Roxio Secure Burning Solution

Removing the Risk from Portable Media

Roxio Secure Burning FAQ

Overview

Q:
What is Roxio Secure?
A:
Roxio Secure is a family of software products that encrypts files written to CD, DVD, Blu-ray Disc or USB Flash media per organizational policies.
Q:
What products are included in the line?
A:

There are 3 products:

  • Roxio Secure Burn
  • Roxio Secure Burn Plus
  • Roxio Secure Managed
Q:
Do all Roxio Secure products include Roxio Burn?
A:
Yes.

Roxio Burn

Q:
What is Roxio Burn?
A:
Roxio Burn is an application that makes it extremely easy to burn data to discs and to copy discs. The user interface consists of a simple icon that appears on the desktop when a disc is inserted in the disc drive of the PC.

When a disc is inserted in the drive, the Roxio Secure Burn icon automatically appears on the desktop.

If the disc is blank and files or folders are dragged onto it, it will expand. Click on the burn button (the flame) on the lower left to burn the files to disc.

If the disc is not blank, the disc can be copied. To copy the disc, click the blue disc icon on the lower left

Roxio Burn can also span files and folders across multiple discs if they are too big to fit on one disc, and can burn and copy disc image files. There is more you can do with Roxio Secure Burn, but these are some of the key features. It is designed to make data disc burning and copying very light and streamlined, with just the essential features you need for your daily burning tasks. For a more complete description of the functionality of Roxio Burn, see the Help file in that application.

Encryption

Q:
What kind of encryption is used in Roxio Secure?/dd>
A:

Roxio secure burning uses an encryption module called Microsoft RSAENH Cryptographic Provider, a certified FIPS 140-2 module that ships as part of Windows OS. This uses an AES 128 bit encryption key.

Roxio secure burning products do not install the encryption module. They access the encryption module which is built into Windows.

Q:
What is FIPS 140-2? Do Roxio's secure burning products comply with the requirements for FIPS 140-2?
A:

FIPS 140-2 is a US government security standard used to accredit cryptographic modules. Roxio�s secure burning product line complies with the requirements of FIPS 140-2 level 1 under Windows, because it uses the certified RSAENH Cryptographic Provider.

The NIST certification for this encryption module under Vista, XP and Windows 7 is available at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm (#989, #1002, #1330)

The NIST certification for this module states: "Products which use the above identified cryptographic module may be labeled as complying with the requirements of FIPS 140-2 so long as the product, throughout its life cycle, continues to use the validated version of the cryptographic module as specified in this certificate."

Q:
What if a password is lost or misplaced? Can Roxio somehow retrieve the data?
A:

No, this would defeat the purpose. The files are truly encrypted and there is no back door. So it is important not to lose the password.

However, Roxio Secure Managed, which is explained later in this document, gives system administrators the right to access data on any discs that are burned regardless of the password.

Q:
What encryption is used for USB Flash devices? Is it FIPS 140-2 certified?
A:
LDDFlash uses a non certified proprietary strong encryption module using AES and SHA (HMAC) algorithms with 256-bit key.
Q:
Can media written with Roxio Secure be read on Macintosh or Linux PCs?
A:
No, because these operating systems do not include the Microsoft RSAENH Cryptographic Provider.

Roxio Secure Burn

Q:
What is Roxio Secure Burn?
A:

Roxio Secure Burn provides the option of encrypting the files when they are burned to the disc. When you click on the burn button in Roxio Burn, a dialog opens and prompts you to enter a password. In addition to the user selected files, special 'reader' files will be burned to the disc. These 'reader' files will allow you to read the files from the disc by entering the password.

When you insert the burned disc in a drive to read it, the reader application should launch automatically as an AutoPlay option, and prompt you to enter your password. If it doesn't, you can use explorer to open the disc and launch it from the disc itself. The reader applet is in the Roxio Burn folder on the disc and is called RoxioBurnReader.exe.

