PGP WDE for Linux
User's Guide
Version Information
PGP Whole Disk Encryption for Linux User's Guide. Version 10.1.2. Released March 2011.
Copyright Information
Copyright © 1991-2011 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of
Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant
Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a
registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered
trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and
Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple
Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm,
implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a
license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block
Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP
Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would
like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (https://support.pgp.com). PGP Corporation
may have patents and/or pending patent applications cov
documentation does not give you any license to these patents.
ering subject matter in this software or its documentation; the furnishing of this software or
Acknowledgments
This product includes or may include:
-- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with
developed by zlib (http://www.zlib.net
under the MIT License found at http://www.opensource.org/licenses/mit-license.html
freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. -- Application server (http://jakarta.apache.org/
server (http://www.apache.org/
HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt
binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group
under an Apache 2.0-style license, available at http://www.castor.org/license.html
Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software
License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1
Protocol") used for communications between various PGP products is provided under the Apache license found at
http://www.apache.org/licenses/LICENSE-2.0.txt
under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html
Independent JPEG Group. (http://www.ijg.org/
distributed under the MIT License http://www.opensource.org/licenses/mit-license.
distributed by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt
and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org
implementation of daemon developed by The FreeBSD Project, © 1994-2006. -- Simple Network Management Protocol Library developed and
copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. ©
2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and
Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html. -- NTP version
by Network Time Protocol and copyrighted to various contributors. -- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP
Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The
OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html
OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgi-
bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. -- PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released
under the BSD license. -- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at
http://www.opensource.org/licenses/ibmpl.php
BSD-style license, available at http://www.postgresql.org/about/licence
PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a
BSD-style license, available at http://jdbc.postgresql.org/license.html
database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence
version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. -
- JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the
GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html
is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and
the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and
Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html
downloading files via common network services, is open source software provided under a MIT/X derivate license available at
http://curl.haxx.se/docs/copyright.html
under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING
libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at
http://directory.fsf.org/libs/COPYING.DOC
to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at
). -- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted
. Copyright © 2007 by the Open Source Initiative. -- bzip2 1.0, a
), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse
. -- Xalan, an open-source software library from the Apache Software
. -- Apache Axis is an implementation of the SOAP ("Simple Object Access
. -- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released
) -- libxslt the XSLT C library developed for the GNOME project and used for XML transformations is
html. -- PCRE Perl regular expression compiler, copyrighted and
. -- PostgreSQL, a free software object-relational database management system, is released under a
. -- PostgreSQL JDBC driver, a free Java program used to connect to a
. -- PostgreSQL Regular Expression Library, a free software object-relational
. Copyright (c) 1996 - 2007, Daniel Stenberg. -- libuuid, a library used to generate unique identifiers, is released
. Copyright © 2000-2003 Free Software Foundation, Inc. -- gSOAP, a development tool for Windows clients
permission from the free Info-ZIP implementation,
), web
. -- Castor, an open-source, data-
. -- jpeglib version 6a is based in part on the work of the
. -- BIND Balanced Binary Tree Library
) -- Free BSD
4.2 developed
. Secure shell OpenSSH developed by
. -- 21.vixie-cron is the Vixie
. Copyright © 2006 The JacORB Project. -- TAO (The ACE ORB)
. -- libcURL, a library for
. Copyright (C) 1996, 1997 Theodore Ts'o. --
http://www.cs.fsu.edu/~engelen/license.html. -- Windows Template Library (WTL) is used for developing user interface components and is distributed
under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php
automate a variety of maintenance functions and is provided under the Perl Artistic License, found at
http://www.perl.com/pub/a/language/misc/Artistic.html
rendering, and alpha blending, and is distributed under the license found at
http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/L
reserved. -- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public
License (LGPL) found at http://www.gnu.org/licenses/lgpl.html
Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at http://developer.yahoo.com/yui/license.html. --
JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the
Apache 2.0 license, available at http://json-lib.sourceforge.net/license.html
available at http://ezmorph.sourceforge.net/license.html
available at http://commons.apache.org/license.html
available at http://commons.apache.org/license.html
common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at
http://www.opensource.org/licenses/mit-license.html. Copyright 2006-2008
Standard Template Library functions and data structures and is distributed under the MIT License found at http://www.opensource.org/licenses/mit-
license.html. Copyright (c) 2005-2009 by Mike Sharov <msharov@users.sourceforge.net>. -- Protocol Buffers (protobuf), Google's data interchange
format, are used to serialize structure data in the PGP SDK. Distributed under the BSD license found at http://www.opensource.org/licenses/bsd-
license.php. Copyright 2008 Google Inc. All rights reserved.
Additional acknowledgements and legal notices are included as part of the PGP Universal Server.
. -- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text
ICENSE.txt?revision=288. Copyright (c) 2006 Christoph Pfisterer. All rights
. -- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX.
. -- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license,
. -- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license,
. -- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license,
. -- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a
, Brodie Thiesfield. -- uSTL provides a small fast implementation of common
. -- The Perl Kit provides several independent utilities used to
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau
of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided
with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets
your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be
made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
Unsupported Third Party Products
By utilizing third party products, software, drivers, or other components ("Unsupported Third Party Product") to interact with the PGP software and/or by
utilizing any associated PGP command or code provided by to you by PGP at its sole discretion to interact with the Unsupported Third Party Product
("PGP Third Party Commands"), you acknowledge that the PGP software has not been designed for or formally tested with the Unsupported Third Party
Product, and therefore PGP provides no support or warranties with respect to the PGP Third Party Commands or the PGP software's compatibility with
Unsupported Third Party Products. THE PGP THIRD PARTY COMMANDS ARE PROVIDED "AS IS," WITH ALL FAULTS, AND THE ENTIRE RISK AS TO
SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, PGP DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY
WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, QUIET
ENJOYMENT, AND ACCURACY WITH RESPECT TO THE PGP THIRD PARTY COMMANDS OR THE PGP SOFTWARE'S COMPATIBILITY WITH THE
UNSUPPORTED THIRD PARTY PRODUCT.
Contents
Introduction 1
About PGP Whole Disk Encryption for Linux 1
Important Terms 2
Audience 3
System Requirements 3
Using PGP Whole Disk Encryption for Linux in a PGP Universal Server-Managed Environment 3
Installing and Uninstalling 5
Installing 5
Uninstalling 6
Licensing 7
Overview 7
--license-authorize 8
Licensing via a Proxy Server 8
Enrolling 11
Overview 11
--enroll 12
--check-enroll 13
The Command-Line Interface 15
Overview 15
Scripting 16
WDE-ADMIN Active Directory Group 16
Passphrases 16
--interactive 17
Before You Encrypt 19
Ensure Disk Health 19
Choose Encryption Options 20
Maintain Power Throughout Encryption 20
i
PGP WDE for Linux User's Guide Contents
The Encryption Process 21
Overview 21
Using --secure 21
Using Individual Commands 22
The PGP BootGuard Screen 25
Overview 25
Authenticating 26
Authenticating if You Have Forgotten Your Passphrase 27
Choosing a Keyboard 28
Generic Commands 29
--help (-h) 29
--version 30
Disk Information Commands 31
--enum 31
--info 32
--show-config 33
--status 33
Boot Bypass Commands 35
--add-bypass 35
--check-bypass 37
--remove-bypass 37
Disk Operation 39
--decrypt 39
--encrypt 40
--resume 41
--secure 42
--stop 43
Disk Management 45
--auth 45
--instrument 46
--uninstrument 46
ii
PGP WDE for Linux User's Guide Contents
User Management Commands 49
--add-user 49
--change-passphrase 50
--change-userdomain 51
--list-user 52
--remove-user 53
--verify-user 53
PGP BootGuard Customization Commands 55
--set-background 55
--set-language 56
--set-sound 57
--set-start 58
--set-text 59
Recovery Token Commands 61
--new-wdrt 61
Local Self Recovery 63
--recovery-configure 64
--recovery-questions 65
--recovery-verify 66
--recovery-remove 67
--recovery-change-passphrase 67
Authenticating if you Have Forgotten Your Passphrase 68
Options 71
Overview 72
"Secure" Options 74
--admin-authorization 74
--admin-passphrase 74
--all 75
--answers-file 75
--auto-start 75
--beep 75
--count 76
--dedicated-mode 76
--disk (-d) 76
--display 77
--domain-name 77
--fast-mode 77
--image 78
--interactive 78
iii
PGP WDE for Linux User's Guide Contents
--keyboard 78
--keyid 78
--license-email 79
--license-name 79
--license-number 79
--license-organization 80
--message 80
--new-domain 80
--new-passphrase 81
--no-beep 81
--partition 81
--passphrase (-p) 82
--questions-file 82
--recovery-token 82
--safe-mode 83
--username 83
Quick Reference 85
Commands 85
Options 87
Troubleshooting 89
Overview 89
Encryption Does Not Begin 89
Encryption Does Not Finish 91
Problems at PGP BootGuard 92
iv
1
Introduction
This guide tells you how to use PGP Whole Disk Encryption for Linux.
In This Chapter
About PGP Whole Disk Encryption for Linux ............................................ 1
Important Terms........................................................................................ 2
Audience.................................................................................................... 3
System Requirements ............................................................................... 3
Using PGP Whole Disk Encryption for Linux in a PGP Universal ServerManaged Environme
nt .............................................................................. 3
About PGP Whole Disk Encryption for Linux
Thank you for using PGP Whole Disk Encryption for Linux, a software product
from PGP Corporation that locks down the entire contents of your Linux system
using PGP Whole Disk Encryption (WDE) technology.
For more information about PGP WDE, see the:
PGP Desktop User's Guide
PGP WDE Quick Start Guide
PGP WDE Data Sheet (available via the PGP WDE page on the PGP
Co
oration website)
rp
PGP Whole Disk Encryption for Linux gives you access to PGP WDE
onality using a command-line interface.
functi
The encryption algorithm used by PGP Whole Disk Encryption for Linux is AES-
256. The hashing algo
Warning: Once you unlock a disk, its files are available to you—as well as
anyone else who can physically use your system. Your files are unlocked until
you lock them again by shutting down your system.
rithm is SHA-1. You cannot change these.
1
PGP WDE for Linux User's Guide Introduction
Important Terms
Understanding the following terms will help make it easier to use PGP Whole
Disk Encryption for Linux:
PGP Whole Disk Encryption (PGP WDE): a technology that encrypts the
entire con
USB thumb drives can all be whole disk encrypted.
PGP Whole Disk Encryption for Linux: a software product from PGP
Corporatio
allowing you to lock down the entire contents of your Linux system.
command line: the interface to PGP Whole Disk Encryption for Linux
functi
options are accessed via the command-line interface.
passphrase user: a user who can authenticate to an encrypted disk using
a passphra
public-key user: a user who can authenticate to an encrypted disk using
the passphrase to the
tents of a disk; boot disks, partitions, and non-boot disks such as
n that brings PGP WDE technology to the Linux platform,
onality. All PGP Whole Disk Encryption for Linux commands and
se.
corresponding private key.
encrypt: the process of "scrambling" data so that it is not usable unless you
perly authenticate.
pro
decrypt: the process of "unscrambling" encrypted data.
master boot record (MBR): software on a disk that is "in front" of the
parti
tion table; that is, it is implemented during the startup process before
the operating system itself. The instructi
ons in the MBR tells the system
how to boot.
instrument: a part of the process of whole disk encrypting a disk/partition
where th
e Linux
MBR is replaced with the PGPMBR.
PGPMBR: an MBR from PGP Corporation that implements the PGP
BootGuard. Once a disk is i
nstrumented, even if it is not fully encrypted,
subsequent startups will bring up PGP BootGuard.
PGP BootGuard: the screen that appears after instrumenting a disk that
requires
authentication is
operating system will not lo
proper authentication for the boot process to continue. If proper
not provided, the boot process will not continue; the
ad and the system will not be usable.
uninstrument: removing the PGPMBR and replacing it with the original
Linux MBR (which was saved when the
disk was instrumented).
whole disk recovery token (WDRT): an additional passphrase for a whole
disk encrypte
d disk that is passed to the appropriate PGP Universal Server
if the disk is part of a PGP Universal-managed environment.
PGP Universal Server: a management console for securing data from PGP
Corporation.
2
PGP WDE for Linux User's Guide Introduction
managed user: someone using PGP Whole Disk Encryption for Linux in a
PGP Universal Server-managed environment. Managed users receive
policies and settings from their PGP Universal Server.
enroll: the process of a user in a PGP Universal Server-managed
nment contacting their PGP Universal Server so that they can receive
enviro
applicable policies and settings.
standalone user: someone using PGP Whole Disk Encryption for Linux
with no asso
ciated PGP Universal Server. Standalone users establish their
own policies and settings.
recovery: the process of restoring access to a disk/partition that has been
whole disk en
crypted but now cannot be decrypted.
Audience
This User's Guide is for anyone who is going to be using PGP Whole Disk
Encryption for Linux to perform PGP WDE functions on their Linux system.
System Requirements
The system requirements for PGP Whole Disk Encryption for Linux are:
Ubuntu 8.04 and 9.04 (32-bit versions) and Red Hat Enterprise
Linux/CentO
S 5.2 and 5.3 (32-bit versions), Ubuntu 8.04 and 9.04 (64-bit
versions), Red Hat Enterprise Linux 5.2 and 5.3 (64-bit versions)
Note: CentOS is free, open source software based on Red Hat Enterprise
Linux. For the purposes of supporting PGP Whole Disk Encryption for Linux,
the two are functionally equivalent.
