PGP Whole Disk Encryption for Linux - 10.2 User's Guide

PGP™ Whole Disk Encryption for
Linux

User's Guide

10.2

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Version 10.2.0. Last updated: July 2011.

Legal Notice

Copyright (c) 2011 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its
affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering.
No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if
any.

THE DOCUMENTATION IS PROVIDED"AS IS"AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT
TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR
INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.
THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights
as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer
Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction
release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with
the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

Symantec Home Page (

Printed in the United States of America.

10 9 8 7 6 5 4 3 2 1

http://www.symantec.com)

Contents

Introduction 1

About PGP Whole Disk Encryption for Linux 1
Important Terms 1
Audience 3
System Requirements 3
Using PGP Whole Disk Encryption for Linux in a PGP Universal Server-Managed Environment 4
Technical Support 4

Contacting Technical Support 4
Licensing and registration 5
Customer service 5
Support agreement resources 6

Installing and Uninstalling

Installing 7
Upgrading 8
Uninstalling 8

7

Licensing 11

Overview 11

--license-authorize 11
Licensing via a Proxy Server 12

Enrolling 15

Overview 15

--enroll 16

--check-enroll 16

Authenticating Users with PGP BootGuard 19

Overview 19
Authenticating 20
Authenticating if you Have Forgotten Your Passphrase 20

Authenticating with a WDRT 21
Authenticating with Local Self Recovery 21

Choosing a Keyboard 22

The Command-Line Interface

Overview 23
Scripting 24
WDE-ADMIN Active Directory Group 24
Passphrases 24

--interactive 25

23

ii Contents

Before You Encrypt 27

Ensure Disk Health 27
Choose Encryption Options 28
Maintain Power Throughout Encryption 28
Finalize Disk Partitions 28

Encrypting a Drive

Using --secure 29
Using Individual Commands 29

29

Generic Commands 31

--help (-h) 31

--version 32

Disk Information Commands 33

--enum 33

--info 34

--show-config 34

--status 35

Boot Bypass Commands 37

--add-bypass 37

--check-bypass 38

--remove-bypass 39

Disk Operation

41

--decrypt 41

--encrypt 42

--resume 43

--secure 43

--stop 44

Disk Management

--auth 45

--instrument 46

--uninstrument 46

User Management Commands

--add-user 49

--change-passphrase 50

--change-userdomain 51

45

49

Contents iii

--list-users 52

--offload (deprecated command) 53

--remove-user 53

--verify-user 54

--username (-u, --user) 55

PGP BootGuard Customization Commands 57

--set-background 57

--set-language 58

--set-sound 59

--set-start 60

--set-text 60

Recovery Token Commands 63

--new-wdrt 63

Local Self Recovery Commands 65

--recovery-configure 65

--recovery-questions 67

--recovery-verify 68

--recovery-remove 68

--recovery-change-passphrase 69

Options 71

Overview 72
"Secure" Options 73

--admin-authorization 73

--admin-passphrase 73

--all 73

--answers-file 74

--auto-start 74

--beep 74

--count 75

--dedicated-mode 75

--disk (-d) 75

--display 75

--domain-name (--domain) 76

--fast-mode 76

--image 76

--interactive 76

--keyboard 77

--keyid 77

--license-email 77

--license-name 77

--license-number 78

--license-organization 78

--message 78

--new-domain 79

iv Contents

--new-passphrase 79

--no-beep 79

--partition 79

--passphrase (-p) 80

--questions-file 80

--recovery-token (--wdrt, --rt) 80

--safe-mode 80

--username (-u, --user) 81

Quick Reference

83

Commands 83
Options 84

Troubleshooting 87

Overview 87
Encryption Does Not Begin 87
Encryption Does Not Finish 89
Problems at PGP BootGuard 90

1

Introduction

This guide tells you how to use PGP Whole Disk Encryption for Linux.

In This Chapter

About PGP Whole Disk Encryption for Linux .............................................................1

Important Terms .............................................................................................................1

Audience ...........................................................................................................................3

System Requirements.....................................................................................................3

Using PGP Whole Disk Encryption for Linux in a PGP Universal Server-Managed

Environment ....................................................................................................................

Technical Support ...........................................................................................................4

4

About PGP Whole Disk Encryption for Linux

Thank you for using PGP Whole Disk Encryption for Linux, a software product from
Symantec Corporation that locks down the entire contents of your Linux system using
PGP Whole Disk Encryption (WDE) technology.

