PGP Whole Disk Encryption for Linux - 10.1.2 Instruction Manual

PGP WDE for Linux

User's Guide

Version Information

PGP Whole Disk Encryption for Linux User's Guide. Version 10.1.2. Released March 2011.

Copyright Information

Copyright © 1991-2011 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.

Trademark Information

PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of
Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant
Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a
registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered
trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and
Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple
Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Licensing and Patent Information

The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm,
implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a
license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block
Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP
Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would
like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (https://support.pgp.com). PGP Corporation
may have patents and/or pending patent applications cov
documentation does not give you any license to these patents.

ering subject matter in this software or its documentation; the furnishing of this software or

Acknowledgments

This product includes or may include:

-- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with
developed by zlib (http://www.zlib.net
under the MIT License found at http://www.opensource.org/licenses/mit-license.html
freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. -- Application server (http://jakarta.apache.org/
server (http://www.apache.org/
HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt
binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group
under an Apache 2.0-style license, available at http://www.castor.org/license.html
Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software
License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1
Protocol") used for communications between various PGP products is provided under the Apache license found at

http://www.apache.org/licenses/LICENSE-2.0.txt

under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html
Independent JPEG Group. (http://www.ijg.org/
distributed under the MIT License http://www.opensource.org/licenses/mit-license.
distributed by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt
and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org
implementation of daemon developed by The FreeBSD Project, © 1994-2006. -- Simple Network Management Protocol Library developed and
copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. ©
2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and
Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html. -- NTP version
by Network Time Protocol and copyrighted to various contributors. -- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP
Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The
OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html
OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgi-

bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. -- PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released

under the BSD license. -- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at

http://www.opensource.org/licenses/ibmpl.php

BSD-style license, available at http://www.postgresql.org/about/licence
PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a
BSD-style license, available at http://jdbc.postgresql.org/license.html
database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence
version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. -

- JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the
GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html
is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and
the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and
Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html
downloading files via common network services, is open source software provided under a MIT/X derivate license available at

http://curl.haxx.se/docs/copyright.html

under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING
libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at

http://directory.fsf.org/libs/COPYING.DOC

to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at

). -- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted

. Copyright © 2007 by the Open Source Initiative. -- bzip2 1.0, a

), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse

. -- Xalan, an open-source software library from the Apache Software

. -- Apache Axis is an implementation of the SOAP ("Simple Object Access

. -- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released

) -- libxslt the XSLT C library developed for the GNOME project and used for XML transformations is

html. -- PCRE Perl regular expression compiler, copyrighted and

. -- PostgreSQL, a free software object-relational database management system, is released under a

. -- PostgreSQL JDBC driver, a free Java program used to connect to a

. -- PostgreSQL Regular Expression Library, a free software object-relational

. Copyright (c) 1996 - 2007, Daniel Stenberg. -- libuuid, a library used to generate unique identifiers, is released

. Copyright © 2000-2003 Free Software Foundation, Inc. -- gSOAP, a development tool for Windows clients

permission from the free Info-ZIP implementation,

), web

. -- Castor, an open-source, data-

. -- jpeglib version 6a is based in part on the work of the

. -- BIND Balanced Binary Tree Library

) -- Free BSD

4.2 developed

. Secure shell OpenSSH developed by

. -- 21.vixie-cron is the Vixie

. Copyright © 2006 The JacORB Project. -- TAO (The ACE ORB)

. -- libcURL, a library for

. Copyright (C) 1996, 1997 Theodore Ts'o. --

http://www.cs.fsu.edu/~engelen/license.html. -- Windows Template Library (WTL) is used for developing user interface components and is distributed

under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php
automate a variety of maintenance functions and is provided under the Perl Artistic License, found at

http://www.perl.com/pub/a/language/misc/Artistic.html

rendering, and alpha blending, and is distributed under the license found at

http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/L

reserved. -- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public
License (LGPL) found at http://www.gnu.org/licenses/lgpl.html
Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at http://developer.yahoo.com/yui/license.html. --

JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the

Apache 2.0 license, available at http://json-lib.sourceforge.net/license.html
available at http://ezmorph.sourceforge.net/license.html
available at http://commons.apache.org/license.html
available at http://commons.apache.org/license.html
common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at

http://www.opensource.org/licenses/mit-license.html. Copyright 2006-2008

Standard Template Library functions and data structures and is distributed under the MIT License found at http://www.opensource.org/licenses/mit-

license.html. Copyright (c) 2005-2009 by Mike Sharov <msharov@users.sourceforge.net>. -- Protocol Buffers (protobuf), Google's data interchange

format, are used to serialize structure data in the PGP SDK. Distributed under the BSD license found at http://www.opensource.org/licenses/bsd-

license.php. Copyright 2008 Google Inc. All rights reserved.

