KRYPTOSTORAGE 1.0 - Security Software KASPERSKY LAB - Free user manual and instructions

USER MANUAL KRYPTOSTORAGE 1.0 KASPERSKY LAB

2.1. Hardware and Software Requirements

4.1.2. Rules for Using Protected Folders

4.2.3. Rules for Using Protected Containers..

4.2.5. Formatting a Containe

4.2.6. Detaching a Container...

4.2.7. Protecting Containers from Deletion

4.3. Protecting Disk Volumes and Removable Devices

4.3.1. Specific Features of Using Hard Disk Management Utilities

4.3.5. Rolling back to the Unencrypted State

4.3.7. Starting up Using Protected System Volume andior Boo Volum

4.3.8. Attaching the P rotected Volumes of Hard Disks and Removable Devices 38

4.3.9. Detaching the Protected Volumes of Hard Disks and Removable Devices

à. 3. 10. Disk Recovery. e 4.4. Wiping Protected and Unprotected Objects Al

CHAPTER 1. KASPERSKY

KRYPTOSTORAGE OVERVIEW Kaspersky KryptoStorage (hereafter Kaspersky KryptoStorage or the System) is a system for the cryptographic protection of confidential data stored on PC from unauthorized access. The system is intended to protect the user's confidential data against unauthorized access and to prevent data leakage when the operating system saves system information to disk or when the user's files are not wiped. Transparent encryption is used to encrypt information. The transparent encryption is a mechanism which enables the storage of information in the encrypted form inside of a protected object. The protected data is processed in the following way: the data is automatically decrypted in RAM when requested and the uploaded data is encrypted. Data is encrypted with the 128-bit AES algorithm. The algorithm is approved by the international cryptography community and represents a cryptographic standard. AES is approved by the U.S. National Institute of Standards and Technology (Standards and Technology (NIST) Federal Information Processing Standards (FIPS) PUB 197 26.11.2001). The cryptographic key is generated from the user's password. Thereby the length of this password can be limited by the local legal requirements. The main functions of the System are listed below. Protecting Data With the System, you can:

• create single protected NTFS virtual folders to store confidential data; ° create protected virtual volumes (the protected containers) to store confidential data; + protect all data on disk volumes, including the system and the boot volumes, on Flash drives, and other USB Mass Storage devices;

6 Kaspersky KryptoStorage 1.0 The protection of system disk allows you to keep the following confidential: + RAM contents which are saved to a hard disk when the system hibernates; e crash dump data which is saved to a hard disk when a fatal error occurs; + data oftemporary files and swap files. Handling protected data With the System, you can: .__delimit access to protected information using password authorization; + store protected objects inside other protected objects with any nesting depth:; °__ prevent accidental or intended deletion of protected objects by limiting access to these objects; . use protected folders, containers and volumes which are located on the user's computer; + move protected objects together with the physical carrier to another computer where the System is installed. At the same time the objects can be used; «+ __ wipe files and folders. 1.1. The Components of Kaspersky KryptoStorage The components of Kaspersky KryptoStorage are listed in the table. Component Description Create protected objects; enable use of the protected data, decrypting and wiping files and folders The components integrated into the Explorer shell Enables activating the program, managing Kaspersky KryptoStorage | licenses, configuring Kaspersky KryptoStorage manager subsystems, creating protected objects, recovering protected disks

Kaspersky KryptoStorage 1.0 Component Description Kaspersky KryptoStorage Help A file containing .CHM help topics 1.2. Protected Objects The protected objects are any objects encrypted with Kaspersky KryptoStorage which are intended to store data. There are the following types of protected objects A protected folder is a special NTFS folder created by a user on the user's computer with Kaspersky KryptoStorage. After the folder is attached using Kaspersky KryptoStorage, you can use itas a common NTFS folder. À protected container is a special file created by a user on the users computer with Kaspersky KryptoStorage. After the container is attached using Kaspersky KryptoStorage, you can use it as a virtual disk. Also, container files can be copied, recorded to CD or DVD, emailed and moved to another computer where the System is installed. At the same time the containers can always be attached. À protected volume is created by converting (encrypting) an existing hard drive volume which contains data using Kaspersky KryptoStorage. This operation also includes protecting the system and/or the boot volumes and USB Mass Storage devices (Flash drives, USB storages, etc). After the protected volume is attached using Kaspersky KryptoStorage, you can use itas a common volume. Attention! All data placed to a created protected object is automatically protected, i.e. encrypted. When you copy data from a protected object into an unprotected area, the data is placed in the decrypted (unprotected) form.

8 Kaspersky KryptoStorage 1.0 1.3. Rights of Access to Protected Objects A user must be authorized to access protected objects. It prevents unauthorized operations on the objects. The authorization is required to: e Attach protected objects; e Change password: + Decrypt volumes, interrupt and continue encrypting, decrypting and also rolling the protected volumes back to a previous state. To be authorized, you must type your password for accessing the protected. Note: If you type an incorrect password (for example, if you forgot the password), the System displays the message that access is denied and a password hint, if you specified the hint while selecting the password 1.4. Password Recommendations. Using Password Hints All protected objects are accessed upon authorization only. Password is the mandatory authorization parameter. Follow the recommendations for selecting a password: + __a password should be made up of 7 characters or more; a password can contain digits, English characters, space and special characters («.», «,», «?», «ln, «<y, «>», «», etc.); + _itis highly advised to create a password which includes a combination of upper- and lower-case alphabetic letters and digits You must not use in the password: <__ words found in a dictionary or set expressions; . _ anyeasy-to-guess sequence like: qwerty, 123456789, qazxsw, etc

9 Kaspersky KryptoStorage 1.0 e personal data: first and last names, addresses, passport numbers, social security numbers, etc. + _Itis strongly advised not to reuse the passwords which you use to run other programs (e-mail, databases, etc). Attention! If you lose the password to a protected object, the object's contents cannot be restored! You can use password hints. À password hint is a character string which is displayed in the special field. The password hint is specified by the user when the user selects a password. If the hint has been specified and you type an incorrect password, the System displays the hint after denying access to an object. The password hint can contain certain information to help you recall your password Attention! When you specify a password hint for your password, you must remember that the password hint will be displayed to every user who tries to attach the object. Therefore, the password hint must not contain the explicit description of your password.

