PGP Whole Disk Encryption for Linux - 10.0 User's Guide
PGP Whole Disk Encryption for Linux
User's Guide
Version Information
PGP Whole Disk Encryption for Linux User's Guide. Version 10.0.0. Released December 2009.
Copyright Information
Copyright © 1991-2009 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of
Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger
is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered
trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of
International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are
trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All
other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm,
implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a
license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block
Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP
Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you
would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (https://support.pgp.com). PGP
Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the fur n ishing of this
software or documentation does not give you any license to the se patents.
Acknowledgments
This product includes or may include:
z The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation,
developed by zlib (http://www.zlib.net
the MIT License found at http://www.opensource.org/licenses/mit-license.html
available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. z Application server (http://jakarta.apache.org/), web server
(http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML,
developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. z Castor, an open-source, data-binding
framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an
Apache 2.0-style license, available at http://www.castor.org/license.html
Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software
License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1
Protocol") used for communications between various PGP products is provided under the Apache license found at
http://www.apache.org/licenses/LICENSE-2.0.txt
an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html. z jpeglib version 6a is based in part on the work of the Independent
JPEG Group. (http://www.ijg.org/) z libxslt the XSLT C library developed for the GNOME project and used for XML transformations is distributed under
the MIT License http://www.opensource.org/licenses/mit-license.html. z PCRE version 4.5 Perl regular expression compiler, copyrighted and distributed
by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt
Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org) z Free BSD implementation of
daemon developed by The FreeBSD Project, © 1994-2006. z Simple Network Management Protocol Library developed and copyrighted by Carnegie
Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. © 2001- 2003, Sun
Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and
Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html
by Network Time Protocol and copyrighted to various contributors. z Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP
Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The
OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html
developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgi-
bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. z PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released
under the BSD license. z Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at
http://www.opensource.org/licenses/ibmpl.php
BSD-style license, available at http://www.postgresql.org/about/licence
PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a
BSD-style license, available at http://jdbc.postgresql.org/license.html
database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence
version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission.
z JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the
GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html
ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in
C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California,
Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html
library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at
http://curl.haxx.se/docs/copyright.html
under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING
libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at
http://directory.fsf.org/libs/COPYING.DOC
communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at
http://www.cs.fsu.edu/~engelen/soaplicense.html
distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php
utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at
). z Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under
. Copyright © 2007 by the Open Source Initiative. z bzip2 1.0, a freely
. z Xalan, an open-source software library from the Apache Software
. z Apache Axis is an implementation of the SOAP ("Simple Object Access
. z mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under
. z BIND Balanced Binary Tree Library and Domain
. z NTP version 4.2 developed
. Secure shell OpenSSH version 4.2.1
. z PostgreSQL, a free software object-relational database management system, is released under a
. z PostgreSQL JDBC driver, a free Java program used to connect to a
. z PostgreSQL Regular Expression Library, a free software object-relational
. z 21.vixie-cron is the Vixie
. Copyright © 2006 The JacORB Project. z TAO (The ACE
. z libcURL, a
. Copyright (c) 1996 - 2007, Daniel Stenberg. z libuuid, a library used to generate unique identifiers, is released
. Copyright (C) 1996, 1997 Theodore Ts'o. z
. Copyright © 2000-2003 Free Software Foundation, Inc. z gSOAP, a development tool for Windows clients to
. z Windows Template Library (WTL) is used for developing user interface components and is
. z The Perl Kit provides several independent
http://www.perl.com/pub/a/language/misc/Artistic.html. z rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text
rendering, and alpha blending, and is distributed under the license found at
http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/LICENSE.txt?revision=288
Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public License
(LGPL) found at http://www.gnu.org/licenses/lgpl.html
Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at http://developer.yahoo.com/yui/license.html. z
JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the
Apache 2.0 license, available at http://json-lib.sourceforge.net/license.html
available at http://ezmorph.sourceforge.net/license.html
available at http://commons.apache.org/license.html. z Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license,
available at http://commons.apache.org/license.html.
. z Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX.
