PGP Desktop 9.8 User Guide

PGP® Desktop 9.8 for Windows

User's Guide

Version Information

PGP Desktop for Windows User's Guide. PGP Desktop Version 9.8.2. Released March 2008.

Copyright © 1991–2008 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.

Trademark Information

PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Licensing and Patent Information

The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support ( Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.

http://www.pgp.com/support). PGP

Acknowledgments

This product includes or may include:

• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib ( under the MIT License found at freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. • Application server (

http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse

server ( HTML, developed by the Apache Software Foundation. The license is at binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at Protocol") used for communications between various PGP products is provided under the Apache license found at

http://www.apache.org/licenses/LICENSE-2.0.txt. • mx4j, an open-source implementation of the Java Management Extensions (JMX), is released

under an Apache-style license, available at Independent JPEG Group. ( distributed under the MIT License copyrighted and distributed by University of Cambridge. ©1997-2006. The license agreement is at Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (

• Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006. • Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. © 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at developed by Network Time Protocol and copyrighted to various contributors. • Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at

4.2.1 developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at

bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. • PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released

under the BSD license. • Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at

http://www.opensource.org/licenses/ibmpl.php. • PostgreSQL, a free software object-relational database management system, is released under a

BSD-style license, available at PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at database management system, is released under a BSD-style license, available at version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission.

• JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at downloading files via common network services, is open source software provided under a MIT/X derivate license available at

under a BSD-style license, available at

• libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at

to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at

http://www.zlib.net). • Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted

http://jakarta.apache.org/), web

www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, data-

http://www.castor.org/license.html. • Xalan, an open-source software library from the Apache Software

http://xml.apache.org/xalan-j/#license1.1. • Apache Axis is an implementation of the SOAP ("Simple Object Access

http://mx4j.sourceforge.net/docs/ch01s06.html. • jpeglib version 6a is based in part on the work of the

http://www.ijg.org/) • libxslt the XSLT C library developed for the GNOME project and used for XML transformations is

http://www.opensource.org/licenses/mit-license.html. • PCRE version 4.5 Perl regular expression compiler,

http://www.pcre.org/license.txt. • BIND Balanced

http://www.isc.org)

http://net-snmp.sourceforge.net/about/license.html. • NTP version 4.2

http://www.openldap.org/software/release/license.html. • Secure shell OpenSSH version

http://www.openbsd.org/cgi-

http://www.postgresql.org/about/licence. • PostgreSQL JDBC driver, a free Java program used to connect to a

http://jdbc.postgresql.org/license.html. • PostgreSQL Regular Expression Library, a free software object-relational

http://www.postgresql.org/about/licence. • 21.vixie-cron is the Vixie

http://www.cs.wustl.edu/~schmidt/ACE-copying.html. • libcURL, a library for

PGP® Desktop 9.8 for Windows About PGP Desktop 9.8 for Windows

http://www.cs.fsu.edu/~engelen/soaplicense.html. • Windows Template Library (WRT) is used for developing user interface components and is

distributed under the Common Public License v1.0 found at utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at

http://www.perl.com/pub/a/language/misc/Artistic.html.

http://opensource.org/licenses/cpl1.0.php. • The Perl Kit provides several independent

Export Information

Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.

Limitations

The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Contents

About PGP Desktop 9.8 for Windows 1

What's New in PGP Desktop for Windows Version 9.8 1

PGP Desktop General Features 2 PGP Whole Disk Encryption Features 2 PGP NetShare Features 4 PGP Desktop Email Features 4

Using this Guide 5

“Managed” versus “Unmanaged” Users 5

Conventions Used in This Guide 6 Who Should Read This Document 6 About PGP Desktop Licensing 7

Checking License Details 7 Getting Assistance 10

Getting product information 10

Contacting Technical Support 10

PGP Desktop Basics 13

PGP Desktop Terminology 13

PGP Product Components 13

Terms Used in PGP Desktop 14 Conventional and Public Key Cryptography 16

Learning More About Cryptography 16 Using PGP Desktop for the First Time 17

Installing PGP Desktop 21

Before You Install 21

System Requirements 21 Installing and Configuring PGP Desktop 22

Installing the Software 22

Upgrading the Software 22

Upgrading From Standalone to Managed PGP Desktop Builds 23

Running the Setup Assistant 23 Uninstalling PGP Desktop 24 Moving Your PGP Desktop Installation From One Computer to Another 24

The PGP Desktop User Interface

Accessing PGP Desktop Features 27

The PGP Desktop Main Screen 28

Using the PGP Tray Icon 29

Using Shortcut Menus in Windows Explorer 31

PGP® Desktop 9.8 for Windows Contents

Using the Start Menu 33 PGP Desktop Notifier alerts 33

PGP Desktop Notifier for Messaging 33

PGP Desktop Notifier for Disk features 37

Enabling or Disabling Notifiers 38 Viewing the PGP Desktop Log 39

Working with PGP Keys 41

Viewing Keys 41 Creating a Keypair 42

Passwords and Passphrases 44 Protecting Your Private Key 45

Protecting Keys and Keyrings 46

Backing up Your Private Key 47

What if You Lose Your Key? 47 Distributing Your Public Key 47

Placing Your Public Key on a Keyserver 48

Including Your Public Key in an Email Message 49

Exporting Your Public Key to a File 50

Copying from a Smart Card Directly to Someone’s Keyring 50 Getting the Public Keys of Others 50

Getting Public Keys from a Keyserver 51

Getting Public Keys from Email Messages 52 Working with Keyservers 52 Using Master Keys 54

