SafeGuard Easy (SGE) / Sophos Safeguard Disk Encryption (SDE) 5.60.0 Release Notes
Applies to the following Sophos product(s) and version(s)
Sophos SafeGuard Disk Encryption 5.60.0
SafeGuard Easy 5.60.0
All information applies to both SafeGuard Easy (SGE) and Sophos SafeGuard Disk Encryption (SDE) unless otherwise specified.
|Platforms supported ||x86 |
|IA-64 (Itanium) |
|Operating system ||Available disk space ||Memory (RAM) |
|SafeGuard Easy / Sophos SafeGuard Disk Encryption - Device Encryption / Data Exchange |
|Windows 7, SP1 Enterprise/Ultimate/Professional ||300 MB* ||1 GB** |
|Windows Vista SP1, SP2 Enterprise/Ultimate/Business ||300 MB* ||1 GB** |
|Windows XP Professional SP2, SP3 ||300 MB* ||1 GB** |
|SafeGuard Easy / Sophos SafeGuard Disk Encryption - Policy Editor |
|Windows 7, SP1 Enterprise/Ultimate/Professional ||1 GB ||1 GB** |
|Windows Vista SP1, SP2 Enterprise/Ultimate/Business ||1 GB ||1 GB** |
|Windows XP Professional SP2, SP3 ||1 GB ||1 GB** |
|Windows Server 2008 SP1, SP2 ||1 GB || |
|Windows Server 2008 R2, SP1 ||1 GB || |
|Windows Server 2003 SP1, SP2 ||1 GB || |
|Windows Server 2003 R2 SP1, SP2 ||1 GB || |
|Windows Small Business Server 2003, 2008, 2011 ||1 GB || |
* The installation needs at least 300 MB of free hard disk space. For Device Encryption, at least 100 MB of this free space must be a single contiguous area. If the operating system is not freshly installed and less than 5 GB are free, defragment the system partition before installation to increase the chance that such a contiguous area exists. Otherwise the installation may fail with "not enough free contiguous space", which is not a supported condition.
** This is the memory (RAM) recommended for the PC as a whole; SafeGuard Easy itself uses only part of it.
Device Encryption / Data Exchange:
Internet Explorer Version 6.0 or higher
.NET Framework 3.0 SP1
Resolved issues
• Fix for the potential security vulnerability described in KBA112655
• SGNRUNTimeClient caused a BSOD on Vista 64-bit under certain circumstances
• Other resolved issues
Known issues
Data Exchange Client (SafeGuard Easy only)
• User elevation for encrypted executables
If an encrypted executable or installation package is started on Windows Vista or Windows 7 and requires user elevation (UAC), the elevation may not take place and the executable is not started.
• SafeGuard Portable Link on Read-Only Media
The link to the SafeGuard Portable application that is created in the root of a removable medium may not work under certain conditions (Windows 7 only). When the medium is inserted into a machine where it receives a drive letter different from the one it had when SafeGuard Portable was copied to it, the link is broken if that machine also has a drive with the original letter. For example: the SafeGuard Portable link was created while the medium was drive D:. The medium is then used on a different machine as drive E:. If this machine also has a drive D:, the link is broken; otherwise it works as expected.
• Access to Key Ring after closing a Remote Session
A user's key ring is no longer accessible after an established remote session to the machine has been closed. The client machine has to be rebooted to restore full access to the user's key ring; simply logging off and on again is not sufficient.
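The SafeGuard Portable link issue above can be repaired on the medium itself. The script below is an added example for these release notes, not a Sophos tool. It assumes the link is an ordinary Windows .lnk shortcut in the root of the removable drive whose target lives on that same medium (for example a target created as E:\... that now has to read D:\...); shortcuts pointing elsewhere are left untouched.

```powershell
# Repair .lnk shortcuts in the root of a removable drive that still point at the
# drive letter the medium had when they were created.
# Added example, not part of SafeGuard Easy. Assumption: the shortcut target is on
# this medium, so only the drive letter has to change.
param([Parameter(Mandatory=$true)][string]$Drive)   # current letter of the medium, e.g. "D:"

$Drive = $Drive.TrimEnd('\')
$shell = New-Object -ComObject WScript.Shell
$fixed = 0

foreach ($lnk in Get-ChildItem -Path "$Drive\" -Filter '*.lnk' -ErrorAction SilentlyContinue) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    if (-not $sc.TargetPath) { continue }

    # Drive letter the shortcut was created with, e.g. "E:" (UNC targets give a share root
    # here and fall through the existence check below).
    $oldDrive = [IO.Path]::GetPathRoot($sc.TargetPath).TrimEnd('\')
    if ($oldDrive -eq $Drive) { continue }          # already correct

    # Rewrite only if the same relative path exists on this medium; otherwise the
    # shortcut really points to another drive and must not be touched.
    $newTarget = $Drive + $sc.TargetPath.Substring($oldDrive.Length)
    if (-not (Test-Path -LiteralPath $newTarget)) { continue }

    $sc.TargetPath = $newTarget
    if ($sc.WorkingDirectory -and $sc.WorkingDirectory.StartsWith($oldDrive, 'OrdinalIgnoreCase')) {
        $sc.WorkingDirectory = $Drive + $sc.WorkingDirectory.Substring($oldDrive.Length)
    }
    $sc.Save()
    Write-Host ("{0}: {1} -> {2}" -f $lnk.Name, $sc.TargetPath, $newTarget)
    $fixed++
}
Write-Host "$fixed shortcut(s) updated on $Drive"
```

Run it as `.\Repair-PortableLink.ps1 -Drive E:` (script name assumed) after inserting the medium; because it only rewrites a shortcut when the target path exists on the new drive letter, a shortcut that legitimately points at another machine's fixed drive is left alone.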
Device Encryption Client
• Windows' Safe Mode boot option, graphics driver updates and accessibility from Windows PE may be impaired depending on the installed BIOS version
Certain BIOS versions (listed in the KBA referenced below) have been shown to produce a black screen when the graphics card is driven by Windows' generic graphics driver instead of the manufacturer's dedicated driver while SafeGuard Enterprise is installed. Although this is not a common configuration during normal operation of the operating system, it is the default in these scenarios:
- the user has chosen to start Windows in Safe Mode
- the machine has been booted into Windows PE from an external medium
- the manufacturer's graphics driver is being updated "on the fly" while Windows is running
When the SGN installer detects that the machine's BIOS matches one known to be affected,
- and the generic Windows graphics driver is in use, it automatically aborts the installation to avoid leaving the machine inaccessible;
- and the graphics card's manufacturer driver is in use, it warns that the BIOS version should be changed and asks the user whether to proceed with the installation.
Install one of the recommended BIOS versions listed in http://www.sophos.com/support/knowledgebase/article/113426.html.
Sophos is in contact with the BIOS and hardware vendors to resolve the BIOS issues. A workaround that circumvents them is also being researched for a future version of SafeGuard Enterprise.
• Resume from hibernation fails on some Lenovo machines running Win 7 SP1
Sophos has identified an issue with Windows 7 Service Pack 1 (32-bit and 64-bit) on Lenovo machines with Core i3/i5/i7 processors and the corresponding chipset. On these machines resume from hibernation does not work once SafeGuard Easy is installed: the machine does not resume and remains at a black screen after the POA. The issue has been reported for these Lenovo models so far: T510, X201, W701ds.
Machines without Service Pack 1 are not affected.
No issues have been reported so far for other vendors' machines (e.g. Dell, HP) with Intel Core iX processors. The issue is not specific to 5.60; it was reported with 5.50.8 as well.
Further information can be found at http://www.sophos.com/support/knowledgebase/article/113546.html.
• Wrong Log Time for POA Autologon entries in the Event Viewer of the Management Center
Until the first logon to Windows has taken place, the POA tags its events with the timestamp provided by the BIOS. This timestamp is local to the machine and carries no time zone information, so the log entries may not appear in the correct chronological order in the Management Center. Once the user has booted into Windows, the POA receives the correct time zone settings and subsequent log events show the correct Log Time.
• Partition resizing not supported
Resizing any partition on a machine where SafeGuard Easy Volume Based Encryption is installed is not supported.
• Local Self Help is silently disabled when user changes password on a different machine
When a SafeGuard Easy user is registered on more than one machine with Local Self Help activated, changing her password on one machine disables the feature on all machines other than the one where the change was made. When she logs on to one of the other machines, no notification informs her of this change.
Reactivate Local Self Help on all affected machines; this requires answering the LSH Activation Wizard questions again.
• The SafeGuard Easy installation must be started from within a Windows administrator's own logon session. Starting the installation via "Run as administrator" is not supported.
• Installation of the client configuration package
After installation of the client configuration package, the user should wait for ~5-10 seconds before acknowledging the final reboot. Then, after rebooting, the user should wait again for approximately 3 minutes at the Windows logon screen before proceeding to log on. Otherwise, the initial user synchronization may not be completed until rebooting again.
• BitLocker To Go-encrypted devices may prevent Device Encryption installation
If a BitLocker To Go-encrypted USB stick is attached while SafeGuard Easy is being set up, the installation fails: Windows reports the system as BitLocker-enabled, which the DE client installer treats as a failure condition. Remove any BitLocker To Go-encrypted devices before installing SafeGuard Easy DE.
• Boot time
Boot time increases by about one minute after installing the SafeGuard Easy Client software.
• It is recommended to reboot a SafeGuard Easy Client PC at least once after activating the Power-on Authentication. SafeGuard Easy backs up its kernel data on every Windows boot; this backup never happens if the PC is only hibernated or put into stand-by mode.
• On some Toshiba OPAL disks, OPAL mode encryption may fail if first partition is not located at the beginning of the disk
The TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal) requires a so-called Shadow MBR area of at least 128 MB. If this area is not completely accessible for reading and writing, which is the case for Toshiba OPAL disks with firmware version MGT00A, and the start sector of the disk's start partition falls within the sector range of the inaccessible area, SafeGuard Easy cannot activate OPAL encryption for that drive.
This issue has been reported to Toshiba and is expected to be fixed in an upcoming firmware version for these drives.
Workaround: relocate the start partition to the beginning of the disk.
• OPAL restrictions
As of version 5.60, SafeGuard Easy support for OPAL self-encrypting drives has the following limitations:
- OPAL mode encryption can be activated for only one OPAL drive per machine.
- If more than one OPAL drive is present and an encryption policy is assigned to any of the other drives' volumes, those volumes are software-encrypted, just as on a non-self-encrypting drive.
This implies that a RAID configuration with more than one OPAL drive is always software-encrypted.
- If an OPAL drive contains more than one volume, the OPAL encryption activation state applies to all of its volumes simultaneously.
- The first sector of the disk's start partition must be located within the first 128 MB.
• Do not use Windows‘ Hybrid Sleep setting on OPAL machines
On computers with an SGN-managed OPAL self-encrypting drive, activating the "Allow hybrid sleep" option in the Advanced Power Options settings may cause errors during the wake-from-sleep (resume) procedure, which can mean the loss of all data that was not saved to disk before the computer was put to sleep.
• OPAL Self Encrypting Drives become unusable in case of a lost encryption key
According to the TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal), there is no way to access an activated drive in case the credentials for unlocking the drive are lost.
This means the disk becomes completely unusable, in contrast to a software-encrypted disk, where the data is lost too but the hardware can be reused after reformatting.
SafeGuard Easy either stores the encryption keys automatically in its database as soon as an encryption policy has been applied (managed clients) or prompts the user to back up the key file (standalone clients); if this data is lost, the scenario described above applies.
• OPAL Self Encrypting Drives need to be permanently unlocked before being reformatted/reimaged
Self Encrypting Drives must be reset to their factory state before they can be reformatted or reimaged. For scenarios where this cannot be achieved by a "regular" decryption or by uninstalling SafeGuard Easy, a tool (OPALEmergencyDecrypt.exe) is available to permanently reset a SafeGuard Easy-managed OPAL drive. For security reasons, this tool is not included in the tools folder but is available from Sophos customer service.
• Resume from Sleep fails when Windows' MSAHCI driver is installed on a machine with an activated OPAL drive
When a machine is suspended to Sleep mode, the resume fails if Microsoft's MSAHCI hard disk driver is installed. MSAHCI was introduced with Windows Vista, so this issue applies to Windows Vista and Windows 7, but not to Windows XP. Workarounds:
- If applicable to the hardware configuration, use the appropriate IAStore driver instead. The "Intel RST driver package v10.1.0.1008" has been tested successfully.
- Change the BIOS setting for the hard disk controller (e.g. SATA Mode, ATA Controller Mode, IDE Controller Mode, ...) to Compatibility Mode. On most BIOSes this means selecting a value other than AHCI (e.g. IDE, Compatibility, ...).
• Security concerns when using Solid State Drives
On current SSDs it is impossible for any software (including the operating system) to determine the exact physical location at which a given piece of data is stored. The controller, an essential component of every SSD, presents the external behaviour of a platter drive while doing something completely different internally (e.g. wear levelling, which writes new data to fresh cells and leaves the old copies behind).
This has several implications for the security of the stored data, detailed in Knowledge Base Article KBA113334. The most important one:
Only data written to an SSD volume after an encryption policy has been activated is cryptographically protected. Conversely, data that was already on the SSD before SafeGuard Easy's initial encryption started cannot be guaranteed to have been physically erased from the SSD once the initial encryption has finished.
Note that this issue is not specific to SafeGuard Easy but applies to any software-based full disk encryption product.
• Volume based encryption for removable eSATA drives does not work as expected
Currently, most external eSATA drives fail to advertise themselves as removable devices. SafeGuard Easy therefore treats them as internal drives and applies all corresponding policies. We do not recommend using eSATA drives in a SafeGuard Easy full disk encryption environment unless the applied encryption policies explicitly take this situation into account.
DEF65729, DEF66438, DEF58796
• Device Encryption may fail on some USB sticks
Some rare USB stick models report an incorrect storage capacity (usually larger than their actual physically available capacity). On these models, a volume-based initial encryption will fail and the data on the stick will be lost. Sophos generally recommends to use file-based encryption (DX module) for removable media encryption.
• Encryption of ‘Virtual Drives’
Virtual drives that are mounted on the client workstation (e.g. VHD file into Windows using MS Virtual Server mounter) are considered as local hard drives and therefore their contents will be encrypted too if an encryption policy for ‘other volumes’ is defined.
• During the initial encryption of the system partition (i.e. the partition, where the hiberfil.sys file is located) suspend to disk may fail and should therefore be avoided. After the initial encryption of the system partition a reboot is required before suspend to disk works properly again.
• SafeGuard Easy disables Windows´ AutoAdminLogon feature
For security reasons, the SafeGuard Easy client actively disables the AutoAdminLogon feature in Windows.
• After updating a SafeGuard Easy or Sophos Disk Encryption client, a reboot is required before a new config package can be applied
Updating the client to a new version and applying a configuration package in one go is not supported. After an update, a reboot is mandatory before applying a new Client Configuration package. Otherwise, the intended configuration changes will be ignored.
• Novell Client
To use SafeGuard Easy Client in conjunction with a Novell Client there are some project specific adaptations necessary. Please contact Sophos Support for further information.
• Fast user switching is not supported and must be disabled.
• Floppy drive
After installation of SafeGuard Device Encryption on Windows Vista the built-in floppy drive is no longer available. This limitation does not apply to external floppy drives attached via the USB bus.
• A user can bypass enforcement of the SafeGuard Easy password history policy when the password change is one forced by the system administrator.
• Direct modifications to the original Sophos product MSI installer packages are not supported. If you need to modify specific options, do so by applying a Microsoft Transform file (MST). A list of supported changes can be found in the Sophos Knowledge Base. Other modifications are unsupported and may lead to unspecified product behaviour.
• Microsoft Windows XP up to Service Pack 2 exhibits a problem on some machines where a resume from standby does not show the locked desktop but opens the user's desktop directly. The problem also applies to machines with SafeGuard Easy. This should be fixed with Windows XP SP3.
• Microsoft Windows XP has a technical limitation of its kernel stack. If several file system filter drivers (e.g. antivirus software) are installed, the stack may be insufficient and a BSOD can occur. Sophos cannot be held liable for this Windows limitation and cannot resolve it.
• SafeGuard LanCrypt needs a repair when uninstalling the SafeGuard Enterprise Client on the same machine
An uninstallation of SafeGuard Enterprise 5.60 on a PC that has the SafeGuard LanCrypt Client (SGLC) installed leads to an internal driver error when the user tries to load his SGLC keyring.
Run a repair installation on the SafeGuard LanCrypt Client package.
• SafeGuard Removable Media and SafeGuard Easy cannot be run on the same machine
The discontinued SafeGuard Removable Media product must be uninstalled before using any SafeGuard Easy components on the same machine.
• Empirum Security Suite Agent
If SafeGuard Easy 5.50 Client software is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD:
BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS
This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite.
Please contact Matrix42 support for latest details/updates on this issue.
• Lenovo Rescue and Recovery
For information on compatibility of Rescue and Recovery versions with SafeGuard Easy versions see: http://www.sophos.com/support/knowledgebase/article/108383.html
• Compatibility to imaging tools has not been tested and is therefore not supported.
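Several of the conditions listed above can be checked before the installer is run. The script below is an added example for these release notes, not a Sophos tool; it covers the free-space requirement (footnote * in the system requirements), the BitLocker To Go condition, the OPAL requirement that the start partition begin within the first 128 MB, the requirement that fast user switching be disabled, and the administrator-logon-session requirement. Assumptions, also marked in the code: the English-language output of `defrag /A /V` on Windows 7 carries a "Largest free space size" (or "extent") line; the BitLocker WMI provider `Win32_EncryptableVolume` is present only on BitLocker-capable editions; the policy value HideFastUserSwitching is taken as the indicator that fast user switching is disabled; and comparing the current user with the owner of explorer.exe is a heuristic for "started in the administrator's own logon session".

```powershell
# Pre-installation checks for SafeGuard Easy / SDE 5.60 Device Encryption.
# Added example for these release notes, not a Sophos tool; assumptions are marked inline.
# Run in an elevated PowerShell on the target machine.
param([string]$SystemDrive = $env:SystemDrive)   # e.g. "C:"

$findings = @()
function Add-Finding([string]$Level, [string]$Text) {
    $script:findings += New-Object PSObject -Property @{ Level = $Level; Text = $Text }
}

# 1. Free space: 300 MB minimum, 100 MB of it contiguous; defragment below 5 GB free.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'"
if (-not $disk) { throw "Volume $SystemDrive not found" }
$freeMB = [math]::Round($disk.FreeSpace / 1MB)
if ($freeMB -lt 300)      { Add-Finding 'FAIL' "$SystemDrive has $freeMB MB free; 300 MB required" }
elseif ($freeMB -lt 5120) { Add-Finding 'WARN' "$SystemDrive has $freeMB MB free (< 5 GB); defragment before installing" }

# Largest contiguous free extent, parsed from 'defrag /A /V'. ASSUMPTION: English Windows 7
# output label; on XP (different syntax) or other locales the line is simply not found.
$defragOut = & defrag.exe $SystemDrive /A /V 2>&1 | Out-String
if ($defragOut -match 'Largest free space (?:size|extent)\s*=\s*([\d\.,]+)\s*(KB|MB|GB)') {
    $largestMB = [double]($matches[1] -replace ',', '')
    switch ($matches[2]) { 'KB' { $largestMB /= 1024 } 'GB' { $largestMB *= 1024 } }
    if ($largestMB -lt 100) {
        Add-Finding 'FAIL' "largest contiguous free extent is $([math]::Round($largestMB)) MB; 100 MB required"
    }
} else { Add-Finding 'INFO' 'could not parse defrag output; contiguous free space not verified' }

# 2. BitLocker: any protected volume (a BitLocker To Go stick included) makes the DE installer
#    abort. The WMI namespace only exists on editions that ship BitLocker.
try {
    $vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                          -Class Win32_EncryptableVolume -ErrorAction Stop
    foreach ($v in $vols) {
        if ($v.ProtectionStatus -ne 0) {   # 0 = protection off, 1 = on, 2 = unknown (e.g. locked)
            Add-Finding 'FAIL' "BitLocker protection active on $($v.DriveLetter); remove or decrypt it before installing"
        }
    }
} catch { Add-Finding 'INFO' 'BitLocker WMI provider not present; BitLocker check skipped' }

# 3. OPAL: the start partition's first sector must lie within the first 128 MB (shadow MBR area).
#    Check the lowest StartingOffset on every physical disk.
$parts = Get-WmiObject Win32_DiskPartition | Sort-Object DiskIndex, StartingOffset
foreach ($grp in ($parts | Group-Object DiskIndex)) {
    $first = $grp.Group[0]
    if ([uint64]$first.StartingOffset -ge 128MB) {
        $startMB = [math]::Round($first.StartingOffset / 1MB)
        Add-Finding 'WARN' "disk $($grp.Name): first partition starts at $startMB MB (beyond 128 MB); OPAL mode cannot be activated on such a drive"
    }
}

# 4. Fast user switching must be disabled. ASSUMPTION: the policy value HideFastUserSwitching = 1
#    is used as the indicator.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$fus = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).HideFastUserSwitching
if ($fus -ne 1) { Add-Finding 'FAIL' 'fast user switching is not disabled (HideFastUserSwitching is not 1)' }

# 5. Installer must run inside an administrator's own logon session, not via "Run as administrator"
#    from another user's desktop. HEURISTIC: compare our user with the owner of the desktop's explorer.exe.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$explorer = Get-WmiObject Win32_Process -Filter "Name='explorer.exe'" | Select-Object -First 1
if ($explorer) {
    $owner = $explorer.GetOwner()
    if ("$($owner.Domain)\$($owner.User)" -ne $me.Name) {
        Add-Finding 'FAIL' 'current user differs from the interactive desktop user; log on as an administrator instead of using "Run as administrator"'
    }
}
$isAdmin = (New-Object Security.Principal.WindowsPrincipal($me)).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { Add-Finding 'FAIL' 'not running with administrator rights' }

$findings | Sort-Object Level | Format-Table -AutoSize Level, Text
if ($findings | Where-Object { $_.Level -eq 'FAIL' }) { exit 1 } else { exit 0 }
```

A non-zero exit code signals at least one FAIL, so the script can gate an automated rollout; WARN items (low free space, a start partition beyond 128 MB on a machine that may not even have an OPAL drive) are reported but do not block.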
Token/Smartcard (SafeGuard Easy only)
• Resuming from hibernation on a Windows XP client can occasionally lead to a BSOD if an Aladdin eToken 72k (Java) is used for authentication. Hibernation under Windows XP in combination with the Aladdin eToken 72k (Java) is therefore currently not supported, as unsaved data could be lost when the BSOD occurs.
• Disconnecting an USB smartcard reader is not detected properly when using the Gemalto .NET smartcard middleware
In this case, the desktop will not be locked automatically. This does not apply to pulling the smartcard from the reader, which works as expected.
• When using the Gemalto Classic middleware, the non-cryptographic logon mode does not work in the POA
• TCOS tokens are not supported on Windows Vista
• ActivIdentity Notifications cause Winlogon.exe to crash
On some Windows XP systems Winlogon.exe may crash if Notifications in ActivClient are enabled.
Disable ActivClient Notifications in the ActivIdentity’s “Advanced Configuration Manager” under “Notifications Management”
Antivirus products tested with SafeGuard Device Encryption
SGE/SDE volume-based encryption has been successfully tested against concurrent installations of Sophos antivirus products as well as the following:
|Vendor ||Product ||Version |
|AVG ||Free Anti-Virus Small Business Edition 2011 ||10.0.1153 |
|Computer Associates ||Security Center ||126.96.36.1995 |
|F-Secure ||Anti Virus 2011 ||10.51 |
|G Data ||AntiVirus 2011 ||188.8.131.52 |
|Kaspersky ||Internet Security 2011 ||184.108.40.206 |
|Symantec ||Endpoint Protection ||11.0.6 |
|Trend Micro ||Titanium Internet Security 2011 || |
|McAfee ||Internet Security 2011 || |
|Norman ||Virus Control ||2010.02.22 |
|Microsoft ||Security Essentials || |