PGP Guide for Campus Administrators

PGP Deployment Strategy

  1. Create a resource account on the UAB domain under your OU (AskIT can assist you with this). You typically want this to represent your department and PGP (e.g. SOPH-PGP or SOM-PGP).
  2. Log in to the laptop and add a PGP account.
    1. If the laptop is on the UAB domain, add the resource account to the administrators group and proceed through the installation documentation while using that account.
    2. If the laptop is on a different domain or no domain at all, you can create a new admin and install PGP with that account.
  3. When you are prompted to enroll with the PGP server, provide the resource or admin account credentials. This creates a recovery token that you can request to gain access to the machine (should you ever find yourself locked out of the system).
  4. When the installation is complete, you will need to add the user(s) to PGP with their normal login credentials. When they log in, they will enter their BlazerID credentials in the enrollment screen (this generates a recovery token in case they ever have password issues).
  5. Remove the resource account from the administrators group at the end of the process. Removing admin rights from the PGP resource account ensures that if the password for either your domain admin account or PGP resource account is ever compromised, the account only runs at a user level (additionally, compromised domain admin credentials don’t grant access to every encrypted laptop). To work on the system, you would have to input the PGP password, choose “Logout”, and then enter the admin account credentials.
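The temporary-admin part of the procedure (grant the resource account local admin rights for the install, revoke them afterwards, and confirm the revocation) can be scripted so the last step is not forgotten. The script below is an added example and not part of the UAB guide; it assumes an elevated PowerShell prompt on the laptop, uses the guide's naming example UAB\SOPH-PGP as a placeholder account, and relies only on the standard net localgroup command.

```powershell
# Added example, not from the UAB guide. Run from an elevated PowerShell prompt on the laptop.
# $ResourceAccount is a placeholder built from the guide's naming example (department-PGP).
param(
    [string]$ResourceAccount = 'UAB\SOPH-PGP'
)

function Test-LocalAdminMember {
    param([string]$Account)
    # "net localgroup Administrators" prints one member per line between a header and a
    # trailing status line; after trimming, -contains compares case-insensitively.
    $members = net localgroup Administrators | ForEach-Object { $_.Trim() }
    return [bool]($members -contains $Account)
}

function Grant-LocalAdmin {
    param([string]$Account)
    net localgroup Administrators $Account /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add $Account to Administrators" }
}

function Revoke-LocalAdmin {
    param([string]$Account)
    net localgroup Administrators $Account /delete | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not remove $Account from Administrators" }
}

# Step 2: temporary admin rights for the installation and enrollment.
if (-not (Test-LocalAdminMember $ResourceAccount)) {
    Grant-LocalAdmin $ResourceAccount
}
Write-Host "$ResourceAccount is now a local administrator. Log in as that account, install PGP"
Write-Host "and enroll with its credentials (steps 2-4), then press Enter here to continue."
Read-Host | Out-Null

# Step 5: revoke the rights and verify, so a compromised resource-account password only
# yields a standard user on this laptop.
Revoke-LocalAdmin $ResourceAccount
if (Test-LocalAdminMember $ResourceAccount) {
    throw "$ResourceAccount is still in Administrators; investigate before handing over the laptop."
}
Write-Host "$ResourceAccount now runs at user level on this machine."
```

The membership check after the /delete is the part worth keeping even if the rest is done by hand: net localgroup reports success on some failures only through its exit code, and the guide's security argument in step 5 only holds once the account is actually out of the group.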


How Different PGP Components Address Different Needs

PGP Whole Disk Encryption
Encrypts the whole hard drive or USB drive. Removable devices are not readable on a system unless PGP is installed. This option is most useful in cases where blanket encryption is needed.

PGP Virtual Disks
Creates a virtual drive (.pgd) that is only mountable on a system with PGP. A virtual disk can be added to a portable drive to provide secure storage for sensitive information without forcing the entire drive to be encrypted. This gives the user the flexibility to use the drive on systems without PGP, while the sensitive information stays protected because it cannot be accessed without PGP.

PGP Zip Archives
Creates a compressed and encrypted archive of files that in most cases can only be accessed on a system with PGP. If the user has PGP installed on a PC, then they are able to create “Self Decrypting Archives”. This particular archive type allows anyone with the passphrase to extract the secure contents of the file without having PGP installed. Self-decrypting archives are particularly useful when users need to move sensitive data and PGP may not be available at the destination.


PGP In-Depth

Installation
During setup, the system must have access to the Internet or the UAB campus network in order to authenticate on the key-server (the address is embedded in the installer and is later added to the Windows Registry or Mac User Preferences). When you reach the point in the installation where you enter a BlazerID or resource account as enrollment credentials, they are sent to the key-server, which checks them against LDAP. Once you have successfully authenticated, the server will send some configuration information to the client and also create an entry under your BlazerID that will include information about the computer you are encrypting.

Passwords
Unless the BlazerID credentials are used to login to the system, they are only used to create a Whole Disk Recovery Token (WDRT) with the server; the user name and password for the local user are separate and aren’t sent to the server. Instead, an encrypted hash of the local password is cached in the PGP client once it’s used to login to Windows. So if you change a password, the cached copy is updated only after the new password is used to log in, not when the password is changed. This means that if the user chooses to restart immediately after changing their password, the old password must be used on the PGP Bootguard screen and the single sign-on feature (Windows) won’t log them in because Windows is expecting the new password. To prevent this situation from occurring, the user should log out and then log in again after a password change. The cached password should update immediately and the new password will work with the PGP Bootguard screen.
If multiple users plan to use a Windows system with PGP, ensure that all of the users set unique passwords. If multiple users have the same password, then PGP will assume that the last user to login is the one authenticating.

Accounts

  • Windows
    On a PC installation of PGP, single sign-on is used and accounts are verified. When you add a passphrase user to PGP, it will require that a strong password is used and that it matches the account password on the machine. If the user doesn’t exist or it has a blank password, you will receive an error message and the user will not be added. The relationship between PGP and Windows accounts is limited to those that exist and adding or removing a user in one location does not change the state of the other location. So if you remove a Windows user account, the entry will still exist and work in PGP but single sign-on will not be possible.

  • Mac
    On a Mac installation of PGP, single sign-on is not used and the passphrase users in PGP are not tied to any operating system accounts. This is due to the fact that PGP writes to a preference file under the profile that installs PGP and does not add any important configuration info to the main preferences folder or user folders. Because the preferences are different for every user, when a user other than the one that installed PGP attempts to load the software, they are treated as if they are not licensed and there is no known key-server. This is now corrected by an application and documentation that is added to the installer file under “PGP-User Enrollment.app”.

So when you consider the behavior of PGP for Macs version 9.9, you could view each passphrase user as nothing more than a password that will get you past the PGP Bootguard screen.

Encryption

If the policy (configuration) of your PGP client requires that the primary hard drive is encrypted, the process will begin once you have added a passphrase user and completed the configuration steps. Regardless of whether you start the encryption automatically or manually, the software first creates a Whole Disk Recovery Token on the server under your BlazerID, and then it installs the PGP Bootguard.

  • Windows
    On a Windows system, installing the Bootguard means that the software creates a backup of the MBR and then installs a PGPMBR in its place. This is the point where dual-boot systems normally break (the other components of PGP don’t cause this).

  • Mac
    On an Intel Mac, the Extensible Firmware Interface (EFI) normally hands off to the GUID Partition Table (GPT). But when a Mac is encrypted with PGP, the EFI is backed up and replaced by one that loads the encryption software. This is also the point where Boot Camp is broken.

From this point on, the PGP Bootguard screen is installed and a valid passphrase must be provided before the drive can be accessed. If the drive is removed or booted in an alternate method, the data can’t be accessed or read unless it is on a machine with PGP and a valid passphrase is used to unlock the device.

Recovery Tokens
If you or a user is ever locked out of a machine for whatever reason, you can call AskIT and they can give you the recovery token for your username on that system. The recovery token is a string of 28 characters (dashes are optional) that will provide access beyond the PGP Bootguard screen but will not let you into the operating system. If you don’t have any passwords to the system that can grant you access as an administrator, then you should consider decrypting the drive with the proper PGP boot disk or from an encrypted workstation and then go through your normal recovery procedures. Once a recovery token is used, an entry is logged on the server and the system is flagged as needing a new WDRT. If you successfully login to the account that the WDRT was for, the client will then attempt to negotiate the creation of a new WDRT with the server (which requires a network connection to the server).


Troubleshooting Tips

Update the System Time

If the system time is out of date, PGP may not be installed correctly. If you have already installed PGP before updating the system time so that it is automatically synchronized, you may receive error messages such as "This configured PGP install requires an enterprise license," or notice that PGP is not functioning properly. In order to resolve this issue you will need to update the system time and completely reinstall PGP. Follow the steps below to update system time on a Windows machine:

  1. Open the "Date and Time Properties" by double-clicking on it in the task bar, or by clicking on "Start," selecting "Control Panel" and choosing "Date and Time" (it may be under "Date, Time, Language and Regional Options").
  2. Correct the date and time information, then click "OK" to save changes.

Correcting Networking Issues Caused by PGP

  1. Install PGP
  2. Go to C:\Windows\system32\PGPIspRollback.reg
  3. Right-click the file and choose Merge
  4. Restart the PC

Completely Resetting PGP (Windows)

CAUTION: DO NOT RESTART THE PC BETWEEN ANY STEPS

  1. Be sure that the computer is online and can connect to the Internet.
  2. Exit any running instance of PGP or PGP Services.
  3. Open regedit and go to HKLM\SOFTWARE\PGP Corporation\PGP. Change PGPSTAMP to be ovid=keys.it.uab.edu&admin=1
  4. Delete the following folders:
    C:\Documents and Settings\All Users\Application Data\PGP Corporation
    C:\Documents and Settings\%userprofile%\Application Data\PGP Corporation
    C:\Documents and Settings\%userprofile%\Local Settings\Application Data\PGP Corporation
    C:\Documents and Settings\%userprofile%\My Documents\PGP
  5. Restart PGP by clicking on Start->PGP->PGP Desktop. Be sure you enter your BlazerID credentials on the enrollment screen and select "New User".
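The five reset steps above can be run as one script so that nothing is skipped and no reboot sneaks in between them. This is an added example, not from the UAB guide: the PGPSTAMP value and key-server host name are the ones the guide gives; the PGP process names (PGPtray, PGPdesk), the "PGP*" service display-name match and the PGP Desktop install path are assumptions. The guide lists the Windows XP profile paths literally; the script resolves the same special folders through the environment so it also lands on the ProgramData/AppData equivalents on later Windows versions.

```powershell
# Added example, not from the UAB guide: "Completely Resetting PGP (Windows)", steps 1-5.
# Run from an elevated PowerShell prompt and do NOT reboot between steps.
$ErrorActionPreference = 'Stop'

# Step 1: the client must be able to reach the key server to re-enroll afterwards.
$keyServer = 'keys.it.uab.edu'
if (-not (Test-Connection -ComputerName $keyServer -Count 1 -Quiet)) {
    throw "$keyServer is not reachable; fix networking before resetting PGP."
}

# Step 2: exit the PGP tray/desktop applications and stop any PGP service
# (process and service names are assumptions, not taken from the guide).
Get-Process -Name 'PGPtray', 'PGPdesk' -ErrorAction SilentlyContinue | Stop-Process -Force
Get-Service | Where-Object { $_.DisplayName -like 'PGP*' -and $_.Status -eq 'Running' } |
    Stop-Service -Force

# Step 3: point the client back at the UAB key server in admin mode.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\PGP Corporation\PGP' -Name 'PGPSTAMP' `
    -Value 'ovid=keys.it.uab.edu&admin=1'

# Step 4: delete cached PGP data for all users and for the current user. On XP the
# lookups resolve to C:\Documents and Settings\...; on Vista and later to ProgramData/AppData.
$allUsersData = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }
$pgpDirs = @(
    (Join-Path $allUsersData 'PGP Corporation'),
    (Join-Path ([Environment]::GetFolderPath('ApplicationData'))      'PGP Corporation'),
    (Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) 'PGP Corporation'),
    (Join-Path ([Environment]::GetFolderPath('MyDocuments'))          'PGP')
)
foreach ($dir in $pgpDirs) {
    if (Test-Path -LiteralPath $dir) {
        Remove-Item -LiteralPath $dir -Recurse -Force
        Write-Host "removed $dir"
    }
}

# Step 5: relaunch PGP Desktop (install path assumed); at the enrollment screen enter
# BlazerID credentials and choose "New User".
Start-Process -FilePath (Join-Path $env:ProgramFiles 'PGP Corporation\PGP Desktop\PGPdesk.exe')
```

Run it as the user whose PGP profile is being reset, from an elevated prompt, since step 4 needs that user's AppData folders and step 3 needs write access to HKLM. The reachability check in step 1 exists because step 5 re-enrolls against the key server; if the client cannot reach keys.it.uab.edu the reset leaves the machine with no PGP configuration at all.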

Hard Drive Recovery
If you have the drive slaved to a working machine with the same version of PGP Desktop, try the following:

  1. Open a CMD prompt.
  2. Go to: c:\Program Files\PGP Corporation\PGP Desktop\
  3. Run pgpwde --enum (this lists all the drives available on your machine; find the drive number for the encrypted drive. The first will be disk 0 (your boot drive), then disk 1, then disk 2 and so on).
  4. Once you have your disk number, try: pgpwde --disk # --recover (so if it is disk 1 it would be: pgpwde --disk 1 --recover). pgpwde will search the disk for a backup sector and, if it finds one, restore it.
  5. If it restores the sector, then run: pgpwde --disk # --decrypt --passphrase “enter within double-quotes”
  6. To determine whether the drive is still instrumented (MBR swapped), run: pgpwde --status --disk #
  7. If the disk is instrumented, run: pgpwde --uninstrument --disk #
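The recovery sequence depends on each step succeeding before the next is attempted (a decrypt on a disk whose boot sector was not restored achieves nothing). The wrapper below is an added example and not part of the UAB guide or the PGP tooling: it runs the same pgpwde commands in order, stops at the first non-zero exit code, refuses to touch disk 0, and keeps the passphrase out of the console echo. It assumes pgpwde.exe is at the path the guide gives and that it returns a non-zero exit code on failure.

```powershell
# Added example, not from the UAB guide: steps 3-7 of "Hard Drive Recovery" as a fail-fast script.
# Run from an elevated prompt on the working machine (same PGP Desktop version as the slaved drive).
param(
    [Parameter(Mandatory = $true)][int]$Disk   # disk number chosen from the --enum listing
)
$pgpwde = Join-Path $env:ProgramFiles 'PGP Corporation\PGP Desktop\pgpwde.exe'
if (-not (Test-Path -LiteralPath $pgpwde)) { throw "pgpwde.exe not found at $pgpwde" }
if ($Disk -eq 0) { throw 'Disk 0 is the boot drive of the working machine; pick the slaved disk from --enum.' }

function Invoke-Pgpwde {
    param([string[]]$Arguments)
    # Echo only the operation (never the passphrase argument), run it, fail fast on error.
    Write-Host ">> pgpwde $($Arguments[0]) ..."
    & $pgpwde @Arguments
    if ($LASTEXITCODE -ne 0) { throw "pgpwde $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

# Step 3: list disks so the operator can confirm $Disk is the encrypted one.
Invoke-Pgpwde @('--enum')
if ((Read-Host "Proceed with disk $Disk? (y/n)") -ne 'y') { return }

# Step 4: restore the backup boot sector if pgpwde finds one.
Invoke-Pgpwde @('--recover', '--disk', "$Disk")

# Step 5: decrypt in place. The passphrase is read without echo; pgpwde still receives it on
# its command line (the guide shows no other way), so close this session when the job is done.
$secure = Read-Host -AsSecureString 'Passphrase for the encrypted disk'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $passphrase = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
Invoke-Pgpwde @('--decrypt', '--disk', "$Disk", '--passphrase', $passphrase)
$passphrase = $null

# Steps 6-7: if the MBR is still swapped, put the original back.
Invoke-Pgpwde @('--status', '--disk', "$Disk")
if ((Read-Host 'Does --status report the disk as instrumented? (y/n)') -eq 'y') {
    Invoke-Pgpwde @('--uninstrument', '--disk', "$Disk")
}
```

The two y/n prompts are deliberate: --enum and --status print information that only the operator can interpret, and the guide's own steps branch on that information ("if it restores the sector", "if the disk is instrumented").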

Verbose Logging on PGP

  1. Open the registry with regedit
  2. Browse to HKEY_CURRENT_USER->SOFTWARE->PGP CORPORATION->UNIVERSAL
  3. Create a new "KEY" in here called "Debug"
  4. Inside HKEY_CURRENT_USER->SOFTWARE->PGP CORPORATION->UNIVERSAL->Debug, create a DWORD value called "LoggingLevel"
  5. Give the "LoggingLevel" entry a HEX value of "3FFFF"
  6. Right click your pgptray icon and choose Exit PGP Services.
  7. Click Start->Programs->StartUp->pgptray.exe
  8. Open PGP Desktop and select Tools>View Log. Set “View Level” to Verbose.
  9. If the application is crashing prior to launch, click Start->Run and type "%appdata%"
  10. Once you have your Application Data folder up, open "PGP Corporation", then open "PGP".
  11. You should see "PGPlog.txt" with debug logging data in it.
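Steps 1-5 and 9-11 above map directly onto the registry and file-system providers in PowerShell, which makes the toggle repeatable and, more importantly, reversible. The script below is an added example, not part of the UAB guide: the registry path, the LoggingLevel DWORD with hex value 3FFFF and the PGPlog.txt location are the ones the guide gives (registry paths are case-insensitive, so "PGP Corporation\Universal" is the same key as the guide's upper-case spelling); the PGPtray.exe install path is an assumption.

```powershell
# Added example, not from the UAB guide: enable PGP debug logging (or remove it with -Disable),
# restart the tray so the level takes effect, and show the tail of PGPlog.txt.
param([switch]$Disable)

$debugKey = 'HKCU:\SOFTWARE\PGP Corporation\Universal\Debug'
$trayExe  = Join-Path $env:ProgramFiles 'PGP Corporation\PGP Desktop\PGPtray.exe'   # assumed path

function Get-PgpLoggingLevel {
    # Returns the LoggingLevel DWORD as an integer, or $null when debug logging is not configured.
    if (-not (Test-Path -LiteralPath $debugKey)) { return $null }
    return (Get-ItemProperty -LiteralPath $debugKey -ErrorAction SilentlyContinue).LoggingLevel
}

if ($Disable) {
    # Verbose logs grow quickly and record client activity in detail: remove the key when done.
    if (Test-Path -LiteralPath $debugKey) { Remove-Item -LiteralPath $debugKey -Recurse -Force }
} else {
    # Steps 2-5: create ...\Universal\Debug and the LoggingLevel DWORD with hex value 3FFFF.
    if (-not (Test-Path -LiteralPath $debugKey)) { New-Item -Path $debugKey -Force | Out-Null }
    New-ItemProperty -LiteralPath $debugKey -Name 'LoggingLevel' -PropertyType DWord `
        -Value 0x3FFFF -Force | Out-Null
    if ((Get-PgpLoggingLevel) -ne 0x3FFFF) { throw 'LoggingLevel was not written' }
}

# Steps 6-7: exit the tray and start it again so the new level is picked up.
Get-Process -Name 'PGPtray' -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 2
Start-Process -FilePath $trayExe

# Steps 9-11: the debug log is %appdata%\PGP Corporation\PGP\PGPlog.txt.
$log = Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'PGP Corporation\PGP\PGPlog.txt'
if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log | Select-Object -Last 20 }
```

Running it once with -Disable after the troubleshooting session is the part the manual steps do not mention; leaving LoggingLevel at 3FFFF keeps PGPlog.txt growing in the user's profile indefinitely.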


PGPWDE Command Line

Many helpful commands can be issued to PGP from a command line which provides many opportunities for scripting and remote modification.

Windows
The PGP WDE command line utility is installed at C:\Program Files\PGP Corporation\PGP Desktop\pgpwde.exe on Windows machines and "pgpwde --help" will produce a basic listing of commands. For a more complete listing of commands and explanation, see the PGP Windows Command Line Guide at: https://supportimg.pgp.com/guides/PGPwdeWinCmdline_991_usersguide_en.pdf

Mac
The PGP WDE command line utility on a Mac can be accessed by opening a terminal window and typing "pgpwde". Issuing "pgpwde --help" will produce a basic listing of commands. For a more complete listing of commands and explanation, see the Mac Command Line Guide at: https://supportimg.pgp.com/guides/PGPwdeMacCmdline_991_usersguide_en.pdf

Last modified on September 28, 2012