KASPERSKY KRYPTOSTORAGE This chapter contains hardware and software requirements and describes how to install and update the Product, and manage its licenses. 2.1. Hardware and Software Requirements Your computer must meet the following hardware and software requirements to run Kaspersky KryptoStorage. Hardware requirements: + processor Intel Celeron 1 GHz or higher; ° RAM256 MB; + 10 MB free disk space to install the application. Software requirements: e Anyofthe listed operating systems: — Microsoft Windows 2000 Professional (Service Pack 4 + all updates); — Microsoft Windows XP (Service Pack 2); — Microsoft Windows Vista (Service Pack 1); — Microsoft Windows 7. System supports operating systems on both x86 and x64 platforms.

11 Kaspersky KryptoStorage 1.0 2.2. Installation Attention! You must have administrator rights to the computer to install Kaspersky KryptoStorage. The installation starts with the installation wizard. Each window contains à set of buttons to control the installation process. The buttons provide the following operations: + Next- accept the action and go to the next step of the installation procedure. + _Back- return to the previous step. ° Cancel cancel the installation. See below the step-by-step description of the System installation procedure. Step 1. Start the Installation Insert the Kaspersky KryptoStorage setup disk into the CD-ROM drive or run the installation file kksVVven .exe. The vvvv letters in the name of the installation file stand for the version of the Product. Note: You can download an update of the Kaspersky KryptoStorage software product at http://Www.kaspersky.com/downloads. The Welcome to the Kaspersky KryptoStorage Setup Wizard screen opens. Click Next to proceed to the next step. Or click Cancel to cancel the installation. Step 2. Accept License Agreement You must accept the terms of the license agreement to continue the installation and click Next.

12 Kaspersky KryptoStorage 1.0 Step 3. Select the Installation Directory The default path to the directory where Kaspersky KryptoStorage will be installed is specified in the input field of the Destination Folder screen. You can change the installation directory. Click Change. and select a directory in the standard window for selecting the directory, or type the path to the directory in the appropriate input field. Click Next to proceed to the next step. Step 4. Complete the Installation After proceeding to the Ready to install Kaspersky KryptoStorage screen, click Install, to install Kaspersky KryptoStorage Follow the installation wizard instructions to complete the installation of Kaspersky KryptoStorage. When the installation is complete, you will be asked to activate the product. You can select one of the following options: + Activate 30-day trial version. < Activate full version. To activate the full version, you must get and install a license using an activation code. See information on the procedure for getting and using a license key in Item 2.4 on Page 14. After the type of activation is selected, click Next. Restart the computer to finish the installation. The corresponding notification is displayed Attention! It is strongly advised not to turn off computer's power supply when restarting (when Microsoft Windows is shutting down). It may cause an error while the operating system is starting Up. If the power supply fails, keep hitting the F8 key when restarting. In the Windows Advanced Options Menu, select the Last Known Good Configuration option. After that, reinstall Kaspersky KryptoStorage.

13 Kaspersky KryptoStorage 1.0 2.3. Managing Licenses You must get and register a commercial license to make Kaspersky KryptoStorage fully functional. Note: With the activated trial license, you can use the full-featured Kaspersky KryptoStorage for 30 days. The password length is limited by 1 character. When trial license expires, the functionality of the product is partially limited. You can use the existing (protected) objects. Specifically, you can access your information and decrypt the data. But you cannot create new protected objects, or get technical assistance. You can manage licenses using the Kaspersky KryptoStorage manager. To run the Kaspersky KryptoStorage manager:

2. Inthe opened window, click Licenses.

14 Kaspersky KryptoStorage 1.0 This window contains a list of installed licenses and detailed information on each license: type, serial number, current status and validity period. To add a license to the list, click Add license... In the opened dialog window, specify the path to a license file and click Open Note: The added license must be given to the same user who owns all other licenses in the list. Otherwise you cannot add a license. To remove a license from the list, selectthe license and click Remove license. Note: You cannot remove the Trial license from the license list. Attention! Itis strongly not advised to remove the valid commercial license from the list. Otherwise the functionality of the Product will be limited in a way similar to the expired trial license. To get and install a license using an activation code, click Activate... Activating a license using an activation code is covered in Item 2.4 on Page 14. When you finish editing the list of installed licenses, click Exit to close the window. 2.4. Getting and Installing Licenses using an Activation Code You can use an activation code to get and install a license while installing the Product or after the Product is installed, when managing licenses (see Item 2.3 on Page 13). Attention! When using an activation code, your computer must be connected to the Internet to get a license from the license service. To get a license, type a product code consisting of five parts. Each part of the code contains five characters (Figure 2). The code contains digits (except zero) and upper-case English letters.

Figure 2 Activating the Product Then, in the customer information pane, specify your country. You can also specify your name and e-mail address as additional information. Click OK. After that the license is acquired and installed automatically. Attention! Only one license is given for each activation code. Keep your product activation code secret. Copy the license file to another hard disk or removable device. This copy will be needed to restore the System after a failure.

16 Kaspersky KryptoStorage 1.0 2.5. Updating the Product You can download updates of the Kaspersky KryptoStorage software product at http://www.kaspersky.com/downloads. To update the Product to a newer version, run the setup program of the update. Note: You cannot update an older version to an earlier version. To install an earlier version, you must first uninstall the existing version of the Product (see Chapter 6 on Page 45).

1. Select the necessary object (a folder, a container, or a volume) and right-

(see Figure 3). This menu item contains a submenu which depends on the type of object and whether the object is protected or not. Open Fkaspersky kryptoStorage + Open With. Send To » Cut Copy Create Shorteut Delete Rename Properties Figure 3 The Kaspersky KryptoStorage menu

18 Kaspersky KryptoStorage 1.0 To create a protected folder or container: Right-click any place in the opened folder or on the desktop and from the opened context menu select New > Kaspersky KryptoStorage Folder or New » Kaspersky KryptoStorage Container. 3.2. The Window of the Kaspersky KryptoStorage Manager To run the Kaspersky KryptoStorage manager, from the Start menu, select Programs > Kaspersky KryptoStorage > Kaspersky KryptoStorage. The window of the manager will be opened (Figure 4). 21x| L'Encrypt data Create a pratected folder. | Encrypt volume. | Create a protected container. -KryptoStorage subsystems Protected volumes: Running Autorun M Protected containers: Running Autorun Protected Folders: Running Autorun M Object attachment settings F after attaching, use Explorer to open the object in a new window :] 30 days) remaining iskrecovery Figure 4 The manager window