. z EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license,
. z Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license,
. Copyright (c) 2006 Christoph Pfisterer. All rights reserved. z
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of
Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided
with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets
your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be
made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
4
Contents
Introduction 1
About PGP Whole Disk Encryption for Linux 1
Important Terms 1
Audience 3
System Requirements 3
Installing and Uninstalling 5
Installing 5
Uninstalling 6
Licensing 7
Overview 7
--license-authorize 8
Licensing via a Proxy Server 8
The Command-Line Interface 11
Overview 11
Scripting 12
Passphrases 12
--interactive 12
Before You Encrypt 15
Ensure Disk Health 15
Choose Encryption Options 16
Maintain Power Throughout Encryption 16
The Encryption Process 17
Overview 17
Using --secure 17
Using Individual Commands 18
i
PGP WDE for Linux User's Guide Contents
The PGP BootGuard Screen 21
Overview 21
Authenticating 22
Authenticating if You Have Forgotten Your Passphrase 23
Choosing a Keyboard 24
Generic Commands 25
--help (-h) 25
--version 26
Disk Information Commands 27
--enum 27
--info 28
--show-config 29
--status 29
Boot Bypass Commands 31
--add-bypass 32
--check-bypass 32
--remove-bypass 33
Disk Operation 35
--decrypt 35
--encrypt 36
--resume 37
--secure 38
--stop 39
Disk Management 41
--auth 41
--instrument 42
--uninstrument 42
ii
PGP WDE for Linux User's Guide Contents
User Management Commands 45
--add-user 45
--change-passphrase 47
--change-userdomain 47
--list-user 48
--remove-user 49
--verify-user 50
PGP BootGuard Customization Commands 51
--set-background 51
--set-language 52
--set-sound 53
--set-start 54
--set-text 55
Recovery Token Commands 57
--new-wdrt 57
Local Self Recovery 59
--recovery-configure 60
--recovery-questions 61
--recovery-verify 62
--recovery-remove 63
--recovery-change-passphrase 64
Options 67
Overview 67
"Secure" Options 68
--admin-passphrase 69
--all 69
--answers-file 69
--auto-start 69
--beep 70
--dedicated-mode 70
--disk (-d) 70
--display 71
--domain-name 71
--fast-mode 71
--image 71
--interactive 72
--keyboard 72
--keyid 73
--message 73
iii
PGP WDE for Linux User's Guide Contents
--new-domain 73
--new-passphrase 74
--no-beep 74
--partition 74
--passphrase (-p) 75
--questions-file 75
--recovery-token 75
--safe-mode 76
--username 76
Quick Reference 77
Commands 77
Options 78
Troubleshooting 81
Overview 81
Encryption Does Not Begin 81
Encryption Does Not Finish 83
Problems at PGP BootGuard 84
iv
Introduction
1
This guide tells you how to use PGP Whole Disk Encryption for Linux.
In This Chapter
About PGP Whole Disk Encryption for Linux.............................................1
Important Terms.........................................................................................1
Audience....................................................................................................3
System Requirements................................................................................3
About PGP Whole Disk Encryption for Linux
Thank you for using PGP Whole Disk Encryption for Linux, a software product
from PGP Corporation that locks down the entire contents of your Linux system
using PGP Whole Disk Encryption (WDE) technology.
For more information about PGP WDE, see the:
PGP Desktop User's Guide
PGP WDE Quick Start Guide
PGP WDE Data Sheet (available via the PGP WDE page on the PGP
PGP Whole Disk Encryption for Linux gives you access to PGP WDE
functionality using a command-line interface.
The encryption algorithm used by PGP Whole Disk Encryption for Linux is AES-
256. The hashing algorithm is SHA-1. You cannot change these.
Warning: Once you unlock a disk, its files are available to you—as well as
anyone else who can physically use your system. Your files are unlocked until
you lock them again by shutting down your system.
Important Terms
Understanding the following terms will help make it easier to use PGP Whole
Disk Encryption for Linux:
Corporation website)
1
PGP WDE for Linux User's Guide Introduction
PGP Whole Disk Encryption (PGP WDE): a technology that encrypts the
entire contents of a disk; boot disks, partitions, and non-boot disks such as
USB thumb drives can all be whole disk encrypted.