512 MB of RAM
64 MB ha
rd disk space
Using PGP Whole Disk Encryption for Linux in a PGP Universal Server-Managed Environment
If you are using PGP Whole Disk Encryption for Linux in a PGP Universal Servermanaged environment, your PGP Universal administrator may have enabled or
disabled certain features. For example, you may be required to encrypt your
drive immediately after enrolling with your PGP Universal Server.
3
PGP WDE for Linux User's Guide Introduction
If you have any questions about features that may be have been automatically
enabled or disabled, contact your PGP Universal administrator.
4
2
Installing
Installing and Uninstalling
This section describes how to install and uninstall PGP Whole Disk Encryption
for Linux.
In This Chapter
Installing..................................................................................................... 5
Uninstalling ................................................................................................ 6
The PGP Whole Disk Encryption for Linux installer is a bsx (Bash Self-eXtracting)
file.
You must have root privileges to install.
Note: The installer file may have a slightly different filename than shown in
the procedure below depending on the platform you are installing onto.
To install PGP Whole Disk Encryption for Linux
1 Download the installer file, called
pgp_desktop_10.0.1_linux_ub9.04_i386.bsx for U
known lo
2 Begin the installa
3 Follow the on-screen instru
4 Reboot your
cation on your system.
tion process using either of the following methods:
a Make the file an executable (using chmod +x [filename]),
then use
or
b Begin the installation via a shell: bash [filename] Enter
system when the installation is complete.
./[filename] Enter to begin the installation.
ctions.
buntu 9.04, to a
5
PGP WDE for Linux User's Guide Installing and Uninstalling
Uninstalling
Use the built-in uninstaller for the version of Linux you are using to uninstall
PGP Whole Disk Encryption for Linux. You must have root privileges to
uninstall.
Warning: You must decrypt any whole disk encrypted drives before
uninstalling PGP Whole Disk Encryption for Linux or removing any packages.
The packages that are installed are: pgp-libs, pgpwde, pgp-release, and kmodpgpwde.
6
3
Licensing
This section describes how to license PGP Whole Disk Encryption for Linux.
You must license PGP Whole Disk Encryption for Linux if you are using it
standalone; that is, yo
ironment.
env
You do not need to enroll PGP Whole Disk Encryption for Linux if you are using
it standalone;
environments.
Note: As PGP Whole Disk Encryption for Linux will not operate normally until
licensed, you should license it immediately after installation.
that is only required for PGP Universal Server-managed
u are not in a PGP Universal Server-managed
Overview
In This Chapter
Overview ................................................................................................... 7
--license-authorize...................................................................................... 8
Licensing via a Proxy Server...................................................................... 8
PGP Whole Disk Encryption for Linux requires a valid license to operate. This
section describes how to license your copy of PGP Whole Disk Encryption for
Linux.
PGP Whole Disk Encryption for Linux supports the following licensing
scenari
Using a License Number. Th
Through a Proxy Server
os:
is is the normal method to license PGP Whole
Disk Encrypti
working connection to the Internet.
server, use this method to license PGP Whole Disk Encryption for Linux.
You must have your license information and the appropriate proxy server
information.
on for Linux. You must have your license information and a
. If you connect to the Internet through a proxy
The licensing command is --license-authorize.
Once PGP Whole Disk Encryption for Linux is correctly installed and licensed on
your
system, you can encrypt your drive. See The Encryption Process for
complete information.
7
PGP WDE for Linux User's Guide Licensing
--license-authorize
Use --license-authorize to license PGP Whole Disk EncryptionLinux.
The usage format is:
pgpwde --license-authorize --license-name <name> -license-number <number> [--license-email
<emailaddress>] [--license-organization <org>]
Where:
--license-authorize is the command to license PGP Whole Disk
Encryption for Linu
--license-name is the option to specify the user.
<name> is your name or a descriptive name.
--license-number is the option to enter a license number.
<number> is a valid license number for PGP Whole Disk Encryption for
Linu
x.
x.
--license-email is the
<emailaddress> is a valid email address.
--license-organization is the option to enter an organization.
<org> is the name of your organization.
If you decide not to enter a license email, you may see a warning message but
your license
will authorize.
Example:
pgpwde --license-authorize --license-name "Alice
Cameron"
--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"
--license-email "acameron@example.com
--license-organization "Example Corporation"
(When entering this text, it all goes on a single line.)
Licensing via a Proxy Server
If the Internet access of the system hosting PGP Whole Disk Encryption for
Linux is via an HTTP proxy connection, you can still license your copy of PGP
Whole Disk Encryption for Linux directly; you simply need to add the necessary
proxy information.
option to enter an email address.
"
Use --license-authorize to license PGP Whole Disk Encryption for Linux
via a prox
y server.
8
PGP WDE for Linux User's Guide Licensing
The usage format is:
pgpwde --license-authorize --license-name <name> -license-number <number> [--license-email
<emailaddress>] [--license-organization <org>] [-proxy-server <proxyserver>] [--proxy-username
<proxyusername>] [--proxy-passphrase <proxypass>]
Where:
--license-authorize is the command to license PGP Whole Disk
Encryption for Linu
x.
--license-name is the option to specify the user.
<name> is your name or a descriptive name.
--license-number is the option to enter a license number.
<number> is a valid license number for PGP Whole Disk Encryption for
Linu
x.
--license-email is the
option to enter an email address.
<emailaddress> is a valid email address.
--license-organization is the option to enter an organization.
<org> is the name of your organization.
--proxy-server is the command to go through a proxy server to access
the Internet.
<proxyserver> is the
appropriate proxy server.
--proxy-username is the command to specify a user on the proxy server
when authentication
is required.
<proxyusername> is a valid username on the specified proxy server.
--proxy-passphrase is the option to specify the passphrase of the
speci
fied user when authentication is required.
<proxypass> is the passphrase for the specified user on the proxy server.
Example:
pgpwde --license-authorize --license-name "Alice
Cameron"
--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"
--license-email "acameron@example.com
"
--license-organization "Example Corporation"
--proxy-server "proxyserver.example.com"
--proxy-username "acameron"
--proxy-passphrase 'a_cameron1492sailedblue'
(When entering this text, it all goes on a single line.)
9
4
Enrolling
This section describes how to enroll PGP Whole Disk Encryption for Linux.
You must enroll PGP Whole Disk Encryption for Linux if you are using it in a
PGP Universal Server-managed environm
ent.
Overview
You do not need to license PGP Whole Disk Encryption for Linu
Universal Server-managed environment, as the license is included in the
installer.
Note: As PGP Whole Disk Encryption for Linux will not operate normally until
you enroll, you should enroll immediately after installation.
x in a PGP
In This Chapter
Overview ................................................................................................. 11
--enroll ...................................................................................................... 12
--check-enroll............................................................................................ 13
You must enroll with a PGP Universal Server before you can use any PGP
Whole Disk Encryption for Linux features in a PGP Universal Server-managed
environment.
When enrollment is complete, PGP Whole Disk Encryption for Linux will receive
policies and setti
to the PGP Universal Server that can be seen by the PGP Universal
administrator.
ngs from its PGP Universal Server. It will also send information
Note: You must initiate enrollment on your own. You will not be prompted to
do so.
Enrollment uses LDAP credentials. The username and passphrase required for
both enrolling and checking enrollment status are the username and passphrase
of the user on the LDAP server.
If enrollment is unsuccessful, contact your
assistance.
11
PGP Universal administrator for
PGP WDE for Linux User's Guide Enrolling
You can check the enrollment status of a client using the --check-enroll
command. When successful, this command will note that the client is enrolled
and will download the latest policies and settings. If unsuccessful, this means
that the client must enroll again because of a change of policies or settings on
the PGP Universal Server.
--enroll
Once PGP Whole Disk Encryption for Linux is co
rrectly installed on your system
and you have enrolled, you can encrypt your drive. Refer to The Encryption
Process for complete information.
Use --enroll to enroll PGP Whole Disk Encryption for Linux.
Entering a username and passphrase on the command line are op
tional. If you
do not enter them, you will be prompted for them.
Note: --enroll is preceded by pgpenroll instead of the usual pgpwde.
The usage format is:
pgpenroll --enroll [--username <user>] [--passphrase
<phrase>]
Where:
--enroll is the command to enroll with a PGP Universal Server.
--username specifies a username for an operation (optional).
<user> is the username (on the LDAP server) of the user being enrolled.
--passphrase specifies the passphrase for an operation (optional).
<phrase> is the passphrase (on the LDAP server) of the user being
enrolled.
Examples:
pgpenroll --enroll --username "Alice Cameron"
--passphrase 'Frodo@Baggins22'
This example shows user Alice Cameron enrolling PGP Whole Disk
Encrypti
on for Linu
x. The username and passphrase she is using are her
credentials on her organization's LDAP server.
pgpenroll --enroll
This example shows a user enrolling PGP Whole
Disk Encryptio
n for Linux.
Because the username and passphrase are not supplied on the command
line, the enrolling user will be prompted for them.
12
PGP WDE for Linux User's Guide Enrolling
--check-enroll
Use --check-enroll to check the enrollment status of a client.
Note: --check-enroll is preceded by pgpenroll instead of the usual
pgpwde.
If the enrollment check fails, contact your PGP Universal administrator for
instructions.
The usage format is:
pgpenroll --check-enroll [--username <user>]
[--passphrase <phrase>]
Where:
--enroll is the command to check the enrollment status of a client.
--username specifies a username (on the LDAP server) for an operation.
<user> is the username of the user whose enrollment status is being
che
--passphrase specifies the passphrase for an operation.
<phrase> is the passphrase (on the LDAP server) of the user whose
enrollment status is
Example:
pgpenroll --check-enroll --username "Alice Cameron"
--passphrase 'Frodo@Baggins22'
This example shows the enrollment status of Alice Cameron bei
checked.
cked.
being checked.
ng
13
The Command-Line
5
Overview
Interface
This section describes the command-line interface used by PGP Whole Disk
Encryption for Linux .
In This Chapter
Overview ................................................................................................. 15
Scripting................................................................................................... 16
WDE-ADMIN Active Directory Group...................................................... 16
Passphrase
--interactive .............................................................................................. 17
PGP Whole Disk Encryption for Linux uses a command-line interface.
s............................................................................................. 16
Note: Versions of PGP Whole Disk Encryption for other platforms support
both a graphical user interface and a command line interface. PGP Whole
Disk Encryption for Linux has only a command-line interface.
You enter a valid command at the command prompt and press Enter. PGP
Whole Disk Encryption for Linux responds based on what you entered: with
success (if you entered a valid command) or with an error message (if you
entered an invalid or incorrectly structured command).
All PGP Whole Disk Encryption for Linux commands have a long form: the text
"pgpwde", a space, two h
appr
opriate).
For example:
$pgpwde --help [Enter]
is the command to display the built-in help information. It has no options.
(The command prompt, $ in the above example, and [Enter] will no longer be
shown in e
A few commands also have a short form: either one hyphen and then a single
letter or two
For example:
xamples; only the necessary commands and options will be shown.)
hyphens and two letters.
yphens "
15
--", the command name, and options (if
PGP WDE for Linux User's Guide The Command-Line Interface
-h for help instead of --help
--aa for administrative authorization instead of --adminauthorization
You can mix long forms and short forms in a single command.
Short forms are noted w
re appropriate.
he
Scripting
PGP Whole Disk Encryption for Linux commands can easily be inserted into
scripts for automating common tasks, such as encrypting a disk or getting
information about an encrypted disk.
PGP Whole Disk Encryption for Linux commands can easily be added to scripts
written with scrip
ting languages such as Perl or Python.
WDE-ADMIN Active Directory Group
If you are an administrator of PGP Whole Disk Encryption for Linux clients in a
PGP Universal environment and using Active Directory, you can create a special
Active Directory group to allow you to run commands on your managed PGP
Whole Disk Encryption for Linux clients without knowing the passphrase of a
user on the encrypted disk.
This special Active Directory group, which must be called WDE-ADMIN, must
be a security gro
up, not a distribution group.
Passphrases
Using the --admin-authorization option is useful for running
administrative tasks in
an enterprise.
Refer to the PGP Universal Administrator's Guide for more information about
creating and using th
e WDE-ADMIN Active Directory group.
For consistency, all example passphrases in this guide are shown in single
quotation marks ('). Putting passphrases between single quotation marks
ensures that reserved characters and spaces are interpreted correctly.
If you do not use any reserved characters or spaces in
your passphrases, then
you do not have to enclose them in single quotation marks.
On Windows systems, for example, if you have
a space in a passphrase, you
must enclose the passphrase in single or double quotation marks when you
enter it. Also, double quotation marks (") as part of the passphrase must be
escaped with a preceding double quotation mark.
16
PGP WDE for Linux User's Guide The Command-Line Interface
For example, if you want to use
Thomas "Stonewall" Jackson
as your passphrase, you would have to enter it as
'Thomas ""Stonewall"" Jackson'
on the command line. You need the quotation marks at the beginning and end
for
aces and you need to escape each double quotation mark used in the
the sp
passphrase with another double quotation mark.
Note: If you are having problems entering certain characters in your
passphrases, check the information about how to handle reserved characters
for the operating system or shell interpreter you are using.
--interactive
You can use --interactive whenever you could use a command that
requires a passphrase be entered on the command line. If you do, you will be
prompted to enter a valid passphrase on a separate line.
