PGP Whole Disk Encryption for Linux - 10.0.2 User's Guide
PGP WDE for Linux
User's Guide
Version Information
PGP Whole Disk Encryption for Linux User's Guide. Version 10.0.2. Released April 2010.
Copyright Information
Copyright © 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom
Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a
trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark
of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International
Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of
SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered
and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm,
implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a
license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block
Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP
Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would
like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (https://support.pgp.com). PGP Corporation
may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or
documentation does not give you any license to these patents.
Acknowledgments
This product includes or may include:
-- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation,
developed by zlib (http://www.zlib.net
the MIT License found at http://www.opensource.org/licenses/mit-license.html
available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. -- Application server (http://jakarta.apache.org/
(http://www.apache.org/
developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt
framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an
Apache 2.0-style license, available at http://www.castor.org/license.html
Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software
License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1
Protocol") used for communications between various PGP products is provided under the Apache license found at
http://www.apache.org/licenses/LICENSE-2.0.txt
an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html
Independent JPEG Group. (http://www.ijg.org/
distributed under the MIT License http://www.opensource.org/licenses/mit-license.html
distributed by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt
and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org
implementation of daemon developed by The FreeBSD Project, © 1994-2006. -- Simple Network Management Protocol Library developed and
copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. ©
2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and
Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html. -- NTP version 4.2
by Network Time Protocol and copyrighted to various contributors. -- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP
Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The
OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html
OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgi-
bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. -- PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released
under the BSD license. -- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at
http://www.opensource.org/licenses/ibmpl.php
BSD-style license, available at http://www.postgresql.org/about/licence
PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a
BSD-style license, available at http://jdbc.postgresql.org/license.html
database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence
version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. -
- JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU
Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html
open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the
data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and
Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html
downloading files via common network services, is open source software provided under a MIT/X derivate license available at
http://curl.haxx.se/docs/copyright.html
under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING
libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at
http://directory.fsf.org/libs/COPYING.DOC
communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at
), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML,
). -- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under
. Copyright © 2007 by the Open Source Initiative. -- bzip2 1.0, a freely
), web server
. -- Castor, an open-source, data-binding
. -- Xalan, an open-source software library from the Apache Software
. -- Apache Axis is an implementation of the SOAP ("Simple Object Access
. -- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under
. -- jpeglib version 6a is based in part on the work of the
) -- libxslt the XSLT C library developed for the GNOME project and used for XML transformations is
. -- PCRE Perl regular expression compiler, copyrighted and
. -- BIND Balanced Binary Tree Library
) -- Free BSD
developed
. Secure shell OpenSSH developed by
. -- PostgreSQL, a free software object-relational database management system, is released under a
. -- PostgreSQL JDBC driver, a free Java program used to connect to a
. -- PostgreSQL Regular Expression Library, a free software object-relational
. -- 21.vixie-cron is the Vixie
. Copyright © 2006 The JacORB Project. -- TAO (The ACE ORB) is an
. -- libcURL, a library for
. Copyright (c) 1996 - 2007, Daniel Stenberg. -- libuuid, a library used to generate unique identifiers, is released
. Copyright (C) 1996, 1997 Theodore Ts'o. --
. Copyright © 2000-2003 Free Software Foundation, Inc. -- gSOAP, a development tool for Windows clients to
http://www.cs.fsu.edu/~engelen/license.html. -- Windows Template Library (WTL) is used for developing user interface components and is distributed
under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php
automate a variety of maintenance functions and is provided under the Perl Artistic License, found at
http://www.perl.com/pub/a/language/misc/Artistic.html
rendering, and alpha blending, and is distributed under the license found at
http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/LICENSE.txt?revision=288
-- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public License
(LGPL) found at http://www.gnu.org/licenses/lgpl.html
Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at http://developer.yahoo.com/yui/license.html. --
JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the Apache
2.0 license, available at http://json-lib.sourceforge.net/license.html
at http://ezmorph.sourceforge.net/license.html
http://commons.apache.org/license.html
http://commons.apache.org/license.html
configuration file format used on Windows, on other platforms. Distributed under the MIT License found at http://www.opensource.org/licenses/mit-
license.html. Copyright 2006-2008, Brodie Thiesfield. -- uSTL provides a small fast implementation of common Standard Template Library functions and
data structures and is distributed under the MIT License found at http://www.opensource.org/licenses/mit-license.html
Mike Sharov <msharov@users.sourceforge.net
the PGP SDK. Distributed under the BSD license found at http://www.opensource.org/licenses/bsd-license.php. Copyright 2008
reserved.