19 Kaspersky KryptoStorage 1.0 With the manager you can: + Create protected folders (Item 4.1.1 on Page 21) e Create protected containers (Item 4.2.1 on Page 25) e _ Encrypt volumes (Item 4.3.2 on Page 33) e _ Configure subsystems (Chapter 5 on Page 42) + Use Explorer to open the object in a new window after attaching + Manage licenses and activate the product (see Item 2.3 on Page 13) + Recover disks (Item 4.3.10 on Page 39)

OBJECTS This chapter describes how to use the following protected objects: + Protected folders (Item 4.1 on Page 20). + Protected containers (Item 4.2 on Page 25). + Protected hard disk volumes and removable media (see Item 4.3 on Page 31). 4.1. Protected Folders You can create a protected folder only if the following conditions are met: . You can use the protected folders if Kaspersky KryptoStorage is installed on the computer and the Protected folders subsystem is running (for more information about the subsystem, see Chapter5 on Page 42). The subsystem is running by default. A device (a hard disk or a removable media) where you create a protected folder must be write-enabled. The user who creates the protected folder must have privileges for creating folders. A protected folder can be created only in the NTFS file system. + You cannot create a new Kaspersky KryptoStorage folder inside of another Kaspersky KryptoStorage folder. A protected folder cannot be created in an EFS-protected folder (an encrypting file system, which is included into the Microsoft Windows OS); + A folder must have a full name which does not exceed 255 characters.

4.1.1. Creating a Folder

Attention! Before starting, read about the specific features of creating protected folders {Item 4.1 on Page 20). You can create a protected folder on a hard disk or removable media. Moreover, a protected folder can be created inside of another protected object (a volume or protected container). Note: If a folder is created inside of any other protected object, you must attach this object prior to creating the folder. To create a protected folder:

1. Complete one of the following steps:

• _ Right-click any place in an opened folder or on the desktop and from the opened context menu select New » Kaspersky KryptoStorage Folder. *< Run the Kaspersky KryptoStorage manager: from the Start menu select Programs D» Kaspersky KryptoStorage> Kaspersky KryptoStorage. In the opened window of the manager, click Create a protected folder. After that, the Create protected folder dialog window will be displayed {Figure 5).

y KryptoStorage | Select folder [E:i0ocuments and SettingsiAdministratar {My Documents\ [Protected folder name: [New kaspersky kryptoStorage Folder Password Password I Figure 5 Creating a protected folder

2. Inthis window, specify parameters for the created protected folder:

+ Select folder. Select a folder in which the protected folder will be located. By default, if the protected folder in created using the Explorer context menu, then the folder of the menu is specified, if the folder is created using the manager, the My Documents folder of the current user's profile is specified. You can specify different folders. Protected folder name. Specify the name of the protected folder. Note: While using the protected folders, you can change the names of the folders using the tools of the operating system. °< Password, Confirm, Password hint. Specify a password to access the protected folder and a hint for your password (optional). You will need these parameters to access the folder. Note: See password and hint recommendations in Item 1.4 on Page 8.

A protected folder is created. When the folder is created, it is attached and is ready for use.

4.1.2. Rules for Using Protected

Folders While using the protected folders, you must consider the following rules: All files and folders which are located inside a protected folder are encrypted and they are protected objects too. You can do any operations on a protected folder (reading, writing, renaming, archiving, removing and etc.) only when the folder is attached. An attached folder can be accessed by any user or software who/which uses the same computer locally under the account of the user who attached the object. The System prohibits network access to protected folders Note: It is advised to detach a protected folder after you have finished using it. Copies and moved files and folders are protected only by the objects which they are placed inside. Note: Copies and moved files and folders are not protected when they are placed into objects which are not protected by the System. The System does not support the following operations on the protected folders and their contents: moving to the Recycle Bin, moving within one volume of files and folders which contain files. Note: If you move a folder which contains files within a volume, the source folder remains unchanged. An empty folder which has the same name as the source folder will be created in the target place. This folder is protected by the object which itis placed inside.

Kaspersky KryptoStorage 1.0 Some file managers, for example, Total Commander, can delete the source objects after copying if files or folders are moved within a volume. In this case you can move the objects, but the moved files and folders will be protected by the objects which they are placed inside. You can move unprotected folders containing protected subfolders within a volume to unprotected folders. In this case, protected objects do not have to be attached and at the same time their properties remain. An unprotected folder containing protected subfolders can be moved to the Recycle Bin if all protected objects are attached. Note: You can delete or restore a folder which is moved to the Recycle Bin. When restoring the folder, all protected objects of the folder will be attached. After you restart the computer or log off the system, you cannot delete the folder which is moved to the Recycle Bin but you can restore it. When restoring, all protected objects of the folder will be detached. With Microsoft Windows Vista and Microsoft Windows 7, you can delete the folder from the Recycle Bin after restarting the Windows or logging out. Total Commander cannot move an unprotected folder containing protected subfolders to the Recycle Bin.

4.1.3. Attaching Protected Folders

You can use a protected folder (reading, writing, renaming, copying, deleting and etc.) only ifthe folder is attached. To attach a folder:

Select a protected folder to attach. Right-click the selected folder and from the opened context menu select Kaspersky KryptoStorage » Attach folder. . In the opened dialog window, type the password to access the protected folder. . Click OK.

4.1.4. Detaching Protected Folders

When you detach a protected folder, the folder is transited to the state in which it cannot be used until you attach it again. Attention! Before detaching a folder, save all changes and complete using the folder. These steps are needed because some applications can retain access to the data until all operations with the data are completed. To detach a protected folder:

1. Select a protected folder to detach.

2. Right-click the selected object and from the opened context menu select

Kaspersky KryptoStorage » Detach folder. The System requires more time to detach several protected objects simultaneously. In some emergency situations, you may need to detach all protected objects simultaneously. For this purpose you must save the changes and restart or shut down the computer. After that, all protected objects will be detached. You can detach all protected folders by logging off the system. 4.2. Protected Containers A device (a hard disk or a removable disk) where you create a protected container must be write-enabled. The user who creates the container must have privileges for creating files Creating protected containers on CD/DVD disks is not supported. At the same time, you can use CD/DVD disks to store the created protected containers You can use the protected containers if Kaspersky KryptoStorage is installed on your computer and the Protected containers subsystem is running.