Adding Keys to the Master Key List 54

Deleting Keys from the Master Key List 55

Managing PGP Keys 57

Examining and Setting Key Properties 57 Adding and Removing Photographic IDs 58 Managing User Names and Email Addresses on a Key 59 Importing Keys and X.509 Certificates 60

Using the Import Certificate Assistant 61 Changing Your Passphrase 62 Deleting Keys, User IDs, and Signatures 64 Disabling and Enabling Public Keys 64 Verifying a Public Key 65 Signing a Public Key 66

Revoking Your Signature from a Public Key 68 Granting Trust for Key Validations 68 Working with Subkeys 69

Using Separate Subkeys 70

Viewing Subkeys 71

Creating New Subkeys 72

Revoking Subkeys 73

PGP® Desktop 9.8 for Windows Contents

Removing Subkeys 73 Working with ADKs 74

Adding an ADK to a Keypair 74

Updating an ADK 75

Removing an ADK 75 Working with Revokers 75

Appointing a Designated Revoker 76

Revoking a Key 76 Splitting and Rejoining Keys 77

Creating a Split Key 77

Rejoining Split Keys 78 If You Lost Your Key or Passphrase 80

Reconstructing Keys with PGP Universal 80

Reconstructing Keys in a Standalone Installation 82

Resetting Your Passphrase 86 Protecting Your Keys 87

Securing Email Messages 89

How PGP Desktop Secures Email Messages 89

Incoming Messages 90

Outgoing Messages 92 Services and Policies 92

Viewing Services and Policies 93

Creating a New Messaging Service 93

Editing Messaging Service Properties 98

Disabling or Enabling a Service 98

Deleting a Service 99

Multiple Services 99

Troubleshooting PGP Messaging Services 100 Creating a New Security Policy 102

Wildcards and Regular Expressions in Policies 107

Security Policy Information and Examples 107 Working with the Security Policy List 110

Editing a Security Policy 110

Editing a Mailing List Policy 111

Deleting a Security Policy 115

Changing the Order of Policies in the List 116 PGP Desktop and SSL 116 Key Modes 118

Determining Key Mode 119

Changing Key Mode 119 Viewing the PGP Desktop Log 121

Securing Instant Messaging 123

About PGP Desktop’s Instant Messaging Support 123

Instant Messaging Client Compatibility 124

iii

PGP® Desktop 9.8 for Windows Contents

About the Keys Used for Encryption 125 Encrypting your IM Sessions 125

Protecting Disks with PGP Whole Disk Encryption 127

About PGP Whole Disk Encryption 128

How does PGP Whole Disk Encryption Differ from PGP Virtual Disk? 129 Licensing PGP Whole Disk Encryption 129

License Expiration 130 Prepare Your Disk for Encryption 130

Supported Disk Types 131

Supported Keyboards 132

Ensure Disk Health Before Encryption 133

Creating Recovery Disks 133

Calculate the Encryption Duration 135

Maintain Power Throughout Encryption 136

Run a Pilot Test to Ensure Software Compatibility 136 Determining the Authentication Method for the Disk 137

Passphrase and Single Sign-On Authentication 137

Public Key Authentication 138

Token-Based Authentication 138

Trusted Platform Module (TPM) Authentication 138 Setting Encryption Options 139

Partition-Level Encryption 140

Preparing a Smart Card or Token to Use For Authentication 140

Using PGP Whole Disk Encryption Options 143 Encrypting a Disk or Partition 144

Supported Characters for PGP WDE Passphrases 145

Encrypting the Disk 146

Encountering Disk Errors During Encryption 149 Using a PGP WDE-Encrypted Disk 150

Authenticating at the PGP BootGuard Screen 150

Selecting Keyboard Layouts 153 Using PGP WDE Single Sign-On 154

Prerequisites for Using Single Sign-On 155

Encrypting the Disk to Use Single Sign-On 155

Multiple Users and Single Sign-On 156

Logging in with Single Sign-On 156

Changing Your Passphrase With Single Sign-On 156

Displaying the Windows Login dialog box 157 Maintaining the Security of Your Disk 157

Getting Disk or Partition Information 158

Using the Bypass Feature 159

Adding Other Users to an Encrypted Disk or Partition 159

Deleting Users From an Encrypted Disk or Partition 160

Changing User Passphrases 160

Re-Encrypting an Encrypted Disk or Partition 162

Using Automatic Backup Software on a PGP WDE-Encrypted Disk 163

PGP® Desktop 9.8 for Windows Contents

Uninstalling PGP Desktop from Encrypted Disks or Partitions 163 Working with Removable Disks 163

Encrypting Removable Disks 164

Moving Removable Disks to Other Systems 165

Reformatting an Encrypted Removable Disk 165 Using PGP-WDE in a PGP Universal-Managed Environment 166

PGP Whole Disk Encryption Administration 166

Creating a Recovery Token 167

Using a Recovery Token 168 Recovering Data From an Encrypted Drive 168 Decrypting a PGP WDE-Encrypted Disk 169 Special Security Precautions Taken by PGP Desktop 171 Using the Windows Preinstallation Environment 171

Using PGP Whole Disk Encryption with IBM Lenovo ThinkPad Systems 171

Using PGP Whole Disk Encryption with the Microsoft Windows XP Recovery Console 172

Using PGP Virtual Disks 175

About PGP Virtual Disks 176 Creating a New PGP Virtual Disk 177 Viewing the Properties of a PGP Virtual Disk 180 Finding PGP Virtual Disks 180 Using a Mounted PGP Virtual Disk 181