Additional acknowledgements and legal notices are included as part of the PGP Universal Server.
. -- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license, available at
. -- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a common
. -- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text
. -- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX.
. -- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license, available
. -- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license, available at
>. -- Protocol Buffers (protobuf), Google's data interchange format, are used to serialize structure data in
. -- The Perl Kit provides several independent utilities used to
. Copyright (c) 2006 Christoph Pfisterer. All rights reserved.
. Copyright (c) 2005-2009 by
Google Inc. All rights
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau
of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided
with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets
your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be
made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
4
Contents
Introduction 1
About PGP Whole Disk Encryption for Linux 1
Important Terms 2
Audience 3
System Requirements 3
Using PGP Whole Disk Encryption for Linux in a PGP Universal Server-Managed Environment 4
Installing and Uninstalling 5
Installing 5
Uninstalling 6
Licensing 7
Overview 7
--license-authorize 8
Licensing via a Proxy Server 8
Enrolling 11
Overview 11
--enroll 12
--check-enroll 13
The Command-Line Interface 15
Overview 15
Scripting 16
WDE-ADMIN Active Directory Group 16
Passphrases 16
--interactive 17
Before You Encrypt 19
Ensure Disk Health 19
Choose Encryption Options 20
Maintain Power Throughout Encryption 20
The Encryption Process 21
Overview 21
Using --secure 21
i
PGP WDE for Linux User's Guide Contents
Using Individual Commands 22
The PGP BootGuard Screen 25
Overview 25
Authenticating 26
Authenticating if You Have Forgotten Your Passphrase 27
Choosing a Keyboard 28
Generic Commands 29
--help (-h) 29
--version 30
Disk Information Commands 31
--enum 31
--info 32
--show-config 33
--status 33
Boot Bypass Commands 35
--add-bypass 35
--check-bypass 36
--remove-bypass 37
Disk Operation 39
--decrypt 39
--encrypt 40
--resume 41
--secure 42
--stop 43
Disk Management 45
--auth 45
--instrument 46
--uninstrument 46
User Management Commands 49
--add-user 49
--change-passphrase 50
--change-userdomain 51
--list-user 52
ii
PGP WDE for Linux User's Guide Contents
--remove-user 53
--verify-user 53
PGP BootGuard Customization Commands 55
--set-background 55
--set-language 56
--set-sound 57
--set-start 58
--set-text 59
Recovery Token Commands 61
--new-wdrt 61
Local Self Recovery 63
--recovery-configure 64
--recovery-questions 65
--recovery-verify 66
--recovery-remove 67
--recovery-change-passphrase 67
Authenticating if you Have Forgotten Your Passphrase 68
Options 71
Overview 72
"Secure" Options 74
--admin-authorization 74
--admin-passphrase 74
--all 75
--answers-file 75
--auto-start 75
--beep 75
--dedicated-mode 76
--disk (-d) 76
--display 76
--domain-name 77
--fast-mode 77
--image 77
--interactive 77
--keyboard 78
--keyid 78
--license-email 78
--license-name 79
--license-number 79
--license-organization 79
--message 80
iii
PGP WDE for Linux User's Guide Contents
--new-domain 80
--new-passphrase 80
--no-beep 80
--partition 81
--passphrase (-p) 81
--questions-file 81
--recovery-token 82
--safe-mode 82
--username 82
Quick Reference 83
Commands 83
Options 85
Troubleshooting 87
Overview 87
Encryption Does Not Begin 88
Encryption Does Not Finish 89
Problems at PGP BootGuard 91
iv
1
Introduction
This guide tells you how to use PGP Whole Disk Encryption for Linux.
