IceLock is an encryption based service that enables select data on individual machines of an organization to be encrypted (AES 256) such that only the user can access the data. Along with the autonomous agent that is loaded onto the target laptops (and therefore provides encryption protection whether the laptop is online of offline) IceLock includes a Web-based service where the organization's security admins can setup keys for individual users, as well as remotely disable access to a laptop's data (if the laptop is stolen/lost, the employee is fired, etc.).

In brief, the security administrator first registers on the HyBlue site and downloads the initial customer configuration application, which enables them to generate their own master customer-specific private key (which only they know; HyBlue personnel do not see or know this key), as well as public/private key pairs for use on each laptop to be protected. The administrator then registers the laptops that will be used with the service on the HyBlue site, and installs on them the agent software that will perform and automate the data encryption. This agent then creates a virtual drive on the laptop (usually represented as I:) into which the user can place files for automated encryption/decryption as needed.

Various parameters of the platform can be configured, including what files/directories will be encrypted into the virtual drive, whether a secondary "IceLock" password will be required of the user when they access the encrypted drive, how many failed login attempts cause the destruction of the laptop encryption key (making the data inaccessible), among others. The vendor states that access to the laptop-specific encryption key is itself protected via several factors, including the user's passwords as well as machine specific information (so that if the disk is removed and installed in a different machine the data will not be accessible). Further, the vendor states that the agent is aware of state changes of the laptop--such as going to screen saver or to sleep mode--and will automatically remove/overwrite the encryption key in RAM memory, forcing a re-authentication when the machine is re-activated and preventing certain types of memory scanning attacks. The IceLock system encrypts only selected files and folders and not the entire hard drive; thus the Windows swapfile itself is not encrypted. In response to this, the vendor offers a utility that will automatically clear the Windows swapfile on poweroff, if desired.

The hosted service-based feature of the product also enables check-in capabilities such that the laptop must connect to the service (through the Internet) within a configurable time period or access to the data will be disabled. This feature also allows the administrator to remotely lock out the data on the laptop in the event it is stolen/lost or the employee is fired; I.E., the administrator can mark the machine as disabled and when it does check-in to the online service it will see the flag and destroy the access key and/or the data at the administrator's discretion. The customer's Security Administrator can regenerate the keys for a specific laptop as needed, using the customer-specific private key they generated during their initial configuration.

The product is initially available for Windows XP/Vista laptops, with Mac OS X versions expected to be available "later in 2008." Initial pricing ('till July 1, 2008) is $49.95 per year per computer.

Visit the HyBlue Web site for further information.