PGP Whole Disk Encryption Controller - 10.2 Instruction Manual

PGP Whole Disk Encryption Controller
User's Guide
10.2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 10.2.1. Last updated: April 2012.
Legal Notice
Copyright (c) 2012 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 350 Ellis Street Mountain View, CA 94043
Symantec Home Page (http://www.symantec.com)
Printed in the United States of America.
Contents

About PGP Whole Disk Encryption Controller 1
    Components of a Typical PGP Whole Disk Encryption Controller Solution 1
    About the PGP WDE Controller 2
    Important Terms 3
    Audience 3
    Technical Support 4
        Contacting Technical Support 4
        Licensing and registration 5
        Customer service 5
        Support agreement resources 6
Before You Install the PGP WDE Controller 9
    Before You Begin 9
    About PGP WDE Administrator Keys 11
    About the Shared Network Folder 12
    About Whole Disk Recovery Tokens 12
    About Single Sign-On 13
    About PGP BootGuard Customization 14
Installing the PGP WDE Controller 15
    System Requirements 15
    Installing the PGP WDE Controller 15
Working with the PGP WDE Controller 17
    Importing a PGP WDE Administrator Key 17
    Adding PGP WDE Licenses 18
    Specifying the Shared Network Folder Location 19
Establishing Client Settings on the PGP WDE Controller 21
    Reporting Tab 21
    Administrator Options Dialog Box 22
    Whole Disk Encryption Tab 22
    General Tab 25
    Key Management Tab 26
    File & Disk Tab 27
Creating and Testing Client Installers 29
    Before You Create Client Installers 29
    Creating Client Installers 29
    Testing Client Installers 30
Deploying 33
After Deployment 35
    Post-Deployment Considerations 35
    Updating Policy After Deployment 36
    Using a PGP WDE Administrator Key 37
    Using Whole Disk Recovery Tokens 38
    Viewing PGP WDE Event Information 39
    Migrating to a PGP Universal Server-Managed Environment 39
Index 41

1 About PGP Whole Disk Encryption Controller

PGP Whole Disk Encryption Controller is a software tool that provides full-disk encryption for your organization's Microsoft Windows systems.
PGP Whole Disk Encryption Controller has two parts:
• a management application, called PGP Whole Disk Encryption Controller, which you use to configure policy and create client installers that are pre-configured with established policy. Once deployed, the management application can also be used to view status reports on the deployment and create updated policies.
• client software, which installs PGP Whole Disk Encryption Controller onto the Windows systems of your users.
A PGP Whole Disk Encryption Controller can manage up to 100 client installations.
In This Chapter
Components of a Typical PGP Whole Disk Encryption Controller Solution..........1
About the PGP WDE Controller..................................................................................... 2
Important Terms ............................................................................................................. 3
Audience ........................................................................................................................... 3
Technical Support ........................................................................................................... 4

Components of a Typical PGP Whole Disk Encryption Controller Solution

The following are elements of a typical PGP Whole Disk Encryption Controller solution:
• PGP Whole Disk Encryption (WDE) Controller is a platform for creation and management of PGP WDE Workgroup Edition client software. The PGP WDE Controller:
  - installs on any Windows system in the network.
  - provides policies for the client installers.
  - creates the client installers.
  - maintains deployment reporting information.
• The client installer software is created by the PGP WDE Controller, then deployed to and installed onto the Windows systems of your users.
• Shared network folder (optional, but recommended). A Samba (SMB/CIFS) server that holds:
  - policy files, which are automatically downloaded and implemented by installed clients.
  - log files, for analysis by administrators.
  - WDRTs, for use when needed to access an encrypted drive.
  - system usage information, for analysis by administrators.
Related Topics
About the PGP WDE Controller (on page 2)
Important Terms (on page 3)
Audience (on page 3)
Technical Support (on page 4)
About the PGP WDE Controller
PGP WDE Controller is a standalone application that runs on recent versions of Microsoft Windows (see the System Requirements for supported versions).
It does not require its own computer, and there are no servers or databases to configure or manage. You can configure and deploy the client software with a basic knowledge of Microsoft Windows administration.
Install PGP WDE Controller on any Windows system in the same network as the systems to which the client software will be downloaded.
Note: Installing PGP WDE Controller and PGP Desktop on the same system makes it easier to create the PGP keypair you will use as the PGP WDE administrator key.
Once installed, use PGP WDE Controller to establish policy for the client installers. These policies are embedded into the client installers and are implemented when the software is installed onto the Windows systems of your users. Refer to the PGP WDE Controller online Help for information on each configuration option.
Updated policies can be created and saved to the network share location; installed clients (version 10.1 and greater) will automatically download and implement these new policies.
Note: If the LAN on which the system hosting PGP WDE Controller runs uses a proxy server (Tools > Internet Options > Connections > LAN Settings > Use a proxy server for your LAN is checked), then you must also check Bypass proxy server for local addresses in order for PGP WDE Controller to run.
Related Topics
Components of a PGP WDE Workgroup Edition Solution (see "Components of a Typical PGP Whole Disk Encryption Controller Solution" on page 1)
Important Terms (on page 3)
Audience (on page 3)
Technical Support (on page 4)

Important Terms

PGP WDE Workgroup Edition: A product from Symantec Corporation that includes the PGP WDE Controller application, client installers, and a shared network folder.
PGP WDE Controller: An application for creating and managing PGP WDE Workgroup Edition client software.
client installer: An installer application created by PGP WDE Controller that installs PGP WDE software on end users' Windows systems.
shared network folder: A shared folder on a network that holds information and files used to manage installed PGP WDE clients.
PGP Whole Disk Encryption: A software product from Symantec Corporation that secures files stored on protected drives with transparent full disk encryption. It also includes other encryption features.
full disk encryption: A security industry term for encryption of all data on a drive below the application layer.
Whole Disk Recovery Token: A feature of PGP WDE where a recovery token is created that can later be used to recover access to a drive if the normal authentication method is no longer available. In a PGP WDE Workgroup Edition environment, WDRTs are stored on the shared network folder.
PGP WDE administrator's key: A PGP WDE administrator key, used in conjunction with a smart card or token, logs in to a user's system at the PGP WDE BootGuard screen using two-factor authentication. This allows the administrator to access the system of a user if they are not available or willing to provide access.
Related Topics
Components of a Typical PGP WDE Workgroup Edition Solution (see "Components of a Typical PGP Whole Disk Encryption Controller Solution" on page 1)
About the PGP WDE Controller (on page 2)
Audience (on page 3)
Technical Support (on page 4)

Audience

This Guide assumes you are an IT or messaging support professional who will be performing one or more of the following tasks:
• Setting up and configuring PGP Whole Disk Encryption Controller as the management server for PGP WDE users.
• Understanding and configuring PGP WDE client options.
• Creating, testing, and deploying the PGP WDE client installers.
• Handling post-deployment issues.
Related Topics
Components of a Typical PGP WDE Workgroup Edition Solution (see "Components of a Typical PGP Whole Disk Encryption Controller Solution" on page 1)
About the PGP WDE Controller (on page 2)
Important Terms (on page 3)
Technical Support (on page 4)

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
• A range of support options that give you the flexibility to select the right amount of service for any size organization
• Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
• Upgrade assurance that delivers software upgrades
• Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
• Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
• Product release level
• Hardware information
• Available memory, disk space, and NIC information
• Operating system
• Version and patch level
• Network topology
• Router, gateway, and IP address information
• Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan customercare_apac@symantec.com
Europe, Middle-East, Africa semea@symantec.com
North America, Latin America supportsolutions@symantec.com
2 Before You Install the PGP WDE Controller

This section describes the things you should do before you install the PGP WDE Controller and also provides background information about a number of important features of PGP WDE.
In This Chapter
Before You Begin ............................................................................................................. 9
About PGP WDE Administrator Keys......................................................................... 11
About the Shared Network Folder ..............................................................................12
About Whole Disk Recovery Tokens ..........................................................................12
About Single Sign-On ...................................................................................................13
About PGP BootGuard Customization........................................................................14

Before You Begin

Before you install the PGP WDE Controller or deploy the client installers, complete these tasks:
• Create a PGP keypair with PGP Desktop to use as the PGP WDE administrator key.
  The PGP WDE administrator key has several purposes. During client installation, it is used to encrypt the WDRTs. After deployment, it is used for administrator access to the WDRTs, as well as providing an additional means of access (in combination with smart cards or tokens) to locked systems.
  Note: If you don't already have an existing installation of PGP Desktop to use to create the keypair, you need to install it. With the acquisition of PGP Corporation by Symantec Corporation, PGP operations is in the process of integrating with Symantec operations. To obtain a copy of PGP Desktop, use the second download link if the first link does not appear operational.
  To obtain PGP Desktop if needed:
  • Go to the PGP License and Entitlement Management System (LEMS) and log in (https://lems.pgp.com/account/login). Install the software using your PGP Whole Disk Encryption license. The PGP Desktop installer is posted in the PGP WDE Workgroup Edition section of the Download Center on LEMS.
  • Go to Symantec FileConnect (https://fileconnect.symantec.com/), select your language, and enter your serial number.
  Export the keypair to a file once you create it. Once exported, make sure the file is accessible to the system on which you intend to run PGP WDE Controller. This is necessary the first time you run PGP WDE Controller. You must import the file into PGP WDE Controller before you can create .MSI files. For instructions to create a PGP keypair with PGP Desktop, see "Creating a PGP Keypair," in the PGP Desktop User's Guide.
• Create an accessible shared folder on the network.
  This folder stores the log files, WDRTs, and updated policies for all of the PGP Whole Disk Encryption installations. The shared folder must be accessible by all installations of the deployment, and should be Common Internet File System (CIFS) compliant.
  Although using a shared folder is highly recommended, it is not required. When not using a shared folder, for example in a very small workgroup situation where a share is unavailable, the WDRTs are encrypted to the PGP WDE administrator key and stored on the local disk. In these situations, you might need to instruct the user to send the WDRT to the administrator for safekeeping in the event the user loses the passphrase or needs help accessing the system.
  Note: When not using a shared folder, both WDRTs and log files are stored on the local disk of the client system. The WDRTs are stored in the user’s application data directory at \Documents and Settings\User Name\Application Data\PGP Corporation\PGP\WDRT\. The log files are stored in \Documents and Settings\User Name\Application Data\PGP Corporation\PGP\.
  When using such a shared folder, make sure the systems on which you are installing PGP Whole Disk Encryption are on the network at the time of initial encryption so that the WDRT is successfully delivered to the shared folder. If the system is not on the network, the WDRT gets encrypted to the PGP WDE administrator key and is queued to be sent the next time it connects to the network. In such a situation, if the user forgets their passphrase before the WDRT gets delivered to the share, the user is prevented from using a WDRT remotely, leaving a PGP WDE administrator key (used with a smart card or token) as the only option for remote access.
• Make sure your license information is accessible from the system on which you intend to run PGP WDE Controller.
  When you purchased the product, you received an email order confirmation with an attached .PDF file. Make a note of the name, organization, and license number you received in the email order confirmation. These are shown in the section titled Important Note in the .PDF. Your license number also appears on the download page of your PGP product.
• Place the PGPWholeDiskEncryptionController.exe file in an accessible location on the system from which you intend to run PGP WDE Controller.
• Create backups of the systems to which you intend to deploy PGP WDE.
Related Topics
About PGP WDE Administrator Keys (on page 11)
About the Shared Network Folder (on page 12)
About Whole Disk Recovery Tokens (on page 12)
About Single Sign-On (on page 13)
About PGP BootGuard Customization (on page 14)

About PGP WDE Administrator Keys

If you need to perform maintenance or other tasks on a user's system, a PGP WDE administrator key eliminates the need to request the user's passphrase. A PGP WDE administrator key, used in conjunction with a smart card or token, logs in to a user's system at the PGP WDE BootGuard screen using two-factor authentication. Once you have logged in like this at the PGP BootGuard screen, you can then log on to the user's system using your administrator user name and password.
The benefits of using two-factor authentication to access a user's system are:
• Each administrator has a unique token that allows access to systems encrypted with PGP Whole Disk Encryption.
• Because both the smart card or token and a PIN are required to access the system, security is maintained if the smart card or token is lost or stolen.
Note: If you want to add an administrator key to systems that have already been encrypted, or if you want to change the administrator key after deployment, you must create a new .MSI file with the desired key and redeploy the product as needed.
Supported Smart Cards and Tokens
These smart cards and tokens can be used for the PGP WDE administrator key:
ActivIdentity ActivClient CAC cards, 2005 models
Aladdin eToken 64K, 2048 bit RSA-capable
Aladdin eToken PRO USB Key 32K, 2048 bit RSA-capable
Aladdin eToken PRO without 2048-bit capability (older smart cards)
Athena ASEKey Crypto USB Token
Athena ASECard Crypto Smart Card
EMC RSA SecurID SID800 Token
Charismathics CryptoIdentity plug 'n' crypt Smart Card only stick
S-Trust StarCOS smart card
SafeNet iKey 3000
Supported smart card readers
Use any of the supported smart cards with any chip/smart card interface device (CCID) smart card reader. However, only these smart card readers were tested by Symantec Corporation:
OMNIKEY CardMan 3121 USB for desktop systems
OMNIKEY CardMan 6121 USB for mobile systems
ActivIdentity USB 2.0 reader
Reiner SCT CyberJack pinpad
Athena ASEDrive IIIe USB reader
Note: Check the technical specifications for PGP Whole Disk Encryption for updates to the list of supported smart cards, tokens, and smart card readers.
Related Topics
Before You Begin (on page 9)
About the Network Share (see "About the Shared Network Folder" on page 12)
About Whole Disk Recovery Tokens (on page 12)
About Single Sign-On (on page 13)
About PGP BootGuard Customization (on page 14)
About the Shared Network Folder
To hold logging information, WDRTs, and updated policies for the PGP Whole Disk Encryption deployment, you must create a share on your network. The share must be accessible by all installations of the deployment. The share, and the server hosting it, should be Common Internet File System (CIFS) compliant.
After deploying the PGP Whole Disk Encryption .MSI file with the embedded location of the shared folder, a folder is created for each computer named with the following format: machine name-machine guid. This folder contains all logging information, WDRTs, and updated policies for all devices associated with the computer.
If you want to change this shared folder location or credentials to access it after deployment, you have two options: if you have configured automatic policy updates, you simply create a new policy with the updated information and it will automatically be downloaded and implemented by the installed clients. If you did not configure automatic policy updates, you must create a new .MSI file with the new location embedded, and use it to redeploy the product.
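As an added example (not part of the PGP WDE product or its documentation), the following Python script audits an offline listing of the share root: it parses the per-computer folder names of the form machine name-machine guid described above, flags folders that have not been written to for longer than a threshold (on the assumption, not stated in the guide, that the folder's modification time reflects the client's last log or WDRT write, so a long-silent client deserves a check that its WDRT was delivered and that it is picking up policy updates), lists entries that are not per-computer folders, and groups machine names that appear under more than one GUID (for example, after reimaging). The folder names, GUIDs, timestamps and the 30-day threshold are constructed sample data.

```python
"""Offline audit of the per-computer folders in a PGP WDE shared network folder.

Added example, not PGP WDE product code. Assumptions not stated in the guide:
the folder modification time reflects the client's last write, and the machine
GUID in the folder name may appear braced or unbraced.
"""
import re
from datetime import datetime, timedelta

# "<machine name>-<machine guid>": the machine name may itself contain hyphens,
# so the GUID is anchored at the end of the string and the name matched lazily.
FOLDER_RE = re.compile(
    r"^(?P<name>.+?)-\{?"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
    r"\}?$"
)


def parse_client_folder(folder_name):
    """Return (machine_name, guid_lowercase) for a per-computer folder, or None."""
    match = FOLDER_RE.match(folder_name)
    if match is None:
        return None
    return match.group("name"), match.group("guid").lower()


def audit_share_root(entries, now, max_age=timedelta(days=30)):
    """Classify share-root entries given as (folder_name, last_write_time) pairs.

    Returns a dict with:
      clients        - {guid: (machine_name, last_write_time)}
      stale          - [(machine_name, guid, age_in_days)] not written within max_age
      unrecognized   - [folder_name] entries that are not per-computer folders
      multiple_guids - {machine_name: [guid, ...]} names seen under more than one GUID
    """
    clients, stale, unrecognized, by_name = {}, [], [], {}
    for folder_name, last_write in entries:
        parsed = parse_client_folder(folder_name)
        if parsed is None:
            unrecognized.append(folder_name)
            continue
        name, guid = parsed
        clients[guid] = (name, last_write)
        by_name.setdefault(name, []).append(guid)
        age = now - last_write
        if age > max_age:
            stale.append((name, guid, age.days))
    multiple = {n: sorted(g) for n, g in by_name.items() if len(g) > 1}
    return {
        "clients": clients,
        "stale": sorted(stale),
        "unrecognized": sorted(unrecognized),
        "multiple_guids": multiple,
    }


# Constructed sample listing of a share root (names, GUIDs and times are made up).
SAMPLE_NOW = datetime(2012, 4, 30, 12, 0, 0)
SAMPLE_ENTRIES = [
    ("SALES-LT-01-3f2504e0-4f89-11d3-9a0c-0305e82c3301", SAMPLE_NOW - timedelta(days=2)),
    ("HR-DESKTOP-7-{9b2d8e6a-1c4f-4a3b-8e2d-5f6a7b8c9d0e}", SAMPLE_NOW - timedelta(days=45)),
    # Same machine name under a second GUID, as after the machine was reimaged.
    ("SALES-LT-01-7c9e6679-7425-40de-944b-e07fc1f90ae7", SAMPLE_NOW - timedelta(days=1)),
    ("Thumbs.db", SAMPLE_NOW),
    ("policies", SAMPLE_NOW - timedelta(hours=3)),
]


def run_sample():
    """Audit the constructed sample listing and return the report."""
    return audit_share_root(SAMPLE_ENTRIES, SAMPLE_NOW)


if __name__ == "__main__":
    report = run_sample()
    print(f"{len(report['clients'])} per-computer folders found")
    for name, guid, days in report["stale"]:
        print(f"STALE      {name} ({guid}): last write {days} days ago")
    for name, guids in report["multiple_guids"].items():
        print(f"MULTIPLE   {name}: {', '.join(guids)}")
    for entry in report["unrecognized"]:
        print(f"UNEXPECTED {entry}")
```

To run it against a real share, replace SAMPLE_ENTRIES with the folder names and modification times read from the share root.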
Related Topics
Before You Begin (on page 9)
About PGP WDE Administrator Keys (on page 11)
About Whole Disk Recovery Tokens (on page 12)
About Single Sign-On (on page 13)
About PGP BootGuard Customization (on page 14)

About Whole Disk Recovery Tokens

Whole disk recovery tokens (WDRTs) are a means by which an encrypted device is accessed once a user has been locked out or has forgotten their password. This is especially valuable when the device is not in the same location as the administrator.
In a PGP Whole Disk Encryption Controller environment, these are stored in a shared folder on the network that also holds the log files for the computer.
WDRTs are associated with encrypted drives, not single computers or single users. A single computer can be associated with multiple encrypted drives. If multiple users have accounts on the same drive, they share the same whole disk recovery token. Whatever you do with the token affects all users sharing that drive. Each encrypted drive has only one whole disk recovery token.
Related Topics
Before You Begin (on page 9)
About PGP WDE Administrator Keys (on page 11)
About the Shared Network Folder (on page 12)
About Single Sign-On (on page 13)
About PGP BootGuard Customization (on page 14)
About Single Sign-On
PGP Whole Disk Encryption includes the Single Sign-On (SSO) feature. It synchronizes the PGP Whole Disk Encryption authentication with the one required by Microsoft Windows when a user boots a computer. Once a disk or boot partition is encrypted, the next time the user starts the system, the PGP BootGuard screen appears immediately upon startup. Logging in at this point also logs the user into the Windows session. The user does not have to log in twice.
Microsoft Windows has a few methods available by which other companies can customize the Windows login experience. One method is the Graphical Identification and Authentication (GINA) dynamic-link library (DLL), the pluggable part of WinLogon, which third parties can replace to customize login functionality or the login user interface. GINA can be used to create, for example, biometric login methods, or smart card logins.
The PGP Whole Disk Encryption Single Sign-On (SSO) feature does not use GINA, as there are certain compatibility issues with GINA. For example, it is possible to have multiple, conflicting GINAs on the same system. Instead, SSO uses another method, the Windows Automatic Login feature. PGP Desktop uses your configured authentication information to create, dynamically, specific registry entries when you attempt to log in. Your Windows password is never stored in the registry, nor in any form on the disk, neither encrypted nor as clear text.
Implementation details differ between the various versions of Microsoft Windows, but user interaction with the feature is the same, regardless of Windows platform.
The SSO feature is not compatible with other GINAs. You might encounter some issues if you attempt to use SSO in conjunction with another GINA.
Related Topics
Before You Begin (on page 9)
About PGP WDE Administrator Keys (on page 11)
About the Shared Network Folder (on page 12)
About Whole Disk Recovery Tokens (on page 12)
About PGP BootGuard Customization (on page 14)

About PGP BootGuard Customization

Once installed, you can customize the PGP BootGuard screen of PGP Whole Disk Encryption with:
• Text. You can replace the default text, "Forgot your passphrase? Please contact your IT department or Security Administrator."
• Custom background images of the splash and login screens.
• Audio cues that can help vision-impaired users more easily navigate PGP BootGuard authentication.
In a PGP Whole Disk Encryption Controller environment, PGP BootGuard can be customized only with PGP Whole Disk Encryption Command Line. For complete information, see PGP Whole Disk Encryption Command Line User's Guide.
Related Topics
Before You Begin (on page 9)
About PGP WDE Administrator Keys (on page 11)
About the Shared Network Folder (on page 12)
About Whole Disk Recovery Tokens (on page 12)
About Single Sign-On (on page 13)

3 Installing the PGP WDE Controller

This section describes the system requirements for and how to install the PGP WDE Controller.
In This Chapter
System Requirements...................................................................................................15
Installing the PGP WDE Controller ............................................................................15

System Requirements

PGP WDE Controller runs on any computer with:
• 32-bit versions of Microsoft Windows XP, Windows Vista, or Windows 7.
• 64-bit versions of Microsoft Windows XP, Windows Vista, or Windows 7 (under 32-bit emulation).
• Microsoft Internet Explorer version 6.0 or later.
  Note: The zone security level in Internet Explorer must be set to Medium or lower on the Security tab of Internet Options (from the Tools menu), otherwise PGP WDE Controller does not run.
An installation of PGP Desktop with which to create a PGP keypair for use as a PGP WDE administrator key is also required. You will also need this installation on an ongoing basis to access and manage whole disk recovery tokens (WDRTs).
If the LAN on which the system hosting PGP Whole Disk Encryption Controller runs uses a proxy server (Tools > Internet Options > Connections > LAN Settings > Use a proxy server for your LAN is checked), then you must also check Bypass proxy server for local addresses in order for PGP Whole Disk Encryption Controller to run.
Related Topics
Installing the PGP WDE Controller (on page 15)

Installing the PGP WDE Controller

To install the PGP WDE Controller:
1 Double click the PGPWholeDiskEncryptionController.exe installer application.
2 If a security warning dialog appears, click Run.
3 Read the software agreement text, then click I Agree.
The Reporting Tab of the PGP WDE Controller application appears.
Related Topics
System Requirements (on page 15)
4 Working with the PGP WDE Controller

Once the PGP WDE Controller application is installed, do the following before creating client installers:
• Import a PGP WDE administrator key.
• Add your PGP WDE licenses.
• Specify a shared network folder location.
• Establish the settings for the client installers.
In This Chapter
Importing a PGP WDE Administrator Key ................................................................17
Adding PGP WDE Licenses ..........................................................................................18
Specifying the Shared Network Folder Location......................................................19

Importing a PGP WDE Administrator Key

Use this procedure to import the public key that will be used to access any whole disk encrypted system on which PGP Whole Disk Encryption was installed from an MSI file created with that key. You may need such access if a user is unable or unwilling to log in to the system.
If you want to add or change the administrator key after deployment, you must create a new policy file that includes the new key and save it to the network share folder (where it will be automatically downloaded and implemented by the installed clients). Therefore, Symantec Corporation recommends importing the desired key before you begin creating .MSI files with PGP Whole Disk Encryption Controller.
To import a public key to use as an administrator key:
1 Create a key (for example, AdminSales) using PGP Desktop. For more information on creating a key, see the PGP Desktop User's Guide.
Note: Creating a PGP WDE administrator key requires access to PGP Desktop.
Do not specify a preferred keyserver for this key. If you do specify a keyserver on the key, you must upload and publish the key to the specified keyserver.
2 Launch the PGP Whole Disk Encryption Controller executable, and then click Change... next to Administrator Options. The Administrator Options dialog box appears.
3 Click Import, then browse to the file of the public key you are importing (use PGP Desktop to export this file if it does not already exist), select the file, and then click Open.
4 Click Finish.
5 Copy the key to a smart card or token using PGP Desktop. The same key can be copied to multiple tokens. Each token should have its own unique PIN.
Note: To access the whole disk encrypted drive via the token-based user, the private key must be on a supported token/smart card. Use PGP Desktop to either create a keypair on or copy a keypair to a supported token/smart card. For more information, see the PGP Desktop User's Guide.
Related Topics
Adding PGP WDE Licenses (on page 18)
Specifying the Shared Network Folder Location (on page 19)
Adding PGP WDE Licenses
Before you can create PGP WDE client installers using PGP WDE Controller, you must add PGP WDE licenses to the PGP WDE Controller. Without valid licenses, PGP WDE Controller will not create client installers.
If you need to change to a different license number on existing installations of PGP Whole Disk Encryption, you must either create a new policy file that includes the new license number and save it to the network share folder (where it will be automatically downloaded and implemented by the installed clients), or change the license directly from PGP Desktop on the local systems. (If you are not using automatic policy updates, you must create a new .MSI file and redeploy it to your clients or change the license on the local systems.)
However, if you're only adding new computers to an existing deployment, simply create a new .MSI file with the new license, and deploy PGP Whole Disk Encryption to the additional systems with the new .MSI file.
Before you begin
When you purchased the product, you received an email order confirmation with an attached .PDF file. Make a note of the name, organization, and license number you received in the email order confirmation. These are shown in the section titled Important Note in the .PDF. Your license number also appears on the download page of your PGP product.
To add a PGP WDE license:
1 Launch PGP Whole Disk Encryption Controller.
2 Click Change... next to Licensing. The Licensing dialog box appears.
3 Type the Name and Organization exactly as specified in your PGP email order confirmation PDF.
4 Type the email address you want to assign to the licensing of the product.
5 Type the email address again to confirm it.
6 Click Next.
7 Enter your 28-character license number in the provided fields (for example, DEMO1-DEMO2-DEMO3-DEMO4-DEMO5-ABC).
Note: To avoid typing errors and make the authorization easier, copy the entire license number, put the cursor in the first License Number field, and paste. Your license number will be correctly entered into all six License Number fields.
8 Click Next to authorize.
9 When the license is authorized, click Next, and then click Finish to complete the process.
Related Topics
Importing a PGP WDE Administrator Key (on page 17)
Specifying the Shared Network Folder Location (on page 19)
Specifying the Shared Network Folder Location
You can embed the location of a shared network folder into the PGP WDE client installers. This location is used to store logs, WDRTs, and updated policies for all installations of PGP WDE.
Note: If you want to change this shared folder location or the credentials used to access it after deployment, you have two options: if you have configured automatic policy updates, simply create a new policy with the updated information and it will automatically be downloaded and implemented by the installed clients. If you did not configure automatic policy updates, you must create a new client installer with the new location embedded, and use it to redeploy the product.
Before you begin
Create a shared folder on a server that is accessible to all intended installations of PGP Whole Disk Encryption.
To specify the shared folder location in PGP Whole Disk Encryption Controller:
1 Launch PGP Whole Disk Encryption Controller.
2 Click Change... next to Administrator Options. The Administrator Options dialog box appears.
3 Type the path to the shared folder in Network Path (for example, 'smb://user:password@server/share').
Note: The credentials used in the path must have write access to the shared folder. Because the path, including the password, is embedded in every client installer you create, use a dedicated account that has write access to this folder and nothing else, and treat the resulting .MSI files as sensitive.
4 Click Finish.
Until you change this location, the location is embedded into any .MSI files created with PGP Whole Disk Encryption Controller. When the product is installed on a computer with the .MSI file, a folder for that computer is created within the shared folder. The logs, WDRTs, and updated policies are stored in this folder.
Related Topics
Importing a PGP WDE Administrator Key (on page 17)
Adding PGP WDE Licenses (on page 18)

Chapter 5: Establishing Client Settings on the PGP WDE Controller

This section describes the tabs and options you can set in the PGP Whole Disk Encryption Controller administration console.
In This Chapter
Reporting Tab (on page 21)
Whole Disk Encryption Tab (on page 22)
General Tab (on page 25)
Key Management Tab (on page 26)
File & Disk Tab (on page 27)

Reporting Tab

Use this page to learn more about the status of your deployment, and access licensing and administrative options.
Number of Licenses: Displays the number of systems in your organization that are licensed for PGP Whole Disk Encryption.
Systems with Whole Disk Recovery Tokens: Displays the number of systems that have sent whole disk recovery tokens to the shared folder.
Systems not Encrypted: Displays the number of systems that do not have corresponding WDRTs, which usually indicates they are not encrypted.
If the number of systems with WDRTs and the number of systems not encrypted together exceed the number of licenses you have, you may need to acquire additional licenses.
Change... (Administrative Options): Returns you to the Administrative Options dialog box, where you import administrator keys and set the location of the SMB share used for reporting.
Change... (Licensing): Returns you to the Licensing dialog box, where you enter all of the license details.
Save Client: Creates the MSI file with embedded policy based on all of the current selections.
Related Topics
Administrator Options Dialog Box (on page 22)
Whole Disk Encryption Tab (on page 22)
General Tab (on page 25)
Key Management Tab (on page 26)
File & Disk Tab (on page 27)

Administrator Options Dialog Box

Use this dialog box to import an administrator key and set the location of your shared folder where logging information and whole disk recovery tokens are stored (recommended).
Import... (Administrator Key): To import the public key, click Import and do one of the following:
Select Import Public Key File, click Browse to navigate to the file of the public key you are importing (use PGP Desktop to export this file if it does not already exist), select the file, click Open, then click Import.
Select Import Public Key Block, paste the key block of the public key you are importing, then click Import.
To access the whole disk encrypted drive via the token-based user, the private key must be on a supported token/smart card. Use PGP Desktop to either create a keypair on or copy a keypair to a supported token/smart card. For more information, see the PGP Desktop User's Guide.
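Before pasting a key block into this dialog (or choosing a key file in the procedure "Importing a PGP WDE Administrator Key" above), it is worth checking that the block really is the public half of the administrator keypair and recording its fingerprint, so that the key you later copy to a smart card or token, and the one you use to decrypt WDRTs, can be matched against what was embedded in the installers. The following Python is an added example, not code from this guide or from PGP Desktop: it parses an ASCII-armored OpenPGP block with the standard library following the RFC 4880 packet format, refuses anything that is not a version 4 public-key packet (including a private key block mislabelled as public), verifies the armor checksum, and computes the v4 fingerprint. The block it builds for demonstration is a constructed packet with dummy RSA values, not a real key.

```python
import base64
import hashlib
import re
import struct

SECRET_KEY_TAG, PUBLIC_KEY_TAG = 5, 6   # OpenPGP packet tags, RFC 4880 section 4.3


def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packet: bytes, kind: str) -> str:
    """Wrap raw packet bytes in ASCII armor of the given kind."""
    b64 = base64.b64encode(packet).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{lines}\n={check}\n-----END PGP {kind}-----\n"


def dearmor_public_block(text: str) -> bytes:
    """Strip armor, insisting on a PUBLIC KEY BLOCK with a valid checksum."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END PGP \1-----", text, re.S)
    if not m:
        raise ValueError("not an ASCII-armored PGP block")
    kind, lines = m.group(1), [line.strip() for line in m.group(2).split("\n")]
    if kind != "PUBLIC KEY BLOCK":
        raise ValueError(f"expected a PUBLIC KEY BLOCK, got a {kind}")
    if "" in lines:                                  # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    packet = base64.b64decode("".join(line for line in lines if line and not line.startswith("=")))
    checks = [line[1:] for line in lines if line.startswith("=")]
    if checks and int.from_bytes(base64.b64decode(checks[0]), "big") != crc24(packet):
        raise ValueError("armor checksum mismatch: block is corrupted or truncated")
    return packet


def first_packet(data: bytes):
    """Return (tag, body) of the first packet; handles old- and new-format headers."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("invalid packet header")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not supported here")
    else:                                            # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length is not supported here")
        width = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + width], "big"), 1 + width
    return tag, data[off:off + length]


def check_admin_public_key(armored: str) -> dict:
    """Confirm the block is a v4 public key and return its fingerprint and key ID."""
    tag, body = first_packet(dearmor_public_block(armored))
    if tag == SECRET_KEY_TAG:
        raise ValueError("block holds a SECRET key packet: never embed the private key")
    if tag != PUBLIC_KEY_TAG:
        raise ValueError(f"first packet has tag {tag}, not a public-key packet")
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    # v4 fingerprint: SHA-1 over 0x99, the two-byte body length and the body (RFC 4880 section 12.2)
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {"created": struct.unpack(">I", body[1:5])[0], "algorithm": body[5],
            "fingerprint": fp, "key_id": fp[-16:]}


def build_sample_block(secret: bool = False, kind: str = None) -> str:
    """Constructed sample: a minimal v4 RSA key packet with dummy MPIs (not a real key)."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1334000000) + b"\x01" + mpi((1 << 2047) | 12345) + mpi(65537)
    tag = SECRET_KEY_TAG if secret else PUBLIC_KEY_TAG
    packet = bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body
    return armor(packet, kind or ("PRIVATE KEY BLOCK" if secret else "PUBLIC KEY BLOCK"))
```

Run check_admin_public_key on the text you intend to paste (for example the contents of the exported .asc file) and keep the fingerprint it prints with your deployment records; a block that raises should not be imported. Only the first packet is inspected because that is the one whose fingerprint identifies the key; user IDs, signatures and subkeys follow it.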
Network Path: Type the path to the shared folder on the file server that will collect the logging information (for example, 'smb://user:password@server/share'). Make sure you use a location that is accessible by all installations of the deployment, and that the credentials used in the path have write access to the shared folder. The path, including the password, is embedded in every client installer created afterwards, so use an account dedicated to this folder.
Encrypt Windows WDE disks to a Disk Administrator Passphrase: Allows for the creation of an administrator passphrase that can be used to authenticate at PGP BootGuard if one of your PGP WDE users forgets their passphrase. When checked, a box appears; enter the desired passphrase in the box. The same passphrase is embedded in every installer created with it and therefore unlocks every disk encrypted by those installers, so guard it accordingly.
Note: Creating a Disk Administrator Passphrase is not compatible with automatically updating policy.
Report information on encrypted machines for PGP support purposes: Allows for information about PGP Whole Disk Encrypted systems to be sent to Symantec Corporation for support purposes.
Privacy: Click to view Symantec Corporation's privacy policy.
Related Topics
Reporting Tab (on page 21)

Whole Disk Encryption Tab

Use this page to configure user permissions and PGP Whole Disk Encryption preferences that are embedded into the MSI file.
Allow User Management: Selecting this option means a user can add or remove other passphrase users from the user's device.
Allow Encryption: Selecting this option means users can initiate encryption of internal and/or removable disks. Automatic disk encryption during setup is not affected by this policy.
Allow Decryption: Selecting this option means users can initiate decryption of internal and/or removable disks. If you do not enable this option, users cannot decrypt disks. Decryption after license expiration is not affected by this policy.
Store decryption policy on fixed disks: When selected, the policy that specifies whether users can initiate decryption of the disk is stored on the encrypted disk itself. If that stored policy denies decryption, current and future versions of PGP Whole Disk Encryption, as well as Windows PE tools and other recovery methods, are all prevented from decrypting the disk. This information is not stored on removable devices.
Allow encryption of disks to existing Windows Single Sign-On password: The Single Sign-On (SSO) feature of PGP Desktop lets your users log in to PGP Desktop and Windows at the same time. Allow lets your users decide whether or not to use SSO, Deny prevents them from using it, and Force requires them to use it.
Note: The Single Sign-On feature can be leveraged to align PGP Desktop passphrase quality with your corporate password quality requirements.
Automatically encrypt <volume type> at installation: When selected, forces whole disk encryption of the boot disk, only the boot partition, or only the Windows partition when PGP Desktop is installed. Deselect to disable this feature.
Require <authentication method>: When selected, you must specify a required method for securing the whole disk encrypted drive. This option is active only if Automatically encrypt boot disk at installation is selected.
Options include:
Trusted Platform Module (TPM): Requires that a system with a hardware TPM be used to secure the drive. The drive is not whole disk encrypted if a hardware TPM is not present.
Standard passphrase authentication: Requires that standard passphrase authentication be used to secure the drive. This is the default setting.
Supported smart cards for hardware security: Requires that a supported smart card be used to secure the drive. The drive cannot be whole disk encrypted until a supported smart card is provided; for example, an Aladdin eToken. The smart card must be configured before attempting to use it to secure a drive, and the system must already have the appropriate drivers installed. Keys created on smart cards and tokens are not compatible with PGP Desktop's key reconstruction feature.
Force maximum CPU Usage: When selected, whole disk encrypting a drive is faster because more CPU cycles are used. Deselect to prevent extra CPU cycles from going to whole disk encryption. Some systems might experience lag during usage when Maximum CPU Usage is enabled. You can only select this option if Automatically encrypt boot disk upon installation is selected.
Force power failure safety: When selected, in the event of a power failure during whole disk encryption of a drive, the system can recover the data and restart encryption. Deselect to disable this feature. Initial encryption takes longer when Power Failure Safety is enabled. You can only select this option if Automatically encrypt boot disk upon installation is selected.
Lock passphrase user accounts after X failed login attempts: Type in how many failed login attempts can occur before the encrypted disk is locked. The minimum is three; you cannot lock out a user before three failed attempts.
If the disk is locked, all passphrase users lose access: every account on the disk is locked, and users cannot log in again without a WDRT or other token. An administrator with a PGP Whole Disk Encryption administrator key can also unlock the disk. Once one user logs in with a WDRT or other token, the disk unlocks and all passphrase users can log in again. Without a WDRT, another token, or the administrator key, the disk is permanently locked.
Enable automatic encryption or locking of removable devices: If you select this option, the Automatic Encryption dialog box appears when the user inserts an unencrypted removable disk. The dialog box warns the user that the disk will be either mounted read-only or encrypted after the specified time. This prevents copying protected data to an unprotected drive.
Lock device as read-only and provide users with the option to encrypt: If you select this option, the unencrypted disk is mounted read-only. Users can read the data on the disk, but cannot save anything to it. Users can choose to encrypt the disk instead.
Automatically encrypt: <time frame>: The dialog box displays a countdown until the device is encrypted. Removable drives on the system are encrypted after the dialog box times out. Options include 30 seconds, 1 minute, 2 minutes, 5 minutes, and Immediately.
By default, PGP Desktop encrypts the drive to the existing credentials if the primary computer disk is encrypted. If the primary computer disk is not encrypted, PGP Desktop tries to encrypt the portable drive to another private key, if one is available. If there is no other private key, the user is prompted to create a passphrase user account with which to encrypt the disk.
If a Whole Disk Recovery Token is required for encryption and the user attaches a previously unencrypted removable drive while the location that stores WDRTs (in a PGP WDE Controller deployment, the shared network folder) cannot be reached, the removable disk cannot be encrypted and automatically unmounts. The removable disk cannot be used and the following error message appears: "The administrative server is not available for storing the administrative recovery token. Disk encryption cannot continue."
Enable Whole Disk Recovery Tokens: If you select this option, Whole Disk Recovery Tokens (WDRTs) can be created by your PGP WDE users. This option is selected by default.
Automatically configure WDE Local Self Recovery for Windows clients: If you select this option, your users will be forced to configure the local self recovery option, which allows them to recover their PGP BootGuard passphrase on their system.
Display a list of users who are eligible for local recovery: If you select this option, PGP Whole Disk Controller creates a list of users who have local self recovery configured.
Related Topics
Reporting Tab (on page 21)
General Tab (on page 25)
Key Management Tab (on page 26)
File & Disk Tab (on page 27)

General Tab

Use this page to configure general policy options.
Allow users to change options: When selected, lets your PGP WDE users change the settings that you, their administrator, have established. Deselect this option to prevent them from changing these settings. Users cannot skip or cancel any part of the customized PGP WDE installation.
Allow user-initiated key generation: When selected, lets your PGP WDE users create new keys and subkeys, in addition to the key created during installation. Deselect to prevent them from creating new keys after installation and from making certain changes to their keypairs, such as adding and removing ADKs, appointing and removing third-party key revokers, or creating and using subkeys.
Allow user-initiated key signing: When selected, lets your PGP WDE users sign keys. Deselect to prevent them from signing keys. You might need to do this to enforce centralized control over the validity of keys in your organization.
Allow conventional encryption and self-decrypting archives: When selected, lets your PGP WDE users conventionally encrypt files using a passphrase instead of a key, or create self-decrypting archives (SDAs). Conventionally encrypted and self-decrypting files cannot be decrypted by your organization's PGP WDE administrator key, which can conflict with your data recovery policy. Deselect to prevent users from conventionally encrypting files or creating SDAs.
Enforce minimum passphrase length of X characters: Enable if you want to require a minimum number of characters in passphrases for new keys created by your PGP WDE users. The default is eight characters.
Enforce minimum passphrase quality of X%: Enable if you want to require a minimum passphrase quality level for new keys created by your PGP WDE users.
Saving passphrases: Select one of the three options that will apply to your end users entering their passphrases:
Save passphrases for the current session only. Automatically saves passphrases in memory until your end user logs off their computer. If you enable this option, your PGP WDE users will be prompted for their passphrase once per private key. They will not be prompted to enter it again for the same key until they log off their computer.
Caution: If you select this option, it is very important to tell your PGP WDE users to log off their computers before leaving them unattended. Passphrases can remain cached for weeks if they never log off, allowing anyone to read their encrypted messages or encrypt messages with their key while they are away from their computer.
Save passphrases for X (hh:mm:ss). Automatically saves passphrases in memory for the specified duration of time. If you enable this option, your PGP WDE users will be prompted for their passphrases once for the initial signing or decrypting task; they will not be prompted to enter it again until the specified time has elapsed. The default setting is 0:3:0 (3 minutes).
Do not save passphrases. Prevents your PGP WDE users' passphrases from being stored in memory. If you enable this option, your end users must enter their passphrase each time it is needed.
Activate FIPS 140-2 operational and integrity checks: When selected, FIPS operational tests are active on your PGP Desktop users' systems the next time PGP WDE is started. This can slow performance on those systems.
Show PGP Desktop in system tray/menu: When selected, the PGP WDE padlock icon appears in the system tray of Windows users when PGP WDE is active on their systems. The icon provides access to some PGP WDE features without requiring users to launch the whole application.
Hide the option to disable PGP Services: When selected, the Stop PGP Services command does not appear on the PGP Tray menu for your PGP WDE users. This prevents your users from using this command to stop PGP WDE services on their system.
Related Topics
Reporting Tab (on page 21)
Whole Disk Encryption Tab (on page 22)
Key Management Tab (on page 26)
File & Disk Tab (on page 27)
Key Management Tab
Use this page to determine how the system uses keys, and what users can do with their keys.
Key Management: When selected, allows users to manage keys on their local systems.
Always encrypt to user's key: When selected, files that your PGP WDE users encrypt are automatically encrypted to their own key as well. Deselect if you do not want files to be encrypted to the user's key automatically; users can still manually encrypt their messages to their own key.
Override default keyring location: When selected, lets you enter locations for keyrings that override the default location. This means your users' keyrings will be created in and backed up to the location you specify instead of the default keyring location. The default keyring location for Windows is C:\Documents and Settings\[user]\My Documents\PGP\.
Import X.509 certificates as: Select the format in which you want to import X.509 certificates from smart cards. Options include:
PGP Bundle Keys. Bundles user X.509 signing and encryption certificates into a single identity. This is the recommended option.
PGP Wrapper Keys. Allows user X.509 signing and encryption certificates to be imported as separate identities. This option is not recommended because it only functions in an exclusively S/MIME environment.
User Selectable. Allows users to choose how to import their smart card X.509 certificates.
Attempt storage of keys on supported smart cards: Select Require or Attempt if you want to store user keys on any supported smart card.
Ignore use of CAPI-based credentials: Select how you want CAPI-based credentials to be used during enrollment. Options include:
Force. CAPI keys are used during enrollment. If there are no CAPI-based credentials, key generation does not continue.
Prefer. CAPI keys are used during enrollment. If there are no CAPI-based credentials, key generation proceeds as specified by policy.
Ignore. CAPI keys are not used during enrollment. The user does not receive the option to synchronize CAPI credentials.
Related Topics
Reporting Tab (on page 21)
Whole Disk Encryption Tab (on page 22)
General Tab (on page 25)
File & Disk Tab (on page 27)
File & Disk Tab
Use this page to configure policy for PGP Virtual Disk, PGP Shredder, and PGP Zip.
PGP Zip: Deselect to disable the PGP Zip feature; it will not appear in the user interface and it will not be available to your users.
PGP Virtual Disk: Deselect to disable the PGP Virtual Disk feature; it will not appear in the user interface and it will not be available to your users.
Automatically create PGP Virtual Disk upon installation: When selected, a PGP Virtual Disk volume will be created automatically for your PGP WDE users using the Capacity and Format you specify.
Unmount when inactive for X minutes: When selected, the PGP Virtual Disk volumes of your PGP WDE users will be automatically unmounted after the specified number of minutes of inactivity on their systems. This could prevent the protected data on a PGP Virtual Disk volume from being available to unauthorized persons if a user leaves work without unmounting the volume, for example. Deselect to prevent PGP Virtual Disk volumes from being automatically unmounted because of inactivity.
Unmount on system sleep: When selected, the PGP Virtual Disk volumes of your PGP WDE users will automatically unmount if the system goes to sleep. Some systems do not support sleep mode, so this option would not apply to them. Deselect to prevent unmount on sleep.
Prevent sleep if disk(s) cannot be unmounted: When selected, the systems of your PGP WDE users will not sleep if, for some reason, a PGP Virtual Disk volume cannot be unmounted. Using this option could prevent loss of data. Deselect to permit sleep even if a volume cannot be unmounted.
PGP Shredder: Deselect to disable the PGP Shredder feature; it will not appear in the user interface and it will not be available to your users.
Number of shredder passes: Enter the number of shredder passes your PGP WDE users will use when they shred. The default is 3. The larger the number, the more secure the shred, but the longer the shred process takes. Note that overwrite passes, however many, cannot reach copies of the data that the storage layer has placed elsewhere (wear-levelled SSD and flash cells, file-system snapshots, or journal copies), so on such media shredding is a best-effort control rather than a guarantee.
Warn user before shredding files: When selected, your PGP WDE users will be warned before files on their system are shredded. Deselect to suppress this warning.
Automatically shred when emptying the Recycle Bin/Trash: When selected, files your PGP WDE users delete from their system are shredded instead of just deleted. Deselect to prevent deleted files from being shredded.
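The guide does not describe what PGP Shredder writes on each pass, so the following Python is an added example of the general overwrite-and-unlink technique rather than PGP's own code: it overwrites a file in place for the configured number of passes with fresh random data, forces each pass to the device with fsync, and then renames the file before unlinking it so the original name does not linger in the directory. The sample file it creates is constructed input. The limits noted above still apply: on SSDs, flash, snapshotting or journaling file systems the blocks overwritten here may not be the ones that held the original data.

```python
import os
import secrets
import tempfile
from pathlib import Path


def shred_file(path, passes: int = 3, chunk: int = 1 << 20) -> int:
    """Overwrite a file in place `passes` times with random data, then rename and unlink it.
    Returns the total number of bytes written across all passes."""
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    p = Path(path)
    size = p.stat().st_size                     # raises FileNotFoundError if already gone
    written = 0
    with open(p, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))  # fresh random data on every pass
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())                # push this pass to the device, not just the page cache
    # The loop above overwrites content only; rename so the old file name is not left in the directory.
    anon = p.with_name(secrets.token_hex(8))
    p.rename(anon)
    anon.unlink()
    return written


def make_sample_file(nbytes: int = 10_000) -> str:
    """Constructed sample input: a temporary file holding `nbytes` of recognisable text."""
    fd, name = tempfile.mkstemp(prefix="wde-shred-")
    with os.fdopen(fd, "wb") as f:
        f.write((b"SECRET " * (nbytes // 7 + 1))[:nbytes])
    return name


if __name__ == "__main__":
    sample = make_sample_file()
    print(shred_file(sample, passes=3), "bytes overwritten; file still exists:", os.path.exists(sample))
```

Each additional pass costs another full write of the file, which is the trade-off the Number of shredder passes setting makes.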
Related Topics
Reporting Tab (on page 21)
Whole Disk Encryption Tab (on page 22)
General Tab (on page 25)
Key Management Tab (on page 26)

Chapter 6: Creating and Testing Client Installers

This section describes how to create and test client installers.
In This Chapter
Before You Create Client Installers (on page 29)
Creating Client Installers (on page 29)
Testing Client Installers (on page 30)

Before You Create Client Installers

Make sure you have done the following things before you begin creating client installers:
Imported a PGP key as your PGP WDE administrator key.
Added your PGP WDE licenses.
Specified the location of the shared network folder.
Related Topics
Importing a PGP WDE Administrator Key (on page 17)
Adding PGP WDE Licenses (on page 18)
Specifying the Shared Network Folder Location (on page 19)
Creating Client Installers (on page 29)
Testing Client Installers (on page 30)

Creating Client Installers

Use this procedure to create a PGP WDE client installer (an MSI file) using PGP WDE Controller.
For each unique set of options for an installation (product configuration, PGP WDE administrator key, license number, or shared folder location), you must create a separate client installer.
If you need to change any of these options after deployment, you must create a new client installer and redeploy the product as necessary, unless you have configured automatic policy updates, in which case a new policy file saved to the shared folder is downloaded and applied by the installed clients (see Updating Policy After Deployment).
To create a client installer:
1 Launch PGP WDE Controller.
2 Make sure the client settings are correctly configured.
3 Click Save Client.
Two client installers (by default named pgpdesktopWin32.msi and pgpdesktopWin64.msi, one for 32-bit systems and one for 64-bit systems) are created with the embedded policy and configurations.
Related Topics
Before you Create Client Installers (on page 29)
Testing Client Installers (on page 30)
Testing Client Installers
Once you have created your PGP WDE client installers with the desired settings for your PGP WDE users, Symantec Corporation strongly suggests that you do not immediately deploy. Instead, test your client installer on as many representative machines as you can; you will save yourself a lot of time by finding and solving problems with the installer before your full deployment.
Naturally, if any of these tests have unexpected results, you will need to fix the problems and, if necessary, create an updated client installer.
Ways of testing your PGP WDE client installers include:
Install them on a network that is separate from your production environment.
Install them on a system configured with your standard corporate image.
Install them on a system with your standard corporate image plus other software common in your organization, supported or not.
Run a pilot deployment to a small number of users or a single department.
To test client installers before deploying:
1 Install the client installers on a test system connected to the network and verify the configurations are as expected.
Note: Although configuring policy and generating client installers is quick and simple, make sure policy is configured correctly before deploying any .MSI file to production systems. If policy needs to be changed and automatic policy updates are not configured, you must create a new .MSI file and deploy it to affected systems.
2 Go to the shared folder and verify a folder has been created for the test system (the folder's name should follow the format: machine name-unique hex value). Inside the folder there should be an XML log file and a WDRT.
3 Open the XML log file and find the string "Status Changed (partition #) new status – Encryption Complete", which demonstrates that the installation and initial encryption were successful.
Alternatively, for a simpler view, run PGP WDE Controller again. On the Reporting tab, you can see how many installations have sent a WDRT to the shared folder. Although this does not always mean the same as the message in the log file, it is a good indicator and provides a view into the whole deployment.
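To check a whole test group or pilot deployment rather than one folder at a time, the following Python is an added example, not code from this guide or from PGP: it walks the shared folder, applies the folder-name format from step 2 and the log string from step 3, and rolls the result up into the counts the Reporting tab displays, additionally listing systems that stored a WDRT but whose log does not yet say Encryption Complete. The file extensions .xml and .wdrt and the XML layout of the log are assumptions, since the guide names neither, and the share contents it builds for demonstration are constructed samples.

```python
import re
import tempfile
from pathlib import Path

# Per-machine folder name, as the guide describes it: "<machine name>-<unique hex value>"
MACHINE_DIR = re.compile(r"^(?P<name>.+)-(?P<id>[0-9A-Fa-f]+)$")
# The log string quoted in step 3; accept a hyphen or an en dash between "status" and "Encryption"
ENCRYPTION_COMPLETE = re.compile(r"Status Changed \(partition \d+\) new status [-\u2013] Encryption Complete")
# Assumed file names: the guide says only "an XML log file and a WDRT", so these extensions are guesses
LOG_GLOB, WDRT_GLOB = "*.xml", "*.wdrt"


def scan_share(root) -> dict:
    """Classify every per-machine folder under the share root."""
    results = {}
    for entry in sorted(Path(root).iterdir()):
        m = MACHINE_DIR.match(entry.name)
        if not entry.is_dir() or not m:
            continue                                 # stray files and unrelated folders are ignored
        logs = list(entry.glob(LOG_GLOB))
        complete = any(ENCRYPTION_COMPLETE.search(p.read_text(encoding="utf-8", errors="replace"))
                       for p in logs)
        results[m.group("name")] = {
            "id": m.group("id").lower(),
            "has_log": bool(logs),
            "has_wdrt": any(True for _ in entry.glob(WDRT_GLOB)),
            "encryption_complete": complete,
        }
    return results


def deployment_summary(results: dict, licenses: int) -> dict:
    """Roll the per-machine view up into the counts the Reporting tab shows, plus a license check."""
    with_wdrt = [n for n, r in results.items() if r["has_wdrt"]]
    encrypted = [n for n, r in results.items() if r["encryption_complete"]]
    return {
        "systems": len(results),
        "with_wdrt": len(with_wdrt),
        "encrypted": len(encrypted),
        # a WDRT was stored but the log does not yet say Encryption Complete
        "pending": sorted(n for n in with_wdrt if n not in encrypted),
        "no_wdrt": sorted(n for n in results if n not in with_wdrt),
        "license_shortfall": max(0, len(results) - licenses),
    }


def make_sample_share() -> str:
    """Constructed sample share (not real client output) so the scan can be tried offline."""
    root = tempfile.mkdtemp(prefix="wde-share-")
    samples = {
        "LAPTOP-01-1a2b3c4d": ("Status Changed (partition 1) new status \u2013 Encryption Complete", True),
        "LAPTOP-02-5e6f7a8b": ("Status Changed (partition 1) new status \u2013 Encrypting", True),
        "DESK-03-9c0d1e2f": (None, False),           # installed but never reported a WDRT
    }
    for folder, (event, wdrt) in samples.items():
        d = Path(root, folder)
        d.mkdir()
        if event:
            d.joinpath("PGPlog.xml").write_text(f"<log><event>{event}</event></log>\n", encoding="utf-8")
        if wdrt:
            d.joinpath("recovery.wdrt").write_text("constructed sample token\n")
    Path(root, "Thumbs.db").write_bytes(b"")         # stray file that must not be counted
    return root


if __name__ == "__main__":
    share = make_sample_share()
    print(deployment_summary(scan_share(share), licenses=2))
```

Point scan_share at the path where the share is mounted on the administrative workstation. Systems in the pending list are the ones worth opening by hand, since a WDRT alone does not prove initial encryption finished.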
Related Topics
Before You Create Client Installers (on page 29)
Creating Client Installers (on page 29)
Chapter 7: Deploying

How you deploy the PGP WDE client installers to your users depends on your unique circumstances.
Note: The PGP WDE Controller, which manages your PGP WDE clients, cannot be used to deploy the client installers.
Some common deployment methods include:
Distribute on CD, DVD, or thumb drive.
Attach the file to an email message.
Download from a web/file server.
Distribute using an enterprise software distribution system such as SMS or Tivoli.
Chapter 8: After Deployment

This section describes the things you may need to do after client deployment.
In This Chapter
Post-Deployment Considerations (on page 35)
Updating Policy After Deployment (on page 36)
Using a PGP WDE Administrator Key (on page 37)
Using Whole Disk Recovery Tokens (on page 38)
Viewing PGP WDE Event Information (on page 39)
Migrating to a PGP Universal Server-Managed Environment (on page 39)

Post-Deployment Considerations

Depending on your needs, there are tasks you may need to perform after deployment.
Client Software Updates
As Symantec Corporation releases updates to the client software, you must manually download the updated version of the PGP Desktop .MSI file from the PGP Support Home Page (https://pgp.custhelp.com) and deploy it as you would any other .MSI file in your environment.
Note: PGP WDE Controller-created installations of client software do not automatically check the Symantec Corporation website for updates. These installations are not updated automatically, allowing the administrator to manage the updates.
When such an update is installed, the policy and preferences from the original PGP WDE Controller-created .MSI file are preserved.
Other Uses for the PGP WDE Administrator Key
For deployment purposes, PGP WDE Controller imports only the public key portion of the keypair. The private key needs to be available on the system used to decrypt WDRTs with PGP Desktop. Otherwise, the WDRTs are not usable.
You can also copy the private key to a supported smart card or token if you plan on accessing any of the whole disk encrypted systems using the PGP WDE administrator key instead of a WDRT, at times when such systems would otherwise be inaccessible.
PGP BootGuard Customization
Once installed, you can customize the PGP BootGuard screen of PGP WDE with:
Text. You can replace the default text, "Forgot your passphrase? Please contact your IT department or Security Administrator."
Custom background images of the splash and login screens.
Audio cues that can help vision-impaired users more easily navigate PGP BootGuard authentication.
In a PGP WDE Controller environment, PGP BootGuard can be customized only with PGP Whole Disk Encryption Command Line. For complete information, see PGP Whole Disk Encryption Command Line User's Guide.
Different Client Language Versions
PGP WDE Controller creates client installer (.MSI) files in multiple languages: English and Japanese.
Related Topics
Updating Policy After Deployment (on page 36)
Using a PGP WDE Administrator Key (on page 37)
Using Whole Disk Recovery Tokens (on page 38)
Viewing PGP WDE Event Information (on page 39)
Migrating to a PGP Universal Server-Managed Environment (on page 39)
Updating Policy After Deployment
Version 10.1 and above of PGP Whole Disk Encryption Controller lets you easily update policy for your installed clients by saving an updated policy file to the shared network folder; installed clients automatically download and implement the new policy. Prior versions of PGP Whole Disk Encryption Controller required a new client installer be deployed to update policy.
Automatic policy updates require:
Version 10.1 or above clients deployed and installed.
A shared network folder is defined.
An administrator passphrase is not defined.
Note: For security purposes, automatic policy updates are not compatible with the Disk Administrator Passphrase feature. If you want to use automatic policy updates, you must not configure an administrator passphrase. If you want to use an administrator passphrase, you must update policy and then redeploy client installers with the new policy. The Disk Administrator Passphrase feature is not the same as the Administrator Key feature, which can be used with automatic policy updates (for more information about the Disk Administrator Passphrase and the Administrator Key features, please go to the PGP Support Portal and view Knowledge Base Article 2086).
When you want to automatically update policy settings on the client, simply create the desired policies using the PGP WDE Controller, then click Save Client. The new policies are saved to the shared network folder, where they are automatically downloaded and implemented by the installed clients. You do not need to actually use or save the .MSI files that are created; the new policy file is created when you click Save Client.
Related Topics
Post-Deployment Considerations (on page 35)
Using a PGP WDE Administrator Key (on page 37)
Using Whole Disk Recovery Tokens (on page 38)
Viewing PGP WDE Event Information (on page 39)
Migrating to a PGP Universal Server-Managed Environment (on page 39)

Using a PGP WDE Administrator Key

When a user is unable or unwilling to log in to a whole disk encrypted system, use your PGP WDE administrator key to access the system.
The key on the smart card or token must match the key that was embedded in the .MSI file used to install PGP Whole Disk Encryption on the system you want to access.
To use a PGP WDE Administrator Key
1 Insert the smart card into one of the USB ports.
2 Start the system to be accessed.
3 At the PGP BootGuard screen, type the PIN, and then press CTRL + ENTER.
4 At the Windows login dialog box, after the system has booted, type your administrator user name and password to access the system.
5 Perform the tasks needed on the system, and shut down the system.
Related Topics
Post-Deployment Considerations (on page 35)
Updating Policy After Deployment (on page 36)
Using Whole Disk Recovery Tokens (on page 38)
Viewing PGP WDE Event Information (on page 39)
Migrating to a PGP Universal Server-Managed Environment (on page 39)

Using Whole Disk Recovery Tokens

Use this procedure to access a system encrypted with PGP WDE by means of a WDRT. This is necessary when a user has been locked out of the system or has forgotten their password, and is not at the same location as the administrator.
Whole disk recovery token strings are case-sensitive and contain both letters and numerals. Because it can be difficult to tell the difference between certain letters and numerals, whole disk recovery tokens use letter and numeral equivalencies. You can type either the letter or the numeral when you use a whole disk recovery token, and the token string is still accepted. The following are interchangeable:
Capital letter B and numeral eight (8)
Capital letter O and numeral zero (0)
Capital letter I and numeral one (1)
Capital letter S and numeral five (5)
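As an added illustration (not code from the PGP WDE product), the following checker accepts a typed WDRT under the four equivalences listed above while keeping the comparison case-sensitive; the token value used in the sample is constructed and is not a real WDRT.

```python
# Added example: compare a typed whole disk recovery token against the
# issued one, treating B/8, O/0, I/1 and S/5 as interchangeable.
# Only the capital letters are mapped, because WDRTs are case-sensitive.
_EQUIVALENT = str.maketrans({"B": "8", "O": "0", "I": "1", "S": "5"})


def canonical_wdrt(token: str) -> str:
    """Map every interchangeable letter to its numeral equivalent."""
    return token.translate(_EQUIVALENT)


def wdrt_matches(typed: str, issued: str) -> bool:
    """True if the typed token equals the issued token up to the equivalences."""
    if len(typed) != len(issued):
        return False
    return canonical_wdrt(typed) == canonical_wdrt(issued)


if __name__ == "__main__":
    issued = "B8OI-S5O1"  # constructed sample token, not a real WDRT
    print(wdrt_matches("88O1-5501", issued))  # True: letters typed as numerals
    print(wdrt_matches("b8O1-5501", issued))  # False: lowercase is not equivalent
```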
To use a WDRT:
1 Go to the folder in the network shared folder containing logs and WDRTs for the computer (folder names follow the format: machine name-machine guid).
Note: If the computer has multiple encrypted drives, there are multiple WDRTs in its folder, one per drive. The WDRT string contains the device GUID. If you don't know the device GUID of the encrypted drive you are attempting to access, you can look in the logs to determine the device GUID. You can also get the device GUID of the boot disk from the Advanced panel of the initial PGP BootGuard screen.
2 Select and copy the WDRT string.
3 Provide this information to the user, who then uses it to recover the disk.
Once the token is used, it is presented as a “broken” or opened token, and a new token is automatically generated by PGP Desktop and synchronized with the computer's folder in the shared folder.
Related Topics
Post-Deployment Considerations (on page 35)
Updating Policy After Deployment (on page 36)
Using a PGP WDE Administrator Key (on page 37)
Viewing PGP WDE Event Information (on page 39)
Migrating to a PGP Universal Server-Managed Environment (on page 39)

Viewing PGP WDE Event Information

When you launch PGP WDE Controller, it retrieves information from the shared folder and displays (on the Reporting tab) how many systems have sent a WDRT to the shared folder. The existence of a WDRT is an indicator that initial encryption has begun or completed.
Note: If you are using multiple shared folders in your environment for this purpose, you can only view this information from one shared folder at a time. Simply change the location of the shared folder on the Administrator Options dialog box, and the summary information reflects the new location.
For the most detailed and recent information, see the log files for the specific system in the shared folder.
You must view the log files from a system with Internet access so that the XSL file, which determines how the log data is displayed, can be reached. If you cannot view the log files from such a system, save a copy of the XSL file for local use from http://www.pgp.com/pgpreport.xsl. Once you have a local copy of this file, you must edit the XML log file to point to the local copy of the XSL file.
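One way to make that edit repeatably, as an added example rather than a tool shipped with PGP WDE Controller: rewrite the stylesheet reference in a copy of the log so it points at the local XSL. It assumes the log carries a standard <?xml-stylesheet ... href="..."?> processing instruction naming http://www.pgp.com/pgpreport.xsl, and the sample log below is constructed, not real PGP WDE output.

```python
# Added example: point a copy of an XML log at a local copy of pgpreport.xsl
# so it can be viewed on a system without Internet access.
import re
from pathlib import Path
from typing import Tuple

REMOTE_XSL = "http://www.pgp.com/pgpreport.xsl"

# Matches only the href inside an xml-stylesheet processing instruction, so
# element content that merely mentions the URL is left untouched.
_PI_HREF = re.compile(r'(<\?xml-stylesheet\b[^>]*?\bhref=")([^"]*)(")')


def relink_stylesheet(xml_text: str, local_xsl: str) -> Tuple[str, int]:
    """Return the log text with the remote XSL href replaced, plus the number
    of references rewritten (0 means the log had no such reference)."""
    count = 0

    def _swap(m: "re.Match") -> str:
        nonlocal count
        if m.group(2) != REMOTE_XSL:
            return m.group(0)  # some other stylesheet: leave it alone
        count += 1
        return m.group(1) + local_xsl + m.group(3)

    return _PI_HREF.sub(_swap, xml_text), count


def relink_log_file(src: Path, dst: Path, local_xsl: str) -> int:
    """Write a relinked copy to dst; the original log in the share is not modified."""
    new_text, n = relink_stylesheet(src.read_text(encoding="utf-8"), local_xsl)
    dst.write_text(new_text, encoding="utf-8")
    return n


# Constructed sample log (assumed layout), not real PGP WDE output.
SAMPLE_LOG = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    f'<?xml-stylesheet type="text/xsl" href="{REMOTE_XSL}"?>\n'
    '<pgplog><event time="2012-04-01T09:00:00">Encryption completed</event></pgplog>\n'
)

if __name__ == "__main__":
    out, n = relink_stylesheet(SAMPLE_LOG, "file:///C:/pgp/pgpreport.xsl")
    print(n)    # 1
    print(out)  # same log, now referencing the local XSL copy
```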
To view the most recent encryption events and status:
1 Go to the computer's folder in the shared folder.
2 Open the most recent XML log file in the folder for the most recent information (for example, the most recent date and time encryption completed).
3 Close the file when finished.
Related Topics
Post-Deployment Considerations (on page 35)
Updating Policy After Deployment (on page 36)
Using a PGP WDE Administrator Key (on page 37)
Using Whole Disk Recovery Tokens (on page 38)
Migrating to a PGP Universal Server-Managed Environment (on page 39)

Migrating to a PGP Universal Server-Managed Environment

When you decide to migrate to a PGP Universal Server-managed environment, you will deploy new client installers created by PGP Universal Server. Deploy the client installers as you would any other in your environment, but you must also change several registry settings on the client systems.
The steps below use the Microsoft Windows Msiexec command-line installer on the client system to make the necessary registry changes.
Before You Begin
Create the PGP Desktop .MSI file (by default named pgpdesktop.msi) with PGP Universal Server, and download it to the system on which it is to be installed.
To migrate to a PGP Universal Server-Managed client:
1 Log on to the client system.
2 From the Start menu, select Run.
3 Type cmd, and then press ENTER.
4 In the command prompt, go to the location of the .MSI file.
5 In the command prompt, type msiexec.exe /I pgpdesktop.msi PGP_INSTALL_MAPI=1 PGP_INSTALL_GROUPWISE=1 PGP_INSTALL_LSP=1 PGP_INSTALL_NETSHARE=1 PGP_INSTALL_NOTES=1, and then press ENTER.
PGP Desktop is upgraded on the client system to the new version and license.
Related Topics
Post-Deployment Considerations (on page 35)
Updating Policy After Deployment (on page 36)
Using a PGP WDE Administrator Key (on page 37)
Using Whole Disk Recovery Tokens (on page 38)
Viewing PGP WDE Event Information (on page 39)
Index
A
administrator keys • 11, 17, 37
Administrator Options Dialog Box • 22
B
BootGuard customization • 14
F
File & Disk tab • 27
G
General Options tab • 25
K
Key Management tab • 26
L
licensing • 18
Logging information • 12, 39
M
MSI files • 29, 35
R
Reporting tab • 21
S
Shared folder, defining • 19
Single-Sign On • 13
W
WDRTs • 12, 38
Whole Disk Encryption tab • 22
Whole disk recovery tokens • See WDRTs