In This Chapter
About PGP Whole Disk Encryption for Linux............................................. 1
Important Terms ........................................................................................ 2
Audience ....................................................................................................3
System Requirements ............................................................................... 3
Using PGP Whole Disk Encryption for Linux in a PGP Universal Server-
Managed Environment...............................................................................3
About PGP Whole Disk Encryption for Linux
Thank you for using PGP Whole Disk Encryption for Linux, a software product
from PGP Corporation that locks down the entire contents of your Linux system
using PGP Whole Disk Encryption (WDE) technology.
For more information about PGP WDE, see the:
PGP Desktop User's Guide
PGP WDE Quick Start Guide
PGP WDE Data Sheet (available via the PGP WDE page on the PGP
Corporation website)
PGP Whole Disk Encryption for Linux gives you access to PGP WDE
functionality using a command-line interface.
The encryption algorithm used by PGP Whole Disk Encryption for Linux is AES-
256. The hashing algorithm is SHA-1. You cannot change these.
Warning: Once you unlock a disk, its files are available to you—as well as
anyone else who can physically use your system. Your files are unlocked until
you lock them again by shutting down your system.
1
PGP WDE for Linux User's Guide Introduction
Important Terms
Understanding the following terms will help make it easier to use PGP Whole
Disk Encryption for Linux:
PGP Whole Disk Encryption (PGP WDE): a technology that encrypts the
entire contents of a disk; boot disks, partitions, and non-boot disks such as
USB thumb drives can all be whole disk encrypted.
PGP Whole Disk Encryption for Linux: a software product from PGP
Corporation that brings PGP WDE technology to the Linux platform,
allowing you to lock down the entire contents of your Linux system.
command line: the interface to PGP Whole Disk Encryption for Linux
functionality. All PGP Whole Disk Encryption for Linux commands and
options are accessed via the command-line interface.
passphrase user: a user who can authenticate to an encrypted disk using a
passphrase.
public-key user: a user who can authenticate to an encrypted disk using
the passphrase to the corresponding private key.
encrypt: the process of "scrambling" data so that it is not usable unless you
properly authenticate.
decrypt: the process of "unscrambling" encrypted data.
master boot record (MBR): software on a disk that is "in front" of the
partition table; that is, it is implemented during the startup process before
the operating system itself. The instructions in the MBR tells the system
how to boot.
instrument: a part of the process of whole disk encrypting a disk/partition
where the Linux MBR is replaced with the PGPMBR.
PGPMBR: an MBR from PGP Corporation that implements the PGP
BootGuard. Once a disk is instrumented, even if it is not fully encrypted,
subsequent startups will bring up PGP BootGuard.
PGP BootGuard: the screen that appears after instrumenting a disk that
requires proper authentication for the boot process to continue. If proper
authentication is not provided, the boot process will not continue; the
operating system will not load and the system will not be usable.
uninstrument: removing the PGPMBR and replacing it with the original
Linux MBR (which was saved when the disk was instrumented).
whole disk recovery token (WDRT): an additional passphrase for a whole
disk encrypted disk that is passed to the appropriate PGP Universal Server
if the disk is part of a PGP Universal-managed environment.
PGP Universal Server: a management console for securing data from PGP
Corporation.
2
PGP WDE for Linux User's Guide Introduction
managed user: someone using PGP Whole Disk Encryption for Linux in a
PGP Universal Server-managed environment. Managed users receive
policies and settings from their PGP Universal Server.
enroll: the process of a user in a PGP Universal Server-managed
environment contacting their PGP Universal Server so that they can receive
applicable policies and settings.
standalone user: someone using PGP Whole Disk Encryption for Linux
with no associated PGP Universal Server. Standalone users establish their
own policies and settings.
recovery: the process of restoring access to a disk/partition that has been
whole disk encrypted but now cannot be decrypted.