PGP Whole Disk Encryption for Linux: a software product from PGP
Corporation that brings PGP WDE technology to the Linux platform,
allowing you to lock down the entire contents of your Linux system.
command line: the interface to PGP Whole Disk Encryption for Linux
functionality. All PGP Whole Disk Encryption for Linux commands and
options are accessed via the command-line interface.
passphrase user: a user who can authenticate to an encrypted disk using
a passphrase.
public-key user: a user who can authenticate to an encrypted disk using
the passphrase to the corresponding private key.
encrypt: the process of "scrambling" data so that it is not usable unless you
properly authenticate.
decrypt: the process of "unscrambling" encrypted data.
master boot record (MBR): software on a disk that is "in front" of the
partition table; that is, it is implemented during the startup process before
the operating system itself. The instructions in the MBR tells the system
how to boot.
instrument: a part of the process of whole disk encrypting a disk/partition
where the Linux MBR is replaced with the PGPMBR.
PGPMBR: an MBR from PGP Corporation that implements the PGP
BootGuard. Once a disk is instrumented, even if it is not fully encrypted,
subsequent startups will bring up PGP BootGuard.
PGP BootGuard: the screen that appears after instrumenting a disk that
requires proper authentication for the boot process to continue. If proper
authentication is not provided, the boot process will not continue; the
operating system will not load and the system will not be usable.
uninstrument: removing the PGPMBR and replacing it with the original
Linux MBR (which was saved when the disk was instrumented).
whole disk recovery token (WDRT): an additional passphrase for a whole
disk encrypted disk that is passed to the appropriate PGP Universal Server
if the disk is part of a PGP Universal-managed environment.
PGP Universal Server: a management console for securing data from PGP
Corporation.
recovery: the process of restoring access to a disk/partition that has been
whole disk encrypted but now cannot be decrypted.
2
PGP WDE for Linux User's Guide Introduction
Audience
This User's Guide is for anyone who is going to be using PGP Whole Disk
Encryption for Linux to perform PGP WDE functions on their Linux system.
System Requirements
The system requirements for PGP Whole Disk Encryption for Linux are:
Ubuntu 8.04 and 9.04 (32-bit versions) and Red Hat Enterprise
Linux/CentOS 5.2 and 5.3 (32-bit versions)
Note: CentOS is free, open source software based on Red Hat Enterprise
Linux. For the purposes of supporting PGP Whole Disk Encryption for Linux,
the two are functionally equivalent.
512 MB of RAM
64 MB hard disk space
3
2
Installing
Installing and Uninstalling
This section describes how to install and uninstall PGP Whole Disk Encryption
for Linux.
In This Chapter
Installing.....................................................................................................5
Uninstalling ................................................................................................6
The PGP Whole Disk Encryption for Linux installer is a bsx (Bash SelfeXtracting) file.
You must have root privileges to install.
Note: The installer file may have a slightly different filename than shown in the
procedure below depending on the platform you are installing onto.
To install PGP Whole Disk Encryption for Linux
1 Download the installer file, called
pgp_desktop_10.0.0_linux_ub9.04_i386.bsx for Ubuntu 9.04, to a
known location on your system.
2 Begin the installation process using either of the following methods:
a Make the file an executable (using chmod +x [filename]),
then use ./[filename] Enter to begin the installation.
or
b Begin the inst allation via a shell: bash [filename] Enter
3 Follow the on-screen instructions.
4 Reboot your system when the installation is complete.
5
PGP WDE for Linux User's Guide Installing and Uninstalling
Uninstalling
Use the built-in uninstaller for the version of Linux you are using to uninstall PGP
Whole Disk Encryption for Linux. You must have root privileges to uninstall.
The packages that are installed are: pgp-libs, pgpwde, pgp-release, and kmodpgpwde.
6
3
Overview
Licensing
This section describes how to license PGP Whole Disk Encryption for Linux.
Note: As PGP Whole Disk Encryption for Linux will not operate normally until
licensed, you should license it immediately after installation.
In This Chapter
Overview....................................................................................................7
--license-authorize .....................................................................................7
Licensing via a Proxy Server .....................................................................8
PGP Whole Disk Encryption for Linux requires a valid license to operate. This
section describes how to license your copy of PGP Whole Disk Encryption for
Linux.
