Zero Overhead Key Management



Zero Overhead Key Management is CryptoMill’s unique, powerful facility for managing access to encrypted items. As the name implies, this key management facility places minimal overhead on organizations. The key management facility is lightweight, flexible and distributed. Most importantly, it avoids the costly overhead and process pitfalls associated with legacy key management systems. Zero Overhead Key Management is the innovative foundation upon which Trust Boundaries are implemented.

Key Storage


We eliminate the need to store thousands and thousands of keys increasing availability and reliability!


Each key is recomputed when it is needed, based on environmental components.

Key Management Benefits


Zero Overhead means Lower TCO


• No elaborate Key Escrow process

• No Key Servers to deploy or manage

• No Key Database to secure


No Key Server means Extremely Scalable


• When securing or accessing disks, removable media and files

• For recovering access to any encrypted item


Zero Overhead Key Management is Mobility Friendly


Fully functional even when clients are disconnected from network

In transit, out of the office, at customer sites, etc.



• From a Key Management perspective, CryptoMill's "Zero Overhead" architecture is highly scalable. With this architecture, keys can be generated, accessed, used and recovered, for hundreds of thousands of users (or more). Each user is able to create and use millions of secured objects, whether connected to the network or not. All of this support is available without the need of a large, unwieldy key escrow database system.

• Trust Boundaries and Policies are managed at the branch/department/campus level using a CryptoMill Site Active Management Server (or SAMS). Management activity at the site can be performed by multiple administrators, using the Management Console application. Each user has a home site (SAMS), from which it receives policy updates, and to which it sends audit/reporting event information.


• To scale out across the organization, IT can deploy as many sites (SAMSs) as needed, to meet their segmentation needs -- whether departmental, functional, jurisdictional, or geographic. Through a simple import/export process, each SAMS can share Trust Boundary and Policy settings as needed, providing any inter-site linkage that may be required.


• Note that the range of PCs covered by a SAMS is purely logical; that is: it is independent of network topology, and independent of enterprise login domains or other such divisions. A SAMS will typically handle up to between 5,000 and 10,000 users.


• In an upcoming release of SEAhawk, CryptoMill is planning on providing a higher-level management architecture to manage, connect, and align the various SEAhawk sites (SAMS). This architecture will introduce concepts of Regions (sets of related Sites), management roles with different scopes (e.g. Regional Administrators as well as Site Administrators), and centralized Policy management, including policy inheritance – allowing Enterprise-wide, or Region-wide policies to underpin the more local Site policies.


• Currently, SEAhawk targets Windows clients. However, the key management, Trust Boundary and Policy concepts are OS-independent and can apply equally to other platforms and architectures (UNIX, Linux, Apple, SUN, IBM and others), once SEAhawk agents are available for them.

Centralized Management

CryptoMill's Web-based Management Console is a Management application for SEAhawk enterprise administrators.


Architectural advantages


 Being web-based, the Management Console:


• Can be run from any administrator's device (desktop PC in his office, laptop in the field, or smart-phone/tablet)

• Independent of OS -- all you need is a web browser

• Requires no installation

• Has the look and feel of modern software.


Functional advantages


 The Management Console provides these features:


• Role-based management

• Different admins can be assigned different duties / capabilities based on role

• Excellent reporting and auditing, including compliance-oriented reports

• Seamless support for customers upgrading from Basic to Premium SEAhawk.

• Remote, Mass secure erase

• Incorporates helpdesk functionality which can be segregated from the policy management by the use of roles

Trust Boundaries

Creates custom cryptographic boundaries within the organization, limiting the accessibility of data within the boundaries.


Trust Boundaries 'A' (Head Office)

Trust Boundaries 'C' (West Branch)

Trust Boundaries 'B' (East Branch)

A Trust Boundary (TB) provides data containment by binding the data to an organization. This prevents data from falling into the wrong hands either accidentally or intentionally. TBs Protect Data, Prevent Internal Breaches and allow for Easy Group Sharing.


Information is secured and accessed only within organizational perimeters thereby preventing internal data breaches to unauthorized parties. For example, a malicious employee will be unable to take data on any removable device to a competitor.


Secured with CryptoMill's Zero Overhead Key Management, data is cryptographically bound to the organization. This prevents decryption of documents or other sensitive information outside of the Trust Boundary.


Within an organization, any number of Trust Boundaries can be employed to segregate users by:


• Functional departments

• Business Units / Project Teams

• Executive / General Staff

• Groups which must legally be separated

• Or, not at all - The entire enterprise.


Trust Boundaries transcend geography and network topology.


Benefits of Trust Boundaries


Data Protection


In the event of a lost device, privacy is always preserved since the data cannot be read or understood, because it is encrypted. For example, a USB drive lost in a parking lot is of no use to anyone that finds it.


Prevents Internal Breaches


Trust Boundaries prevent internal data breaches to unauthorized parties. For example, a malicious employee will be unable to take data on any removable device to a competitor. Protected media simply cannot be decrypted outside of the Trust Boundary.


Easy Group Sharing


Securely share data internally, even without passwords. Any user within a designated Trust Boundary can have automatic access to encrypted data.