Audience
This User's Guide is for anyone who is going to be using PGP Whole Disk
Encryption for Linux to perform PGP WDE functions on their Linux system.
System Requirements
The system requirements for PGP Whole Disk Encryption for Linux are:
Ubuntu 8.04 and 9.04 (32-bit versions) and Red Hat Enterprise
Linux/CentOS 5.2 and 5.3 (32-bit versions), Ubuntu 8.04 and 9.04 (64-bit
versions), Red Hat Enterprise Linux 5.2 and 5.3 (64-bit versions)
Note: CentOS is free, open source software based on Red Hat Enterprise
Linux. For the purposes of supporting PGP Whole Disk Encryption for Linux,
the two are functionally equivalent.
512 MB of RAM
64 MB hard disk space
3
PGP WDE for Linux User's Guide Introduction
Using PGP Whole Disk Encryption for Linux in a PGP
Universal Server-Managed Environment
If you are using PGP Whole Disk Encryption for Linux in a PGP Universal Servermanaged environment, your PGP Universal administrator may have enabled or
disabled certain features. For example, you may be required to encrypt your
drive immediately after enrolling with your PGP Universal Server.
If you have any questions about features that may be have been automatically
enabled or disabled, contact your PGP Universal administrator.
4
2
Installing
Installing and Uninstalling
This section describes how to install and uninstall PGP Whole Disk Encryption
for Linux.
In This Chapter
Installing.....................................................................................................5
Uninstalling ................................................................................................6
The PGP Whole Disk Encryption for Linux installer is a bsx (Bash Self-eXtracting)
file.
You must have root privileges to install.
Note: The installer file may have a slightly different filename than shown in
the procedure below depending on the platform you are installing onto.
To install PGP Whole Disk Encryption for Linux
1 Download the installer file, called
pgp_desktop_10.0.1_linux_ub9.04_i386.bsx for Ubuntu 9.04, to a
known location on your system.
2 Begin the installation process using either of the following methods:
a Make the file an executable (using chmod +x [filename]),
then use ./[filename] Enter to begin the installation.
or
b Begin the installation via a shell: bash [filename] Enter
3 Follow the on-screen instructions.
4 Reboot your system when the installation is complete.
5
PGP WDE for Linux User's Guide Installing and Uninstalling
Uninstalling
Use the built-in uninstaller for the version of Linux you are using to uninstall PGP
Whole Disk Encryption for Linux. You must have root privileges to uninstall.
Warning: You must decrypt any whole disk encrypted drives before
uninstalling PGP Whole Disk Encryption for Linux or removing any packages.
The packages that are installed are: pgp-libs, pgpwde, pgp-release, and kmodpgpwde.
6
3
Licensing
This section describes how to license PGP Whole Disk Encryption for Linux.
You must license PGP Whole Disk Encryption for Linux if you are using it
standalone; that is, you are not in a PGP Universal Server-managed
environment.
You do not need to enroll PGP Whole Disk Encryption for Linux if you are using
it standalone; that is only required for PGP Universal Server-managed
environments.
Note: As PGP Whole Disk Encryption for Linux will not operate normally until
licensed, you should license it immediately after installation.
Overview
In This Chapter
Overview.................................................................................................... 7
--license-authorize ...................................................................................... 8
Licensing via a Proxy Server ...................................................................... 8
PGP Whole Disk Encryption for Linux requires a valid license to operate. This
section describes how to license your copy of PGP Whole Disk Encryption for
Linux.
PGP Whole Disk Encryption for Linux supports the following licensing scenarios:
Using a License Number. This is the normal method to license PGP Whole
Disk Encryption for Linux. You must have your license information and a
working connection to the Internet.
Through a Proxy Server. If you connect to the Internet through a proxy
server, use this method to license PGP Whole Disk Encryption for Linux.
You must have your license information and the appropriate proxy server
information.
The licensing command is --license-authorize.
Once PGP Whole Disk Encryption for Linux is correctly installed and licensed on
your system, you can encrypt your drive. See The Encryption Process for
complete information.
