Sophos Disk Encryption 5.61 release notes

New in this release

Full Disk Encryption

With Full Disk Encryption, data on endpoint computers is protected against unauthorized access. Drives are encrypted transparently and Power-on Authentication (POA) provides an additional authentication mechanism before the operating system starts. You can manage Full Disk Encryption with Sophos Enterprise Console 5.1.

Note: Full Disk Encryption is not included with all licenses. If you want to use it, you might need to customize your license. For more information, see http://www.sophos.com/en-us/products/complete/comparison.aspx.

For more information about the new features, see the Sophos Enterprise Console Help and the Sophos Disk Encryption Help.

System requirements

Sophos Disk Encryption agent system requirements

Platforms supported | 32-bit | 64-bit | IA-64 (Itanium) | Recommended available disk space | Minimum RAM
Windows 7, SP1 Home Premium/Enterprise/Ultimate/Professional | Yes | Yes |  | 300 MB* | 1 GB**
Windows Vista SP1, SP2 Enterprise/Ultimate/Business | Yes | Yes |  | 300 MB* | 1 GB**
Windows XP Professional SP2, SP3 | Yes |  |  | 300 MB* | 1 GB**

*  The installation needs at least 300 MB of free hard disk space. For the Sophos Disk Encryption agent, at least 100 MB of this free space must be one contiguous area. If less than 5 GB of disk space is free and the operating system is not a fresh installation, defragment the system drive before installing to increase the chance that this contiguous area is available. Otherwise installation may fail with "not enough free contiguous space", and that condition is not supported.

** This memory space is recommended. Not all of this memory is used by Sophos Disk Encryption.

Required software: Internet Explorer version 6.0 or higher

Languages supported: English, French, German, Italian, Japanese, Spanish

SafeGuard Policy Editor system requirements

You only need to install SafeGuard Policy Editor 5.61 in one case: when you have multiple independent Sophos SafeGuard Disk Encryption/SafeGuard Easy 5.x environments with different company certificates and want to merge them into one environment, the company certificate change must be carried out in SafeGuard Policy Editor 5.61.

Platforms supported | 32-bit | 64-bit | IA-64 (Itanium) | Recommended available disk space | Minimum RAM
Windows 7, SP1 Enterprise/Ultimate/Professional | Yes | Yes |  | 1 GB | 1 GB*
Windows Vista SP1, SP2 Enterprise/Ultimate/Business | Yes | Yes |  | 1 GB | 1 GB*
Windows XP Professional SP2, SP3 | Yes |  |  | 1 GB | 1 GB*
Windows Server 2008 SP1, SP2 | Yes | Yes |  | 1 GB | 1 GB*
Windows Server 2008 R2, SP1 |  | Yes |  | 1 GB | 1 GB*
Windows Server 2003 SP1, SP2 | Yes | Yes |  | 1 GB | 1 GB*
Windows Server 2003 R2 SP1, SP2 | Yes | Yes |  | 1 GB | 1 GB*
Windows Small Business Server 2003, 2008, 2011 |  |  |  | 1 GB | 1 GB*

* This memory space is recommended. Not all of this memory is used by SafeGuard Policy Editor.

Required software: .NET Framework 3.0 SP1

Languages supported: English, French, German, Japanese

Keyboard layouts

Check the keyboard layouts that are supported at Power-on Authentication:

http://www.sophos.com/en-us/support/knowledgebase/112782.aspx.

Anti-virus products tested with Sophos Disk Encryption

Sophos Disk Encryption has been successfully tested against concurrent installations of anti-virus products by Sophos as well as the following:

Manufacturer | Product | Version
AVG | Free Anti-Virus Small Business Edition 2011 | 10.0.1153
Computer Associates | Security Center | 6.0.0.285
F-Secure | Anti Virus 2011 | 10.51
G Data | AntiVirus 2011 | 21.1.0.5
Kaspersky | Internet Security 2011 | 11.0.0.232
Symantec | Endpoint Protection | 11.0.6
Trend Micro | Titanium Internet Security 2011 |
McAfee | Internet Security 2011 |
Norman | Virus Control | 2010.02.22
Microsoft | Security Essentials |

Third-party encryption software detection

Deployment of Sophos Disk Encryption 5.61 has been tested to abort if any of the following third-party encryption software is detected on the endpoint computer:
  • Symantec PGP Desktop versions 10.0 and 10.1

  • TrueCrypt versions 6.3a and 7.0a

  • Checkpoint version 7.3va

  • McAfee version 1.2.0

  • Microsoft BitLocker Drive Encryption

Note: Always make sure that third-party encryption software has been uninstalled before you deploy Sophos Disk Encryption 5.61.

Known issues

General

  • Novell Client

    Using Sophos Disk Encryption 5.61 in combination with a Novell Client requires project-specific adaptations. Please contact Sophos Support for further information.

  • Fast user switching is not supported and must be disabled.

    Before the installation is started, it is verified that only one user is logged on. Logging on with another user during installation is not supported.

  • Floppy drive

    After installing Sophos Disk Encryption 5.61 on Windows Vista the built-in floppy drive is no longer available. This limitation does not apply to external floppy drives attached via the USB bus.

  • Partition resizing not supported

    Resizing any partition on an endpoint where Sophos Disk Encryption 5.61 is installed is not supported.

  • Boot time increase

    Boot time increases by about one minute after installing Sophos Disk Encryption 5.61 on an endpoint.

  • Virtualization platform support

    Sophos Disk Encryption only supports VMware Workstation and VMware Player as virtualization platforms. All other platforms, such as VMware ESX/ESXi Server, Microsoft Virtual PC or Microsoft Hyper-V, are not supported.

  • (DEF82166) On a Japanese operating system, logon recovery using Local Self Help may fail because Japanese characters cannot be entered at Power-on Authentication (POA).

    In the Local Self Help Wizard, on Japanese operating systems, users can define answers to questions for logon recovery in Japanese characters. But when answering these questions during logon recovery in the POA, Japanese characters are not supported. If the answers entered in the Wizard and in the POA do not match, logon cannot be recovered.

    Workaround: When entering answers in Japanese in the Local Self Help Wizard, you have to use Romaji (Roman) characters. Otherwise the answers will not match when you answer the questions in the POA.
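The system requirement footnote on contiguous free space, the third-party encryption software detection section and the fast user switching entry above each describe a condition that makes deployment fail. The following PowerShell script checks all of them on a candidate endpoint before the agent is pushed from Enterprise Console. It is an added example written for this page, not a Sophos tool: it assumes PowerShell 2.0 or later in an elevated session (the defragmentation analysis and the BitLocker WMI class need it), and the registry DisplayName patterns used to recognise the blocking products are assumptions you should adjust to what your estate actually has installed.

```powershell
# Added example (not a Sophos tool): pre-deployment checks for a Sophos Disk
# Encryption 5.61 endpoint. Assumes PowerShell 2.0 or later and an elevated
# session (WMI BitLocker and defragmentation queries). Thresholds and blocking
# products are taken from the release notes; the DisplayName patterns used to
# recognise those products are assumptions.

$requiredFreeMB   = 300        # total free space needed on the system drive
$requiredContigMB = 100        # single contiguous free area needed by the agent
$systemDrive      = $env:SystemDrive     # e.g. "C:"
$problems         = @()

# 1. Free space on the system drive (Win32_LogicalDisk.FreeSpace is in bytes).
$disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$systemDrive'"
$freeMB = [math]::Floor($disk.FreeSpace / 1MB)
if ($freeMB -lt $requiredFreeMB) {
    $problems += "Only $freeMB MB free on $systemDrive (need $requiredFreeMB MB)"
}

# 2. Largest contiguous free extent. Win32_Volume.DefragAnalysis() runs the same
#    analysis as 'defrag /A' and can take minutes; Win32_Volume is not available
#    on Windows XP, so run 'defrag C: -a -v' there and read the report instead.
$volume = Get-WmiObject Win32_Volume -Filter "DriveLetter='$systemDrive'"
if ($volume) {
    $result = $volume.DefragAnalysis()
    if ($result.ReturnValue -eq 0) {
        $contigMB = [math]::Floor($result.DefragAnalysis.LargestFreeSpaceExtent / 1MB)
        if ($contigMB -lt $requiredContigMB) {
            $problems += "Largest contiguous free area is $contigMB MB (need $requiredContigMB MB); defragment $systemDrive first"
        }
    } else {
        $problems += "DefragAnalysis returned $($result.ReturnValue); check contiguous free space manually"
    }
}

# 3. Fast user switching must be disabled (HideFastUserSwitching = 1) and only
#    one user may be logged on. Distinct owners of explorer.exe approximate the
#    set of interactive sessions on XP, Vista and 7 alike.
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if (-not $policy -or $policy.HideFastUserSwitching -ne 1) {
    $problems += "Fast user switching is not disabled by policy (HideFastUserSwitching is not 1)"
}
$owners = @{}
foreach ($proc in Get-WmiObject Win32_Process -Filter "Name='explorer.exe'") {
    $owner = $proc.GetOwner()
    if ($owner.ReturnValue -eq 0) { $owners["$($owner.Domain)\$($owner.User)"] = $true }
}
if ($owners.Count -gt 1) {
    $problems += "More than one user is logged on: $($owners.Keys -join ', ')"
}

# 4. Third-party encryption software listed as blocking deployment. The
#    DisplayName patterns are assumptions; adjust them to the products you ship.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$blockingPatterns = @('PGP Desktop', 'TrueCrypt', 'Check ?Point.*Encryption',
                      'McAfee.*Encryption', 'SafeGuard RemovableMedia')
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
             ForEach-Object { $_.DisplayName } | Where-Object { $_ }
foreach ($pattern in $blockingPatterns) {
    $hits = @($installed | Where-Object { $_ -match $pattern })
    if ($hits.Count -gt 0) {
        $problems += "Third-party encryption software present: $($hits -join ', ')"
    }
}

# 5. BitLocker: any volume that is not fully decrypted means BitLocker is in use.
#    Win32_EncryptableVolume exists only on BitLocker-capable editions of
#    Vista and later; on XP the query simply returns nothing.
$bdeVolumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                            -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
foreach ($vol in $bdeVolumes) {
    $status = $vol.GetConversionStatus()      # ConversionStatus 0 = fully decrypted
    if ($status.ReturnValue -eq 0 -and $status.ConversionStatus -ne 0) {
        $problems += "BitLocker is active on $($vol.DriveLetter) (conversion status $($status.ConversionStatus))"
    }
}

# Report: exit code 1 lets a deployment job stop before the agent is installed.
if ($problems.Count -eq 0) {
    Write-Output "Pre-deployment checks passed: endpoint is ready for Sophos Disk Encryption 5.61"
    exit 0
}
Write-Output "Endpoint is NOT ready for Sophos Disk Encryption 5.61:"
$problems | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Run it as a pre-task of the deployment job and gate the agent installation on the exit code. The defragmentation analysis is the slow part; on a fleet you may prefer to run it once as a separate scheduled task and only fail fast on the registry and WMI checks here.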

Encryption

  • (DEF69429) On some Toshiba OPAL disks, OPAL mode encryption may fail if the first partition is not located at the beginning of the disk

    The TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal) requires a so-called Shadow MBR area of at least 128 MB. On Toshiba OPAL disks with firmware version MGT00A this area is not completely accessible for reading and writing. If the start sector of the disk's start partition falls within the sector range of the inaccessible area, Sophos Disk Encryption cannot activate OPAL encryption for that drive.

    Workaround: Relocate the start partition to the beginning of the disk.

  • (DEF69695) OPAL restrictions

    The Sophos Disk Encryption support for OPAL self-encrypting drives has the following limitations:

    • OPAL mode encryption can only be activated for one OPAL drive per machine.
    • If more than one OPAL drive is present and an encryption policy is assigned to any of their volumes, those volumes are software-encrypted just as on a non-self-encrypting drive. This implies that a RAID configuration with more than one OPAL drive is always software-encrypted.
    • If an OPAL drive contains more than one volume, the OPAL encryption activation state applies to all volumes simultaneously.
    • The first sector of the start partition of the disk must be located within the first 128 MB.
  • (DEF70019) Do not use Windows Hybrid Sleep mode on OPAL machines

    On computers with an OPAL self-encrypting drive, activating Allow hybrid sleep in the Advanced Power Options dialog may lead to errors during the wake-from-sleep (resume) procedure, with the loss of all data that was not saved to disk before the computer was put to sleep.

  • (DEF69207) OPAL Self Encrypting Drives become unusable in case of a lost encryption key

    According to the TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal), there is no way to access an activated drive if the credentials for unlocking it are lost. The disk then becomes completely unusable. This contrasts with a disk encrypted via software, where the data is lost too but the hardware can be reused after reformatting. Sophos Disk Encryption prompts the user to back up the key file; if that backup is lost as well, the scenario described here applies.

  • (DEF69207) OPAL Self Encrypting Drives need to be permanently unlocked before being reformatted/reimaged

    Self Encrypting Drives must be reset to their factory state before they can be reformatted or reimaged. For scenarios where this cannot be achieved by a regular decryption or by uninstalling Sophos Disk Encryption, a tool (OPALEmergencyDecrypt.exe) is available to permanently reset an OPAL drive managed by Sophos Disk Encryption. For security reasons, this tool is available only from Sophos Customer Service.

  • (DEF66126) Resume from Sleep fails when Windows' MSAHCI driver is installed on a computer with an activated OPAL drive

    When the machine is suspended to Sleep mode, resume fails if Microsoft's MSAHCI hard disk driver is installed. MSAHCI was introduced with Windows Vista, so this issue applies to Windows Vista and Windows 7 but not to Windows XP.

    Workarounds:

    • If the hardware configuration allows it, use the vendor's storage driver instead, for example Intel's iaStor driver; the "Intel RST driver package v10.1.0.1008" has been tested successfully.
    • Change the BIOS setting for the hard disk controller (SATA Mode, ATA Controller Mode, IDE Controller Mode, ...) to Compatibility Mode. On most BIOSes this means selecting a value other than AHCI (IDE, Compatibility, ...).

  • (DEF68440) Security concerns when using Solid State Drives (SSD)

    On current SSDs, it is impossible for any software (including the operating system) to determine the exact physical location where data is stored on the SSD. The controller, an essential component of every SSD, simulates the external behaviour of a platter drive while doing something completely different internally. This has several implications for the security of the stored data; see http://www.sophos.com/en-us/support/knowledgebase/113334.aspx. The most important one is this: only data written to an SSD volume after an encryption policy has been activated is cryptographically secure. In turn, any data that was already on the SSD before the initial encryption by Sophos Disk Encryption started cannot be guaranteed to have been completely physically erased from the SSD once the initial encryption has finished. Note that this issue is not specific to Sophos Disk Encryption but applies to any software-based full disk encryption system.

  • (DEF65729, DEF66438, DEF58796) Full disk encryption of removable eSATA drives does not work as expected

    Currently, most external eSATA drives fail to advertise themselves as removable devices. Sophos Disk Encryption therefore treats them as internal drives and applies all corresponding policies. We do not recommend using eSATA drives in a Sophos full disk encryption environment unless the applied encryption policies explicitly take this into account.

  • Encryption of Virtual Drives

    Virtual drives that are mounted on the endpoint (e.g. VHD file into Windows using Microsoft Virtual Server mounter) are considered as local hard drives and therefore their contents will be encrypted too if an encryption policy for other volumes is defined.

  • During the initial encryption of the system partition (i.e. the partition, where the hiberfil.sys file is located) Suspend to disk may fail and should therefore be avoided. After the initial encryption of the system partition a restart is required before Suspend to disk works properly again.
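Three of the OPAL entries above (DEF69429/DEF69695: the first partition must start within the first 128 MB; DEF70019: hybrid sleep must be off; DEF66126: Microsoft's in-box AHCI driver breaks resume) can be verified on the endpoint before OPAL mode encryption is activated. The following PowerShell script is an added example written for this page, not a Sophos tool. It assumes an elevated PowerShell 2.0 session on Windows Vista or 7 (the powercfg scheme aliases it queries do not exist on Windows XP), English powercfg output for the text match, and that Win32_DiskPartition reports StartingOffset and BlockSize in bytes; it reports findings rather than changing anything.

```powershell
# Added example (not a Sophos tool): checks for the OPAL-related known issues
# DEF69429/DEF69695, DEF70019 and DEF66126. Assumes an elevated PowerShell 2.0
# session on Windows Vista or 7 (the powercfg aliases below do not exist on XP)
# and English powercfg output. Win32_DiskPartition offsets are in bytes.

$shadowMbrLimit = 128MB     # size of the Shadow MBR area required by the TCG OPAL specification
$findings = @()

# 1. The first partition on each physical disk must start within the first 128 MB.
$partitions = Get-WmiObject Win32_DiskPartition | Sort-Object DiskIndex, StartingOffset
$seenDisks  = @{}
foreach ($part in $partitions) {
    if ($seenDisks.ContainsKey($part.DiskIndex)) { continue }    # lowest offset per disk only
    $seenDisks[$part.DiskIndex] = $true
    $startSector = [uint64]($part.StartingOffset / $part.BlockSize)
    $startMB     = [math]::Round($part.StartingOffset / 1MB, 2)
    if ($part.StartingOffset -ge $shadowMbrLimit) {
        $findings += "Disk $($part.DiskIndex): first partition starts at sector $startSector ($startMB MB), outside the 128 MB Shadow MBR range; relocate it to the beginning of the disk before enabling OPAL mode"
    } else {
        Write-Output "Disk $($part.DiskIndex): first partition starts at sector $startSector ($startMB MB), inside the 128 MB range"
    }
}

# 2. Hybrid sleep must be off on OPAL machines. Read the current AC and DC
#    values of the active scheme; the fix is shown rather than applied.
$query = & powercfg -query SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 2>&1
foreach ($line in $query) {
    if ($line -match 'Current (AC|DC) Power Setting Index:\s+0x([0-9A-Fa-f]+)') {
        $source = $matches[1]
        if ([Convert]::ToInt32($matches[2], 16) -ne 0) {
            $findings += "Hybrid sleep is enabled on $source power; disable it with: powercfg -set$($source.ToLower())valueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0 (then powercfg -setactive SCHEME_CURRENT)"
        }
    }
}

# 3. Microsoft's in-box AHCI driver breaks resume from sleep with an activated
#    OPAL drive. List the drivers bound to storage controllers and flag it.
$controllers = Get-WmiObject Win32_PnPSignedDriver |
               Where-Object { $_.DeviceClass -eq 'HDC' -or $_.DeviceClass -eq 'SCSIADAPTER' }
foreach ($drv in $controllers) {
    Write-Output "Storage controller: $($drv.DeviceName) [$($drv.DriverProviderName), $($drv.InfName) $($drv.DriverVersion)]"
    if ($drv.DriverProviderName -eq 'Microsoft' -and $drv.DeviceName -match 'AHCI') {
        $findings += "Microsoft in-box AHCI driver bound to '$($drv.DeviceName)'; install the vendor driver (e.g. Intel RST/iaStor) or set the BIOS SATA mode to IDE/Compatibility"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No OPAL-related blockers found"
    exit 0
}
Write-Output "OPAL-related issues to resolve before activating OPAL mode encryption:"
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

A Windows 7 installation normally places the first partition at sector 2048 (1 MB) and Windows XP at sector 63, both well inside the 128 MB range; the check matters for disks that were partitioned by imaging tools or had a leading partition deleted. The partition check is also worth keeping in the script on non-OPAL machines, since the sub-list above lists it as a general restriction.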

Windows XP

  • On some machines, Microsoft Windows XP up to Service Pack 2 has a problem where a resume after standby does not show the locked desktop but opens the user desktop directly. The problem also applies to endpoints with Sophos Disk Encryption. It should be fixed with Windows XP SP3.
  • Microsoft Windows XP has a technical limitation in its kernel stack. If several file system filter drivers (for example anti-virus software) are installed, the available memory might not be sufficient and a BSOD can result. Sophos cannot be held liable for this Windows limitation and cannot resolve it.

Compatibility

  • (WKI81667) SDE 5.61 is not compatible with third-party full disk encryption solutions such as Microsoft BitLocker Drive Encryption and cannot be used on the same endpoint.

    If SDE 5.61 is installed on an endpoint but the drive is not encrypted and then Microsoft BitLocker Drive encryption is installed on top and used to protect the endpoint, the LocalCache will be corrupted causing the endpoint to restart. Further restarts then result in a restart loop.

    Workaround: Do not install third-party full disk encryption solutions on an endpoint with SDE 5.61 installed.

  • (DEF69644) SafeGuard LAN Crypt needs a repair when the Sophos Disk Encryption 5.61 agent is uninstalled on the same computer.

    Uninstalling Sophos Disk Encryption 5.61 on a computer that has the SafeGuard LAN Crypt Client (SGLC) installed leads to an internal driver error when the user tries to load their SGLC keyring.

    Workaround: Run a repair installation of the SafeGuard LAN Crypt Client package.

  • (DEF69092) SafeGuard RemovableMedia and Sophos Disk Encryption 5.61 cannot be run on the same endpoint. The discontinued SafeGuard RemovableMedia product must be uninstalled before using any Sophos Disk Encryption 5.61 components on the same computer.
  • Empirum Security Suite Agent

    If Sophos Disk Encryption 5.61 software is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD:

    BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS

    This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite. Please contact Matrix42 support for latest details/updates on this issue.

  • AbsoluteSoftware Computrace

    Sophos Disk Encryption 5.61 fails to install on endpoints which have AbsoluteSoftware Computrace with activated track-0 based persistent agent installed.

  • Compatibility with imaging tools has not been tested and is therefore not supported by Sophos.

Upgrading

  • When upgrading from Sophos SafeGuard Disk Encryption/SafeGuard Easy 5.x to Sophos Disk Encryption 5.61, POA bitmaps are not updated to the new Sophos branding.

  • When upgrading to SafeGuard Enterprise managed encryption, the SafeGuard Management Center and SafeGuard Enterprise Server must have at least version 6.0.

Resolved issues

  • (DEF76145) Sophos Disk Encryption Help launched from "User Machine Assignments" dialog did not display the help page

    Clicking on the help button on the "User Machine Assignments" dialog now launches the corresponding help page.

  • (DEF79546) Sophos Disk Encryption POA-only deployment and restart was not correctly reported

    Users are now prompted to do a further restart after encryption agent installation to activate POA.

  • (DEF78786) POA exceptions not working as expected

    POA exceptions now take effect as expected on the encryption agent.

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2012 Sophos Group. All rights reserved. SafeGuard is a registered trademark of Sophos Group.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

You can find copyright information on third-party suppliers in the Disclaimer and Copyright for 3rd Party Software document in your product directory.