4.2.1. Creating a Container

Attention! Before starting, read about the specific features of creating protected containers (Item 4.2 on Page 25). You can create containers on a hard disk or removable media. Moreover, a protected container can be created inside other protected object (a volume, removable device, folder or protected container).

Kaspersky KryptoStorage 1.0 Note: If a container is created inside any other protected object, you must attach this object prior to creating the container. To create a container:

1. Complete one of the following steps:

• __Right-click any place in an opened folder or on the desktop and from the opened context menu select New > Kaspersky KryptoStorage Container. + Run the Kaspersky KryptoStorage manager: click Start and from the Start menu select Programs Kaspersky KryptoStorage> Kaspersky KryptoStorage. In the opened window of the manager, click Create a protected container... After that, the Create protected container dialog window will be displayed (Figure 6). KryptoStorage | Select folder [ C:\Documents and Settings\Administrator{|My Documents|, Browse... | Protected container name Container size (Mb) ——| | New Kaspersky KryptoStorage Container.kde

F Password Password | Figure 6 Creating a protected container

In this window, specify parameters for the created protected container: + Select folder. Select a folder in which the file of the protected container will be located. By default, if the container is created using the Explorer context menu, then the folder of the menu is specified, if the container is created using the window of the manager, the My Documents folder of the current user's profile is specified. You can specify different folders + Protected container name. The name and extension of the container file. The default extension of the container file name is .kde (when Kaspersky KryptoStorage is installed, the files with this extension are registered in the operating system as the Kaspersky KryptoStorage Containers). The operating system displays the files as the icon If you specify any other extension which is not registered in the operating system instead of .kde, the container file will be displayed as a file of unknown format. Notes: Attaching container files of the .kde extension somewhat differs from attaching container files of any other extension (see Item 4.2.4 on Page 28). While using these files, you can change the names and extensions ofthe containers using the tools of the operating system. + Container size. The size of the volume. The size is specified in megabytes + Password, Confirm, Password hint. Specify a password to access the protected container and a hint for your password (optional). You will need these parameters to access the container Note: See password and hint recommendations in Item 1.4 on Page 8. When all necessary parameters are specified, click OK. When the protected container is created, you will be asked to attach the container (Item 4.2.4 on Page 28) and format it (Item 4.2.5 on Page 30).

To prepare a container for use, you must:

1. Attach the container (Item 4.2.4 on P age 28)

2. Format the volume to which the protected container is attached

{Item 4.2.5 on Page 30).

4.2.3. Rules for Using Protected

Containers You can use the contents of a protected container only after the container is attached. Attention! You can attach and use the protected containers if Kaspersky KryptoStorage is installed on your computer and the Protected containers subsystem is running. An attached container is not protected and available to all users who work at this computer. Therefore, you must detach a protected object after you finish using it. While using a protected container, remember that all files and folders which are located inside the container are encrypted and they are protected objects too. However, if you move the objects outside the container, the objects become unprotected.

4.2.4. Attaching a Container

You can use the contents of a protected container only after the container is attached. To attach a protected container:

1. Select a protected container.

2. Right-click the selected container and from the opened context menu

select Kaspersky KryptoStorage > Attach container. Note: If the extension of a container file is .kde (displayed as the icon fi), you can attach the container by double clicking it.

3. In the opened dialog window, type the password to access the protected

container: + Mount point. Select a mount point for the protected container. A mount point can be a logical disk (you can specify any free character of volume). + Mount mode. Specify the parameters for attaching the container (grayed out if the container is not formatted yet): — Mount in read-only mode. If the check-box is selected, all contents of the protected container are available only for reading. Adding or deleting data are not permitted. Note: The check-box is selected automatically and cannot be cleared if the container file has the Read-only attribute. Microsoft Windows 2000 does not support the Read-only mode for the NTFS-formatted protected containers. — Mount as removable disk. By default, a protected container can be attached as a removable disk (it is displayed in the list of removable devices in My Computer). However, if you clear the check-box, the protected container is attached as a fixed disk (it is displayed in the fixed disk list in My Computer).

If you attach a container which has not been formatted yet, you will be asked to format the container. Click Yes to start the formatting (see Item 4.2.5 on P age 30).

4.2.5. Formatting a Container

Attention! While formatting a disk to which a protected container is attached, all data inside the container is deleted. A user of a protected container can format an attached container in a way similar to formatting of a disk. The container is formatted using the standard tools of Microsoft Windows. When specifying parameters for formatting, consider the following: e You should not attach the container in the read-only mode. + To format a container to FAT or FAT32 in Microsoft Windows 2000, you must attach the container as a removable disk (when attaching the container, select the Mount as removable disk check box). + If you do a full format, the file of a protected container will have the size specified while creating the container. ° If you do a quick format and select the FAT, FAT32 or exFAT file systems, the size of a protected container is minimized and it increases while you fill the container with data. This feature saves free disk space. + __lfyou do a quick format and selectthe NTFS file system, then the container file will have the size which you specify when creating the container. Note: Regardless of the formatting type, the size of a protected container which is mounted as a virtual disk is always equal to the size specified while creating the container. But the size of the container file can change. Attention! When using a container whose file size increases while you fill it with data, the volume containing the file of the protected container may run out of free space. In this case you will be asked to save data in another place. Ifthe volume where you want to save the data is not protected, the data will not be protected either. If you place the data to the protected area (on other protected volume or removable device), the data is protected as an object placed within a protected area.

Before detaching a container, you must complete all operations on objects of the container (files, folders, protected sub-containers). To detach a protected container:

1. Select a volume to which the protected container is attached or the file of

the protected container.

2. Right-click the selected object and from the opened context menu select

Kaspersky KryptoStorage » Detach container. The System requires more time to detach several protected objects simultaneously. In some emergency situations, you may need to detach all protected objects simultaneously. For this purpose you must save the changes and restart or shut down the computer. After that, all protected objects will be detached.

4.2.7. Protecting Containers from

Deletion A protected container is a standard file which can be deleted by any user. To prevent the unauthorized deletion of a protected container, you can place the container file into a protected folder or protected volume. Attention! This kind of protection requires the Kaspersky KryptoStorage system to be installed on your computer. 4.3. Protecting Disk Volumes and Removable Devices You can encrypt disk volumes (including the system and the boot volumes) and other Mass Storage devices Encrypted disk volumes and removable devices have the following features: e If you encrypt the system or the boot volume, you must authorize prior to loading the operating system to access the protected volume (for more details, see Item 4.3.7 on Page 37).