7
PGP WDE for Linux User's Guide Licensing
--license-authorize
Use --license-authorize to license PGP Whole Disk Encryption for Linux.
The usage format is:
pgpwde --license-authorize --license-name <name>
--license-number <number> [--license-email
<emailaddress>] [--license-organization <org>]
Where:
--license-authorize is the command to license PGP Whole Disk
Encryption for Linux.
--license-name is the option to specify the user.
<name> is your name or a descriptive name.
--license-number is the option to enter a license number.
<number> is a valid license number for PGP Whole Disk Encryption for
Linux.
--license-email is the option to enter an email address.
<emailaddress> is a valid email address.
--license-organization is the option to enter an organization.
<org> is the name of your organization.
If you decide not to enter a license email, you may see a warning message but
your license will authorize.
Example:
pgpwde --license-authorize --license-name "Alice
Cameron"
--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"
--license-email "acameron@example.com
--license-organization "Example Corporation"
(When entering this text, it all goes on a single line.)
Licensing via a Proxy Server
If the Internet access of the system hosting PGP Whole Disk Encryption for
Linux is via an HTTP proxy connection, you can still license your copy of PGP
Whole Disk Encryption for Linux directly; you simply need to add the necessary
proxy information.
"
Use --license-authorize to license PGP Whole Disk Encryption for Linux
via a proxy server.
8
PGP WDE for Linux User's Guide Licensing
The usage format is:
pgpwde --license-authorize --license-name <name>
--license-number <number> [--license-email
<emailaddress>] [--license-organization <org>] [--proxyserver <proxyserver>] [--proxy-username <proxyusername>]
[--proxy-passphrase <proxypass>]
Where:
--license-authorize is the command to license PGP Whole Disk
Encryption for Linux.
--license-name is the option to specify the user.
<name> is your name or a descriptive name.
--license-number is the option to enter a license number.
<number> is a valid license number for PGP Whole Disk Encryption for
Linux.
--license-email is the option to enter an email address.
<emailaddress> is a valid email address.
--license-organization is the option to enter an organization.
<org> is the name of your organization.
--proxy-server is the command to go through a proxy server to access
the Internet.
<proxyserver> is the appropriate proxy server.
--proxy-username is the command to specify a user on the proxy server
when authentication is required.
<proxyusername> is a valid username on the specified proxy server.
--proxy-passphrase is the option to specify the passphrase of the
specified user when authentication is required.
<proxypass> is the passphrase for the specified user on the proxy server.
Example:
pgpwde --license-authorize --license-name "Alice
Cameron"
--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"
--license-email "acameron@example.com
"
--license-organization "Example Corporation"
--proxy-server "proxyserver.example.com"
--proxy-username "acameron"
--proxy-passphrase 'a_cameron1492sailedblue'
(When entering this text, it all goes on a single line.)
9
4
Enrolling
This section describes how to enroll PGP Whole Disk Encryption for Linux.
You must enroll PGP Whole Disk Encryption for Linux if you are using it in a PGP
Universal Server-managed environment.
You do not need to license PGP Whole Disk Encryption for Linux in a PGP
Universal Server-managed environment, as the license is included in the
installer.
Note: As PGP Whole Disk Encryption for Linux will not operate normally until
you enroll, you should enroll immediately after installation.
In This Chapter
Overview
Overview.................................................................................................. 11
--enroll ......................................................................................................12
--check-enroll............................................................................................ 13
You must enroll with a PGP Universal Server before you can use any PGP Whole
Disk Encryption for Linux features in a PGP Universal Server-managed
environment.
When enrollment is complete, PGP Whole Disk Encryption for Linux will receive
policies and settings from its PGP Universal Server. It will also send information
to the PGP Universal Server that can be seen by the PGP Universal
administrator.
Note: You must initiate enrollment on your own. You will not be prompted to
do so.
Enrollment uses LDAP credentials. The username and passphrase required for
both enrolling and checking enrollment status are the username and passphrase
of the user on the LDAP server.
