SPYRUS Windows To Go

Transform any PC into a Trusted Enterprise Asset

SPYRUS Windows To Go live drives enable you to turn any personal computers (including Macs) into Trusted enterprise Windows workstations – compliant with your Enterprise policies, no matter how strict.

These pocket SSD drives enable Enterprise IT to provide different ways of working securely whilst maintaining productivity. They SPYRUS offers solutions for cases such as Work from Home, BYOD, Open Seating, and Contractors & Teleworkers.

Features include:

  • Remote Device Management
  • for Enterprise deployment
  • Remote Enable, Disable, Kill and Audit
  • Regulatory Compliance: GDPR, DFARS etc
  • Full Hardware Encryption
  • Safer and Less Expensive than Laptops / Notebooks
  • Full Corporate Image (same image used on notebooks)
  • Strong 2FA Authentication Token

SPYRUS Windows To Go drives bypass the host computer’s hard drive and boot your corporate image from a fully hardware encrypted, Microsoft approved, pocket SSD. There is no impact on the host computer, no footprint left behind and most find our solutions faster than working with the original drive.

More than a flash drive, this pocket SSD is also includes a cryptographic engine which not only protects the contents of your Windows environment, but enables you to: Encrypt, Decrypt, Sign, Authenticate, securely Login and Collaborate. Share Files, Documents, Folders, Vaults and even e-mail across the web, knowing that only your designated recipients can read them. Our cryptographic solutions have been vetted by Fortune 500 Enterprise companies and Government Agencies around the world.

Sound amazing? We want to enable you to try this solution yourself. Contact us and one of our industry professionals can set you up with a two-drive pilot at a special price – so that you can test these features for yourself using your image and on your machines.

To meet the wide range of requirements being faced in today’s mobile computing environment, SPYRUS provides four different models of its Microsoft certified Windows To Go (WTG) drives. Each of these models is built on the same robust hardware platform and is available in a variety of memory sizes ranging from 32GB up to 512 GB; and they all take advantage of SSD memory to provide high performance over a USB 3.0 interface.

A summary of the SPYRUS Certified Windows To Go Products and Features is show below for Worksafe Pro™, WorkSafe™, Secure Portable Workplace™ and Portable WorkPlace™:

 XTS-AES 256
Hardware Encryption
Layered Data
Security
Built in PKI
Smart Card
Data Vault
Read/Write
Read Only
Configuration
SEMS Device
Management Option
Bit Locker full disk and/or Data Vault
WorkSafe Pro
WorkSafeUpgrade
Secure Portable Workplace
Portable WorkplaceUpgrade

XTS-AES 256 Hardware Encryption

Worksafe Pro   WorkSafe    Secure Portable Workplace    Portable WorkPlace 

SPYRUS Worksafe Pro and Secure Portable Workplace drives provide some of the strongest military-grade hardware encryption commercially available for full disk encryption to protect data at rest.

Sector-based full disk encryption is based on XTS-AES 256 encryption (NIST SP800-38E). The on-board hardware security infrastructure includes AES CBC, ECDH, ECDSA, ECC P-384, and SHA-384, which together make up the US Government’s Suite B cryptography, part of its cryptographic modernization program. All data encryption is performed in the tamper-resistant, epoxy-coated cryptographic hardware. The access password is never stored on the device, in software, or on a host computer, even in encrypted or hashed form. This safeguards the keys, passwords, and encrypted data from physical attack at all times, whether or not the WorkSafe Pro or Secure Portable Workplace is connected to a host computer.

Layered Data Security

Worksafe Pro   WorkSafe    Secure Portable Workplace    Portable Workplace 

All SPYRUS Windows To Go drives can be configured with BitLocker software encryption to protect some or all drive partitions and enabling a second layer of Defense-In-Depth encryption. BitLocker passwords are protected in the tamper proof FIPS 140-2 Level 3 encrypted hardware memory partition.

SPYRUS encrypted Windows To Go drives defend the integrity of the operating environment even when booting on compromised systems. SPYRUS patented technology enforces on-the-fly hardware pre-boot integrity validation to enable “Secure Boot” while maintaining some of the fastest boot speeds in the industry. WorkSafe Pro and Secure Portable Workplace perform extensive boot-sequence validations:

  • Power-on self-tests validate HW integrity and operations, FW integrity, and cryptographic operations. Any evidence of tampering shuts down boot sequence.
  • UEFI computers may validate the SPYRUS Toughboot™ loader to provide seamless secure preboot authentication.The SPYRUS Toughboot loader is signed by Microsoft and meets all Secure Boot criteria for driver and OS loader digital signatures. Toughboot requires a password and authenticates users in HW over secure channel before beginning load sequence.
  • Toughboot then decrypts the Windows To Go partition and performs a cryptographic integrity check on the Windows boot loader.
  • After passing all tests, the operating system boots. Windows then authenticates user accounts and users can log in to their Windows accounts.

