README File for SafeGuard PrivateDisk 2.50.0


1. System Requirements


A desktop computer with Microsoft Windows XP (32-bit),

Windows Vista (32-bit, 64-bit) or Windows 7 (32-bit, 64-bit),

In each case the latest service pack.


2. Software Versions


SafeGuard PrivateDisk is available in three different versions:

- Demo Version: This is a fully functional Personal Edition for

  evaluation purposes that works for 30 days without limitation.

  After that, disks can only be mounted for read access until the

  product is bought through the Sophos webshop. A splash screen

  is shown, additionally, as long as the product has not been bought.

- Personal Edition: This is the basic version for single workstations.

- Enterprise Edition: This is for enterprise customers. It has the

  following improvements over the Personal Edition:

  + Central administration through policies (administrative templates)

  + Improved certificate checking

- In Windows Vista and Windows 7, the formatting of new volumes

  is time-consuming. The optimization is planned for the next release.


3. Version Information


SafeGuard PrivateDisk 2.50.0 contains the following improvements over

version 2.30.3:

- Reduced file operations in the background. 

- "PDCMD.exe /new" corrected for background initialize.

- "PDCMD.exe /new" corrected. No more adding an administrator certificate

  to the volume.

- Volume Files on removable media are marked as "hotplug" to disable

  the write cache of the operating system.

- PDPortable performance for NTFS Volumes optimized.

- PDPortable problem on large NTFS Volumes on removable

  media solved.

- PDPortable support for keyring implemented.

- Shell extension for 64 Bit operating systems corrected.

- New GPO attribute: maximum container size.

- New GPO attribute: container only allowed on specified directories.

- New branding for Sophos.

- New setup for Japanese.


SafeGuard PrivateDisk 2.30.3 contains the following improvements over

version 2.30.2:

- In some cases a damaged volume leads to an error while reading the header information.

-  For users without administrator rights it was not possible to format a new volume file within the background initialization.


SafeGuard PrivateDisk 2.30.2 contains the following improvements over

version 2.30.1:

- The feature "simulate harddisk" was improved for Vista.

- For this version we recommend to uninstall the old software and reinstall the new version. Please do not perform an update installation.

- In this version we have the following limitation for Windows Vista: Volumes with the attribute "simulate fixed disk" can only be mounted by administrators, if they start the pdisk.exe with "run as administrator". For normal users the attribute "simulate fixed disk" is disabled.


SafeGuard PrivateDisk 2.30.1 contains the following improvements over

version 2.30:

- Error corrections.


SafeGuard PrivateDisk 2.30 contains the following improvements

over version 2.02.0:

- Support for 64 bit operating systems with a 64 bit driver. Tested with Windows XP, Vista and Server 2003.

- Increase in performance for initializing new drives.

- Interruption of initialization of new volumes is handled and continued at next restart.

- Support for Sophos keyring by SafeGuard Enterprise.

- Function to log off from master password.

- Recovery certificates are searched in HKLM and HKCU.

- Function to create a backup header via the context menu

- Support of NTFS volumes in portable reader. Compressed and encrypted drives from windows operating systems are not supported.

- Portable reader shows long filenames in FAT drives correct.

- Group Policies (GPO) are enhanced.

- Disabling of "Single Login" in the GPO.

- New GPO option "ForceUnmount".

- The portable reader will be copied to the volume file.

- In this version Portable Reader cannot open volume files which are protected with a keyring passphrase.


SafeGuard PrivateDisk 2.02.0 contains the following improvements

over version 2.01.0:

- The check box 'Add SafeGuard PrivateDisk Portable' in the 'New Disk

  Wizard' is always enabled if PDPortable.exe can be found in the

  application directory of SafeGuard PrivateDisk.


SafeGuard PrivateDisk 2.01.0 contains the following improvements

over version 2.00.1:

- New Disk Wizard contains a check box where you can select to

  add the application PD Portable to the destination directory of the

  newly created PrivateDisk volume in case it is located on removable media.


SafeGuard PrivateDisk 2.00.1 contains the following improvements

over version 1.11.1:


- Support of encryption algorithm AES-256.

  To create disks compatible with versions before 2.00 you can still

  use AES-128. To have the highest possible security level, create

  a disk with AES-256.


- Support of more than one recovery certificate (Enterprise Edition only)



4. Installation


Administrative privileges are required to install the software.


