To solve these key file deployment challenges and overcome the sheer complexity of possible use cases, WinMagic has developed a two-stage key file deployment model based on nearly 20 years of experience with enterprise key management involving a variety of authentication methods. This model greatly simplifies key file deployment to make it easy for enterprises with a wide range of security needs. Let’s take a quick look at these stages and what happens during each one.

[Figure: WinMagic's Two-Stage Model for Key File Deployment]

Stage 1 – Provisioning

Stage 1 is known as the Provisioning Stage. In this stage, the user’s device contains a temporary provisioning key file. This file is not specific to the user; it is present simply to enable the device to provide basic operations so that the actual user can be identified. The device at this point is usually set up for autoboot or configured with a known static password to facilitate the user’s initial login. Autoboot is defined as unattended, automatic pre-boot authentication for the device.

The transition point between the end of Stage 1 and the beginning of Stage 2 is known as the Secure Moment. In the Secure Moment, the device “owner” is identified and authenticated, the user’s key file for the device is prepared, the key file is transferred to the device and stored, and finally the provisioning key file is removed.

Stage 2 – Deployed/Secured

Stage 2 is called the Deployed/Secured Stage. At this point, the user’s key file is present and secured on the device, so the user can proceed with normal use of the device, authenticating as needed, for example to unlock the full disk encryption (FDE) software at boot before the device can be used.

In some cases, organizations do not need a Provisioning Stage, for example because the owner of the device is already known and the device will reach the Secure Moment immediately. Under this arrangement, the user enters his or her username and chosen password for key file access, and the key file deployment solution generates a matching key file, delivers it to the device, and securely stores it there. At this point, the Secure Moment has been achieved and the Deployed/Secured Stage starts; a temporary provisioning file is never deployed to the device. Some organizations require the additional degree of security that omitting the Provisioning Stage provides: with no Provisioning Stage, devices are never placed in autoboot mode, and autoboot temporarily reduces a device's security because pre-boot authentication is unattended.
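The lifecycle described above, modelled as a small Python state machine, is an added illustration and not WinMagic's code: the device holds only a key file, the data-encryption key (DEK) is wrapped under a key derived from whichever password the key file belongs to, and the Secure Moment re-wraps the DEK for the authenticated owner, disables autoboot, and discards the provisioning key file. The `Stage`, `KeyFile`, `Device`, `provision`, `secure_moment`, `deploy_direct`, `boot_unlock` and `is_secured` names, the static provisioning password, the identity directory and the PBKDF2/HMAC keystream wrap primitive are all assumptions standing in for the unspecified real mechanisms.

```python
"""Toy two-stage key file deployment model (constructed illustration, not WinMagic's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Stage(Enum):
    PROVISIONING = "provisioning"       # temporary provisioning key file on device
    DEPLOYED = "deployed_secured"       # owner's key file on device

PROVISIONING_OWNER = "provisioning"
PROVISIONING_PASSWORD = "static-provisioning-pw"   # assumed known static password

@dataclass
class KeyFile:
    owner: str          # PROVISIONING_OWNER or the username
    salt: bytes
    wrapped_dek: bytes  # DEK XOR keystream(password-derived key)
    verifier: bytes     # HMAC tag; wrong password fails this check, not a decryption

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

def _keystream(key: bytes, n: int) -> bytes:
    # HMAC counter keystream: a stand-in for the real (unspecified) wrapping cipher
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def make_key_file(owner: str, password: str, dek: bytes) -> KeyFile:
    salt = os.urandom(16)
    k = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, _keystream(k, len(dek))))
    return KeyFile(owner, salt, wrapped, hmac.new(k, wrapped, hashlib.sha256).digest())

def open_key_file(kf: KeyFile, password: str) -> Optional[bytes]:
    """Return the DEK, or None when the password does not match the key file."""
    k = _derive(password, kf.salt)
    tag = hmac.new(k, kf.wrapped_dek, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, kf.verifier):
        return None
    return bytes(a ^ b for a, b in zip(kf.wrapped_dek, _keystream(k, len(kf.wrapped_dek))))

@dataclass
class Device:
    stage: Stage
    autoboot: bool      # unattended pre-boot authentication
    key_file: KeyFile   # the only key material kept on the device

# Constructed identity directory standing in for the enterprise directory.
DIRECTORY = {"alice": hashlib.sha256(b"alice:Correct-Horse").digest()}

def authenticate(username: str, password: str) -> bool:
    tag = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return hmac.compare_digest(DIRECTORY.get(username, b"\x00" * 32), tag)

def provision(dek: bytes) -> Device:
    """Stage 1: generic provisioning key file, device set up for autoboot."""
    kf = make_key_file(PROVISIONING_OWNER, PROVISIONING_PASSWORD, dek)
    return Device(Stage.PROVISIONING, autoboot=True, key_file=kf)

def secure_moment(dev: Device, username: str, password: str) -> Device:
    """Identify the owner, prepare and store their key file, drop the provisioning file."""
    if dev.stage is not Stage.PROVISIONING:
        raise ValueError("Secure Moment only follows the Provisioning Stage")
    if not authenticate(username, password):
        raise PermissionError("owner not authenticated; device stays in Provisioning")
    dek = open_key_file(dev.key_file, PROVISIONING_PASSWORD)
    if dek is None:
        raise RuntimeError("provisioning key file unusable")
    owner_kf = make_key_file(username, password, dek)   # replaces the provisioning file
    return Device(Stage.DEPLOYED, autoboot=False, key_file=owner_kf)

def deploy_direct(dek: bytes, username: str, password: str) -> Device:
    """No Provisioning Stage: owner already known, Secure Moment reached at once."""
    if not authenticate(username, password):
        raise PermissionError("owner not authenticated")
    return Device(Stage.DEPLOYED, autoboot=False,
                  key_file=make_key_file(username, password, dek))

def boot_unlock(dev: Device, password: Optional[str] = None) -> Optional[bytes]:
    """Pre-boot authentication: autoboot supplies the static password unattended."""
    if dev.stage is Stage.PROVISIONING and dev.autoboot:
        password = PROVISIONING_PASSWORD
    return None if password is None else open_key_file(dev.key_file, password)

def is_secured(dev: Device) -> bool:
    """Invariant a deployed device must satisfy: owner key file only, no autoboot."""
    return (dev.stage is Stage.DEPLOYED and not dev.autoboot
            and dev.key_file.owner != PROVISIONING_OWNER)
```

Running the two paths side by side shows the security-relevant difference: a provisioned device unlocks unattended through `boot_unlock(dev)` until the Secure Moment, after which the static provisioning password no longer opens anything and only the owner's password recovers the DEK; a device created with `deploy_direct` is never in that unattended state at all.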