Protecting Design and Commercial Secrets when on the Move

A Major Aeronautical Manufacturer looks to keep Industrial and Commercial Espionage at bay


This Aeronautical Manufacturer has identified two categories of employees who are called upon regularly to travel around the world with confidential data such as design data or sensitive commercial information: maintenance technicians and sales engineers.


Data security on workstations must be assured in the event of theft or of the hard disk being copied without the knowledge of the user (e.g., device deposited in a hotel safe).
There are different types of workstations: high-end laptops, 2-in-1 tablets (Surface Pro type), and ruggedized touchscreen tablets for workshop environments.

VPN access to network shares must guarantee that users possess, in addition to Windows access rights, the Right-to-Know. The security team demands that any workstation taken off company premises must be fully encrypted. Workstations are prepared by the security team technicians, and fully encrypted before being handed over to users.
To guarantee a high security level, a cryptographic token must be used for containing the user access key. This token was already used inside the company for Windows identification.


The client deployed CRYHOD and ZONECENTRAL on the ruggedized tablets of the operators and the high-end laptops of the sales fleet. The PRIM’X products make it possible to interface with any type of token, and a certificate dedicated to the encryption operations was added to the token already used in production.

A security team technician prepares the workstation and encrypts it with CRYHOD. The technician then adds the cryptographic access of the end user before personally handing over the fully encrypted workstation.
The encrypted data are:

  • the workstation partitions,
  • the network shares accessed via the VPN.

For a better user experience, the cryptographic context is shared between
CRYHOD and ZONECENTRAL, thereby avoiding having to enter redundant PINs. Users enter their token PIN only once when starting up the device, in order to work on their sensitive encrypted data.


IT SERVICES: Remotely distributed deployment on the CRYHOD and ZONECENTRAL workstations.
USERS: Single entry of token PIN code when starting up the workstation.
SECURITY DEPT: Generation of one encryption certificate per user.


CRYHOD and ZONECENTRAL share the cryptographic context and facilitate the user experience, both in everyday usage and in the case of cryptographic access renewal operations.

Next steps

The client would like to extend the CRYHOD solution to on-call IT operators by distributing to them Windows To Go sticks encrypted with Cryhod To Go. The purpose is to replace loaned laptops with encrypted bootable USB sticks, which cost less.