If enrollment is unsuccessful, contact your PGP Universal administrator for
assistance.
11
PGP WDE for Linux User's Guide Enrolling
You can check the enrollment status of a client using the --check-enroll
command. When successful, this command will note that the client is enrolled
and will download the latest policies and settings. If unsuccessful, this means
that the client must enroll again because of a change of policies or settings on
the PGP Universal Server.
Once PGP Whole Disk Encryption for Linux is correctly installed on your system
and you have enrolled, you can encrypt your drive. Refer to The Encryption
Process for complete information.
--enroll
Use --enroll to enroll PGP Whole Disk Encryption for Linux.
Entering a username and passphrase on the command line are optional. If you
do not enter them, you will be prompted for them.
Note: --enroll is preceded by pgpenroll instead of the usual pgpwde.
The usage format is:
pgpenroll --enroll [--username <user>] [--passphrase
<phrase>]
Where:
--enroll is the command to enroll with a PGP Universal Server.
--username specifies a username for an operation (optional).
<user> is the username (on the LDAP server) of the user being enrolled.
--passphrase specifies the passphrase for an operation (optional).
<phrase> is the passphrase (on the LDAP server) of the user being
enrolled.
Examples:
pgpenroll --enroll --username "Alice Cameron"
--passphrase 'Frodo@Baggins22'
This example shows user Alice Cameron enrolling PGP Whole Disk
Encryption for Linux. The username and passphrase she is using are her
credentials on her organization's LDAP server.
pgpenroll --enroll
This example shows a user enrolling PGP Whole Disk Encryption for Linux.
Because the username and passphrase are not supplied on the command
line, the enrolling user will be prompted for them.
12
PGP WDE for Linux User's Guide Enrolling
--check-enroll
Use --check-enroll to check the enrollment status of a client.
Note: --check-enroll is preceded by pgpenroll instead of the usual
pgpwde.
If the enrollment check fails, contact your PGP Universal administrator for
instructions.
The usage format is:
pgpenroll --check-enroll [--username <user>]
[--passphrase <phrase>]
Where:
--enroll is the command to check the enrollment status of a client.
--username specifies a username (on the LDAP server) for an operation.
<user> is the username of the user whose enrollment status is being
checked.
--passphrase specifies the passphrase for an operation.
<phrase> is the passphrase (on the LDAP server) of the user whose
enrollment status is being checked.
Example:
pgpenroll --check-enroll --username "Alice Cameron"
--passphrase 'Frodo@Baggins22'
This example shows the enrollment status of Alice Cameron being
checked.
13
The Command-Line
5
Overview
Interface
This section describes the command-line interface used by PGP Whole Disk
Encryption for Linux .
In This Chapter
Overview.................................................................................................. 15
Scripting ...................................................................................................16
WDE-ADMIN Active Directory Group ......................................................16
Passphrases............................................................................................. 16
--interactive ..............................................................................................17
PGP Whole Disk Encryption for Linux uses a command-line interface.
Note: Versions of PGP Whole Disk Encryption for other platforms support
both a graphical user interface and a command line interface. PGP Whole Disk
Encryption for Linux has only a command-line interface.
You enter a valid command at the command prompt and press Enter. PGP
Whole Disk Encryption for Linux responds based on what you entered: with
success (if you entered a valid command) or with an error message (if you
entered an invalid or incorrectly structured command).
All PGP Whole Disk Encryption for Linux commands have a long form: the text
"pgpwde", a space, two hyphens "--", the command name, and options (if
appropriate).
For example:
$pgpwde --help [Enter]
is the command to display the built-in help information. It has no options.
(The command prompt, $ in the above example, and [Enter] will no longer be
shown in examples; only the necessary commands and options will be shown.)
A few commands also have a short form: either one hyphen and then a single
letter or two hyphens and two letters.
15
PGP WDE for Linux User's Guide The Command-Line Interface
For example:
-h for help instead of --help
--aa for administrative authorization instead of --adminauthorization
You can mix long forms and short forms in a single command.