Using --interactive makes using PGP Whole Disk Encryption for Linux
more secure by pre
command line. When you use
venting passphrases from being entered in the clear on the
--interactive, the characters you enter are
not displayed.
Note: --interactive is also used in a different way when configuring local
self recovery. See Local Self Recovery for more information.
17
6
Before You Encrypt
When you encrypt an entire disk using PGP Whole Disk Encryption for Linux,
every sector is encrypted using a symmetric key. This includes all files including
operating system files, application files, data files, swap files, free space, and
temp files.
On subsequent reboots, PGP Whole Disk Encryption for Linux prompts you for
the correc
Whole Disk Encryption for Linux-encrypted disk (after you enter the correct
passphrase at the PGP BootGuard screen), your files are available. When you
shut down your system, the disk is protected against use by others.
Before encrypting your disk with PGP Whole Disk Encryption for Linux, there
are some im
t passphrase. As long as you correctly authenticate to your PGP
portant things to do:
Ensure the heal
Choose the encryption options to use.
Make sure to maintain power throughout encryption.
In This Chapter
Ensure Disk Health .................................................................................. 19
Choose Encryption Options..................................................................... 20
Maintain Power Throughout Encryption.................................................. 20
Ensure Disk Health
PGP Corporation deliberately takes a conservative stance when encrypting
drives, to prevent loss of data. It is not uncommon to encounter Cyclic
Redundancy Check (CRC) errors while encrypting a hard disk.
If PGP Whole Disk Encryption for Linux encounters a hard drive or partition with
bad sectors, it will, by default, pause the encryption process. This pause allo
you to remedy the problem before continuing with the encryption process, thus
avoiding potential disk corruption and lost data.
th of the hard disk.
ws
To avoid disruption during encryption, PGP Corporati
start with a healthy disk by correcting any disk errors prior to encrypting.
As best practices, before you attempt to
19
encrypt your drive:
on recommends that you
PGP WDE for Linux User's Guide Before You Encrypt
use a third-party scan disk utility that has the ability to perform a low-level
integrity check and repair any inconsistencies with the drive that could lead
to CRC errors.
Choose Encryption Options
There are several options you can use during the encryption process itself:
--dedicated-mode: Uses maximum computer power to encrypt faster;
your
system is less responsive during encryption.
--fast-mode: Skips unused sectors, so encryption of th
--safe-mode: Allows encryption to be resumed without loss of data if
power is lo
st during encryption; encryption takes longer.
These options are also described with the --encrypt command.
Maintain Power Throughout Encryption
Because encryption is a CPU-intensive process, encryption cannot begin on a
laptop computer that is running on battery power. The computer must be on AC
power. Do no
process is over.
Regardless of the type of computer you
not lose power, or otherwise shut down unexpectedly, during the encryption
process, unless you use the
--safe-mode option, it is still better not to lose power during the encryption
p
ess.
roc
If loss of power during encryption is a possibility—or if you do not have an
uninterru
option.
mode
t remove the power cord from the system before the encryption
are workin
--safe-mode option. Even if you are using the
ptible power supply for your computer—be sure to use the --safe-
g with, yo
e disk is faster.
ur system must
20
7
The Encryption Process
This section describes the two methods for whole disk encrypting a drive.
In This Chapter
Overview ................................................................................................. 21
Using --secure.......................................................................................... 21
Using Individual Commands.................................................................... 22
Overview
Using --secure
To PGP Whole Disk Encrypt a drive requires several things: the drive must be
instrumented, there must be at least one authorized user on the drive, and the
drive must be encrypted.
There are two ways to PGP Whole Disk Encrypt a drive:
using a single command, --secure: this one command does all three of
the abov
encrypts the drive. This command is most useful when you have just
installed PGP Whole Disk Encryption for Linux and thus have not
instrumented any drives, created any authorized users, or encrypted any
drives.
using multiple commands: for scenarios where you do not need all three
things require
using individual commands, you can use
and finally
The --secure command instruments the drive, creates an authorized user,
and encrypts the drive, all using a single command.
e actions. It instruments the drive, creates an authorized user, and
d to PGP Whole Disk Encrypt at drive, or if you just prefer
--instrument, --add-user,
--encrypt
to PGP Whole Disk Encrypt a drive.
Note: PGP Whole Disk Encryption for Linux must be correctly installed and
licensed before you can use --secure.
Refer to Disk Operation for more information about the --secure command.
21
PGP WDE for Linux User's Guide The Encryption Process
To PGP Whole Disk Encrypt a drive using a single command
1 Access a command p
2 Enter the text for the --secure command on a
For example:
pgpwde --secure --disk 0 --username "Alice Cameron"
--passphrase 'Frodo*1*Baggins22' --all --fast-mode
3 Press Enter. PGP Wh
Disk Encrypt the drive.
You can check the progress of the encryption process using the --status
command. Run the command
get larger as the encryption process continues.
Using Individual Commands
For scenarios where you do not need to instrument a drive, add a user, and
encrypt the drive all at the same time or if you just prefer using individual
commands, you can run the three needed commands individually.
The three commands and the order in which you need to run them are:
--instrument: replaces the Linux MBR with the PGPMBR.
rompt on your system.
single line.
ole Disk Encryption for Linux begins to PGP Whole
and check the highwater mark; it will continue to
--add-user: adds an authorized user to the drive.
--encrypt: encrypts the drive.
To PGP Who
le Disk En
1 Access a command p
2 Enter the text for the --instrument co
crypt a drive using individual commands
rompt on your system.
mmand on a single line, then
press Enter.
For e
xample:
pgpwde --instrument --disk 0
This example instruments the boot drive. You can use the --status
command to make sure the dri
3 Enter the text for the --add-user command o
ve was instrumented.
n a single line, then press
Enter.
For example:
pgpwde --add-user --disk 0 --username "Alice Cameron"
--passphrase 'Frodo@Baggins22'
This example adds a user named Alice Cameron to the boot drive. You can
use the --verify-user command to make sure the user was created.
22
PGP WDE for Linux User's Guide The Encryption Process
4 Enter the text for the --encrypt command on a single line, then press
Enter.
For example:
pgpwde --encrypt --disk 0 --passphrase
'Frodo@Baggins22' --all --safe-mode
This example encrypts all partitions of
the boot drive in safe mode.
You can check the progress of the encryption process using the --status
command. Run the command
and check the highwater mark; it will
continue to get larger as the encryption process continues.
23
The PGP BootGuard
8
Overview
Screen
This section describes actions you can take at the PGP BootGuard screen.
In This Chapter
Overview ................................................................................................. 25
Authenticating.......................................................................................... 26
Authenticating if You Have Forgotten Your Passphrase ......................... 27
Choosing a Keyboard............................................................................... 27
Your computer boots up in a different way once you use PGP Whole Disk
Encryption for Linux to protect the boot disk—or a secondary fixed disk—on
your system. On power-up, the first thing you see is the PGP BootGuard log-in
screen asking for your passphrase. When you properly authenticate, PGP Whole
Disk Encryption for Linux decrypts the disk.
When you use a PGP WDE-encrypted disk, it is decrypted
automatically as needed. With most modern computers, after the disk is
completely encrypted, there is no noticeable slowdown of your activities.
Once you unlock a disk or partition, its files ar
anyone else who can physically use your system. Your files are unlocked until
you lock them again by shutting down your computer.
When you shut down a system with an encrypted boot disk or partition, or if
you remove an encrypted removabl
or partition remain encrypted and fully protected—data is never written to the
disk or partition in an unencrypted form. Proper authentication (passphrase,
token, or private key) is required to make the files accessible again.
On the PGP BootGuard log-in screen you can:
Authenticate an encrypted boot or second
system.
View information abo
Authenticate if you have forgo
Choose your keyboard layout.
ut the disks or partitions on your system.
25
e disk from the system, all files on the disk
tten your passphrase.
e available to you—as well as
ary disk or partition on the
and opened
PGP WDE for Linux User's Guide The PGP BootGuard Screen
Authenticating
The PGP BootGuard log-in screen prompts you for the proper passphrase for a
protected disk or partition for one of two reasons:
If your boot disk or partition is protected using PGP Whole Disk Encryption
for Linu
x, you must authenticate correctly for your system to start up. This
is required because the operating system files that control system startup
are encrypted, and must be decrypted before they can be used to start up
the system.
If a secondary fixed disk or partition is
protected using PGP Whole Disk
Encryption for Linux, you can authenticate at startup so that you don’t have
to authenticate later when you need to use files on the secondary disk or
partition. Because the files on the secondary (non-boot) disk or partition are
not required for startup, you are not required to authenticate at startup.
Note: The PGP BootGuard log-in screen accepts the authentication
information from any user configured for an encrypted disk or partition. For
example, if you have two users configured for a boot disk or partition and two
different users configured for a secondary fixed disk or partition on the same
system, any of the four configured users can use their passphrase to
authenticate on the PGP BootGuard log-in screen at startup, even the two
users configured on the secondary disk or partition.
To authenticate at the PGP BootGuard log-in screen
1 Start or restart the system that has a disk or pa
rtition protected by PGP
Whole Disk Encryption for Linux. On startup, the PGP BootGuard log-in
screen is displayed.
2 Type a valid passphrase and press Enter.
Caution: The PGP BootGuard log-in screen assumes you are using one of
the supported keyboard layouts when you type your passphrase. If you
used a different keyboard layout to create the passphrase for a disk or
partition protected by PGP Whole Disk Encryption for Linux, you could
have problems authenticating because the mappings between the
keyboard layouts may be different.
To see the characters you type, press Tab before you begin typing.
3 If you ente
red a valid passphrase, the PGP BootGuard log-in screen goes
away and the system boots normally.
If you typed an invalid passphrase, an e
rror message is displayed. Try
typing the passphrase again.
26
PGP WDE for Linux User's Guide The PGP BootGuard Screen
Authenticating if You Have Forgotten Your Passphrase
If you have forgotten your passphrase and cannot authenticate to the PGP
BootGuard screen, you can authenticate using local self recovery if you have
previously configured it.
Note: Local self recovery must be configured in advance.
See Local Self Recovery for information about using the command line or a text
file to configure the local self recovery questions.
To authenticate at the PGP BootGua
rd screen using local self recovery
1 On the PGP BootGuard screen, use the arrow keys to select Forgot
Passphrase in the lower ri
rs, showing the first local self recovery question.
appea
ght corner, then press Enter. A new screen
2 Enter the answer to the first question, then press Enter. The second
que
stion app
ears.
3 Enter the answer to the second question, then press Enter. The third
que
stion app
ears.
4 Enter the answer to the third question, then press Enter. The fourth
question app
ears.
5 Enter the answer to the fourth question, then press Enter. The fifth and
last question app
ears.
6 Enter the answer to the fifth question, then press Enter.
If you ente
red three or more of the que
stions correctly, the PGP BootGuard
screen goes away and the system boots normally.
If you did not enter three or more questions correctly, you are given
anot
her chance.
If you subsequently remember your original passphrase, you can continue using
it. Using local
self recovery does not remove your passphrase.
If you do not believe you will ever remember your original passphrase, you can
e your passphrase after authenticating to PGP BootGuard using the
chang
recovery-change-passphrase
to conti
ing the local self recovery questions to authenticate to PGP
nue us
command. This means that you do not have
--
BootGuard. Using this command does remove your original passphrase, so it
will not work if you remember it later.
27
PGP WDE for Linux User's Guide The PGP BootGuard Screen
Choosing a Keyboard
The PGP BootGuard screen lets you change your keyboard layout.
Note: Different keyboard layouts can have different mappings between
characters, potentially causing problems when you enter your passphrase to
authenticate. Select the keyboard layout that most closely maps to the
keyboard you are using, then make sure to use that same layout each time
you authenticate.
To select a keyboard layout at the PGP BootGuard screen
1 On the PGP BootGuard screen, use the arrow keys to select Keyboard in
the lower rig
layouts i
2 Use the arrow keys to select the desired keyboard layout, then press
Enter. The text u
reflect th
ht corner, then press Enter. A list of supported keyboard
s displayed.
nder the list of supported keyboard layouts changes to
e new keyboard layout.
3 Press Tab to mo
ve focus to the Go Back command, then press Enter.
28
9
Generic Commands
PGP Whole Disk Encryption for Linux generic commands are:
--help (-h), which shows basic help information for PGP Whole Disk
Encryption for Linu
--version, which shows version information for PGP Whole Disk
Encryption for Linu
In This Chapter
--help (-h) .................................................................................................. 29
--version ................................................................................................... 30
x.
x.
--help (-h)
The --help command provides a brief description of the commands and
options available in PGP Whole Disk Encryption for Linux.
The long form usage format is:
pgpwde --help
The short form usage format is:
pgpwde -h
Example:
pgpwde --help
PGP WDE command line tool.
Usage: pgpwde --action [--options]
ACTIONS
-h --help Print this help
and so on.
This example shows the response to the --help command.
29
PGP WDE for Linux User's Guide Generic Commands
--version
The --version command displays information about the version of PGP
Whole Disk Encryption for Linux you are using.
The usage format is:
pgpwde --version
Example:
pgpwde --version
PGP WDE, Version 10. 1
Copyright (C) 2010 PGP Corporation
Request sent to Version was successful
This example shows the response to the --version command.
