Professional Edition Only

Using Smartcards for Administration

Companies with large numbers of employees face a problem: they need to delegate routine tasks, such as resetting lost passwords, to internal support departments, yet they don't want to distribute administrator passwords to the personnel manning the company help desk.

With SafeHouse, the solution to this dilemma is easy!

SafeHouse includes an amazing feature known as administrator smartcards. These are special smartcards prepared using the SafeHouse Branding Wizard with a single goal in mind: to be able to delegate sensitive administration tasks to support personnel or sub-level administrators without needing to tell them the SafeHouse group administrator password.

All smartcards are protected by a PIN or password. As such, SafeHouse administrator smartcards can only be used by people who are in possession of the card and also know the PIN.

Smartcards are created on a per-group basis. You must know the administrator password for a group in order to create a smartcard which can be used to administer that group.

Safe Delegation Using Smartcards

As the top-level SafeHouse administrator, you can create an administrator smartcard and hand it to somebody you trust to perform certain administrative tasks, such as resetting SafeHouse volume passwords. When you no longer wish to allow this person to perform these tasks, simply take back the smartcard or disable it using the website. Either way, this person will not be able to perform any future administrator tasks.

Administrator Smartcards

Administrator smartcards offer the following features:

SafeHouse Branding Groups

All administrator smartcard operations in SafeHouse are performed on behalf of a specific group.

Administrator smartcards are associated with specific SafeHouse branding groups. Although information for multiple groups can actually be stored on the same physical smartcard device, the intent is to give you fine-grained control over the range of groups that a specific smartcard user can administer.

When you use the SafeHouse Branding Wizard to create an administrator smartcard, what you are actually doing is creating a record on the smartcard for a given group, indexed by its serial number. Throughout the product, wherever the SafeHouse software can authenticate an administrator using a smartcard in lieu of a password, it will search the smartcard for an entry (by serial number) corresponding to the current SafeHouse group. If one is found, the holder of the smartcard is deemed to be an authenticated administrator.

Compatible Smartcard Devices

Please note that the operational requirements for commercial smartcards compatible with this SafeHouse feature are higher than the much simpler requirements for smartcards used to store SafeHouse volume passwords. The reason is that not all smartcards support the industry-standard cryptographic features required by SafeHouse for administrator smartcards. These advanced features are not needed to store SafeHouse volume passwords.

Smartcards compatible with this feature include:

Common Administrator Smartcard Tasks

Below are links for the most common tasks relating to administrator smartcards:

Smartcard Use in SafeHouse Must be Enabled

You must enable SafeHouse's use of smartcards prior to creating or using an administrator smartcard.

Smartcards are enabled using the drop list found on the Options tab of the SafeHouse system tray utility. The screenshot below shows the dialog where smartcards are configured within SafeHouse. In this case, the virtual smartcard has been selected, which carries the additional requirement that you must create the virtual smartcard file on your USB flash device.

It is fully permissible to use the same smartcard for both volume passwords and the branding group entries described here.
