PGP Whole Disk Encryption Controller - 10.2 Instruction Manual

PGP Whole Disk Encryption Controller
User's Guide
10.2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 10.2.1. Last updated: April 2012.
Legal Notice
Copyright (c) 2012 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 350 Ellis Street Mountain View, CA 94043
Symantec Home Page (http://www.symantec.com)
Printed in the United States of America.
Contents

About PGP Whole Disk Encryption Controller
  Components of a Typical PGP Whole Disk Encryption Controller Solution
  About the PGP WDE Controller
  Important Terms
  Audience
  Technical Support
  Contacting Technical Support
  Licensing and registration
  Customer service
  Support agreement resources
Before You Install the PGP WDE Controller
  Before You Begin
  About PGP WDE Administrator Keys
  About the Shared Network Folder
  About Whole Disk Recovery Tokens
  About Single Sign-On
  About PGP BootGuard Customization
Installing the PGP WDE Controller
  System Requirements
  Installing the PGP WDE Controller
Working with the PGP WDE Controller
  Importing a PGP WDE Administrator Key
  Adding PGP WDE Licenses
  Specifying the Shared Network Folder Location
Establishing Client Settings on the PGP WDE Controller
  Reporting Tab
  Administrator Options Dialog Box
  Whole Disk Encryption Tab
  General Tab
  Key Management Tab
  File & Disk Tab
Creating and Testing Client Installers
  Before You Create Client Installers
  Creating Client Installers
  Testing Client Installers
Deploying
After Deployment
  Post-Deployment Considerations
  Updating Policy After Deployment
  Using a PGP WDE Administrator Key
  Using Whole Disk Recovery Tokens
  Viewing PGP WDE Event Information
  Migrating to a PGP Universal Server-Managed Environment
Index

About PGP Whole Disk Encryption Controller

PGP Whole Disk Encryption Controller is a software tool that provides full-disk encryption for your organization's Microsoft Windows systems.
PGP Whole Disk Encryption Controller has two parts:
• a management application, called PGP Whole Disk Encryption Controller, which you use to configure policy and create client installers that are pre-configured with established policy. Once deployed, the management application can also be used to view status reports on the deployment and create updated policies.
• client software, which installs PGP Whole Disk Encryption Controller onto the Windows systems of your users.
A PGP Whole Disk Encryption Controller can manage up to 100 client installations.
In This Chapter
• Components of a Typical PGP Whole Disk Encryption Controller Solution
• About the PGP WDE Controller
• Important Terms
• Audience
• Technical Support

Components of a Typical PGP Whole Disk Encryption Controller Solution

The following are elements of a typical PGP Whole Disk Encryption Controller solution:
• PGP Whole Disk Encryption (WDE) Controller is a platform for creation and management of PGP WDE Workgroup Edition client software. The PGP WDE Controller:
  • installs on any Windows system in the network.
  • provides policies for the client installers.
  • creates the client installers.
  • maintains deployment reporting information.
• The client installer software is created by the PGP WDE Controller, then deployed to and installed onto the Windows systems of your users.
• Shared network folder (optional, but recommended). A Samba (SMB/CIFS) server that holds:
  • policy files, which are automatically downloaded and implemented by installed clients.
  • log files, for analysis by administrators.
  • WDRTs, for use when needed to access an encrypted drive.
  • system usage information, for analysis by administrators.
Related Topics
• About the PGP WDE Controller
• Important Terms
• Audience
• Technical Support

About the PGP WDE Controller

PGP WDE Controller is a standalone application that runs on recent versions of Microsoft Windows (see the System Requirements for supported versions).
It does not require its own computer, and there are no servers or databases to configure or manage. You can configure and deploy the client software with a basic knowledge of Microsoft Windows administration.
Install PGP WDE Controller on any Windows system in the same network as the systems to which the client software will be downloaded.
Note: Installing PGP WDE Controller and PGP Desktop on the same system makes it easier to create the PGP keypair you will use as the PGP WDE administrator key.
Once installed, use PGP WDE Controller to establish policy for the client installers. These policies are embedded into the client installers and are implemented when the software is installed onto the Windows systems of your users. Refer to the PGP WDE Controller online Help for information on each configuration option.
Updated policies can be created and saved to the network share location; installed clients (version 10.1 and greater) will automatically download and implement these new policies.
Note: If the LAN on which the system hosting PGP WDE Controller runs uses a proxy server (Tools > Internet Options > Connections > LAN Settings > Use a proxy server for your LAN is checked), then you must also check Bypass proxy server for local addresses in order for PGP WDE Controller to run.
Related Topics
• Components of a PGP WDE Workgroup Edition Solution (see "Components of a Typical PGP Whole Disk Encryption Controller Solution")
• Important Terms
• Audience
• Technical Support