Scripting
Short forms are noted where appropriate.
PGP Whole Disk Encryption for Linux commands can easily be inserted into
scripts for automating common tasks, such as encrypting a disk or getting
information about an encrypted disk.
PGP Whole Disk Encryption for Linux commands can easily be added to scripts
written with scripting languages such as Perl or Python.
WDE-ADMIN Active Directory Group
If you are an administrator of PGP Whole Disk Encryption for Linux clients in a
PGP Universal environment and using Active Directory, you can create a special
Active Directory group to allow you to run commands on your managed PGP
Whole Disk Encryption for Linux clients without knowing the passphrase of a
user on the encrypted disk.
This special Active Directory group, which must be called WDE-ADMIN, must
be a security group, not a distribution group.
Passphrases
Using the --admin-authorization option is useful for running
administrative tasks in an enterprise.
Refer to the PGP Universal Administrator's Guide for more information about
creating and using the WDE-ADMIN Active Directory group.
For consistency, all example passphrases in this guide are shown in single
quotation marks ('). Putting passphrases between single quotation marks
ensures that reserved characters and spaces are interpreted correctly.
If you do not use any reserved characters or spaces in your passphrases, then
you do not have to enclose them in single quotation marks.
16
PGP WDE for Linux User's Guide The Command-Line Interface
On Windows systems, for example, if you have a space in a passphrase, you
must enclose the passphrase in single or double quotation marks when you
enter it. Also, double quotation marks (") as part of the passphrase must be
escaped with a preceding double quotation mark.
For example, if you want to use
Thomas "Stonewall" Jackson
as your passphrase, you would have to enter it as
'Thomas ""Stonewall"" Jackson'
on the command line. You need the quotation marks at the beginning and end
for the spaces and you need to escape each double quotation mark used in the
passphrase with another double quotation mark.
Note: If you are having problems entering certain characters in your
passphrases, check the information about how to handle reserved characters
for the operating system or shell interpreter you are using.
--interactive
You can use --interactive whenever you could use a command that
requires a passphrase be entered on the command line. If you do, you will be
prompted to enter a valid passphrase on a separate line.
Using --interactive makes using PGP Whole Disk Encryption for Linux
more secure by preventing passphrases from being entered in the clear on the
command line. When you use --interactive, the characters you enter are
not displayed.
Note: --interactive is also used in a different way when configuring local
self recovery. See Local Self Recovery for more information.
17
6
Before You Encrypt
When you encrypt an entire disk using PGP Whole Disk Encryption for Linux,
every sector is encrypted using a symmetric key. This includes all files including
operating system files, application files, data files, swap files, free space, and
temp files.
On subsequent reboots, PGP Whole Disk Encryption for Linux prompts you for
the correct passphrase. As long as you correctly authenticate to your PGP
Whole Disk Encryption for Linux-encrypted disk (after you enter the correct
passphrase at the PGP BootGuard screen), your files are available. When you
shut down your system, the disk is protected against use by others.
Before encrypting your disk with PGP Whole Disk Encryption for Linux, there are
some important things to do:
Ensure the health of the hard disk.
Choose the encryption options to use.
Make sure to maintain power throughout encryption.
In This Chapter
Ensure Disk Health ..................................................................................19
Choose Encryption Options .....................................................................20
Maintain Power Throughout Encryption .................................................. 20
Ensure Disk Health
PGP Corporation deliberately takes a conservative stance when encrypting
drives, to prevent loss of data. It is not uncommon to encounter Cyclic
Redundancy Check (CRC) errors while encrypting a hard disk.
If PGP Whole Disk Encryption for Linux encounters a hard drive or partition with
bad sectors, it will, by default, pause the encryption process. This pause allows
you to remedy the problem before continuing with the encryption process, thus
avoiding potential disk corruption and lost data.
To avoid disruption during encryption, PGP Corporation recommends that you
start with a healthy disk by correcting any disk errors prior to encrypting.
