PGP Whole Disk Encryption - 9.6.1 Deployment Guide

PGP® Whole Disk Encryption

Deployment Guide

Version Information

PGP Whole Disk Encryption Deployment Guide. Version 9.6.1. Released May 2007.

Copyright Information

Copyright © 1991–2007 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.

Trademark Information

PGP, Pretty Good Privacy, and the PGP logo are registered trademarks and Rest Secured is a trademark of PGP Corporation in the US and other
countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered
trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of
Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a
trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard
Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered
trademarks of Apple Computer, Inc. Symantec, the Symantec logo, and LiveUpdate are registered trademarks of Symantec Corporation. All other
registered and unregistered trademarks in this document are the sole property of their respective owners.

Licensing and Patent Information

The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST encryption algorithm is licensed
from Northern Telecom, Ltd. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563
by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a
Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP
Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal
Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject
matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.

Acknowledgments

This product includes or may include:

• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation,
developed by zlib (http://www.zlib.net
under the MIT License found at http://www.opensource.org/licenses/mit-license.html
freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. • Application server (http://www.jakarta.apache.org/
server (http://www.apache.org/
HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt
binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group
under an Apache 2.0-style license, available at http://www.castor.org/license.html
Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software
License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1
(JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html
the work of the Independent JPEG Group. (http://www.ijg.org/
MIT License http://www.opensource.org/licenses/mit-license.html
University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt
Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org
daemon developed by The FreeBSD Project, © 1994-2006. • Simple Network Management Protocol Library developed and copyrighted by Carnegie
Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. © 2001- 2003, Sun
Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and
Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html
by Network Time Protocol and copyrighted to various contributors. • Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP
Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The
OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html
developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgi-

bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. • PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released

under the BSD license. • Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at

http://www.opensource.org/licenses/ibmpl.php

BSD-style license, available at http://www.postgresql.org/about/licence
specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission.

). • Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted

. Copyright © 2007 by the Open Source Initiative. • bzip2 1.0, a

), web

), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse

. • Castor, an open-source, data-

. • Xalan, an open-source software library from the Apache Software

. • mx4j, an open-source implementation of the Java Management Extensions

. • jpeglib version 6a is based in part on

) • libxslt the XSLT C library developed for the GNOME project and distributed under the

. • PCRE version 4.5 Perl regular expression compiler, copyrighted and distributed by

. • BIND Balanced Binary Tree Library and Domain

) • Free BSD implementation of

. • NTP version 4.2 developed

. • Secure shell OpenSSH version 4.2.1

. • PostgreSQL, a free software object-relational database management system, is released under a

. • 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs

Export Information

Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau
of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.

Limitations

The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided
with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets
your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be
made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Contents

Overview 3

Who Should Read This Guide 3
Other Relevant Resources 4

Understanding PGP Whole Disk Encryption 5

About PGP Whole Disk Encryption 5
Components of a Typical PGP WDE Deployment 6
How Does PGP Whole Disk Encryption Work? 7
About PGP Universal Server 7

Major Steps 9

Preparation 11

Placing the PGP Universal Server in Your Network 12
Adding the PGP Universal Server to your Network 12

Deployment Options 12
Configuring your Firewall 13
Understanding Enrollment 14
Understanding the Two Enrollment Paths 14
Understanding the LDAP Directory Synchronization Feature 15
Understanding Policies 15
Preparing End-User Systems 16

Installation and Configuration 17

Before You Install 17
Installing the Server Software 17

Configuring the PGP Universal Server 19

Removing Unneeded Services 19
Setting Up Administrators 20
Establishing Backups 21
Securing your PGP Universal Server 21
Configuring Policies 22
Configuring the LDAP Directory Synchronization Feature 23
Configuring Enrollment 24

Email Enrollment 25

LDAP Directory Synchronization Enrollment 26

i

PGP® Whole Disk Encryption Contents

Establishing PGP WDE Client Settings 27

Key Settings for Your PGP WDE Clients 28

Key Generation Settings 28

Key Mode Settings 29

Options Settings 31
Establishing PGP Desktop Settings for Your PGP WDE Clients 33

The General Tab 33

The File & Disk Tab 36

The Licensing Tab 39
Other Internal User Policy Settings 40

Creating the PGP WDE Client Installer 41

Creating an Installer with Auto-Detect Policy 42
Creating an Installer with Preset Policy 43
Creating an Installer with No Policy Settings 45

Testing the PGP WDE Client Installer 47

Deploying the PGP WDE Client Installer 49

Assisting Your PGP WDE Users 51

The End-User Experience 53

During the Installation Process 53
During WDE Setup 54
During Normal Usage 55

Glossary 56

ii

1

Overview

This Guide describes how to create, deploy, and manage the PGP Whole Disk
Encryption (WDE) product in an enterprise environment, using the PGP
Universal Server product as the management server.

