Dynamic Mount Utility
2.2
Administration Guide
Full Disk Encryption
10 September 2013
� 2013 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
�Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
(http://supportcontent.checkpoint.com/documentation_download?ID=27183)
To learn more, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date
Description
10 September 2013
First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:[email protected]?subject=Feedback on Dynamic Mount Utility 2.2
Administration Guide).
�Contents
Important Information.............................................................................................3
Introduction .............................................................................................................5
Support and Restrictions ..................................................................................... 5
Known Limitations ............................................................................................... 6
Download ............................................................................................................ 6
Set Up ......................................................................................................................7
Preparing for Use ................................................................................................ 7
Preparing a BartPE Boot CD ............................................................................... 7
Preparing a WinPE Boot CD................................................................................ 7
Installing the Utility Inside Windows ..................................................................... 8
Usage .....................................................................................................................10
Using the Dynamic Mount Utility with a Boot disk ...............................................10
Using the Dynamic Mount Utility inside Windows ...............................................10
�Introduction
Introduction
This document describes the Dynamic Mount Utility 2.2 for the Endpoint Security R80 and E80.x client (Full
Disk Encryption 8.0).
Note - For older FDE versions (7.x) use DMU 1.x.
If the operating system fails on the endpoint computer, the protected disk can be accessed using the
Dynamic Mount Utility (DMU) for Protected Volumes.
The Dynamic Mount Utility:
Lets you access hard disks connected through a USB port
Is hardware independent
Note - The Full Disk Encryption Alternative Boot Menu is not hardware independent.
Runs from a Windows environment, or from a pre-prepared WinPE or BartPE CD/DVD
Replaces the Full Disk Encryption slaving feature of previous releases.
Does not require Full Disk Encryption on the disk
Use the Dynamic Mount Utility if you do not want to do a recovery.
Dynamic Mount Utility 2.2 for the Endpoint Security R80 and E80.x client (Full Disk Encryption 8.0). For
older FDE versions (7.x) use DMU 1.x.
Support and Restrictions
Subject
Restriction
Supported Versions
DMU 1.x supports Full Disk Encryption version 6.x and 7.x
For further information on using DMU with Full Disk Encryption 7.x, see
sk43089 and sk44662.
DMU 2.x supports Full Disk Encryption version 8.x and higher.
Remote Help
Remote Help is available when authenticating to the hard disk, but Remote
Help is not available when authenticating to a recovery file.
Windows Integrated Logon
When using the Dynamic Mount Utility on a computer where Windows
Integrated Logon (WIL) is active, you must authenticate using the credentials
of a valid Full Disk Encryption account.
Recovering Multiple Volume
disks with DMU 2.0
When booting from a BartPE CD and attempting to unlock a multi-volume
disk, the primary volume successfully unlocks but authentication to
secondary disks fails. To unlock secondary disks, export the recovery file
from the server and then authenticate to it.
BIOS (MBR) and UEFI (GPT)
systems
DMU only supports GPT formatted disk(s) on UEFI system and MBR
formatted disk on a BIOS system.
Dynamic Mount Utility Administration Guide 2.2 | 5
�Introduction
Known Limitations
ID
Description
00513055
An error occurs when unlocking a FAT volume on Windows XP with the Dynamic Mount
Utility. Even if authenticating to the volume, you will only see garbage in Explorer when
you are trying to examine the files.
00512932
Windows can crash with the Dynamic Mount Utility in standalone mode. The blue screen
occurs after Windows is loaded (when Windows is searching for drivers for the disk). The
blue screen code is: 0x05001146
Workaround:
Connect the encrypted disk to the machine before booting into Windows or WinPE. After
that, start the Dynamic Mount Utility and unlock the drive. Do not unmount the unlocked
drive in Windows or WinPE.
The Dynamic Mount Utility (Check Point - Full Disk Encryption Dynamic Mount
Utility.msi) cannot be installed on a computer that already has Full Disk Encryption
installed.
Download
Download FDE Dynamic Mount Utility 2.2 from the Support Center (
http://supportcenter.checkpoint.com/file_download?id=11915).
Dynamic Mount Utility Administration Guide 2.2 | 6
�Set Up
Set Up
In This Section:
Preparing for Use
Preparing a BartPE Boot CD
Preparing a WinPE Boot CD
Installing the Utility Inside Windows
7
7
7
8
Preparing for Use
Before a Full Disk Encryption disk can be unlocked, it must first be authenticated.
The user account name associated with the Full Disk Encryption disk must have permissions for
Recovery and Uninstall.
When using the Dynamic Mount Utility on a computer where Windows Integrated Logon (WIL) is active,
you must authenticate using the credentials of a valid Full Disk Encryption account.
Preparing a BartPE Boot CD
Before booting from a BartPE CD, you must first prepare the Bart ISO image with the Full Disk Encryption
dynamic mount plug-in.
To Prepare the Bart ISO Image with the Dynamic Mount Plug-in:
1. Download and install the PE Builder from the BartPE website (http://www.nu2.nu/pebuilder/).
2. Open: FDE - Dynamic Mount Utility.zip
3. Extract two folders:
FDE_DMU_22
FDE_Filter_22
4. Copy the folders to the BartPE C:\pebuilder<version>\plugin folder.
5. Open PE Builder.
6. Click Plugins.
The PE Builder Plugins window opens.
7. Make sure Checkpoint FDE - Dynamic mount utility and Check Point FDE - Encryption filter driver
are enabled.
Note - When selecting the plug-ins, make sure additional FDE filter drivers are not enabled.
8.
9.
10.
11.
Click Close.
Below Media output, make sure Create ISO image is selected.
Select Burn to CD/DVD.
Click Build.
