How does SPYRUS back the claim as the Leader in Trusted Windows To Go Solutions?

We do it by offering the widest selection of Windows To Go (WTG) drives with the strongest security available in commercial devices. SPYRUS pioneered hardware-secured bootable Windows USB drives in 2009 with the Secure Pocket Drive, and we’ve developed hardware encryption products since 1992.

Our USB 3.0 Windows To Go drives run at SSD speeds and are configured with standby memory for wear leveling, so they last longer even with heavy use.

SPYRUS WorkSafe Windows To Go drives add Windows 8.1 support for the USB CCID class driver for smart card readers to the long list of features already available in our Portable and Secure Portable Workplace Windows To Go drives. The smart card is built in-no need for a separate card or reader.

SPYRUS Windows To Go drives

WTG-Drives-colorSPYRUS Windows To Go drives turn personal computers, including many Macs (service provided by SPYRUS), into compliant enterprise Windows desktops-with or without connectivity. SPYRUS Windows To Go drives boot the OS and completely bypass the host computer’s hard drive. There is no impact on the host computer and no footprint left behind when the drive is shut down.

WorkSafe Pro and Secure Portable Workplace provide military-grade XTS-AES 256 hardware encryption over the entire drive, including the operating system, applications, and data storage. All SPYRUS Windows To Go Drives can be configured with BitLocker software encryption. SPYRUS encrypted drives support the full set of Suite B cryptographic algorithms.

WorkSafe Built-In Smart Card Support

worksafe-colorWorkSafe and WorkSafe Pro are the only Microsoft-certified Windows To Go drives that deliver the identity and rooted authentication capabilities of a full smart card. With WorkSafe, the FIPS 140-2 Level 3/EAL 5+ validated Rosetta Micro crypto smart card chip embedded in all SPYRUS Windows To Go drives can be used as a traditional smart card in your enterprise environment.

When not booted, WorkSafe serves as a readerless USB 3.0 smart card (CCID) that enables you to use your RSA and/or elliptic curve ECDSA digital certificates with any compatible computer.



WorkSafe supports PKCS #11 and Microsoft Minidriver crypto standards. The SPYRUS Minidriver Token Utility for managing the WorkSafe smart card, certificates, and passwords is automatically downloaded from Windows Update when the drive is first booted.

Keys are always generated in hardware on the embedded FIPS 140-2 Level 3 validated Rosetta Micro hardware security controller. To ensure the highest level of security, keys are never exported.

Administrators can reset, restore, revoke, and manage user certificates on the embedded Rosetta smart card with standard smart card management systems such as Microsoft Forefront Identity Manager and with the included SPYRUS Minidriver Token Utility.

When WorkSafe is booted, your digital ID is automatically available for PKI digital certificate functions such as:

  • Smart card logon
  • File signature or encryption
  • Signed/encrypted email
  • VPN authentication
  • Web authentication

Strongest Hardware Encryption

hardware-encryption-colorSPYRUS WorkSafe Pro and Secure Portable Workplace drives provide some of the strongest military-grade hardware encryption commercially available.

The on-board hardware security infrastructure includes AES CBC, ECDH, ECDSA, ECC P-384, and SHA-384, which together make up the US Government’s Suite B cryptography, part of its cryptographic modernization program. Sector-based full disk encryption is based on XTS-AES 256 encryption (NIST SP800-38E).

All data encryption is performed in the tamper-resistant, epoxy-coated cryptographic hardware. The access password is never stored on the device, in software, or on a host computer, even in encrypted or hashed form. This safeguards the keys, passwords, and encrypted data from physical attack at all times, whether or not the WorkSafe Pro or Secure Portable Workplace is connected to a host computer.

Layered Data Security

layered-security-colorAll SPYRUS Windows To Go drives can be configured with BitLocker software encryption to protect some or all drive partitions and enabling a second layer of Defense-In-Depth encryption. BitLocker keys are protected in the tamper proof FIPS level 3 Rosetta Micro crypto chip.

SPYRUS encrypted Windows To Go drives defend the integrity of the operating environment even when booting on compromised systems. SPYRUS patented technology enforces on-the-fly hardware pre-boot integrity validation to enable secure boot while maintaining some of the fastest boot speeds in the industry. WorkSafe Pro and Secure Portable Workplace perform extensive boot-sequence validations:

  • Power-on self-tests validate HW integrity and operations, FW integrity, and cryptographic operations. Any evidence of tampering shuts down boot sequence.
  • UEFI computers may validate the SPYRUS Toughboot loader to provide seamless secure preboot authentication.The SPYRUS Toughboot loader is signed by Microsoft and meets all Secure Boot criteria for driver and OS loader digital signatures. Toughboot requires a password and authenticates users in HW over secure channel before beginning load sequence.
  • Toughboot then decrypts the Windows To Go partition and performs a cryptographic integrity check on the Windows boot loader.
  • After passing all tests, the operating system boots. Windows then authenticates user accounts, and users can log in to their Windows accounts.

The SPYRUS Toughboot loader is signed by Microsoft and meets all Secure Boot criteria. Secure Boot is a UEFI specification that checks for an approved digital signature in all drivers or OS loaders to prevent malware infections during the boot sequence.

Read Only Data Protection

read-only-colorThe Read Only option prevents retention of malware and other unauthorized downloads by resetting all changes to data, OS, and application files (except files in a Data Vault) when the user shuts down the drive. In Read Only mode, your operating system, applications, and data files are completely protected against alteration or infection from outside sources. Use a Read Only Windows To Go drive at an airport kiosk, over WiFi at the coffee shop, or on an untrusted home computer without worry.