Additional acknowledgements and legal notices are included as part of the PGP Universal Server.

. -- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text

ICENSE.txt?revision=288. Copyright (c) 2006 Christoph Pfisterer. All rights

. -- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX.

. -- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license,

. -- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license,
. -- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license,
. -- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a

, Brodie Thiesfield. -- uSTL provides a small fast implementation of common

. -- The Perl Kit provides several independent utilities used to

Export Information

Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau
of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.

Limitations

The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided
with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets
your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be
made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Unsupported Third Party Products

By utilizing third party products, software, drivers, or other components ("Unsupported Third Party Product") to interact with the PGP software and/or by
utilizing any associated PGP command or code provided by to you by PGP at its sole discretion to interact with the Unsupported Third Party Product
("PGP Third Party Commands"), you acknowledge that the PGP software has not been designed for or formally tested with the Unsupported Third Party
Product, and therefore PGP provides no support or warranties with respect to the PGP Third Party Commands or the PGP software's compatibility with
Unsupported Third Party Products. THE PGP THIRD PARTY COMMANDS ARE PROVIDED "AS IS," WITH ALL FAULTS, AND THE ENTIRE RISK AS TO
SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, PGP DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY
WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, QUIET
ENJOYMENT, AND ACCURACY WITH RESPECT TO THE PGP THIRD PARTY COMMANDS OR THE PGP SOFTWARE'S COMPATIBILITY WITH THE
UNSUPPORTED THIRD PARTY PRODUCT.

Contents

Introduction 1

About PGP Whole Disk Encryption for Linux 1
Important Terms 2
Audience 3
System Requirements 3
Using PGP Whole Disk Encryption for Linux in a PGP Universal Server-Managed Environment 3

Installing and Uninstalling 5

Installing 5
Uninstalling 6

Licensing 7

Overview 7

--license-authorize 8
Licensing via a Proxy Server 8

Enrolling 11

Overview 11

--enroll 12

--check-enroll 13

The Command-Line Interface 15

Overview 15
Scripting 16
WDE-ADMIN Active Directory Group 16
Passphrases 16

--interactive 17

Before You Encrypt 19

Ensure Disk Health 19
Choose Encryption Options 20
Maintain Power Throughout Encryption 20

i

PGP WDE for Linux User's Guide Contents

The Encryption Process 21

Overview 21
Using --secure 21
Using Individual Commands 22

The PGP BootGuard Screen 25

Overview 25
Authenticating 26
Authenticating if You Have Forgotten Your Passphrase 27
Choosing a Keyboard 28

Generic Commands 29

--help (-h) 29

--version 30

Disk Information Commands 31

--enum 31

--info 32

--show-config 33

--status 33

Boot Bypass Commands 35

--add-bypass 35

--check-bypass 37

--remove-bypass 37

Disk Operation 39

--decrypt 39

--encrypt 40

--resume 41

--secure 42

--stop 43

Disk Management 45

--auth 45

--instrument 46

--uninstrument 46

ii

PGP WDE for Linux User's Guide Contents

User Management Commands 49

--add-user 49

--change-passphrase 50

--change-userdomain 51

--list-user 52

--remove-user 53

--verify-user 53

PGP BootGuard Customization Commands 55

--set-background 55

--set-language 56

--set-sound 57

--set-start 58

--set-text 59

Recovery Token Commands 61

--new-wdrt 61

Local Self Recovery 63

--recovery-configure 64

--recovery-questions 65

--recovery-verify 66

--recovery-remove 67

--recovery-change-passphrase 67
Authenticating if you Have Forgotten Your Passphrase 68

