The guidance is for members of the UAB campus community who wish to use cloud applications and services available on the Web, including file storage, Web conferencing and content hosting.
While recognizing that cloud services can fill a need in certain areas, UAB IT reminds all UAB employees to use appropriate due diligence when entering into agreements, especially with cloud providers. UAB employees should not store sensitive/restricted information in a cloud service without University-approved agreements in place.
UAB employees cannot subscribe to cloud services to store sensitive or classified data (see UAB Data Protection and Security Policy for what UAB defines as sensitive data) without an appropriate agreement directly with UAB — and employees cannot be reimbursed for such cloud subscriptions without an affirming statement that the data stored is not sensitive.
Over the coming months, additional information will be released, including guidelines for specific cloud services.
More information about the cloud guidance can be found here.
UAB Hospital employees should refer to guidance from HSIS with regard to using cloud services.
Monthly Training Newsletters
UAB IT is now providing information security training materials to inform university faculty, staff and students about computer threats. Each month a newsletter will be released focusing on new and different cyber security threats. Contact the UAB IT Information Security office for more specific training options that can increase the protection of your information systems.
August 2013 - Protecting Your Passwords
September 2013 - Encryption - Protecting Sensitive Information
October 2013 - see links below for National Cyber Security Month publications
November 2013 - Data Protection
December 2013 - Permanently Erasing Data
January 2014 - Wifi Security
Link to Week 1 Article
Link to Week 2 Article
Link to Week 3 Article
Link to Week 4 Article
If you experience any issues with PGP, please report them to the help desk, AskIT, by email at AskIT@uab.edu or by phone at 205-996-5555. Please be sure to provide the following information:
- Error messages
- Computer make and model
- Internet connection type
- PGP installer version
- Estimated time of occurrence (if possible)
Common Solutions to Installation Issues
- Verify that you are an administrator of the system on which you are attempting to install PGP.
- Open your web browser and ensure that you have Internet connectivity by opening a website.
- Be sure that you have a current installation package for PGP Desktop. Visit www.uab.edu/it/software for the latest installation files.
- Ensure that you are using your BlazerID and strong password for the PGP Enrollment credentials.
Common Solutions to Password Related Issues
- Verify that Caps Lock is not on while authenticating.
- If you recently changed your account password, you may have to provide the old password until you log in to the system with your new password.
- If the previously mentioned steps do not resolve your issue, you should call the AskIT Help Desk to request a PGP recovery token for the system or portable device. A recovery token is a one-time password that will allow you to bypass PGP, but it will not bypass the operating system password; you are still required to log in.
Common Solutions to Boot/Startup Related Issues
- Ensure that a keyboard is connected to the system. Systems such as tablets without physical keyboards will not be able to authenticate on the PGP boot screen.
- Remove any CDs, DVDs or USB drives from the system. Many of these devices have features that allow them to start before the system hard drive.
- Does the system have multiple operating systems or Dell Media Direct? If so, then you will need to contact your support personnel to assist you with the recovery of your hard drive. Please note that PGP should never be installed on systems with multiple operating systems, as it will render the system inoperable.
- See the PGP Recovery documentation for further support.
Drive Wiping Procedures
When erasing sensitive data, you should always make sure that the data cannot be recovered. To securely wipe a disk drive, you can use an application called Darik's Boot and Nuke (DBAN). This software should be used any time a computer is decommissioned or repurposed.
Follow the steps below:
- Download DBAN at: http://dban.sourceforge.net/
- Use DBAN to create a bootable DBAN CD, and then boot your computer using this CD.
- At the "boot:" prompt, press Enter to start DBAN in interactive mode.
- Press "M" (Method). On the "Wipe Method" screen, use the arrow keys to navigate to DoD 5220.22-M, and press the Spacebar to save your selection and return to the Disks and Partitions menu.
- If only one disk is present in your computer, select the topmost option that appears in the Disks and Partitions menu and then press the Spacebar. The selection box will display "[wipe]" to indicate what will be securely erased.
- If you see "[****]" it means that the section of the disk you selected will also be wiped.
- If you see "[----]" it means that you have already selected a section of the disk for wiping. You should uncheck your selection and instead wipe the entire disk.
- Press the F10 key to begin the secure erase process. As soon as you press F10, data erasure will begin.
The "Statistics" box in the top right-hand corner of the screen will display an estimate of the time remaining on the disk wiping process.
Please Note: There is a known incompatibility with Sophos and FileVault on Mac OS X 10.5.x. If you are using FileVault please do not install Sophos Antivirus at this time.
Prior to enabling FileVault the following considerations should be observed:
Although FileVault has a very low failure rate, it is recommended that users create a backup of documents and files prior to enabling FileVault. This backup will provide a means of recovery in the event that anything should happen.
- Time Machine:
Under normal operation, Time Machine backs up the information in the user's Home folder while the user is logged in. Once FileVault is enabled, however, Time Machine backs up the Home folder only after the user logs out, and recovery of individual files becomes difficult. For this reason Time Machine's value as a backup is reduced, and it is not recommended for use with FileVault. If an alternate backup solution is required, iBackup is a freeware solution that allows on-demand and scheduled backup and recovery of individual files while you are logged in: http://www.apple.com/downloads/macosx/system_disk_utilities/ibackup.html
- Free Space:
When FileVault is enabled, the user's Home folder is copied (not moved) to a protected space, and the original is not deleted until the end of the process. This means that prior to enabling FileVault, the free space on the hard drive should be equal to or greater than the size of the Home folder. The same free space requirement applies in the event that FileVault is disabled. If you do not have this amount of free space available, it may be necessary to offload some of the files in your home directory to an external device before beginning the process and then migrate the files back into the protected Home folder once the process is complete.
- Open your System Preferences panel and click Security (circled in red below).
- On the General tab, select the items below to ensure maximum security.
- On the Firewall tab, select "Allow only essential services" to prevent unauthorized users from accessing your computer remotely.
- On the FileVault tab, click the button labeled "Set Master Password".
- On this screen you will set a Master Password that can unlock FileVault protected accounts. This is a feature that is designed to provide recovery for accounts. Set this password as something you won't forget, but ensure that it is different from your user account password. Do not lose or forget this password; this password cannot be recovered or reset once it is set.
- You will now be prompted for the password affiliated with your current user account.
- After your password is accepted you will be prompted to confirm that you want to turn on FileVault. On this screen, be sure to check the option to "Use secure erase". Once you click "Turn On FileVault" the computer will not be accessible for 1-2 hours depending on hardware.
UAB IT has a procedure for secure media destruction of discs, CDs, DVDs, tapes and hard drives.
Departmental IT personnel should call AskIT or submit a ticket to AskIT requesting an appointment for secure media destruction, then fill out a UAB Secure Media Destruction Custody Form with the ticket number. AskIT staff will make an appointment for you to bring the media and the form to the AskIT help desk in Cudworth Hall (CEC 225).
- The individual transferring the media to UAB IT's AskIT help desk is required to verify that all media listed on the forms are present.
- All media must be listed on forms and numbered.
- Media not numbered or listed on forms will not be accepted.
- All fields on forms must be completed.
- Each form must accompany the related media.
Once in the possession of AskIT, the media is stored securely until it is picked up by UAB IT staff for transport to the destruction site. The media is delivered to the Waste Holding Facility to be destroyed using the metal shredder or incinerator as appropriate. UAB IT personnel are required to witness the destruction of media and record this on the form you submit. The form will be attached to the work order created with AskIT.
Jump to a Section:
- PGP Deployment Strategy
- How Different PGP Components Address Different Needs
- PGP In-Depth
- Troubleshooting Tips
- PGPWDE Command Line
PGP Deployment Strategy
- Create a resource account on the UAB domain under your OU (AskIT can assist you with this). You typically want this to represent your department and PGP (e.g. SOPH-PGP or SOM-PGP).
- Log in to the laptop and add a PGP account.
- If the laptop is on the UAB domain, add the resource account to the administrators group and proceed through the installation documentation while using that account.
- If the laptop is on a different domain or no domain at all, you can create a new admin and install PGP with that account.
- When you are prompted to enroll with the PGP server, provide the resource or admin account credentials. This creates a recovery token that you can request to gain access to the machine (should you ever find yourself locked out of the system).
- When the installation is complete, you will need to add the user(s) to PGP with their normal login credentials. When they log in, they will enter their BlazerID credentials in the enrollment screen (this generates a recovery token in case they ever have password issues).
- Remove the resource account from the administrators group at the end of the process. Removing admin rights from the PGP resource account ensures that if the password for either your domain admin account or the PGP resource account is ever compromised, the account only runs at a user level (additionally, compromised domain admin credentials don't grant access to every encrypted laptop). To work on the system, you would have to input the PGP password, choose "Logout", and then enter the admin account credentials.
How Different PGP Components Address Different Needs
PGP Whole Disk Encryption
Encrypts the whole hard drive or USB drive. Removable devices are not readable on a system unless PGP is installed. This option is most useful in cases where blanket encryption is needed.
PGP Virtual Disks
Creates a virtual drive (.pgd) that is only mountable on a system with PGP. A virtual disk can be added to a portable drive to provide secure storage for sensitive information without forcing the entire drive to be encrypted. This lets the user use the drive on systems without PGP, leaving flexibility intact while still protecting the sensitive information, because it cannot be accessed without PGP.
PGP Zip Archives
Creates a compressed and encrypted archive of files that in most cases can only be accessed on a system with PGP. If the user has PGP installed on a PC, then they are able to create “Self Decrypting Archives”. This particular archive type allows anyone with the passphrase to extract the secure contents of the file without having PGP installed. Self-decrypting archives are particularly useful when users need to move sensitive data and PGP may not be available at the destination.
During setup, the system must have access to the Internet or the UAB campus network in order to authenticate on the key-server (the address is embedded in the installer and is later added to the Windows Registry or Mac User Preferences). When you come to the point in the installation where you enter a BlazerID or resource account as enrollment credentials, they are sent to the key-server, which checks them against LDAP. Once you have successfully authenticated, the server will send some configuration information to the client and also create an entry under your BlazerID that will include information about the computer you are encrypting.
Unless the BlazerID credentials are used to login to the system, they are only used to create a Whole Disk Recovery Token (WDRT) with the server; the user name and password for the local user are separate and aren’t sent to the server. Instead, an encrypted hash of the local password is cached in the PGP client once it’s used to login to Windows. So if you change a password, it will be updated only after it is used; not when the password is changed. This means that if the user chooses to restart immediately after changing their password, the old password must be used on the PGP Bootguard screen and the single sign-on feature (Windows) won’t log them in because Windows is expecting the new password. To prevent this situation from occurring, the user should probably choose to logout then login after a password change. The cached password should update immediately and the new password will work with the PGP Bootguard screen.
If multiple users plan to use a Windows system with PGP, ensure that all of the users set unique passwords. If multiple users have the same password, then PGP will assume that the last user to login is the one authenticating.
On a PC installation of PGP, single sign-on is used and accounts are verified. When you add a passphrase user to PGP, it will require that a strong password is used and that it matches the account password on the machine. If the user doesn’t exist or it has a blank password, you will receive an error message and the user will not be added. The relationship between PGP and Windows accounts is limited to those that exist and adding or removing a user in one location does not change the state of the other location. So if you remove a Windows user account, the entry will still exist and work in PGP but single sign-on will not be possible.
On a Mac installation of PGP, single sign-on is not used and the passphrase users in PGP are not tied to any operating system accounts. This is due to the fact that PGP writes to a preference file under the profile that installs PGP and does not add any important configuration info to the main preferences folder or user folders. Because the preferences are different for every user, when a user other than the one that installed PGP attempts to load the software, they are treated as if they are not licensed and there is no known key-server. This is now corrected by an application and documentation that is added to the installer file under "PGP-User Enrollment.app".
So when you consider the behavior of PGP for Macs version 9.9, you could view each passphrase user as nothing more than a password that will get you past the PGP Bootguard screen.
If the policy (configuration) of your PGP client requires that the primary hard drive is encrypted, the process will begin once you have added a passphrase user and complete the configuration steps. Regardless of whether you start the encryption automatically or manually, the software first creates a Whole Disk Recovery Token on the server under your BlazerID, and then it installs the PGP Bootguard.
On a Windows system installing the Bootguard means that the software creates a backup of the MBR and then installs a PGPMBR in its place. This is the point where dual-boot systems normally break (the other components of PGP don’t cause this).
On an Intel-Mac, the Extensible Firmware Interface (EFI) normally hands off to the GUID Partition Table (GPT). But when a Mac is encrypted with PGP, the EFI is backed up and replaced by one that loads the encryption software. This is also the point where Bootcamp is broken.
From this point on, the PGP Bootguard screen is installed and a valid passphrase must be provided before the drive can be accessed. If the drive is removed or booted in an alternate method, the data can’t be accessed or read unless it is on a machine with PGP and a valid passphrase is used to unlock the device.
If you or a user is ever locked out of a machine for whatever reason, you can call AskIT and they can give you the recovery token for your username on that system. The recovery token is a string of 28 characters (dashes are optional) that will provide access beyond the PGP Bootguard screen but will not let you into the operating system. If you don't have any passwords to the system that can grant you access as an administrator, then you should consider decrypting the drive with the proper PGP boot disk or from an encrypted workstation and then go through your normal recovery procedures. Once a recovery token is used, an entry is logged on the server and the system is flagged as needing a new WDRT. If you successfully log in to the account that the WDRT was for, the client will then attempt to negotiate the creation of a new WDRT with the server (which requires a network connection to the server).
Update the System Time
If the system time is out of date, PGP may not be installed correctly. If you have already installed PGP before updating the system time so that it is automatically synchronized, you may receive error messages such as "This configured PGP install requires an enterprise license," or notice that PGP is not functioning properly. In order to resolve this issue you will need to update the system time and completely reinstall PGP. Follow the steps below to update system time on a Windows machine:
- Open the "Date and Time Properties" by double-clicking the clock in the task bar, or by clicking "Start," selecting "Control Panel" and choosing "Date and Time" (it may be under "Date, Time, Language and Regional Options").
- Correct the date and time information, then click "OK" to save changes.
Correcting Networking Issues Caused by PGP
- Install PGP
- Go to C:\Windows\system32\PGPIspRollback.reg
- Right-click the file and choose Merge
- Restart the PC
Completely Resetting PGP (Windows)
CAUTION: DO NOT RESTART THE PC BETWEEN ANY STEPS
- Be sure that the computer is online and can connect to the Internet.
- Exit any running instance of PGP or PGP Services.
- Open regedit and go to HKLM\SOFTWARE\PGP Corporation\PGP. Change PGPSTAMP to be ovid=keys.it.uab.edu&admin=1
- Delete the following folders:
C:\Documents and Settings\All Users\Application Data\PGP Corporation
C:\Documents and Settings\%userprofile%\Application Data\PGP Corporation
C:\Documents and Settings\%userprofile%\Local Settings\Application Data\PGP Corporation
C:\Documents and Settings\%userprofile%\My Documents\PGP
- Restart PGP by clicking on Start->PGP->PGP Desktop. Be sure you enter your BlazerID credentials on the enrollment screen and select "New User".
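The reset steps above, scripted for an elevated PowerShell prompt so that nothing is rebooted between them. This is an added example, not from the UAB page or from PGP Corporation; it assumes the PGP services are named PGP*, that PGP Desktop's executable is PGPdesk.exe in the default install folder, and the XP-era folder layout the page lists.

```powershell
# Added example (not UAB's or PGP Corporation's code): "Completely Resetting PGP"
# as one script. Run elevated; HKLM and the All Users folder need admin rights.
$ErrorActionPreference = 'Stop'

# 1. Confirm the key server (host taken from the PGPSTAMP value on the page) is
#    reachable, since re-enrollment will fail offline. Skip if ICMP is filtered.
if (-not (Test-Connection -ComputerName 'keys.it.uab.edu' -Count 1 -Quiet)) {
    throw 'keys.it.uab.edu is not reachable; enrollment would fail'
}

# 2. Exit the tray application and any running PGP services (service name pattern assumed)
Get-Process -Name pgptray -ErrorAction SilentlyContinue | Stop-Process -Force
Get-Service -Name 'PGP*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' } | Stop-Service -Force

# 3. Point the client at the UAB key server as an admin-enrolled install
$pgpKey = 'HKLM:\SOFTWARE\PGP Corporation\PGP'
Set-ItemProperty -Path $pgpKey -Name PGPSTAMP -Value 'ovid=keys.it.uab.edu&admin=1'
Write-Host ('PGPSTAMP = ' + (Get-ItemProperty -Path $pgpKey -Name PGPSTAMP).PGPSTAMP)

# 4. Delete the cached configuration folders; the relative paths are the page's,
#    resolved against the real profile roots instead of a literal %userprofile%
$folders = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\PGP Corporation'),
    (Join-Path $env:USERPROFILE 'Application Data\PGP Corporation'),
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data\PGP Corporation'),
    (Join-Path $env:USERPROFILE 'My Documents\PGP')
)
foreach ($folder in $folders) {
    if (Test-Path $folder) {
        Remove-Item -Path $folder -Recurse -Force
        Write-Host "removed $folder"
    }
}

# 5. Relaunch PGP Desktop (executable name assumed); enroll with BlazerID
#    credentials and choose "New User" on the enrollment screen
Start-Process -FilePath 'C:\Program Files\PGP Corporation\PGP Desktop\PGPdesk.exe'
```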
Hard Drive Recovery
If you have the drive slaved to a working machine with the same version of PGP Desktop try the following:
- Open a CMD prompt.
- Go to: c:\Program Files\PGP Corporation\PGP Desktop\
- Run pgpwde --enum. This lists all the drives available on your machine; find the drive number for the encrypted drive. The first is disk 0 (your boot drive), then disk 1, disk 2 and so on.
- Once you have your disk number, run: pgpwde --disk # --recover (so for disk 1 it would be: pgpwde --disk 1 --recover). pgpwde will search the disk for a backup sector and, if it finds one, restore it.
- If it restores the sector, run: pgpwde --disk # --decrypt --passphrase "enter within double-quotes"
- To determine whether the drive is still instrumented (MBR swapped), run: pgpwde --status --disk #
- If the disk is instrumented, run: pgpwde --uninstrument --disk #
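The recovery sequence above as one PowerShell script that stops at the first failing step and keeps the passphrase out of the shell history. This is an added example, not from the UAB page or PGP Corporation; it assumes pgpwde.exe returns a non-zero exit code on failure and is installed in the default folder, and it uses only the pgpwde options the page itself lists.

```powershell
# Added example (not UAB's or PGP Corporation's code): drives the slaved-disk
# recovery steps with pgpwde. Exit-code-on-failure behaviour is assumed.
param(
    [Parameter(Mandatory = $true)][int]$DiskNumber,   # number reported by "pgpwde --enum"
    [string]$PgpDir = 'C:\Program Files\PGP Corporation\PGP Desktop'
)

$pgpwde = Join-Path $PgpDir 'pgpwde.exe'
if (-not (Test-Path $pgpwde)) { throw "pgpwde.exe not found in $PgpDir" }

function Invoke-Pgpwde {
    # Runs one pgpwde command, echoes it with any passphrase masked, and throws on failure
    param([string[]]$Arguments)
    $shown = @()
    for ($i = 0; $i -lt $Arguments.Count; $i++) {
        $shown += if ($i -gt 0 -and $Arguments[$i - 1] -eq '--passphrase') { '********' } else { $Arguments[$i] }
    }
    Write-Host "> pgpwde $($shown -join ' ')"
    & $pgpwde @Arguments
    if ($LASTEXITCODE -ne 0) { throw "pgpwde $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

# 1. List the disks so the operator confirms the number before anything is written
Invoke-Pgpwde -Arguments '--enum'
if ((Read-Host "Continue with disk $DiskNumber? (y/N)") -ne 'y') { return }

# 2. Search the disk for a backup sector and restore it
Invoke-Pgpwde -Arguments '--disk', "$DiskNumber", '--recover'

# 3. Decrypt; the passphrase is prompted for as a SecureString and wiped afterwards
$secure = Read-Host 'PGP passphrase' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Invoke-Pgpwde -Arguments '--disk', "$DiskNumber", '--decrypt', '--passphrase', $plain
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}

# 4. Show whether the MBR is still swapped. The page gives no parseable output
#    format for --status, so the operator reads it and decides on uninstrumenting.
Invoke-Pgpwde -Arguments '--status', '--disk', "$DiskNumber"
if ((Read-Host 'Status shows the disk is still instrumented? Uninstrument now (y/N)') -eq 'y') {
    Invoke-Pgpwde -Arguments '--uninstrument', '--disk', "$DiskNumber"
}
```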
Verbose Logging on PGP
- Open the registry with regedit
- Browse to HKEY_CURRENT_USER->SOFTWARE->PGP CORPORATION->UNIVERSAL
- Create a new "KEY" in here called "Debug"
- Inside HKEY_CURRENT_USER->SOFTWARE->PGP CORPORATION->UNIVERSAL->Debug, create a DWORD value called "LoggingLevel"
- Give the "LoggingLevel" entry a HEX value of "3FFFF"
- Right click your pgptray icon and choose Exit PGP Services.
- Click Start->Programs->StartUp->pgptray.exe
- Open PGP Desktop and select Tools>View Log. Set “View Level” to Verbose.
- If the application is crashing prior to launch, click Start->Run and type "%appdata%"
- Once you have your Application Data folder up, open "PGP Corporation", then open "PGP".
- You should see "PGPlog.txt" with debug logging data in it.
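The verbose-logging steps above as a PowerShell script that sets the registry value, restarts the tray and then tails the log file. This is an added example, not from the UAB page or PGP Corporation; it assumes pgptray.exe is in the default PGP Desktop folder and that the registry key path and 0x3FFFF value are exactly as the page states.

```powershell
# Added example (not UAB's or PGP Corporation's code): enable PGP verbose logging
# and follow PGPlog.txt, the file to read when the GUI crashes before launch.
$ErrorActionPreference = 'Stop'
$debugKey = 'HKCU:\SOFTWARE\PGP Corporation\Universal\Debug'

# 1. Create the Debug key and the LoggingLevel DWORD with the value the page gives (hex 3FFFF)
if (-not (Test-Path $debugKey)) { New-Item -Path $debugKey -Force | Out-Null }
New-ItemProperty -Path $debugKey -Name LoggingLevel -PropertyType DWord -Value 0x3FFFF -Force | Out-Null
$level = (Get-ItemProperty -Path $debugKey -Name LoggingLevel).LoggingLevel
Write-Host ('LoggingLevel = 0x{0:X}' -f $level)   # expect 0x3FFFF

# 2. Exit PGP Services and start the tray again so the new level takes effect
Get-Process -Name pgptray -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Process -FilePath 'C:\Program Files\PGP Corporation\PGP Desktop\pgptray.exe'

# 3. Wait for the debug log under %APPDATA% and follow it (Get-Content -Tail needs PowerShell 3.0+)
$log = Join-Path $env:APPDATA 'PGP Corporation\PGP\PGPlog.txt'
Write-Host "Waiting for $log ..."
while (-not (Test-Path $log)) { Start-Sleep -Seconds 2 }
Get-Content -Path $log -Tail 20 -Wait
```

Remove the LoggingLevel value again once the issue is captured; verbose logging writes continuously and the log can include details you would not normally keep on disk.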
PGPWDE Command Line
Many helpful commands can be issued to PGP from a command line which provides many opportunities for scripting and remote modification.
The PGP WDE command line utility is installed at C:\Program Files\PGP Corporation\PGP Desktop\pgpwde.exe on Windows machines and "pgpwde --help" will produce a basic listing of commands. For a more complete listing of commands and explanation see the PGP Windows Command Line Guide at: https://supportimg.pgp.com/guides/PGPwdeWinCmdline_991_usersguide_en.pdf
The PGP WDE command line utility on a Mac can be accessed by opening a terminal window and typing "pgpwde