Multiple Windows To Go operating environments on a single drive
SPYRUS Windows To Go Xtreme (WTGXtreme) drives bring a new dimension to the world of Windows To Go operations. The drives build on the features of the award-winning SPYRUS Windows To Go family, incorporating the most advanced encryption and security technologies with the greatest versatility in size and performance features in the industry. WTGXtreme takes an evolutionary leap forward by allowing multiple processing environments, each with its own independent operational profile, on the same drive. Strong cryptographic separation ensures a high assurance environment for each domain or profile.
With multiple processing environments on SPYRUS WTGXtreme, multiple users can share a single device, each with unique, cryptographically protected access to an individual Windows profile. In addition, users could have both a Windows 8.1 and a Windows 10 environment provisioned on a WTGXtreme as organizations transition from one operating system to the next. A system administrator managing multiple networks spanning different administrative domains could use a different profile for managing each network. Finally, users could potentially use a specific profile for multi-domain access to different levels of data classification.
Regardless of your application, there is a SPYRUS Windows To Go solution for your needs that can empower your workforce while improving security and saving money in the process.
Use Cases & Features
To meet the wide range of requirements being faced in today’s mobile computing environment, SPYRUS provides two different models of its Microsoft-certified Windows To Go Xtreme (WTGXtreme) drives. Each of these models is built on the same robust hardware platform and is available in a variety of memory sizes ranging from 128 GB up to 512 GB; and they all take advantage of SSD memory to provide high performance over a USB 3.0 interface.
A summary of the SPYRUS Certified Windows To Go Xtreme Products and Features is shown below for WorkSafe Pro™ Xtreme and Secure Portable Workplace™ Xtreme:
XTS-AES 256 Hardware Encryption
SPYRUS WorkSafe™ Pro Xtreme and Secure Portable Workplace Xtreme drives provide some of the strongest military-grade hardware encryption commercially available for full disk encryption to protect data at rest.
Sector-based full disk encryption is based on XTS-AES 256 encryption (NIST SP800-38E). The on-board hardware security infrastructure includes AES CBC, ECDH, ECDSA, ECC P-384, and SHA-384, which together make up the US Government’s Suite B cryptography, part of its cryptographic modernization program. All data encryption is performed in the tamper-resistant, epoxy-coated cryptographic hardware. The access password is never stored on the device, in software, or on a host computer, even in encrypted or hashed form. This safeguards the keys, passwords, and encrypted data from physical attack at all times, whether or not the WorkSafe Pro Xtreme or Secure Portable Workplace Xtreme is connected to a host computer.
Layered Data Security
All SPYRUS Windows To Go drives can be configured with BitLocker software encryption to protect some or all drive partitions, enabling a second layer of Defense-In-Depth encryption. BitLocker passwords are protected in the tamper proof FIPS 140-2 Level 3 encrypted hardware memory partition.
SPYRUS encrypted Windows To Go drives defend the integrity of the operating environment even when booting on compromised systems. SPYRUS patented technology enforces on-the-fly hardware pre-boot integrity validation to enable secure boot while maintaining some of the fastest boot speeds in the industry. WorkSafe Pro Xtreme and Secure Portable Workplace Xtreme perform extensive boot-sequence validations:
- Power-on self-tests validate HW integrity and operations, FW integrity, and cryptographic operations. Any evidence of tampering shuts down the boot sequence.
- UEFI computers may validate the SPYRUS Toughboot™ loader to provide seamless secure preboot authentication. The SPYRUS Toughboot loader is signed by Microsoft and meets all Secure Boot criteria for driver and OS loader digital signatures. Toughboot requires a password and authenticates users in HW over a secure channel before beginning the load sequence.
- Toughboot then decrypts the Windows To Go partition and performs a cryptographic integrity check on the Windows boot loader.
- After passing all tests, the operating system boots. Windows then authenticates user accounts, and users can log in to their Windows accounts.
Built In PKI Smart Card
WorkSafe Pro Xtreme is a Microsoft-certified Windows To Go drive that delivers the identity and rooted authentication capabilities of a full smart card. With WorkSafe, the FIPS 140-2 Level 3/EAL 5+ validated Rosetta Micro hardware security module embedded in all SPYRUS Windows To Go drives can be used as a traditional smartcard token for two factor authentication and other smartcard based PKI security services in your enterprise environment.
When not booted, WorkSafe serves as a readerless USB 3.0 smart card (CCID) that enables you to use your RSA and/or elliptic curve ECDSA digital certificates with any compatible computer.
WorkSafe supports PKCS #11 and Microsoft Minidriver crypto standards. The SPYRUS Minidriver Token Utility for managing the WorkSafe smart card, certificates, and passwords is automatically downloaded from Windows Update when the drive is first booted.
Keys are always generated in hardware on the embedded FIPS 140-2 Level 3 validated Rosetta Micro hardware security controller. To ensure the highest level of security, keys are never exported.
Administrators can reset, restore, revoke, and manage user certificates on the embedded Rosetta smart card with standard smart card management systems such as Microsoft Forefront Identity Manager and with the included SPYRUS Minidriver Token Utility.
When WorkSafe is booted, your digital ID is automatically available for PKI digital certificate functions such as:
- Smart card logon
- File signature or encryption
- Signed/encrypted email
- VPN authentication
- Web authentication
Data Vault Read/Write
The Data Vault read/write partition can store changed user files even when Reset Write Protection Read-Only mode is enabled. You can also configure separate BitLocker encryption for the Data Vault and use separate passwords for each instance of BitLocker or the same BitLocker password for both the drive and the Data Vault. All SPYRUS Windows To Go drives can be configured with a Data Vault partition during provisioning.