Some of the information in this Guide also applies to deploying any PGP
Desktop client product.

In This Chapter

Who Should Read This Guide.................................................................... 3

Other Relevant Resources ........................................................................ 3

Who Should Read This Guide

This Guide assumes you are an IT or messaging support professional who will
be performing one or more of the following deployment tasks:

 Setting up and configuring the PGP Universal Server as the management

server.

 Understanding and configuring PGP WDE client options.

 Creating, testing, and distributing the PGP WDE client installers.

 Preparing your end users for a successful installation.

This Guide assumes you have already read the PGP Universal Server
Administrator's Guide and have installed and used a PGP Universal Server in a

lab environment.

Note: PGP Corporation strongly recommends you take the time to
understand your goals for the software products available from PGP
Corporation and your organization's plans for them, both now and in the
future. The decisions you make now in deploying PGP WDE affect how you
can do things in the future. For example, your choice of key mode now will
impact decisions you make later.

3

PGP® Whole Disk Encryption Overview

Other Relevant Resources

Note: This document focuses on details surrounding deployment of the PGP

WDE product. However, the first step in deploying PGP WDE is to install and
configure the PGP Universal Server product, which you will use to manage
your PGP WDE clients. Deployment of the PGP Universal Server itself is
described at a very high level in this document. Refer to the PGP Universal
Administrator's Guide for detailed deployment information.

Use this PGP WDE Deployment Guide in conjunction with the following
resources:

 PGP Universal Administrator's Guide: The Administrator's Guide explains all

aspects of the PGP Universal Server you will be using as a management
server. Specifically, the PGP Universal Administrator's Guide describes
setting up and configuring your PGP Universal Server, using the server to
configure options for your PGP WDE clients, and creating PGP WDE client
installers.

 PGP WDE Quick Start Guide (QSG): The Quick Start Guide introduces you

to the features of the PGP WDE product. Consider distributing the PGP
WDE QSG to your end users to introduce them to the product.

 PGP Desktop User's Guide: The User's Guide explains all aspects of the

PGP WDE product. If you want more information about the PGP WDE
product than is provided in the PGP WDE QSG, consult the PGP Desktop
User's Guide.

 Online help: Both the PGP Universal Server and PGP WDE include built-in

online help.

 PGP Corporation Support forums: Visit the PGP Support forum

(http://forums.pgpsupport.com) for answers to frequently asked questions
about PGP WDE and PGP Universal.

4

Understanding PGP Whole

2

Disk Encryption

This chapter tells you about PGP WDE and shows a typical PGP WDE
deployment.

In This Chapter

About PGP Whole Disk Encryption............................................................ 5

Components of a Typical PGP WDE Deployment..................................... 6

How Does PGP Whole Disk Encryption Work?......................................... 7

About PGP Universal Server...................................................................... 7

About PGP Whole Disk Encryption

PGP WDE is a software product from PGP Corporation that secures files stored
on protected drives with transparent full disk encryption. If a protected system
is lost or stolen, data stored on the protected drive is completely inaccessible
without the proper authentication. For more information about the PGP WDE
product, see the PGP Desktop User's Guide.

The PGP WDE product also provides the following functionality for your users:

 Use part of your hard drive space as an encrypted virtual disk volume with

its own drive letter.

 Create secure, encrypted Zip archives.

 Put files and folders into a single encrypted, compressed archive that can

be opened on Windows systems that do not have PGP WDE or PGP
Desktop installed.

 Completely destroy files and folders so that even file recovery software

cannot recover them.

 Securely erase free space on your drives so that deleted data is truly

unrecoverable.

5

PGP® Whole Disk Encryption Understanding PGP Whole Disk Encryption

PGP WDE is both a product sold by PGP Corporation and a feature in several
PGP Corporation products.

