PGP WDE FAQ
From Provider Wiki
How do I know if my users need to use PGP Whole Disk Encryption (WDE)?
University policy states that computers holding sensitive data need to be encrypted. Using a tool like Identity Finder will help LSPs determine which users absolutely need to use encryption. Visit this link for more information.
Do I need to run PGP WDE in a server-managed environment?
Although PGP offers a standalone encryption solution, it is not recommended at Penn. Among other benefits, enrolling users with a Universal Server allows IT Staff to help users reset forgotten passphrases. This option is not available without server management.
Are there compatibility issues with other software?
There are some compatibility issues especially with other security software. See PGP WDE Known Compatibility Issues for a fuller discussion.
How do I purchase licenses?
Software licenses for PGP are annual and need to be kept up to date. If a license expires, PGP will automatically decrypt the encrypted drive (after a 90-day grace period).
- Licenses can be purchased through Penn's Office of Software Licensing
- If you are contracting with ISC for LAN Technology Services' PGP offering, licenses will be included in their fee. It is not necessary to order licenses through OSL for your users.
I support both Macs and PCs. Is PGP WDE cross-platform?
Yes. However, PGP WDE for Mac OS is a fairly new product and is not as mature as the Windows version. Unfortunately, problems do exist with its overall functionality and consistency. PGP is actively working to improve this product, and a significantly improved version is expected within this calendar year. For the near term, units may wish to consider deploying Windows PGP first, while waiting for the Mac OS product to mature. If this is not possible, please proceed with caution, read this wiki's PGP for Mac OS documentation, and work with the Provider Desk for insight into lessons they have learned during testing.
Why are backups so important?
In normal cases of disk failure, either due to physical damage, component failure, or a mistaken write by the OS or drive controller, data on the hard drive is still visible and distinguishable. This allows recovery via a recovery disk or attaching to another machine, even if significant portions of the disk have become corrupt. When a disk encrypted with PGP has been corrupted, however, only portions of the boot sector are visible, and those are not useful for data recovery. The rest of the disk is a giant encoded block, and may not be accessible even with the appropriate credentials if certain sections have been overwritten. This renders even bit-level copies potentially useless in the case of physical failure. Read Importance of Backups When Using PGP WDE for more information.
Is PGP WDE subject to export controls?
Yes. Users intending to travel to Cuba, Libya, North Korea, Syria, Sudan, Iran or Iraq must contact the Office of Research Services for assistance in determining whether an export license is required, and, if so, assistance in applying for an export license.
- See http://www.upenn.edu/researchservices/exportcontrols.html and http://www.bis.doc.gov/policiesandregulations/regionalconsiderations.htm.
In addition, any release of the technology or source code to a foreign national from Cuba, Libya, North Korea, Syria, Sudan, Iran or Iraq, or an individual on the denied parties list is prohibited.
- See http://www.bis.doc.gov/dpl/thedeniallist.asp. Even while in the United States, he/she may be prohibited under the “deemed export” rules. Again, you are responsible for contacting Penn’s Office of Research Services for assistance.
PGP products may not be used directly or indirectly in the design, development, fabrication, or use of nuclear, chemical, or biological weapons or missile technology without US government authorization. Contact the Office of Research Services for more information.
Is it recommended for faculty and staff to travel with a laptop which uses PGP WDE?
If feasible, faculty and staff may wish to take an alternate, “clean” computer when traveling to avoid exposing sensitive data to inspection staff.
- Beyond export laws, please be aware that certain countries have been known for inspecting laptops and data upon entry, so you should be extremely careful about any proprietary, patentable or sensitive information that may be stored on your device. PGP has informed Penn that Russia and the People’s Republic of China may currently restrict the importation of PGP’s encryption software, including bringing a laptop with the software installed into those countries.
- US Homeland Security may also decide to inspect your laptop when you return to the US, and by law they have the right to inspect.
Installation and Use
What are the important terms related to PGP that I should know?
Understanding the following terms and concepts is necessary to successfully support PGP WDE:
- PGP Domain account credentials - These are the credentials (account name and password) provided to the user by the PGP Universal Server administrator. The credentials are used to start the enrollment process.
- PGP Key Passphrase - During the enrollment process, you are prompted to create a unique key pair and assign a passphrase to that key pair. The passphrase for this key is going to remain constant when you enroll on different machines. After setting a Key Passphrase you are prompted to choose 5 security questions and answers. Those questions will help reconstruct or reset your Key Passphrase if you forget it.