Q:
Is encryption forced? Are all discs burned with Roxio Secure Burn encrypted?
A:
Encryption is optional in the base configuration of Roxio Secure Burn. If a customer requires forced encryption, a configuration can be created that supports this.
Q:
Is there a way to prevent users from using other software or even the Windows OS to write data discs, so that use of encryption cannot be circumvented?
A:
Roxio software is not designed to disable alternative burning options, as this can cause unwanted side effects in the operating system. Employees need to be educated in best data security practices, such as using Roxio Secure to encrypt discs.

Roxio Secure Burn Plus

Q:
What is Roxio Secure Burn Plus?
A:
Roxio Secure Burn Plus is a version of Roxio Burn that allows PCs within designated groups or departments to read encrypted discs without a password. Access to the encrypted data on PCs outside of designated groups is restricted. This makes it very convenient to share data on departmental PCs while preventing unauthorized access outside of the organization.
Q:
How does it work?
A:

When Roxio Secure Burn Plus is installed on a PC, it configures the PC as follows:

  • It grants a 'Group Key', i.e. group membership to the PC. For example, all the PCs in the finance department that include Secure Plus can be granted membership to a group called 'Finance'. All discs written with Secure Plus on a Finance PC will belong to this group.
  • It grants 'Read Permission' to the PC. 'Read Permission' means that this PC can read encrypted discs burned on PCs within permitted groups without a password.
Q:
What if I want to be able to read the discs outside of permitted groups? What if I want to be able to take the disc home to work on it?
A:
An optional password can be added to the disc so it can be read outside of permitted groups. If someone steals the disc when I am underway, they will not be able to access the data without the password. If I choose not to add a password, then the discs can’t be read outside of permitted groups at all.
Q:
Can I create non-encrypted discs with Roxio Secure Burn Plus?
A:
No.
Q:
What if a system administrator doesn't want to allow discs to be read outside of permitted groups at all?
A:
The password is optional in the base configuration of Roxio Secure Burn Plus. If a customer requires the password option to be removed, a configuration can be created that supports this.
Q:
Can you provide an example?
A:

Imagine a company with 5 departments, and 5 groups of PCs. These PCs could be set up as follows:

Exec PCs

Can read discs burned on:

  • Exec
  • Sales
  • Engineering
  • Finance
  • Contractor
  • Any Windows PC, such as a home PC (requires password)

Sales PCs

Can read discs burned on:

  • Sales
  • Finance
  • Admin
  • Any Windows PC, such as a home PC (requires password)

Engineering PCs

Can read discs burned on:

  • Engineering
  • Contractor
  • Admin

Finance PCs

Can read discs burned on:

  • Finance
  • Sales
  • Admin

Contractor PCs

Can read discs burned on:

  • Contractor
Q:
How many groups can be included in Read Permission?
A:
Roxio Secure Burn Plus allows a PC to read discs burned on up to 5 departmental groups of PCs.
Q:
How do I read an encrypted disc if my PC has Read Permission?
A:

When Roxio Secure Burn Plus is installed, it also installs the Roxio Secure Disc Viewer plugin. To read the files on the disc, click on the Viewer in My Computer.

Note: Although it is possible to explore the disc using Windows Explorer, the files will not be readable because they are encrypted.

Q:
Is it difficult to set up?
A:

It is easy to set up. There are 2 ways to do it:

  1. It can be done at installation via a command line. There are command lines to define group membership (Group Key), and Read Permission. These command lines are described in the System Administrator�s Deployment Guide.
  2. If Roxio Secure Burn Plus is already installed, Group Key and Permission can be changed using a small application called the Roxio Permissions Manager. This application can run from a memory stick without needing installation, so it is easy for a system administrator to run it on several PCs.