Important Terms

PGP WDE Workgroup Edition: A product from Symantec Corporation that includes the PGP WDE Controller application, client installers, and a shared network folder.
PGP WDE Controller: An application for creating and managing PGP WDE Workgroup Edition client software.
client installer: An installer application created by PGP WDE Controller that installs PGP WDE software on end users' Windows systems.
shared network folder: A shared folder on a network that holds information and files used to manage installed PGP WDE clients.
PGP Whole Disk Encryption: A software product from Symantec Corporation that secures files stored on protected drives with transparent full disk encryption. It also includes other encryption features.
full disk encryption: A security industry term for encryption of all data on a drive below the application layer.
Whole Disk Recovery Token: A feature of PGP WDE where a recovery token is created that can later be used to recover access to a drive if the normal authentication method is no longer available. In a PGP WDE Workgroup Edition environment, WDRTs are stored on the shared network folder.
PGP WDE administrator's key: A key that, used in conjunction with a smart card or token, lets an administrator log in to a user's system at the PGP WDE BootGuard screen using two-factor authentication. This allows the administrator to access a user's system if the user is not available or not willing to provide access.
Related Topics
• Components of a Typical PGP WDE Workgroup Edition Solution (see "Components of a Typical PGP Whole Disk Encryption Controller Solution")
• About the PGP WDE Controller
• Audience
• Technical Support

Audience

This Guide assumes you are an IT or messaging support professional who will be performing one or more of the following tasks:
• Setting up and configuring PGP Whole Disk Encryption Controller as the management server for PGP WDE users.
• Understanding and configuring PGP WDE client options.
• Creating, testing, and deploying the PGP WDE client installers.
• Handling post-deployment issues.
Related Topics
• Components of a Typical PGP WDE Workgroup Edition Solution (see "Components of a Typical PGP Whole Disk Encryption Controller Solution")
• About the PGP WDE Controller
• Important Terms
• Technical Support

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
• A range of support options that give you the flexibility to select the right amount of service for any size organization
• Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
• Upgrade assurance that delivers software upgrades
• Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
• Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
• Product release level
• Hardware information
• Available memory, disk space, and NIC information
• Operating system
• Version and patch level
• Network topology
• Router, gateway, and IP address information
• Problem description:
  • Error messages and log files
  • Troubleshooting that was performed before contacting Symantec
  • Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
• Questions regarding product licensing or serialization
• Product registration updates, such as address or name changes
• General product information (features, language availability, local dealers)
• Latest information about product updates and upgrades
• Information about upgrade assurance and support contracts
• Information about the Symantec Buying Programs
• Advice about Symantec's technical support options
• Nontechnical presales questions
• Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
• Asia-Pacific and Japan: customercare_apac@symantec.com
• Europe, Middle-East, Africa: semea@symantec.com
• North America, Latin America: supportsolutions@symantec.com

Before You Install the PGP WDE Controller

This section describes the things you should do before you install the PGP WDE Controller and also provides background information about a number of important features of PGP WDE.
In This Chapter
• Before You Begin
• About PGP WDE Administrator Keys
• About the Shared Network Folder
• About Whole Disk Recovery Tokens
• About Single Sign-On
• About PGP BootGuard Customization

Before You Begin

Before you install the PGP WDE Controller or deploy the client installers, complete these tasks:
• Create a PGP keypair with PGP Desktop to use as the PGP WDE administrator key.
  The PGP WDE administrator key has several purposes. During client installation, it is used to encrypt the WDRTs. After deployment, it is used for administrator access to the WDRTs, as well as providing an additional means of access (in combination with smart cards or tokens) to locked systems.
  Note: If you don't already have an existing installation of PGP Desktop to use to create the keypair, you need to install it. With the acquisition of PGP Corporation by Symantec Corporation, PGP operations are in the process of integrating with Symantec operations. To obtain a copy of PGP Desktop, use the second download link if the first link does not appear operational.
  To obtain PGP Desktop if needed:
  • Go to the PGP License and Entitlement Management System (LEMS) (https://lems.pgp.com/account/login) and log in. Install the software using your PGP Whole Disk Encryption license. The PGP Desktop installer is posted in the PGP WDE Workgroup Edition section of the Download Center on LEMS.
  • Go to Symantec FileConnect (https://fileconnect.symantec.com/), select your language, and enter your serial number.
• Export the keypair to a file once you create it. Once exported, make sure the file is accessible to the system on which you intend to run PGP WDE Controller. This is necessary the first time you run PGP WDE Controller.