Support Home  Contact Us 
Using the IronKey in Virtual Machines (White Paper)
Reference Number: AA-03200 Views: 15773 Created: 05-15-2019 01:44 PM Last Updated: 05-15-2019 01:44 PM 0 Rating/ Voters


INTRODUCTION

IronKey devices are implemented by many companies that use Virtual Machines (VMs) for remote administration or everyday usage. To provide support for virtualization, IronKey has developed this white paper to explain the usage and limitations of IronKey devices within such environments. The topic does not include running a VM on an IronKey device, but rather, using an IronKey device within a VM. VMs host many operating systems (OSes) with full functionality, but it’s important to consider certain limitations.

IronKey devices can behave the same in a VM as they do in a native OS. However, in some instances, additional configuration is required for the IronKey device to be used within a VM.

================================

WHAT IS A VIRTUAL MACHINE?

A VM is a software implementation of an operating system that executes programs like a native operating system. The software provides “platform virtualization” -- a complete system platform, which supports the execution of multiple operating systems on a single computer. See the “References” section for a list of platform virtualization vendors.

================================

USING AN IRONKEY DEVICE WITHIN A VIRTUAL MACHINE

IronKey devices function within a VM as they do in a native operating system. The following functions and features have been tested:

  • Initialization
  • Online Activation¹
  • Secure Backup and Restore
  • Mozilla Firefox¹
  • Identity Manager¹
  • Secure Sessions¹
  • Device Updates¹

¹Available on Personal and Enterprise devices only

NOTE: Tested IronKey devices are versions 1.3.5 and later. If any issues exist with older devices, we recommend that you update the device to the latest version for full support (Personal and Enterprise only).

================================

TESTED VIRTUAL MACHINES

The following VM environments were tested on various host machines. Compatibility is not limited to the following list, but other VM vendors might require additional configuration to properly use an IronKey device:

  • VMware Server 2.0.1 (Windows)
  • VMware Player 2.5.2 (Windows)
  • VMware Fusion 2.0.5 (Mac OS X)
  • Parallels Desktop 4.0 (Mac) -- IronKey S100 models only
  • Parallels Desktop 5.0 (Mac)

Note: S200 and D200 IronKey devices require Parallels Desktop 5.0.

--------------------------------------------

Compatible VM-Operating Systems Combinations:

Windows Vista SP1 32-bit


> > Admin: IronKey device functions properly

> > Non-Admin: IronKey device functions properly

Windows XP SP3 32-bit


> > Admin: IronKey device functions properly

> > Non-Admin: IronKey device does not function

================================

HOW TO USE AN IRONKEY DEVICE WITHIN A VIRTUAL MACHINE

Several errors can occur when using IronKey devices within a VM environment. Although these errors are rare, it’s a good idea to review possible errors and solutions in advance. Being knowledgeable about such scenarios will help minimize downtime, troubleshoot problems more accurately, and prepare administrators when implementing a VM environment.

--------------------------------------------

* “[FATAL] DevCore error (62) HasSetPassword failed: low-level failure”: This error occurs when initializing a new IronKey device on a non-native OS. The solution is to initialize the IronKey device on a native Windows XP or Vista computer, and then the user can use the device within the VM.

* VMware Fusion 2.0 for Mac: Users must update to VMware Fusion 2.1 or later.

* “IronKey App Status FATAL AppEngine Error (8): The Secure Volume could not be found- Error 1347”:

> > This error might occur for Mac users with Parallels Desktop, Bootcamp, or Mac Cross Over. This can result from a driver conflict. Verify that the USB Mass Storage Device driver does not have any errors, and try to manually update the driver. Some applications might conflict with the IronKey device.

> > This error might occur for Windows users running GuardianEdge. Users must update to GuardianEdge 7.2.1 or later to resolve this compatibility issue.

* The IronKey device does not appear within the VM:

> > VMware Server: Connect to the Server via the VMware Infrastructure Web Access. Configure the VM to have a USB Host Controller enabled. Plug the IronKey device into the host machine (where the server is located). Select the VM to which the IronKey device will be linked, and start the VM. Click the USB Host Controller icon to view the list of all attached USB devices, and select the IronKey. Users connecting to this VM will have access to the IronKey device. The IronKey device must be plugged into the Server and cannot be plugged into client computers that connect to the VMware Server. This is a VMware Server limitation; direct any questions regarding this issue to VMware.

