Windows To Go Live Drives

Save money and improve security

SPYRUS Windows To Go live drives turn personal computers, including many Macs (service provided by SPYRUS), into compliant enterprise Windows desktops-with or without connectivity. SPYRUS Windows To Go drives boot the OS and completely bypass the host computer’s hard drive. There is no impact on the host computer and no footprint left behind when the drive is shut down.

Download the white paper >

Windows To Go offers workers new ways to stay fully productive and connected. For starters, it makes it easier to support BYOD policies for both employees as well as for Contractors and Teleworkers. Windows To Go is even used in Computer Replacement decisions as a way to extend life and performance of computers without the full cost of replacement.

In addition, the unparalleled hardware based security features specifically found in the flagship SPYRUS Windows To Go live drives allow many government and enterprise organizations to provide new solutions for Secure Remote Access, Secure Internet Browsing, and Secure Cloud Computing Access and Storage.

Regardless of your application, there is a SPYRUS Windows To Go solution for your needs that can empower your workforce while improving security and saving money in the process.

SPYRUS Windows To Go drives –
security to the edge®.

Certified by Microsoft for Windows 10

To meet the wide range of requirements being faced in today’s mobile computing environment, SPYRUS provides four different models of its Microsoft certified Windows To Go (WTG) drives. Each of these models is built on the same robust hardware platform and is available in a variety of memory sizes ranging from 32GB up to 512 GB; and they all take advantage of SSD memory to provide high performance over a USB 3.0 interface.

A summary of the SPYRUS Certified Windows To Go Products and Features is show below for Worksafe Pro™, WorkSafe™, Secure Portable Workplace™ and Portable WorkPlace™:

 XTS-AES 256
Hardware Encryption
Layered Data
Built in PKI
Smart Card
Data Vault
Read Only
SEMS Device
Management Option
Bit Locker full disk and/or Data Vault
WorkSafe Pro
Secure Portable Workplace
Portable WorkplaceUpgrade

XTS-AES 256 Hardware Encryption

Worksafe Pro   WorkSafe    Secure Portable Workplace    Portable WorkPlace 

SPYRUS Worksafe Pro and Secure Portable Workplace drives provide some of the strongest military-grade hardware encryption commercially available for full disk encryption to protect data at rest.

Sector-based full disk encryption is based on XTS-AES 256 encryption (NIST SP800-38E). The on-board hardware security infrastructure includes AES CBC, ECDH, ECDSA, ECC P-384, and SHA-384, which together make up the US Government’s Suite B cryptography, part of its cryptographic modernization program. All data encryption is performed in the tamper-resistant, epoxy-coated cryptographic hardware. The access password is never stored on the device, in software, or on a host computer, even in encrypted or hashed form. This safeguards the keys, passwords, and encrypted data from physical attack at all times, whether or not the WorkSafe Pro or Secure Portable Workplace is connected to a host computer.

Layered Data Security

Worksafe Pro   WorkSafe    Secure Portable Workplace    Portable Workplace 

All SPYRUS Windows To Go drives can be configured with BitLocker software encryption to protect some or all drive partitions and enabling a second layer of Defense-In-Depth encryption. BitLocker passwords are protected in the tamper proof FIPS 140-2 Level 3 encrypted hardware memory partition.

SPYRUS encrypted Windows To Go drives defend the integrity of the operating environment even when booting on compromised systems. SPYRUS patented technology enforces on-the-fly hardware pre-boot integrity validation to enable “Secure Boot” while maintaining some of the fastest boot speeds in the industry. WorkSafe Pro and Secure Portable Workplace perform extensive boot-sequence validations:

  • Power-on self-tests validate HW integrity and operations, FW integrity, and cryptographic operations. Any evidence of tampering shuts down boot sequence.
  • UEFI computers may validate the SPYRUS Toughboot™ loader to provide seamless secure preboot authentication.The SPYRUS Toughboot loader is signed by Microsoft and meets all Secure Boot criteria for driver and OS loader digital signatures. Toughboot requires a password and authenticates users in HW over secure channel before beginning load sequence.
  • Toughboot then decrypts the Windows To Go partition and performs a cryptographic integrity check on the Windows boot loader.
  • After passing all tests, the operating system boots. Windows then authenticates user accounts and users can log in to their Windows accounts.