For more information about PGP WDE, see the:

 PGP Desktop User's Guide
 PGP WDE Quick Start Guide
 PGP WDE Data Sheet (available via the PGP WDE page on the PGP Corporation

website)

PGP Whole Disk Encryption for Linux gives you access to PGP WDE functionality using
a command-line interface.

The encryption algorithm used by PGP Whole Disk Encryption for Linux is AES-256.
The hashing algorithm is SHA-1. You cannot change these.

Warning: Once you unlock a disk, its files are available to you—as well as anyone else

who can physically use your system. Your files are unlocked until you lock them
again by shutting down your system.

Important Terms

Understanding the following terms will help make it easier to use PGP Whole Disk
Encryption for Linux:

2 Introduction

Important Terms

 PGP Whole Disk Encryption (PGP WDE): a technology that encrypts the entire

contents of a disk; boot disks, partitions, and non-boot disks such as USB thumb
drives can all be whole disk encrypted.

 PGP Whole Disk Encryption for Linux: a software product from Symantec

Corporation that brings PGP WDE technology to the Linux platform, allowing you
to lock down the entire contents of your Linux system.

 command line: the interface to PGP Whole Disk Encryption for Linux

functionality. All PGP Whole Disk Encryption for Linux commands and options are
accessed via the command-line interface.

 passphrase user: a user who can authenticate to an encrypted disk using a

passphrase.

 public-key user: a user who can authenticate to an encrypted disk using the

passphrase to the corresponding private key.

 encrypt: the process of "scrambling" data so that it is not usable unless you

properly authenticate.

 decrypt: the process of "unscrambling" encrypted data.
 master boot record (MBR): software on a disk that is "in front" of the partition

table; that is, it is implemented during the startup process before the operating
system itself. The instructions in the MBR tells the system how to boot.

 instrument: a part of the process of whole disk encrypting a disk/partition where

the Linux MBR is replaced with the PGPMBR.

 PGPMBR: an MBR from Symantec Corporation that implements the PGP

BootGuard. Once a disk is instrumented, even if it is not fully encrypted,
subsequent startups will bring up PGP BootGuard.

 PGP BootGuard: the screen that appears after instrumenting a disk that requires

proper authentication for the boot process to continue. If proper authentication is
not provided, the boot process will not continue; the operating system will not load
and the system will not be usable.

 uninstrument: removing the PGPMBR and replacing it with the original Linux

MBR (which was saved when the disk was instrumented).

 whole disk recovery token (WDRT): an additional passphrase for a whole disk

encrypted disk that is passed to the appropriate PGP Universal Server if the disk is
part of a PGP Universal-managed environment. For PGP Whole Disk Encryption in
an un-managed environment, PGP Whole Disk Encryption displays a WDRT when
the first disk is encrypted.

 PGP Universal Server: a management console for securing data from Symantec

Corporation.

 managed user: someone using PGP Whole Disk Encryption for Linux in a PGP

Universal Server-managed environment. Managed users receive policies and
settings from their PGP Universal Server.

 enroll: the process of a user in a PGP Universal Server-managed environment

contacting their PGP Universal Server so that they can receive applicable policies
and settings.

 standalone user: someone using PGP Whole Disk Encryption for Linux with no

associated PGP Universal Server. Standalone users establish their own policies
and settings.

 recovery: the process of restoring access to a disk/partition that has been whole

disk encrypted but now cannot be decrypted.

Introduction

Audience 3

Audience

This User's Guide is for anyone who is going to be using PGP Whole Disk Encryption for
Linux to perform PGP WDE functions on their Linux system.

System Requirements

PGP Whole Disk Encryption for Linux runs on these platforms:

 Ubuntu 8.04 and 10.04 (32-bit and 64-bit versions)
 Red Hat Enterprise Linux/CentOS 5.4, 5.5, and 6.0 (32-bit and 64-bit versions)

Note: PGP Whole Disk Encryption for Linux runs on the above platforms when all of

the latest hot fixes and security patches have been applied.

Note: CentOS is free, open source software based on Red Hat Enterprise Linux. For

the purposes of supporting PGP Whole Disk Encryption for Linux, the two are
functionally equivalent.

Note: PGP Whole Disk Encryption for Linux no longer runs on these platforms: Red

Hat Enterprise Linux/CentOS 5.2, Red Hat Enterprise Linux/CentOS 5.3, Ubuntu

9.04.