Roxio Permissions Manager

Q:
How do I set up Group Keys and Read Permission on multiple PCs on my organization?
A:

There are 2 easy ways to do it:

  1. Install Roxio Secure Burn Plus via network deployment using a command line. Decide what Groups you want. Then, select your first Group of PCs and Read Permission settings and deploy. Repeat the process with the other Groups.
  2. You can also use Roxio Permissions Manager to set a Group Membership and Read Permission on one PC. Export the settings, and then copy the exported file (.pmf file) to a second PC in the same group. Use Roxio Permissions Manager to import this file (Import Settings), and apply the changes. Repeat this process on all the PCs that you want to have the same settings.
Q:
Do all PCs that are within the same group have the same Read Permission?
A:
Not necessarily.
Q:
Are end users able to use Roxio Permissions Manager to make changes?
A:

Roxio Permissions Manager is installed separately from the Roxio Burn application, and is installed in a directory in Program Files that requires administrator privileges: "C:\Program Files\Roxio\Roxio Burn Administration\Permissions Manager.exe". The system administrator can optionally uninstall the applet after the Group Key and Read Permissions are set.

Alternatively, the system administrator can run Permissions Manager from a USB stick or disc. Copy the entire Roxio Burn Administration directory to a USB stick or disc, and you will be able to run the Permissions Manager executable. Using this method, you will not need to install Permissions Manager on every PC in the group, just the first one.

Roxio Secure Managed

Q:
What is Roxio Secure Managed?
A:

Roxio Secure Managed is a subscription service that gives system administrators real time control over read and write permissions on a per user basis via a web control panel.

For example, a contractor could be allowed to write and read discs during their tenure at a company, but when he or she is no longer with the company, the discs can be made unreadable by the contractor. The disc can still be read by authorized users within the company

Q:
How does it work?
A:
Roxio Burn communicates with an authorization server. When a user tries to read or write a disc, Roxio Burn sends an authorization request to the server. The server returns a command to Roxio Burn that authorizes the user to continue (or not).
Q:
Is it complicated for users?
A:

It is not complicated to use. If the user is in the corporate domain, there are no special dialogs or workflow. To burn data, just drag it to the Roxio Burn icon. To access data, use the Roxio Burn Reader in My Computer.

If the user is not in the domain, they can still access the data. Roxio Burn will present a dialog where users can enter their user name and password.

Clicking 'OK' causes Roxio Burn to send a request to the authorization server. The server returns a command to Roxio Burn that authorizes the user to continue (or not).

Authorized users can then proceed to read and write discs with Roxio Burn as usual. Unauthorized users will be presented with a dialog that informs them that they are not authorized.

This user name and password credentials can be set by the system administrator on the web console per Optical Disc User Group.

Q:
What if the user is offline. For example, what if the user is traveling on a plane and wants to read a disc?
A:
A local keystore is periodically sent to the user's PC by the server. This keystore allows the user to read discs for a limited period of time as set by the system administrator. After the time period expires, the user will need to go online again before discs burned with Roxio Secure Managed can be read.
Q:
How does the system administrator set authorizations?
A:

System administrators log into a web console. On the web console, user authorizations are set for individual users and can also be set for groups.

Setting authorizations in the web console

Q:
How many system administrators can be allowed to use the service?
A:
There is no limit to the number of admins. However, one administrator must be designated as the lead, and only this administrator has permission to create new admin accounts.
Q:
What kinds of authorizations can be set?
A:

Group authorizations: Users can be authorized to access only discs created by themselves, discs created by any member of a defined group of users, discs created by users in other groups, or any disc created by Roxio Burn.

Offline authorization: If the user is offline, authorization to access discs can be cancelled until they log in again, or they can be allowed to access discs for a limited time, e.g. 1 week. This is useful in case the user is traveling and does not have internet access.

Incorrect login: If a user logs in incorrectly several times, authorization can be revoked until the system administrator resets it.

Q:
How do I read an encrypted disc?
A:

When Roxio Secure Managed is installed, it also installs the Roxio Burn Disc Viewer plugin. To read the files on the disc, click on the Viewer in My Computer. If you are an authorized user, you will be able to read the files on the disc.

Note: Although it is possible to explore the disc using Windows Explorer, the files will not be readable because they are encrypted.