PGP Whole Disk Encryption for Linux supports the following licensing scenarios:
Using a License Number. This is the normal method to license PGP Whole
Disk Encryption for Linux. You must have your license information and a
working connection to the Internet.
Through a Proxy Server. If you connect to the Internet through a proxy
server, use this method to license PGP Whole Disk Encryption for Linux.
You must have your license information and the appropriate proxy server
information.
The licensing command is --license-authorize.
Once PGP Whole Disk Encryption for Linux is correctly installed and licensed on
your system, you can encrypt your drive. See The Encryption Process for
complete information.
7
PGP WDE for Linux User's Guide Licensing
--license-authorize
Use --license-authorize to license PGP Whole Disk EncryptionLinux.
The usage format is:
pgpwde --license-authorize --license-name <name>
--license-number <number> [--license-email
<emailaddress>] [--license-organization <org>]
Where:
--license-authorize is the command to license PGP Whole Disk
Encryption for Linux.
--license-name is the option to specify the user.
<name> is your name or a descriptive name.
--license-number is the option to enter a license number.
<number> is a valid license number for PGP Whole Disk Encryption for
Linux.
--license-email is the option to enter an email address.
<emailaddress> is a valid email address.
--license-organization is the option to enter an organization.
<org> is the name of your organization.
If you decide not to enter a license email, you may see a warning message but
your license will authorize.
Example:
pgpwde --license-authorize --license-name "Alice
Cameron"
--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"
--license-email "acameron@example.com
--license-organization "Example Corporation"
(When entering this text, it all goes on a single line.)
Licensing via a Proxy Server
If the Internet access of the system hosting PGP Whole Disk Encryption for
Linux is via an HTTP proxy connection, you can still license your copy of PGP
Whole Disk Encryption for Linux directly; you simply need to add the necessary
proxy information.
"
Use --license-authorize to license PGP Whole Disk Encryption for Linux
via a proxy server.
8
PGP WDE for Linux User's Guide Licensing
The usage format is:
pgpwde --license-authorize --license-name <name> --
license-number <number> [--license-email <emailaddress>]
[--license-organization <org>] [--proxy-server
<proxyserver>] [--proxy-username <proxyusername>]
[--proxy-passphrase <proxypass>]
Where:
--license-authorize is the command to license PGP Whole Disk
Encryption for Linux.
--license-name is the option to specify the user.
<name> is your name or a descriptive name.
--license-number is the option to enter a license number.
<number> is a valid license number for PGP Whole Disk Encryption for
Linux.
--license-email is the option to enter an email address.
<emailaddress> is a valid email address.
--license-organization is the option to enter an organization.
<org> is the name of your organization.
--proxy-server is the command to go through a proxy server to access
the Internet.
<proxyserver> is the appropriate proxy server.
--proxy-username is the command to specify a user on the proxy server
when authentication is required.
<proxyusername> is a valid username on the specified proxy server.
9
PGP WDE for Linux User's Guide Licensing
--proxy-passphrase is the option to specify the passphrase of the
specified user when authentication is required.
<proxypass> is the passphrase for the specified user on the proxy server.
Example:
pgpwde --license-authorize --license-name "Alice
Cameron"
--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"
--license-email "acameron@example.com
"
--license-organization "Example Corporation"
--proxy-server "proxyserver.example.com"
--proxy-username "acameron"
--proxy-passphrase 'a_cameron1492sailedblue'
(When entering this text, it all goes on a single line.)
10
The Command-Line
4
Overview
Interface
This section describes the command-line interface used by PGP Whole Disk
Encryption for Linux .
In This Chapter
Overview..................................................................................................11
Scripting...................................................................................................12
Passphrases ............................................................................................12
--interactive ..............................................................................................12
PGP Whole Disk Encryption for Linux uses a command-line interface.
Note: Versions of PGP Whole Disk Encryption for other platforms support
both a graphical user interface and a command line interface. PGP Whole
Disk Encryption for Linux has only a command-line interface.
You enter a valid command at the command prompt and press Enter. PGP
Whole Disk Encryption for Linux responds based on what you entered: with
success (if you entered a valid command) or with an error message (if you
entered an invalid or incorrectly structured command).