The system requirements for PGP Whole Disk Encryption for Linux are:

 Generic Linux kernel. Kernels modified for PAE, Xen, or RT are not supported.
 512 MB of RAM
 64 MB hard disk space
 Internet access during installation, except on systems that have the required

packages pre-installed or have access to a local repository of packages. For Red
Hat Enterprise Linux/CentOS, the required packages are dkms, gcc, make, and
patch. For Ubuntu, they are dkms, gcc, make, and libc6-dev. Both platforms also
require the development package for the currently running kernel.

PGP Whole Disk Encryption for Linux is compatible with the default Logical Volume
Manager (LVM) installation. That is, for systems using LVM, the /boot directory must
reside on a normal (non-LVM) partition. This constraint can be satisfied by one of two
ways: (a) The root (/) is a normal (non-LVM) partition; or (b) /boot itself is a mount point
for a normal partition.

4 Introduction

Using PGP Whole Disk Encryption for Linux in a PGP Universal Server-Managed Environment

Using PGP Whole Disk Encryption for Linux in a PGP
Universal Server-Managed Environment

If you are using PGP Whole Disk Encryption for Linux in a PGP Universal Server­managed environment, your PGP Universal administrator may have enabled or disabled
certain features. For example, you may be required to encrypt your drive immediately
after enrolling with your PGP Universal Server.

If you have any questions about features that may be have been automatically enabled
or disabled, contact your PGP Universal administrator.

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s
primary role is to respond to specific queries about product features and functionality.
The Technical Support group also creates content for our online Knowledge Base. The
Technical Support group works collaboratively with the other functional areas within
Symantec to answer your questions in a timely fashion. For example, the Technical
Support group works with Product Engineering and Symantec Security Response to
provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

 A range of support options that give you the flexibility to select the right amount

of service for any size organization

 Telephone and/or Web-based support that provides rapid response and up-to-the-

minute information

 Upgrade assurance that delivers software upgrades
 Global support purchased on a regional business hours or 24 hours a day, 7 days a

week basis

 Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our Web site at the
following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and
the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support
information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be at the
computer on which the problem occurred, in case it is necessary to replicate the
problem.

When you contact Technical Support, please have the following information available:

 Product release level
 Hardware information
 Available memory, disk space, and NIC information
 Operating system
 Version and patch level
 Network topology
 Router, gateway, and IP address information
 Problem description:

 Error messages and log files
 Troubleshooting that was performed before contacting Symantec
 Recent software configuration changes and network changes

Introduction

Technical Support 5

Licensing and registration

If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the
following types of issues:

 Questions regarding product licensing or serialization
 Product registration updates, such as address or name changes
 General product information (features, language availability, local dealers)
 Latest information about product updates and upgrades
 Information about upgrade assurance and support contracts
 Information about the Symantec Buying Programs
 Advice about Symantec's technical support options
 Nontechnical presales questions
 Issues that are related to CD-ROMs or manuals

6 Introduction

Technical Support

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please
contact the support agreement administration team for your region as follows:

Asia-Pacific and Japan customercare_apac@symantec.com

Europe, Middle-East, Africa

North America, Latin America

semea@symantec.com

supportsolutions@symantec.com

2

Installing

Installing and Uninstalling

This section describes how to install and uninstall PGP Whole Disk Encryption for
Linux.

In This Chapter

Installing........................................................................................................................... 7

Upgrading.........................................................................................................................8

Uninstalling ..................................................................................................................... 8

Warning: When upgrading an existing installation of PGP Whole Disk Encryption
that runs on Ubuntu 8.04, decrypt the system's disks before starting the upgrade.
When installation is complete, re-encrypt the disks. This warning applies only to
systems with partially or fully encrypted system disks. Failure to follow these
instructions will result in the loss of encrypted data.

Your PGP Universal Server administrator supplies a PGP Whole Disk Encryption for
Linux installer that is suitable for your operating system. This installer is a bsx (Bash
Self-eXtracting) file. The file name has the format
pgp_desktop_version_platformAndVersion_hardware.bsx, where:

 version is the PGP Universal Server version, for example 10.2.0.
 platformAndVersion is the operating system and operating system version, for

example linux_ub or linux_el6.

 hardware is x86_64 or i386.

For example pgp_desktop_10.2.0_linux_ub10.04_i386.bsx is for 32-bit Ubuntu

10.04.