Options 71

Overview 72
"Secure" Options 74

--admin-authorization 74

--admin-passphrase 74

--all 75

--answers-file 75

--auto-start 75

--beep 75

--count 76

--dedicated-mode 76

--disk (-d) 76

--display 77

--domain-name 77

--fast-mode 77

--image 78

--interactive 78

iii

PGP WDE for Linux User's Guide Contents

--keyboard 78

--keyid 78

--license-email 79

--license-name 79

--license-number 79

--license-organization 80

--message 80

--new-domain 80

--new-passphrase 81

--no-beep 81

--partition 81

--passphrase (-p) 82

--questions-file 82

--recovery-token 82

--safe-mode 83

--username 83

Quick Reference 85

Commands 85
Options 87

Troubleshooting 89

Overview 89
Encryption Does Not Begin 89
Encryption Does Not Finish 91
Problems at PGP BootGuard 92

iv

1

Introduction

This guide tells you how to use PGP Whole Disk Encryption for Linux.

In This Chapter

About PGP Whole Disk Encryption for Linux ............................................ 1

Important Terms........................................................................................ 2

Audience.................................................................................................... 3

System Requirements ............................................................................... 3

Using PGP Whole Disk Encryption for Linux in a PGP Universal Server­Managed Environme

nt .............................................................................. 3

About PGP Whole Disk Encryption for Linux

Thank you for using PGP Whole Disk Encryption for Linux, a software product
from PGP Corporation that locks down the entire contents of your Linux system
using PGP Whole Disk Encryption (WDE) technology.

For more information about PGP WDE, see the:

 PGP Desktop User's Guide
 PGP WDE Quick Start Guide
 PGP WDE Data Sheet (available via the PGP WDE page on the PGP

Co

oration website)

rp

PGP Whole Disk Encryption for Linux gives you access to PGP WDE

onality using a command-line interface.

functi

The encryption algorithm used by PGP Whole Disk Encryption for Linux is AES-

256. The hashing algo

Warning: Once you unlock a disk, its files are available to you—as well as

anyone else who can physically use your system. Your files are unlocked until
you lock them again by shutting down your system.

rithm is SHA-1. You cannot change these.

1

PGP WDE for Linux User's Guide Introduction

Important Terms

Understanding the following terms will help make it easier to use PGP Whole
Disk Encryption for Linux:

 PGP Whole Disk Encryption (PGP WDE): a technology that encrypts the

entire con
USB thumb drives can all be whole disk encrypted.

 PGP Whole Disk Encryption for Linux: a software product from PGP

Corporatio
allowing you to lock down the entire contents of your Linux system.

 command line: the interface to PGP Whole Disk Encryption for Linux

functi
options are accessed via the command-line interface.

 passphrase user: a user who can authenticate to an encrypted disk using

a passphra

 public-key user: a user who can authenticate to an encrypted disk using

the passphrase to the

tents of a disk; boot disks, partitions, and non-boot disks such as

n that brings PGP WDE technology to the Linux platform,

onality. All PGP Whole Disk Encryption for Linux commands and

se.

corresponding private key.

 encrypt: the process of "scrambling" data so that it is not usable unless you

perly authenticate.

pro

 decrypt: the process of "unscrambling" encrypted data.
 master boot record (MBR): software on a disk that is "in front" of the

parti

tion table; that is, it is implemented during the startup process before

the operating system itself. The instructi

ons in the MBR tells the system

how to boot.

 instrument: a part of the process of whole disk encrypting a disk/partition

where th

e Linux

MBR is replaced with the PGPMBR.

 PGPMBR: an MBR from PGP Corporation that implements the PGP

BootGuard. Once a disk is i

nstrumented, even if it is not fully encrypted,

subsequent startups will bring up PGP BootGuard.

 PGP BootGuard: the screen that appears after instrumenting a disk that

requires
authentication is
operating system will not lo

proper authentication for the boot process to continue. If proper

not provided, the boot process will not continue; the

ad and the system will not be usable.

 uninstrument: removing the PGPMBR and replacing it with the original

Linux MBR (which was saved when the

disk was instrumented).

 whole disk recovery token (WDRT): an additional passphrase for a whole

disk encrypte

d disk that is passed to the appropriate PGP Universal Server

if the disk is part of a PGP Universal-managed environment.

 PGP Universal Server: a management console for securing data from PGP

Corporation.

