Background:

DataLocker offers a suite of devices that are OS agnostic. DataLocker's Sentry K300, Sentry K350, DL3/DL3FE, and DL4FE devices have onboard authentication mechanisms. The Sentry K300 and K350 have a PIN pad and OLED display for logging in to the encrypted device, and the DL3/DL3FE and DL4FE have a touchscreen where login can occur. As such, these devices can be used to collect or disseminate data to devices that may not have a traditional OS, such as networking devices, factory equipment, or robotics.


SafeConsole management is also available for each of these devices to provide auditing, policy management, password reset, and remote actions for these hardware-encrypted devices.


Problem:

SafeConsole management requires an application (Unlocker.exe) to interface with the device in order to provide remote actions, policy updates, auditing, and more. On the K300, K350, DL3/DL3FE, and DL4FE, this application can only run on a Windows OS.


Solution:

DataLocker saw the need for these hardware-encrypted devices to be used in OS-agnostic equipment while also maintaining SafeConsole Management and added new functionality - Standalone Mode.


Standalone Mode can be used with the following devices: Sentry K300, Sentry K350, and DL4FE (This functionality is not available on the DL3/DL3FE).


The Standalone Mode policy can be configured within SafeConsole to allow the device to be unlocked without requiring a Windows OS up to 9999 times. This number is stored in the hardware of the device and will be decreased by one each time the user logs in with Standalone mode instead of SafeConsole mode.


Process:

First - The policy should be set to allow Standalone mode. You will find this policy under the corresponding tab within the Policy Editor (K300, K350, or DL4FE).



The checkbox should be checked and the maximum number set. We recommend keeping this number as low as possible while meeting user needs. (Typically this will be under 10 total but can be up to 9999.)

The "Auto request maximum Standalone Logins" option allows the user to refresh their logins to the maximum number each time they log in using SafeConsole mode.


Second - The device will need to be connected to SafeConsole to establish management. This process is slightly different for each device but consists of the following steps.


1. Log into the device with the admin password

2. Access the menu

3. Navigate to the SafeConsole option

4. Set the option to "Enabled"

5. Connect the device to a Windows OS

6. Open the Unlocker.exe application (can be found in the CD/DVD drive that mounts to Windows)

7. Follow the device deployment process (can be found in the "Help" section of SafeConsole)


More device-specific details can be found in the User Guide for your device. These are linked at the bottom of this article.


Third - The device will need to request Standalone logins (unless Auto request is enabled).

1. If not logged into the device, log in using the Admin password

2. Choose the connect option

3. Open the Unlocker.exe application

4. Click Unlock

5. Click the "Standalone" tab

6. Select a reason for Standalone and click "Request"


More device-specific details can be found in the User Guide for your device. These are linked at the bottom of this article.


Finally - The device will now have a new option after login to select whether the device will connect in Standalone mode or SafeConsole mode. The user will need to be trained to know when each type of login is required. 


For example, instructions could look like this:

When logging into a non-OS system (example: network equipment), select "Standalone" after entering your device password. You have a total of X logins to use in this manner. Should you need more Standalone logins, please select "SafeConsole" during login, connect to a Windows OS, and run the Unlocker.exe application.


Restrictions and Considerations:

As mentioned above, SafeConsole performs auditing, remote actions, password resets, etc. through the use of the Unlocker.exe application. So, if a device is used in Standalone mode, the above will not apply to the device until it returns to SafeConsole mode. This can create a small gap in auditing and remote control.


With this in mind, DataLocker recommends the following:

1. Ensure the Maximum allowed logins are kept to the lowest number that allows the user to complete their duties.

2. Ensure a secure device password policy is set - This will prevent unauthorized users from accessing the device. Note: The device will still have brute force protection in any mode.

3. Train users in the correct way to access the device for each use, i.e., only use Standalone logins when there is not a Windows OS.


User Guides:

Sentry K300 - https://media.datalocker.com/manuals/sentry/DataLocker_K300_Managed_User_Guide.pdf

Sentry K350 - https://media.datalocker.com/datasheets/flashdrives/DataLocker-SentryK350-DataSheet.pdf

DL4FE - https://media.datalocker.com/manuals/dl4/DataLocker_DL4FE_User_Guide.pdf