You must have root privileges to install.

Note: The installer file may have a slightly different filename than shown in the

procedure below depending on the platform you are installing onto.

To install PGP Whole Disk Encryption for Linux

1 Download the installer file to a known location on your system.
2 Open a terminal window, and change the current directory to the directory with

the installer file.

3 Extract and install PGP Whole Disk Encryption for Linux as follows:

8 Installing and Uninstalling

Upgrading

 For Ubuntu, type the following command. When prompted, supply the root

password.

sudo bash pgp_desktop_10.2.0_linux_ub10.04_i386.bsx

 For Red Hat Enterprise Linux, type the following commands. When

prompted, supply the root password.

su - root

bash pgp_desktop_10.2.0_linux_ub10.04_i386.bsx

4 Read and accept the license agreement.
5 Reboot your system when the installation is complete.

Note: If the installer shows the message "Checking if dkms is installed ...no", then
download and install DKMS from http://linux.dell.com/dkms/

http://linux.dell.com/dkms/) and then continue from Step 2 in the previous

(
instructions.

Note: If the installer shows the message "Checking if kernel headers are found ...no",
then re-install the kernel headers package and then continue from Step 2 in the
previous instructions.

Note: Installing PGP Whole Disk Encryption for Linux on a virtual image of Red Hat
Enterprise Linux 6 involves additional considerations. If you use VMWare
WorkStation to create the image, then configure the image with the "I will install
later" option. This setting ensures that the installer can allocate a sufficiently large
boot sector. If you instead use the default installation (Easy Install), the virtual image
allocates only 50MBytes of space for the boot partition. That allocation is inadequate
for successful installation.

Upgrading

Uninstalling

If you already have PGP Whole Disk Encryption for Linux installed on your computer,
then you can upgrade your installation of the product with a later version of PGP Whole
Disk Encryption for Linux. The installer installs PGP Whole Disk Encryption on top of
your existing installation. For instructions on installing, see Installing.

Warning: When upgrading an existing installation of PGP Whole Disk Encryption
that runs on Ubuntu 8.04, decrypt the system's disks before starting the upgrade.
When installation is complete, re-encrypt the disks. This warning applies only to
systems with partially or fully encrypted system disks. Failure to follow these
instructions will result in the loss of encrypted data.

To uninstall PGP Whole Disk Encryption for Linux, use a package manager of your
choosing to uninstall the following packages:

 pgp-libs

Installing and Uninstalling

Uninstalling 9

 pgpwde
 pgp-release
 pgpwde-kmod-source

You must have root privileges to uninstall.

Warning: You must decrypt any whole disk encrypted drives before uninstalling PGP

Whole Disk Encryption for Linux or removing any packages.

3

Licensing

This section describes how to license PGP Whole Disk Encryption for Linux.

You must license PGP Whole Disk Encryption for Linux if you are using it standalone;
that is, you are not in a PGP Universal Server-managed environment.

You do not need to enroll PGP Whole Disk Encryption for Linux if you are using it
standalone; that is only required for PGP Universal Server-managed environments.

Note: As PGP Whole Disk Encryption for Linux will not operate normally until

licensed, you should license it immediately after installation.

In This Chapter

Overview ......................................................................................................................... 11

--license-authorize ........................................................................................................11

Licensing via a Proxy Server .......................................................................................12

Overview

PGP Whole Disk Encryption for Linux requires a valid license to operate. This section
describes how to license your copy of PGP Whole Disk Encryption for Linux.

PGP Whole Disk Encryption for Linux supports the following licensing scenarios:

 Using a License Number. This is the normal method to license PGP Whole Disk

Encryption for Linux. You must have your license information and a working
connection to the Internet.

 Through a Proxy Server. If you connect to the Internet through a proxy server, use

this method to license PGP Whole Disk Encryption for Linux. You must have your
license information and the appropriate proxy server information.

The licensing command is --license-authorize.

After PGP Whole Disk Encryption for Linux is correctly installed and licensed on your
system, you can encrypt your drive. See Encrypting a Drive (page

--license-authorize

Use --license-authorize to license PGP Whole Disk EncryptionLinux.

The usage format is:

29).

12 Licensing

Licensing via a Proxy Server

pgpwde --license-authorize --license-name <name> --license­number <number> [--license-email <emailaddress>] [--license­organization <org>]

Where:

 --license-authorize is the command to license PGP Whole Disk Encryption

for Linux.

