What is IceLock?
IceLock is a new way to protect data on laptop computers. It combines powerful NSA-approved encryption, local autonomous monitoring, a multi-factor ephemeral key system and remote policy management and lock-down to create and manage a secure virtual disk on the laptop. Data stored in this disk, usually drive I:, is protected by IceLock’s encryption. Because of its web-based policy and key management system, IceLock is both the most secure and simplest data security solution available. With a few simple steps, IceLock encrypts user data on a laptop computer and goes to work, protecting its data from theft.

Why do I need IceLock?
The risk of disclosure of confidential data affects almost everyone. It's not just credit card and social security numbers that need to be kept safe. Confidential business plans, customer contact information and other data need protection too. IceLock protects data without getting in the way of user productivity. Allowing high security without unnecessary overhead is key to improving user compliance.

How does IceLock work?
IceLock creates a secure virtual disk on your hard disk and then copies your data into that disk. When you successfully log in, the disk appears automatically. But if someone repeatedly fails to log in, IceLock takes steps to protect your data. Also, your laptop checks in with the IceLock service center on a regular basis (set by your policies) to see if your computer has been registered as lost or stolen, and takes protective action if it has.

How does IceLock compare with other encryption offerings?
IceLock’s approach is unique in several ways. Like most solutions, IceLock uses AES 256 encryption to protect data. Unlike other systems, IceLock provides an ephemeral, multi-factor key system, and then adds user behavior monitoring to watch for hackers trying to get into your laptop. IceLock automatically takes steps to protect your encrypted data when it senses an unauthorized user. IceLock also provides web-based policy management for all the protected devices in your organization, which reduces your costs and overhead. Best of all, IceLock adds almost no burden to the user. It is easy to use, so it gets used.

How secure is IceLock?
IceLock uses 256-bit AES encryption with 14 rounds and a 256-bit key, operating in LRW mode. In addition, the keys IceLock uses to encrypt the data have multiple factors and are ephemeral, making it extremely difficult for someone to hack into your data.

What about the "Cold Boot Attack" published by Princeton researchers?
IceLock is aware of the computer environment, which allows it to manage keys much more proactively than other solutions. The Cold Boot phenomenon occurs because other encryption software leaves decryption keys in RAM even when a computer is password protected by a screen saver, sleeping or hibernating. IceLock deletes keys and overwrites them with random data during transitions to other power states, ensuring they cannot be recovered in a cold boot situation.

Does IceLock use whole-disk encryption?
No, IceLock protects data files and folders, and decrypts them only as they are used. This provides a higher level of security than whole-disk encryption approaches, as it allows administration of machines without providing access to encrypted data, and also provides “in-flight” monitoring of users and machines, rather than just pre-boot authentication. IceLock’s overall implementation and operation is much lower cost than whole-disk encryption, as it doesn’t interfere with the system’s normal boot-up sequence. IceLock also reduces support and training costs by integrating with the user’s existing log-in workstream, rather than requiring a separate pre-boot authentication. Also, IceLock is user specific: your data cannot be read by any other logged-in user, including administrators. Whole-disk encryption does not support this level of user control.

What about email files like Outlook’s OST, PST?
IceLock can encrypt the OST and PST files. When you set up IceLock you can copy your email data files into the secure virtual disk for protection. You will need to configure your email client to access the data files on Drive I:. Details on configuring Outlook are in the IceLock help file and on HyBlue’s support pages.

What about the Windows swapfile?
The swapfile cannot be protected by IceLock. Our aggressive management of keys means that there will be times when Windows is running that secured data is not available. If the swapfile were protected by IceLock, Windows would behave unpredictably if a user locked their workstation while the swapfile was in use. We do include a utility that can be used to set your system to flush the swapfile on power-off, which is not the default for Windows. This minimizes the data that is left in the swapfile.

How does IceLock protect against unauthorized users?
Unlike other encryption applications, IceLock monitors user behavior on the computer. If someone repeatedly fails to log in, IceLock detects successive failures and will automatically take steps to protect encrypted data. These steps include destroying essential elements of the decryption key, rendering access impossible. If IceLock sees the computer is marked as lost or stolen, it automatically takes steps to protect your data.

How many failed password attempts does this take?
This policy is configurable per company and per user profile; the default setting is 5.

