How does SPYRUS back the claim as the Leader in Trusted Windows To Go Solutions?
We do it by offering the widest selection of Windows To Go (WTG) drives with the strongest security available in commercial devices. SPYRUS pioneered hardware-secured bootable Windows USB drives in 2009 with the Secure Pocket Drive, and we’ve developed hardware encryption products since 1992.
Our USB 3.0 Windows To Go drives run at SSD speeds and are configured with standby memory for wear leveling, so they last longer even with heavy use.
SPYRUS WorkSafe Windows To Go drives add Windows 8.1 support for the USB CCID class driver for smart card readers to the long list of features already available in our Portable and Secure Portable Workplace Windows To Go drives. The smart card is built in-no need for a separate card or reader.
SPYRUS Windows To Go drives
SPYRUS Windows To Go drives turn personal computers, including many Macs (service provided by SPYRUS), into compliant enterprise Windows desktops-with or without connectivity. SPYRUS Windows To Go drives boot the OS and completely bypass the host computer’s hard drive. There is no impact on the host computer and no footprint left behind when the drive is shut down.
WorkSafe Pro and Secure Portable Workplace provide military-grade XTS-AES 256 hardware encryption over the entire drive, including the operating system, applications, and data storage. All SPYRUS Windows To Go Drives can be configured with BitLocker software encryption. SPYRUS encrypted drives support the full set of Suite B cryptographic algorithms.
WorkSafe Built-In Smart Card Support
WorkSafe and WorkSafe Pro are the only Microsoft-certified Windows To Go drives that deliver the identity and rooted authentication capabilities of a full smart card. With WorkSafe, the FIPS 140-2 Level 3/EAL 5+ validated Rosetta Micro crypto smart card chip embedded in all SPYRUS Windows To Go drives can be used as a traditional smart card in your enterprise environment.
When not booted, WorkSafe serves as a readerless USB 3.0 smart card (CCID) that enables you to use your RSA and/or elliptic curve ECDSA digital certificates with any compatible computer.
WorkSafe supports PKCS #11 and Microsoft Minidriver crypto standards. The SPYRUS Minidriver Token Utility for managing the WorkSafe smart card, certificates, and passwords is automatically downloaded from Windows Update when the drive is first booted.
Keys are always generated in hardware on the embedded FIPS 140-2 Level 3 validated Rosetta Micro hardware security controller. To ensure the highest level of security, keys are never exported.
Administrators can reset, restore, revoke, and manage user certificates on the embedded Rosetta smart card with standard smart card management systems such as Microsoft Forefront Identity Manager and with the included SPYRUS Minidriver Token Utility.
When WorkSafe is booted, your digital ID is automatically available for PKI digital certificate functions such as:
- Smart card logon
- File signature or encryption
- Signed/encrypted email
- VPN authentication
- Web authentication
Strongest Hardware Encryption
SPYRUS WorkSafe Pro and Secure Portable Workplace drives provide some of the strongest military-grade hardware encryption commercially available.
The on-board hardware security infrastructure includes AES CBC, ECDH, ECDSA, ECC P-384, and SHA-384, which together make up the US Government’s Suite B cryptography, part of its cryptographic modernization program. Sector-based full disk encryption is based on XTS-AES 256 encryption (NIST SP800-38E).
All data encryption is performed in the tamper-resistant, epoxy-coated cryptographic hardware. The access password is never stored on the device, in software, or on a host computer, even in encrypted or hashed form. This safeguards the keys, passwords, and encrypted data from physical attack at all times, whether or not the WorkSafe Pro or Secure Portable Workplace is connected to a host computer.
Layered Data Security
All SPYRUS Windows To Go drives can be configured with BitLocker software encryption to protect some or all drive partitions and enabling a second layer of Defense-In-Depth encryption. BitLocker keys are protected in the tamper proof FIPS level 3 Rosetta Micro crypto chip.
SPYRUS encrypted Windows To Go drives defend the integrity of the operating environment even when booting on compromised systems. SPYRUS patented technology enforces on-the-fly hardware pre-boot integrity validation to enable secure boot while maintaining some of the fastest boot speeds in the industry. WorkSafe Pro and Secure Portable Workplace perform extensive boot-sequence validations:
- Power-on self-tests validate HW integrity and operations, FW integrity, and cryptographic operations. Any evidence of tampering shuts down boot sequence.
- UEFI computers may validate the SPYRUS Toughboot loader to provide seamless secure preboot authentication.The SPYRUS Toughboot loader is signed by Microsoft and meets all Secure Boot criteria for driver and OS loader digital signatures. Toughboot requires a password and authenticates users in HW over secure channel before beginning load sequence.
- Toughboot then decrypts the Windows To Go partition and performs a cryptographic integrity check on the Windows boot loader.
- After passing all tests, the operating system boots. Windows then authenticates user accounts, and users can log in to their Windows accounts.
The SPYRUS Toughboot loader is signed by Microsoft and meets all Secure Boot criteria. Secure Boot is a UEFI specification that checks for an approved digital signature in all drivers or OS loaders to prevent malware infections during the boot sequence.
Read Only Data Protection
The Read Only option prevents retention of malware and other unauthorized downloads by resetting all changes to data, OS, and application files (except files in a Data Vault) when the user shuts down the drive. In Read Only mode, your operating system, applications, and data files are completely protected against alteration or infection from outside sources. Use a Read Only Windows To Go drive at an airport kiosk, over WiFi at the coffee shop, or on an untrusted home computer without worry.
