Trusted Drive Manager
Frequently Asked Questions
What is the EMBASSY Trusted Drive Manager?
Wave Trusted Drive Manager (TDM) provides management functions for self-encrypting drives. Self-encrypting drives are laptop hard drives with an on-board security controller and embedded capabilities for media-speed full disk encryption and pre-boot authentication. Self-encrypting drives ensure that all data stored on the drive is encrypted all the time. TDM activates the advanced security features of these drives. TDM ensures that only authorized users can access encrypted data when drive locking is enabled. Specifically,
- TDM prevents data access by unauthorized persons
- TDM protects data in the case of a lost or stolen PC or a lost or stolen hard drive
How is a self-encrypting drive different from a regular hard drive?
Self-encrypting drives are laptop hard drives with an on-board security controller and embedded capabilities for media-speed full disk encryption and pre-boot authentication. Self-encrypting drives with security activated using the Trusted Drive Manager protect against data loss due to a lost or stolen PC. The Trusted Drive Manager software activates the security that distinguishes a self-encrypting drive from a standard hard drive.
Why is a self-encrypting drive better at protecting data than a regular hard drive that is using full disk encryption software?
Security hardware cannot be modified by software, so a self-encrypting drive is more secure than a regular drive with software encryption.
Hardware encryption is also faster than software encryption. A self-encrypting drive will encrypt at host interface speeds and does not require a significant one-time encryption process.
Hardware encryption is also independent of the processor. A self-encrypting drive using encryption has no impact on the PC processing speed.
Finally, self-encrypting drives have much less overhead for management, reassignment, etc. than do regular hard drives with full disk encryption software.
What attacks does the self-encrypting drive protect against?
Self-encrypting drives are designed to protect against off-line or Data at Rest attacks. These attacks are most commonly performed on lost or stolen laptops. For an appropriately configured drive, anyone who physically steals the drive or platform still needs to know a pre-boot password to access the data.
If the self-encrypting drive is removed from the PC and mounted as a secondary drive in another PC, the data cannot be read unless the proper password is used to unlock the self-encrypting drive.
What new features have been released for Trusted Drive Manager?
- Advanced Windows Logon features for self-encrypting drives.
- Single sign-on to Windows – increases security while reducing costs associated with password management.
- Windows password synchronization – support for existing password policies ensures ease of use.
- New Multi-factor Authentication options for Dell Preboot including:
- Enhanced Security and Usability for Fingerprint Authentication, Smart Cards, and Contactless Smart Cards.
- Integration with Dell ControlPoint and ControlVault.
- Support for multiple self-encrypting drives per platform, including external drives
- Advanced options for remote management using the EMBASSY Remote Administration Server, including:
- Management of multiple drives per platform
- Setting for requiring user to change the password on first use
- Improved reporting and search criteria
- Option for adding custom text to the pre-boot screen
What is EMBASSY Remote Administration Server (ERAS) and what does it do for my network?
The EMBASSY Remote Administration Server (ERAS) enables IT administrators to remotely deploy and manage clients that are equipped with Trusted Platform Modules (TPM) and/or Seagate Momentus 5400 FDE.2 Trusted Drives.
What type of reporting is available within ERAS?
The ERAS server logs all self-encrypting drive initialization and enrollment operations.
The ERAS server can also be used to routinely log the status of all self-encrypting drives in an enterprise. This can be used as forensic evidence in case of laptop theft or loss.
How do I set up and manage the self-encrypting drive?
For more information on using a self-encrypting drive, please see our Wave TDM Getting Started Guide.
Can multiple user accounts be configured on a single self-encrypting drive?
Yes, EMBASSY Trusted Drive Manager supports whatever the drive allows, which varies by drive manufacturer. Seagate drives currently allow up to 4 users.
Are there any restrictions for passwords that contain characters present on non-English keyboards?
Given the multitude of possible combinations between regional keyboards and locales, there are some restrictions on characters present on non-English keyboards. Please refer to product documentation for more specific details.
Is there an option available that allows the Trusted Drive user-password and the Windows user-password to be identical?
The Trusted Drive Manager user password and the Windows password can be synchronized. On first login after setup, the Trusted Drive Manager user password is set to the user’s Windows password. Any subsequent changes to the Windows password are automatically reflected in the drive password upon the next Windows login. This option can be set through either the local administration screen or through an enterprise policy.
Does a user need to log in to both the self-encrypting drive and Windows?
No. A Single Sign-on feature is available so that the Windows login can be bypassed after authenticating to the self-encrypting drive with Preboot authentication. This option can be set through either the local administration screen or through an enterprise policy.
How do I recover from a lost or forgotten password?
In the standalone client configuration, the Drive Administrator password for the self-encrypting drive is placed in a file and the Drive Administrator is instructed to store that file in a physically secure location (a USB drive in a safe place, for example). Alternatively, after creating the Drive Administrator (first user), the user ID and password can be written down and stored in a secure location.
In an enterprise configuration, ERAS maintains a recovery password which can be provided to the user in the event of a lost or forgotten password.
Is there event logging and locking in the case of multiple password attempts?
The self-encrypting drive hardware has a tamper-resistant feature that forces the drive to be power cycled if more than 5 consecutive failed authentication attempts occur.
What about data recovery on a self-encrypting drive, is it possible?
Drive-level data recovery for a self-encrypting drive works exactly as it does for a regular hard drive. Existing data backup and restore tools may be used with self-encrypting drives as part of a normal and proper IT process.
Can the drive be completely erased and used again?
In today’s dynamic business environment, PCs are frequently repurposed when organizational structure changes or work is outsourced. Trusted Drive Manager makes it possible for a drive administrator to destroy the drive’s encryption key. This renders all the data on the drive permanently unreadable. The entire file system is cryptographically obliterated, allowing the drive to be reimaged and repurposed with confidence that no residual data can be recovered.
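The failed-attempt lockout and the key-destruction erase described in the answers above, as an added Python model that is not Wave's or any drive vendor's code. It assumes a single media key wrapped by a password-derived key, and uses a SHA-256 keystream as a toy stand-in for the drive's hardware cipher. `ModelSED` and its method names are hypothetical.

```python
import hashlib, hmac, os

MAX_USERS, MAX_FAILS = 4, 5  # limits quoted in this FAQ

def _kek(password, salt):
    # Password-derived key that wraps the media key (assumed hierarchy).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
def _tag(kek):
    return hmac.new(kek, b"verify", "sha256").digest()
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _cipher(key, data):
    # SHA-256 counter keystream: toy stand-in for the drive's hardware cipher.
    ks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return _xor(data, b"".join(ks))

class ModelSED:
    def __init__(self):
        self._key = os.urandom(32)   # media key; a fresh drive is unlocked
        self._users, self._media, self.fails = {}, b"", 0
    def add_user(self, name, password):
        if self._key is None or len(self._users) >= MAX_USERS:
            raise ValueError("drive locked or user slots exhausted")
        salt = os.urandom(16)
        kek = _kek(password, salt)
        self._users[name] = (salt, _xor(self._key, kek), _tag(kek))
    def power_cycle(self):
        # Clears the failure counter; with locking enabled the volatile key is lost.
        self.fails, self._key = 0, (None if self._users else self._key)
    def unlock(self, name, password):
        if self.fails >= MAX_FAILS:
            return "power-cycle-required"  # refused even with the right password
        salt, wrapped, tag = self._users.get(name, (b"\0" * 16, b"", b""))
        kek = _kek(password, salt)
        if not hmac.compare_digest(tag, _tag(kek)):
            self.fails += 1
            return "denied"
        self.fails, self._key = 0, _xor(wrapped, kek)
        return "unlocked"
    def write(self, data):
        if self._key is None:
            raise PermissionError("drive is locked")
        self._media = _cipher(self._key, data)
    def read(self):
        return None if self._key is None else _cipher(self._key, self._media)
    def crypto_erase(self):
        # Destroy the media key; the old ciphertext stays on the media.
        self._key, self._users, self.fails = os.urandom(32), {}, 0
```

After `crypto_erase()` the stored ciphertext is byte-for-byte unchanged, yet no password can recover the plaintext because the only key that decrypts it no longer exists.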
Will utilities such as “Ghost” work on machines with a self-encrypting drive?
Utilities such as Ghost will work as long as a correct username and password for the self-encrypting drive have been entered. We recommend the drive be in an uninitialized state if you are going to use a ghosting utility.