Mounting a PGP Virtual Disk 181

Unmounting a PGP Virtual Disk 182

Compacting a PGP Virtual Disk 182

Re-Encrypting PGP Virtual Disks 183 Working with Alternate Users 184

Adding Alternate User Accounts to a PGP Virtual Disk 184

Deleting Alternate User Accounts from a PGP Virtual Disk 185

Disabling and Enabling Alternate User Accounts 185

Changing Read/Write and Read-Only Status 186

Granting Administrator Status to an Alternate User 186 Changing User Passphrases 187 Deleting PGP Virtual Disks 187 Maintaining PGP Virtual Disks 188

Mounting PGP Virtual Disk Volumes on a Remote Server 188

Backing up PGP Virtual Disk Volumes 188

Exchanging PGP Virtual Disks 189 The PGP Virtual Disk Encryption Algorithms 190 Special Security Precautions Taken by PGP Virtual Disk 190

Passphrase Erasure 191

Virtual Memory Protection 191

Hibernation 191

Memory Static Ion Migration Protection 191

Other Security Considerations 192

PGP® Desktop 9.8 for Windows Contents

Using PGP NetShare 195

About PGP NetShare 195

PGP NetShare Roles 197 Licensing PGP NetShare 198 Authorized User Keys 199 Establishing a PGP NetShare Admin (Owner) 199 Working with Protected Folders 199

Choosing the Location for a Protected Folder 200

Creating a New PGP NetShare Protected Folder 203

Using Files in a PGP NetShare Protected Folder 210

Unlocking a Protected Folder 210

Determining the Files in a Protected Folder 211

Adding Subfolders to a Protected Folder 212

Checking Folder Status 212

Copying Protected Folders to Other Locations 213 Working with PGP NetShare Users 214

Adding a PGP NetShare User 214

Changing a User's Role 216

Deleting a User from a Protected Folder 217 Importing PGP NetShare Access Lists 218 Working with Active Directory Groups 218

Setting up PGP NetShare to Work with Groups 219

Refreshing Groups 219 Removing a Folder 220 Re-Encrypting a Folder 221 Clearing a Passphrase 222 Protecting Files Outside of a Protected Folder 222 Accessing PGP NetShare Features using the Shortcut Menu 224 PGP NetShare in a PGP Universal-Managed Environment 225 Accessing the Properties of a Protected File or Folder 226 Using the PGP NetShare Menus in PGP Desktop 227

The File Menu 227

The Edit Menu 227

The NetShare Menu 227

Using PGP Zip

Overview 229 Creating PGP Zip Archives 230

Encrypting to Recipient Keys 234

Encrypting with a Passphrase 238

Creating a PGP Self-Decrypting Archive (SDA) 242

Creating a Sign Only Archive 245

229

PGP® Desktop 9.8 for Windows Contents

Opening a PGP Zip Archive 248 Opening a PGP Zip SDA 248 Editing a PGP Zip Archive 249 Verifying Signed PGP Zip Archives 251

Shredding Files with PGP Shredder 253

Using PGP Shredder to Permanently Delete Files and Folders 253

Shredding Files using the PGP Shredder Icon on Your Desktop 254

Shredding Files From Within PGP Desktop 254

Shredding Files in Windows Explorer 255 Using the PGP Shred Free Space Assistant 256

Scheduling Free Space Shredding 257

Storing Keys on Smart Cards and Tokens 259

About Smart Cards and Tokens 259

Supported Smart Cards 261

Recognizing Smart Cards 261 Examining Smart Card Properties 262 Generating a PGP Keypair on a Smart Card 263 Copying your Public Key from a Smart Card to a Keyring 264 Copying a Keypair from Your Keyring to a Smart Card 265 Wiping Keys from Your Smart Card 266 Using Multiple Smart Cards 267 Special-Use Tokens 268

Configuring the Aladdin eToken 268

Setting PGP Desktop Options 271

Accessing the PGP Options dialog box 271 General Options 272 Keys Options 274 Master Keys Options 277 Messaging Options 277

Proxy Options 280

vii

PGP® Desktop 9.8 for Windows Contents

PGP NetShare Options 284 Disk Options 285 Notifier Options 288 Advanced Options 289

Working with Passwords and Passphrases 293

Choosing whether to use a password or passphrase 293 The Passphrase Quality Bar 294 Creating Strong Passphrases 295 What if You Forget Your Passphrase? 297

Using PGP Desktop with PGP Universal Server

Overview 299 For PGP Administrators 300

299

Messaging with Lotus Notes and MAPI 303

About Lotus Notes and MAPI Support 303 Using PGP Desktop with Lotus Notes 303

Sending email to recipients inside your Lotus Notes organization 304

Sending email to recipients outside your Lotus Notes organization 304 Binding to a Universal Server 305

Pre-Binding 305

Manual Binding 305 Notes Addresses 306 Notes Client Settings 306

The Notes.ini Configuration File 307

Index 309

viii

About PGP Desktop 9.8 for

Windows

PGP Desktop is a security tool that uses cryptography to protect your data against unauthorized access.

PGP Desktop protects your data while being sent by email or by instant messaging (IM). It lets you encrypt your entire hard drive or hard drive partition—so everything is protected all the time—or just a portion of your hard drive, via a virtual disk on which you can securely store your most sensitive data. You can use it to share your files and folders securely with others over a network. It lets you put any combination of files and folders into an encrypted, compressed package for easy distribution or backup. Finally, use PGP Desktop to shred (securely delete) sensitive files—so that no one can retrieve them— and shred free space on your hard drive, so there are no unsecured remains of any files.

