IGEL Cosmos
Secure Endpoint Platform
Simplify and secure the delivery of digital workspaces to access any cloud while reducing costs.
The KOBRA VS Stick is a bootable encrypted USB-C flash drive, fully developed and manufactured inside Germany, with patented 2-Factor-Authentication (Smartcard + PIN) that enables the secure booting of IGEL OS, data protection compliant storage and the secure transport of sensitive business and private data. It is easy to
use and offers secure protection of all stored data. IGEL OS supports the Kobra VS Stick from Digittrade, a BSI (German Federal Office for Information Security)-certified USB-C flash drive with approval for applications up to the classification levels VS-NfD (German Public Sector),
NATO Restricted, and EU Restricted. The Kobra Stick VS can also be connected to an existing PKI based smartcard system (example: The German military troop ID has already been connected and can be used for authentication onto the device). Also, partitions can be created, where on partitions boots IGEL OS and another is used to store encrypted critical data.
About the Kobra VS storage devices: Kobra Drive VS
and Kobra Stick VS
The external encrypted data storage devices Kobra Drive VS as well as Kobra Stick VS
(1FF) and Kobra Stick VS (2FF) are an external USB-C storage device (HDD/SSD) and
USB-C memory stick with hardware-based encryption in stable, elegant metal housings
with integrated keyboard. The storage devices provide the same security features and
differ only in their form-factor, design and storage capacities. For this reason, they are
all referred to as Kobra VS in this Administrator’s Guide.
The Kobra VS storage devices enable the GDPR/EU-DSGVO data protection compliant
storage and safekeeping as well as secure transport of sensitive, personal and
confidential information up to the classification level NATO Restricted, EU Restricted
and VS-NfD (classified information – for official use only). These data carriers were
developed in accordance with the “Technical Guidelines” of the German Federal Office
for Information Security (BSI) and bear the quality mark “IT-Security made in Germany”.
They correspond to the current “state of technology” (German: Stand der Technik) and,
due to their security functions, are currently one of the safest ways to store and transport
data on mobile devices.
The data stored on the Kobra VS data carrier is protected against unauthorized access
with regard to the confidentiality of the information, for example if the Kobra VS storage
device is lost, misplaced or stolen. In doing so, it resists logical and physical attacks.
Thanks to the built-in storage in 2.5” format, the Kobra Drive VS is already small and
handy as an HDD. The optional SSD version offers additional protection against shocks
and vibrations. The data transfer and power supply are provided via the USB-C port. The
Kobra Stick VS (1FF) and Kobra Stick VS (2FF) offer the same security features as the
Kobra Drive VS, only in an even more compact format.
Kobra VS devices can be delivered in a PKI-based or stand-alone environment. There
are two basic application scenarios. In the PKI-based variant, only Kobra VS devices
are provided. These are set up by the user’s administrators. Therefore, the PKI-related
properties of the Kobra VS are also regulated by the administrator’s IT security concepts.
7
Deutsch
This mainly concerns the generation and storage of the key pair (consisting of a public
and a private key), the User-PIN and SO-PIN specifications (length and number of failed
attempts) and other organizational measures. For this reason, the properties of the
Kobra VS storage device are described in detail below, mainly regarding the stand-alone
environment.
The stand-alone scenario, on the other hand, involves the delivery of the Kobra VS
together with two Digittrade smart cards (Atos Card OS 5.3, CC EAL 4+) in the completely
preset state. This Kobra VS can basically be used immediately in case of urgent need.
In the VS-NfD approved configuration, however, the user may only put the Kobra VS
into operation after changing the User-PIN and SO-PIN and generating a new DEK (Data
Encryption Key) on the Kobra VS device itself.
In order to use the security features of the Kobra VS storage devices to the full extent
and within the scope of the VS-NfD approval, the following steps are required:
– Ensure that your host system has adequate protection for all data accessed
from the protected area of the Kobra VS
– After receiving the Kobra VS, check the completeness and correctness of the
delivery (Chapter 10)
– Check via the host system that the USB properties of the device match the
model name and serial number on the back of the Kobra VS (chapter 1.12)
– Change the User-PIN and SO-PIN on both Digittrade smartcards
(chapter 4.3, 4.5)
– Change the Admin-PIN if you have administrator rights (Chapter 4.6)
– When selecting the Admin-PIN, User-PIN and SO-PIN, trivial PINs should not be
considered and standard PINs should be excluded
– Create a new DEK (Data Encryption Key) on the Kobra VS storage device
(Chapter 4.7)
– Check if the registration is possible with all activated Digittrade smartcards
(or your PKI card)
– Protect your authentication features (smartcard and PIN), they must remain
confidential
For a detailed description of the above steps, refer to the appropriate chapters in this
Administrator’s Guide. The model name and serial number can be found on the back
of each Kobra VS. This information can be obtained using the supplied Kobra Client VS
software and the USB device information on the host system.
– KOBRA VS storage devices: Security mechanisms
– Encryption – 256 Bit AES in XTS Mode
– Access Control – Patented 2-Factor-Authentication by Smartcard and PIN
– Management of Encryption Key – Creation, modification and destruction by user,
– User-Management – By Administrator
– Mobile access to EU Restricted / NATO Restricted / VS-NfD data – Users cannot bypass encryption
– Use as encrypted boot device launching pre-installed IGEL OS out of the box
– Integrated power supply enables
pre-boot authentication
– Encrypted installation of
operating systems on Kobra VS
storage devices
– Flexible change of purpose from
laptop/PC
– pSLC memory to
ensure longest possible lifespan
– When the storage device is
disconnected from the PC, the
data remains encrypted and is
stored only on the Kobra VS
storage device.
– Advantages of using the Kobra Stick VS with IGEL OS
– Two-factor Pre-Boot authentication
• Protects Igel OS from manipulation and prevents
attackers from starting the operating system
• Protects configuration information
– Passwortless Single Sign On
– The user only has to remember his PIN, all further
authentication can be done by the smartcard
– Kobra VS driver is already fully integrated into
Igel OS
– The internal Smartcard reader of Kobra VS can be used for
PKI-based authentication of the VPN connection
– Smartcard reader can be forwarded to target VM
and used for further authentication procedures
– Smartcard can be Employee ID Card or vice versa (Employee ID used for authentication)
– The combination of Kobra Stick VS and IGEL OS has been well tested and
works out of the box
– Additional Use of the multi-purpose Kobra Stick VS
– Secure backup storage
– Server system migration (with Kobra Drive VS – up to 16TB)
– Simplified transport of critical sensitive data
– Airgap Bypass
– Data Diode (1 Smartcard with Read and Write, 1 Smartcard with Read Only)
– Use on smartphones as a data storage device
– 2-Factor-Authentication for E-Mail Encryption, VPN Access, Cloud Access, Windows or Linux Login, digital signatures