BioCert® Identity includes encryption services provided by
the Document Manager. This allows the user to create encrypted
Secure Disks as well as to encrypt individual files and
documents.
By using encryption, your sensitive data is protected and may
only be un-encrypted with the correct key. The encryption key is
stored securely within BioCert® Identity and may only be used
after you have authenticated with your Identity.
The following topics are available to familiarize users with
BioCert® Identity Document Manager features:
Document Manager Overview
BioCert® Identity Document Manager allows the user to
create encrypted Secure Disks as well as to encrypt
individual files and documents. Although both of these
services utilize encryption, they are handled separately.
Below is a description of each service and the differences
between them.
A Secure Disk is not actually a physical
disk but rather a virtual disk that mounts on your system
and shows up like a drive (C:, D:, E:, etc.). It is actually
just a file created by BioCert® Identity which contains a
pre-allocated amount of disk space for storing files and
documents within it. In essence, it is a file which stores
other files within it, but looks to the operating system as
if it is a separate disk. Access to the entire disk is
managed by BioCert® Identity and only authorized users will
be able to "mount" it on the system (mounting a drive simply
means enabling it and making it visible to the system as one
of the drive letters). Thus the user need not worry about
encrypting every file within the Secure Disk because the
entire disk is encrypted. Even if your computer or its hard
drive is physically stolen, the files and documents
contained within the Secure Disk would not be accessible.
Note
Secure Disks can be created in the following locations:
- Physical hard drives (IDE, SCSI, SATA, etc.)
- USB Flash drives
- Network drives
- Removable drives
The ability to encrypt individual files and documents is
provided by the Document Manager service. In contrast to
mounting a Secure Disk, this option allows file-by-file
encryption on any file located anywhere the operating system
can see it, except read-only locations like CDs and Secure
Disks. The Encrypt and Decrypt
functions are provided through tight integration with
Windows Explorer and Microsoft Word. In addition, you may
create encrypted Packages, which are
self-extracting executable files that each contain a set of
encrypted files (much like a common ZIP file).
For more information on how to use these two services
please see the following sections:
Creating and Using Secure Disks
BioCert® Identity Document Manager can create
encrypted Secure Disks in the following locations:
- Physical hard drives (IDE, SCSI, SATA, etc.)
- USB Flash drives
- Network drives
- Removable drives
Creating a Secure Disk
To create a Secure Disk, follow these steps:
- Log on to BioCert® Identity.
- In the My Identity panel, select Create
New Secure Disk or right-click the BioCert®
Identity icon in the task bar notification area and
select Document Manager >
Create New Secure Disk. The Secure Disk
Wizard will come up.
- If this is the first time creating a Secure
Disk, you may be required to set up your encryption
settings and a recovery pass-phrase. If so, please
see the section on Encryption Key Wizard.
- Specify a name for the Secure Disk, such as
My Secure Documents.
- Pick a location for the Secure Disk from the
drop-down or browse to an acceptable path. The
Secure Disk will end up as a file in that location
with a .DMD extension.
- Choose the size for the Secure Disk, from 64Kb up
to as much free space as is available on the drive
location chosen above. Keep in mind that the Secure
Disk will immediately consume this much disk space,
regardless of how many files get stored on it. Also,
know that a certain small amount of the specified
size will be consumed by BioCert® Identity for
housekeeping. It is recommended that you leave
enough space available for other applications and
system files. A good size to start with might be
100Mb.
Note: The size of a Secure Disk may be changed
later.
- If you would like to configure advanced options,
including the encryption method used, drive letter
to assign the Secure Disk, File System settings
(FAT, FAT32, NTFS), and other options, select
Configure advanced secure disk options
(see below for details).
- Click on Finish to complete the
wizard and make the new Secure Disk available for
use.
Configuring Secure Disk
Configuring advanced settings for a Secure Disk:
- First, select the Cryptographic Provider
to use for the Secure Disk encryption from the
drop-down.
- Next, select a Cipher from the
list provided by the provider. A cipher is the
encryption method used, such as RC2, RC4, DES, etc.
- Select a key length for the
cipher and click Next. In general,
the longer the key, the more secure the encryption,
but longer keys may require more computing
resources.
- On the next page, choose a drive letter
to assign the Secure Disk to or leave it on
Auto.
- Select a file system to use for
the Secure Disk. In general, it is recommended that
you use the same file system type as the underlying
drive where the Secure Disk file is being placed.
- Choose whether to have the drive
Automatically mount when logging on.
Checking this box will make the drive available as
soon as you log on; otherwise the drive must be
mounted manually.
- Choose whether to have BioCert® Identity
Authenticate user before mounting the secure disk.
This option will authenticate the user before
mounting the drive, even if the user has already
logged on to BioCert® Identity.
- Choose whether to Simulate a fixed disk
with the Secure Disk. This option must be checked if
you plan to make the drive shareable under Windows
XP.
- Click Finish to finalize the
Secure Disk.
Using Secure Disk
Once a Secure Disk has been created and mounted, you
are free to use it just as you would any other available
drive. The difference, of course, is that the Secure
Disk drive is protected by encryption and only usable by
you or those you authorize to use it. There is no need
to treat this drive any differently than you would any
other mounted drive; the experience is transparent.
Managing Secure Disks
To manage your Secure Disk Drives, perform the
following actions:
- Log on to BioCert® Identity.
- In the My Identity panel, select Manage
Secure Disks or right-click the BioCert®
Identity icon in the taskbar notification area and
select Document Manager >
Manage Secure Disks.
- Select the Secure Disk you would like to manage.
- You may view its properties, mount or un-mount
the disk, and remove it. Note that by removing the
drive, it is only removed from management within
BioCert® Identity. The .DMD file will still exist,
and unless you delete that file, the Secure Disk and
all of its contents will remain intact (just not
accessible). If you remove the Secure Disk, you may
add it back later by selecting More
> Add existing disk. This is
convenient if you ever need to transfer a Secure
Disk between computers or restore a Secure Disk that
was backed up.
You can also manage some settings for a previously
created Secure Disk, including disk size. To configure a
Secure Disk's settings:
- Log on to BioCert® Identity.
- In the My Identity panel, select Manage
Secure Disks or right-click the BioCert®
Identity icon in the taskbar notification area and
select Document Manager >
Manage Secure Disks. A list of registered
Secure Disks is displayed.
- Select the Secure Disk you wish to modify, and
then select Properties. The Secure Disk
Properties dialog box is displayed.
- On the General tab, configure the
settings related to the disk mounting operation.
- To change the size of the Secure Disk, select the
Change button, and then specify a
new size for the selected Secure Disk.
- On the Sharing tab, you can allow
and configure sharing of the Secure Disk with other
users.
- Select OK to save the changes.
Sharing Secure Disks
BioCert® Identity allows you to share your Secure Disks
with other users and configure the permissions other users
have over your Secure Disks. To configure Secure Disk
sharing:
- Log on to BioCert® Identity.
- In the My Identity panel, select Manage
Secure Disks or right-click the BioCert®
Identity icon in the taskbar notification area and
select Document Manager >
Manage Secure Disks. A list of registered
Secure Disks is displayed.
- Select the Secure Disk you wish to share with other
users, and then select Properties.
The Secure Disk Properties dialog box is displayed.
- On the Sharing tab, you can add, remove
and modify users and groups that may have access to
the selected Secure Disk. You can also specify
permissions that other users may have over the Secure
Drive, such as Full Control, Read Only,
etc.
- Select OK to save the changes.
Encrypting Individual Files and Documents
BioCert® Identity offers individual file and document
encryption, in addition to the services provided by the
Secure Disk feature. This may be preferable when the number
of documents which need encrypting is small or the storage
needs for such documents must be flexible. Also, encrypting
individual files or creating encrypted packages is more
convenient when those files must be transmitted to another
location securely and the network cannot be trusted.
As mentioned in the overview section, the encryption
services are tightly integrated into both Windows Explorer
and Microsoft Word. The first time you use an encryption
feature, you will need to go through the Encryption Key
Wizard. The encryption services will then be available. The
next sections will describe how to use these services. In
general, the following actions are possible:
- Encrypt files and documents
- Decrypt files and documents
- Open encrypted files and documents
- Save encrypted files and documents
- Secure delete files and documents
- Make encrypted package (self-executing)
Using Windows Explorer
Encrypting files and documents
To encrypt files or documents:
- Select the file, files, or folders you wish to
encrypt within an Explorer window or on the desktop.
- Right click the mouse on the selected files or
select the File menu in Windows
Explorer.
- Select Encrypt or
Document Manager > Encrypt
from the menu.
- You may hold down the shift key
if you would like to confirm each file for
encryption from a list.
Decrypting files and documents
To decrypt previously encrypted files or documents:
- Select the file, files, or folders you wish to
decrypt within an Explorer window or on the desktop.
- Right click the mouse on the selected files or
select the File menu in Windows
Explorer.
- Select Decrypt or
Document Manager > Decrypt
from the menu.
- You may hold down the shift key
if you would like to confirm each file for
decryption from a list.
- Depending on the options set, you may be asked
to authenticate your identity before the file is
decrypted.
Opening encrypted files and documents
To open encrypted files or documents:
- Select the file, files, or folders you wish to
open within an Explorer window or on the desktop.
- Right click the mouse on the selected files or
select the File menu in Windows
Explorer.
- Select Decrypt and Open from
the menu.
- For single files, simply double-clicking on the
file will, by default, decrypt and open the file in
the appropriate application.
- Depending on the options set, you may be asked
to authenticate your identity before the file is
decrypted or opened.
Securely deleting files and documents
To securely delete files or documents:
- Select the file, files, or folders you wish to
securely delete within an Explorer window or on the
desktop.
- Right click the mouse on the selected files or
select the File menu in Windows
Explorer.
- Select Document Manager >
Secure Delete from the menu.
- You may be asked to confirm the deletion. Click
OK to confirm.
Making an encrypted package
To make an encrypted package (self-extracting
executable) from files and documents:
- Select the file, files, or folders you wish to
include in the package from within an Explorer
window or on the desktop.
- Right click the mouse on the selected files or
select the File menu in Windows
Explorer.
- Select Document Manager >
Make Package from the menu.
- Enter a path and name for the package file. By
default, the path will be the same location as the
files.
- Enter a pass-phrase (password) for the package
that will be used to extract the files later.
- Confirm the pass-phrase by typing it again.
- Optionally check the box to securely delete the
original files after the package is created.
- Click Finish to complete the
wizard and create the package.
Using Microsoft Word
Encrypting documents
To encrypt a document:
- Select File > Document
Manager > Save As Encrypted
from the menu.
- Enter a name for the encrypted document.
- Click Save to save it.
Opening encrypted documents
To open previously encrypted documents:
- Select File > Document
Manager > Save As Encrypted
from the menu, then select the desired file.
- Depending on the options set, you may be asked
to authenticate your identity before the file is
decrypted or opened.
Saving encrypted documents
To save an encrypted document:
- Select File > Document
Manager > Save As Encrypted
from the menu.
- Enter a name for the encrypted document.
- Click Save to save it.
Encryption Key Wizard
The Encryption Key Wizard will come up the first time you
try to use an encryption feature. It must be completed
before you can use any encryption-based functionality. Here
are instructions for how to set up your encryption settings
and recovery pass-phrase:
- First, you will have the option to configure
Advanced cryptographic parameters. If you would
like to use the default settings, leave this box
unchecked and skip to step 3 after clicking Next.
- If you have selected the advanced checkbox, you will
be asked to enter a key length. The
default length is 1,024 bits, but you may choose
lower (512) or higher (up to 8,192). A length of at
least 1,024 is recommended. Longer keys do offer
better security, but they require additional
storage in the user identity files and consume more
processing power to encrypt/decrypt. After selecting a
key length, click Next to continue.
- Pick a recovery pass-phrase, if
desired. A recovery pass-phrase will allow you to
decrypt encrypted files without using your user
identity. This is helpful in the event of identity
damage or if you ever need to decrypt files outside of
BioCert® Identity. If you choose not to use a
pass-phrase, check the Do not use recovery
pass-phrase checkbox.
- Click Finish to finish the wizard
and begin using encryption-related features.
Recovering Files, Documents and Secure Drives
The BioCert® Identity recovery utility allows you to decrypt
previously encrypted user files and documents when you
cannot use the BioCert® Identity software to do so.
Important
In order to use the recovery utility, you must know the
pass-phrase that was specified during the encryption
operation.
The BioCert® Identity recovery utility, ASRecovery.exe,
is located in the BioCert® Identity Bin folder on a hard drive
and should be used with the following parameters:
ASRecovery <FileName> [<UserName> [<"Pass-phrase"> [<TargetDir>]]]
where:
FileName - Name of the file to be decrypted. No
wildcards are allowed in this version of the product. The
recovery operation can be applied to an encrypted (.dmf)
file as well as a secure disk (.dmd) file.
UserName - Name of the user who has encrypted
the specified file or is eligible for decryption. If the
name is not specified, the recovery utility displays the
list of users who have rights to decrypt the data.
Pass-phrase - Secret pass-phrase that was used
during the encryption operation. If the pass-phrase contains
spaces, it should be surrounded by quotes "".
TargetDir - Destination folder where the
decrypted file will be copied. If not specified, the current
folder is used as the destination.
To run the BioCert® Identity recovery utility:
- Run Command Prompt from the Start menu
> Programs > Accessories.
- Navigate to Program Files\BioCert® \BIC\Bin.
- Type ASRecovery along with the
required parameters described above.
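One way to call ASRecovery from PowerShell while enforcing the parameter rules described above (an added example, not part of the product or its documentation). The function name Invoke-ASRecovery, the $ExePath default, and the sample file, user and folder names are assumptions.

```powershell
# Added example, not vendor code. Function name and $ExePath default are assumptions.
function Invoke-ASRecovery {
    param(
        [Parameter(Mandatory)] [string] $FileName,
        [string] $UserName,
        [securestring] $PassPhrase,
        [string] $TargetDir,
        # Assumed location: set this to ASRecovery.exe in your installation's Bin folder.
        [string] $ExePath = '.\ASRecovery.exe'
    )

    # Documented restriction: no wildcards in FileName.
    if ($FileName -match '[*?]') { throw 'FileName must not contain wildcards.' }

    # Documented inputs: an encrypted file (.dmf) or a Secure Disk file (.dmd).
    $ext = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    if ($ext -notin '.dmf', '.dmd') { throw "Expected a .dmf or .dmd file, got '$ext'." }
    if (-not (Test-Path -LiteralPath $FileName -PathType Leaf)) {
        throw "File not found: $FileName"
    }

    # The parameters are positional and nested: each needs the one before it.
    if ($PassPhrase -and -not $UserName) { throw 'A pass-phrase requires UserName.' }
    if ($TargetDir -and -not $PassPhrase) { throw 'TargetDir requires a pass-phrase.' }
    # Assumption: the destination folder should already exist.
    if ($TargetDir -and -not (Test-Path -LiteralPath $TargetDir -PathType Container)) {
        throw "Target folder not found: $TargetDir"
    }

    $arguments = @($FileName)
    if ($UserName) { $arguments += $UserName }
    if ($PassPhrase) {
        # Convert to plain text only here, so the pass-phrase is never typed into
        # the shell or saved in command history. It is still passed to the
        # utility as a command-line argument, as the documented syntax requires.
        $arguments += [System.Net.NetworkCredential]::new('', $PassPhrase).Password
    }
    if ($TargetDir) { $arguments += $TargetDir }

    # PowerShell adds the quotes around arguments that contain spaces.
    & $ExePath @arguments
}

# Constructed sample values. With only FileName, the utility lists eligible users.
# Invoke-ASRecovery -FileName 'C:\Backup\report.dmf'
# $pp = Read-Host 'Recovery pass-phrase' -AsSecureString
# Invoke-ASRecovery -FileName 'C:\Backup\report.dmf' -UserName 'jsmith' -PassPhrase $pp -TargetDir 'C:\Recovered'
```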
Document Manager Troubleshooting
The following sections describe some of the problems that
can be encountered when using Document Manager and suggest
ways to resolve them.
The Document Manager functionality is missing from the
My Identity panel.
One possible reason is that the administrator has
implemented a policy which will not allow you to use this
feature, or will not allow you to use it unless you are
authenticated with a certain type of credential
(fingerprint, for example). Ask your administrator for
access to this feature.