Information on KeyArmor technicalities

    • Updated: 1 Mar 2017
    • Product/Version: Endpoint Encryption
    • Platform: Windows 2003 Enterprise

This article provides the technical details about KeyArmor.


The following is the technical information for KeyArmor:

  • KeyArmor is a centrally managed, hardware-encrypted USB flash device. Successfully authenticating to the device through the KeyArmor software decrypts the 128-bit or 256-bit hardware encryption, allowing access to the data storage partition of the USB flash device.
  • The secure volume is protected by the on-disk encryption services. The password is calculated from the PolicyServer authentication services given a username and password. If the PolicyServer is offline and offline authentication is allowed, the password is calculated from the encrypted authentication data stored in the disk hardware.
  • Network connectivity is not required because this is determined by the client. After the 1x authentication process, a device never needs to be connected back to the network as long as Policies are configured correctly.
  • KeyArmor does not do Secure Session Services. We have no applications that run on the device, such as Firefox, that use the device’s encryption.
  • When a KeyArmor device is wiped, erased or killed, the device itself is destroyed, rendering it useless. The device hardware can never be used again except as a paperweight.
  • KeyArmor devices can be upgraded via a firmware flash that will be distributed by Endpoint Encryption once an updated version is produced.
  • MA KA provides Product Identification number (PID), Vendor Identification number (VID), and KA device serial number, in order to allow DCM/HBSS to register devices. Once the above data are supplied to the DCM/HBSS, KA devices can be allowed/disallowed automatically via DCM/HBSS.
  • KeyArmor encrypts on-the-fly, transparent to the user, and the NTFS file system has a compression system that can be leveraged if encryption with compression is required.
  • KeyArmor is a hardware chip set encryption product and the file systems are irrelevant to KeyArmor's encryption driver. Multiple file systems are fully supported.
  • As a hardware chip set encryption product, built-in defragmentation utilities are fully supported in KeyArmor.
  • KeyArmor is self-contained and requires no remote agent on a device where it is used. Additionally, KeyArmor does not interfere with any remote distribution and full installations of applications, patches, and updates while connected to a network.
  • KeyArmor will allow Microsoft Windows 7 RSM device features to encrypt any data being stored on a KeyArmor device. However, the Microsoft Windows 7 RSM encryption feature will not be allowed to read or write to KeyArmor until after a user has authenticated to their KeyArmor device.
  • KeyArmor does not interfere with full disk data erasure tools.
  • KeyArmor does not provide built-in data backup and restore capabilities, but KeyArmor does have the ability to restore session state should tampering occur.
  • KeyArmor devices are managed by the PolicyServer which is capable of managing and supporting all KeyArmor versions of the hardware, inventory, software inventory, and hardware configurations.
  • KeyArmor records all audit and log data on the local device, regardless of server communication, before sending it to the server. In the event of a communication outage, data is transmitted to the server when connectivity is next available.
  • Key management is only performed by PolicyServer. Once a device is attached to an enterprise it cannot be managed or controlled by any other PolicyServer.
  • KeyArmor does not require administrator rights or a local user account to operate.
  • Once a user has authenticated to a KeyArmor device, its storage supports any method of volume access properly configured on the hosting operating system.
  • KeyArmor supports drag and drop to the user volume after authentication. The product will autorun if autorun is enabled on the system; it can still be run manually if autorun is not enabled (i.e., on AGM).
  • KeyArmor device communication configuration cannot be changed after the device has been registered with the PolicyServer. In addition, Endpoint Encryption recommends using an externally resolvable DNS alias when entering the KeyArmor Host Name value. This allows KeyArmor devices to communicate with an externally facing PolicyServer and facilitates server hardware changes if necessary. Certain KeyArmor devices can be reinitialized by Endpoint Encryption upon request.
  • Here are the supported Host Platforms:
    • Compatibility: Windows® 2000 (SP4), Windows® XP, Windows Vista®
    • System Requirements: Microsoft® .NET Framework 2.0 SP1 installed and USB 2.0
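
The item above about supplying the PID, VID and device serial number to DCM/HBSS describes an allow-list keyed on those three identifiers. The following is an added example, not Trend Micro or DCM/HBSS code, of how a device-control check can evaluate them from a Windows USB device instance ID; the VID/PID pair, serial numbers and sample IDs are constructed placeholders, and `decide` is a hypothetical helper.

```python
import re
from typing import NamedTuple, Optional

# Windows USB device instance ID: USB\VID_xxxx&PID_xxxx\<instance part>
_ID_RE = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&[^\\]*)?\\(.+)$",
    re.IGNORECASE,
)

class UsbIdentity(NamedTuple):
    vid: str
    pid: str
    serial: Optional[str]  # None when Windows generated the instance part

def parse_instance_id(instance_id: str) -> Optional[UsbIdentity]:
    m = _ID_RE.match(instance_id.strip())
    if not m:
        return None
    vid, pid, inst = m.group(1).upper(), m.group(2).upper(), m.group(3)
    # An instance part whose second character is '&' was generated by the
    # OS, meaning the device reported no serial number of its own.
    serial = None if len(inst) > 1 and inst[1] == "&" else inst.upper()
    return UsbIdentity(vid, pid, serial)

# Placeholder allow-list: substitute the VID/PID and serials actually
# supplied for the enterprise's devices (the page does not list them).
ALLOWED_MODELS = {("AAAA", "0001")}
REGISTERED_SERIALS = {"KA0000000001", "KA0000000002"}

def decide(instance_id: str) -> str:
    ident = parse_instance_id(instance_id)
    if ident is None:
        return "deny: not a USB device instance ID"
    if (ident.vid, ident.pid) not in ALLOWED_MODELS:
        return "deny: VID/PID is not an approved model"
    if ident.serial is None:
        return "deny: no hardware serial reported"
    if ident.serial not in REGISTERED_SERIALS:
        return "deny: serial is not registered"
    return "allow"

if __name__ == "__main__":
    for sample in (  # constructed sample IDs
        r"USB\VID_AAAA&PID_0001\KA0000000001",
        r"USB\VID_AAAA&PID_0001\KA0000000099",
        r"USB\VID_AAAA&PID_0001\6&1A2B3C4D&0&2",
        r"USB\VID_BBBB&PID_0002\KA0000000001",
    ):
        print(sample, "->", decide(sample))
```

Matching on the serial as well as VID/PID is what separates registered devices from any other unit of the same model.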