Kaspersky KryptoStorage 1.0 Moreover, if you encrypt the system volume of a hard disk using Kaspersky KryptoStorage, you protect the crash damp file as well as the RAM data which is saved to the system disk when the system hibernates. If you encrypt the system volume, you prevent the leak of confidential data through the system information which is saved on the hard disk You can use à protected disk or a removable device only if Kaspersky KryptoStorage is installed on the computer and the Protected volumes subsystem is running (see Chapter 5 on Page 42). If the subsystem is disabled, the unprotected data on an encrypted disk or a removable disk cannot be accessed. The operating system displays this volume as an unformatted volume or a volume containing errors. If the system and/or the boot volume of a hard disk is encrypted, the manager does not allow disabling the Protected volumes subsystem. It is not advised to use Kaspersky KryptoStorage on computers where several operating systems are installed, to protect the disk volumes which are used to load the installed operating systems. The System's data on all encrypted volumes of a physical media (physical hard disk, Flash disk, etc) is stored in the root directory of the first volume of the physical media in the iwcs.bin file. If the volume containing iwcs.bin is formatted or if iwcs.bin is removed, replaced or corrupted, you can lose access to all protected volumes of the physical media. If the Protected volumes subsystem is running on the computer where Kaspersky KryptoStorage is installed (see Chapter 5 on Page 42), the System protects the iwcs.bin file from removal or modification. Therefore, it is not advised to disable the Protected volumes subsystem if some volumes are encrypted. If you need to format the volume containing iwcs.bin, you must decrypt all volumes of the physical media, format the volume and then encryptthe volumes again. There are some limitations for encrypting disk volumes and removable disks: You can encrypt hard disk volumes and removable storages only if the sector size of a device is 512 bytes (the standard sector size of the majority of devices of this kind). Encrypting dynamic volumes is not supported. You can encrypt only local disks. Encrypting network disks is not supported. You cannot simultaneously encryptidecryptire-encrypt several volumes of a hard disk. But you can simultaneously use the volumes of different disks. You can encrypt the hard disk volume where Kaspersky KryptoStorage is installed only if the volume is the system or/and the boot volume.

33 Kaspersky KryptoStorage 1.0 + _ The encryption is allowed if the volume which you want to encrypt is write-enabled. ° _ You can start encrypting a removable disk if the removable disk is not used by any programs. You can use the files on the removable disk while the removable disk is being encrypted. In Windows 7, if you physically attach a protected removable USB device, the operating system reports that the device is not formatted and does not allow the access to the device till the device is attached by means of the System (see Item 4.3.8 on P age 38). *< The System does not support the direct encryption of CD/DVD disks. At the same time, you can use CD/DVD disks to store protected containers (see Item 4.2 on Page 25).

4.3.1. Specific Features of Using Hard

Disk Management Utilities Some utilities allow you to change the size of disk volumes. Do not change sizes of hard disk volumes protected with Kaspersky KryptoStorage. It may lead to data loss If you need to change the size of a volume, you must first decrypt all protected volumes, reallocate free disk space and then encrypt the volumes again.

4.3.2. Encrypting Disk Volumes and

Removable Disks Attention! Before encrypting, read about the rules of encrypting disk volumes and removable devices (see item 4.3 on Page 31). Disk volumes and removable devices are encrypted in the background mode. Consequentiy, you can continue using the device while the encryption process is running. If necessary, the encryption process can be interrupted (Item 4.3.3 on Page 35). You can resume the encryption later (see Item 4.3.4 on P age 36), or cancel it (see Item 4.3.5 on Page 36).

34 Kaspersky KryptoStorage 1.0 Note: When a computer hibernates or goes into Standby mode, the encryption process is automatically interrupted. After the computer returns from Hibernation or Standby mode, you can resume the encryption or cancel it. To encrypt a disk volume or a removable disk:

1. Complete one of the following steps:

e In the Explorer, select an object (a volume of a hard disk or a removable disk) to encrypt. Right-click the selected object and from the opened context menu select Kaspersky KryptoStorage > Encrypt volume. *< Run the Kaspersky KryptoStorage manager: from the Start menu select Programs D» Kaspersky KryptoStorage> Kaspersky KryptoStorage. In the opened window select Encrypt volume. specify a volume which must be protected and click OK. As the result, the dialog window Encrypt volume will be displayed {Figure 8). C4Encrypt volume persky KryptoStorage r Volume name

| Password Figure 8 Protecting a volume

After that, the System starts encrypting the object. From this moment the volume (removable disk) is a protected object. Attention! If the system and/or the boot volume is encrypted, then you must be authorized prior to loading the operating system (for more details, see Item 4.3.7 on Page 37). Authorization is required every time you start or restart the computer and also when the computer returns from hibernation or Standby mode

4.3.3. Interrupting Encryption

In some cases you may need to interrupt the encryption manually or the encryption is interrupted due to a fatal error (for example, when the computer's power is unexpectedly tumed off). You can resume the encryption later. Attention! A volume (a removable disk) is a protected object regardless of whether it is fully protected or partially. Consequently, if you interrupt the encryption, you can use the volume (or the removable device) only after attaching it (successful authorization). At the same time, if the encryption is not completed some data on the volume remains unencrypted. To interrupt the encryption process:

1. Select an object which is being encrypted.

2. Complete one of the following steps:

+ _Inthe dialog window displaying progress of the encryption, click Stop.

• _Right-click the selected object and in the opened context menu select Kaspersky KryptoStorage » Stop.

3. In the opened dialog window, type the Password to access the protected

object. Click OK. The encryption process is interrupted. The protected disk (removable device) remains attached and you can continue using it.

4.3.4. Resuming Encryption

An object is safely protected only after the encryption process is completed. If you interrupt the encryption for some reason, some data remains unprotected. You can continue encrypting using a special function. To resume the encryption:

1. Select an object which is partially encrypted.

2. Ifnecessary, attach the protected object (Item 4.3.8 on Page 38).

3. Right-click the selected object and from the opened context menu, select

Kaspersky KryptoStorage » Continue volume encryption.

4. In the opened dialog window, type the Password to access the protected

object. Click OK. The encryption process resumes. The protected disk (removable device) remains attached and you can continue using it.