What if I mess up my password and trigger a lockout?
Keys can be regenerated through the HyBlue Service Center. If your company has given you access to the service center, you can do this yourself; otherwise you can ask your IT support technician to do this for you. Simply log in to the HyBlue website and approve your use again. In fact, if your computer is online and you fail to log in, an email is automatically generated to let you and your technical contact know. You'll need to connect to the Internet briefly to update your laptop with this permission.

Can I recover from a lockout if I’m not online?
No. This process is automated and requires authentication from the computer and complex keys to be precisely rebuilt on your laptop.

Can HyBlue access my protected data?
No. IceLock has been designed specifically to keep everyone out of your data, including HyBlue and technicians administering your security settings. While we manage the public key side of IceLock, the main Customer Private Key is never shared with HyBlue. Because HyBlue never knows this Customer Private Key we can never decode your data.

Can my technicians and admins access my protected data?
Technicians in your organization providing routine support cannot decrypt data on your machine without the Customer Private Key.

What happens to my data if HyBlue goes offline?
IceLock can either integrate with the user’s system login, or you can set a policy requiring that users create a secondary, IceLock-specific password. If you stipulate the use of an IceLock password, then if for some reason the system log-in password is compromised, encrypted data is still protected.

What is the “IceLock password”?
Technicians in your organization providing routine support cannot decrypt data on your machine without the Customer Private Key.

What happens if someone uses a hacking program to change my password and logs into my computer as me?
IceLock’s secondary password protects against this type of attack. The IceLock password, which is separate and ideally different than your Windows password, protects access to your secure virtual disk. If a hacker manages to log in to Windows on your computer, they would still have to guess your IceLock password without multiple login failures, since those trigger key deletion to protect your data.

What if a hacker removes my hard disk and puts it in another computer?
IceLock’s sophisticated key system includes elements from the PC the disk is running in. Removing the disk disconnects it from these critical elements and your data remains encrypted.

Does IceLock impact performance?
Not at a level that humans can perceive.

How does IceLock know which files to protect?
During setup you select which directories contain files that should be protected. We recommend the My Documents folder at a minimum. These directories are then copied into the secure virtual disk, and in the case of the My Documents folder, the registry is changed so that you automatically access My Documents from the new, encrypted location. You can also select files afterward by simply copying them into the secure virtual disk.

How do I install IceLock?
There are two steps involved in deploying IceLock, and you can find all the details in our Installation and Quick Start Guide. The short version: First, you set up the keys for your organization. This includes setting up your Customer Private Key, which you must store in a secure location, and setting up the keys for each computer, which are automatically stored at the IceLock service center. Then you install the IceLock Autonomous Agent on each computer you wish to protect. The process usually takes several minutes for each computer, depending on the amount of data you wish to initially encrypt and the speed of your processor. Encrypting 100 Gigabytes takes about 20 minutes using a single-core Intel processor.

What Policy Management capabilities does IceLock provide?
IceLock allows you to set the number of log-in attempts that a user can make before the system is shut down, the number of days protected data can be accessed without checking in with the service center, whether or not to require a second, IceLock-specific password to access data, and what action to take when a stolen system comes online.

What if my laptop is lost or stolen?
IceLock has a number of protections built in to protect data in the case of a lost or stolen laptop. First, all your data is encrypted and can't be seen without authentication (i.e. unless the thief knows your passwords and can log in with your identity). Next, you can register your computer at the HyBlue Service Center as lost, and when the computer connects to the Internet, we'll automatically trigger destruction of the encryption key or your data, at your option. Finally, if a computer has not connected to the Internet and checked in for a pre-set number of days per your company's policies, IceLock automatically breaks the key on the laptop. IceLock maintains a record of all these actions for auditing purposes.

How much memory does IceLock use?
The IceLock service takes less than 2MB of memory during normal operation.

Does IceLock work with Microsoft Active Directory?
IceLock does not require Active Directory. However, if you’re not using a secondary “IceLock Password”, part of the credentials users need to access encrypted data is managed by Active Directory (because IceLock is using the Windows password in that case). IceLock does not take advantage of Active Directory’s group and policy management features.

What happens if someone leaves my company and I don't have their password?
IceLock utilizes a public/private key system to give you options for recovering data in this and other scenarios. By using your Customer Private Key, you can read data from any disk associated with your organization encrypted with IceLock. This is also useful if a laptop cannot boot but the disk can still be accessed when mounted in another computer. Files can be read on another computer that is set up to run IceLock and is part of the same company as the original computer, provided you have the Customer Private Key.

Copyright © 2005-2008 HyBlue, Inc.