When this Guide refers to "PGP WDE," it refers to the PGP WDE product. Bear
in mind, however, that "whole disk encryption" is only one feature of the PGP
WDE product.

Components of a Typical PGP WDE Deployment

The following are elements of a typical PGP WDE deployment:

1 PGP Whole Disk Encryption is a licensed component of the PGP Desktop

product. To deploy PGP WDE, you must install the PGP WDE software on
a client system via a customized installer you create using the PGP
Universal Server.

2 PGP Universal Server is a platform for creation and management of PGP

Corporation encryption applications, including PGP WDE. The PGP
Universal Server must be able to communicate with your PGP WDE clients
so that it can:

 provide a pre-configured installer for the system.

 enroll and bind the client to the server.

 provide and enforce policies.

 provide recovery options.

3 Directory/LDAP Server (for example, Active Directory). An LDAP server:

 provides an authentication mechanism during PGP WDE client

enrollment/installation.

 enables you to synchronize groups for policy application.

 leverages existing information about the user (email, DN, user certs,

and so on).

4 Your DNS server needs to be configured to support your PGP Universal

Server; be sure to coordinate with your IT group to ensure a successful
installation.

6

PGP® Whole Disk Encryption Understanding PGP Whole Disk Encryption

How Does PGP Whole Disk Encryption Work?

The following is an overview of the PGP WDE encryption process and
subsequent user experience.

1 The PGP WDE passphrase or token user...

2 ... encrypts the boot drive on their system automatically or manually.

3 The drive is transparently encrypted sector by physical sector.

4 Once encryption begins, and thereafter, the PGP WDE user must

authenticate via the BootGuard screen.

5 To access the system, the user enters a passphrase or inserts the USB

token and then authenticates.

6 If the Single Sign-On feature is enabled, the system automatically logs in to

Microsoft Windows.

System behavior is the same as it was prior to encryption.

About PGP Universal Server

PGP Universal Server is a platform for central management and deployment of

PGP Corporation encryption applications, including PGP WDE. You use the PGP
Universal Server to configure PGP WDE client options, provide custom policies
and settings for your PGP WDE users, create the client installers, and manage
the clients after installation (including Whole Disk Recovery Tokens for each
managed client, for example).

7

3

Major Steps

This Guide is organized into sections that correspond with the order PGP
Corporation recommends you use to deploy PGP WDE. Depending on your
environment, you may perform some of these tasks in a slightly different order.

This Guide covers the steps to take to configure and deploy PGP WDE clients
using a PGP Universal Server as the management server:

1 Preparation. Learn what you need to do before you install the PGP

Universal Server, including:

 where to put your PGP Universal Server in your network.

 what you need to know to add the PGP Universal Server to your

network.

 how to configure your firewall to support the PGP Universal Server.

 how to choose the enrollment method your PGP WDE users will use.

 how to set up LDAP directory synchronization (if applicable).

2 Installation and configuration. Describes the process of installing the

PGP Universal Server software and steps you through the configuration
wizard. All PGP Universal setups go through this process, but there are
some things specific to deployments.

3 Configuring the PGP Universal Server. Describes the features of your

PGP Universal Server that impact your deployment:

 directory synchronization

 enrollment

 administrative user email setup

 automated backups

 removal of unneeded services

 other desirable services

 policies

4 Setting PGP WDE client options. Summarizes the PGP WDE options you

control so that you can appropriately configure them to reflect your
organization's security requirements.

5 Creating the PGP WDE client installer. Describes the process of creating

the actual client installer executable.

6 Testing the client installer. Lists ways you can test your client installer

before full deployment.

9

PGP® Whole Disk Encryption Major Steps

7 Deploying the client installer to end users. Provides options for

deploying the client installer executable to your end users.

8 Assisting your users. Discusses some of the things you can do to help

prepare your end users for the new software they will be receiving.

10

4

Preparation

Preparation consists of things you need to do or to understand before you begin
installing your PGP Universal Server as your management server:

 Where to put your PGP Universal Server in your network.

 What you need to know to add the PGP Universal Server to your network.

 How to configure your firewall to support the PGP Universal Server.

 Understanding the LDAP Directory Synchronization feature.

 Understanding policy options.

 Understanding enrollment methods.

 Making sure the systems on which PGP WDE will be installed are

appropriately prepared.