2

PGP WDE for Linux User's Guide Introduction

 managed user: someone using PGP Whole Disk Encryption for Linux in a

PGP Universal Server-managed environment. Managed users receive
policies and settings from their PGP Universal Server.

 enroll: the process of a user in a PGP Universal Server-managed

nment contacting their PGP Universal Server so that they can receive

enviro
applicable policies and settings.

 standalone user: someone using PGP Whole Disk Encryption for Linux

with no asso

ciated PGP Universal Server. Standalone users establish their

own policies and settings.

 recovery: the process of restoring access to a disk/partition that has been

whole disk en

crypted but now cannot be decrypted.

Audience

This User's Guide is for anyone who is going to be using PGP Whole Disk
Encryption for Linux to perform PGP WDE functions on their Linux system.

System Requirements

The system requirements for PGP Whole Disk Encryption for Linux are:

 Ubuntu 8.04 and 9.04 (32-bit versions) and Red Hat Enterprise

Linux/CentO

S 5.2 and 5.3 (32-bit versions), Ubuntu 8.04 and 9.04 (64-bit

versions), Red Hat Enterprise Linux 5.2 and 5.3 (64-bit versions)

Note: CentOS is free, open source software based on Red Hat Enterprise

Linux. For the purposes of supporting PGP Whole Disk Encryption for Linux,
the two are functionally equivalent.

 512 MB of RAM
 64 MB ha

rd disk space

Using PGP Whole Disk Encryption for Linux in a PGP Universal Server-Managed Environment

If you are using PGP Whole Disk Encryption for Linux in a PGP Universal Server­managed environment, your PGP Universal administrator may have enabled or
disabled certain features. For example, you may be required to encrypt your
drive immediately after enrolling with your PGP Universal Server.

3

PGP WDE for Linux User's Guide Introduction

If you have any questions about features that may be have been automatically
enabled or disabled, contact your PGP Universal administrator.

4

2

Installing

Installing and Uninstalling

This section describes how to install and uninstall PGP Whole Disk Encryption
for Linux.

In This Chapter

Installing..................................................................................................... 5

Uninstalling ................................................................................................ 6

The PGP Whole Disk Encryption for Linux installer is a bsx (Bash Self-eXtracting)
file.

You must have root privileges to install.

Note: The installer file may have a slightly different filename than shown in

the procedure below depending on the platform you are installing onto.

 To install PGP Whole Disk Encryption for Linux

1 Download the installer file, called

pgp_desktop_10.0.1_linux_ub9.04_i386.bsx for U
known lo

2 Begin the installa

3 Follow the on-screen instru
4 Reboot your

cation on your system.

tion process using either of the following methods:

a Make the file an executable (using chmod +x [filename]),

then use

or

b Begin the installation via a shell: bash [filename] Enter

system when the installation is complete.

./[filename] Enter to begin the installation.

ctions.

buntu 9.04, to a

5

PGP WDE for Linux User's Guide Installing and Uninstalling

Uninstalling

Use the built-in uninstaller for the version of Linux you are using to uninstall
PGP Whole Disk Encryption for Linux. You must have root privileges to
uninstall.

Warning: You must decrypt any whole disk encrypted drives before

uninstalling PGP Whole Disk Encryption for Linux or removing any packages.

The packages that are installed are: pgp-libs, pgpwde, pgp-release, and kmod­pgpwde.

6

3

Licensing

This section describes how to license PGP Whole Disk Encryption for Linux.

You must license PGP Whole Disk Encryption for Linux if you are using it
standalone; that is, yo

ironment.

env

You do not need to enroll PGP Whole Disk Encryption for Linux if you are using
it standalone;
environments.

Note: As PGP Whole Disk Encryption for Linux will not operate normally until

licensed, you should license it immediately after installation.

that is only required for PGP Universal Server-managed

u are not in a PGP Universal Server-managed

Overview

In This Chapter

Overview ................................................................................................... 7

--license-authorize...................................................................................... 8

Licensing via a Proxy Server...................................................................... 8

PGP Whole Disk Encryption for Linux requires a valid license to operate. This
section describes how to license your copy of PGP Whole Disk Encryption for
Linux.