- PGP Whole Disk Encryption Passphrase - This passphrase is unique to a device and not tied to any other whole disk encrypted drive for the same user. If you choose Single Sign-On, your WDE Passphrase is synchronized with your Windows account credentials. If a user forgets their Whole Disk Encryption Passphrase or their Windows account credentials, a Whole Disk Recovery Token (WDRT) can be used to gain access to the encrypted drive.
- PGP Windows Single Sign-On – This feature gives you the option to synchronize your Windows account credentials (domain or local) with the PGP Whole Disk Encryption Passphrase. When a user enters their Windows password at the PGP pre-boot screen (WDE…), the PGP desktop client proceeds to automatically log them in to Windows. The machine's effective local Windows password security policies (complexity, length, password expiration…) will override the PGP security settings. If the user is using Single Sign-On, using CTRL ALT DEL to change the user's Windows password will also change the PGP Whole Disk Encryption Passphrase.
- Windows Single Sign-On should not be used if the person entering the pre-boot passphrase should not be automatically logged in to Windows, for example a Local Support Provider.
- Windows Single Sign-On should not be used with a biometric reader such as a thumbprint scanner; these devices may not work with PGP security. Users should proceed with the PGP Whole Disk Encryption Passphrase and then use the biometric device to complete the Windows login process.
- PGP Whole Disk Encryption Recovery Token (WDRT) – The token can be used if the user is unavailable or if the user has forgotten their PGP Whole Disk Encryption passphrase or their Windows logon credentials. The WDRT is used at the PGP Desktop Whole Disk Encryption login screen. WDRTs are associated with encrypted devices, not with single computers or single users. A single computer can be associated with multiple encrypted devices. Only the PGP Universal Server administrator is able to provide a user with a Whole Disk Recovery Token.
Under what circumstance does a PGP client get a policy refresh from the Universal Server?
The PGP clients query the PGP Universal Server for updated policy when they have a network connection at the following times:
- On every outbound email (Clients without a messaging license or proxy enabled will not do this)
- At reboot
- Once every 24 hours
PGP Policy can be manually refreshed from the Universal Server by stopping and restarting the PGP service. This may be needed for computers with wireless internet connections to AirPennNet since they are likely not to be internet-connected at logon.
- To stop and restart the PGP service on a Mac:
  - Log in as an Administrator.
  - Open the Terminal application from Applications/Utilities.
  - Type: sudo killall PGP\ Engine
  - Type your user password if prompted.
  - Reopen PGP from Applications/
- To stop and restart the PGP service on a PC:
  - Click the PGP Tray icon in your system tray, then click Stop PGP Services.
  - Acknowledge the alert message.
  - To restart PGP services, click Start > (All) Programs > Startup > PGPtray.exe
What general troubleshooting steps are recommended?
If PGP Whole Disk Encryption fails at decryption, has troubles with the Master Boot Record, or runs into other difficulties, PGP Corporation has a document that describes using PGPWDE Command Line as well as PGP Recovery Disks to recover lost data. That document is located here. The guide for Data Recovery for Mac OS X is located here in PDF format.
What do I need to do in order to prepare my systems for encryption?
PGP Desktop's Whole Disk Encryption installation exerts a heavy load on a system's drive, whether hard disk drive or solid state drive. WDE installation subjects the drive to extremely intensive disk I/O, likely one of the heaviest loads the disk will ever have to endure. As such, it is very important that all documents, settings, and programs be backed up in case the encryption process fails and/or ruins the drive. There are also further preparation steps that depend on the platform. Please read the documents below for more information.
- Getting Started With PGP WDE on Mac
- PGP WDE Installation Preparation for Windows
- Getting Started with PGP WDE on Windows
What happens if my user forgets their PGP WDE passphrase?
PGP Desktop's Whole Disk Encryption generates a recovery token upon installation which will allow a user to access their system and reset a forgotten passphrase. In the event of a forgotten passphrase, this token is retrieved by a PGP Universal Server administrator and given to the user. See Recovery From a Lost PGP WDE Passphrase for further discussion.
What is the PGP shred utility?
The PGP Desktop software, installed to use PGP WDE, also contains a shred utility, which is a secure file deletion module that will overwrite files multiple times and optionally wipe free disk space. See Using PGP Shred Utility for more details.
Can PGP be used to encrypt external drives?
Yes, if the Universal Server administrator has enabled this feature in their policy. See PGP WDE for External Drives for instructions.