 --license-name is the option to specify the user.

<name> is your name or a descriptive name.

 --license-number is the option to enter a license number.

<number> is a valid license number for PGP Whole Disk Encryption for Linux.

 --license-email is the option to enter an email address.

<emailaddress> is a valid email address.

 --license-organization is the option to enter an organization.

<org> is the name of your organization.

If you decide not to enter a license email, you may see a warning message but your
license will authorize.

Example:

pgpwde --license-authorize --license-name "Alice Cameron"

--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"

--license-email "

acameron@example.com"

--license-organization "Example Corporation"

(When entering this text, it all goes on a single line.)

Licensing via a Proxy Server

If the Internet access of the system hosting PGP Whole Disk Encryption for Linux is via
an HTTP proxy connection, you can still license your copy of PGP Whole Disk
Encryption for Linux directly; you simply need to add the necessary proxy information.

Use --license-authorize to license PGP Whole Disk Encryption for Linux via a
proxy server.

The usage format is:

pgpwde --license-authorize --license-name <name> --license­number <number> [--license-email <emailaddress>] [--license­organization <org>] [--proxy-server <proxyserver>] [--proxy­username <proxyusername>] [--proxy-passphrase <proxypass>]

Where:

 --license-authorize is the command to license PGP Whole Disk Encryption

for Linux.

 --license-name is the option to specify the user.

<name> is your name or a descriptive name.

 --license-number is the option to enter a license number.

Licensing via a Proxy Server

Licensing

13

<number> is a valid license number for PGP Whole Disk Encryption for Linux.

 --license-email is the option to enter an email address.

<emailaddress> is a valid email address.

 --license-organization is the option to enter an organization.

<org> is the name of your organization.

 --proxy-server is the command to go through a proxy server to access the

Internet.

<proxyserver> is the appropriate proxy server.

 --proxy-username is the command to specify a user on the proxy server when

authentication is required.

<proxyusername> is a valid username on the specified proxy server.

 --proxy-passphrase is the option to specify the passphrase of the specified

user when authentication is required.

<proxypass> is the passphrase for the specified user on the proxy server.

Example:

pgpwde --license-authorize --license-name "Alice Cameron"

--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"

--license-email "

acameron@example.com"

--license-organization "Example Corporation"

--proxy-server "proxyserver.example.com"

--proxy-username "acameron"

--proxy-passphrase 'a_cameron1492sailedblue'

(When entering this text, it all goes on a single line.)

4

Enrolling

This section describes how to enroll PGP Whole Disk Encryption for Linux.

You must enroll PGP Whole Disk Encryption for Linux if you are using it in a PGP
Universal Server-managed environment.

You do not need to license PGP Whole Disk Encryption for Linux in a PGP Universal
Server-managed environment, as the license is included in the installer.

Note: As PGP Whole Disk Encryption for Linux will not operate normally until you
enroll, you should enroll immediately after installation.

In This Chapter

Overview ......................................................................................................................... 15

--enroll ............................................................................................................................16

--check-enroll.................................................................................................................16

Overview

Enroll with a PGP Universal Server before using any PGP Whole Disk Encryption for
Linux features in a PGP Universal Server-managed environment.

When enrollment is complete, PGP Whole Disk Encryption for Linux will receive
policies and settings from its PGP Universal Server. It will also send information to the
PGP Universal Server that can be seen by the PGP Universal administrator.

Note: You must initiate enrollment on your own. You will not be prompted to do so.

Note: With the exception of licensing and enrollment commands, un-enrolled users

cannot use any PGP Whole Disk Encryption commands. Such un-enrolled users
cannot even use informational commands such as pgpwde --version and pgpwde

--help.

Enrollment uses LDAP credentials. The username and passphrase required for both
enrolling and checking enrollment status are the username and passphrase of the user
on the LDAP server.

If enrollment is unsuccessful, contact your PGP Universal administrator for assistance.

You can check the enrollment status of a client using the --check-enroll command.
When successful, this command will note that the client is enrolled and will download
the latest policies and settings. If unsuccessful, this means that the client must enroll
again because of a change of policies or settings on the PGP Universal Server.

Once PGP Whole Disk Encryption for Linux is correctly installed on your system and
you have enrolled, you can encrypt your drive. See Encrypting a Drive (page

29).

16 Enrolling

--enroll

--enroll

Use --enroll to enroll PGP Whole Disk Encryption for Linux.