Simply execute the SafeGuard PrivateDisk MSI package to install

the software.


It is possible to install the software on a network location. Note that

in this case some files might be left over in the installation directory

after uninstallation.


When installing the software with Active Directory (GPO), the

following issues should be considered:

- SafeGuard PrivateDisk can only be installed per computer

  (Computer Configuration), not for single users (User Configuration).

- If a program package has a different language than the operating

  system of the client machine, then the setting “Ignore language

  when deploying this package” must be enabled for the package,

  otherwise the software will not be installed automatically.


5. Notes


* Single Login Password


The single login password is not shared between the multiple

modules of SafeGuard PrivateDisk. If you mount some disks from

within the main application and some others using the tray icon or

the shell extension and you are using the single login feature, then

you will have to enter the single login password more than once.


* Recovery Certifcate (Enterprise Edition Feature)


The administrative template (ADM) of the Enterprise Edition can

be used to define a recovery certificate, which is added automatically

to new PrivateDisk volumes. This feature can be used by security

administrators to gain access to encrypted data of users, e.g. after

a user left the company or when users forget their passwords.


Note that the recovery certificate is only identified by its serial number,

which is not always unique (there might be multiple certificates with

identical serial numbers from different issuers). In that case the

first certificate found would be entered as recovery certificate.

The next version of PrivateDisk will be able to exactly specify

the recovery certificate.


6. Known Issues


* Sharing of removable volumes


In Windows Vista and Windows 7 users can

share removable media.

This feature is not yet supported by PrivateDisk.

Currently only drives with the attribute

"fixed disk" can be shared by the administrator.


* Renaming of volumes


Sporadically an error appeared in the test, so volumes

In the PrivateDisk GUI could not be renamed.

After restarting the GUI the renaming of volumes is possible.


* Volume names with special characters


Windows XP and Vista: A virtual disk with a name which contains

special characters and letters an error message does not appear
during creation, but during the mounting of a disk.

In Windows 7 special characters are allowed.


* Uninstallation of Sophos Products


When uninstalling SafeGuard Biometrics 1.60, SafeGuard Advanced

Security 3.10 or older versions of this software, the ADM template

files are deleted. Please run a "Repair" command for the

SafeGuard PrivateDisk installation (Control Panel / Add or Remove

Programs / SafeGuard PrivateDisk / Change) to restore the files.


* SafeGuard LAN Crypt 2.10 and 2.00


The definition of a LAN Crypt profile for encrypting whole PrivateDisk

drives (e.g. “P:\*.*”) leads to an encryption of all files on all drives!

This issue will be solved in later releases of SafeGuard LAN Crypt.


Encrypting PrivateDisk volume files (*.vol) with SafeGuard LAN Crypt

is not possible.


* Drive label for PrivateDisk Drive replaced by removable storage

  device label


In some situations, the drive label assigned to a PrivateDisk may get

re-assigned to another removable storage device. When this occurs, the drive

letter for the PrivateDisk will display the drive label for a newly attached device,

even though the PrivateDisk can be accessed using the drive and not the newly

attached device. If this occurs, un-mount the affected PrivateDisk and re-mount

it to ensure access to both devices.


* PrivateDisk Volume-Files on removable media that get different drive letters



PrivateDisk keeps a list of previously used volume files using their fully

qualified path name. In case that the volume file resides on a removable

media for which the drive letter has changed, e.g. a USB memory stick or a network

share, the volume file can no longer be located using its original file name,

thus marking its entry in PrivateDisk accordingly. In order to mount this particular

volume file again it has to be imported from the new drive with the changed

drive letter using the ‘File Import…’ function.


* Loss of data when writing to a PrivateDisk


When storing data onto a PrivateDisk whose volume file is located

on a removable USB drive or a network share that is accessed via WLAN

it may occasionally happen, caused by the delayed write operation of the

file system cache, that the stored data is lost in case that access to the

volume file can no longer be accessed. This can happen if removable

media is removed suddenly after the write operation has finished, or the

connection to a wireless LAN connection is broken. Therefore it is strongly

recommended not to remove any removable storage device that has a

a PrivateDisk mounted without un-mounting it before. Besides that it is

not recommended to access PrivateDisk via wireless network connections

that cannot ensure trouble-free operation.



March, 28th 2011, Sophos, Abingdon, UK