30
Disk Information
10
Commands
PGP Whole Disk Encryption for Linux includes several commands that provide
information about the disks on a system and their status:
--enum: Tells you about the disks on the system, including disk
designa
--status: Gives you PGP WDE information about a disk on the system.
--show-config: Gives you PGP BootGuard information about a disk on
the system.
--info: Gives you general information about a disk on the system.
In This Chapter
--enum...................................................................................................... 31
--info......................................................................................................... 32
--show-config ........................................................................................... 33
--status..................................................................................................... 33
tion.
--enum
The --enum command displays disk designations (for example, Disk 0 as the
boot disk), which is used in other PGP Whole Disk Encryption for Linux
commands.
The usage format is:
pgpwde --enum
Where:
--enum displays information about the disks o
Example:
pgpwde --enum
Total number of installed fixed/removable storage
device (excluding floppy and CDROM): 1
Disk 0 has 2 online volumes
31
n your system.
PGP WDE for Linux User's Guide Disk Information Commands
volume /dev/hda1 is on partition 1 with offset 63
volume /dev/hda5 is on partition 5 with offset
64260063
Request sent to Enumerate was successful
This example shows that the system has one disk, Disk 0, with two online
volumes.
Disk 0 is the boot disk in most cases.
--info
The --info command provides general status information for the specified
disk.
Note: Use the --status command for PGP WDE-specific information about
a disk.
Information you can see about a disk using --info includes:
model information.
total number of secto
rs on the disk.
The usage format is:
pgpwde --info --disk <number>
Where:
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
Examples:
pgpwde --info --disk 0
Disk information for disk 0.
Model Number: ST910021AS
Total number of sectors on disk: 192426569
Request sent to Display disk information was successful
This example shows the model number
ctors for a boot disk.
and se
pgpwde --info --disk 1
Disk information for disk 1.
Model Number: SanDisk U3 Titanium USB 2.18
Total number of sectors on disk: 4001425
Request sent to Display disk information was successful
This example shows the model number and
32
sectors for a
USB thumb drive.
PGP WDE for Linux User's Guide Disk Information Commands
--show-config
The --show-config command displays information about how PGP
BootGuard is configured on an encrypted disk.
No information displays if the command is run on a disk that is not encrypted by
PGP WDE.
sage format is:
The u
pgpwde --show-config --disk <number>
Where:
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
Examples:
pgpwde --show-config --disk 0
Login Message:
--status
Display Startup Screen: No
Use Audio Prompts: No
User lockout: Disabled
Allow user decrypt: Yes
Show configuration information completed
This example shows the PGP BootGuard information for a boot disk that is
ys if the disk is not encrypted.
encrypted. An error di
spla
The --status command provides PGP WDE-specific status information for the
specified disk.
(Use the --info command for general information about a disk.)
Information you can see about a disk using --status includes:
whether or not th
whether or not th
e disk is instrumented.
e disk is whole disk encrypted.
the number of sectors on the disk.
the highwater mark (the number of encrypted sectors on the disk).
33
PGP WDE for Linux User's Guide Disk Information Commands
Note: If you are encrypting or decrypting a disk, and you want to check
progress, you can run --status periodically and check the high water mark;
this number increases as encryption progresses or decreases as decryption
progresses.
The usage format is:
pgpwde --status --disk <number>
Where:
--disk is the option specifying to which disk on the system the
information applies.
<number> is the disk number on the system.
Examples:
pgpwde --status --disk 0
Disk disk0 is instrumented by bootguard.
Current key is valid.
Whole disk encrypted
Total sectors: 192426569 highwatermark: 192426569
Request sent to Disk status was successful
by PG
In this example, Disk 0 is instrumented
P BootGuard, the current key
used for authentication is valid, the disk is encrypted, the total number of
sectors on the disk is 192426569, and the high water mark (the number of
sectors encrypted) is 192426569.
pgpwde --status --disk 1
Disk disk 1 is not instrumented by bootguard.
Request sent to Disk status was successful
In this example, disk 1 is not instrumented by PGP BootGuard.
34
11
Boot Bypass Commands
The boot bypass feature lets you reboot a system one or more times without
having to authenticate at the PGP BootGuard screen.
Caution: Using the boot bypass feature weakens the protection provided by
PGP Whole Disk Encryption. Pay extra attention to the physical security of
systems when a bypass restart count exists. Use the --remove-bypass
command to remove any unnecessary remaining bypass restarts.
Boot bypass is generally used for remote deployment or upgrade scenarios
when one or more reboots is required; patch management, for example.
By default, boot bypass is disabled for a system. You must use the --add-
bypass
Note: All three boot bypass commands apply to the boot disk only, even if
you specify another disk on the command line.
command to enable bypass restarts.
--add-bypass
The Boot Bypass commands are:
--add-bypass: Enables the specified disk for boot bypass.
--check-bypass: Checks to see if the specified disk is enabled for boot
byp
--remove-bypass: Removes boot bypass from a disk where it is
enabled.
ass.
In This Chapter
--add-bypass............................................................................................. 35
--check-bypass ......................................................................................... 37
--remove-bypass ...................................................................................... 37
The --add-bypass command lets you enable one or more bypass restarts for
a system.
35
PGP WDE for Linux User's Guide Boot Bypass Commands
You can set the number of bypass restarts for a system to any value from 0 to
4,294,967,295. Setting the count to 0 (zero) disables bypass restarts. Setting
the count from 1 to 4,294,967,295 allows that many bypass restarts, as long as
the count is not higher than the preference set on the PGP Universal Server.
In a PGP Universal-managed enviro
nment, the PGP administrator can establish
a preference on the PGP Universal Server that limits the number of bypass
restarts that can be established using
--add-bypass.
The preference is called wdeMaximumBypassRestarts. Setting the
prefe
rence to 0 (zero) disables boot bypass. Setting the preference to a value
from 1 to 4,294,967,295 allows that many bypass restarts. If the preference
does not exist on the PGP Universal Server, the value is set to 1, allowing one
bypass restart for each system.
If you enter a number on the command line that is greater than the preference
on the PGP Unive
rsal Server, an error will be returned. The error message does
not display the value configured for the preference.
The usage format is:
pgpwde --add-bypass --disk <number> --count
<bypassrestarts> --admin-authorization | --adminpassphrase <phrase>
Where:
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--count specifies that bypass restarts are being configured the boot disk
on the system
.
<bypassrestarts> is the desired number of bypass restarts.
--admin-authorization specifies that the command is being
performed by
a member of the WDE-ADMIN Active Directory group.
--admin-passphrase specifies that the passphrase of an authorized
user on the encrypted disk will be used to authenticate.
<phrase> is the p
assphrase of an authorized
user on the disk.
Example:
pgpwde --add-bypass --disk 0 --count 4 --admin-
passphrase 'bilbo@baggins42'
This example shows that four bypass restarts was added to the boot disk
on th
e system
using the passphrase of an authorized user on the disk.
36
PGP WDE for Linux User's Guide Boot Bypass Commands
--check-bypass
The --check-bypass command tells you if boot bypass is configured for the
specified boot disk. If configured, it also displays the original and remaining
bypass restart counts.
The usage format is:
pgpwde --check-bypass --disk <number> --admin-authorization | -
-admin-passphrase <phrase>
Where:
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--admin-authorization specifies that the command is being
perfo
rmed by
--admin-passphrase specifies that the passphrase of an authorized
user on the encrypted disk will be used to authenticate.
a member of the WDE-ADMIN Active Directory group.
<phrase> is the passphrase of an authorized
Examples:
pgpwde --check-bypass --disk 0 --admin-passphrase
pgpwde --check-bypass --disk 0 --admin-passphrase
--remove-bypass
The --remove-bypass command removes boot bypass from the system,
including the original and remaining bypass restart counts.
The usage format is:
Where:
user on the disk.
'bilbo@baggins42'
This example shows that Disk 0 is configured for boot bypass via the
pre
nce of the "Bypass User."
se
'bilbo@baggins42'
This example shows that Disk 0 is not configured for boot bypass.
pgpwde --remove-bypass --disk <number> --admin-authorization |
--admin-passphrase <phrase>
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
37
PGP WDE for Linux User's Guide Boot Bypass Commands
--admin-authorization specifies that the command is being
performed by a member of the WDE-ADMIN Active Directory group.
--admin-passphrase specifies that the passphrase of an authorized
user on the encrypted disk will be used to authenticate.
<phrase> is the passphrase of an authorized
user on the disk.
Example:
pgpwde --remove-bypass --disk 0 --admin-passphrase
'bilbo@baggins42'
Remove bypass completed
This example shows the removal of boot bypass from a disk.
38
12
Disk Operation
The disk operation commands are:
--decrypt: Decrypts the specified disk.
--encrypt: Encrypts the specified disk.
--resume: Resumes a halted encrypt or decrypt process.
--secure: Encrypts a disk to a specified user and passphrase.
--stop: Halts an encrypt or decrypt process.
In This Chapter
--decrypt
--decrypt................................................................................................... 39
--encrypt................................................................................................... 40
--resume................................................................................................... 41
--secure .................................................................................................... 42
--stop........................................................................................................ 43
The --decrypt command starts the process of decrypting an encrypted disk.
If the disk is still being encrypted, you need to stop the encryption process
using --stop befo
If you begin to decrypt an encrypted disk, you can pause the d
re-start the decrypt process, but you cannot stop the decrypt and then encrypt
just the portion that was decrypted. If you being to decrypt an encrypted drive,
you must
Note: If you are decrypting a disk, and you want to check progress, you can
run --status periodically and check the lowwater and highwater marks.
The usage format is:
fully decrypt it before you can re-encrypt it.
re you can begin to decrypt it.
ecrypt and then
pgpwde --decrypt --disk <number> --admin-authorization |
--passphrase <phrase> --all --partition <partnumber>
39
PGP WDE for Linux User's Guide Disk Operation
Where:
--decrypt specifies that the disk is to be decrypted.
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--admin-authorization specifies that the command is being
perfo
rmed by
a member of the WDE-ADMIN Active Directory group.
--passphrase specifies the passphrase for an operation.
--encrypt
<phrase> is the passphrase of an authorized
user on the disk.
--all specifies that all partitions should be decrypted.
--partition specifies that only the listed partition should be decrypted.
<partnumber> is the partition to be decrypted.
Example:
pgpwde --decrypt --disk 0 --all --passphrase
"Frodo*1*Baggins22"
This example shows all partitions of a boot disk being decrypted.
The --encrypt command begins the process of whole disk encrypting a disk.
To use the --encrypt command, the drive to be encrypted must be
instrumented and h
ave at least one configured user. The --secure command
instruments the drive, adds a user, and encrypts the drive using just one
command.
Once the encryption process has started, you can stop it using --stop.
Three options are available for encrypting:
--dedicated-mode: Uses maximum computer power to encrypt faster;
y
system is less responsive during encryption.
our
--fast-mode: Skips unused sectors, so encryption of th
e disk is faster.
--safe-mode: Allows encryption to be resumed without loss of data if
power is lo
st during encryption; encryption takes longer.
The usage format is:
pgpwde --encrypt --disk <number> --passphrase <phrase>
| --keyid <keyid> --all --partition <partnumber>
--dedicated-mode --fast-mode --safe-mode
Where:
--encrypt specifies that the disk is to be encrypted.
40
PGP WDE for Linux User's Guide Disk Operation
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--passphrase specifies the passphrase for an operation.
<phrase> is the passphrase of an auth
user on the disk.
orized
--keyid specifies a user by key ID for an operation.
<keyid> is the key ID of an authorized user on the disk.
--all specifies that all partitions should be decrypted.
--partition specifies that only the listed partition should be encrypted.
<partnumber> is the partition to be encrypted.
--dedicated-mode specifies that dedicated mode (uses maximum
comp
power to encrypt faster) be used in the encryption process.
uter
--fast-mode specifies that fast mode (skipping unused sectors) be used
in the encryption process.
--safe-mode
without lo
specifies that safe mode (encryption can be resumed
ss of data if power is lost) be used in the encryption process.
Example:
pgpwde --encrypt --disk 0 --passphrase
'Frodo*1*Baggins22' --safe-mode --all
This example shows encryption of all partitions of
a boot disk being started
using safe mode. Authentication is provided by an authorized user.
--resume
The --resume command resumes a stopped process, either encrypting or
decrypting a disk.
The usage format is:
pgpwde --resume --disk <number> --passphrase <phrase>
Where:
--resume specifies that a stopped process is to be resumed.
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--passphrase specifies the passphrase for an operation.
<phrase> is the passphrase of an auth
orized
user on the disk.
Example:
pgpwde --resume --disk 0 --passphrase 'Frodo@Baggins44'
41
PGP WDE for Linux User's Guide Disk Operation
--secure
This example shows a stopped process being resumed on the boot disk.
The --secure command encrypts a disk to a specified user and passphrase.
It does three things that can also be done se
parately: it instruments the disk,
adds a passphrase user, and encrypts the disk.
The usage format is:
pgpwde --secure --disk <number> --username <name>
--passphrase <phrase> --keyid <keyid> --all --partition
<partnumber> --dedicated-mode --fast-mode --safe-mode
Where:
--secure specifies that: a disk is to be instrumented, a passphrase user
created, and the disk encrypted.
--disk
specifies the disk to which the operation applies.
<number> is the disk number on the system.
--username specifies a passphrase user on the disk is to be created.
<name> is the name of the passphrase user being created.
--passphrase specifies a passphrase is to be created.
<phrase> is the passphrase of the user being added to the disk.
