Trusted computers

Trusted Computers are computers on which the device may be unlocked without requiring internet access. Computers are trusted after a device user makes a trust request and an administrator subsequently accepts it.

The device user first requests that their computer be trusted by inserting the device and selecting "allow this device to be unlocked without internet access". This adds a trust request for the device administrator to accept or reject. If the computer isn't connected to the internet, the process will still work correctly, though the user will be asked to insert the device into an internet-connected PC for the request to take effect. For more detail, see Step-by-step: How to trust a computer.

Computers are trusted against a particular user and a particular device. So if user Joe set his workstation up as a trusted computer for his USB device, a potentially malicious user Bob, with his own account on Joe's computer, would still not be able to unlock the same device without internet access. Likewise, neither Joe nor Bob would be able to unlock any other Consealed device without internet access. (Naturally, user Bob could make a request to be trusted alongside Joe, and then both users could unlock the device.)

Even when a device is being unlocked on a trusted computer by a trusted user, Conseal will always first attempt to unlock the device normally, i.e. by attempting to connect to the central server.

The device's Detailed History page will show unlock attempts made on trusted computers with no internet access. These will appear as soon as an unlock attempt (either successful or not) is made on the device by a computer which is connected to the internet.

The Trusted Computers page is where device administrators accept or reject pending trust requests. They can also revoke the trusted status of a computer.

Any changes to the list of trusted computers (acceptances, rejections and revocations) take effect the next time an unlock attempt is made on the device by a computer connected to the internet.

Note that this means the trusted status of a computer can be revoked even after the computer has been stolen, and even if a malicious user does not subsequently allow the computer a connection to the internet.
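
The trust lifecycle described above, as an added model that is not Conseal's code: it assumes the device carries its own copy of the trust list, queued trust requests and offline unlock attempts, and exchanges them with the server on each online unlock. All class and field names are hypothetical, and password checking is omitted.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    """Administrator-side state (constructed model, not Conseal's data format)."""
    pending: set = field(default_factory=set)    # trust requests awaiting a decision
    trusted: set = field(default_factory=set)    # accepted (user, computer, device)
    history: list = field(default_factory=list)  # Detailed History entries

    def accept(self, entry):
        self.pending.discard(entry)
        self.trusted.add(entry)

    def reject(self, entry):
        self.pending.discard(entry)

    def revoke(self, entry):
        self.trusted.discard(entry)

@dataclass
class Device:
    name: str
    trusted: set = field(default_factory=set)    # copy from the last online unlock
    queued: set = field(default_factory=set)     # requests not yet sent to the server
    offline_log: list = field(default_factory=list)

    def request_trust(self, user, computer):
        self.queued.add((user, computer, self.name))

    def unlock(self, user, computer, server=None):
        """Unlock attempt; server=None means the computer has no internet access.
        Assumes the correct password and, online, that the server permits it."""
        entry = (user, computer, self.name)
        if server is None:
            ok = entry in self.trusted           # trust is per user, computer, device
            self.offline_log.append((entry, "offline", ok))
            return ok
        # Online: the normal server unlock, which also syncs state both ways.
        server.pending |= self.queued - server.trusted
        server.history += self.offline_log       # offline attempts become visible
        self.queued, self.offline_log = set(), []
        self.trusted = {e for e in server.trusted if e[2] == self.name}
        server.history.append((entry, "online", True))
        return True
```

In this model a revocation reaches the device through any internet-connected computer, so the revoked computer itself never has to go online.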

How It Works

Conseal's unique Dual Locks system means that a device's encryption key is usually split between the server and the password. The device can therefore only be unlocked with the correct password, and only if the server permits it.

Trusted computers are able to unlock the device without the server's part of the encryption key because they are certified by a device administrator. The certification process installs a file on the computer which allows it to do this. Note that this file poses no security threat as it does not contain any part of the device's encryption key (even in encrypted form) and cannot be used to certify other computers. No executable files need be installed or run.