Use PGP Desktop to create PGP keypairs and manage both your personal keypairs and the public keys of others.

To make the most of PGP Desktop, you should be familiar with PGP Desktop Terminology (on page key cryptography, as described in Conventional and Public Key Cryptography (on page

16).

13). You should also understand conventional and public-

In This Chapter

What's New in PGP Desktop for Windows Version 9.8............................ 1

Using this Guide ........................................................................................ 5

Who Should Read This Document ............................................................ 6

About PGP Desktop Licensing .................................................................. 7

Getting Assistance .................................................................................. 10

What's New in PGP Desktop for Windows Version 9.8

Building on PGP Corporation’s proven technology, PGP Desktop 9.8 for Windows includes numerous improvements and the following new and resolved features.

PGP® Desktop 9.8 for Windows About PGP Desktop 9.8 for Windows

PGP Desktop General Features

 Additional platform support. PGP Desktop is now available for Microsoft

Windows Vista 64-bit and Mac OS X 10.5 (Leopard).

 Feature deployment control. Administrators can now enforce policy by

providing end users only with authorized client features, enabling or disabling client capabilities before distributing PGP client software to endusers. Disabled features are then unavailable in the PGP Desktop user interface.

 Intel AMT support. PGP Desktop supports Intel Active Management

Technology (AMT) Agent Presence on those computers with properly configured Intel AMT-equipped motherboards. PGP Desktop reports its current status via AMT to enable Enterprises to query configuration information even when a system is turned off.

 Updated key reconstruction user interface. The PGP Desktop Key

Reconstruction user interface has been significantly improved in this release. Primary new features include the ability to select and customize a set of provided questions, a visually more appealing experience, and a new Assistant to help guide the user through the process.

 Local key reconstruction. Standalone installations of PGP Desktop

support Local Key Reconstruction. The Key Reconstruction Assistant saves Key Reconstruction information in a file that can be used later to reconstruct the user key.

 PGP Log message filtering. The PGP Log feature of PGP Desktop now

provides a menu option to filter local log messages by topic to facilitate troubleshooting (for example, displaying messages related only to Email, IM, NetShare, or WDE).

 Passphrase quality evaluation improvements. Passphrase quality

evaluation has been significantly enhanced both visually and functionally in this release.

PGP Whole Disk Encryption Features

 Advanced centralized event logging. PGP Universal now provides

significantly expanded reporting on PGP Whole Disk Encryption usage on client systems. This logging feature itemizes events such as which systems have been encrypted, the progress of encryption or decryption for an individual system, errors encountered during encryption, the status of recovery tokens, removable storage usage, and failed/successful login attempts. Administrators can set thresholds that raise alerts in PGP Universal on the PGP Daily Status Email or dashboard screen after a configured number of failed logins has been exceeded.

 Extended pre-boot smart card support. PGP Whole Disk Encryption has

greatly expanded pre-boot authentication to a variety of smart cards.

PGP® Desktop 9.8 for Windows About PGP Desktop 9.8 for Windows

 Customizable WDE BootGuard screens. Administrators in a PGP

Universal-managed environment can configure the PGP Whole Disk Encryption boot screen to display the text and graphics of their choice.

 Group administration access tokens. PGP Whole Disk Encryption admin

accounts can be added, allowing an administrator with a smart card key to override the BootGuard prompt. This key can be specified separately for each Internal User Policy. Using a single keypair copied to multiple smart cards (each with its own PIN), an organization can enable multiple administrators for each Policy.

 Domain administrator restart bypass. Windows System and

Administrator account(s) may now engage a mode to bypass WDE authentication on the next restart by utilizing the privileges of the administration account to act as the authenticated user. This feature enables administrators to perform remote software installations requiring a restart of the target computer. Use of this feature is logged to the PGP Universal server.

 Partition encryption deployment. Administrators in a PGP Universal-

managed environment may now configure encryption of only the boot partition or only Windows partitions rather than always encrypting entire disks.

 PGP WDE Single Sign-On for Novell environments. The PGP WDE

Single Sign-On (SSO) feature is now available for Windows systems running in Novell network environments.

 User Interface modifications for ADA compliance. As part of our

expanding support for the Americans with Disabilities Act (ADA) standards for accessible design, the PGP WDE BootGuard screen has been modified to provide audible feedback when the screen is ready for user input, when a user types in an incorrect password, and when a user types a correct password. This audio feedback is optional, configurable using PGP Universal for managed clients.

 Lenovo laptop Recovery button. PGP Whole Disk Encryption now

provides complete support for the Lenovo Rescue and Recovery software (version 3.x and 4.x) including using the “Access IBM” blue button for boot-level recovery of the OS even when the disk (or partition) is encrypted.

 Microsoft Windows PE support. PGP Desktop provides administrators

with the ability to create a Windows PE (Preinstallation Environment) boot disk containing a subset of PGP Whole Disk Encryption. This bootable disc can be used to perform a variety of management and recovery tasks.

PGP® Desktop 9.8 for Windows About PGP Desktop 9.8 for Windows

 Trusted Platform Module (TPM) support for PGP WDE. PGP Desktop

supports using the Trusted Platform Module as an additional authentication device for PGP Whole Disk Encryption if present on the motherboard and enabled via proper driver installation for your hardware. When use of the TPM is specified prior to encryption, the user can authenticate to the disk only on that particular machine, locking the disk to the machine hardware and thus deterring attacks such as hard disk theft. This feature works with passphrase users only and is compatible with the PGP WDE Single Sign-On feature.