Data Vault R/W Storage
A Data Vault read/write partition can store changed user files even when ResetWP Read-Only mode is enabled. You can also configure separate BitLocker encryption for the Data Vault and use separate passwords for each instance of BitLocker or the same BitLocker password for both the drive and the Data Vault. All SPYRUS Windows To Go drives can be configured with a Data Vault partition during provisioning.
Enterprise Central Device Management
All SPYRUS Windows To Go drives can be managed over an enterprise domain with the SPYRUS Enterprise Management System (SEMS) for mobile device management (MDM). SEMS features include remote device disable and destroy functions, remote password reset, policy enforcement, transaction auditing, and more.
The SPYRUS Enterprise Management System (SEMS) provides secure lifecycle management on enterprise domains for USB devices. SEMS-managed drives must have the SEMS client software (separate order, requires licensed server software) installed and be joined to a SEMS domain.
Destroyed drives can later be cost-effectively reprovisioned and redeployed.
Compare SPYRUS Windows To Go Drives
|XTS-AES 256 Hardware Encryption||Layered Data Security||Built-In PKISmart Card||Data Vault Read/Write||Read Only Option||SEMS Device Management Option||Bit Locker full disk and/or Data Vault|
|Secure Portable Workplace||✓||✓||✓||✓||✓||✓|
SPYRUS Windows To Go drives are great for remote or traveling workers, who can enjoy the same networking experience at the office or at remote locations using smart card authenticated VPNs.
SPYRUS Windows To Go drives make an ideal configuration for remote access/VDI/Cloud, and Office 365, providing a true secure trusted endpoint. Your enterprise can enforce access to only your network and prevent local access or data storage.
As a cost-effective teleworker solution, use 32 GB SPYRUS Windows To Go drives with the Read Only option to boot SPYRUS drives securely from untrusted home computers. Your organization can enforce work and data saving to the enterprise network, or if required, changed files can be saved on a Data Vault read/write partition.
For disaster recovery, SPYRUS Windows To Go drives configured with your enterprise image can quickly restore Continuity of Operations on rental hardware. You can be up and running in hours instead of days, saving the time it could take to configure each new computer.
How can SPYRUS Windows To Go drives help your enterprise?
- BYOD at the office
- Road warriors
- Managed computing environment for temporary/contract workers
- Secure VDI and cloud access
- New employees up and running quickly
- Continuity of Operations during disaster recovery
- Cost-effective deployment of enterprise environment
- Access legacy Windows XP applications with dual booting from hard disk or Windows To Go drive
SPYRUS Deployment Suite
Use the SPYRUS Deployment Suite for Windows To Go with your custom enterprise Windows image (WIM) to create SPYRUS Windows To Go drives exactly tailored to your organization’s requirements. When you provision your own drives, you have full control over all operating system configurations, applications, settings, Data Vault configuration, and options such as Read Only or SEMS. You can provision up to eight identical drives at one time.
Provisioning requires a 64-bit computer running Windows 8 Enterprise and the SPYRUS Deployment Suite, provided with all drive orders.
Macintosh Support Service
SPYRUS Windows To Go drive boot Windows 8 or Windows 8.1 on almost any PC certified for use with Windows 7 or Windows 8. SPYRUS also provides a preparation service for creating custom Windows 8 Enterprise images that boot SPYRUS Windows To Go drives running Windows 8 on Apple Macintosh hardware. Use of SPYRUS Windows To Go drives on Macintosh is not supported by Microsoft.
Hardware SecuritySuite B cryptographic algorithm supportFull Disk Encryption: XTS-AES 256 IEEE-1669Digital signatures: RSA and Elliptic Curve Digital Signature (ECDSA)PKI Compliance
Elliptic Curve Update all P-384, SHA 2 384; XTS AES 256
Legacy Algorithms: RSA, DES, 3DES, SHA 1
Extensive health checks and hardware alarms enabled
Microsoft Windows To Go certified drives
FIPS 140-2 Level 3 Certified PKI device Certificate 1302
EAL 5+ validated hardware security core
FCC 47 Part 15, Class B
USB 3.0 Super Speed
Read: 240 MB/sec (100 GB)
Write: 240 MB/sec (100 GB)
Boot or shut down in under 30 seconds
MTBF: 1,000,000 hours
Data Retention: 10 years
Operating voltage: Vcc=3.3 to 5VDC
Power consumption: ~30mA @ 3.3VDC
Operating Shock: 1500G
Operating Vibration: 16G
Operating Temperature: 0C to +70C
Operating Humidity: 5 to 98%
32 GB, 64 GB, 128 GB capacities
Suite B, a set of cryptographic algorithms promoted by the National Security Agency as part of its cryptographic modernization program to serve as an interoperable cryptographic base for both unclassified information and most classified information, including:
Elliptic Curve Cryptography (P-256, P-384, P-521)
ECDH per SP 800-56A
ECDSA Digital Signature Algorithm
RSA 1024 and 2048 digital signature algorithm
RSA-1024/2048 key exchange
DES, two & three-key triple DES with ECB, CBC
AES 128/192/256 with ECB, CBC
SHA-1 and SHA-224/256/384/512 secure hash algorithms with HMAC support
95.3 mm x 24.5 mm x 9.8 mm