SecureDisc

Password-protected encryption for automated CD & DVD production for the Rimage Systems and disc burning


SecureDisc – Rimage Edition (SDR) integrates with the Rimage production suite to secure the contents of any DVD or CD using a password. SDR makes it simple to integrate encryption into an existing workflow by automatically encrypting the image data for each disc as part of the automated production process. Discs are encrypted using the Advanced Encryption Standard (AES) 256-bit algorithm, and processed at the image format level for even stronger security. SecureDisc does not require the use of specialized media.

To read encrypted discs, the intended receiver only needs the correct password and does NOT need to download or install any software on their PC. The SecureDisc Explorer decryption client automatically deployed on each encrypted disc supports Windows XP, Vista, 7, 8, 8.1 and 10 (including 64-bit installations) and will automatically launch AUTORUN.INF scripting in the encrypted session once the correct password has been entered.

SDR works with Rimage’s Production Server service as a transparent proxy. When encryption is enabled, SDR automatically intercepts and encrypts the ISO or UDF image for each disc before recording. SDR’s unique ‘Forced Encryption Mode’ can also encrypt every disc production job regardless of the upstream software workflow, eliminating the need to modify any third-party applications.

Encryption passwords may be specified per job through Rimage API calls, legacy (Network Publisher/IOF/POF) job requests, a merge field in the label file, a password file included with the disc content or a fixed password that will be used for all discs produced.

Benefits At A Glance

  • Automated encryption of DVDs and CDs during production regardless of current software workflow
  • Highly secure 256-bit AES encryption using a FIPS 140-2 Validated Engine*
  • User friendly ‘zero footprint’ decryption on client PC supporting all major Windows versions 
  • Simple password integration options to accommodate almost any production environment
  • Supports all standard media compatible with Rimage production systems
  • Compatible with any Rimage Producer or Professional Series equipment including many legacy models

Requirements

Disc Creation:

  • Rimage Producer or Professional Series
  • Rimage software version 8.0 and above
  • A modern Windows operating system, NOT available for Linux or OS X
  • 5MB free disk space for program files

Disc Viewing:

  • Windows XP, Vista, 7, 8, 8.1 or 10 (32-bit or 64-bit); Windows RT is not supported
  • CD or DVD reader
  • Free disk space for caching the contents of the encrypted disc session

Encryption Engine Specifications

  • 256-bit AES (Advanced Encryption Standard) with FIPS 140-2 Validation
  • CBC Encryption Mode (each encrypted block has its own key)
  • 256-bit SHA for password-to-key generation
  • Format/Image based encryption (performed at the block/sector level)

Licensing

  • SecureDisc – Rimage Edition is licensed per Rimage system (or Control Center, for non-embedded systems)
  • Sub-licensed on a per-encrypted image basis
  • SecureDisc Explorer and Resident Clients are free of charge for SAE customers

Frequently asked questions

SecureDisc utilizes a 256-bit AES cryptographic engine which provides the highest level of security recognized by commercial and government entities. Although no technology can claim to be ‘unbreakable,’ a 256-bit key is the closest commercially available technology to that theoretical goal.

However, the encryption engine alone is not the sole component of a secure solution. SecureDisc encrypts the entire disc image. Picture this as taking all the files to be protected and placing them inside a virtual ‘safe.’ This is distinct from file-based encryption methods that individually ‘lock’ each file on the media. Encrypting the entire disc image creates a more secure solution since there is no visibility to any of the protected files until the image is decrypted by entering the correct password. This is one of an array of methods SecureDisc uses in order to prevent ‘cracking’ software from extracting the password and allowing unauthorized access.

There are widely available software applications that can ‘brute force attack’ encrypted files by making thousands of attempts per second using every possible password combination and eventually obtain the password. These applications cannot be used to defeat SecureDisc, as every time an unsuccessful password attempt is made the disc is automatically ejected from the drive, requiring manual re-loading of the disc for each failed attempt.

SecureDisc uses a ‘disc-in-disc’ system that places the encrypted disc image inside a standard, non-encrypted UDF base file system. Using this system, SecureDisc can place decryption clients, documentation and other useful files in the non-encrypted base file system, while providing full security for files in the encrypted image. Also, since the encrypted image is simply a file on the disc, it requires no special permissions or disc features to access, preserving compatibility with end-user optical drives and making decryption client deployment much easier.

SecureDisc provides two different decryption clients, the Resident Client and the Explorer Client. Both present the same interface to the end user: when an encrypted disc is inserted, the decryption client asks for a password. If the correct password is entered, SecureDisc works in the background, decrypting files on-the-fly and providing drive-letter access. If an incorrect password is entered, SecureDisc denies access and ejects the disc.

The Resident Client uses a kernel-mode driver to perform decryption. This is more compatible with third-party viewers, but requires installation as an Administrator, and as such may not be suitable for all environments. The Explorer Client uses the built-in WebDAV redirector in Windows XP and above to mount the encrypted image as a network drive. This is not as compatible, but does not require intervention by an Administrator to work. Before deploying SecureDisc in your workflow, please evaluate both clients with your viewer software and your end users to see which one works best.

The Explorer Client makes use of Windows’ AutoRun system, and may not launch properly on systems that have AutoRun disabled.

There is a base license that is paid only once per system. The base license authorizes that system to produce encrypted discs and it never needs to be renewed. Updates within the major release purchased are covered under optional SAE. If a new major release is issued and an existing SecureDisc owner wants to purchase the new major release, SAE customers pay 50% off of the Commercial Price. 

Image Packs are bundled licenses that decrement every time a unique encrypted disc image is generated. Image Pack license keys are ‘plugged in’ to the SecureDisc base license.

Each disc encrypted with SecureDisc is counted as an “image”, and GTGI sells rights to encrypt images in packs of varying sizes, from 1,000 up to 25,000. How many you will need depends on your throughput. We offer complimentary units and licenses for testing and workflow development purposes; please contact us for more information.

Units are licensed per Control Center or “N” robotic unit, and are not transferable between machines without GTGI’s express permission and assistance; if you need to transfer units from a failed or replaced machine to a new machine, please contact us.

We no longer split image packs between machines. Please purchase a separate image pack for each machine you plan to encrypt on.

SecureDisc does not generate or manage passwords; rather, it encrypts using a password provided by your workflow. There are 4 ways to introduce an encryption password:

– Inside the job production order

– Include with disc content (inside a password text file, password blanked before recording)

– Use a fixed, global password (every disc has the same password)

– Use an extra merge field in the label file (password is automatically blanked before printing)

We can also provide ODBC database integration at an extra cost.