Preparing a WinPE Boot CD
The Windows Preinstallation environment (WinPE) is part of the Windows Automated Installation Kit (WAIK)
WinPE and WIM files
The Windows preinstallation environment (WinPE) provides a minimum Windows operating system on a
CD drive.
Windows Imaging (WIM) technology is used to deploy Windows from an image (WIM) file.
Dynamic Mount Utility Administration Guide 2.2 | 7
�Set Up
To prepare the WinPE CD:
The commands shown in this procedure are for 64-bit architecture. For 32-bit architecture, replace "64" with
"86" in the commands.
1. Get WinPE by downloading the Windows Automated Installation Kit (WAIK) from Microsoft.
Download a WAIK version applicable to the Operating system.
2. Install WAIK.
3. From the Start menu, run: Microsoft Windows AIK \Deployment tools command Prompt
The WAIK command prompt opens.
4. Run these commands in the WAIK command prompt:
a) Run copype.cmd with desired architecture (x86 or x64).Run:
copype.cmd amd64 c:\WinPEx64
b) Mount the Windows PE image. Run:
imagex /mountrw c:\winPEx64\winpe.wim 1 c:\winPEx64\mount
c) Extract the DMU zip package to the temp folder, c:\temp
d) Copy the DMU application from the dmu zip package you extracted above.
For 32-bit, copy FDE_dmu. For 64-bit, copy fde_dmu_x64
Run: copy /y /e c:\temp\Windows AIK\fde_dmu_x64
c:\winPEx64\mount\program files\fde_dmu\
e) Install the FDE filter driver into the WIM with the /add-driver command. Run:
dism /image:c:\winPEx64\mount /add-driver:"c:\temp\Windows AIK\FDE dmu
driver" /forceunsigned
f)
Unmount the WIM and commit the changes to the WIM file. Run:
imagex /unmount /commit c:\winPEx64\mount
g) Copy the modified WIM to the ISO creation folder. Run:
copy c:\winPEx64\winpe.wim c:\winPEx64\ISO\sources\boot.wim
h) Create an ISO from the ISO folder that includes the modified WIM.
To create a BIOS ISO, run: oscdimg -n -bc:\winPEx64\etfsboot.com
c:\winPEx64\ISO c:\winPEx64\winPEx64_FDE.iso
To create a UEFI bootable ISO, run: Oscdimg -m -o -u2 -udfver102 bootdata:2#p0,e,bc:\winpex64\Etfsboot.com#pEF,e,bc:\winpex64\Efisys.bin
c:\winpex64\ISO C:\winpex64\WinpeX64.iso
5. Burn the ISO file to a CD.
Installing the Utility Inside Windows
Prerequisites
If running XX Product XX from Windows, you must have Microsoft Visual C++ 2008 Redistributable
Package (x86) installed by the installer.
If running from Windows PE, the Redistributable Package is not required.
Note - The Dynamic Mount Utility cannot be installed on a computer that already
has Full Disk Encryption installed.
Dynamic Mount Utility Administration Guide 2.2 | 8
�Set Up
These packages are available:
Architecture
File to download
x86
Check Point - Full Disk Encryption Dynamic Mount Utility.msi
x64
Check Point - Full Disk Encryption Dynamic Mount
Utility_x64.msi
Note - The x86/x64 number refers to the operating system the DMU program is
installed on, not the OS on the locked disk that you want to mount. For example,
install Check Point - Full Disk Encryption Dynamic Mount
Utility.msi on a 32-bit windows machine, and then use the utility to mount a 64bit external disk connected through USB.
To install the Dynamic Mount Utility on Windows:
1.
2.
3.
4.
5.
Download the DMU package from the User Center (https://support.checkpoint.com).
Using an administrator account, run the .msi file.
Follow the on-screen instructions.
When prompted, reboot the computer.
Run the Dynamic Mount Utility from the Start menu.
Dynamic Mount Utility Administration Guide 2.2 | 9
�Usage
Usage
In this Section:
Using the Dynamic Mount Utility with a Boot disk
Using the Dynamic Mount Utility inside Windows
10
10
Using the Dynamic Mount Utility with a Boot disk
1. Boot the endpoint computer using a BartPE or WinPE boot disk
On a WinPE disk, start the Dynamic Mount Utility by running (depending on the architecture):
<x:>\Program files\FDE_Dyn_Disk.exe
or:
<x:>\Program files\FDE_DMU_X64.exe
On a BartPE disk use the Start >Programs> Check Point > Full Disk Encryption > Full Disk
Encryption Dynamic Mount Utility.
The utility opens and shows a list of connected hard drives.
2. Select the disk with Full Disk Encryption to mount.
If the selected hard drive fails to mount (it cannot be unlocked), click Browse and go to a recovery file.
Then select the drive in the list.
Note - Remote Help is not available if you authenticate to a recovery file.
3. When prompted, authenticate to the selected disk.
Note - The Set Max Failed Logons Before Reboot system setting applies to authentication
to the Dynamic Mount Utility. If you exceed the number of logons, you must reboot before you
can try again to unlock the hard disk.
Using the Dynamic Mount Utility inside Windows
1. Connect the disk with the protected volume to the Windows computer. Either:
Install the disk locally
Access the disk through a USB port.
Important - To prevent data corruption, power off the computer before you connect or
disconnect a disk that uses a USB port.
2. Open Start > Programs > Check Point > Full Disk Encryption > Full Disk Encryption Dynamic
Mount Utility.
The utility shows a list of all connected hard drives.
3. Click the drive to mount.
If mounting fails, click Browse and select the correct recovery file.
Click the drive to mount.
4. After mounting the disk, the Unlock Volume Authentication window opens.
5. When prompted, enter name and password for a user account that has uninstall and recovery
permissions for the protected volume.
Dynamic Mount Utility Administration Guide 2.2 | 10