Entering a username and passphrase on the command line are optional. If you do not
enter them, you will be prompted for them.

Note: --enroll is preceded by pgpenroll instead of the usual pgpwde.

The usage format is:

pgpenroll --enroll [--username <user>] [--passphrase <phrase>]

Where:

 --enroll is the command to enroll with a PGP Universal Server.
 --username specifies a username for an operation (optional).

<user> is the username (on the LDAP server) of the user being enrolled.

--check-enroll

 --passphrase specifies the passphrase for an operation (optional).

<phrase> is the passphrase (on the LDAP server) of the user being enrolled.

Examples:

 pgpenroll --enroll --username "Alice Cameron"

--passphrase 'Frodo@Baggins22'

This example shows user Alice Cameron enrolling PGP Whole Disk Encryption for
Linux. The username and passphrase she is using are her credentials on her
organization's LDAP server.

 pgpenroll --enroll

This example shows a user enrolling PGP Whole Disk Encryption for Linux.
Because the username and passphrase are not supplied on the command line, the
enrolling user will be prompted for them.

Use --check-enroll to check the enrollment status of a client.

Note: --check-enroll is preceded by pgpenroll instead of the usual pgpwde.

If the enrollment check fails, contact your PGP Universal administrator for
instructions.

The usage format is:

pgpenroll --check-enroll [--username <user>] [--passphrase
<phrase>]

Where:

 --enroll is the command to check the enrollment status of a client.

Enrolling

--check-enroll

17

 --username specifies a username (on the LDAP server) for an operation.

<user> is the username of the user whose enrollment status is being checked.

 --passphrase specifies the passphrase for an operation.

<phrase> is the passphrase (on the LDAP server) of the user whose enrollment

status is being checked.

Example:

pgpenroll --check-enroll --username "Alice Cameron"

--passphrase 'Frodo@Baggins22'

This example shows the enrollment status of Alice Cameron being checked.

5

Authenticating Users with PGP BootGuard

This section describes actions you can take at the PGP BootGuard screen.

In This Chapter

Overview ......................................................................................................................... 19

Authenticating...............................................................................................................20

Authenticating if you Have Forgotten Your Passphrase ........................................20

Choosing a Keyboard ....................................................................................................22

Overview

Your computer boots up in a different way once you use PGP Whole Disk Encryption for
Linux to protect the boot disk—or a secondary fixed disk—on your system. On power-up,
the first thing you see is the PGP BootGuard log-in screen asking for your username,
passphrase, and domain. The screen also provides other ways to authenticate yourself,
without requiring a passphrase. When you properly authenticate, PGP Whole Disk
Encryption for Linux decrypts the disk.

When you use a PGP WDE-encrypted disk, it is decrypted and opened automatically as
needed. With most modern computers, after the disk is completely encrypted, there is
no noticeable slowdown of your activities.

After you unlock a disk or partition, its files are available to you—as well as anyone else
who can physically use your system. Your files are unlocked until you lock them again
by shutting down your computer.

When you shut down a system with an encrypted boot disk or partition or if you remove
an encrypted removable disk from the system, all files on the disk or partition remain
encrypted and fully protected—data is never written to the disk or partition in an
unencrypted form. Proper authentication (passphrase, token, private key, or WDRT) is
required to make the files accessible again.

On the PGP BootGuard log-in screen you can:

 Authenticate an encrypted boot or secondary disk or partition on the system.
 View information about the disks or partitions on your system.
 Authenticate if you have forgotten your passphrase.
 Choose your keyboard layout.

20 Authenticating Users with PGP BootGuard

Authenticating

Authenticating

The PGP BootGuard log-in screen prompts you for the proper passphrase for a
protected disk or partition for one of two reasons:

 If your boot disk or partition is protected using PGP Whole Disk Encryption for

Linux, you must authenticate correctly for your system to start up. This is
required because the operating system files that control system startup are
encrypted, and must be decrypted before they can be used to start up the system.

 If a secondary fixed disk or partition is protected using PGP Whole Disk

Encryption for Linux, you can authenticate at startup so that you don’t have to
authenticate later when you need to use files on the secondary disk or partition.
Because the files on the secondary (non-boot) disk or partition are not required for
startup, you are not required to authenticate at startup.

