SpyProof!®
Overview
SpyProof! allows you to create and manage sharable virtual disks
that provide transparent data encryption. Sensitive files on these
disks remain encrypted at all times. A special "mounting" process
(which requires user authentication) makes them accessible to your
applications.
To create a "SpyProof! disk," you open the Create Disk dialog
using the context menu associated with the SpyProof! icon in the
Windows system tray:

Simply name the disk, specify your credentials, select an encryption
cipher (128-, 192- or 256-bit AES), and specify the disk's location and
size:

You may set the Windows drive letter to be assigned to the mounted
disk (or simply let it default to the next available drive letter) and
control other options using the Options tab:

The Additional Users tab allows you to grant access to the disk to
others before it is created. Additional users may be added or removed
from the access control list (and the disk re-keyed) at any time.
When an authorized user "mounts" a SpyProof! disk using their private
key and password (or cryptographic token and PIN), Windows assigns a
drive letter to it. At this point the disk functions exactly like a
normal drive except that all data written to it is encrypted and all
data read from it into memory is decrypted on-the-fly. These cryptographic
operations are performed in a completely user-transparent manner. AES is so
fast you won’t even notice a decrease in disk I/O performance!
A user-configurable hotkey can be assigned to quickly unmount all mounted
disks. Individual disks can also be manually unmounted, or you can let Windows
unmount them when you log off, hibernate, or shut down your system.
SpyProof! may be used independently or alongside SecretAgent®. If
SecretAgent is installed, SpyProof! can use its profile settings and can
access all of your local, CAPI, and LDAP certificate stores. SpyProof!
also reads PolicyAgent registry settings so administrators can establish
a consistent security policy (including the specification of trusted root
certificates, the enforcement of CRL checking, etc.) for both SecretAgent
and SpyProof! using the same tool!
If SecretAgent is not installed, SpyProof! uses Windows’ native CAPI
module for private key storage, certificate retrieval and chain validation,
and PKCS#11 token support.
Sharing Encrypted Disks
You can easily "export" a SpyProof! disk on a local drive in order to
share it with the additional users you specified when you created it.
(SpyProof! disks located on a shared server do not need to be exported.)
You may also "import" a disk you receive from someone else.
Groups of users can securely share SpyProof! disks located on a
shared network drive. However, the current release of SpyProof! only
permits one authorized user to mount a disk at a time. Like books, disks
can be shared, but cannot be simultaneously used by more than one user.
Automount Feature
SpyProof! provides two mounting options for encrypted disks: manual and automount.

An automount disk is automatically available each time you start SpyProof!
and enter its password. Manual disks can be mounted at any time using the
context menu attached to SpyProof!’s system tray icon:

To change the type of a disk, select it in SpyProof!’s
Disk Manager and click the appropriate type button on the
toolbar. It’s that easy!
Key Recovery
SpyProof! supports (optional) data recovery without ever
compromising users’ private keys. Key Recovery Agents specified in a security
policy appear as (non-removable) additional users whenever a
SpyProof! disk is created.
PKCS#11 Support
SpyProof! supports the use of PKCS#11 cryptographic tokens
using either Microsoft CAPI or an appropriately configured
PolicyAgent profile. You can mount a token-encrypted SpyProof!
disk only by inserting your token and entering your PIN. (Once mounted,
the disk remains accessible even if the token is removed, but if you
unmount the disk, you must reinsert the token and re-enter your
PIN in order to remount the disk.)
SpyProof! has been tested with tokens from ActivCard, Aladdin,
Datakey, Gemplus, Litronic, Rainbow, and Schlumberger, and also
works with DoD Common Access Cards.