In This Chapter

Placing the PGP Universal Server in Your Network................................. 12

Adding the PGP Universal Server to your Network................................. 12

Configuring your Firewall......................................................................... 13

Understanding Enrollment....................................................................... 14

Understanding the Two Enrollment Paths .............................................. 14

Understanding the LDAP Directory Synchronization Feature ................. 15

Understanding Policies ............................................................................ 15

Preparing End-User Systems................................................................... 16

11

PGP® Whole Disk Encryption Preparation

Placing the PGP Universal Server in Your Network

As a best practice, PGP Corporation recommends placing the PGP Universal
Server in your DMZ for use as a management server for your PGP WDE
deployment.

This allows both internal and external users access to the server (for example, if
you have laptop users who travel, you cannot count on them being on the VPN
when they install the PGP WDE client).

For details on the tasks involved in placing your server, see the PGP Universal
Administrator’s Guide.

Adding the PGP Universal Server to your Network

Once you have determined a network location for your PGP Universal Server,
you must do the following:

Note: You may need to consult with your network and/or system engineering

teams to support the deployment of your PGP Universal Server.

 Assign an appropriate IP address to the PGP Universal Server.

 Configure the appropriate subnet and gateway.

 Configure the appropriate hostname and DNS.

Deployment Options

There are other options to consider at this point:

 Do you want to replace the default self-signed server SSL certificate with a

Note: The use of forward and reverse DNS is required; using a host files
is not sufficient.

Make sure the DNS includes appropriate A and PTR records that are in
place prior to installation of the PGP Universal Server.

Also make sure the DNS is reachable by the PGP Universal Server in the
DMZ.

real SSL certificate?

PGP Corporation strongly recommends that you obtain a valid SSL/TLS
certificate for each of your PGP Universal Servers from a public Certificate
Authority (CA), such as GeoTrust, available at the PGP Online Store
(https://store.pgp.com/). This ensures that clients will have confidence in
establishing secure communications with your servers. An in-house CA will
not be recognized by the PGP WDE client.

12

PGP® Whole Disk Encryption Preparation

 Are you going to use DNS round robin or a load balancer with your PGP

Universal Server?

If so, acquire the proper number of IP addresses or VIP addresses required
for each machine in the cluster as well as proper DNS forward and reverse
pointers. Getting this information in advance will help to ensure a smooth
implementation.

Configuring your Firewall

The PGP WDE clients you are deploying will be in contact with your PGP
Universal Server management server on a regular basis. They must be able to
communicate with each other; otherwise, many aspects of your deployment
will not work. Also, the management server needs certain ports open on your
firewall for a variety of purposes.

Firewall changes should be done before you install the PGP Universal Server.

Specifically:

 Clients must be able to access the management server via HTTPS on port

443; allow traffic in both directions.

 The management server must be able to make LDAP and LDAPS queries

on ports 389 and 636, respectively, to the LDAP server you are using for
directory synchronization.

 If you are using email enrollment, no LDAP connectivity is required

internally, but external LDAP access may be required to support other PGP
WDE functionality; key lookups or file/folder encryption, for example.

 The management server needs Internet access on port 80 for updates and

licensing. Only outbound access on port 80 is required.

 Licensing can be done manually without Internet connectivity, but requires

pre-authorization from PGP Customer Support (support.pgp.com).

 The management server needs FTP or SCP access on ports 21 or 22,

respectively, for delivery of backups to an appropriate location.

 Regular backups are important to support the ability to recover from

unexpected failure of the PGP Universal Server. PGP Corporation strongly
recommends you set up regular schedule of backups of the data on your
PGP Universal Server.

 You will be configuring the PGP Universal Server you are using as a

management server via its web-based administrative interface using
HTTPS on port 9000, so this port needs to be open.

 Enabling SSH access to the management server on port 22 will give you

access should web-based access be down for some reason.

13

PGP® Whole Disk Encryption Preparation

 Notification emails from the management server to administrators of the

PGP Universal Server are sent via SMTP on port 25, so that port should be
open between the PGP Universal Server and the mail server that will
accept email from administrators.

Understanding Enrollment

PGP WDE clients synchronize with their PGP Universal Server during installation
via the PGP client enrollment process. Once enrolled with their PGP Universal
Server, clients receive encryption keys, policies, and management updates from
the PGP Universal Server. The enrollment process establishes the relationship
between the client and the server, binding the managed client to the specific
PGP Universal Server.