Self Encrypting Drives (SED)

Many new generation laptops are now carrying Self Encrypting Drives. A Self-Encrypting Drive (SED), is a Hard Disk Drive (HDD) 100% compatible with the SATA specifications which can be accommodated in lieu of a regular HDD on any computer. These drives offer hardware-based data security by encrypting any and all the data that is written to the disk. Unlike typical hard drives, SEDs have built-in encryption that "scrambles" all stored data so it is completely unreadable to all unauthorized persons or devices, by default. The encryption is internal to the disk, transparent and automatic. There is no way to turn it off. The SED will encrypt all data that it receives.

The growing presence of SEDs in the data protection market can be attributed to several drivers including:


• Federal regulations increasingly require public disclosure in the event personally identifiable information has been mishandled

• Storage technology is getting faster

• Growing awareness from IT that costs related to encryption encompass more than simply licenses

• There’s significant expense related to management and integration,    as well as the cost of acquisition


With SEDs, the encryption keys are generated in the drive itself and access control/ authorization also takes place in the drive. The drive-embedded encryption executes below the partition table and below the file system. Hardware-based self-encrypting drive technology enables "always embedded" key management, which, when managed properly, does not expose the encryption key outside the drive hardware. This protected key management effectively creates multi-factor security for drive data. To access the data, both access credentials and the original drive hardware are required (i.e., something you know and something you own).


In contrast, software-encrypted partitions can be copied and attacked offline (this becomes even easier if the keys are centrally stored and accessible through insider attack) Today almost all hard drive vendors have developed their own versions of Self Encrypting Drives, spurred by the passage of a single industry standard, Opal, published by the Trusted Computing Group in January 2009. Currently, Seagate, Hitachi, Toshiba, Samsung and Micron are offering OPAL-compliant SEDs. Samsung and Micron are offering SSD SEDs.

How does Hardware FDE

compare to Software FDE?

Built-in Dedicated CPU


Hardware - Encryption operations are performed by the hard drive itself, preventing performance loss Software - Encryption operations are performed by the main processor, causing performance loss


The Best Security


Hardware - Encryption keys are locked securely within the drive and are never released to main memory at any time Software - Keys are stored in computer memory. This is vulnerable to attacks like ‘Cold-boot’ and ‘Evil Maid’


Instant Activation


Hardware - Encryption is always on, making activation instantaneous.

Software - After installation, the hot encryption operation can take hours or days.


No Performance Impact


Hardware - 0% to 1% Software - 20% to 25%

Benefits of SEDs

SED provide extremely important benefits. SEAhawk SED management facilitates all these SED benefits to an organisation.

1. Superior performance


All the encryption and decryption is done in line with the data fetching within the drive itself. Most of these drives utilize a specialized chip that implements an extremely fast and low power AES engine. Data throughput is not limited by the speed of the cryptographic operations and the main CPU is never used for encryption. We have not found any performance differences between a regular HDD and an SED.

2. Superior security


The actual encryption keys never leave the drive enclosure so the protected machine is immune to “evil maid” and “cold boot” attacks.


3. Instant activation


With the Software FDE one would typically have to wait for 3-36 hours while the computer would go through all the existing data on the HDD and encrypt it on the fly. This process is slow and in order to prevent any data loss (e.g. in the event of power failure) there is a lot of redundant disk I/O going on. In contrast, SED drives are already encrypted from the factory. All that is needed is to turn on the authentication. There is no need to re-encrypt. Therefore activating the protection takes seconds.


4. Instant deactivation


The authentication can just as quickly be deactivated when needed (given proper authorization). This is important in some situations where the security has to be immediately disabled to perform maintenance on the Operating System in case it is suffering from boot failure or data corruption. After the maintenance task, reactivation is also fast. With Software FDE the process of decrypting the disk, fixing the issue and re-encrypting the disk could take days to complete.


5. Instant secure erase


To prevent data leakage and to ensure conformity with corporate governance practices, IT must have a means of effectively “wiping” sensitive data from a machine. With an always embedded key architecture, data can be cryptographically erased just by destroying the key. By sending a command to the drive to destroy its key, all content of the drive becomes undecipherable, random data. This process is extremely fast as the key data is relatively small.


6. Clean Windows boot environment


With SED you don’t need custom boot loaders or custom filters loaded during Windows start-up. No INT13 filters are required either. This allows for easy repair operations even on an encrypted and activated SED, something that is impossible with Software FDE.


7. Auto-locking


The drive will automatically revert to the locked state once it loses power, like on shutdown, without any other input. The event of losing power is the terminal point of the encryption key life-cycle.

Removable Device Encryption

Removable Device Encryption


SEAhawk employs Intelligent Device Access Management on access to removable storage devices like USB flash drives, iPod®s and CD/DVD. Based on SEAhawk policy settings, a user’s ability to use these devices can be restricted to Read-Only or Blocked access.

Intelligent Device Access Management distinguishes between secure media and non-secure media. As a result, a user’s SEAhawk policy can be set to permit full read/write access to secure media, while only allowing read access to non-secure media – or, blocking it completely.

Proudly Canadian