Read Only Option
The Read Only option prevents retention of malware and other unauthorized downloads by resetting all changes to data, OS, and application files (except files in a Data Vault) when the user shuts down the drive. In Read Only mode, your operating system, applications, and data files are completely protected against alteration or infection from outside sources. Use a Read Only Windows To Go drive at an airport kiosk, over WiFi at the coffee shop, or on an untrusted home computer without worry.
SPYRUS Enterprise Management System – Device Management
Coming soon to WorkSafe Pro Xtreme and Secure Portable Workplace Xtreme. SPYRUS Windows To Go drives can be managed by an enterprise with the SPYRUS Enterprise Management System (SEMS™) for mobile device management (MDM). SEMS features include remote device disable and destroy functions, remote password reset, policy enforcement, transaction auditing, and more.
The SPYRUS Enterprise Management System (SEMS) provides secure lifecycle management on enterprise domains for USB devices. SEMS-managed drives must have the SEMS client software (separate order, requires licensed server software) installed and be joined to a SEMS domain.
Remotely disabled drives can later be cost-effectively reprovisioned and redeployed.
All SPYRUS Windows To Go drives can be configured with BitLocker software encryption to protect some or all drive partitions, enabling a second layer of Defense-In-Depth on SPYRUS hardware encrypting drives. BitLocker passwords are protected in the SPYRUS tamper proof FIPS 140-2 Level 3 encrypted hardware memory partition.
|Capacities & Dimensions (LxWxH)|
|128 GB, 256 GB: 86.1 mm x 24.2 mm x 10.8 mm (+/- 0.20)|
|512 GB capacities (1 TB coming soon): 101.6 mm x 24.2 mm x 10.8 mm (+/- 0.20)|
|Performance (based on 512 GB drive)|
|USB 3.0 Super Speed; USB 2.0 Compatible|
|Please note that Random Read and Random Write performance is the most important metric for bootable live drives.|
|Sequential Read: up to 249 MB/sec|
|Sequential Write: up to 238 MB/sec|
|Data Retention: 10 years|
|Microsoft Windows To Go|
|FIPS 140-2 Algorithm Certificates|
|FIPS 140-2 Level 3|
|Operating Voltage Vcc = 3.3 to 5 VDC|
|Power Consumption 275mA @ 3.3 VDC|
|Humidity 100%, noncondensing|
|Physical Device Integrity:|
|At SPYRUS, we understand that people rely on their WTG device for mission critical functions. In essence, it is their computer SSD drive. So unlike a traditional USB drive that is used less regularly and is much easier to replace, we realized early on in our customer deployments that the device must withstand punishment from a physical design perspective. To that end we designed our Windows To Go devices to meet the highest physical standards in design and component materials. The combination of stringent environmental testing and additional testing for magnetic fields, X-Ray and long term immersion demonstrates the usability of this high security configuration of the SPYRUS WTG devices in challenging healthcare environments as well.|
|SPYRUS WTG Xtreme drives can be provisioned with up to 4 independent, cryptographically isolated, Windows operating environments to support multi-user, cross-domain, enterprise migration, BYOD, and other operational scenarios. It is recommended each profile have a minimum 64 GB capacity.|
|Operating Temperature (MIL-STD-202, METH 503) 0ºC – 70ºC|
|Non-Operating Temperature Cycling (MIL-STD-810, METH 503) -40ºC – 85ºC|
|High Temperature Storage (MIL-STD-810, METH 501) 85ºC; 96 hours|
|EMI (FCC/CE) FCC Part 15, Class B/EN55022 – EN55024/etc|
|ESD (EN61000-4-2) Enclosure Discharge – Contact & Air|
|Waterproof Test (IEC 60529, IPX7) As per defined|
|Operating Shock, MIL-STD 883J, Method 2002.5, Cond. B, 1500g, 0.5ms, 1/2 sine wave|
|High Temperature Storage/Data Retention, MIL-STD-810, METH 501, 100ºC; 96 hours|
|Waterproof test, MIL-STD-810, METH 512.6, 1 meter depth, 30 minutes|
|Hardware Security & Cryptographic Standards|
|SPYRUS Algorithm Agility includes Suite B (a set of cryptographic algorithms used for cryptographic modernization) and RSA based cryptography.|
|XTS-AES 256 Full Disk Encryption^|
|AES 128, 192, and 256 ECB, CBC, CTR, and Key Wrap Modes^|
|SP 800-90 DRBG (Hash DRBG)|
|Elliptic Curve Cryptography (P-256, P-384, P-521)|
|ECDSA Digital Signature Algorithm|
|CVL (ECC CDH) [ECDH per SP 800-56A]|
|Concatenation KDF (SP800-56A)|
|RSA 1024 and 2048 Signature Algorithm (Note RSA 1024 has been deprecated by NIST.) RSA 1024 and 2048 Key Exchange (Note RSA 1024 has been deprecated by NIST.)|
|PBKDF2 (per PKCS #5 version 2)^|
|DES, two-& three-key triple DES with ECB, CBC Mode (Note DES has been deprecated by NIST.)|
|SHA-1 and SHA-224/256/384/512 hash algorithms with HMAC Support|
|Support for the cryptography can vary depending on version.|
|FIPS 140-2 Level 3 opaque epoxy filled housing can be modified by special order.|
The Anatomy of the SPYRUS Secured Endpoint Device
A detailed 3D animation of the SPYRUS endpoint device architecture, including features and benefits.
SPYRUS and Information Security Service
An explanatory summary of ISS and SPYRUS security products with examples of physical device durability.