Public authorities, federal armed forces, social services, church institutions as well as companies holding classified information equally record a growing demand for home office or mobile workplaces. Be it the flexibilization of working hours and working place, international activities or the creation of emergency workstations, the requirements are always similar: Equipping as many users as possible on a limited budget and with little effort, but with high demands on data protection and data security.

The new, BSI-certified ECOS SECURE BOOT STICK [SX] allows for the first time to access data or applications classified with secrecy level VS-NfD from any private PC or Mac.

How Does the Stick Work?

The ECOS SECURE BOOT STICK [SX] allows a highly secure access to a terminal server infrastructure, a virtual desktop infrastructure or web applications from within a secure and encapsulated environment through the BSI-certified genua genuscreen gateway. With this stick, any PC or Mac boots the specially-hardened ECOS Secure Linux operating system. The internal hard drive stays disconnected, so potential malware on the computer can't even be activated. This ensures a 100% separation of corporate from private use of the PC. The stick contains all firmware and applications required. The private PC is thus only a private peripheral.

[Bitte in "Englisch" übersetzen:] Workflow ECOS Secure Boot Stick

Click on the + symbol and learn how the ECOS SECURE BOOT STICK can help you achieve your goals.

  • Technology

    Easy Implementation and Administration

    The ECOS SECURE BOOT STICK [SX] terminates at an existing IPsec VPN gateway. If the stick is operated in a BSI-authorized environment, genua genuscreen is mandatory as VPN appliance.
    ECOS Easy Enrollment allows to roll out a large number of accesses in a very short time. All users receive identically pre-configured sticks. The personal smartcards, through which the sticks get their personal configuration, are issued by the central management. The central management also allows to centrally administrate and remotely update all sticks.


    Maximum Compatibility

    The implementation of private end devices increases compatibility requirements. The ECOS SECURE BOOT STICK therefore contains drivers for all popular PCs and Macs. This includes graphics drivers, drivers for LAN, WLAN, UMTS and LTE, as well as a browser for hotspot login. The stick contains the clients required for a highly secure access to Microsoft Terminal Server, Citrix (XenApp and XenDesktop), VMware Horizon (RDP, PCoIP or BLAST), PCs with remote desktop sharing and web applications. For international use, the stick contains keyboard drivers for more than 90 languages and countries.




    Design of the stick

    ECOS SECURE BOOT STICK [SX] divides into two drives. While the first drive contains all the components required for a highly secure access to the infrastructure, the second drive can be used as encrypted data safe. Provided the respective user possesses the required privileges, documents from a server session can thus be stored in the data safe for offline editing. The data safe works as regular drive under Windows and MacOS X after inserting the smartcard and entering the PIN.

    The first drive divides into different partitions too. The bootloaders for UEFI and BIOS, kernel, firmware and all applications are stored on their respective partitions. There is an additional, encrypted partition for access information, rights and user settings.


    Protection by Smartcard

    Protection by SmartcardECOS SECURE BOOT STICK [SX] contains an integrated reader for smartcards in SIM card format ID-000. The smartcard acts as possession component of a strong multi-factor authentication. All processes, be it the rollout, the login to gateway or the stick update, are secured by smartcard. PC-/SC- forwarding allows to use the smartcard for additional functions, for example signing, encrypting or Windows smartcard logon.


    Central Management

    The ECOS SYSTEM MANAGEMENT APPLIANCE allows to centrally administrate and update all accesses. It is thus possible to define very granularly which destination systems users or user groups have access to, who is authorized to store data from a session in the data safe or another shared device, and who is authorized to print documents at home. The System Management Appliance can be coupled with the Active Directory or other directory services and thus synchronize users and rights. The ECOS SYSTEM MANAGEMENT APPLIANCE contains its own CA to issue certificates or roll out and administrate smartcards, but it can also be coupled with an existing PKI. Sticks can be issued, renewed or revoked through the token Lifecycle Management and Easy Enrollment, both part of the management appliance. If a stick gets lost, its access can be blocked centrally and its lifetime license can be transferred to a replacement stick. Additionally, the system management appliance offers a detailed reporting feature with a broad range of pre-defined reports and a report editor that allows to issue and store various evaluations. The ECOS SYSTEM MANAGEMENT APPLIANCE is a virtual appliance, operable under VMware, Microsoft Hyper-V, Citrix XenServer, Oracle Virtualbox or Linux KVM.


  • Security

    The ECOS SECURE BOOT STICK [SX] features the cascading of various security measures to offer maximal protection against all kinds of threat scenarios.


    Protection against Infected PC

    Since the guest PC boots within an encapsulated and hardened Linux environment, no potential malware can be activated on the internal drive. Furthermore, the ECOS Secure Linux Operating System takes control of the connected hardware, so even BIOS or UEFI malware will pose no threat.


    Protection against Spying

    A strong multi-factor authentication is the basis of a secure user authentication. Therefore, the login to the gateway and the access to the data safe do not only require the knowledge of the personal PIN, but also the attached smartcard and the respective ECOS SECURE BOOT STICK. The end device is connected to the gateway through a secured VPN connection that will be only be established after the successful authentication. All relevant parts of the firmware are stored on a write-protected partition to protect the stick against potential Trojans on websites, for example at hotspot logon. Moreover, all parts of the firmware and the applications are digitally signed to prompt the immediate shutdown of the computer in case of any manipulation.