If an authorized user is on a system that does not have Roxio Secure Managed installed, the disc can be read by using the Roxio Burn Reader which is on the disc. The reader will autoplay, just like in Roxio Secure Burn Plus (as mentioned previously in this FAQ).

Q:
Does Roxio Secure Managed also allow the system administrator to monitor disc activity?
A:

Yes, the following information is logged:

  • User who accessed the data
  • Files added along with time. Files appended along with time. Discs accessed along with user and time
  • If a disc is erased, the time of erasure is tracked
Q:
Is there a log of what system administrators do?
A:

Yes, every action that system admins make is logged, and this log cannot be edited or modified by the admin. This is called the audit log. Logged activities include:

  • Group added (with time and admin)
  • Group deleted (with time and admin)
  • Disc set deleted (with time and admin)
  • Admin added (with time and admin)
  • Admin deleted (with time and admin)
  • Group password reset (with time and admin)
Q:
Does Roxio Secure Managed also support USB flash memory devices?
A:
Yes. Roxio Secure Managed includes LDDFlash from Beachhead Software Solutions. Flash devices can be not only encrypted and authorized, but the data can also be destroyed according to rules set up by the system administrator. For example, a rule can be created by the system administrator such that if the device is not logged in for more than 14 days, all the data on the device self-destructs. This is especially useful in case a device is stolen.
Q:
Are flash memory devices administered the same as optical media?
A:
Flash memory devices are administered per device and groups of devices. Optical media is administered per user and groups of users.
Q:
Are USB hard drives also supported?
A:
No. However, if you require support for internal and external hard drives, a solution is available from Roxio's partner, Beachhead Solutions. Ask your account representative for details.
Q:
Is company confidential data sent to a third party server?
A:
The data files that are written to discs or USB flash devices do not get sent to the server. Information about the files, such as filename, user and time get sent to the server and can be logged.
Q:
Does the server control my ability to install or uninstall the software? Do I need to be logged in to install, or uninstall?
A:

Yes, the installer requires authorization from the server. This prevents unauthorized installation of the software, and also prevents employees from removing the software without permission.

In order to install Roxio Secure Managed, you will need an Activation Code. You can get this from your Roxio Enterprise account manager.

Q:
I tried to uninstall the software, but I received an error code. What should I do?
A:
If your PC is online, then the system administrator needs to set this PC to ‘Inactive’ on the web console before the software can be uninstalled.
Q:
I re-imaged my PC, and now I can’t install the software, even though the PC is online. What should I do?
A:
The PC is probably still registered on the web console as 'Active', and the installer is preventing a dual installation to the same PC. The solution is to set the computer to 'Inactive' on the web console, Save the setting, and then set the computer to 'Stolen', save this setting, and then Delete the computer. This will remove the ghost item from the server, so you can start fresh.
Q:
What if I want to host the service within my own organization, and do not want to use an external server to host it?
A:
Ask your Roxio Account Manager about the availability of this option for your organization.
Q:
Does it require Microsoft Active Directory? I have already created groups in Active Directory. What if I want to use Active Directory to control policies?
A:

Active Directory is not required, but if it is present, Roxio Secure Managed can use it to confirm that the user is in the domain.

Active Directory groups cannot be imported into Roxio Secure Managed. In Active Directory, a user can be a member of multiple groups, but in the Roxio product, a user is only a member of one group, so it is not practical to use Active Directory to manage groups.

Although Active Directory groups cannot be imported, it is very easy to set up groups in the Roxio Secure Managed.

Q:
What if my subscription expires and I no longer have access to the authorization server? Can I still read encrypted discs I created when the subscription is active?
A:
When the subscription is cancelled, customers can optionally obtain a keystore that will authorize reading of discs created earlier. Since this keystore will unlock all discs, it is up to the customer to ensure that only authorized personnel can use it.
Q:
Does LDDFlash use the same encryption module as Roxio Burn? Is it FIPS 140-2 certified?
A:
LDDFlash uses a non certified proprietary strong encryption module using AES and SHA (HMAC) algorithms with 256-bit key.