As best practices, before you attempt to encrypt your drive:
19
PGP WDE for Linux User's Guide Before You Encrypt
use a third-party scan disk utility that has the ability to perform a low-level
integrity check and repair any inconsistencies with the drive that could lead
to CRC errors.
Choose Encryption Options
There are several options you can use during the encryption process itself:
--dedicated-mode: Uses maximum computer power to encrypt faster;
your system is less responsive during encryption.
--fast-mode: Skips unused sectors, so encryption of the disk is faster.
--safe-mode: Allows encryption to be resumed without loss of data if
power is lost during encryption; encryption takes longer.
Maintain Power Throughout Encryption
Because encryption is a CPU-intensive process, encryption cannot begin on a
laptop computer that is running on battery power. The computer must be on AC
power. Do not remove the power cord from the system before the encryption
process is over.
Regardless of the type of computer you are working with, your system must not
lose power, or otherwise shut down unexpectedly, during the encryption
process, unless you use the --safe-mode option. Even if you are using the -safe-mode option, it is still better not to lose power during the encryption
process.
If loss of power during encryption is a possibility—or if you do not have an
uninterruptible power supply for your computer—be sure to use the --safe-
mode option.
These options are also described with the --encrypt command.
20
7
The Encryption Process
This section describes the two methods for whole disk encrypting a drive.
In This Chapter
Overview.................................................................................................. 21
Using --secure ..........................................................................................21
Using Individual Commands ....................................................................22
Overview
Using --secure
To PGP Whole Disk Encrypt a drive requires several things: the drive must be
instrumented, there must be at least one authorized user on the drive, and the
drive must be encrypted.
There are two ways to PGP Whole Disk Encrypt a drive:
using a single command, --secure: this one command does all three of
the above actions. It instruments the drive, creates an authorized user, and
encrypts the drive. This command is most useful when you have just
installed PGP Whole Disk Encryption for Linux and thus have not
instrumented any drives, created any authorized users, or encrypted any
drives.
using multiple commands: for scenarios where you do not need all three
things required to PGP Whole Disk Encrypt at drive, or if you just prefer
using individual commands, you can use --instrument, --add-user,
and finally --encrypt to PGP Whole Disk Encrypt a drive.
The --secure command instruments the drive, creates an authorized user, and
encrypts the drive, all using a single command.
Note: PGP Whole Disk Encryption for Linux must be correctly installed and
licensed before you can use --secure.
Refer to Disk Operation for more information about the --secure command.
21
PGP WDE for Linux User's Guide The Encryption Process
To PGP Whole Disk Encrypt a drive using a single command
1 Access a command prompt on your system.
2 Enter the text for the --secure command on a single line.
For example:
pgpwde --secure --disk 0 --username "Alice Cameron" -passphrase 'Frodo*1*Baggins22' --all --fast-mode
3 Press Enter. PGP Whole Disk Encryption for Linux begins to PGP Whole
Disk Encrypt the drive.
You can check the progress of the encryption process using the --status
command. Run the command and check the highwater mark; it will continue to
get larger as the encryption process continues.
Using Individual Commands
For scenarios where you do not need to instrument a drive, add a user, and
encrypt the drive all at the same time or if you just prefer using individual
commands, you can run the three needed commands individually.
The three commands and the order in which you need to run them are:
--instrument: replaces the Linux MBR with the PGPMBR.
--add-user: adds an authorized user to the drive.
--encrypt: encrypts the drive.
To PGP Whole Disk Encrypt a drive using individual commands
1 Access a command prompt on your system.
2 Enter the text for the --instrument command on a single line, then press
Enter.
For example:
pgpwde --instrument --disk 0
This example instruments the boot drive. You can use the --status
command to make sure the drive was instrumented.
3 Enter the text for the --add-user command on a single line, then press
Enter.
For example:
pgpwde --add-user --disk 0 --username "Alice Cameron" -passphrase 'Frodo@Baggins22'
This example adds a user named Alice Cameron to the boot drive. You can
use the --verify-user command to make sure the user was created.
22
Loading...