PGP NetShare Features

 PGP NetShare per-folder administration. PGP NetShare administrative

granularity has been extended to restrict administrator control to a perfolder level, thus limiting administrative access to exactly where it is needed.

 Whitelists and blacklists. Administrators can now centrally define PGP

NetShare policy to protect files stored in specific directory locations, enforcing security policy without impacting user behavior. Conversely, administrators can also force specific directories to prevent encryption.

 Directory roles. There are now three roles for PGP NetShare-protected

directories: Admin, with full rights over the directory; Group Admin, who can add/remove users that are not Admins or Group Admins; and Users, who can only access content, and have no administration abilities.

 Centralized PGP NetShare logging. Centralized logging on PGP Universal

provides visibility into the activity of PGP NetShare deployments to satisfy management and auditing requirements.

 PGP NetShare Command Line. Most PGP NetShare functions can now

be scripted. This utility is documented in the PGP NetShare Command Line Programmer's Guide.

PGP Desktop Email Features

 MAPI support for PGP/MIME formatted messages. PGP Desktop now

provides the ability to encrypt PGP/MIME messages in Outlook clients using MAPI. PGP/MIME decryption has also been significantly improved in this area.

 Microsoft CAPI integration. PGP Desktop supports the use of Microsoft

Cryptographic Application Programming Interface (CAPI) credentials, enabling the user to make use of existing X.509 certificates directly from the Microsoft operating system certificate store. PGP Universal administrators can specify automatic enrollment of such certificates as well.

PGP® Desktop 9.8 for Windows About PGP Desktop 9.8 for Windows

 IMAP speed improvements. This release of PGP Desktop contains

significant IMAP performance improvements. Users will experience quicker responses and shorter downloads, particularly when accessing large mailboxes, switching between folders, and checking for new messages.

 Out-of-the-mail-stream support. PGP Desktop and PGP Universal

Satellite will selectively send email messages directly to the PGP Universal Server via a SOAP connection if required by policy, such that the server does not need to be in the mail stream to support Web Messenger or Smart Trailer functionality.

 Weak-cipher decryption. PGP products now decrypt S/MIME encoded

messages encrypted with weak 40-bit RC2 encryption for backwards compatibility with older email clients. Additional warnings are added to messages decrypted using that algorithm. Note that PGP Desktop will not encrypt using weak ciphers.

Using this Guide

This Guide provides information on configuring and using the components within PGP Desktop. Each chapter of the guide is devoted to one of the components of PGP Desktop.

“Managed” versus “Unmanaged” Users

A PGP Universal Server can be used to control the policies and settings used by components of PGP Desktop. This is often the case in enterprises using PGP software. PGP Desktop users in this configuration are known as managed users, because the settings and policies available in their PGP Desktop software are pre-configured by a PGP administrator and managed using a PGP Universal Server. If you are part of a managed environment, your company may have specific usage requirements. For example, managed users may or may not be allowed to send plaintext email, or may be required to encrypt their disk with PGP Whole Disk Encryption.

Users not under the control of a PGP Universal Server are called unmanaged or standalone users.

This document describes how PGP Desktop works in both situations; however, managed users may discover while working with the product that some of the settings described in this document are not available in their environments. See Using PGP Desktop with PGP Universal Server (on page information.

299) for more

Note: References to PGP Universal-managed environments do not apply to

the PGP Virtual Disk or PGP Virtual Disk Professional products.

PGP® Desktop 9.8 for Windows About PGP Desktop 9.8 for Windows

Features Customized by Your PGP Universal Administrator

If you are using PGP Desktop as a "managed" user in a PGP Universal-managed environment, there are some settings that can be specified by your administrator. These settings may change the way features are displayed in PGP Desktop.

 Disabled features. Your PGP Universal administrator can enable or disable

specific functionality. For example, your administrator may disable the ability to create PGP NetShare protected folders.

When a feature is disabled, the control item in the left side is not displayed and the menu for that feature is not available. The graphics included in this guide depict the default installation with all features enabled. The PGP Desktop interface may look different if your administrator has customized the features available.

 Customized BootGuard. If you are using PGP Desktop in a PGP Universal-

managed environment, Your PGP administrator may have customized the PGP Whole Disk Encryption BootGuard screen to include additional text or a custom image such as your organization's logo. The graphics included in this guide depict the default installation. Your actual login screen may look different if your administrator has customized the screen.

Conventions Used in This Guide

Notes, Cautions, and Warnings are used in the following ways.

Notes: Notes are extra, but important, information. A Note calls your

attention to important aspects of the product. You will be able to use the product better if you read the Notes.

Cautions: Cautions indicate the possibility of loss of data or a minor security

breach. A Caution tells you about a situation where problems could occur unless precautions are taken. Pay attention to Cautions.

Warnings: Warnings indicate the possibility of significant data loss or a major

security breach. A Warning means serious problems are going to happen unless you take the appropriate action. Please take Warnings very seriously.

Who Should Read This Document

This document is for anyone who is going to be using the PGP Desktop for Windows software to protect their data.

PGP® Desktop 9.8 for Windows About PGP Desktop 9.8 for Windows

Note: If you are new to cryptography and would like an overview of the

terminology and concepts in PGP Desktop, please refer to An Introduction to Cryptography (it was installed onto your computer when you installed PGP

Desktop).

About PGP Desktop Licensing

A license is used within the PGP software to enable the functionality you purchased, and sets the expiration of the software. Depending on the license you have, some or all of the PGP Desktop family of applications will be active. Once you have entered the license, you must then authorize the software with PGP Corporation, either manually or online.

