • Refer to Kilgetty Kit Contents to ensure that all items you need for installation have been supplied. Should any of these items be missing, consult your supplier.

  • Assemble your Touch Memory Device by clipping it to the Touch Memory Device holder.
  • Ensure that the Touch Memory Device reader matches the configuration of one of the serial ports on your computer (9 pin D-type connector). If they are different, consult your supplier for an adapter.
  • Read the appropriate sections of the manual before installation.
  • Prior to installing Kilgetty, it is strongly recommended that you install all software that is required for use on your computer i.e. Operating System, Applications and Data (though not protectively marked).
  • You are strongly recommended to back up all data stored on your computer’s hard disk before installation. Your backup should be sufficient to re-install all software currently installed on your computer (Operating System, Applications and Data). Protectively marked data should only be added AFTER Kilgetty is installed.
  • Ensure that your computer is virus free before installation. Consult the help file information included with your virus protection software for further information.
  • Check that your computer’s BIOS has a serial port enabled.
  • Check that your computer’s BIOS is not protecting the hard disk boot sector (also called Track 0) from modification. The user manual for your computer should be consulted to discover how to do this. This may be listed in your BIOS options as ‘boot sector virus protection’.
  • Check that your computer’s BIOS has disabled all sleep and power save modes, otherwise your machine may shut down the screen during encryption of the hard disk, giving you no indication of progress and leaving the machine in an unknown state. The user manual for your computer should be consulted to discover how to do this, and some help may be available in Chapter 7.
Laptop Installations
  • Ensure that the internal battery is fully charged before starting installation.

    OR
  • Ensure that the laptop is powered from an uninterruptible supply during installation.
Devices encrypted on installation
  • All hard disks in the computer will be encrypted on reboot after running setup.
[2] Some computer configurations and/or certain hard drives can take significantly longer to encrypt.
[3] See Appendix B for full rebuild instructions.
                                                                                                                                
CHAPTER 5
Windows 2000 Installations
Starting Setup
  • A typical Kilgetty installation may require 30 minutes of your time, including 15 minutes to read the relevant sections of the manual. Installation involves encrypting your computer’s entire hard drive(s), which typically (assuming a system with a Pentium 4 CPU) takes approximately 5-10 mins per GB for most computers, although the exact time is computer dependent [4]. You should make sure that the computer has a permanent power supply and that you have enough time to complete the installation.
Note: If the hard disk encryption process is interrupted, all your hard drive data will be fatally corrupted [5].
Note: KILGETTY must only be installed on Microsoft Windows installations using supported file systems. See Compatibility.

  • Connect the TMR to an available 9 pin serial port provided by your computer, and ensure that there are no BIOS conflicts with this port. If the Kilgetty Installation reports that there is a problem with reading the Touch Memory Device, then refer to the Technical Information in Appendix B.
  • Boot the computer as usual and log on to Windows with Administrator rights.
  • Insert the disk labelled "KILGETTY 2K Version 1.1, Installation Disk" into the CD drive of your computer.
  • If Autorun is enabled the CD will start up and a Kilgetty start up screen will be displayed. If the screen is not displayed, open the CD Drive and double-click on Autorun.exe. From this screen it is possible to view the User Manual and launch the installation process.
  • Click on the Install software button, and you will see the following screens:
[Screenshot: Setup]

  • Select "Run this program from its current location" and click OK.
    Then click "Yes" on the Security Warning page.
  • When the installation process is launched, InstallShield will display a Welcome Screen. Press Next to continue the installation process.
[Screenshot: Installation Welcome Screen]

[Screenshot: Licence Agreement Screen]

                                                                                                                                
  • The installation will then display the License Agreement Terms and Conditions that were issued for Kilgetty 2K v1.1. If you accept the terms, press Next to proceed to the next stage of installation. If you do not agree, press Cancel to abort installation.
  • The next screen displayed asks for Customer Information.
[Screenshot: Customer Information Screen]

[Screenshot: Installation Type Screen]

                                                                                                                                
  • The Setup Type installation screen allows users to select which components of Kilgetty they wish to install. Select Complete to fully install Kilgetty 2K v1.1. Custom Install will only allow the option to not install the User Manual as all other components are required for Kilgetty to function correctly.
  • The installation will ask that you enter boot details [6] and KLM details. The KLM details will be used for the first use of the KSM. The KLM may later decide to change their password, but the KLM username cannot be changed. You are recommended to choose different details for the KLM than for the boot details to avoid giving every user of the machine access to all the KSM facilities. These details must be recorded as mentioned in Chapter 3.
Note: Usernames are 8 characters long and passwords are 10 characters long. These must consist of alphanumeric characters, i.e. no spaces or punctuation are allowed. Usernames and passwords are NOT case sensitive.

[Screenshot: Username & Password entry]

[Screenshot: TMD Input Screen]

                                                                                                                                
  • Once the usernames and passwords have been entered, the TMD supplied must be read. When the NEXT button is pressed, the TMD Input Screen will appear. Once the Read TMD button is pressed, a window will appear asking for the TMD to be applied to its reader, as shown in the photograph.

  • If the TMD has been successfully read a message box will be displayed confirming this.
[Screenshot: TMD read successfully]

  • If the TMD read is not successful, one (or both) of the following message boxes will appear informing of an error.




  • Setup for installation is now complete. To install the product, press the Install button. This will make the necessary changes to your hard disk.
[Screenshot: Ready to Install]

[Screenshot: Status Bar]

[Screenshot: Setup Completed Screen]

                                                                                                                                
  • Once Setup has completed, the screen above will be displayed and your computer will need to be rebooted by clicking on the Finish button.
  • The hard disk(s) will be encrypted during the reboot. During this process the standard Windows boot screen will be displayed with a progress indicator. NOTE: This indicator gives a value between 0 and 100%, indicating the percentage of the disk encrypted. It is possible that with the value at 100%, there may still be up to around 5-10 minutes of encryption time left.
  • When the encryption is complete, Windows will continue to load as normal. Your computer is now fully protected by Kilgetty.
Note: It is highly recommended that the User re-boots the machine following the encryption process and transition into Windows. This will verify the correct working of the boot up sequence.

  • Every time your computer is booted, you will have to supply the Touch Memory Device, Boot Username and Boot Password before access to the computer is granted.
  • Your computer BIOS should now be configured as described in Chapter 7 of this manual.
  • You should now return the installation disk to your KLM for safekeeping, together with a record of all details used during installation.
[4] Some computer configurations and/or certain hard drives can take significantly longer to encrypt.
[5] See Appendix B for full rebuild instructions.
[6] It is particularly important that this password is adequately secure and should be chosen with reference to IM26 (Ref C), Section III, except where instructions in this User Manual override the IM26 recommendations. Due to technical considerations, the other sections of IM26 do NOT apply to Kilgetty.
                                                                                                                                
CHAPTER 6
Upgrading from Kilgetty 2K v1.0
Note: In order to do a successful upgrade, your system MUST currently have Windows 2000 with at least Service Pack 4 loaded and a copy of Kilgetty 2K v1.0 installed.

The Kilgetty installation media can come in two forms.

  1. A full install CD which includes a seed.dat file.
  2. An upgrade CD, that also requires a previous installation of Kilgetty 2K v1.0.
The process for upgrading from Kilgetty v1.0 should take approximately 10 minutes, assuming your system meets the necessary requirements.

Critical: Do not attempt to install any Service Pack over the top of an existing Kilgetty installation, as this will result in an unusable system.

Starting Setup
The following instructions assume that you currently have Windows 2000 with Service Pack 4 and Kilgetty 2K v1.0 already installed.
Note: If you already have Kilgetty v1.0 installed but less than Service Pack 4 then an upgrade is only possible by saving your data, reformatting the hard disk, installing Windows 2000, applying Service Pack 4, and then reinstalling Kilgetty 2K v1.0.

  • Insert the KILGETTY v1.0 Upgrade medium and run setup.exe.
  • If autorun is working you will see the Installation Splash Screen where you can click on the Install Software button. In this case you will first see the following screens:
[Screenshot: Setup]

  • Select "Run this program from its current location" and click OK.
    Then click "Yes" on the Security Warning page.
  • The InstallShield Welcome screen will be displayed; follow the on-screen instructions.
[Screenshot: Upgrade]

  • Read, then confirm you agree to the license agreement by clicking the "I accept the terms in the license agreement" button, and clicking Next.
[Screenshot: License Agreement]

  • Next the TMD supplied must be read. On the TMD Input Screen when the "Read TMD" button is pressed a window will appear asking for the TMD to be applied to its reader as shown in the photograph. Click the "Read TMD" button and apply the TMD to the TMR, then click Next.
[Screenshot: Read TMD]

  • On the Boot Username and Password details screen, enter the existing Kilgetty 2K v1.0 boot username and password, then click Next.

  • Presuming that the details you supplied are correct, the "Ready to Install the Program" screen appears. Click on the Install button to do the upgrade. Once this has completed, click Finish to reboot the system.

  • Once the PC has rebooted, the upgrade is complete!
  • As the hard disk was already encrypted by the installation of Kilgetty 2K v1.0 it will not be encrypted again.
  • You should now return the upgrade CD to your KLM for safekeeping, together with a record of all details used during the upgrade.
  • See Chapter 10 for the new features for Kilgetty 2K v1.1.
                                                                                                                                
CHAPTER 7
Setting up your BIOS
Note: The instructions in this Chapter MUST be followed.

After completing the installation of your Kilgetty product, the security of the computer should be further enhanced by using some of the facilities provided by the computer’s BIOS. The user manual for your computer should be consulted to discover which facilities are provided and how they are configured.

The following facilities must be applied:

  • Allow boot from the bootable hard drive only: Disable boot from floppy drive, CD-ROM drive, PC Card slot, network etc.
  • Enable BIOS password protection to protect against unauthorised changes to the BIOS configuration.
Note for the KLM: Record these passwords as they will be required if these options ever need to be changed.

If these facilities exist, they must also be applied to prevent irreversible corruption of the data stored on the hard disk:

  • Disable Standby / Sleep / Suspend / Hibernate functions.
  • Disable disk save function.

As a result of these changes, your BIOS may report an error of the form "Suspend-to-disk partition does not exist. Suspend feature disabled". This error is a direct consequence of updating the BIOS and may be overlooked.

                                                                                                                                
CHAPTER 8
General Day to Day Use

Note: The Boot Touch Memory Device (TMD) is to be handled as NPM ACCSEC (See IS4 Ref E). It must be kept in a secure location, separate from the PC, when not in use.
Starting your computer
After installation of Kilgetty, whenever the user starts up the PC, a request for the Touch Memory Device is made. This is done by touching the Touch Memory Device (TMD) to the Touch Memory Reader (TMR) which should be connected to one of the PC’s serial ports.

Once this has been read successfully, the user is then prompted to enter their boot username followed by their boot password. If all the information is entered correctly, the PC will boot as normal. It is highly recommended that the user remove the TMR from the serial port, though it will be necessary to attach it again if access to the Kilgetty Management program is required, and when restarting the PC.

When the PC starts up, the floppy drive will always be in ‘cipher mode’ using the Default Floppy Key, as an additional security feature. Therefore, it will not be possible to access clear disks until the floppy operating mode is changed (see Floppy Disk Manager below).

Security
Multiple Users
  • The computer MUST BE rebooted when a user logs off. This ensures that user permissions are not compromised.
Boot Sequence
You will become familiar with the Kilgetty boot sequence after using your computer for a short time. Please be aware of the usual startup messages. Information is presented to the user concerning the status of the system devices.

If you notice that the sequence has changed, then you should take the following action immediately.

Possible changes to boot sequence:

  1. BIOS password is no longer requested.
  2. BIOS password has been reset to default.
  3. You are asked to enter the TMD, boot username and boot password twice [8].
  4. The computer reboots after you enter the TMD, boot username and boot password.
  5. The computer reboots and does not ask for TMD, boot username and boot password.

Take the following action:
  • The computer should now be handled according to the highest protective marking of stored data.
  • The computer MUST NOT BE USED. This helps to determine the extent of the compromise.
  • The protective marking of the TMD must immediately be raised to the highest level of the stored data.
  • Contact the Help Desk (Appendix C) to arrange dispatch of the computer for investigation.
USB Devices
You should note that this version provides support for USB devices. For further information please refer to Chapter 10 New Features for Kilgetty 2K v1.1.
Back up disks

To back up data from your Kilgetty hard disk, files should either be:

  • Written to the floppy disk drive or other backup medium (e.g. tape drive) unencrypted, in which case the floppy disk (or backup media) takes the protective marking of the highest protective marking of data EVER held on the hard disk.
  • Written to the floppy disk drive using the (Default) Floppy Disk Key stored on the machine. See the following table for the protective marking of the floppy disk.
Highest protective marking | Protective marking of floppy disk when encrypted by Default Floppy Disk Key | Protective marking of floppy disk when encrypted by Floppy Disk Key
TOP SECRET | Two levels lower than material, unless the material is at TOP SECRET, in which case the material goes down one level to SECRET | One level lower than material

You are strongly advised to mark such encrypted backup disks as ENCRYPTED and mark with both the current protective marking and the actual protective marking of the data. You are advised never to decrypt such a backup disk but if it cannot be avoided then you must clearly denote the new protective marking on the disk.
Transfer of data
Transfer By Floppy Disk
Data protected by Kilgetty can be transferred between PCs running the same Kilgetty products via encrypted floppy disk. In order to do this, a Floppy Disk Encryption Key (FDK) has to be loaded from a separate TMD into each PC. When loading the FDK, each user must ensure that the same name or reference is associated with that FDK or there is a danger of using the wrong FDK.
Note A standard boot TMD must NEVER be used as a FDK.
It is necessary to limit the use of the FDK to 6 months after which a new FDK must be obtained. The TMD holding the FDK takes the highest protective marking of the data being protected. The protective marking of the transfer floppy disk is 1 less than the protective marking of the data (see previous table).

The use of FDKs should be controlled by the KLM (see Chapter 3).

You are strongly advised to mark such encrypted transfer disks as ENCRYPTED and mark with both the current protective marking and the actual protective marking of the data. You are advised never to decrypt a transfer disk but if it cannot be avoided then you must clearly denote the new protective marking on the disk.
Transfer By Network
For transfer of data out of the Kilgetty laptop on a network port (either from the encrypted hard disk or from an encrypted floppy disk), all data is presented as unencrypted (Clear) data to the outside world. Therefore, transmission of this data must only be done using systems approved for transmitting the original classification of material. Please refer to the Security Procedures (ref. D) for further information.
Floppy Monitor Icon
Description
The floppy monitor icon is displayed on the Windows Taskbar and reports the current state of the floppy drive. The icon looks like a floppy disk and performs three functions:
  • Reports whether the floppy drive is in the cipher or clear state.
    FlopMon Cipher: Denotes that the Floppy Monitor is functioning correctly, there is at least one floppy device connected to the system, and that it is set to cipher.
    FlopMon Clear: Denotes that the Floppy Monitor is functioning correctly, there is at least one floppy device connected to the system, and that it is set to clear.
    FlopMon No Drive: Denotes that the Floppy Monitor is functioning correctly and there are no floppy drives present or found. For a system with a removable floppy drive, it is possible to insert the drive whilst the system is running. In this case, this icon will be replaced by the icon with the key.
    FlopMon Unknown: Indicates a problem with communications between Kilgetty components. When the all red icon is displayed, Kilgetty prevents the User changing the floppy drive to 'clear' mode.
  • Reports the state and the currently selected key when the mouse pointer is held over the icon.
  • Starts the KSM when the mouse is clicked (once) on the icon.
USB Monitor Icon
Description
The USB monitor icon is displayed on the Windows Taskbar and reports the current state of external USB devices. This is new for Kilgetty 2K v1.1. Full details on this component can be found in Chapter 10 New Features for Kilgetty 2K v1.1.
Kilgetty System Manager
Introduction
The KSM provides users with control and administration facilities related to the operation of the Kilgetty disk encryption system. These facilities can be accessed after a successful log on using the TMD, together with a valid username and password. The KSM supports multiple users provided they have been authorised by the KLM, who can also specify the facilities within the KSM to which each user has access.
Accessing the KSM
To start the KSM, either:
  • Click on the floppy monitor icon in the system tray [After you have entered your login details this will take you to the Floppy Disk Manager Page], or
  • *NEW* Click on the USB monitor icon in the system tray [After you have entered your login details this will take you to the USB Manager Page], or
  • Press CTRL-ALT-DEL, then click on the Kilgetty System Manager button [After you have entered your login details this will take you to the Kilgetty Page]
NOTE When the KSM is activated, the system switches desktop from the user to a secure environment. In this environment, it is not possible to do anything else apart from KSM activities until the KSM is closed down. When the KSM is closed down, the desktop reverts back to the user desktop.

  1. The KSM logon dialog box will now be displayed.
  2. Type your KSM username and password in the Kilgetty System Manager logon dialog box.
  3. You will then be required to apply the TMD to the TMR connected to the PC’s serial port.
  4. If the logon is successful you will then have access to the KSM facilities you are authorised to use.

If the logon is unsuccessful the KSM dialog box will display a failed logon message.

  1. Check that the correct KSM username and password is used.
  2. Check that the correct TMD is used.
  3. Rename the useracc.dat file. N.B. This will remove all KSM user accounts apart from the one supplied on installation.
KSM Functions
Once access has been granted to the KSM, the system facilities will be available through a set of Property Pages. Each page implements a sub-set of the KSM functionality and can be displayed by clicking the tabs associated with the desired page.
Users will be able to view all of the facilities, but will be able to use only those to which they have been granted access by the KLM.

The property pages are:

  • Kilgetty - provides the opportunity to change the boot username and/or boot password and to read the serial number of the Touch Memory Device.
  • Floppy Disk Manager - provides facilities for selecting the current Floppy Disk Key (FDK), encrypting and decrypting floppy disks, and changing the operating mode of the floppy disk drive(s). N.B. it is not possible to format a floppy disk on the machine running Kilgetty. A floppy must be formatted outside of Kilgetty.

  • Floppy Keys - provides facilities for maintaining the Floppy Disk Key (FDK) data: loading or removing key material, and reading the serial number of the Touch Memory Device.

  • User Accounts - provides facilities for the KLM to manipulate the KSM user accounts within the KSM: add or remove users, and define the facilities available to them.

  • Personal Details - provides facilities for users to change their KSM password.

  • Protect System - provides facilities for rendering the Kilgetty PC inoperable in an emergency: disabling the hard disk and erasing the Touch Memory Device (TMD).

  • *NEW* USB Device Manager - provides facilities for managing KSM users' trusted USB device lists: adding and removing USB devices, enabling or disabling them from use, by the KSM user, with the machine. N.B. USB devices must be connected to the machine in order to be added to a KSM user's trusted list.

Help on the use of these facilities can be found in the Kilgetty Help; see the following section.

Getting Help
Kilgetty System Manager provides you with two kinds of help.
  • Help Topics
  • Help about what you see on the current page of the Kilgetty System Manager
To get Help Topics
  1. Click the Help button on the Kilgetty System Manager logon dialog box.
  2. The list of Help Topics appears.
  3. You can use the Contents tab in Help to find topics grouped by subject, or use the Index tab or Find tab to search for information by typing in a subject, title, or specific word or phrase.
To get Help about what you see on the current page of the Kilgetty System Manager
  1. Click the Help button located below the current property page of the Kilgetty System Manager, or press the F1 button.
  2. Selecting Help will focus on the facilities provided by the current page, though it can be used to access the help for all other pages.
  3. From the KSM Application Help you can access the Help Topics by clicking on the Help Topics at the top of the page.
[8] Excepting situations where the incorrect TMD, username or password is used.
                                                                                                                                
CHAPTER 9
Shutting Your Computer Down
Things You Should Know Before Shutting Down Your Computer
  • Your computer’s data will only be protected by Kilgetty when it is correctly and completely shut down. Shut down means that all components in your computer are powered down. You must read the documentation supplied with your computer to establish how to shut it down completely.
  • You need to be aware of other methods the computer may use to shut down completely or partially. This is especially important for laptop computers which can power off individual system devices (PCMCIA cards, hard disks etc.) to conserve battery power without shutting down the entire computer.
Note If the computer is not correctly shut down then it will not be protected by Kilgetty and should be handled according to the highest protective marking of material stored on its hard disk.

  • You must disable all standby, sleep, suspend or hibernation functions that your computer may have - see Chapter 7 for details. For instance – closing the lid on some laptop PCs causes entry to a power saving mode which leaves the PC in an unprotected state.

If you cannot disable these functions, do not use them. Your computer’s data will only be protected by Kilgetty when it is correctly and completely shut down.
                                                                                                                                
CHAPTER 10
New Features for Kilgetty 2K v1.1
Kilgetty 2K v1.1 is an upgraded version of Kilgetty 2K v1.0 including new features and enhancements, such as an improved installation procedure using InstallShield and the introduction of Trusted USB support.

InstallShield offers a standardised interface to the installation process, providing users with a familiar environment that makes the process simpler and more user friendly.

Trusted USB allows KSM account holders to use specified USB devices with the Kilgetty 2K v1.1 installed laptop. These devices are added or removed on individual KSM accounts, allowing different users access to different devices.

Note Kilgetty 2K v1.1 only blocks USB devices once Windows is running.

Trusted USB
Support for specified USB devices is provided using the USB Monitor and the USB Device Manager Property Page within the KSM. Device access is controlled by the USB Monitor, and on insertion of the device it verifies whether the user is allowed access using their KSM account details. These only need to be supplied once per Windows login. Once verified, the device will remain accessible until the user logs out of Windows.

The computer MUST BE rebooted when a user logs off. This ensures that user permissions are not compromised.

Note After each reboot the USB device(s) need to be reinserted and the registration screen details entered. These details are used to decrypt your personal trusted USB list, which informs the system whether you have access to the device.

Note Only hard disk type USB devices will be encrypted/decrypted. Solid-state type devices, such as Thumb Drives and Pen Drives will NOT be encrypted/decrypted.

If the device is not approved, the user will be prompted as to whether they want to add the device to their Trusted List.

N.B. The level of trust afforded to each device is decided purely by you, the user. KILGETTY just enforces that level of trust. KILGETTY does not give you any assurance about the device other than that it matches the specification of a device you have already agreed to trust.

The management of a KSM user's trusted device list is performed within the KSM using the USB Device Manager page. On this page it is possible to add devices to or remove devices from the currently logged in KSM user's trusted list, provided that the facility has been enabled by the KLM. Users who do not have these facilities granted must contact their KLM to get devices added or removed.

USB Monitor Icon
The USB Monitor is a KILGETTY component that provides you with an indication as to the current operating state of the USB port. It is also the component that interrogates the users' trusted device list and decides if the device is to be allowed to connect.

When you first boot the system, you will see, in the system tray (bottom right corner of the screen), one of the following icons:

N.B. If you do not see one of the icons then call Technical Support.
    no USB: Denotes that the USB Monitor is functioning correctly and there are no external USB devices attached to the system. External devices are those that are plugged into the ports on the PC, and not the HUBs directly attached to your computer's motherboard (either onboard or via PCI).
    USB good: Denotes that the USB Monitor is functioning correctly and there is at least one external USB device connected to the system. External devices are those that are plugged into the ports on the PC, and not the HUBs directly attached to your computer's motherboard (either onboard or via PCI).
    USB unknown: Denotes that the USB Monitor is having some problems communicating properly with the system. No USB devices will be usable should this icon be present. It is recommended that you log off and back on to the computer. If the problem persists, contact support.
    FlopMon Unknown: Denotes that the USB Monitor cannot communicate at all with the system. No USB devices will be usable should this icon be present. It is recommended that you log off and back on to the computer. If the problem persists, contact support.
When you first insert a device into the KILGETTY machine you will be prompted to provide your KSM username, password and TMD data.


This will only happen the first time you insert a device; after that, the USB Monitor remembers your details. These details are used to decrypt your personal trusted USB list.

If you enter your details incorrectly then you will have to either log out and log in again (entering them correctly this time) or stop the USB Monitor and restart it (from Task Manager). You only have one attempt at log in whilst the USB Monitor is running.

The USB Monitor will then interrogate the device you have just inserted and compare it against all devices in your list. If the device's attributes are already in your list then the device will work immediately.

If this was the only external USB device you had inserted, then the No external USB devices icon will change to USB Good.

If you do not have that device's details in your list or you have not yet created a list then you will be asked if you want to add that device to your list. This will be in the form of a prompt window.



If you select No then the device will not be allowed to communicate with the PC. If you later want to add this device, simply remove it from the port and insert it again. If you press Yes then you will be taken to the usual KSM login screen. Details of how to add a device are in Adding A Device.

When you remove a device you will see the icon switch back from USB Good to No external USB devices if this was the last external USB device connected to the system. If it was not the last device then the icon will remain as USB Good.

It is highly likely that some of the USB devices you insert will seem to register twice. These devices have an onboard HUB which, technically speaking, is another, different USB device located on the same physical device. Simply add both devices to your list.

Note If you have multiple devices to add (e.g. via a USB hub), it is worth opening the KSM before inserting the devices, as this will prevent you having to keep opening it and shutting it down.
Clicking on the USB Monitor icon
  • If you left mouse click the USB Monitor icon, you will be taken directly to the KSM log in page. Once you have logged in, you will be taken directly to the USB Manager page.
  • If you right mouse click the USB Monitor icon you will be shown an 'About' window message giving details about the USB Monitor version.
Hovering the mouse over the USB Monitor icon
  • If you hover the mouse over the USB Monitor icon, you will be given a textual display indicating the status of the icon. This will be of particular help to the visually impaired - or if you just forget what the icons represent.
USB Device Manager (KSM Property Page)
The USB Device Manager provides facilities to allow the addition and removal of USB devices to and from a KSM user's Trusted device list. Access to these facilities is only granted to the KLM by default. For all other users, permission has to be given by the KLM using the User Accounts Property Page.

Instructions for the operation of the USB Device Manager are provided below.

On first boot of Kilgetty, all USB device activity is disabled, as are the USB commands in the USB Device Manager. The Enable USB check box must be selected to enable the internal USB hubs and allow external USB devices to be attached. This will then enable all USB Device Manager controls, provided the user has the facility to use them.


                                                                                                                                
To disable USB device activity for all devices, deselect the USB Enable check box. This will block internal USB hubs and disable all USB Device Manager controls. The machine must be rebooted after altering the status of the USB Enable check box for changes to take effect.
Accessing the USB Device Manager
The USB Device Manager can be loaded in a variety of ways. These are:
  • Insert an unregistered USB device. A prompt will be displayed asking if the device should be added. If 'YES' is selected, the KSM will load with the USB Device Manager being the first page displayed.
  • Left-Click on the USB Monitor icon in the system tray. This will load the KSM with the USB Device Manager page as the first displayed.
  • Load the KSM in the usual way (by pressing Ctrl-Alt-Del & selecting the Kilgetty System Manager button) and navigate to the USB Device Manager Page.
Adding a device
When the USB Device Manager is loaded, it will display two lists and an empty information box.

The prohibited list contains all devices attached to the system that have not been blocked and are not in the KSM user's allowed list.

The allowed list contains those devices which have been added along with all internal USB hubs directly connected to the motherboard.

Internal devices are automatically added to every user's Allowed List and can be identified by the NON-REMOVABLE INTERNAL DEVICE text appearing in the device description when the device is selected.

Both of these lists will be updated if a device is inserted with the KSM running. It is possible some devices attached to the system have internal hubs, which means they will have more than 1 entry in the prohibited list. Both entries must be added to the allowed list for the device to work.

To add a device to the currently logged on KSM user's list, simply select the desired device from the prohibited list and press the Add button. When the device is selected, information about the device will be displayed in the bottom window of the USB Device Manager. Once the add button is pressed the device will be transferred to the allowed list. This change will not be written to file until the Confirm Changes button is pressed. If the Cancel button is pressed all changes will be lost.

It is only possible to select 1 device from a list at a time. If you wish to add all the devices in the prohibited list select the Add All button. This will copy every device in the prohibited list to the allowed list. This change will not be written to file until the Confirm Changes button is pressed. If the Cancel button is pressed all changes will be lost.

All USB devices have the facility to store a serial number which can be used to identify a particular device. If this serial number is not present then the device is non-unique. If a non-unique device is added to a trusted list, it is possible for the user to attach and use any device of the same model, whereas if the device is unique only the device added to the list can be used.

When the system detects a non-unique device a prompt will be displayed asking if the user is sure that they wish to add the device. The prompt for the addition of non-unique devices varies depending on whether the Add button or the Add All button has been selected. If the Add button is selected the prompt displayed is the same as the one shown below.

[Image: Add Button Non-Unique Prompt]

It has the following functionality:
  • Yes - The device is added to the allowed list and all devices of the same model can be used.
  • No - The device is not added to the allowed list.
For the Add All button the prompt will be the same as shown below.
[Image: Add All Non-Unique Prompt]

In this prompt the name of the non-unique device is displayed, and the buttons have the following functionality:
  • Yes - The device is added to the allowed list and all devices of the same model can be used. The next item in the prohibited list will be evaluated and added.
  • No - The device will not be added and the next device in the prohibited list will be evaluated and added.
  • Cancel - The device will not be added and the Add All procedure will be terminated.
Note At some point during the installation of a USB device the system may request the relevant device drivers to be loaded.
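
The matching rule described above for unique and non-unique devices, and the requirement to add every entry of a device with an onboard hub, can be modelled as follows. This is an added example, not Kilgetty code: the class and function names are hypothetical, "model" is assumed to mean the USB vendor ID and product ID pair, and the sample devices are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

Key = Tuple[int, int, Optional[str]]  # (vendor ID, product ID, serial or None)


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int          # assumption: "model" = vendor ID + product ID
    product_id: int
    serial: Optional[str]   # None when the device stores no serial number
    description: str = ""

    @property
    def is_unique(self) -> bool:
        return bool(self.serial)

    @property
    def key(self) -> Key:
        return (self.vendor_id, self.product_id, self.serial or None)


class TrustedList:
    """Per-user allowed list (hypothetical model, not Kilgetty's file format)."""

    def __init__(self) -> None:
        self._allowed: Set[Key] = set()

    def add(self, dev: UsbDevice) -> None:
        self._allowed.add(dev.key)

    def remove(self, dev: UsbDevice) -> None:
        self._allowed.discard(dev.key)

    def allows(self, dev: UsbDevice) -> bool:
        # A serial-less entry has key (vid, pid, None), so it matches every
        # serial-less device of that model: trust is per model, not per unit.
        return dev.key in self._allowed

    def physical_device_usable(self, parts: Iterable[UsbDevice]) -> bool:
        # A device with an onboard hub enumerates as several USB devices;
        # every one of them has to be in the allowed list.
        parts = list(parts)
        return bool(parts) and all(self.allows(p) for p in parts)

    def non_unique_entries(self) -> List[Key]:
        # Entries worth reviewing: each one admits a whole model.
        return sorted((k for k in self._allowed if k[2] is None),
                      key=lambda k: k[:2])


def demo() -> dict:
    # Constructed sample devices; the IDs and serial numbers are made up.
    disk_a = UsbDevice(0x1234, 0x0001, "SN-A1", "external disk A")
    disk_b = UsbDevice(0x1234, 0x0001, "SN-B2", "external disk B, same model")
    mouse_1 = UsbDevice(0x1234, 0x0002, None, "mouse, no serial")
    mouse_2 = UsbDevice(0x1234, 0x0002, None, "second mouse, same model")
    hub = UsbDevice(0x1234, 0x0003, None, "hub built into disk A enclosure")

    trusted = TrustedList()
    trusted.add(disk_a)
    trusted.add(mouse_1)
    results = {
        "same_unit": trusted.allows(disk_a),            # unique, exact unit
        "other_unit_same_model": trusted.allows(disk_b),
        "other_serial_less_unit": trusted.allows(mouse_2),
        "disk_with_hub_before": trusted.physical_device_usable([hub, disk_a]),
    }
    trusted.add(hub)
    results["disk_with_hub_after"] = trusted.physical_device_usable([hub, disk_a])
    results["review"] = trusted.non_unique_entries()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `review` result is the set of entries that admit any unit of a model, which is the list a KLM would want to check when auditing a user's trusted devices.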

Removing a device
The process of removing a USB device from a KSM user's trusted list is similar to that of adding one. The allowed list contains those devices which have been added and are approved for use.

It is possible some devices attached to the system have internal hubs, which means they will have more than 1 entry in the allowed list. Both entries must be removed from the prohibited list for the device to be fully blocked.

To remove a device from the currently logged on KSM user's list, simply select the desired device from the allowed list and press the Remove button. When the device is selected, information about the device will be displayed in the bottom window of the USB Device Manager. Once the Remove button is pressed the device will be transferred to the prohibited list. This change will not be written to file until the Confirm Changes button is pressed. If the Cancel button is pressed all changes will be lost.

In every user's trusted list there will be some devices that have not been added by the user. These are internal hubs that are directly connected to the system motherboard. These devices are automatically added to the trusted list as it would not be possible to use any other USB device without them. It is not possible to remove internal devices from the system; if an attempt is made, the following message box will appear.

[Image: Non-Removable Internal Device]
Internal USB devices can be identified by the NON-REMOVABLE INTERNAL DEVICE text appearing in the device description window when the device is selected.
Granting and removing users access to the USB Device Manager facilities
By default only the KLM, whose username and password are supplied during setup, has the ability to modify their own Trusted USB device list. For every other KSM account created this option is turned off.

To allow a user to add or remove USB devices to and from their Trusted USB device list, the facility must be added using the KSM User Accounts Property Page.

Adding USB User rights
To grant a user access to the USB Manager facilities the following procedure should be followed:
  1. Log into the KSM as the KLM or other user who is allowed to grant user facilities.
  2. Navigate to the User Accounts page.
  3. From the drop down box, select the KSM user who is to have the facilities granted.
  4. Highlight the relevant USB facility from the Functions Not Available list.
  5. Press Add.
  6. Repeat steps 4 and 5 for each of the desired USB Manager facilities.
  7. Users must also have the Confirm USB Changes facility.
  8. Once all the required facilities have been added, press Confirm Changes.
Note Changes will not be written to file unless the Confirm Changes button is pressed. Selecting OK without confirming the changes will lose all modifications.

The process for removing a user's access to the USB Device Manager facilities is similar to that of adding and is done in the KSM User Accounts Property Page. To remove a user's access to the USB Manager facilities the following procedure should be followed:
  1. Log into the KSM as the KLM or other user who is allowed to remove user facilities.
  2. Navigate to the User Accounts page.
  3. From the drop down box, select the KSM user who is to have the facilities removed.
  4. Highlight the relevant USB facility from the Functions Available list.
  5. Press Remove.
  6. Repeat steps 4 and 5 for each of the desired USB Manager facilities.
  7. Once all the required facilities have been added, press Confirm Changes.
Note Changes will not be written to file unless the Confirm Changes button is pressed. Selecting OK without confirming the changes will lose all modifications.

Managing Trusted USB lists for users who do not have access to the USB Manager Facilities
By default only the KLM, whose username and password are supplied during setup, has the ability to modify their own Trusted USB device list.

For every other KSM account created this option is turned off.

If the KSM user requires access to use a USB device but not access to the facilities to modify their Trusted USB list, then the KLM should modify the user's list.

The procedure for doing this is outlined below. It is assumed that the user account has already been created and that no devices have been inserted. If a device has been inserted please restart the machine.

  1. Log into the KSM as the KLM.
  2. Navigate to the User Accounts page.
  3. From the drop down box, select the KSM user who needs to use the device.
  4. Highlight the Add USB Device facility from the Functions Not Available list.
  5. Press Add.
  6. Press Confirm Changes and log out of the KSM.