There are two methods for enrolling your PGP WDE users:

 LDAP Directory Synchronization: Requires that the LDAP Directory

Synchronization feature be enabled (and correctly configured) and the
Enroll clients using directory synchronization checkbox be selected on
the Directory Synchronization screen in the PGP Universal Server's
management interface. To enroll, the client will provide authentication
credentials to the LDAP directory specified in the LDAP Directory
Synchronization feature.

 Email: Requires only that the PGP WDE client and the management server

are able to communicate via SMTP email. This method is available for all
client installations, provided there is a usable email account on the client
system. This method is available even if the PGP Universal Server is not
performing email encryption. To enroll with a server, the client sends an
email to the PGP Universal Server. The PGP Universal Server will process
the email message and then send an email message back to the PGP WDE
client, which will use the return email to finalize the enrollment process,
and then continue with the installation.

Understanding the Two Enrollment Paths

There are two basic "paths" for deciding how to configure the LDAP Directory
Synchronization feature, policies, and enrollment methods:

 If you have an up-to-date LDAP directory server in your organization, you

will probably want to enable the LDAP Directory Synchronization feature
(and turn enrollment on), select Auto detect policies, and use the LDAP
Directory Synchronization feature for enrollment. This leverages the
information in your LDAP directory and simplifies the job of the
administrator.

14

PGP® Whole Disk Encryption Preparation

 If you do not have an up-to-date LDAP directory server in your organization,

you will want to keep the LDAP Directory Synchronization feature disabled,
select Preset policy, and use email enrollment.

Understanding the LDAP Directory Synchronization Feature

LDAP Directory Synchronization is a feature of PGP Universal which, if enabled
(it is disabled by default), can be used with your PGP WDE deployment.
Enabling this feature lets your PGP Universal Server query your organization's
LDAP directory server for information about users and import the appropriate
users, thus taking advantage of existing information about users and their
authentication credentials.

Note: Proper LDAP syntax must be used when you work with the LDAP
Directory Synchronization feature.

There are three LDAP Directory Synchronization configuration options:

 LDAP Directory Synchronization enabled, enrollment on. The specified

LDAP directory will be used to determine which users are in what groups
for the purposes of applying the appropriate policy and for enrollment.

 LDAP Directory Synchronization enabled, enrollment off. The specified

LDAP directory will be used to determine which users are in what groups
for the purposes of applying the appropriate policy, but not for enrollment
purposes. (Email enrollment will be used).

 Disabled. LDAP Directory Synchronization is disabled; the PGP Universal

Server will not check any LDAP directories in your organization either for
users to be imported or for enrollment. (Email enrollment will be used).

Understanding Policies

There are three methods available to determine how your PGP WDE users will
receive internal user policies from the PGP Universal Server; which one you
choose depends on your particular circumstances.

The three policy methods are:

 No policy. Your PGP WDE users can do anything their license allows; they

will not receive any policies from the PGP Universal management server.

 Auto detect policy. Your PGP WDE users are constrained by the policy

that applies to the LDAP directory group they are in. (This option requires
that you enable the LDAP Directory Synchronization feature.) Using this
policy option means that the most appropriate policy will be selected
automatically and applied for the LDAP directory group your users are in.
Users could have a different policy applied in the future if a new policy is
created that is more appropriate for their LDAP directory group.

15

PGP® Whole Disk Encryption Preparation

 Preset policy. Your PGP WDE users are constrained by the settings of the

selected preset policy , either default policy or a custom policy you create.
You can change the settings of the selected preset policy in the future and
the new settings will apply to the users constrained by the policy, with the
exception of actions taken at installation.

Preparing End-User Systems

PGP Corporation strongly recommends you check the PGP Desktop
Release Notes and PGP Universal Release Notes to make sure the systems
in your deployment environment are ready for installation of both the
server and WDE client.

 Make sure clients meet the listed minimum system requirements.

 Determine whether the email clients used in your environment are

supported clients.

 Verify that your anti-virus and firewall software is compatible.

 Review the list of known software conflicts and ensure you will not

encounter these in your deployment.

 Ensure that target client systems include scandisk (Windows chkdsk.exe,

for example, or SpinRite or Norton Disk Doctor, if available) and
defragmentation (Windows defrag.exe, for example, or PerfectDisk, if
available) software, for preparing their drives for installation of PGP WDE.

16