Built In PKI Smart Card

Worksafe Pro   WorkSafe  Secure Portable Workplace     Portable Workplace 

WorkSafe and WorkSafe Pro are the only Microsoft-certified Windows To Go drives that deliver the identity and rooted authentication capabilities of a full smart card. With WorkSafe, the FIPS 140-2 Level 3/EAL 5+ validated Rosetta Micro hardware security module embedded in all SPYRUS Windows To Go drives can be used as a traditional smartcard token for two factor authentication and other smartcard based PKI security services in you enterprise environment.

When not booted, WorkSafe serves as a readerless USB 3.0 smart card (CCID) that enables you to use your RSA and/or elliptic curve ECDSA digital certificates with any compatible computer.

WorkSafe supports PKCS #11 and Microsoft Minidriver crypto standards. The SPYRUS Minidriver Token Utility for managing the WorkSafe smart card, certificates, and passwords is automatically downloaded from Windows Update when the drive is first booted.

Keys are always generated in hardware on the embedded FIPS 140-2 Level 3 validated Rosetta Micro hardware security controller. To ensure the highest level of security, keys are never exported.

Administrators can reset, restore, revoke, and manage user certificates on the embedded Rosetta smart card with standard smart card management systems such as Microsoft Forefront Identity Manager and with the included SPYRUS Minidriver Token Utility.

When WorkSafe is booted, your digital ID is automatically available for PKI digital certificate functions such as:

  • Smart card logon
  • File signature or encryption
  • Signed/encrypted email
  • VPN authentication
  • Web authentication

Data Vault Read/Write

Worksafe Pro   WorkSafe    Secure Portable Workplace    Portable Workplace 

Data Vault read/write partition can store changed user files even when Reset Write Protection Read-Only mode is enabled. You can also configure separate BitLocker encryption for the Data Vault and use separate passwords for each instance of BitLocker or the same BitLocker password for both the drive and the Data Vault. All SPYRUS Windows To Go drives can be configured with a Data Vault partition during provisioning.

Read Only Option

Worksafe Pro   WorkSafe (upgrade)   Secure Portable Workplace    Portable Workplace (upgrade)

The Read Only option prevents retention of malware and other unauthorized downloads by resetting all changes to data, OS, and application files (except files in a Data Vault) when the user shuts down the drive. In Read Only mode, your operating system, applications, and data files are completely protected against alteration or infection from outside sources. Use a Read Only Windows To Go drive at an airport kiosk, over WiFi at the coffee shop, or on an untrusted home computer without worry.

SPYRUS Enterprise Management System – Device Management

Worksafe Pro   WorkSafe    Secure Portable Workplace    Portable Workplace 

All SPYRUS Windows To Go drives can be managed by an enterprise with the SPYRUS Enterprise Management System (SEMS) for mobile device management (MDM). SEMS features include remote device disable and destroy functions, remote password reset, policy enforcement, transaction auditing, and more.

SEMS provides secure lifecycle management on enterprise domains for USB devices. SEMS-managed drives must have the SEMS client software (separate order, requires licensed server software) installed and be joined to a SEMS domain.

Remotely disabled drives can later be cost-effectively reprovisioned and redeployed.

Bit Locker

Worksafe Pro   WorkSafe    Secure Portable Workplace    Portable Workplace 

All SPYRUS Windows To Go drives can be configured with BitLocker software encryption to protect some or all drive partitions and enabling a second layer of Defense-In-Depth on SPYRUS hardware encrypting drives. BitLocker passwords are protected in the SPYRUS tamper proof FIPS140-2 Level 3 encrypted hardware memory partition.

Click on the links below to download a PDF of the product overview and technical specifications. All products are available in memory sizes ranging from 32GB up to 512 GB; and they all take advantage of SSD memory to provide high performance over a USB 3.0 interface

WorkSafe and WorkSafe Pro    View/Download

Linux2Go    View/Download

Portable Workplace and Secure Portable Workplace   View/Download

Secure Windows To Go & Secure Storage in the Microsoft Ecosystem   View/Download

Surface Pro 3 Demo

The new SPYRUS Windows To Go Replicator is here!

View our instructions and video tutorials here.

SPYRUS in the Microsoft ecosystem

Looking for a Linux2Go drive?

Get in touch with our sales team for more information.

Get in touch

Speak to an Expert

If you would like to speak with a SPYRUS expert regarding our products and services, please click on the button below to get all of our contact information. We look forward to assisting you and answering all of your questions.

Get in Touch >