Note: The PGP BootGuard log-in screen accepts the authentication information from

any user configured for an encrypted disk or partition. For example, if you have two
users configured for a boot disk or partition and two different users configured for a
secondary fixed disk or partition on the same system, any of the four configured
users can use their passphrase to authenticate on the PGP BootGuard log-in screen
at startup, even the two users configured on the secondary disk or partition.

To authenticate at the PGP BootGuard log-in screen

1 Start or restart the system that has a disk or partition protected by PGP Whole

Disk Encryption for Linux. On startup, the PGP BootGuard log-in screen is
displayed.

2 Type a valid username and passphrase. For users who have a domain, also type the

domain. Press Enter.

Caution: The PGP BootGuard log-in screen assumes you are using one of the

supported keyboard layouts when you type your passphrase. If you used a
different keyboard layout to create the passphrase for a disk or partition
protected by PGP Whole Disk Encryption for Linux, you could have problems
authenticating because the mappings between the keyboard layouts may be
different.

To see the characters you type, press Tab before you begin typing.

3 If you entered a valid username and passphrase, the PGP BootGuard log-in screen

goes away and the system boots normally.

If you typed an invalid passphrase, an error message is displayed. Try typing the
passphrase again.

Authenticating if you Have Forgotten Your Passphrase

If you have forgotten your passphrase and cannot authenticate to the PGP BootGuard
screen, PGP Whole Disk Encryption offers other ways to authenticate yourself.

Authenticating with a WDRT

You can authenticate yourself by providing a WDRT, also called a recovery token. See
Recovery Token Commands (page 63).

To authenticate at the PGP BootGuard screen using a WDRT

1 Start or restart the system that has a disk or partition protected by PGP Whole

Disk Encryption for Linux. On startup, the PGP BootGuard log-in screen is
displayed.

2 On the PGP BootGuard screen, use the arrow keys to select Forgot Passphrase in

the lower right corner, then press Enter.

3 Select Use WDRT to Log into the System.

If you subsequently remember your original passphrase, you can continue using it.
Using the WDRT does not remove your passphrase.

Authenticating if you Have Forgotten Your Passphrase

Authenticating Users with PGP BootGuard

21

Authenticating with Local Self Recovery

With local self recovery, you can authenticate yourself by correctly answering
preconfigured questions.

Note: Local self recovery must be configured in advance. See Local Self Recovery

Commands (page 65).

To authenticate at the PGP BootGuard screen using local self recovery

1 Start or restart the system that has a disk or partition protected by PGP Whole

Disk Encryption for Linux. On startup, the PGP BootGuard log-in screen is
displayed.

2 On the PGP BootGuard screen, use the arrow keys to select Forgot Passphrase in

the lower right corner, then press Enter.

3 Select Answer My Questions to Log into the System.
4 Enter the answer to the first question, then press Enter. The second question

appears.

5 Enter the answer to the second question, then press Enter. The third question

appears.

6 Enter the answer to the third question, then press Enter. The fourth questions

appears.

7 Enter the answer to the fourth question, then press Enter. The fifth and last

question appears.

8 Enter the answer to the fifth question, then press Enter.

If you entered three or more of the questions correctly, the PGP BootGuard screen
goes away and the system boots normally.

If you did not enter three or more questions correctly, you are given another
chance.

22 Authenticating Users with PGP BootGuard

Choosing a Keyboard

If you subsequently remember your original passphrase, you can continue using it.
Using local self recovery does not remove your passphrase.

If you do not believe you will ever remember your original passphrase, you can change
your passphrase after authenticating to PGP BootGuard using the --recovery-
change-passphrase command. This means that you do not have to continue using
the local self recovery questions to authenticate to PGP BootGuard. Using this
command does remove your original passphrase, so it will not work if you remember it
later.

Choosing a Keyboard

The PGP BootGuard screen lets you change your keyboard layout.

Note: Different keyboard layouts can have different mappings between characters,

potentially causing problems when you enter your passphrase to authenticate. Select
the keyboard layout that most closely maps to the keyboard you are using, then make
sure to use that same layout each time you authenticate.

To select a keyboard layout at the PGP BootGuard screen

1 On the PGP BootGuard screen, use the arrow keys to select Keyboard in the lower

right corner, then press Enter. A list of supported keyboard layouts is displayed.

2 Use the arrow keys to select the desired keyboard layout, then press Enter. The

text under the list of supported keyboard layouts changes to reflect the new
keyboard layout.

3 Press Tab to move focus to the Go Back command, then press Enter.