4.3.5. Rolling back to the Unencrypted

State If you interrupt the encryption, you can cancel it and roll the object back to the unprotected state. To cancel the encryption and roll back to the unprotected state:

1. Select an object which is partially encrypted.

2. Ifnecessary, attach the protected object (Item 4.3.8 on Page 38).

3. Right-click the selected object and from the opened context menu select

Kaspersky KryptoStorage » Rollback volume encryption

4. In the opened dialog window type the Password to access the protected

object. Click OK. After that, the roll back process starts. The protected disk (removable device) remains attached and you can continue using it.

4.3.6. Decrypting Objects

This operation is available only if the object (a disk volume or a removable device) is attached (for more information about how to attach a protected object, see Item 4.3.8 on P age 38). Note: You can decrypt only one volume of a physical disk. Several protected volumes are decrypted one-by-one. To decrypt an object:

1. Select an object to decrypt.

2. Right-click the selected object and from the opened context menu select

Kaspersky KryptoStorage » Decrypt volume.

3. In the opened dialog window, type the Password to access the protected

object. Click OK. Disk volumes and removable devices are decrypted in the background mode. Consequentiy, you can continue using the volume while the decryption process is running. If necessary, you can interrupt the decryption. The canceling of the decryption process is identical to the canceling encryption (Item 4.3.3 on Page 35). Decryption can be resumed later. Resuming decryption is identical to resuming encryption (Item 4.3.4 on Page 36). Moreover, you can cancel the decryption and roll the object back to the previous state. The procedure of rolling back is identical to rolling back to the unencrypted state (Item 4.3.5 on P age 36). After you cancel the decryption, the object remains encrypted

4.3.7. Starting up Using Protected

System Volume and/or Boot Volume If a system and/or a boot volume is protected with Kaspersky KryptoStorage, you must attach the volume to load the operating system. To attach a protected volume, you must be authorized prior to loading the system. To attach a protected system and/or boot volume: type your Password to access the protected object.

38 Kaspersky KryptoStorage 1.0 Note: If the system and the boot volumes are located on different volumes on your computer and the both volumes are protected, you must attach each volume. After that, a user must be authorized. If the authorization is successful the operating system, installed on a protected volume, starts up. Note: If you type an incorrect password while authorizing, the System displays the notification that the password is incorrect and a password hint, if you specified it while selecting the password. You will be asked to type your password again. If you have not specified the password hint, you must restart the computer using the <CTRL+ALT+DEL> key combination to repeat the authorization.

4.3.8. Attaching the Protected

Volumes of Hard Disks and Removable Devices You can use a protected volume (reading, writing, renaming, copying, deleting and etc.) only ifthe object is attached. To attach a protected volume of a hard disk or a removable storage:

1. Select a protected volume to attach.

2. Right-click the selected object and from the opened context menu select

Kaspersky KryptoStorage Attach volume.

3. In the opened dialog window, type the password to access the protected

volume. Click OK. If the object is attached, it is not protected and available to all users who use this computer. Therefore, itis advised to detach the object after using it.

Volumes of Hard Disks and Removable Devices When you detach a protected object, the object is transited to the state in which it cannot be used until you attach it again. Attention! Before detaching an object, save all changes and finish using the object. You cannot detach a protected system and/or boot volume while using it. To detach a protected volume of a hard disk or a removable storage:

1. Select a protected object (a disk volume or a removable storage) to

2. Right-click the selected file or folder and from the opened context menu

select Kaspersky KryptoStorage > Detach volume. The System requires more time to detach several protected objects simultaneously. In some emergency situations, you may need to detach all protected objects simultaneously. For this purpose you must save the changes and restart or shut down the computer. After that, all protected objects (including the system and/or the boot volumes) will be detached.

4.3.10. Disk Recovery

Attention! You must have administrator rights to the computer to use the disk recovery feature. From the window of the Kaspersky KryptoStorage manager, you can access a feature which cleans the space on a hard disk, Flash drives, USB mass storage devices used by protected volumes when the access to the volumes cannot be recovered: You may need to delete the data on a protected volume without decrypting it, when: + You have lost the access keys to the protected volume and consequentiy cannot attach or decryptit.

40 Kaspersky KryptoStorage 1.0 + The protected volume is formatted without using Kaspersky KryptoStorage and its subsystem Protected volumes. As a consequence, all of the data of this volume is lost, but the record made by the System that the volume exists on the disk still remains. You can access this volume on a computer where Kaspersky KryptoStorage is installed and the Protected volumes subsystem is running after you delete the information about protection. For example, you may need to access the volume if unencrypted data is written to the volume after the volume has been formatted. e The size of a protected volume is changed (see Item 4.3.1 on Page 33). As a consequence, the size allocated by the System does not correspond to the real size of the protected volume. You cannot access the abovementioned protected volumes, if the Protected volumes (see Chapter 5 on Page 42) subsystem is running on a computer where Kaspersky KryptoStorage is installed. Moreover, the space allocated for the volumes on a disk cannot be used. With the feature, you can make this space available for use including for use by Kaspersky KryptoStorage. You must complete the following steps before using the recovery feature:

1. Complete all operations on encrypting, re-encrypting and decrypting

volumes of the physical disk.

2. Detach the protected volumes of the physical disk whose information you

want to delete from the System using the recovery feature. Attention! Be attentive when selecting a protected volume. After the System's information about the protected volume is deleted, the data on this volume cannot be decrypted. Therefore, if the volume is encrypted, it will look like an unformatted volume. To make the disk space used by a protected volume available:

3. In the Disk recovery window, select a protected volume to delete

System's information about it. Right-click the selected volume and from the opened context menu select Delete information about encrypted area.

41 Kaspersky KryptoStorage 1.0 4.4. Wiping Protected and Unprotected Objects Files and folders which you delete with the standard operations can be restored using special utilities. Consequentiy, the data stored in the deleted object can be accessed by unauthorized persons. This problem is solved by wiping. Wiping is available both for protected and unprotected objects Attention! When a folder is wiped, its subfolders and all files in its subfolders will be deleted A protected folder can be wiped only after attaching. A protected container can be wiped only after detaching. To wipe a file or folder:

1. Select an object (a file, folder or protected container) to wipe.

2. Right-click the selected object and from the opened context menu select

Kaspersky KryptoStorage > Wipe.