--keyid specifies a user by key ID for an operation.
<keyid> is the key ID of an authorized user on the disk.
--all specifies that all partitions should be encrypted.
--partition specifies that only the listed partition should be encrypted.
<partnumber> is the partition to be encrypted.
--dedicated-mode specifies that dedicated mode (uses maximum
comp
uter
power to encrypt faster) be used in the encryption process.
--fast-mode specifies that fast mode (skipping unused sectors) be used
in the encryption process.
--safe-mode
without lo
specifies that safe mode (encryption can be resumed
ss of data if power is lost) be used in the encryption process.
Example:
pgpwde --secure --disk 0 --username "Alice Cameron"
--passphrase 'Frodo*1*Baggins22' --all --safe-mode
This example shows a boot disk being secured (instrumented and
encrypted, with a ne
w passphrase user).
42
PGP WDE for Linux User's Guide Disk Operation
--stop
The --stop command stops the current process, either encrypting or
decrypting a disk.
The usage format is:
pgpwde --stop --disk <number>
Where:
--stop specifies the current process is to be stopped.
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
Example:
pgpwde --stop --disk 0
This example shows the encryption or decryption process on disk 0 being
stopp
ed.
43
13
Disk Management
The disk management commands are:
--auth: Lets you authenticate to an encrypted disk.
--instrument: Installs PGP WDE configuration information on specified
disk.
--uninstrument: Removes WDE configuration from specified disk.
In This Chapter
--auth........................................................................................................ 45
--instrument ............................................................................................. 46
--uninstrument ......................................................................................... 46
--auth
The --auth command lets you authenticate to an encrypted disk.
The usage format is:
pgpwde --auth --disk <number> --passphrase <phrase>
Where:
--auth specifies you are authenticating to an encrypted disk.
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--passphrase specifies the passphrase for an operation.
<phrase> is the passphrase of an auth
Example:
pgpwde --auth --disk 0 --passphrase 'Sam&Gamgee44'
This example shows a user on an encrypted disk authenticating to the boot
disk, disk 0.
user on the disk.
orized
45
PGP WDE for Linux User's Guide Disk Management
--instrument
The --instrument command replaces the Linux MBR with the PGPMBR.
Instrumenting the disk or partition is the first step in the process of securing a
disk; it is follow
These three actions can be done individually, in that order, or all at once using
--secure command.
the
The usage format is:
pgpwde --instrument --disk <number>
Where:
--instrument specifies that a disk or partition is to be instrumented.
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
Example:
ed by adding a passphrase user and then encrypting the disk.
--uninstrument
pgpwde --instrument --disk 0
This example shows a boot disk being instrumented.
The --uninstrument command replaces the PGPMBR with the original
(saved) Linux MBR. The removes the requirement to authenticate at the PGP
BootGuard screen when starting the system.
Uninstrumenting a disk is normally done as part o
f the decryption process, so
this command is not normally used on its own.
Caution: You can only uninstrument a disk that has been instrumented but
nothing else. You cannot uninstrument an encrypted disk.
The usage format is:
pgpwde --uninstrument --disk <number>
Where:
--uninstrument specifies specifies that a disk or partition is to be
uninstrume
nted.
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
46
PGP WDE for Linux User's Guide Disk Management
Example:
pgpwde --uninstrument --disk 0
This example shows a boot disk being uninstrumented.
47
User Management
14
Commands
The user management commands are:
--add-user: Adds user to disk or group.
--change-passphrase: Changes passphrase of specified user or group.
--change-userdomain: Changes authentication domain of specified
u
or group.
ser
--list-user: Lists authorized users on an encrypted disk.
--remove-user: Removes user from specified disk or group.
--verify-user: Verifies passphrase of user or group.
In This Chapter
--add-user................................................................................................. 49
--change-passphrase................................................................................ 50
--change-userdomain ............................................................................... 51
--list-user .................................................................................................. 52
--remove-user........................................................................................... 53
--verify-user .............................................................................................. 53
--add-user
The --add-user command adds an authorized user to the encrypted disk.
The usage format is:
pgpwde --add-user --disk <number> --domain-name
<domain> --passphrase <phrase> --username <user> -admin-passphrase <pass> | --recovery-token <string>
Where:
--add-user specifies that you are adding an authorized user to a disk.
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
49
PGP WDE for Linux User's Guide User Management Commands
--username specifies a username for an operation.
<user> is the username of the user being added.
--domain-name specifies the name of the domain to which the user
au
cates. The default is the login domain.
thenti
<domain> is the domain to which the user authenticates.
--passphrase specifies the passphrase for an operation.
<pass> is the passphrase the user being added will use to authenticate.
--username
specifies a username for an operation.
<user> is the username of the user being added.
--admin-passphrase specifies that the passphrase of an authorized
user on the encrypted disk will be used to authenticate the
adding
of the
new user account.
<phrase> is the passphrase of an authorized
user on the disk.
--recovery-token specifies that the disk's recovery token (WDRT) will
be used for authentic
ation.
<string> is the WDRT string.
Example:
pgpwde --add-user --disk 0 --username "Alice Cameron" -
-passphrase 'Frodo@Baggins22' --admin-passphrase
'Sam&Gamgee44'
This example shows a new passphrase use
r, Alice
Cameron, being added
to a boot disk with a passphrase of Frodo@Baggins22. The passphrase
(Sam&Gamgee44) of an existing user on the disk is used to authenticate.
pgpwde --add-user --disk 0 --username "Alice Cameron" -
-domain EXAMPLECORP --passphrase 'Frodo@Baggins22' -admin-passphrase 'Sam&Gamgee44'
This example shows a new user, in domain EXAMPLECORP, being added
to a boot disk.
--change-passphrase
The --change-passphrase command lets you change the passphrase of a
passphrase user on an encrypted disk.
The usage format is:
pgpwde --change-passphrase --disk <number> --username
<user> --new-passphrase <newpass> --passphrase <phrase>
50
PGP WDE for Linux User's Guide User Management Commands
Where:
--change-passphrase specifies that you are changing the passphrase
of a passphrase u
ser.
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--username specifies the existing user whose passphrase is being
changed.
<user> is the username of the existing user whose passphrase is being
changed.
--new-passphrase specifies that you are changing an existing
passphrase to a new pa
ssphrase.
<newpass> is the text of the new passphrase.
--passphrase specifies the existing passphrase.
<phrase> is the passphrase that is being changed.
Example:
pgpwde --change-passphrase --disk 0 --username "Alice
Cameron" --new-passphrase 'Sam&Gamgee44' --passphrase
'Frodo@Baggins22'
This example shows an existing passphrase user on an encrypted disk
ch
anging thei
--change-userdomain
The --change-userdomain command lets you change the user domain to
which an authorized user authenticates.
This command is useful for organizations going throug
The usage format is:
pgpwde --change-userdomain --disk <number> --new-domain
<domain> --username <user>
Where:
--change-userdomain specifies that you are changing the user domain
to which an auth
--disk specifies the disk to which the operation applies.
r passphrase.
h a domain migration.
orized user on the drive authenticates.
<number> is the disk number on the system.
--new-domain specifies the new domain to which the user will
authen
ticate.
<domain> is the name of the new authentication domain.
51
PGP WDE for Linux User's Guide User Management Commands
--username specifies a username for the operation.
<user> is the username of an existing user who is being removed.
Example:
pgpwde --change-userdomain --disk 0 --new-domain
EXAMPLECORP --username "Alice Cameron"
This example shows the authentication domain of user Alice Cameron
being ch
ange
d to EXAMPLECORP.
--list-user
The --list-user command lists those users who are authorized users on the
specified encrypted disk.
The usage format is:
pgpwde --list-user --disk <number>
Where:
--list-user specifies that you are listing authorized users on a disk.
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
Example:
pgpwde --list-user --disk 0
Total of 1 users:
User 0: Name: Alice Cameron Type: Symmetric domain:
EXAMPLECORP
System Record Information:
Serial Number: 1
Disk ID: EXAMPLECORP.MSHOME.Alice Cameron.
Disk UUID: 32eca196-7d16-4f83-9159-f7228af85594
Group UUID: 32eca196-7d16-4f83-9159-f7228af85594
Request sent to List users on disk was successful
This example shows the users who can authenticate to the specified boot
disk.
52
PGP WDE for Linux User's Guide User Management Commands
--remove-user
The --remove-user command removes a user who is currently authorized on
the encrypted disk.
The usage format is:
pgpwde --remove-user --disk <number> --username <user>
--admin-passphrase <pass>
Where:
--remove-user specifies that you are removing an authorized user on
the disk.
--verify-user
--disk spe
cifies the disk to which the operation applies.
<number> is the disk number on the system.
--username specifies a username for the operation.
<user> is the username of an existing user who is being removed.
--admin-passphrase specifies that the passphrase of an authorized
user on the encrypted disk will be used to authenticate the removal
user
.
<phrase> is the passphrase of an authorized
user on the disk.
of the
Example:
pgpwde --remove-user --disk 0 --username "Alice
Cameron" --admin-passphrase 'Sam&Gamgee44'
This example shows user Alice Cameron being removed from the boot
disk.
The --verify-user command verifies the passphrase of a user who is an
authorized user on an encrypted disk.
The usage format is:
pgpwde --verify-user --disk <number> --passphrase
<phrase> --username <user> | --keyid <keyid>
Where:
--verify-user specifies that you are verifying the passphrase of an
ized user.
author
--disk specifies to which disk on the system the information applies.
<number> is the disk number on the system.
53
PGP WDE for Linux User's Guide User Management Commands
--passphrase specifies the passphrase for an operation.
<phrase> is the passphrase of an authorized
user on the disk.
--username specifies a username for an operation.
<user> is the username of an authorized user account on the disk.
--keyid specifies a user by key ID for an operation.
<keyid> is the key ID of an authorized user on the disk.
Example:
pgpwde --verify-user --disk 0 --passphrase
'Frodo@Baggins44' --username "Alice Cameron"
Successfully verified user Alice Cameron
This example shows passphrase user Alice Cameron's passphrase being
ve
via her username.
rified
pgpwde --verify-user --disk 0 --passphrase
'Frodo@Baggins44' --keyid 0x12345678
Successfully verified user Alice Cameron
This example shows PGP key user Alice Cameron's passphrase b
eing
verified via the key ID of her PGP key.
54
PGP BootGuard
15
Customization Commands
PGP Whole Disk Encryption for Linux includes commands for modifying the
default PGP BootGuard screen.
The PGP BootGuard customization commands are:
--set-background: Lets you specify a custom PGP BootGuard screen
background.
--set-language: Lets you sp
ay and keyboard.
displ
--set-sound: Enables or disables audio prompts on the PGP BootGuard
screen.
--set-start: Lets
background.
--set-text: Lets
authen
tication screen.
you specify a custom PGP BootGuard startup screen
you specify a text message for the PGP BootGuard
In This Chapter
ecify a language for the PGP BootGuard
--set-background ...................................................................................... 55
--set-language .......................................................................................... 56
--set-sound ............................................................................................... 57
--set-start.................................................................................................. 58
--set-text................................................................................................... 59
--set-background
The --set-background command lets you specify a custom background
image for the PGP BootGuard authentication screen.
Custom background images must be created according to the following
spec
XPM files only.
Image size of 640 by 4
ifications:
80.
55
PGP WDE for Linux User's Guide PGP BootGuard Customization Commands
Palette of 15 colors only, including black (one color is reserved for fonts).
You do not have to use all 15 colors in the image.
8-bit RGB only (cannot be
16-bit RGB). You can verify you are using 8 bit by
looking at the XPM header using a text editor: 8-bit values appear as
#285A83 (one hex triplet), 16-bit values appears as #28285A5A8383 (two
hex triplets).
Note: If you specify an image that does not meet these requirements, a
default text-only screen will be used.
Graphics applications that support the XPM file format include Graphic
Converter on Mac OS X, GIMP on Mac OS X/FreeBSD and UNIX/LINUX, and
the Convert command on Linux.
The new background image will display when the PGP BootGuard
authen
tication screen next appears.
The usage format is:
pgpwde --set-background --disk <number> --image <file>
Where:
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--image specifies the image file to use as the custom background.
<file> is the name of the XPM file.
--set-language
Example:
pgpwde --set-background --disk 0 --image "corplogo.xpm"
This example shows an image file, corplogo.xpm, being set as the
backgroun
d image for the PGP Bo
otGuard authentication screen.
The --set-language command lets you specify the languages that will be
used by PGP BootGuard for display and for the keyboard.
You can specify one language and one display from the list of sup
ported
languages. You are not required to use the same language for both.
Options not specified are not changed. So if you speci
fy a new language for
text, the existing keyboard setting is not changed. The response to the --set-
language
for bot
command shows both the previous settings and the new settings,
h display and keyboard.
Changes will take effect on the next system startup.
56
PGP WDE for Linux User's Guide PGP BootGuard Customization Commands
The usage format is:
pgpwde --set-language --disk <number> --display <view>
--keyboard <type>
Where:
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--display specifies the language to be used for viewing.
<view> is desired language ID for the display: default (keep existing
lang
uage), de, en,
es, fr, or jp.
--keyboard specifies the language to be used for typing text.
<type> is the desired language for the keyboard: default (keep existing
language), de, en,
en-gb, es, fr, or jp.