PGP Whole Disk Encryption for Linux supports the following licensing
scenari

 Using a License Number. Th

 Through a Proxy Server

os:

is is the normal method to license PGP Whole
Disk Encrypti
working connection to the Internet.

server, use this method to license PGP Whole Disk Encryption for Linux.
You must have your license information and the appropriate proxy server
information.

on for Linux. You must have your license information and a

. If you connect to the Internet through a proxy

The licensing command is --license-authorize.

Once PGP Whole Disk Encryption for Linux is correctly installed and licensed on
your

system, you can encrypt your drive. See The Encryption Process for

complete information.

7

PGP WDE for Linux User's Guide Licensing

--license-authorize

Use --license-authorize to license PGP Whole Disk EncryptionLinux.

The usage format is:

pgpwde --license-authorize --license-name <name> -­license-number <number> [--license-email
<emailaddress>] [--license-organization <org>]

Where:

 --license-authorize is the command to license PGP Whole Disk

Encryption for Linu

 --license-name is the option to specify the user.

<name> is your name or a descriptive name.

 --license-number is the option to enter a license number.

<number> is a valid license number for PGP Whole Disk Encryption for

Linu

x.

x.

 --license-email is the

<emailaddress> is a valid email address.

 --license-organization is the option to enter an organization.

<org> is the name of your organization.

If you decide not to enter a license email, you may see a warning message but
your license

will authorize.

Example:

pgpwde --license-authorize --license-name "Alice
Cameron"

--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"

--license-email "acameron@example.com

--license-organization "Example Corporation"

(When entering this text, it all goes on a single line.)

Licensing via a Proxy Server

If the Internet access of the system hosting PGP Whole Disk Encryption for
Linux is via an HTTP proxy connection, you can still license your copy of PGP
Whole Disk Encryption for Linux directly; you simply need to add the necessary
proxy information.

option to enter an email address.

"

Use --license-authorize to license PGP Whole Disk Encryption for Linux
via a prox

y server.

8

PGP WDE for Linux User's Guide Licensing

The usage format is:

pgpwde --license-authorize --license-name <name> -­license-number <number> [--license-email
<emailaddress>] [--license-organization <org>] [-­proxy-server <proxyserver>] [--proxy-username
<proxyusername>] [--proxy-passphrase <proxypass>]

Where:

 --license-authorize is the command to license PGP Whole Disk

Encryption for Linu

x.

 --license-name is the option to specify the user.

<name> is your name or a descriptive name.

 --license-number is the option to enter a license number.

<number> is a valid license number for PGP Whole Disk Encryption for

Linu

x.

 --license-email is the

option to enter an email address.

<emailaddress> is a valid email address.

 --license-organization is the option to enter an organization.

<org> is the name of your organization.

 --proxy-server is the command to go through a proxy server to access

the Internet.

<proxyserver> is the

appropriate proxy server.

 --proxy-username is the command to specify a user on the proxy server

when authentication

is required.

<proxyusername> is a valid username on the specified proxy server.

 --proxy-passphrase is the option to specify the passphrase of the

speci

fied user when authentication is required.

<proxypass> is the passphrase for the specified user on the proxy server.

Example:

pgpwde --license-authorize --license-name "Alice
Cameron"

--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"

--license-email "acameron@example.com

"

--license-organization "Example Corporation"

--proxy-server "proxyserver.example.com"

--proxy-username "acameron"

--proxy-passphrase 'a_cameron1492sailedblue'

(When entering this text, it all goes on a single line.)

9

4

Enrolling

This section describes how to enroll PGP Whole Disk Encryption for Linux.

You must enroll PGP Whole Disk Encryption for Linux if you are using it in a
PGP Universal Server-managed environm

ent.

Overview

You do not need to license PGP Whole Disk Encryption for Linu
Universal Server-managed environment, as the license is included in the
installer.

Note: As PGP Whole Disk Encryption for Linux will not operate normally until
you enroll, you should enroll immediately after installation.

x in a PGP

In This Chapter

Overview ................................................................................................. 11

--enroll ...................................................................................................... 12

--check-enroll............................................................................................ 13

You must enroll with a PGP Universal Server before you can use any PGP
Whole Disk Encryption for Linux features in a PGP Universal Server-managed
environment.