3. In the opened confirmation window click Yes.

SUBSYSTEMS Kaspersky KryptoStorage consists of three subsystems which protect objects of specific types. The purposes of the subsystems are described in the table. Subsystem Purpose Protects volumes of à hard disk and Protected volumes removable devices Creates protected containers, allows Protected containers for the use of the protected containers Creates protected folders, allows for Protected folders the use of the protected folders The Kaspersky KryptoStorage manager is intended to configure the subsystems included in Kaspersky KryptoStorage. To open the window of the Kaspersky KryptoStorage manager, from the Start menu, select Programs D Kaspersky KryptoStorage> Kaspersky KryptoStorage The window containing data on the Kaspersky KryptoStorage subsystems which are installed on your computer is displayed (Figure 9)

43 Kaspersky KryptoStorage 1.0 Cäkaspersky kryptoStorage ?1x| y KryptoStorage rEncrypt data Create a pratected folder. | Encrypt volume. | Create a protected container… | -KryptoStorage subsystems Protected volumes: Running Autorun M Protected containers: Running Autorun Protected folders: Running Autorun Object attachment settings F after attaching, use Explorer to open the object in a new window icense: 30 day(s) remaining iskrecovery Figure 9 Configuring Kaspersky KryptoStorage subsystems To the right of the subsystem's name there is the Autorun field. If the check-box in the field is selected, the autorun of the subsystem is enabled. After Kaspersky KryptoStorage is installed, the autorun option is enabled for all subsystems. However, you can change the autorun parameters of each subsystem: + to disable autorun, clear the Autorun check-box; < to enable autorun, selectthe Autorun check-box. Note: The autorun settings come into effect after you restart the computer. When disabling the autorun option of the subsystems, you must consider the operating specifics of the Kaspersky KryptoStorage subsystems. The table describes the consequences which arise from disabling the subsystems.

Kaspersky KryptoStorage 1.0 Subsystem The result of disabling the subsystem Protected volumes The operating system identifies protected volumes as unformatted volumes. The contents are encrypted. The functions of the System for using disk volumes and removable devices are not available. Note: You cannot disable the subsystem if the system and/or the boot volumes are protected. Protected containers The contents of protected containers cannot be used. The contents are encrypted. The functions of the System for using the protected containers are not available Protected folders The protected files and folders in these folders can be deleted from the computer by any user. The contents of files are encrypted; you can view only the structure of subfolders. The functions of the System for using protected files and folders are not available.

KASPERSKY KRYPTOSTORAGE If Kaspersky KryptoStorage is uninstalled it means that all subsystems are disabled for all protected objects (see Chapter 5 on Page 42): + The protected files and folders in these folders can be deleted from the computer by any user. The contents of files are encrypted; you can view only the structure of subfolders < The containers remain protected, but you cannot use them because the containers cannot be attached < The disk volumes and removable devices remain protected. However, you cannot access the data stored on the devices because they cannot be attached Attention! The operating system displays these objects as the unformatted objects and when you try to access a protected object, you are prompted to format the objects. Once the object formatting is done all data is deleted. Therefore, if the object contains important data, you must cancel the formatting. The System must not be removed if the system and/or the boot volume of hard disk is protected. If you uninstall the System, the operating system cannot be loaded and consequently the data stored on the disk cannot be accessed Before uninstalling the System, complete the preliminary steps: ° _ Decrypt the system and/or the boot volumes, non-system volumes and removable disks.

• Attach the protected containers and folders and copy the contents of these containers and folders to unprotected hard disks and removable media. Attention! You must have administrator rights to the computer to uninstall Kaspersky KryptoStorage. Kaspersky KryptoStorage is uninstalled using Microsoft Windows standard tools.

1. Open the Add or Remove programs tool. To do this, from the Start

menu select Settings > Control Panel. In the control panel, double-click the Add or Remove Programs icon.

2. In the Add or Remove Programs window, select Kaspersky

KryptoStorage and click Remove. You must restart the computer to finish uninstalling the System

Confidential data The data with restricted access. Confidential data can be accessed by the users on a need-to-know basis. Kaspersky KryptoStorage A system which is intended to cryptographically protect confidential information stored on a user's computer from unauthorized access. Password A combination of characters which is used to access the contents of a protected object. A user must keep the password secret. Protected container A file of a specific format which is displayed by the System as a virtual volume. Data is located in the file. Protected object Protected objects are any objects which are intended for storing data and are encrypted with Kaspersky KryptoStorage. Protection of information Preventive measures to limit access of users (user groups) to information. Transparent encryption A mechanism which enables storage of information in the encrypted form inside of a protected object. The protected data is processed in the following way: the data is automatically decrypted in RAM when requested and the uploaded data is encrypted Wiping of an object A function of wiping files and folders which deletes the name of an object from the file system as well as wipes the contents of the deleted object.

INFORMATION B.1. Contact Us If you have any questions, comments, or suggestions, please refer them to one of our distributors or directly to Kaspersky Lab. We will be glad to assist you in any matters related to our product by phone or via email. Rest assured that all of your recommendations and suggestions will be thoroughly reviewed and considered Please find the technical support information at Technical support http://support.kaspersky.com/ Helpdesk: http://support.kaspersky.com/helpdesk WWW: http://www.kaspersky.com E-mail: info@ kaspersky.com General information B.2. License for the Windows Installer XML (WiX) Library Kaspersky KryptoStorage uses the Windows Installer XML (WiX) 3.0 library, Copyright (c) 2005-2008 Microsoft Corporation under the license CPL 1.0 Distribution kit: http://sourceforge.net/projects/wix/ This Appendix contains the license text for Windows Installer XML (WiX) Library version 3.0 Copyright (c) 2005-2008 Microsoft Corporation. Note: The license text is copied from the source: http://www.opensource.org/licenses/cpl1.0.php.

RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.

"Contribution" means: a) in the case of the initial Contributor, the initial code and documentation distributed under this Agreement, and b) in the case of each subsequent Contributor:

i) changes to the Program, and

äi) additions to the Program; where such changes and/or additions to the Program originate from and are distributed by that particular Contributor. A Contribution ‘originates' from a Contributor if it was added to the Program by such Contributor itself or anyone acting on such Contributor's behalf. Contributions do not include additions to the Program which: (i) are separate modules of software distributed in conjunction with the Program under their own license agreement, and (ii) are not derivative works of the Program. "“Contributor" means any person or entity that distributes the Program. "Licensed Patents " mean patent claims licensable by a Contributor which are necessarily infringed by the use or sale of its Contribution alone or when combined with the Program. "Program" means the Contributions distributed in accordance with this Agreement. "Recipient" means anyone who receives the Program under this Agreement, including all Contributors.

a) Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, distribute and sublicense the Contribution of such Contributor, if any, and such derivative works, in source code and object code form.

