Stormshield Data Virtual Disk
Recovering a volume with a container file
The physical medium for a secure volume is a container file (.vbox extension) that contains:
- The cryptographic components required for mounting the volume: the volume’s symmetric encryption key is protected with the public key of each authorized user and with each recovery key,
- The content belonging to the volume: files stored in the volume and file system.
The cryptographic components are always saved in a backup file (.vboxsave extension) when the volume is created and again with each modification to the user list.
Recovering a Stormshield Data Virtual Disk volume is identical to changing the owner, as described in the product user manual. Basically, the user requesting a change in ownership is not the initial owner but the user whose encryption certificate has been defined as the recovery certificate.
Therefore, recovery consists of defining a new user as the owner of the volume. The new owner can then perform all the chosen operations.
Recovering a volume without a container file
However, for a simple ownership change, a recovery can be launched without a container file, using only the .vboxsave file.
This procedure is particularly useful for remote recovery operations. The user with the container file does not need to send the entire container file for the recovery to be launched, and only needs to send the .vboxsave file.
To do this, users who want a recovery must send the .vboxsave file to the administrator in charge of recovery. The administrator proceeds in the same way as for changing the owner, then sends the .vboxsave file back to the user who made the request. That user only has to update the .vboxsave file and continue the ownership change procedure as if they had updated the .vboxsave file themselves.
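The following added example (not Stormshield code) models why the backup of the cryptographic components is enough for an ownership change: the volume key is wrapped per public key, so recovery only reads and rewrites those wrapped keys and never touches the encrypted content. The real .vbox/.vboxsave format and algorithms are not given on this page; RSA-OAEP, the dictionary layout, the user names and the third-party `cryptography` package are assumptions.

```python
# Conceptual model only: not the real .vbox/.vboxsave format.
# RSA-OAEP wrapping and every name below are assumptions for illustration.
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def new_keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def create_header(volume_key, owner, users, recovery_pub):
    """Wrap the volume key under each public key.
    The returned dict plays the role of the .vboxsave backup."""
    return {
        "owner": owner,
        "users": {name: pub.encrypt(volume_key, OAEP)
                  for name, pub in users.items()},
        "recovery": recovery_pub.encrypt(volume_key, OAEP),
    }

def unwrap_as_user(header, name, private_key):
    """What mounting needs: the user's private key recovers the volume key."""
    return private_key.decrypt(header["users"][name], OAEP)

def recover_ownership(header, recovery_private, new_owner, new_owner_pub):
    """Ownership change done by the recovery-key holder.
    Only the header is used; the encrypted volume content is never needed."""
    volume_key = recovery_private.decrypt(header["recovery"], OAEP)
    updated = dict(header, owner=new_owner, users=dict(header["users"]))
    # Existing user entries are kept as they were (a choice of this model).
    updated["users"][new_owner] = new_owner_pub.encrypt(volume_key, OAEP)
    return updated

def demo():
    alice, bob, recovery = new_keypair(), new_keypair(), new_keypair()
    volume_key = os.urandom(32)  # constructed sample key
    header = create_header(volume_key, "alice",
                           {"alice": alice.public_key()},
                           recovery.public_key())
    # The user sends only the header; the administrator holds the recovery key.
    updated = recover_ownership(header, recovery, "bob", bob.public_key())
    return volume_key, header, updated, alice, bob

if __name__ == "__main__":
    vk, header, updated, alice, bob = demo()
    print("new owner can unwrap:", unwrap_as_user(updated, "bob", bob) == vk)
```

In this model the header holds no plaintext key, so the security of a recovery by header alone rests entirely on who controls the recovery private key.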
We advise against unmounting a Stormshield Data Virtual Disk volume “by force” or when there are open files in it. If such an operation is necessary, we strongly recommend checking the volume, by using the Windows tool for checking the disk, the next time it is mounted before using it.
If a secure volume is duplicated by copying the .vbox container file, the two copies cannot be mounted simultaneously on a single workstation.
Generally, you are advised against duplicating volumes by copying the .vbox container file. This method should be used only for backups.
For better integration with Microsoft Windows, a Stormshield Data Virtual Disk volume behaves in the same way as a standard storage volume.
An encrypted volume mounted in a Windows session is thus accessible from other Windows sessions opened on the workstation.
To avoid this, the user must select the option that locks the SDS Enterprise account when the Windows session locks.
Locking the account unmounts encrypted volumes mounted in the session. However, unmounting a volume by force may damage the files open on this volume. The user must save modifications before locking the session.
On a Windows server, a remote user cannot see the Stormshield Data Virtual Disk volumes mounted by other remote users connected to the same server. However, we recommend selecting automatic locking because the disk volumes are actually just hidden, so data on the disks may still be accessed.
- The maximum size of a Stormshield Data Virtual Disk volume is 2048 GB (2 TB).
- Volumes larger than 2 GB cannot be formatted in FAT16 (FAT16 limitation).
- Volumes smaller than 2.5 MB cannot be formatted in NTFS (NTFS limitation).
- The icon for a Stormshield Data Virtual Disk volume may be incorrect in Explorer (either a normal disk icon or a document icon).