To license PGP Desktop Do one of the following:

 If you are a managed user, you are most likely already using a licensed

copy of PGP Desktop. Check your license details as described in Checking License Details (on page administrator.

7). If you have questions, please contact your PGP

 If you are an unmanaged user, or a PGP administrator, check your license

details as described in Checking License Details (on page authorize your copy of PGP Desktop, do so as described in Authorizing PGP Desktop for Windows (on page

Checking License Details

 To see the details of your PGP Desktop license

1 Double-click the PGP Desktop icon in the system tray. 2 Select Help > License. The PGP Desktop License dialog box appears.

7). If you need to

8).

This dialog box displays the following details:

PGP® Desktop 9.8 for Windows About PGP Desktop 9.8 for Windows

Item Description

License Type The name of the licensed product.

License Seats The number of seats available for this license.

License Expiration The date when the license will expire.

Product Information The components that are active in your license.

Move your cursor over the product name to see information about the product and to find out if you are currently licensed to use it.

Note: If you do not authorize your copy of PGP Desktop, only limited features

will be available to you (PGP Zip and Keys).

Authorizing PGP Desktop for Windows

If you need to change to a new license number, or if you skipped the license authorization process during configuration, follow these instructions to authorize your software.

Note: Make sure your Internet connection is active before proceeding. If you

have no Internet connection, you must submit a request for a manual authorization.

 Before you begin

If you purchased PGP Desktop, you received an email order confirmation with an attached .PDF file.

1 Make a note of the name, organization, and license number you received in

the email order confirmation. These are shown in the section titled

Important Note in the .PDF. You will need these details during the

licensing process.

During configuration of your PGP Desktop software, you must type the name, organization, email address, and license number to authorize your copy of PGP Desktop with PGP Corporation's authorization server.

Note: Your license number also appears on the download page of your

PGP product.

Double-click the PGP Desktop icon in the System Tray.

PGP® Desktop 9.8 for Windows About PGP Desktop 9.8 for Windows

2 Select Help > License. The PGP Desktop License dialog box appears.

3 Click Change License. The PGP Licensing Assistant dialog box appears. 4 Type the Name and Organization exactly as specified in your PGP email

order confirmation .PDF. These will be shown in the section titled

Important Note in the .PDF. If the Important Note section does not exist

in your .PDF, your first authorization attempt will set the name and organization permanently.

5 Type the email address you want to assign to the licensing of the product. 6 Type the email address again to confirm it.

Note: If you have previously authorized the same license number, you

must enter the same Name, Organization, and Email Address as you did the previous time. If you enter different information, authorization will fail.

7 Click Next. 8 Do one of the following:

 Type your 28-character license number in the provided fields (for

example, DEMO1-DEMO2-DEMO3-DEMO4-DEMO5-ABC).

Note: To avoid typing errors and make the authorization easier, copy the

entire license number, put the cursor in the first “License Number” field, and paste. Your license number will be correctly entered into all six “License Number” fields.

 To request a one-time, 30-day evaluation of PGP Desktop, select

Request a one-time 30 day Evaluation of PGP Desktop. When you

purchase a license, you can enter it any time before the end of the 30day evaluation period. If you don’t enter a valid license, PGP Desktop will revert to unlicensed functionality when the 30-day evaluation period is over.

 To purchase a PGP Desktop license, select Purchase a license

number now. A Web browser will open and take you to the online

PGP Store.

PGP® Desktop 9.8 for Windows About PGP Desktop 9.8 for Windows

 To use PGP Desktop without a license, select Use without a license

and disable most functionality. The only feature of PGP Desktop

you can use without a license is PGP Zip and Keys.

9 Click Next to authorize. 10 When PGP is authorized, the features enabled by your license will be

displayed. Click Next, and then click Finish to complete the process.

Resolving License Authorization Errors

If you receive any error messages while authorizing your software, the ways to resolve this issue vary based on the error message. See the HOWTO: License PGP Desktop 9.x section in the PGP Support Portal (

https://support.pgp.com)

for suggestions.

Getting Assistance

Getting product information

Refer to these sections for additional resources.

Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files that are installed with PGP Desktop. Online help is available within the PGP Desktop product. Release notes are also available, which may have last-minute information not found in the product documentation.

Once PGP Desktop is released, additional information regarding the product is entered into the online Knowledge Base available on the PGP Corporation Support Portal (

Contacting Technical Support

 To learn about PGP support options and how to contact PGP Technical

Support, please visit the PGP Corporation Support Home Page

http://www.pgp.com/support).

(

 To access the PGP Support Knowledge Base or request PGP Technical

Support, please visit PGP Support Portal Web Site (

https://support.pgp.com). Note that you may access portions of the

PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.

https://support.pgp.com).

 For any other contacts at PGP, please visit the PGP Contacts Page

http://www.pgp.com/company/contact/index.html).

(

PGP® Desktop 9.8 for Windows About PGP Desktop 9.8 for Windows

 For general information about PGP Corporation, please visit the PGP Web

Site (

http://www.pgp.com).

 To access the PGP Support forums, please visit PGP Support

(

http://forums.pgpsupport.com). These are user community support forums

hosted by PGP Corporation.

PGP Desktop Basics

This section describes the PGP Desktop terminology and provides some highlevel conceptual information on cryptography.

In This Chapter

PGP Desktop Terminology ...................................................................... 13

Conventional and Public Key Cryptography............................................. 16

Using PGP Desktop for the First Time .................................................... 17

PGP Desktop Terminology

To make the most of PGP Desktop, you should be familiar with the terms in the following sections.