Data Vault R/W Storage

data-vault-colorA Data Vault read/write partition can store changed user files even when ResetWP Read-Only mode is enabled. You can also configure separate BitLocker encryption for the Data Vault and use separate passwords for each instance of BitLocker or the same BitLocker password for both the drive and the Data Vault. All SPYRUS Windows To Go drives can be configured with a Data Vault partition during provisioning.

Enterprise Central Device Management


All SPYRUS Windows To Go drives can be managed over an enterprise domain with the SPYRUS Enterprise Management System (SEMS) for mobile device management (MDM). SEMS features include remote device disable and destroy functions, remote password reset, policy enforcement, transaction auditing, and more.

The SPYRUS Enterprise Management System (SEMS) provides secure lifecycle management on enterprise domains for USB devices. SEMS-managed drives must have the SEMS client software (separate order, requires licensed server software) installed and be joined to a SEMS domain.

Destroyed drives can later be cost-effectively reprovisioned and redeployed.

Compare SPYRUS Windows To Go Drives

XTS-AES 256 Hardware Encryption Layered Data Security Built-In PKISmart Card Data Vault Read/Write Read Only Option SEMS Device Management Option Bit Locker full disk and/or Data Vault
WorkSafe Pro
Secure Portable Workplace
Portable Workplace

Use Cases

use-cases-colorSPYRUS Windows To Go drives are great for remote or traveling workers, who can enjoy the same networking experience at the office or at remote locations using smart card authenticated VPNs.

SPYRUS Windows To Go drives make an ideal configuration for remote access/VDI/Cloud, and Office 365, providing a true secure trusted endpoint. Your enterprise can enforce access to only your network and prevent local access or data storage.

As a cost-effective teleworker solution, use 32 GB SPYRUS Windows To Go drives with the Read Only option to boot SPYRUS drives securely from untrusted home computers. Your organization can enforce work and data saving to the enterprise network, or if required, changed files can be saved on a Data Vault read/write partition.

For disaster recovery, SPYRUS Windows To Go drives configured with your enterprise image can quickly restore Continuity of Operations on rental hardware. You can be up and running in hours instead of days, saving the time it could take to configure each new computer.

How can SPYRUS Windows To Go drives help your enterprise?

  • BYOD at the office
  • Road warriors
  • Teleworkers
  • Managed computing environment for temporary/contract workers
  • Secure VDI and cloud access
  • New employees up and running quickly
  • Continuity of Operations during disaster recovery
  • Cost-effective deployment of enterprise environment
  • Access legacy Windows XP applications with dual booting from hard disk or Windows To Go drive

SPYRUS Deployment Suite

provisioning-colorUse the SPYRUS Deployment Suite for Windows To Go with your custom enterprise Windows image (WIM) to create SPYRUS Windows To Go drives exactly tailored to your organization’s requirements. When you provision your own drives, you have full control over all operating system configurations, applications, settings, Data Vault configuration, and options such as Read Only or SEMS. You can provision up to eight identical drives at one time.

Provisioning requires a 64-bit computer running Windows 8 Enterprise and the SPYRUS Deployment Suite, provided with all drive orders.

Request another copy the SPYRUS Deployment Suite.

Macintosh Support Service

mac-colorSPYRUS Windows To Go drive boot Windows 8 or Windows 8.1 on almost any PC certified for use with Windows 7 or Windows 8. SPYRUS also provides a preparation service for creating custom Windows 8 Enterprise images that boot SPYRUS Windows To Go drives running Windows 8 on Apple Macintosh hardware. Use of SPYRUS Windows To Go drives on Macintosh is not supported by Microsoft.



Hardware SecuritySuite B cryptographic algorithm supportFull Disk Encryption: XTS-AES 256 IEEE-1669Digital signatures: RSA and Elliptic Curve Digital Signature (ECDSA)PKI Compliance

Cryptographic functions:

Elliptic Curve Update all P-384, SHA 2 384; XTS AES 256

Legacy Algorithms: RSA, DES, 3DES, SHA 1

Extensive health checks and hardware alarms enabled


Microsoft Windows To Go certified drives

FIPS 140-2 Level 3 Certified PKI device Certificate 1302

EAL 5+ validated hardware security core

FCC 47 Part 15, Class B






USB 3.0 Super Speed


Read: 240 MB/sec (100 GB)

Write: 240 MB/sec (100 GB)

Boot or shut down in under 30 seconds


MTBF: 1,000,000 hours

Data Retention: 10 years


Operating voltage: Vcc=3.3 to 5VDC

Power consumption: ~30mA @ 3.3VDC


Operating Shock: 1500G

Operating Vibration: 16G

Operating Temperature: 0C to +70C

Operating Humidity: 5 to 98%


32 GB, 64 GB, 128 GB capacities

Cryptographic Standards

Suite B, a set of cryptographic algorithms promoted by the National Security Agency as part of its cryptographic modernization program to serve as an interoperable cryptographic base for both unclassified information and most classified information, including:

Elliptic Curve Cryptography (P-256, P-384, P-521)

ECDH per SP 800-56A

ECDSA Digital Signature Algorithm

Concatenation KDF

RSA 1024 and 2048 digital signature algorithm

RSA-1024/2048 key exchange

DES, two & three-key triple DES with ECB, CBC

AES 128/192/256 with ECB, CBC

SHA-1 and SHA-224/256/384/512 secure hash algorithms with HMAC support

Case Measurements

95.3 mm x 24.5 mm x 9.8 mm

© 2014 SPYRUS, Inc. All rights reserved.