> > VMware Player: Ensure that the VM image has the USB Host Controller enabled. This is done when the VM is being created by the administrator. The option to enable/disable a USB Host Controller is not possible through VMware Player.

> > VMware Fusion: Ensure that the VM image has the USB Host Controller enabled. VMware Fusion allows a user to change hardware settings, so it is not required to enable the USB Host Controller when the image is created.

> > Other VM Vendors: Several other vendors provide virtualization, and the configuration might differ. The common factor is for the USB Host Controller to be enabled. You might also want to install any software provided by the vendor that optimizes the VM.

> > VMs hosted on a Mac (not vendor-specific): Some testing indicates that the USB Mass Storage Device drivers fail to install properly upon inserting an IronKey device into a freshly created VM on a Mac. Insert the IronKey, open Device Manager, and update the USB Mass Storage Device driver. Remove the IronKey device, and plug it back in (it is not necessary to reboot the VM).

================================

OVERVIEW OF LIMITATIONS

This section will discuss the known limitations and issues with using IronKey devices within VMs. Compatibility can change when a vendor releases an update or new version. A new release might resolve some issues or it might introduce new problems. Changes will be documented and updated as they become known.

--------------------------------------------

Windows XP non-admin users

Thorough testing has shown that IronKey devices will not work when the VM is Windows XP and the user is logged in without administrative privileges. This affects Users and Power Users (although custom groups can be created, these are the common built-in groups). The IronKey Unlocker and Secure Files volumes will mount properly, the IronKey.exe process will launch, but the Unlocker window will not appear. Opening Windows Task Manager will display the IronKey.exe process, and the CPU usage will fluctuate.

To resolve the issue when the VM OS is logging into a domain, create a domain group for users that will have access to the VM. Add the domain VM group to the Administrators group.

--------------------------------------------

Example

Step 1: Domain Controller: Create a new group named “VM_Users”.
Step 2: Domain Controller: Add “user1”, “user2”, “user3” to the “VM_Users” group.
Step 3: VM: Login as an administrator, and go to Start > Control Panel > Administrative Tools > Computer Management.
Step 4: VM: Open the “Administrators” Group, and add the “VM_Users” Group located in the domain.

--------------------------------------------

Users without Administrative privileges within the domain will then have escalated privileges within the VM. For security purposes, the system administrator might want to modify the local policy to be more strict and verify that the IronKey device still functions properly.

If the VM OS is not linked to a domain, you might want to give users local Administrative privileges.

NOTE: If other USB flash drives mount within a VM without any issues, and all basic troubleshooting steps have been completed, contact your company’s system administrator or IronKey Technical Support.

================================

CONCLUSION

After the initial configuration to allow USB devices within a VM, you can expect to use your IronKey in the same manner as within a native operating system. IronKey devices perform and behave the same way in a VM from an end-user’s point of view. The ability to adapt to virtual environments is important given the expansion and widespread use of the technology.

================================

REFERENCES

Many resources and general FAQs are available on various websites.

NOTE: The majority of the above documentation was derived from in-house testing; results might not be the same for different versions of the software. VMs are known to have issues with mounting USB devices, which might not always be specific to IronKey.

--------------------------------------------

IronKey References

Supported IronKey Platforms

DevCore error (62) KB Article

-------------------------------------------

Microsoft References

Connect USB devices to a Virtual PC VM: http://support.microsoft.com/kb/824369

Requirements for USB devices with Virtual PC: http://support.microsoft.com/kb/824364

--------------------------------------------

 

Other Documentation

Using USB Devices in a VM: http://www.vmware.com/support/ws45/doc/devices_usb_ws.html

Forum thread regarding USB devices in a VM: http://communities.vmware.com/thread/172689

Vendors: http://en.wikipedia.org/wiki/comparison_of_platform_virtual_machines

Virtual Machine definition: http://en.wikipedia.org/wiki/virtual_machine

Quick Jump Menu
Copyright © 2014- Kingston Digital Inc. All rights reserved.