7 Replies Latest reply on Mar 6, 2018 11:52 AM by Gordon Rigg

    How insecure is an offline PDM vault?

    Gordon Rigg

      I realize that "how secure?" is a vague question.

      The data that I carry about on my laptop is a regularly synchronized PDM Standard vault in offline mode. I have a local cached copy of all my vault data because I can't usually predict what I need to access. We are not able to access the vault remotely - it's PDM Standard, not Professional.

      Because the vault is in offline mode there is no need for the PDM login details to access them.

      The files are stored in their normal SOLIDWORKS format. You can copy them easily.

       

      This means that unless you set to clear local cache in the PDM settings all the recent files people are using on their workstations are just stored there on the hard disc in a form anyone can find and open/copy/edit if they gain access to the workstation or the disc on the workstation.

      This would apply to PDM Standard and PDM Professional. The only advantage in PDM Professional would be that you can operate in online mode at a remote site, check your files in and clear that local cache so you are not carrying that data with you at all (but you don't have it unless you find internet access, and you might be waiting a while if it is slow).

       

      Solidworks do not offer a means to add a layer of security to the access to these files as far as my VAR knows.

       

      Things I could try:

      Copy the vault data as Windows file system onto a USB disc and apply an off-the-shelf security package to that. I'm not sure the file assembly links are going to work doing that as I think they are handled by the database? I guess I can try a sample of data...

      Then clear the local cache on my laptop before travelling.

       

      Try to apply a 3rd party security system to the local cache location that requires a login. I'm guessing that is almost certain to defeat the PDM system when logged in and at the very least cripple performance.

       

      I raised an enhancement request. 1-16937558706 (can't seem to link to that as yet).

        • Re: How insecure is an offline PDM vault?
          Ravi Teja

          Hi Gordon,

          I think there is a solution to this.

          I tested out Curtain E-Locker and it pretty much solves all the issues pointed out in your post.

          Basically it can manage login and rights even if it's offline.

          The way they implemented this does not create any overhead on performance.

           

          Regards

          Ravi T

          • Re: How insecure is an offline PDM vault?
            Ulf Stockburger

            Hi Gordon

             

            I use an encrypted container in which all important data is stored. If required, it will be mounted as a hard drive in order to work with the data. In case I lose my laptop, nobody except me has access to the data in this container. I am using TrueCrypt 7.1a. It's open source and, according to today's standards, still safe enough, although it's no longer being developed further.

             

            BiI SAP-PDM

            • Re: How insecure is an offline PDM vault?
              Gordon Rigg

              I wonder, if I create a partition for my work data, and put my vault view there, then I should be able to use the BitLocker included with Windows Professional on that partition?

                • Re: How insecure is an offline PDM vault?
                  Gordon Rigg

                  I had a reply from my VAR (solidsolutions) about using BitLocker on a drive where the vault view is placed:

                  Further to your enquiry regarding BitLocker. I’m afraid that the official answer from SOLIDWORKS is as follows.

                   

                  “SOLIDWORKS Quality Assurance (QA) does not test Bitlocker Drive Encryption for SOLIDWORKS PDM. Therefore, SOLIDWORKS PDM does not officially support Bitlocker Drive Encryption.”

                   

                  This does not mean that it will not work, however it does mean that if you did implement this and subsequently have a problem, then we would not be able to get any support from SOLIDWORKS to resolve the matter.

                   

                  For the original question there is an Enhancement Request SPR (963675) to “Add some data protection mechanism while accessing files in offline mode” and I have voted for this on your behalf making a suggestion that one workflow could be to ask the user to enter their password when going offline, then storing this and using it to authenticate client side only whilst working offline. 

                • Re: How insecure is an offline PDM vault?
                  Shaodun Lin

                  Hi Gordon:

                   

                  1. Curtain e-locker Overview Demo (English) - YouTube

                   

                  I have the contact :

                   

                  Kelvin Cheung
                  -----------------------------------------------
                  Coworkshop Solutions Limited

                  Unit 2, 9/F Asia Trade Centre,
                  79 Lei Muk Road, Kwai Chung, Hong Kong
                  HK Mobile: +852 6077 2623
                  China Mobile: +86 14714409030
                  Tel: +852 2776 6161
                  Fax: +852 2776 6183
                  Support Hotline: +852 8199 0642
                  Email: kelvinc@coworkshop.com
                  Website:
                  www.coworkshop.com

                  • Re: How insecure is an offline PDM vault?
                    Gordon Rigg

                    When you work offline, with the computer disconnected from the vault server, you can still read all your files, save copies of them, and build new assemblies out of them - depending on how you have set up your caching.

                    I have chosen to have a complete vault copy in my cache (on my laptop), so I have all my design data when I am offline. The minimum would entail just the files accessed in the last session in the local cache.

                     

                    While you get prompted to log on to access the offline files, you can just exit that and still access the files.

                    So you might vote for this:

                    Enhancement Request SPR (963675) to “Add some data protection mechanism while accessing files in offline mode”

                     

                    Furthermore, you can read all the files in the cache, using DOS for example (easily found but I won't publish where here). So anyone could mount your hard disc and read them.

                     

                    I have found I can place the vault view on a disc partition that has BitLocker activated. Everything on that partition is encrypted. To read it they need the chosen BitLocker password, and perhaps also the Windows user password (or a BitLocker "oh sh1t" key that it gives you when you set it up).

                     

                    The vault seems to work without too much of a performance hit opening and closing files and saving them (my testing is not yet extensive).

                    This only affects the locally stored data I am travelling with, so it is not a risk to our live data on the server back at base - unless by some screw up an encrypted file could get from my laptop and overwrite the one on the server...

                     

                    Anyway it's working so far. BitLocker is included in Windows 10 Professional so there are no added costs.

                     

                     

                    NOTE:

                    “SOLIDWORKS Quality Assurance (QA) does not test Bitlocker Drive Encryption for SOLIDWORKS PDM. Therefore, SOLIDWORKS PDM does not officially support Bitlocker Drive Encryption.”

                     

                    I don't take any responsibility either
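
Added example, not part of the original thread: a PowerShell check that the volume holding the local vault view is actually protected by BitLocker before the laptop leaves the office. The path `D:\VaultView` and the function name `Test-VaultViewEncryption` are assumptions; `Get-BitLockerVolume` needs an elevated prompt.

```powershell
# Added example. 'D:\VaultView' is a placeholder for your local vault view folder.
function Test-VaultViewEncryption {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Vault view path not found (or volume is locked): $Path"
    }

    # Resolve the drive that hosts the vault view, e.g. 'D:'
    $drive = (Get-Item -LiteralPath $Path).PSDrive.Name + ':'
    $vol = Get-BitLockerVolume -MountPoint $drive -ErrorAction Stop
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $findings = @()
    if ($vol.ProtectionStatus -ne 'On') {
        # Off or suspended: the cached files are readable by anyone who mounts the disc
        $findings += 'BitLocker protection is off or suspended on this volume.'
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)."
    }
    if ($protectors -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector: a forgotten password means lost data.'
    }
    if ($vol.AutoUnlockEnabled) {
        # Auto-unlock ties this volume to the OS volume's protection
        $findings += 'Auto-unlock is enabled: the volume opens whenever the OS volume is unlocked.'
    }

    [pscustomobject]@{
        VaultView     = $Path
        Volume        = $drive
        Protection    = $vol.ProtectionStatus
        VolumeStatus  = $vol.VolumeStatus
        KeyProtectors = $protectors -join ', '
        Findings      = $findings
        Ok            = ($findings.Count -eq 0)
    }
}

Test-VaultViewEncryption -Path 'D:\VaultView' | Format-List
```

An `Ok` value of `False` lists the reasons under `Findings`; the check covers only the volume that hosts the vault view, not other locations on the laptop.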