When enrollment is complete, PGP Whole Disk Encryption for Linux will receive
policies and setti
to the PGP Universal Server that can be seen by the PGP Universal
administrator.

ngs from its PGP Universal Server. It will also send information

Note: You must initiate enrollment on your own. You will not be prompted to

do so.

Enrollment uses LDAP credentials. The username and passphrase required for
both enrolling and checking enrollment status are the username and passphrase
of the user on the LDAP server.

If enrollment is unsuccessful, contact your
assistance.

11

PGP Universal administrator for

PGP WDE for Linux User's Guide Enrolling

You can check the enrollment status of a client using the --check-enroll
command. When successful, this command will note that the client is enrolled
and will download the latest policies and settings. If unsuccessful, this means
that the client must enroll again because of a change of policies or settings on
the PGP Universal Server.

--enroll

Once PGP Whole Disk Encryption for Linux is co

rrectly installed on your system
and you have enrolled, you can encrypt your drive. Refer to The Encryption
Process for complete information.

Use --enroll to enroll PGP Whole Disk Encryption for Linux.

Entering a username and passphrase on the command line are op

tional. If you

do not enter them, you will be prompted for them.

Note: --enroll is preceded by pgpenroll instead of the usual pgpwde.

The usage format is:

pgpenroll --enroll [--username <user>] [--passphrase
<phrase>]

Where:

 --enroll is the command to enroll with a PGP Universal Server.
 --username specifies a username for an operation (optional).

<user> is the username (on the LDAP server) of the user being enrolled.

 --passphrase specifies the passphrase for an operation (optional).

<phrase> is the passphrase (on the LDAP server) of the user being

enrolled.

Examples:

 pgpenroll --enroll --username "Alice Cameron"

--passphrase 'Frodo@Baggins22'

This example shows user Alice Cameron enrolling PGP Whole Disk
Encrypti

on for Linu

x. The username and passphrase she is using are her

credentials on her organization's LDAP server.

 pgpenroll --enroll

This example shows a user enrolling PGP Whole

Disk Encryptio

n for Linux.
Because the username and passphrase are not supplied on the command
line, the enrolling user will be prompted for them.

12

PGP WDE for Linux User's Guide Enrolling

--check-enroll

Use --check-enroll to check the enrollment status of a client.

Note: --check-enroll is preceded by pgpenroll instead of the usual

pgpwde.

If the enrollment check fails, contact your PGP Universal administrator for
instructions.

The usage format is:

pgpenroll --check-enroll [--username <user>]
[--passphrase <phrase>]

Where:

 --enroll is the command to check the enrollment status of a client.
 --username specifies a username (on the LDAP server) for an operation.

<user> is the username of the user whose enrollment status is being
che

 --passphrase specifies the passphrase for an operation.

<phrase> is the passphrase (on the LDAP server) of the user whose

enrollment status is

Example:

pgpenroll --check-enroll --username "Alice Cameron"

--passphrase 'Frodo@Baggins22'

This example shows the enrollment status of Alice Cameron bei
checked.

cked.

being checked.

ng

13

The Command-Line

5

Overview

Interface

This section describes the command-line interface used by PGP Whole Disk
Encryption for Linux .

In This Chapter

Overview ................................................................................................. 15

Scripting................................................................................................... 16

WDE-ADMIN Active Directory Group...................................................... 16

Passphrase

--interactive .............................................................................................. 17

PGP Whole Disk Encryption for Linux uses a command-line interface.

s............................................................................................. 16

Note: Versions of PGP Whole Disk Encryption for other platforms support

both a graphical user interface and a command line interface. PGP Whole
Disk Encryption for Linux has only a command-line interface.

You enter a valid command at the command prompt and press Enter. PGP
Whole Disk Encryption for Linux responds based on what you entered: with
success (if you entered a valid command) or with an error message (if you
entered an invalid or incorrectly structured command).

All PGP Whole Disk Encryption for Linux commands have a long form: the text
"pgpwde", a space, two h
appr

opriate).

For example:

$pgpwde --help [Enter]

is the command to display the built-in help information. It has no options.