Kaspersky KryptoStorage 1.0 b) Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free patent license under Licensed Patents to make, use, sell, offer to sell, import and otherwise transfer the Contribution of such Contributor, if any, in source code and object code form. This patent license shall apply to the combination of the Contribution and the Program if, at the time the Contribution is added by the Contributor, such addition of the Contribution causes such combination to be covered by the Licensed Patents. The patent license shall not apply to any other combinations which include the Contribution. No hardware per se is licensed hereunder. c) Recipient understands that although each Contributor grants the licenses to its Contributions set forth herein, no assurances are provided by any Contributor that the Program does not infringe the patent or other intellectual property rights of any other entity. Each Contributor disclaims any liability to Recipient for claims brought by any other entity based on infringement of intellectual property rights or otherwise. As a condition to exercising the rights and licenses granted hereunder, each Recipient hereby assumes sole responsibility to secure any other intellectual property rights needed, if any. For example, if a third party patent license is required to allow Recipient to distribute the Program, it is Recipients responsibility to acquire that license before distributing the Program. d) Each Contributor represents that to its knowledge it has sufficient copyright rights in its Contribution, if any, to grant the copyright license set forth in this Agreement.

A Contributor may choose to distribute the Program in object code form under its own license agreement, provided that: a) it complies with the terms and conditions of this Agreement; and b) its license agreement:

i) effectively disclaims on behalf of all Contributors all warranties and

conditions, express and implied, including warranties or conditions of title and non-infringement, and implied warranties or conditions of merchantability and fitness for a particular purpose; üi) effectively excludes on behalf of all Contributors all liability for damages, including direct, indirect, special, incidental and consequential damages, such as lost profits;

ii) states that any provisions which differ from this Agreement are offered

by that Contributor alone and not by any other party; and

iv) states that source code for the Program is available from such

Contributor, and informs licensees how to obtain it in a reasonable manner on or through a medium customarily used for software exchange.

51 Kaspersky KryptoStorage 1.0 When the Program is made available in source code form: a) it must be made available under this Agreement; and b) a copy of this Agreement must be included with each copy of the Program. Contributors may not remove or alter any copyright notices contained within the Program. Each Contributor must identify itself as the originator of its Contribution, if any, in a manner that reasonably allows subsequent Recipients to identify the originator of the Contribution

4. COMMERCIAL DISTRIBUTION

Commercial distributors of software may accept certain responsibilities with respect to end users, business partners and the like. While this license is intended to facilitate the commercial use of the Program, the Contributor who includes the Program in a commercial product offering should do so in a manner which does not create potential liability for other Contributors. Therefore, if a Contributor includes the Program in a commercial product offering, such Contributor ("Commercial Contributor") hereby agrees to defend and indemnify every other Contributor ("Indemnified Contributor') against any losses, damages and costs (collectively "Losses") arising from claims, lawsuits and other legal actions brought by a third party against the Indemnified Contributor to the extent caused by the acts or omissions of such Commercial Contributor in connection with its distribution of the Program in a commercial product offering. The obligations in this section do not apply to any claims or Losses relating to any actual or alleged intellectual property infringement. In order to qualify, an Indemnified Contributor must: a) promptly notify the Commercial Contributor in writing of such claim, and b) allow the Commercial Contributor to control, and cooperate with the Commercial Contributor in, the defense and any related settlement negotiations. The Indemnified Contributor may participate in any such claim at its own expense. For example, a Contributor might include the Program in a commercial product offering, Product X. That Contributor is then a Commercial Contributor. If that Commercial Contributor then makes performance claims, or offers warranties related to Product X, those performance claims and warranties are such Commercial Contributor's responsibility alone. Under this section, the Commercial Contributor would have to defend claims against the other Contributors related to those performance claims and warranties, and if a court requires any other Contributor to pay any damages as a result, the Commercial Contributor must pay those damages

52 Kaspersky KryptoStorage 1.0

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON- INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely responsible for determining the appropriateness of using and distributing the Program and assumes all risks associated with its exercise of rights under this Agreement, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and unavailability or interruption of operations.

6. DISCLAIMER OF LIABILITY

CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST

If any provision of this Agreement is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this Agreement, and without further action by the parties hereto, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable. IfRecipient institutes patent litigation against a Contributor with respect to a patent applicable to software (including a cross-claim or counterclaim in a lawsuit), then any patent licenses granted by that Contributor to such Recipient under this Agreement shall terminate as of the date such litigation is filed. In addition, if Recipient institutes patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Program itself (excluding combinations of the Program with other software or hardware) infringes such Recipients patent(s), then such Recipient's rights granted under Section 2(b) shall terminate as ofthe date such litigation is filed.

53 Kaspersky KryptoStorage 1.0 All Recipients rights under this Agreement shall terminate if it fails to comply with any of the material terms or conditions of this Agreement and does not cure such failure in a reasonable period of time after becoming aware of such noncompliance. If all Recipient's rights under this Agreement terminate, Recipient agrees to cease use and distribution of the Program as soon as reasonably practicable. However, Recipients obligations under this Agreement and any licenses granted by Recipient relating to the Program shall continue and survive. Everyone is permitted to copy and distribute copies of this Agreement, but in order to avoid inconsistency the Agreement is copyrighted and may only be modified in the following manner. The Agreement Steward reserves the right to publish new versions (including revisions) of this Agreement from time to time. No one other than the Agreement Steward has the right to modify this Agreement. IBM is the initial Agreement Steward. IBM may assign the responsibility to serve as the Agreement Steward to a suitable separate entity. Each new version of the Agreement will be given a distinguishing version number. The Program (including Contributions) may always be distributed subject to the version of the Agreement under which it was received. In addition, after a new version of the Agreement is published, Contributor may elect to distribute the Program (including its Contributions) under the new version. Except as expressly stated in Sections 2(a) and 2(b) above, Recipient receives no rights or licenses to the intellectual property of any Contributor under this Agreement, whether expressly, by implication, estoppel or otherwise. All rights in the Program not expressly granted under this Agreement are reserved This Agreement is governed by the laws of the State of New York and the intellectual property laws of the United States of America. No party to this Agreement will bring a legal action under this Agreement more than one year after the cause of action arose. Each party waives its rights to a jury trial in any resulting litigation.