Example:
pgpwde --set-language --disk 0 --display jp --keyboard
jp
--set-sound
Boot language is set to Keyboard=en Display=en
Boot language now set to Keyboard=jp Display=en
This example shows Japanese being specified for both display and
rd in PGP BootGuard.
yboa
ke
The --set-sound command lets you enable or disable the use of audio clues
for actions that occur during the PGP BootGuard authentication process. Audio
clues are disabled by default.
Audio clues can help vision-impaired users more easily navigate the PGP
Boot
Guard authentication process.
When enabled, the system will play audible tone combinations during the PGP
BootGu
ard authentication process. Each tone combination begins with a middle
sound and is followed by either a higher tone, another middle tone, or a lower
tone.
The three combinations are:
Ready for passphrase/pin entry: When the system is first ready for
passph
rase/pin
entry, the middle-middle tone combination plays.
Successful authentication: If the authentication attempt was successful,
the middle-high tone combination plays. The system then continues
ting.
boo
57
PGP WDE for Linux User's Guide PGP BootGuard Customization Commands
Unsuccessful authentication: If the authentication attempt was
unsuccessful, the middle-low tone combination plays. The PGP BootGuard
authentication screen displays and the passphrase field is cleared for
another authentication attempt.
--set-start
The tone combinations cannot be customized; you can only de
cide whether to
enable audio clues or disable them.
Changes will take effect on the next system startup.
The usage format is:
pgpwde --set-sound --disk <number> --beep | --no-beep
Where:
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--beep enables audio clues.
--no-beep disables audio clues.
Example:
pgpwde --set-sound --disk 0 --beep
Accessibility Sounds set to [ON]
This example shows audio
clues bein
g enabled.
The --set-start command lets you display a custom startup image for PGP
BootGuard that appears before the authentication screen. Press any key to
make the startup screen
disappear.
Custom startup images must be created according to the following
fications:
speci
XPM files only.
Image size of 640 by 4
Palette of 15 colors only, including black (one col
80.
or is reserved for fonts).
You do not have to use all 15 colors in the image.
8-bit RGB only (cannot be
16-bit RGB). You can verify you are using 8 bit by
looking at the XPM header using a text editor: 8-bit values appear as
#285A83 (one hex triplet), 16-bit values appears as #28285A5A8383 (two
hex triplets).
Graphics applications that support the XPM file
format include Graphic
Converter on Mac OS X, GIMP on Mac OS X/FreeBSD and UNIX/LINUX, and
the Convert command on Linux.
58
PGP WDE for Linux User's Guide PGP BootGuard Customization Commands
The new startup image will display on the next system startup (unless bBoot
bypass is used).
The usage format is:
pgpwde --set-start --disk <number> --image <file>
Where:
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--set-text
--image specifies the image file to us
e as the
startup screen.
<file> is the name of the XPM file.
Example:
pgpwde --set-start --disk 0 --image "corpsplash.xpm"
This example shows an image file, corpsplash.xpm, being set as the PGP
BootGu
ard startup image.
The --set-text command lets you specify text that will display when the
PGP BootGuard screen appears.
You can disable the display of text by entering no text where the message
would go.
You can e
default te
nter one line of text, up to 80 characters (including spaces). The
xt is: "Forgot your passphrase? Please contact your IT department or
Security Administrator."
Note: Text must go in quotation marks or only the text up to the first space
will display. The quotation marks do not display.
Changes will take effect on the next system startup.
The usage format is:
pgpwde --set-text --disk <number> --message <text>
Where:
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
--message specifies new text for the PGP BootGuard screen.
<text> is the text you want to display. If left empty, no text will display.
59
PGP WDE for Linux User's Guide PGP BootGuard Customization Commands
Examples:
pgpwde --set-text --disk 0 --message "You must change
your login passphrase monthly."
This example shows a new text message fo
r the PGP BootGu
ard screen.
pgpwde --set-text --disk 0 --message
This example shows the display of text for the PGP BootGuard screen
being di
sabled
.
60
Recovery Token
16
Commands
In PGP Universal-managed environments with the appropriate policy, Whole
Disk Recovery Tokens (WDRTs) are created automatically when a disk, partition,
or removable disk is whole disk encrypted. They are sent to the PGP Universal
Server managing security for the disk or partition when they are created.
WDRTs can be used to access the disk or partitio
authentication token is lost.
Once a WDRT is used, it cannot be used ag
generated for the system. All new WDRTs are also automatically sent to the
PGP Universal Server managing the disk when the new WDRT is created.
Because the first WDRT for a system is created automatically, the only
command related to W
The recovery token commands are:
--new-wdrt: Creates a new WDRT after use.
In This Chapter
DRTs is to create a new WDRT.
n in case the passphrase or
ain. A new WDRT must be
--new-wdrt
--new-wdrt ............................................................................................... 61
The --new-wdrt command creates a new WDRT (recovery token) when the
previous WDRT has been used.
The usage format is:
pgpwde --new-wdrt --disk <number> --admin-authorization
| --admin-passphrase <phrase> --recovery-token <string>
Where:
--new-wdrt specif
--disk specifies the disk to which the operation applies.
<number> is the disk number on the system.
ies the creation of a new WDRT.
61
PGP WDE for Linux User's Guide Recovery Token Commands
--admin-authorization specifies that the command is being
performed by a member of the WDE-ADMIN Active Directory group.
--admin-passphrase specifies that the passphrase of an authorized
user on the encrypted disk will be used to authenticate the adding
of the
new user account.
<phrase> is the passphrase of an authorized
user on the disk.
--recovery-token specifies that a recovery token (WDRT) will be
created
to replace the used one.
<string> is the WDRT string.
Example:
pgpwde --new-wdrt --disk 0 --admin-passphrase
'bilbo@baggins44' --recovery-token 'GandalfBilbo+Merry=OneRing'
This example shows a new WDRT being created.
62
17
Local Self Recovery
Local self recovery lets you authenticate to PGP BootGuard even if you have
forgotten your passphrase.
Note: Local self recovery only works if you configure it before you lose your
passphrase; PGP Corporation recommends configuring it immediately after
licensing PGP Whole Disk Encryption for Linux if you plan on using it.
When you configure local self recovery, you create five security questions;
three must be answered correctly to authenticate to PGP BootGuard.
Note: If you are using PGP Whole Disk Encryption for Linux in a PGP
Universal Server-managed environment, your PGP Universal Server
administrator may have disabled the option for local self recovery. Your
administrator may also have specified that local self recovery be configured
during enrollment. In this case, you are prompted to enter the security
questions as as you set up PGP Whole Disk Encryption for Linux.
The local self recovery commands are:
--recovery-configure: Configures the local self reco
--recovery-questions: Displays local self recovery questions.
--recovery-verify: Verifies existing local self recovery questions and
an
--recovery-remove: Removes existing local self recovery que
answers.
--recovery-change-passphrase: Changes a lost passphrase.
swers.
very feature.
stions and
In This Chapter
--recovery-configure................................................................................. 64
--recovery-questions ................................................................................ 65
--recovery-verify ....................................................................................... 66
--recovery-remove.................................................................................... 67
--recovery-change-passphrase................................................................. 67
Authenticating if you Have Forgotten Your Passphrase.......................... 68
63
PGP WDE for Linux User's Guide Local Self Recovery
--recovery-configure
The --recovery-configure command configures local self recovery.
You can configure the required five questions and answers in either of two
ways:
text files: you create two text files; one text file with five questions, each
on sepa
questions, again each on a separate line.
interactively (--interactive): You will be prompted for five questions
and
You can also use --interactive to have PGP Whole Disk Encryption for
Linux interactively prompt for a p
on the command line.
Note: Text files and --interactive are mutually exclusive. Use one
method or the other.
rate lines, and a second text file with five answers to those
their co
rresponding answers.
assphrase. Simply do not enter a passphrase
You will need to be able to correctly answer three of the five questions if you
forget your passphrase and need to authenticate to PGP BootGuard using
--recovery-verify.
The usage format is:
pgpwde --recovery-configure --user <username> -passphrase <phrase> [--disk <disknumber>] [--questionsfile <questions>] [--answers-file <answers>]
[--interactive]
Where:
--recovery-configure specifies that you are configuring local self recovery.
--user spe
cifies which user account is being used.
<username> is the name of the user account.
--passphrase specifies the passphrase for an operation.
<phrase> is the passphrase for specified user account.
--disk specifies disk on the system for which local self recovery is being
c
nf
igured.
o
<disknumber> is the disk number on the system. Disk 0, the boot di
sk,
is the default.
--questions-file specifies the five questions will be in a text file.
<questions> is the path to the text file with the five questions, each on
its own line.
--answers-file specifies the five answers will be in a text file.
64
PGP WDE for Linux User's Guide Local Self Recovery
<answers> is the path to the text file with the five answers, each on its
own line.
--interactive specifies you will be prompted for the five questions and
answers.
Examples:
pgpwde --recovery-configure --user "Alice Cameron"
--passphrase 'bilbo#baggins+Frodo' --disk 0
--interactive
This example shows local self recovery being configured for user Alice
Cameron u
si
ng interactive questions and answers.
pgpwde --recovery-configure --user "Alice Cameron"
--passphrase 'bilbo#baggins+Frodo' --disk 0
--questions-file "/home/user/docs/questions.txt"
--answers-file "/home/user/docs/answers.txt"
This example shows local self recovery being configured for user Alice
Cameron with the fi
ve que
stions and answers in the specified text files.
--recovery-questions
The --recovery-questions command displays configured local self
recovery questions.
Note: --recovery-questions only shows existing questions. You cannot
modify or add questions using this command.
The usage format is:
pgpwde --recovery-questions --user <username> [--disk
<disknumber>]
Where:
--recovery-questions specifies that you are configuring local self
recover
--user specifies which user account is being used.
<username> is the name of the user account.
--disk specifies disk on the system for which local self recovery is being
conf
<disknumber> is the disk number on the system. Disk 0, the boot di
is the default.
Example:
y.
igured.
sk,
pgpwde --recovery-questions --user "Alice Cameron"
--disk 0
65
PGP WDE for Linux User's Guide Local Self Recovery
This example displays the configured local self recovery questions for user
Alice Cameron.
--recovery-verify
The --recovery-verify command lets you verify the configured local self
recovery questions and answers. You can answer the five questions either
using a text file or interactively.
Note: You cannot modify the local self recovery questions using --
recovery-verify.
To authenticate to PGP BootGuard using the configured local self recovery
questions and answers, see Recovering a Lost Passphrase.
The usage format is:
pgpwde --recovery-verify --user <username> [--disk
<disknumber>] [--answers-file <answers>]
[--interactive]
Where:
--recovery-verify specifies that you are verifying existing local self
recover
y questions and answers.
--user specifies which user account is being used.
<username> is the name of the user account.
--disk specifies the disk on the system for which the command is being
performed.
<disknumber> is the di
sk number on the system. Disk 0, the boot di
sk,
is the default.
--answers-file specifies the five answers will be in a text file.
<answers>
is the path to the text file with the five answers, each on its
own line.
--interactive specifies you will be prompted for the five answers and
question
s.
Example:
pgpwde --recovery-questions --user "Alice Cameron"
--disk 0 --answers-file "/home/user/docs/answers.txt"
This example shows user Alice Cameron verifying configured local self
recover
y questions and answers using the file answers.txt.
66
PGP WDE for Linux User's Guide Local Self Recovery
--recovery-remove
The --recovery-remove command removes configured local self recovery
questions and answers.
The usage format is:
pgpwde --recovery-remove --user <username> --passphrase
<phrase> [--disk <disknumber>]
Where:
--recovery-remove specifies that you are removing configured local
self reco
--user specifies which user account is being used.
<username> is the name of the user account.
--passphrase specifies the passphrase for an operation.
<phrase> is the passphrase for specified user account.
very questions and answers.
--disk specifies disk on the system for which local self recovery is being
remo
ved.
<disknumber> is the di
is the default.
Example:
pgpwde --recovery-remove --user "Alice Cameron"
--passphrase 'bilbo#baggins+Frodo' --disk 0
This example removes configured local self recovery questions and
swer
an
s for user Alice Cameron.
--recovery-change-passphrase
The --recovery-change-passphrase command lets you create a new
passphrase when you have forgotten your existing passphrase and
authenticated to PGP BootGuard using local self recovery.
Note: PGP Corporation recommends creating a new passphrase as soon as
you authenticate to PGP BootGuard after forgetting your passphrase and
authenticating using local self recovery.
The usage format is:
sk number on the system. Disk 0, the boot di
sk,
pgpwde --recovery-change-passphrase --user <username>
[--disk <disknumber>] --new-passphrase <newpass>
[--answers-file <answers>]
67
PGP WDE for Linux User's Guide Local Self Recovery
Where:
--recovery-verify specifies that you are authenticating to PGP
BootGuard.
--user spe
cifies which user account is being used.
<username> is the name of the user account.
--disk specifies the disk on the system for which the command is being
performed.
<disknumber> is the di
sk number on the system. Disk 0, the boot di
sk,
is the default.
--new-passphrase specifies the five answers will be in a text file.
<newpass> is the path to the text file with the five answers, each on its
own line.
--answers-file specifies the five answers will be in a text file.
<answers>
is the path to the text file with the five answers, each on its
own line.
Example:
pgpwde --recovery-change-passphrase --user "Alice
Cameron" --disk 0 --new-passphrase
'Bilbo%Baggins$Underhill' --answers-file
"/home/user/docs/answers.txt"
This example shows user Alice Cameron authenticating to PGP BootGuard
usin
g the an
swers in the file answers.txt.
