Note: Please refer to article Private Crypto and Private Disk update for details of changes to our product lifecycles, including the retirement of Private Crypto and Private Disk.
1. System requirements
| Platforms supported | 32-bit | 64-bit |
| Windows 8 Pro/Enterprise | Yes | Yes |
| Windows 7 Enterprise/Ultimate/Professional/Home Premium | Yes | Yes |
| Windows XP Professional | Yes | No |
- The latest service pack must be installed on the supported platforms
- Windows Server operating systems are not supported
- Apple computers are not supported
2. Version Information
SafeGuard PrivateDisk 3.00 incorporates the following improvements over version 2.50:
- Support for Windows 8
- Single installer for x86/x64 and all supported languages
SafeGuard PrivateDisk 2.50 incorporates the following improvements over version 2.30:
- Reduced file operations in the background
- "pdcmd.exe new": Area background initialization corrected
- "pdcmd.exe new": No more adding an administrator certificate to the volume
- Volume files on removable media are marked as "hotplug" to disable the write cache of the operating system
- PDPortable performance for NTFS Volumes optimized
- PDPortable problem on large NTFS Volumes on removable media solved
- PDPortable support for keyring implemented
- Shell extension for 64-bit operating systems corrected
- New GPO attribute: maximum container size
- New GPO attribute: container only allowed on specified directories
- New branding for Sophos
- New setup for Japanese
3. Installation and Upgrade
- Administrative privileges required
Administrative privileges are required to install the software. Simply execute the SafeGuard PrivateDisk MSI package to install the software.
- Installation via Active Directory
When installing the software with Active Directory (GPO), the following issues should be considered:
- SafeGuard PrivateDisk can only be installed per computer (Computer Configuration), not for single users (User Configuration).
- If a program package is in a different language from the operating system of the client computer, the setting “Ignore language when deploying this package” must be enabled for the package; otherwise the software will not be installed automatically.
- Installation from network location not recommended
It is possible to install the software from a network location, but it is not recommended. The installation might fail if the network connection is interrupted or files might be left over in the installation directory after uninstallation.
- Upgrade from previous versions
Upgrades are only supported from PrivateDisk 2.30, 2.40 and 2.50 Enterprise Edition. Upgrades from Demo or Personal Editions are not supported.
- Single login password
The single login password is not shared between the multiple modules of SafeGuard PrivateDisk. If you mount some disks from within the main application, and some others using the tray icon or the shell extension, and you are using the single login feature, then you will have to enter the single login password more than once.
- Recovery certificate
The administrative template (ADM) can be used to define a recovery certificate, which is added automatically to new PrivateDisk volumes. This feature can be used by security administrators to gain access to the encrypted data of users, e.g. after a user has left the company or when a user forgets his password. Note that the recovery certificate is identified only by its serial number, which is not always unique (there might be multiple certificates with identical serial numbers from different issuers). You must therefore ensure that there is only one certificate for a given serial number: if multiple certificates match the serial number, PrivateDisk may choose any of them, possibly the wrong one.
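Because PrivateDisk matches the recovery certificate by serial number alone, an administrator should verify that exactly one distinct certificate with that serial number exists in the local stores before rolling the ADM setting out. The following PowerShell function is an added example, not part of the product or of these release notes; it assumes the serial number is given as it appears in the certificate (hexadecimal, separators optional), that the certificate stores under Cert:\CurrentUser and Cert:\LocalMachine are the ones PrivateDisk will search, and that the same certificate installed in two stores (same thumbprint) is not a conflict, whereas two certificates with the same serial number but different thumbprints are.

```powershell
function Test-RecoveryCertificateSerial {
    <#
      Added example (not Sophos code). Returns an object with IsUnique = $true when
      exactly one distinct certificate carries the given serial number, and lists
      every match (issuer, subject, thumbprint, store) so conflicts can be resolved.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$SerialNumber,
        # Assumed default: the stores a PrivateDisk client would consult.
        [string[]]$StorePaths = @('Cert:\CurrentUser', 'Cert:\LocalMachine')
    )

    # Serial numbers are compared as upper-case hex with any spaces, colons or dashes removed.
    $wanted = ($SerialNumber -replace '[\s:-]', '').ToUpperInvariant()

    $found = @()
    foreach ($store in $StorePaths) {
        # -Recurse walks every store (My, Root, CA, ...); the Cert: provider also emits
        # store container objects, so keep only real certificates.
        $found += Get-ChildItem -Path $store -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { $_.SerialNumber.ToUpperInvariant() -eq $wanted } |
            ForEach-Object {
                New-Object psobject -Property @{
                    Issuer     = $_.Issuer
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    Store      = $_.PSParentPath
                    NotAfter   = $_.NotAfter
                }
            }
    }

    # Distinct certificates are distinguished by thumbprint, not by store location.
    $distinct = @($found | Select-Object -ExpandProperty Thumbprint | Sort-Object -Unique)

    if ($distinct.Count -eq 0) {
        Write-Warning "No certificate with serial number $wanted found in $($StorePaths -join ', ')."
    } elseif ($distinct.Count -gt 1) {
        Write-Warning ("Serial number $wanted matches $($distinct.Count) different certificates; " +
                       "PrivateDisk may pick the wrong one. Remove or replace the conflicting certificates.")
    }

    New-Object psobject -Property @{
        SerialNumber = $wanted
        IsUnique     = ($distinct.Count -eq 1)
        Matches      = $found
    }
}

# Usage (placeholder serial number; replace it with the recovery certificate's own):
$result = Test-RecoveryCertificateSerial -SerialNumber '00 A1 B2 C3 D4 E5'
$result.Matches | Format-Table Issuer, Subject, Thumbprint, Store, NotAfter -AutoSize
if (-not $result.IsUnique) { Write-Host 'Do not deploy this serial number as the recovery certificate yet.' }
```

Run the check on a representative client as the user who will mount the volumes as well as elevated, since Cert:\LocalMachine stores are only fully readable with administrative rights; a single thumbprint reported from several stores is fine, two different thumbprints for one serial number is the situation the note warns about.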
- Secure LDAP access
LDAP over SSL (port 636) and global catalog search over SSL (port 3269) are not standardized in LDAPv2 and are therefore not supported by PrivateDisk. Use LDAP with StartTLS instead, which works by default on port 389 or 3268 (global catalog).
5. Known Issues
- Sharing of removable volumes
In Windows 7 and Windows 8, users can share removable media. This feature is not yet supported by PrivateDisk. Currently only drives with the attribute "fixed disk" can be shared by the administrator.
- Sophos SafeGuard LAN Crypt and Sophos SafeGuard Enterprise DX/CS/FS
PrivateDisk volume files (*.vol) should not be additionally encrypted with any Sophos file-encryption product. In certain circumstances, encrypted volume files can become corrupted while being used concurrently by PrivateDisk. To ensure that volume files are not encrypted accidentally via an encryption policy, *.vol files must be excluded from encryption. Although not really necessary, files that reside within a PrivateDisk volume can be encrypted with Sophos file-based encryption products like SG LAN Crypt or SGN File Share.
- Drive label for PrivateDisk drive replaced by removable storage device label
In some situations, the drive label assigned to a PrivateDisk might get re-assigned to another removable storage device. When this occurs, the drive letter of the PrivateDisk displays the drive label of the newly attached device, even though that drive letter still gives access to the PrivateDisk and not to the newly attached device. If this occurs, unmount the affected PrivateDisk and re-mount it to ensure access to both devices.
- PrivateDisk volume files on removable media with changed drive letter
PrivateDisk keeps a list of previously used volume files, using their fully qualified path names. If the volume file resides on a removable medium whose drive letter has changed, e.g. a USB memory stick or a network share, the volume file can no longer be located using its original file name, and its entry in PrivateDisk is marked accordingly. To mount this volume file again, it has to be imported from the new drive with the changed drive letter using the ‘File Import…’ function.
- Possible loss of data caused by delayed write operations
When storing data on a PrivateDisk drive whose volume file is located on a removable USB drive or on a network share connected via WiFi, you should take suitable precautions to ensure that no data is lost. Data loss can be caused by pending delayed write operations in the file system cache in conjunction with an abrupt interruption of the connection to the volume file. This can happen if a removable medium is removed suddenly after the write operation has finished, or if the WiFi connection is broken. Therefore you are strongly advised to unmount any removable storage device that holds a PrivateDisk drive before removing it. Furthermore, accessing PrivateDisk volume files over a WiFi connection that cannot guarantee trouble-free operation is not recommended.
- Unnecessary event in Windows system event log
When using an automatically mounted NTFS formatted PrivateDisk volume, an error with ID 137 is written into the Windows system event log with every logon to this volume. The event has the text "The default transaction resource manager on volume XYZ encountered a non-retryable error and could not start". This event can be safely ignored. It is a false alarm from the NTFS driver.
- Windows 8 start screen
A tile in the Windows 8 start screen is only created for the user in whose context the installation of PrivateDisk was executed. All other users can still launch PrivateDisk through the icon in the Windows notification area. Alternatively, a tile can also be created manually.
- No administrative installation on 64-bit Windows
The administrative installation (MSIEXEC /A SGPD300_e.msi) on 64-bit Windows is not supported and leads to the situation that the wrong drivers get installed. Therefore on 64-bit Windows only use the normal MSI installation mode (without /A).
- PDPortable may fail to open keystore
If a private disk was created on a computer with SafeGuard Enterprise installed and secured with a local key, then PDPortable might have a problem opening that disk. This issue occurs randomly.
- Creation of a volume with a property "Fixed Disk" may fail on a network share
Creation of a PrivateDisk volume with the option "Fixed Disk" enabled will fail on a network share that is mounted to a drive letter. In this case, do not enable the "Fixed Disk" option (the default).
- Files exported with PDPortable may have the wrong modified time
When files are exported with PDPortable, the modified time of the resulting files may be wrong. It depends on the time zone where PDPortable is executed and may lead to a difference of up to a few hours.
6. Security Note
Due to its character as a roaming program, PDPortable may be used in target OS environments whose security state is not known beforehand. Consequently, a special flavour of ‘DLL preloading’ (http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx, also known as ‘DLL Hijacking’) may apply: PDPortable (involuntarily) attempts to load certain OS DLLs from its application directory (i.e. the directory where it actually resides) before it attempts to load them from the OS directory where they actually reside (e.g. <Windows>\System32). If an attacker manages to place a malicious DLL in the application directory, its code may get executed when PDPortable starts. Please note that a malicious DLL will be found and loaded even when it is set to hidden!
PDPortable provides all available mechanisms to mitigate this vulnerability. Nevertheless, several attack vectors remain open. The vulnerability is unconditionally present in Windows XP (and before). Beginning with Windows Vista and Windows Server 2008, the vulnerability is mitigated when Microsoft Security Patch KB2533623 has been installed on the system. In Windows 8 and Windows Server 2012, there is no such vulnerability.
As general advice, always install all available Security Patches for the systems you manage. If PDPortable is going to run on systems where the vulnerability exists, the user needs to be aware that any DLL (even a hidden one) of unknown or dubious origin in the application directory means a risk. Accordingly, make sure that PDPortable is not started in such environments.
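The two conditions the note describes, a DLL of unknown origin sitting beside PDPortable and a host that lacks the mitigation, can both be checked before the program is started. The following PowerShell function is an added example, not code from Sophos or from these release notes; it assumes PowerShell 2.0 or later, that the directory passed in is the one PDPortable resides in, and that the hotfix ID KB2533623 named above is what Get-HotFix reports on a patched Vista/7/2008 system. Hidden files are included deliberately, since the note states that a hidden DLL is loaded all the same.

```powershell
function Test-PDPortableDirectory {
    <#
      Added example (not Sophos code). Inspects the PDPortable application directory for
      DLLs (hidden ones included) and classifies the host's DLL-preloading exposure from
      the OS version and the presence of the mitigation hotfix named in the release notes.
      Returns an object with SafeToStart = $true only when no DLL is present.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # assumed: directory holding PDPortable
        [string]$HotfixId = 'KB2533623'                # mitigation patch from the release notes
    )

    # 1. Every DLL in the application directory is a risk. -Force includes hidden and
    #    system files; PSIsContainer filtering keeps the check PowerShell 2.0 compatible.
    $dlls = @(Get-ChildItem -Path $Path -Filter '*.dll' -Force -ErrorAction Stop |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Signature status is reported for triage only; an unexpected DLL is a finding
            # regardless of whether it happens to be signed.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object psobject -Property @{
                Name      = $_.Name
                Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Modified  = $_.LastWriteTime
            }
        })

    # 2. Host exposure as stated in the note: XP and earlier always affected; Vista/7/2008
    #    mitigated only with the hotfix installed; Windows 8 / Server 2012 and later not affected.
    $os     = [Environment]::OSVersion.Version
    $hotfix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    if ($os.Major -gt 6 -or ($os.Major -eq 6 -and $os.Minor -ge 2)) {
        $exposure = 'not affected (Windows 8 / Server 2012 or later)'
    } elseif ($os.Major -eq 6) {
        if ($hotfix) { $exposure = "mitigated ($HotfixId installed)" }
        else         { $exposure = "affected ($HotfixId missing)" }
    } else {
        $exposure = 'affected (Windows XP or earlier, no mitigation available)'
    }

    foreach ($d in $dlls) {
        $flag = if ($d.Hidden) { 'HIDDEN ' } else { '' }
        Write-Warning ("{0}DLL found next to PDPortable: {1} (signature: {2}, signer: {3})" -f
                       $flag, $d.Name, $d.Signature, $d.Signer)
    }

    New-Object psobject -Property @{
        Path        = (Resolve-Path $Path).Path
        OsVersion   = $os.ToString()
        Exposure    = $exposure
        Dlls        = $dlls
        SafeToStart = ($dlls.Count -eq 0)
    }
}

# Usage (placeholder path; point it at the medium PDPortable is started from):
$check = Test-PDPortableDirectory -Path 'E:\PDPortable'
$check | Format-List Path, OsVersion, Exposure, SafeToStart
if (-not $check.SafeToStart) { Write-Host 'Do not start PDPortable from this directory until the DLLs are accounted for.' }
```

Note that the OS version test is a convenience derived from the release-notes statement, not an authoritative patch audit: on a Vista/7/2008 host, treat a missing Get-HotFix entry as "unknown" and confirm through your patch-management tooling, and regardless of the reported exposure, a DLL that should not be there is the finding to act on.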