(The command prompt, $ in the above example, and [Enter] will no longer be
shown in e

A few commands also have a short form: either one hyphen and then a single
letter or two

For example:

xamples; only the necessary commands and options will be shown.)

hyphens and two letters.

yphens "

15

--", the command name, and options (if

PGP WDE for Linux User's Guide The Command-Line Interface

-h for help instead of --help

--aa for administrative authorization instead of --admin­authorization

You can mix long forms and short forms in a single command.

Short forms are noted w

re appropriate.

he

Scripting

PGP Whole Disk Encryption for Linux commands can easily be inserted into
scripts for automating common tasks, such as encrypting a disk or getting
information about an encrypted disk.

PGP Whole Disk Encryption for Linux commands can easily be added to scripts
written with scrip

ting languages such as Perl or Python.

WDE-ADMIN Active Directory Group

If you are an administrator of PGP Whole Disk Encryption for Linux clients in a
PGP Universal environment and using Active Directory, you can create a special
Active Directory group to allow you to run commands on your managed PGP
Whole Disk Encryption for Linux clients without knowing the passphrase of a
user on the encrypted disk.

This special Active Directory group, which must be called WDE-ADMIN, must
be a security gro

up, not a distribution group.

Passphrases

Using the --admin-authorization option is useful for running
administrative tasks in

an enterprise.

Refer to the PGP Universal Administrator's Guide for more information about
creating and using th

e WDE-ADMIN Active Directory group.

For consistency, all example passphrases in this guide are shown in single
quotation marks ('). Putting passphrases between single quotation marks
ensures that reserved characters and spaces are interpreted correctly.

If you do not use any reserved characters or spaces in

your passphrases, then

you do not have to enclose them in single quotation marks.

On Windows systems, for example, if you have

a space in a passphrase, you
must enclose the passphrase in single or double quotation marks when you
enter it. Also, double quotation marks (") as part of the passphrase must be
escaped with a preceding double quotation mark.

16

PGP WDE for Linux User's Guide The Command-Line Interface

For example, if you want to use

Thomas "Stonewall" Jackson

as your passphrase, you would have to enter it as

'Thomas ""Stonewall"" Jackson'

on the command line. You need the quotation marks at the beginning and end
for

aces and you need to escape each double quotation mark used in the

the sp

passphrase with another double quotation mark.

Note: If you are having problems entering certain characters in your

passphrases, check the information about how to handle reserved characters
for the operating system or shell interpreter you are using.

--interactive

You can use --interactive whenever you could use a command that
requires a passphrase be entered on the command line. If you do, you will be
prompted to enter a valid passphrase on a separate line.

Using --interactive makes using PGP Whole Disk Encryption for Linux
more secure by pre
command line. When you use

venting passphrases from being entered in the clear on the

--interactive, the characters you enter are

not displayed.

Note: --interactive is also used in a different way when configuring local

self recovery. See Local Self Recovery for more information.

17

6

Before You Encrypt

When you encrypt an entire disk using PGP Whole Disk Encryption for Linux,
every sector is encrypted using a symmetric key. This includes all files including
operating system files, application files, data files, swap files, free space, and
temp files.

On subsequent reboots, PGP Whole Disk Encryption for Linux prompts you for
the correc
Whole Disk Encryption for Linux-encrypted disk (after you enter the correct
passphrase at the PGP BootGuard screen), your files are available. When you
shut down your system, the disk is protected against use by others.

Before encrypting your disk with PGP Whole Disk Encryption for Linux, there
are some im

t passphrase. As long as you correctly authenticate to your PGP

portant things to do:

 Ensure the heal
 Choose the encryption options to use.
 Make sure to maintain power throughout encryption.

In This Chapter

Ensure Disk Health .................................................................................. 19

Choose Encryption Options..................................................................... 20

Maintain Power Throughout Encryption.................................................. 20

Ensure Disk Health

PGP Corporation deliberately takes a conservative stance when encrypting
drives, to prevent loss of data. It is not uncommon to encounter Cyclic
Redundancy Check (CRC) errors while encrypting a hard disk.

If PGP Whole Disk Encryption for Linux encounters a hard drive or partition with
bad sectors, it will, by default, pause the encryption process. This pause allo
you to remedy the problem before continuing with the encryption process, thus
avoiding potential disk corruption and lost data.

th of the hard disk.

ws

To avoid disruption during encryption, PGP Corporati
start with a healthy disk by correcting any disk errors prior to encrypting.