All PGP Whole Disk Encryption for Linux commands have a long form: the text
"pgpwde", a space, two hyphens "--", the command name, and options (if
appropriate).
For example:
$pgpwde --help [Enter]
is the command to display the built-in help information. It has no options.
(The command prompt, $ in the above example, and [Enter] will no longer be
shown in examples; only the necessary commands and options will be shown.)
A few commands also have a short form: either one hyphen and then a single
letter or two hyphens and two letters.
For example:
-h for help instead of --help
11
PGP WDE for Linux User's Guide The Command-Line Interface
You can mix long forms and short forms in a single command.
Scripting
Passphrases
Short forms are noted where appropriate.
PGP Whole Disk Encryption for Linux commands can easily be inserted into
scripts for automating common tasks, such as encrypting a disk or getting
information about an encrypted disk.
PGP Whole Disk Encryption for Linux commands can easily be added to scripts
written with scripting languages such as Perl or Python.
For consistency, all example passphrases in this guide are shown in single
quotation marks ('). Putting passphrases between single quotation marks
ensures that reserved characters and spaces are interpreted correctly.
If you do not use any reserved characters or spaces in your passphrases, then
you do not have to enclose them in single quotation marks.
On Windows systems, for example, if you have a space in a passphrase, you
must enclose the passphrase in single or double quotation marks when you
enter it. Also, double quotation marks (") as part of the passphrase must be
escaped with a preceding double quotation mark.
--interactive
For example, if you want to use
Thomas "Stonewall" Jackson
as your passphrase, you would have to enter it as
'Thomas ""Stonewall"" Jackson'
on the command line. You need the quotation marks at the beginning and end
for the spaces and you need to escape each double quotation mark used in the
passphrase with another double quotation mark.
Note: If you are having problems entering certain characters in your
passphrases, check the information about how to handle reserved characters
for the operating system or shell interpreter you are using.
You can use --interactive whenever you could use a command that
requires a passphrase be entered on the command line. If you do, you will be
prompted to enter a valid passphrase on a separate line.
12
PGP WDE for Linux User's Guide The Command-Line Interface
Using --interactive makes using PGP Whole Disk Encryption for Linux
more secure by preventing passphrases from being entered in the clear on the
command line. When you use --interactive, the characters you enter are
not displayed.
Note: --interactive is also used in a different way when configuring local
self recovery. See Local Self Recovery for more information.
13
5
Before You Encrypt
When you encrypt an entire disk using PGP Whole Disk Encryption for Linux,
every sector is encrypted using a symmetric key. This includes all files including
operating system files, application files, data files, swap files, free space, and
temp files.
On subsequent reboots, PGP Whole Disk Encryption for Linux prompts you for
the correct passphrase. As long as you correctly authenticate to your PGP
Whole Disk Encryption for Linux-encrypted disk (after you enter the corre ct
passphrase at the PGP BootGuard screen), your files are available. When you
shut down your system, the disk is protected against use by others.
Before encrypting your disk with PGP Whole Disk Encryption for Linux, there are
some important things to do:
Ensure the health of the hard disk.
Choose the encryption options to use.
Make sure to maintain power throughout encryption.
In This Chapter
Ensure Disk Health..................................................................................15
Choose Encryption Options.....................................................................16
Maintain Power Throughout Encryption...................................................16
Ensure Disk Health
PGP Corporation deliberately takes a conservative stance when encrypting
drives, to prevent loss of data. It is not uncommon to encounter Cyclic
Redundancy Check (CRC) errors while encrypting a hard disk.
If PGP Whole Disk Encryption for Linux encounters a hard drive or partition with
bad sectors, it will, by default, pause the encryption process. This pause allows
you to remedy the problem before continuing with the encryption process, thus
avoiding potential disk corruption and lost data.
To avoid disruption during encryption, PGP Corporation recommends that you
start with a healthy disk by correcting any disk errors prior to encrypting.
15
PGP WDE for Linux User's Guide Before You Encrypt
As best practices, before you attempt to encrypt your drive:
use a third-party scan disk utility that has the ability to perform a low-level
integrity check and repair any inconsistencies with the drive that could lead
to CRC errors.