Built In PKI Smart Card

Worksafe Pro   WorkSafe  Secure Portable Workplace     Portable Workplace 

WorkSafe and WorkSafe Pro are the only Microsoft-certified Windows To Go drives that deliver the identity and rooted authentication capabilities of a full smart card. With WorkSafe, the FIPS 140-2 Level 3/EAL 5+ validated Rosetta Micro hardware security module embedded in all SPYRUS Windows To Go drives can be used as a traditional smartcard token for two factor authentication and other smartcard based PKI security services in you enterprise environment.

When not booted, WorkSafe serves as a readerless USB 3.0 smart card (CCID) that enables you to use your RSA and/or elliptic curve ECDSA digital certificates with any compatible computer.

WorkSafe supports PKCS #11 and Microsoft Minidriver crypto standards. The SPYRUS Minidriver Token Utility for managing the WorkSafe smart card, certificates, and passwords is automatically downloaded from Windows Update when the drive is first booted.

Keys are always generated in hardware on the embedded FIPS 140-2 Level 3 validated Rosetta Micro hardware security controller. To ensure the highest level of security, keys are never exported.

Administrators can reset, restore, revoke, and manage user certificates on the embedded Rosetta smart card with standard smart card management systems such as Microsoft Forefront Identity Manager and with the included SPYRUS Minidriver Token Utility.

When WorkSafe is booted, your digital ID is automatically available for PKI digital certificate functions such as:

  • Smart card logon
  • File signature or encryption
  • Signed/encrypted email
  • VPN authentication
  • Web authentication

Data Vault Read/Write

Worksafe Pro   WorkSafe    Secure Portable Workplace    Portable Workplace 

Data Vault read/write partition can store changed user files even when Reset Write Protection Read-Only mode is enabled. You can also configure separate BitLocker encryption for the Data Vault and use separate passwords for each instance of BitLocker or the same BitLocker password for both the drive and the Data Vault. All SPYRUS Windows To Go drives can be configured with a Data Vault partition during provisioning.

Read Only Option

Worksafe Pro   WorkSafe (upgrade)   Secure Portable Workplace    Portable Workplace (upgrade)

The Read Only option prevents retention of malware and other unauthorized downloads by resetting all changes to data, OS, and application files (except files in a Data Vault) when the user shuts down the drive. In Read Only mode, your operating system, applications, and data files are completely protected against alteration or infection from outside sources. Use a Read Only Windows To Go drive at an airport kiosk, over WiFi at the coffee shop, or on an untrusted home computer without worry.

SPYRUS Enterprise Management System – Device Management

Worksafe Pro   WorkSafe    Secure Portable Workplace    Portable Workplace 

All SPYRUS Windows To Go drives can be managed by an enterprise with the SPYRUS Enterprise Management System (SEMS) for mobile device management (MDM). SEMS features include remote device disable and destroy functions, remote password reset, policy enforcement, transaction auditing, and more.

SEMS provides secure lifecycle management on enterprise domains for USB devices. SEMS-managed drives must have the SEMS client software (separate order, requires licensed server software) installed and be joined to a SEMS domain.

Remotely disabled drives can later be cost-effectively reprovisioned and redeployed.

Bit Locker

Worksafe Pro   WorkSafe    Secure Portable Workplace    Portable Workplace 

All SPYRUS Windows To Go drives can be configured with BitLocker software encryption to protect some or all drive partitions and enabling a second layer of Defense-In-Depth on SPYRUS hardware encrypting drives. BitLocker passwords are protected in the SPYRUS tamper proof FIPS140-2 Level 3 encrypted hardware memory partition.

Click on the links below to download a PDF of the product overview and technical specifications. All products are available in memory sizes ranging from 32GB up to 512 GB; and they all take advantage of SSD memory to provide high performance over a USB 3.0 interface

WorkSafe and WorkSafe Pro    View/Download

Linux2Go    View/Download

Portable Workplace and Secure Portable Workplace   View/Download

Secure Windows To Go & Secure Storage in the Microsoft Ecosystem   View/Download

Browse through our related videos below, or for instructions and video tutorials click here.

Surface Pro 3 Demo

The new SPYRUS Windows To Go Replicator is here!

WTG Creator Video

Click below to get the SYPRUS Security Paper.

SPYRUS Windows To Go drives

SPYRUS in the Microsoft ecosystem

Certified by Microsoft for Windows 10