Authenticating if you Have Forgotten Your Passphrase
If you have forgotten your passphrase and cannot authenticate to the PGP
BootGuard screen, you can authenticate using local self recovery if you have
previously configured it.
Note: Local self recovery must be configured in advance.
See Local Self Recovery for information about using the command line or a text
file to configure the local self recovery questions.
To authenticate at the PGP BootGua
1 On the PGP BootGuard screen, use the arrow keys to select Forgot
Passphrase in the lower ri
rs, showing the first local self recovery question.
appea
ght corner, then press Enter. A new screen
2 Enter the answer to the first question, then press Enter. The second
que
stion app
ears.
68
rd screen using local self recovery
PGP WDE for Linux User's Guide Local Self Recovery
3 Enter the answer to the second question, then press Enter. The third
question appears.
4 Enter the answer to the third question, then press Enter. The fourth
question app
ears.
5 Enter the answer to the fourth question, then press Enter. The fifth and
last question app
ears.
6 Enter the answer to the fifth question, then press Enter.
If you ente
red three or more of the que
stions correctly, the PGP BootGuard
screen goes away and the system boots normally.
If you did not enter three or more questions correctly, you are given
her chance.
anot
If you subsequently remember your original passphrase, you can continue using
it. Using local
self recovery does not remove your passphrase.
If you do not believe you will ever remember your original passphrase, you can
e your passphrase after authenticating to PGP BootGuard using the
chang
--recovery-change-passphrase command. This means that you do not
have to continue u
sing the local self recovery questions to authenticate to PGP
BootGuard. Using this command does remove your original passphrase, so it
will not work if you remember it later.
69
18
Options
This section lists and describes the options you can use with PGP Whole Disk
Encryption for Linux.
71
PGP WDE for Linux User's Guide Options
In This Chapter
Overview ................................................................................................. 72
"Secure" Options...................................................................................... 74
--admin-authorization ............................................................................... 74
--admin-passphrase.................................................................................. 74
--all ........................................................................................................... 75
--answers-file ........................................................................................... 75
--auto-start................................................................................................ 75
--beep....................................................................................................... 75
--count...................................................................................................... 76
--dedicated-mode..................................................................................... 76
--disk (-d) .................................................................................................. 76
--display.................................................................................................... 77
--domain-name......................................................................................... 77
--fast-mode............................................................................................... 77
--image ..................................................................................................... 77
--interactive .............................................................................................. 78
--keyboard ................................................................................................ 78
--keyid ...................................................................................................... 78
--license-email.......................................................................................... 79
--license-name.......................................................................................... 79
--license-number ...................................................................................... 79
--license-organization ............................................................................... 80
--message ................................................................................................ 80
--new-domain........................................................................................... 80
--new-passphrase .................................................................................... 80
--no-beep.................................................................................................. 81
--partition.................................................................................................. 81
--passphrase (-p) ...................................................................................... 81
--questions-file ......................................................................................... 82
--recovery-token ....................................................................................... 82
--safe-mode.............................................................................................. 83
--username............................................................................................... 83
Overview
PGP Whole Disk Encryption for Linux supports the following options:
72
PGP WDE for Linux User's Guide Options
--admin-authorization: Specifies that the command is authorized by
member of the WDE-ADMIN Active Directory group.
--admin-passphrase: Specifies the passphrase of an existing PGP WDE
user.
--all
: Specifies the use of partition mode encryption on all partitions.
--auto-start: Starts encryption immediately.
--base-disk: Specifies the disk number of the original group.
--beep: Enables beep when PGP BootGuard screen appears.
--count: Specifies the number of bypass re
star
ts being configured.
--dedicated-mode: Specifies that dedicated mode be used.
--disk (-d): Specifies the number of the target disk. Zero (0) is boot
disk.
--display: Specifies the PGP BootGuard display language.
--domain-name: Specifies the user authentication domain.
--fast-mode: Specifies that fast mode be used.
--image: Specifies an image file to be used.
--keyboard: Specifies the PGP BootGuard keyboard language.
--keyid: Specifies the key ID of a PGP key.
--license-email: Specifies an email address for the license holder.
--license-name: Specifies the person to whom PGP Whole Disk
Encrypti
on for Linu
x is licensed.
--license-number: Specifies a valid license number for PGP Whole
Disk Encrypti
on for Linux.
--license-organization: Specifies the organization of the license
holder.
--message:
Specifies custom message for PGP BootGuard screen.
--new-domain: Specifies a new domain for a user.
--new-passphrase: Specifies a new passphrase for an existing user.
--no-beep: Disables beep when PGP BootGuard screen appears.
--partition: Specifies a partition for an operation.
--passphrase (-p): Specifies a passphrase for an operation.
--recovery-token: Specifies a whole disk recovery token.
--safe-mode: Specifies that safe mode be used.
--username (-u): Specifies a username for an operation.
73
PGP WDE for Linux User's Guide Options
"Secure" Options
The descriptions of some options in PGP Whole Disk Encryption for Linux
mention that they are "secure," as in "This option is not secure". In this context,
"secure" means that the option’s argument is saved in non-pageable memory
(when that option is available to applications). Options that are not "secure" are
saved in normal system memory.
--admin-authorization
Specifies that the operation is authorized by a member of the WDE-ADMIN
Active Directory group. In other words, by an administrator of PGP WDE clients
in a PGP Universal-managed environment.
No passphrase is required on the command line when using this option.
Instead, the administrator will be authenticated
when the option is used.
against the WDE-ADMIN group
This option can be shortened to --aa.
Example:
pgpwde --add-user --disk 0 --username "Alice Cameron"
--passphrase 'Frodo@Baggins22' --admin-authorization
--recovery-token 'Gandalf-Bilbo+Merry=OneRing'
This example shows a new passphrase user being added to a boot disk
with a
group.
--admin-passphrase
Specifies that the passphrase being used is that of an authorized user of the
encrypted disk.
This option can be shortened to --ap.
Example:
pgpwde --add-user --disk 0 --username "Alice Cameron"
--passphrase 'Frodo@Baggins22' --admin-passphrase
'Sam&Gamgee44
This example shows a new passphrase user bei
passphrase of an existing user on the disk is used to authenticate.
very token by a member of the WDE-ADMIN Active Directory
reco
'
ng added to a boot disk. The
74
PGP WDE for Linux User's Guide Options
--all
Specifies that all partitions should be encrypted.
Example:
pgpwde --encrypt --disk 0 --passphrase
'Frodo*1*Baggins' --all
This example shows encryption of a boot disk being started. All partitions
are to be e
ncrypte
d.
--answers-file
Specifies the path to a text file with five answers, each on a new line of the file.
Example:
--auto-start
--beep
pgpwde --recovery-configure --user "Alice Cameron"
--passphrase 'bilbo#baggins+Frodo' --disk 0
--questions-file "/home/user/docs/questions.txt"
--answers-file "/home/user/docs/answers.txt"
This example shows local self recovery being configured for user Alice
Cameron with the fi
ve que
stions and answers in the specified text files.
Specifies whether or not encryption should begin immediately. Options are Yes
No. The default is No.
or
Example:
pgpwde --verify-user --auto-start Yes --base-disk 0 --disk
1 --passphrase 'Sam&Gamgee44' --username "Jose Medina"
This example shows disk 1 on the syste
m being adde
d to the encrypted
disk group. Encryption will begin immediately.
Specifies that audio clues for actions that occur during the PGP BootGuard
authentication process should be enabled.
The default is audio clues are disabled.
75
PGP WDE for Linux User's Guide Options
Example:
pgpwde --set-sound --disk 0 --beep
Accessibility Sounds set to [ON]
--count
Specifies the number of bypass restarts being configured for the boot disk on a
system.
Only works with the --add-bypass command.
Valid values for --count are 0 through 4,294,967,295.
Setting --count to 0 disables the boot bypass feature on the system.
In a PGP Universal-managed environment, a preference constrains what values
ar
e va
command line that is hi
--dedicated-mode
Specifies that Dedicated Mode should be used for the encryption process.
Dedicated Mode uses maximum computer power to encrypt faster; your
system is less responsive during encryption.
This example shows audio clues bein
g enabled.
lid for --count on the command line; you cannot set a value on the
gher than the value set in the preference.
--disk (-d)
Example:
pgpwde --encrypt --disk 0 --passphrase
'Frodo*1*Baggins22' --dedicated-mode
This example shows encryption of a boot disk being started using
Dedicated Mode.
Specifies the disk to which the operation applies.
Example:
pgpwde --info --disk 0
This example shows general informatio
76
n being requ
ested for disk 0.
PGP WDE for Linux User's Guide Options
--display
Specifies the display language for PGP BootGuard.
Example:
pgpwde --set-language --disk 0 --display jp --keyboard jp
Boot language is set to Keyboard=en Display=en
Boot language now set to Keyboard=jp Display=en
This example shows Japanese being specified for both display and
keyboa
rd in PGP BootGuard.
--domain-name
Specifies an authentication domain. The default is the login domain.
--fast-mode
Example:
pgpwde --add-user --disk 0 --username "Alice Cameron"
--domain EXAMPLECORP --passphrase 'Frodo@Baggins22'
--admin-passphrase 'Sam&Gamgee44'
This example shows a new user, in domain EXAMPLECORP, being added
to a boot disk.
Specifies that Fast Mode should be used for the encryption process. Fast mode
skips unused sectors, so encryption of the disk is faster.
Example:
pgpwde --encrypt --disk 0 --passphrase
'Frodo*1*Baggins' --fast-mode
This example shows encryption of a boot disk being started using fast
mode.
77
PGP WDE for Linux User's Guide Options
--image
Specifies an XPM file to use for an operation.
Example:
pgpwde --set-background --disk 0 --image "corplogo.xpm"
This example shows an image file, corplogo.xpm, being set as the
backgroun
d image for the PGP Boo
tGuard authentication screen.
--interactive
Specifies that questions and answers should be asked and answered
interactively, as opposed to coming from text files.
Example:
--keyboard
--keyid
pgpwde --recovery-questions --user "Alice Cameron"
--disk 0 --interactive
This example shows user Alice Cameron verifying config
ured local self recovery
questions and answers interactively.
Specifies the keyboard language for PGP BootGuard.
Example:
pgpwde --set-language --disk 0 --display jp --keyboard jp
Boot language is set to Keyboard=en Display=en
Boot language now set to Keyboard=jp Display=en
This example shows Japanese being specified for both display and
keyboa
rd in PGP BootGuard.
Specifies the key ID of a PGP key.
Example:
pgpwde --verify-user --disk 0 --passphrase
'Frodo@Baggins44' --keyid 0x12345678
78
PGP WDE for Linux User's Guide Options
Successfully verified user Alice Cameron
--license-email
--license-name
This example shows PGP key user Alice Cameron's passphrase b
eing
verified via the key ID of her PGP key.
Specifies an email address for the license holder.
Example:
pgpwde --license-authorize --license-name "Alice
Cameron"
--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"
--license-email "acameron@example.com
"
--license-organization "Example Corporation"
This example shows the license holder's email address being entered
during licensi
ng.
Specifies the person to whom PGP Whole Disk Encryption for Linux is licensed.
Example:
pgpwde --license-authorize --license-name "Alice Cameron"
--license-number
Specifies a valid license number for PGP Whole Disk Encryption for Linux.
Example:
pgpwde --license-authorize --license-name "Alice
--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"
--license-email "acameron@example.com
"
--license-organization "Example Corporation"
This example shows the license holder's name being entered during
licensing.
Cameron"
--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"
--license-email "acameron@example.com
"
--license-organization "Example Corporation"
This example shows the license number being entered during licensing.
79
PGP WDE for Linux User's Guide Options
--license-organization
Specifies the organization of the license holder.
Example:
pgpwde --license-authorize --license-name "Alice
Cameron"
--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"
--license-email "acameron@example.com
"
--license-organization "Example Corporation"
This example shows the organization of the license holder being entered
during licensi
ng.
--message
--new-domain
Specifies text for the PGP BootGuard screen.
Example:
pgpwde --set-text --disk 0 --message 'You must change your
login passph
rase monthly.'
Custom message Updated
Set custom authentication screen text completed
xample shows a new text message fo
This e
r the PGP BootGu
ard screen.
Specifies a new authentication domain for an authorized user.
Example:
pgpwde --change-userdomain --disk 0 --new-domain
EXAMP
ORP --username "Alice Cameron"
LEC
This example shows the authentication domain of user Alice Cameron
being change
d to EXAMPLECORP.
80
PGP WDE for Linux User's Guide Options
--new-passphrase
Specifies the new passphrase when a passphrase user is changing their
passphrase.
Example:
pgpwde --change-passphrase --disk 0 --username "Alice
Cameron" --new-passphrase 'Sam&Gamgee44' --passphrase
'Frodo@Baggins22'
This example shows an existing passphrase user on an encrypted disk
changing thei
r passphrase.
--no-beep
Specifies that audio clues for actions that occur during the PGP BootGuard
authentication process should be disabled.
--partition
The default is audio clues are disabled.
Example:
pgpwde --set-sound --disk 0 --no-beep
Accessibility Sounds set to [OFF]
This example shows audio
clues bein
g enabled.
Specifies that only the listed partition should be encrypted.
Example:
pgpwde --decrypt --disk 0 --passphrase
'Frodo*1*Baggins22' --partition 3
This example shows partition 3 on the boot disk being decrypted.