As best practices, before you attempt to

19

encrypt your drive:

on recommends that you

PGP WDE for Linux User's Guide Before You Encrypt

 use a third-party scan disk utility that has the ability to perform a low-level

integrity check and repair any inconsistencies with the drive that could lead
to CRC errors.

Choose Encryption Options

There are several options you can use during the encryption process itself:

 --dedicated-mode: Uses maximum computer power to encrypt faster;

your

system is less responsive during encryption.

 --fast-mode: Skips unused sectors, so encryption of th
 --safe-mode: Allows encryption to be resumed without loss of data if

power is lo

st during encryption; encryption takes longer.

These options are also described with the --encrypt command.

Maintain Power Throughout Encryption

Because encryption is a CPU-intensive process, encryption cannot begin on a
laptop computer that is running on battery power. The computer must be on AC
power. Do no
process is over.

Regardless of the type of computer you
not lose power, or otherwise shut down unexpectedly, during the encryption
process, unless you use the

--safe-mode option, it is still better not to lose power during the encryption
p

ess.

roc

If loss of power during encryption is a possibility—or if you do not have an
uninterru

option.

mode

t remove the power cord from the system before the encryption

are workin

--safe-mode option. Even if you are using the

ptible power supply for your computer—be sure to use the --safe-

g with, yo

e disk is faster.

ur system must

20

7

The Encryption Process

This section describes the two methods for whole disk encrypting a drive.

In This Chapter

Overview ................................................................................................. 21

Using --secure.......................................................................................... 21

Using Individual Commands.................................................................... 22

Overview

Using --secure

To PGP Whole Disk Encrypt a drive requires several things: the drive must be
instrumented, there must be at least one authorized user on the drive, and the
drive must be encrypted.

There are two ways to PGP Whole Disk Encrypt a drive:

 using a single command, --secure: this one command does all three of

the abov
encrypts the drive. This command is most useful when you have just
installed PGP Whole Disk Encryption for Linux and thus have not
instrumented any drives, created any authorized users, or encrypted any
drives.

 using multiple commands: for scenarios where you do not need all three

things require
using individual commands, you can use
and finally

The --secure command instruments the drive, creates an authorized user,
and encrypts the drive, all using a single command.

e actions. It instruments the drive, creates an authorized user, and

d to PGP Whole Disk Encrypt at drive, or if you just prefer

--instrument, --add-user,

--encrypt

to PGP Whole Disk Encrypt a drive.

Note: PGP Whole Disk Encryption for Linux must be correctly installed and

licensed before you can use --secure.

Refer to Disk Operation for more information about the --secure command.

21

PGP WDE for Linux User's Guide The Encryption Process

 To PGP Whole Disk Encrypt a drive using a single command

1 Access a command p
2 Enter the text for the --secure command on a

For example:

pgpwde --secure --disk 0 --username "Alice Cameron"

--passphrase 'Frodo*1*Baggins22' --all --fast-mode

3 Press Enter. PGP Wh

Disk Encrypt the drive.

You can check the progress of the encryption process using the --status
command. Run the command
get larger as the encryption process continues.

Using Individual Commands

For scenarios where you do not need to instrument a drive, add a user, and
encrypt the drive all at the same time or if you just prefer using individual
commands, you can run the three needed commands individually.

The three commands and the order in which you need to run them are:

 --instrument: replaces the Linux MBR with the PGPMBR.

rompt on your system.

single line.

ole Disk Encryption for Linux begins to PGP Whole

and check the highwater mark; it will continue to

 --add-user: adds an authorized user to the drive.
 --encrypt: encrypts the drive.

 To PGP Who

le Disk En

1 Access a command p
2 Enter the text for the --instrument co

crypt a drive using individual commands

rompt on your system.

mmand on a single line, then

press Enter.

For e

xample:

pgpwde --instrument --disk 0

This example instruments the boot drive. You can use the --status
command to make sure the dri

3 Enter the text for the --add-user command o

ve was instrumented.

n a single line, then press

Enter.

For example:

pgpwde --add-user --disk 0 --username "Alice Cameron"

--passphrase 'Frodo@Baggins22'

This example adds a user named Alice Cameron to the boot drive. You can
use the --verify-user command to make sure the user was created.

22