    Protection against Online Attacks

    ECOS Secure Linux is a lean operating system that only includes the components required to run the solution. Potential security gaps are thus significantly reduced right from the start. Besides, the operation system has been specially hardened and compiled to meet the highest security requirements. ECOS SECURE BOOT STICK [SX] provides its own firewall as protection against attacks within the same network – be it from hackers or an infected PC. The firewall blocks all TCP/IP and ping requests, so a potential attacker, for example in the same hotel, train or any other location where you share a network with unknown people, will not even be able to detect the computer.


    Protection against Manipulation

    The write protection of the entire firmware and applications combined with encrypted firmware and configuration data ensures a high security level.  Moreover, all data and programs are digitally signed. In a »chain of trust« process, bootloader, kernel and applications verify each other in a permanently recurring process. Any attempt to manipulate the file system or replace the source code will immediately render the stick useless and lead to the immediate shutdown of the computer during operation. Manipulations are thus effectively prevented.


    Protection against Unwanted User Interventions

    Before executing the firmware, a check is performed to detect whether the stick is booted in a virtual machine to prevent the circumvention of the boot stick’s security measures, for example by a key logger or a Trojan on the host system trying to log screen contents or keystrokes.


    Protection against Manipulated Updates

    As soon as the stick is connected to the central management, it looks automatically for potential updates and authorized users. If available, a new image is loaded in the background. The correct origin and the integrity of the update image are verified by the same process. Once download and verification have been successfully completed, the new image will be executed the next time the stick is booted.


    Data protection

    A special instant logout process prevents unauthorized reading of display content. The computer immediately shuts down when the stick is disconnected. Depending on the timeout that has been set, users can continue their work right where they left after replugging the stick.  With its multi-factor authentication, the granular rights assignment, the avoidance of any kind of local data storage, the exclusion of Trojans and the secured VPN connection, ECOS SECURE BOOT STICK [SX] meets all technical requirements according to Art. 32 of the German General Data Protection Regulation (GDPR).

  • User Friendliness

    ECOS SECURE BOOT STICK [SX] is fairly easy to use. After start-up and PIN entry, the PC or Mac boots up and directs the user to a selection of released systems or applications.
    For operation in WLAN, the key entry is just as simple as on a smartphone and the key is stored encrypted for future logins. After selecting the desired system or application, users have access to their accustomed environment.

  • Efficiency

    In the overall cost estimate, the ECOS SECURE BOOT STICK [SX] offers a savings potential of up to 80% compared to the usage of VS-NfD compatible official or corporate notebooks. This is partly due to the significantly lower investments and operating costs, partly to the distinctly reduced support efforts.

ECOS Secure Boot Stick [SX] - Funktionaler Aufbau

Diagramm: ECOS Secure Boot Stick Aufbau

Click on the + to learn more about the performance data of the ECOS SECURE BOOT STICK.

  • Performance data

    BSI Certification

    • Approved for data processing up to classification level VS-NfD



    • RDP client, Citrix Workspace-App (Citrix Receiver), VMware Horizon, Firefox, w or w/o Java support
    • Integrated VPN client for IPsec


    Supported Destination Systems

    • Microsoft Terminal Server (RDSH), Citrix Apps and Desktops (XenApp, XenDesktop), VMware Horizon (RDP, PCoIP, BLAST) or web server



    • Connection to genua genuscreen through IPsec within a BSI-approved environment
    • Connection to any gateway via IPsec or HTTPS outside a BSI-approved environment



    • Profiles for access to various applications/servers on user, group or role level
    • Use of local resources after release by admin (external USB storage devices, local printers)
    • Authorization assignment for external devices tied to manufacturer ID or serial number of the device
    • Remote update for all applications und firmware



    • Integrated smartcard reader for smartcards with CardOS 5.3 in format ID-000
    • Drivers for all common 64-bit-based Intel/AMD computers, x86-based tablets as well as all popular Macs
    • UEFI secure boot support
    • Keyboard drivers for more than 90 languages and countries
    • Multi-monitor support
    • Connection setup via LAN, WLAN, UMTS, LTE, incl. browser for hotspot login
    • Software in German and English (pre-configurable)


    Data Safe

    • 2 GB, usable to store documents securely (not for VS-NfD)
    • Hardware encryption via AES256, secured by 2-factor authentication, smartcard plus PIN
    • Installation-free use as USB drive under Windows, Linux and Mac OS X


    Additional Features

    • Signing, encrypting, Windows smartcard logon by PC-/SC- forwarding
    • Forwarding of external USB and LAN devices



    • Multi-factor authentication by smartcard and PIN entry during boot phase
    • Integrated keyboard for secure PIN entry
    • Write-protected and signed partitions for bootloader and kernel
    • Write-protected, encrypted and signed partition for firmware and applications
    • Separate, encrypted partition for storage of user parameters
    • Hardened ECOS Secure Linux Operating System
    • Digitally signed bootloader, firmware and applications with verification in »chain of trust« procedure
    • Securing of all processes by smartcard such as Easy Enrollment, gateway login, stick update
    • Integrated firewall (protection against attacks within the same network, blocking of TCP/IP and ping requests)
    • Use in virtual environment forbidden
    • Instant logout on stick disconnection
    • Secured process for firmware and application update with verification of integrity and correct update servers


    Dimensions and Weight

    • 27.5 x 84.8 x 12.7 mm, 68g
    • Scope of Delivery
    • ECOS SECURE BOOT STICK [SX] with integrated keyboard and smartcard slot
    • 3 connecting cables for USB (A, C and micro)
    • Carry strap
    • The smartcard is optionally available







Tel: +49 (6133) 939-200

Logo Made in Germany