Product Support Information

The following products are 'End of Life' and not subject to further standard release cycles. However, Becrypt can provide extended help desk support if requested by an existing customer. Please contact support@becrypt.com for further information.

• Advanced Port Control
• Connect Protect
• Convex430
• DISK Protect Baseline
• DISK Protect Enhanced
• Media Client
• mShare
• tVolution

Paradox support and maintenance contracts are currently available through to 31st December 2026. Please contact support@becrypt.com to discuss additional support and maintenance requirements.

Paradox support and maintenance contracts are currently publicised as available through to 31st December 2026.

https://www.becrypt.com/uk/products/product-suppor...

Becrypt use a code-signing certificate to sign all Paradox OS Updates. BEM will not load OS updates or applications signed with an expired or invalid code signing certificate.

Paradox devices cryptographically validate that an OS Update has been issued by a trusted source by checking an update has been signed by a valid Becrypt certificate. OS update signing allows the Paradox device to ensure no tampering or corruption has occurred during transit. This prevents an attacker from sending a fake or malicious update, or to corrupt an update so it will not install.

If an update is rejected due to failing authentication or integrity checks, the event is reported to BEM over a secure (encrypted) channel. This allows an administrator to investigate and put in place appropriate mitigations. A remote attacker with no access to the management network will not have visibility of update failure.

Becrypt Enterprise Manager (BEM) simplifies the provision of OS updates and allows their deployment as a single administrative action once loaded within BEM. BEM allows the rollout of OS updates to be staged across an organisation by designated device groups.

Paradox prevents attackers from masquerading as a legitimate device to intercept or manipulate communicated data. Communication with BEM uses TLS with mutual authentication. Paradox supports 802.11X authentication for controlled access to networks preventing an attacker from spoofing a device, or causing the device to share sensitive data.

Paradox supports OUATH2, API signatures and 802.1x. Additional protocols may be configured by request.

Paradox supports certificate-based device authentication leveraging the TPM. Hardware-backed user authentication may be enabled through the use of physical tokens (e.g. Yubikeys) for secondary user authentication.

Paradox binds device identity to a physical TPM instance, providing hardware-backed device identity. The TPM is used for key attestation to demonstrate that the identity is protected by the device.

Firmware updates are validated using cryptographic signatures. The Paradox operating system image is integrity protected using cryptographic signatures and hash trees to ensure that it is only modifiable through an update process combined with the relevant signature.

Secure boot ensures that the operating system cannot be corrupted or compromised, enforced through bootloader validation of TPM register outputs.

The device is deployed by an organisation via their MDM (BEM) platform and once provisioned is instantly protected as no third-party software is required to be installed.

Cryptographic integrity checks of applications are performed as applications are executed.

Cryptographic integrity checks of policy updates are enforced to ensure they originate from a trusted management server.

Optionally, third-party antivirus software may be deployed.

All Paradox C++ components are built with stack canaries. ASLR in the kernel is turned on.

Use of stack canaries by 3rd party components cannot be verified.

Paradox undertakes device health measurements during system start. A remote attestation protocol has been implemented to allow a remote authentication service to validate device health and inform subsequent access control policies.

The remote attestation protocol and supporting device health measurement architecture is full documented and available for prospective customer review.

A hardware-backed cryptographically validated chain of trust is used to protect device health measurements. Details are available as described above.

Paradox employs secure boot, followed by a TPM-backed trusted boot process to cryptographically validate the integrity of firmware, boot components and all operating system components including 3^rd party binaries and drivers.

Evidence of an unsafe boot is available to Paradox and the device management software.

Paradox undertakes device health measurements during system start. A remote attestation protocol has been implemented to allow a remote authentication service to validate device health and inform subsequent access control policies.

The Paradox device management platform (BEM) is used to deploy authorised (signed) applications, allowing organisations to restrict trust in applications as appropriate e.g. Becrypt applications, VPN clients, VDI clients. Unauthorised applications will fail to execute on a Paradox device.

Becrypt provide the facility to allow organisations to sign their own applications (and operating system components) based on their own Certificate Authority if required.