PGP Product Components

PGP Desktop and its components are described in the following list. Depending on your license, you may not have all functionality available. See About PGP Desktop Licensing (on page

 PGP Desktop: A software tool that uses cryptography to protect your data

against unauthorized access. PGP Desktop is available for Mac OS X and Windows.

 PGP Messaging: A feature of PGP Desktop that automatically and

transparently supports all of your email clients through policies you control. PGP Desktop accomplishes this using a new proxy technology; the older plug-in technology is also available. PGP Messaging also protects many IM clients, such as AIM and iChat (both users must have PGP Messaging enabled).

 PGP Whole Disk Encryption: Whole Disk Encryption is a feature of

PGP Desktop that encrypts your entire hard drive or partition, including your boot record, thus protecting all your files when you are not using them. You can use PGP Whole Disk Encryption and PGP Virtual Disk volumes on the same system. You can protect whole disk encrypted drives with a passphrase or with a keypair on a USB token for added security.

7) for more information.

PGP® Desktop 9.8 for Windows PGP Desktop Basics

 PGP NetShare: A feature of PGP Desktop for Windows with which

you can securely and transparently share files and folders among selected individuals. PGP NetShare users can protect their files and folders simply by placing them within a folder that is designated as protected.

 PGP Keys: A feature of PGP Desktop that gives you complete control

over both your own PGP keys, and the keys of those persons with whom you are securely exchanging email messages.

 PGP Virtual Disk volumes: PGP Virtual Disk volumes are a feature of

PGP Desktop that let you use part of your hard drive space as an encrypted virtual disk. You can protect a PGP Virtual Disk volume with a key or a passphrase. You can even create additional users for a volume, so that people you authorize can also access the volume. The PGP Virtual Disk feature is especially useful on laptops, because if your computer is lost or stolen, the sensitive data stored on the PGP Virtual Disk is protected against unauthorized access.

 PGP Shred: A feature of PGP Desktop that lets you securely delete

data from your system. PGP Shred overwrites files so that even file recovery software cannot recover them.

 PGP Zip: A feature of PGP Desktop that lets you put any combination

of files and folders into a single encrypted, compressed package for convenient transport or backup. You can encrypt a PGP Zip archive to a PGP key or to a passphrase.

 PGP Universal: A tool for enterprises to automatically and transparently

secure email messaging for their employees. If you are using PGP Desktop in a PGP Universal-protected environment, your messaging policies and other settings may be controlled by your organization’s PGP administrator.

 PGP Global Directory: A free, public keyserver hosted by PGP

Corporation. The PGP Global Directory provides quick and easy access to the universe of PGP keys. It uses next-generation keyserver technology that queries the email address on a key (to verify that the owner of the email address wants their key posted) and lets users manage their own keys. Using the PGP Global Directory significantly enhances your chances of finding a valid public key of someone to whom you want to send secured messages. PGP Desktop is designed to work closely with the PGP Global Directory.

Terms Used in PGP Desktop

Before you use PGP Desktop, you should be familiar with the following terms:

 Decrypting: The process of taking encrypted (scrambled) data and making

it meaningful again. When you receive data that has been encrypted by someone using your public key, you use your private key to decrypt the data.

PGP® Desktop 9.8 for Windows PGP Desktop Basics

 Encrypting: The process of scrambling data so that if an unauthorized

person gets access to it, they cannot do anything with it. The data is so scrambled, it’s meaningless.

 Signing: The process of applying a digital signature to data using your

private key. Because data signed by your private key can be verified only by your public key, the ability to verify signed data with your public key proves that your private key signed the data and thus proves the data is from you.

 Verifying: The process of proving that the private key was used to digitally

sign data by using that person’s public key. Because data signed by a private key can only be verified by the corresponding public key, the fact that a particular public key can verify signed data proves the signer was the holder of the private key.

 Keypair: A private key/public key combination. When you create a PGP

“key”, you are actually creating a keypair. As your keypair includes your name and your email address, in addition to your private and public keys, it might be more helpful to think of your keypair as your digital ID—it identifies you in the digital world as your driver’s license or passport identifies you in the physical world.

 Private key: The key you keep very, very private. Only your private key can

decrypt data that was encrypted using your public key. Also, only your private key can create a digital signature that your public key can verify.

Caution: Do not give your private key, or its passphrase, to anyone! And

keep your private key safe.

 Public key: The key you distribute to others so that they can send

protected messages to you (messages that can only be decrypted by your private key) and so they can verify your digital signature. Public keys are meant to be widely distributed.

Your public and private keys are mathematically related, but there’s no way to figure out your private key if someone has your public key.

 Keyserver: A repository for keys. Some companies host keyservers for the

public keys of their employees, so other employees can find their public keys and send them protected messages. The PGP Global Directory

https://keyserver.pgp.com) is a free, public keyserver hosted by PGP

( Corporation.

 Smart cards and tokens: Smart cards and tokens are portable devices on

which you can create your PGP keypair or copy your PGP keypair. Creating your PGP keypair on a smart card or token adds security by requiring possession of the smart card or token in order to encrypt, sign, decrypt, or verify. So even if an unauthorized person gains access to your computer, your encrypted data is secure because your PGP keypair is with you on your smart card or token. Copying your PGP keypair to a smart card or token is a good way to use it away from your main system, back it up, and distribute your public key.