81
PGP WDE for Linux User's Guide Options
--passphrase (-p)
Specifies the passphrase of an authorized user on an encrypted disk.
Example:
pgpwde --add-user --disk 0 --username "Alice Cameron"
--passphrase 'Frodo@Baggins22' --admin-passphrase
'Sam&Gamgee44'
Add user completed
This example shows a new passphrase user being added to a boot disk
with a passp
is being used to sp
disk will use to access it.
hrase of Frodo@Baggins22. In this example, --passphrase
ecify the passphrase that the new user of the encrypted
--questions-file
Specifies the path to a text file with five questions, each on a new line of the
file.
Example:
pgpwde --recovery-configure --user "Alice Cameron"
This example shows local self recovery being configured for user Alice Cameron
with the five
--recovery-token
Specifies that a recovery token (WDRT) be created.
Example:
--passphrase 'bilbo#baggins+Frodo' --disk 0 --questions-file
"/home/user/docs/questi
ons.txt" --answers-file
"/home/user/docs/answers.txt"
questions and answers in the specified text files.
pgpwde --add-user --disk 0 --username "Alice Cameron"
--passphrase 'Frodo@Baggins22' --admin-passphrase
'Sam&Gamgee44'
--recovery-token 'Gandalf-Bilbo+Merry=OneRing'
This example shows a new passphrase user being added to a boot disk
wit
h an as
sociated recovery token.
82
PGP WDE for Linux User's Guide Options
--safe-mode
Specifies that Safe Mode should be used for the encryption process. Safe
Mode allows encryption to be resumed without loss of data if power is lost
during encryption; encryption takes longer.
Example:
pgpwde --encrypt --disk 0 --passphrase
'Frodo*1*Baggins22' --safe-mode
This example shows encryption of a boot disk being started using safe
mode.
--username
Identifies an authorized user of an encrypted disk by their username.
Example:
pgpwde --change-passphrase --disk 0 --username "Alice
Camer
on" --new-passphrase 'Sam&Gamgee44' --passphrase
'Frodo@Baggins22'
This ex
changing thei
ample shows an existing passphrase user on an encrypted disk
r passphrase. They are identified by their username.
83
A
Commands
Quick Reference
This section lists and briefly describes all PGP Whole Disk Encryption for Linux
commands and options.
In This Chapter
Commands .............................................................................................. 85
Options .................................................................................................... 87
General
--help (-h) Shows basic help information for PGP Whole Disk Encryption for Linux.
--version (-V) Shows PGP Whole Disk Encryption for Linux version information.
--license-authorize Licenses PGP Whole
--enroll Enrolls PGP Whole Disk Encryption for Linux with a PGP Universal Server.
--check-enroll Checks enrollment status of PGP Whol
Disk Information
--enum Lists system disks and volumes.
--info Lists general system disk information.
--show-config Displays PGP BootGuard confi
--status Displays PGP WDE-related status of disk.
User Management
--add-user Adds user to disk.
--change-passphrase Changes passphrase of speci
--change-userdomain Changes authentication domain of specified user.
--list-user Lists authorized users on
Disk Encryptio
fied user.
an encrypted di
n for Linux.
guration i
e Disk Encryp
nformation.
sk.
tion for Linux.
--remove-user Removes user from specified disk.
--verify-user Verifies passphrase of user.
85
PGP WDE for Linux User's Guide Quick Reference
Disk Management
--auth Authenticates to an encrypted disk.
--instrument Installs WDE configuration info
--uninstrument Removes WDE configu
ration from specified disk.
rmation on specified disk.
Disk Operation
--decrypt Decrypts the specified disk.
--encrypt Encrypts the specified disk.
--resume Resumes halted encryp
t or decrypt pr
ocess.
--secure Encrypts a disk to a specified user and passphrase.
--stop Halts encrypt or decrypt process.
Boot Bypass Commands
--add-bypass Sets disk for one-time authentication bypass.
--check-bypass Checks disk to see if au
thentication bypass is set.
--remove-bypass Removes authentication bypass from disk.
PGP BootGuard Customization Commands
--set-background Sets custom PGP BootGuard screen background.
--set-language Sets PGP BootGuard display and keyboard languages.
--set-sound Sets PGP BootGuard audio prompt.
--set-start Sets custom PGP Boo
--set-text Sets PGP BootGuard authentic
tGuard startup screen b
ation screen text message.
ackground.
Recovery Token
--new-wdrt Creates a new WDRT after use.
Local Self Recovery
--recovery-configure Sets up the local self recovery feature.
--recovery-questions Displays configured local self re
covery questions.
--recovery-verify Verifies configured local self recovery questions.
--recovery-remove Removes configured local self recovery questions and answers.
--recovery-change-passphrase Changes a user passphrase via local self recovery.
86
PGP WDE for Linux User's Guide Quick Reference
Options
The PGP Whole Disk Encryption for Linux options are:
--admin-authorization: Specifies that the command is authorized by
member of th
--admin-passphrase: Specifies the passphrase of an existing PGP WDE
user.
e WDE-ADMIN Active Directory group.
--all
: Specifies the use of partition mode encryption on all partitions.
--answers-file: Specifies the path to a text file with five answers.
--auto-start: Starts encryption immediately.
--beep: Enables beep when PGP BootGuard screen appears.
--count: Specifies the number of bypass re
star
ts being configured.
--dedicated-mode: Specifies that dedicated mode be used.
--disk (-d): Specifies the number of the target disk. Zero (0) is boot
disk.
--display: Specifies the PGP BootGuard display language.
--domain-name: Specifies the user authentication domain.
--fast-mode: Specifies that fast mode be used.
--image: Specifies an image file to be used.
--interactive: Specifies questions and answers be asked and
an
ed interactively, not from text files.
swer
--keyboard: Specifies the PGP BootGuard keyboard language.
--keyid: Specifies the key ID of a PGP key.
--license-email: Specifies an email address for the license holder.
--license-name: Specifies the person to whom PGP Whole Disk
Encrypti
on for Linu
x is licensed.
--license-number: Specifies a valid license number for PGP Whole
Disk Encrypti
on for Linux.
--license-organization: Specifies the organization of the license
holder.
--message:
Specifies custom message for PGP BootGuard screen.
--new-domain: Specifies a new domain for a user.
--new-passphrase: Specifies a new passphrase for an existing user.
--no-beep: Disables beep when PGP BootGuard screen appears.
87
PGP WDE for Linux User's Guide Quick Reference
--partition: Specifies a partition for an operation.
--passphrase (-p): Specifies a passphrase for an operation.
--proxy-passphrase: Specifies the passphrase of the specified user
on th
e prox
y server.
--proxy-server: Specifies a proxy server to go through to license PGP
Whole Disk Encryptio
n for Linux.
--proxy-username: Specifies a user on the proxy server.
--questions-file: Specifies the path to a text file with five questions.
--recovery-token: Specifies a whole disk recovery token.
--safe-mode: Specifies that safe mode be used.
--username (-u): Specifies a username for an operation.
88
B
Troubleshooting
This section describes how PGP Whole Disk Encryption for Linux can be used
to troubleshoot problems you might encounter when whole disk encrypting
drives.
In This Chapter
Overview ................................................................................................. 89
Encryption Does Not Begin ..................................................................... 89
Encryption Does Not Finish..................................................................... 91
Problems at PGP BootGuard ................................................................... 92
Overview
The troubleshooting tips in this appendix assume:
PGP Whole Disk Encrypti
The software
Before troubleshoot problems with PGP Whole Disk Encryption for Linux, PGP
Corporatio
issue you are experiencing:
The PGP Whole Disk Encryption for Linux Release Notes include the latest
The PGP Desktop User's Guide includes more information about how to
n recommends checking existing resources for information about the
information avail
system requirements and known incompatibilities.
prepare a dr
encryption.
is licensed to support PGP Whole Disk Encryption for Linux.
ive for encryption, how to encrypt it, and how to use it after
Encryption Does Not Begin
While the vast majority of drives can be encrypted without a problem, on some
occasions you may find a drive where the encryption process does not start.
on for Linux is correctly installed on the system.
able about PGP Whole Disk Encryption for Linux, including
89
PGP WDE for Linux User's Guide Troubleshooting
Perform the following steps:
1 Review the PGP Whole Disk Encryption for Linux Release Notes for issues
that could be blockin
g encryption.
Potential issues include unsupported operating systems and software
incompatibilities. If any issues are found, make the appropriate changes
and then attempt encryption again.
If encryption still will not begin, you can use PGP Whole Di
sk Encryption for
Linux to learn more information.
1 First, determine th
e boot drive on the system using the --enum command.
pgpwde --enum
The response will be something like:
Total number of installed fixed/removable storage
device (excluding floppy and CDROM): 1
Disk 0 has 1 online volumes:
volume C is on partition 2 with offset 80325
Enumerate disks completed
This example shows that the system has one disk, Disk 0, which is drive
letter C an
d is the boo
The boot dr
t disk. You now know:
ive can be whole disk encrypted, as it is Disk 0. Only boot
disks that are Disk 0 can be whole disk encrypted.
That Disk 0 is the boot di
sk (which you need to know for subsequent
commands).
2 Next, check the status of the boot drive using the --status c
pgpwde --status --disk 0
ommand.
Disk disk 0 is not instrumented by bootguard.
Disk status completed
This example shows the response for a disk that is not whole disk
, the disk is not instrumented by PGP BootGuard.
encrypted; th
at is
If a disk is encrypted or even partially encrypted, the response would be
something like:
pgpwde --status --disk 0
Disk disk 0 is instrumented by bootguard.
Current key is valid.
Whole disk encrypted
Total sectors: 192426569 highwater mark: 192426569
Disk status completed
90
PGP WDE for Linux User's Guide Troubleshooting
This response or something similar would mean that the encryption
process started but then stopped again. For information on dealing with a
drive where encryption does not finish, refer to Encryption Does Not Finish.
If the problem continues, you will need to get further assistance.
The PGP Support forums are user community forums hosted by PGP
Corpor
ation and monitored by PGP Corporation personnel. Check the PGP
Whole Disk Encryption forums for more information.
To access the PGP Support forums, please visit PGP Support
(http://forum.pgp.com).
The P
GP Support Knowledge Base and PGP Tech
able to assist you with your issue.
To access the PGP Support Knowledge Base or request PGP Technical
Support, please visi
(https://support.pgp.com). Note that you may access portions of the
PGP Suppor
t Knowledge Base without a suppo
however, you must have a valid support agreement to request PGP
Technical Support.
Encryption Does Not Finish
Once encryption has started, most drives finish encryption normally. On some
occasions, however, the encryption process may stop on its own. The cause is
generally a problem with the drive being encrypted.
nical Support may also be
t PGP Support Portal Web Site
rt agreement;
If the system being encrypted loses power during the process, encryption will
automaticall
Mode option (
If you were us
y stop. Depending on whether or not you were using the Safe
--safe-mode), you have two options:
ing Safe Mode, simply get the system back up and restart
encryption. It should resume near the point where power was lost.
If you were not using Sa
portion of th
e drive that was encrypted, and then restart encryption.
The best practice for a drive where encryption sto
fe Mode, get the system back up, decrypt the
pped automatically is to
decrypt the partially encrypted drive, check it for problems, then start encryption
again. Be sure to
before chec
fully decrypt any drive on which encryption was started
king it for problems.
Note: Refer to the PGP Desktop User's Guide for extensive information
about preparing a drive for encryption.
If encryption stops before finishing (without losing power), perform the
following steps:
1 Decrypt the portion of the drive that was encrypted.
2 When the dr
--status command.
the
ive is fully decrypted, check the status of the boot drive using
91
PGP WDE for Linux User's Guide Troubleshooting
pgpwde --status --disk 0
Disk disk 0 is not instrumented by bootguard.
Disk status completed
This example shows the response for a disk that has been fully decrypted.
If the response to the --status command shows the drive still partially
encrypted, make sure the dri
ve is fully decrypted.
3 Next, check the health of the drive; make the ch
anges necessary to ensure
the health of the drive.
4 Review the PGP Whole Disk Encryption for Linux Release Notes for issues
that could b
e affecting encryption. If any applicable issues are found, make
the appropriate changes.
5 When all change
6 Begin the encryp
If the problem continues, you will need to get further assistance:
s have been made, reboot the system.
tion process again.
The PGP Support forums are user community forums hosted by PGP
Corpor
ation and monitored by PGP Corporation personnel. Check the PGP
Whole Disk Encryption forums for more information.
To access the PGP Support forums, please visit PGP Support
(http://forum.pgp.com).
The P
GP Support Knowledge Base and PGP Tech
nical Support may also be
able to assist you with your issue.
To access the PGP Support Knowledge Base or request PGP Technical
Support, please visi
t PGP Support Portal Web Site
(https://support.pgp.com). Note that you may access portions of the
PGP Suppor
t Knowledge Base without a suppo
rt agreement;
however, you must have a valid support agreement to request PGP
Technical Support.
Problems at PGP BootGuard
On rare occasions, a drive may successfully encrypt but PGP BootGuard may
prevent access to the system.
Most cases involving problems at the PGP BootGuard screen involve entering
the passphrase corre
It's easy to spot a problem involving entering your passphrase: you enter what
you belie
ve is the correct passphrase and press Enter; PGP BootGuard displays
an error message in
ctly.
stead of giving you access to your system.
92
Loading...