Choose Encryption Options
There are several options you can use during the encryption process itself:
--dedicated-mode: Uses maximum computer power to encrypt faster;
your system is less responsive during encryption.
--fast-mode: Skips unused sectors, so encryption of the disk is faster.
--safe-mode: Allows encryption to be resumed without loss of data if
power is lost during encryption; encryption takes longer.
Maintain Power Throughout Encryption
Because encryption is a CPU-intensive process, encryption cannot begin on a
laptop computer that is running on battery power. The computer must be on AC
power. Do not remove the power cord from the system before the encryption
process is over.
Regardless of the type of computer you are working with, your system must not
lose power, or otherwise shut down unexpectedly, during the encryption process,
unless you use the --safe-mode option. Even if you are using the --safe-
mode option, it is still better not to lose power during the encryption process.
If loss of power during encryption is a possibility—or if you do not have an
uninterruptible power supply for your computer—be sure to use the --safe-
mode option.
These options are also described with the --encrypt command.
16
6
Overview
The Encryption Process
This section describes the two methods for whole disk encrypting a drive.
In This Chapter
Overview..................................................................................................17
Using --secure..........................................................................................17
Using Individual Commands....................................................................18
To PGP Whole Disk Encrypt a drive requires several things: the drive must be
instrumented, there must be at least one authorized user on the drive, and the
drive must be encrypted.
There are two ways to PGP Whole Disk Encrypt a drive:
Using --secure
using a single command, --secure: this one command does all three of
the above actions. It instruments the drive, creates an authorized user, and
encrypts the drive. This command is most useful when you have just
installed PGP Whole Disk Encryption for Linux and thus have not
instrumented any drives, created any authorized users, or encrypted any
drives.
using multiple commands: for scenarios where you do not need all three
things required to PGP Whole Disk Encrypt at drive, or if you just prefer
using individual commands, you can use --instrument, --add-user,
and finally --encrypt to PGP Whole Disk Encrypt a drive.
The --secure command instruments the drive, creates an authorized user, and
encrypts the drive, all using a single command.
Note: PGP Whole Disk Encryption for Linux must be correctly installed and
licensed before you can use --secure.
Refer to Disk Operation for more information about the --secure command.
17
PGP WDE for Linux User's Guide The Encryption Process
To PGP Whole Disk Encrypt a drive using a single command
1 Access a command prompt on your system.
2 Enter the text for the --secure command on a single line.
For example:
pgpwde --secure --disk 0 --username "Alice Cameron" --
passphrase 'Frodo*1*Baggins22' --all --fast-mode
3 Press Enter. PGP Whole Disk Encryption for Linux begins to PGP Whole
Disk Encrypt the drive.
You can check the progress of the encryption process using the --status
command. Run the command and check the highwater mark; it will continue to
get larger as the encryption process continues.
Using Individual Commands
For scenarios where you do not need to instrument a drive, add a user, and
encrypt the drive all at the same time or if you just prefer using individual
commands, you can run the three needed commands individually.
The three commands and the order in which you need to run them are:
--instrument: replaces the Linux MBR with the PGPMBR.
--add-user: adds an authorized user to the drive.
--encrypt: encrypts the drive.
18
PGP WDE for Linux User's Guide The Encryption Process
To PGP Whole Disk Encrypt a drive using individual commands
1 Access a command prompt on your system.
2 Enter the text for the --instrument command on a single line, then press
Enter.
For example:
pgpwde --instrument --disk 0
This example instruments the boot drive. You can use the --status
command to make sure the drive was instrumented.
3 Enter the text for the --add-user command on a single line, then press
Enter.
For example:
pgpwde --add-user --disk 0 --username "Alice Cameron" --
passphrase 'Frodo@Baggins22'
This example adds a user named Alice Cameron to the boot drive. You can
use the --verify-user command to make sure the user was created.
4 Enter the text for the --encrypt command on a single line, then press
Enter.
For example:
pgpwde --encrypt --disk 0 --passphrase 'Frodo@Baggins22'
--all --safe-mode
This example encrypts all partitions of the boot drive in safe mode.
You can check the progress of the encryption process using the --status
command. Run the command and check the highwater mark; it will continue
to get larger as the encryption process continues.
19
Loading...