PGP® Desktop 9.8 for Windows PGP Desktop Basics

Conventional and Public Key Cryptography

Conventional cryptography uses the same passphrase to encrypt and decrypt

data. Conventional cryptography is great for data that isn’t going anywhere (because it encrypts and decrypts quickly). However, conventional cryptography is not as well suited for situations where you need to send encrypted data to someone else, especially if you want to send encrypted data to someone you have never met.

Public-key cryptography uses two keys (called a keypair) for encrypting and decrypting. One of these two keys is your private key; and, like the name suggests, you need to keep it private. Very, very private. The other key is your public key, and, like its name suggests, you can share it with the general public. In fact, you’re supposed to share.

Public-key cryptography works this way: let’s say you and your cousin in another city want to exchange private messages. Both of you have PGP Desktop. First, you both need to create your keypair: one private key and one public key. Your private key you keep secret, your public key you send to a public keyserver like the PGP Global Directory (keyserver.pgp.com), which is a public facility for distributing public keys. (Some companies have their own private keyservers.)

Once the public keys are on the keyserver, you can go back to the keyserver and get your cousin’s public key, and she can go to the keyserver and get yours (there are other ways to exchange public keys; refer to Working with PGP Keys (on page

41) for more information). This is important because to send an

encrypted email message that only your cousin can decrypt, you encrypt it using your cousin’s public key. What makes this work is that only your cousin’s private key can decrypt a message that was encrypted using her public key. Even you, who have her public key, cannot decrypt the message once it has been encrypted using her public key. Only the private key can decrypt data that was encrypted with the corresponding public key.

Your public and private keys are mathematically related, but there’s no feasible way to figure out someone’s private key if you just have a public key.

Learning More About Cryptography

For more information about cryptography, refer to An Introduction to Cryptography, which was installed on your system when PGP Desktop was

installed. It is available through the Start menu.

PGP® Desktop 9.8 for Windows PGP Desktop Basics

Using PGP Desktop for the First Time

PGP Corporation recommends the following procedure for getting started with PGP Desktop:

1 Install PGP Desktop on your computer.

If you are a corporate user, your PGP administrator may have specific installation instructions for you to follow or may have configured your PGP installer with certain settings. Either way, this is the first step.

2 Let the Setup Assistant be your guide.

To help you get started, after you install PGP Desktop and reboot your computer, the Setup Assistant appears. It assists with:

 Licensing PGP Desktop  Creating a keypair—with or without subkeys (if you do not already

have a keypair).

 Publishing your public key on the PGP Global Directory.  Enabling PGP Messaging  Giving you a quick overview of other features.

If your PGP Desktop installer application was configured by a PGP administrator, the Setup Assistant may perform other tasks.

3 Exchange public keys with others.

After you have created a keypair, you can begin sending and receiving secure messages with other PGP Desktop users (once you have exchanged public keys with them). You can also use the PGP Desktop diskprotection features.

Exchanging public keys with others is an important first step. To send them secure messages, you need a copy of their public key, and to reply with a secure message, they need a copy of your public key. If you did not upload your public key to the PGP Global Directory using the Setup Assistant, do so now. If you do not have the public key for someone to whom you want to send messages, the PGP Global Directory is the first place to look. PGP Desktop does this for you—when you send email, it finds and verifies the keys of other PGP Desktop users automatically. It then encrypts your message to the recipient public key, and sends the message.

4 Validate the public keys you get from untrusted keyservers.

PGP® Desktop 9.8 for Windows PGP Desktop Basics

When you get a public key from an untrusted keyserver, try to make sure that it has not been tampered with, and that the key really belongs to the person it names. To do this, use PGP Desktop compare the unique fingerprint on your copy of someone’s public key to the fingerprint on that person’s key (a good way to do that is by telephoning the key’s owner and having them read you the fingerprint information so that you can compare it). Keys from trusted keyservers like the PGP Global Directory have already been verified.

5 Start securing your email, files, and instant message (IM) sessions.

After you have generated your keypair and exchanged public keys, you can begin encrypting, decrypting, signing, and verifying email messages and files. The secure IM chat session feature generates its own keys automatically, so you can use this feature even before you generate your keypair. The only requirement is that you must be chatting with another PGP Desktop user for the chat session to be secured.

6 Watch for information boxes from the PGP Desktop Notifier feature to

appear.

As you send or receive messages, or perform other PGP Desktop functions, the PGP Desktop Notifier feature displays information boxes that appear in whichever corner of the screen you specify. These PGP Notifier boxes tell you the action that PGP Desktop took, or will take. After you grow familiar with the process of sending and receiving messages, you can change options for the PGP Notifier feature—or turn it off.

7 After you have sent or received some messages, check the messaging

logs to make sure everything is working correctly.

If you want more information than the Notifier feature displays, the Messaging Log provides detailed information about all messaging operations.

8 Modify your messaging policies, if necessary.

Email messages are sent and received—automatically and seamlessly—if PGP Desktop messaging policies are configured correctly. If your message recipient has a key on the PGP Global Directory, the default PGP Desktop policies provide opportunistic encryption. Opportunistic encryption means that, if PGP Desktop has what it needs (such as the recipient's verified public key) to encrypt the message automatically, then it does so. Otherwise, it sends the message in clear text (unencrypted). The default PGP Desktop policies also provide optional forced encryption. This means that, if you include the text “[PGP]” in the Subject line of a message, then the message must be sent securely. If verified keys cannot be found, then the message is not sent, and a Notifier box alerts you.

9 Start using the other features in PGP Desktop.

Along with its messaging features, you can also use PGP Desktop to secure the disks that you work with:

+ 297 hidden pages