Jump to a Section:
- PGP Deployment Strategy
- How Different PGP Components Address Different Needs
- PGP In-Depth
- Troubleshooting Tips
- PGPWDE Command Line
PGP Deployment Strategy
- Create a resource account on the UAB domain under your OU (AskIT can assist you with this). You typically want this to represent your department and PGP (e.g. SOPH-PGP or SOM-PGP).
- Log in to the laptop and add the PGP resource account to it:
- If the laptop is on the UAB domain, add the resource account to the administrators group and proceed through the installation documentation while using that account.
- If the laptop is on a different domain or no domain at all, you can create a new admin and install PGP with that account.
- When you are prompted to enroll with the PGP server, enter the resource or admin account credentials. Enrollment creates a Whole Disk Recovery Token (WDRT) for that account, which you can request from AskIT to get back into the machine should you ever be locked out of the system.
- When the installation is complete, add each user to PGP with their normal login credentials. When a user logs in, they enter their BlazerID credentials on the enrollment screen, which generates a recovery token for that user in case they ever have password problems.
- Remove the resource account from the Administrators group at the end of the process. With admin rights removed, a compromised password for either your domain admin account or the PGP resource account only yields user-level access on the laptop, and compromised domain admin credentials do not by themselves open every encrypted laptop. To work on the system afterwards, enter the PGP passphrase at the Bootguard screen, choose "Logout", and then log in with the admin account credentials.
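The last step above is the one that is most often forgotten, so it is worth scripting. The following PowerShell is an added example written for this page, not part of the UAB documentation or the PGP product: it grants or revokes local Administrators membership for the resource account and, in every mode, reports whether the account still holds admin rights. The account name UAB\SOPH-PGP is a placeholder from the naming suggestion above; net.exe is used instead of newer cmdlets so it runs on XP/Vista/7. Run it elevated.

```powershell
# Added example, not from the original page. Usage (elevated):
#   .\pgp-admin.ps1 -Action grant    # before running the PGP installer
#   .\pgp-admin.ps1 -Action revoke   # after enrollment is finished
#   .\pgp-admin.ps1                  # audit only: is the account still admin?
param(
    [string]$ResourceAccount = 'UAB\SOPH-PGP',            # placeholder; use your OU's resource account
    [ValidateSet('grant', 'revoke', 'check')][string]$Action = 'check'
)

function Test-LocalAdmin {
    # net localgroup prints a header, then one member per line, then a footer;
    # a case-insensitive match on a trimmed line is enough to find the account.
    param([string]$Account)
    $members = net localgroup Administrators
    return [bool]($members | Where-Object { $_.Trim() -ieq $Account })
}

switch ($Action) {
    'grant'  { net localgroup Administrators $ResourceAccount /add    | Out-Null }
    'revoke' { net localgroup Administrators $ResourceAccount /delete | Out-Null }
}

if (Test-LocalAdmin -Account $ResourceAccount) {
    Write-Host "$ResourceAccount IS a local administrator (acceptable only while installing PGP)"
    if ($Action -ne 'grant') { exit 1 }   # non-zero so a deployment script notices a failed revoke
} else {
    Write-Host "$ResourceAccount is NOT a local administrator (least privilege restored)"
}
```

Run the audit mode across your fleet after a deployment round: any laptop where the resource account is still an administrator is one where a leaked resource-account password would give full control, not just a login.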
How Different PGP Components Address Different Needs
PGP Whole Disk Encryption
Encrypts the whole hard drive or USB drive. Removable devices are not readable on a system unless PGP is installed. This option is most useful in cases where blanket encryption is needed.
PGP Virtual Disks
Creates a virtual drive (.pgd) that can only be mounted on a system with PGP. A virtual disk can be added to a portable drive to provide secure storage for sensitive information without encrypting the entire drive. The user can still use the drive on systems without PGP, so flexibility is kept, while the sensitive information stays protected because it cannot be accessed without PGP and the passphrase.
PGP Zip Archives
Creates a compressed and encrypted archive of files that in most cases can only be accessed on a system with PGP. If the user has PGP installed on a PC, then they are able to create “Self Decrypting Archives”. This particular archive type allows anyone with the passphrase to extract the secure contents of the file without having PGP installed. Self-decrypting archives are particularly useful when users need to move sensitive data and PGP may not be available at the destination.
During setup, the system must have access to the Internet or the UAB campus network in order to authenticate to the key-server (its address is embedded in the installer and is later written to the Windows Registry or Mac user preferences). When the installer asks for a BlazerID or resource account as enrollment credentials, they are sent to the key-server, which checks them against LDAP. Once you have authenticated, the server sends configuration information to the client and creates an entry under your BlazerID that records the computer you are encrypting.
Unless the BlazerID credentials are also used to log in to the system, they serve only to create a Whole Disk Recovery Token (WDRT) on the server; the local user name and password are separate and are not sent to the server. Instead, the PGP client caches an encrypted hash of the local password when it is used to log in to Windows, so a changed password is picked up only after it is used to log in, not at the moment it is changed. If the user restarts immediately after changing a password, the old password must be entered at the PGP Bootguard screen, and single sign-on (Windows) will then fail because Windows expects the new password. To avoid this, the user should log out and log back in after changing a password; the cached password updates immediately and the new password will work at the Bootguard screen.
If several users will share a Windows system with PGP, make sure they all set unique passwords. If two users have the same password, PGP cannot tell them apart at the Bootguard screen and assumes the last user to log in is the one authenticating.
On a Windows installation of PGP, single sign-on is used and accounts are verified: when you add a passphrase user, PGP requires a strong password and requires that it match the account's password on the machine. If the account does not exist or has a blank password, you get an error and the user is not added. The link between PGP and Windows accounts is only that the account must exist when it is added; adding or removing a user in one place does not change the other. So if you later remove a Windows user account, its PGP entry still exists and still works at the Bootguard screen, but single sign-on will no longer be possible.
On a Mac installation of PGP, single sign-on is not used and the passphrase users in PGP are not tied to any operating system accounts. This is because PGP writes to a preference file under the profile that installed PGP and adds no important configuration to the main preferences folder or to other user folders. Because preferences differ for every user, when a user other than the one that installed PGP launches the software, they are treated as unlicensed and with no known key-server. This is corrected by an application and documentation added to the installer package as "PGP-User Enrollment.app".
So for PGP Desktop for Mac 9.9, each passphrase user is nothing more than a password that gets you past the PGP Bootguard screen.
If the policy (configuration) of your PGP client requires that the primary hard drive is encrypted, the process will begin once you have added a passphrase user and complete the configuration steps. Regardless of whether you start the encryption automatically or manually, the software first creates a Whole Disk Recovery Token on the server under your BlazerID, and then it installs the PGP Bootguard.
On a Windows system, installing Bootguard backs up the Master Boot Record (MBR) and installs the PGP MBR in its place. This is the point at which dual-boot systems normally break (the other PGP components do not cause this).
On an Intel Mac, the Extensible Firmware Interface (EFI) normally hands off to the boot loader it finds via the GUID Partition Table (GPT). When a Mac is encrypted with PGP, that boot loader is backed up and replaced by one that loads the encryption software. This is also the point at which Boot Camp breaks.
From this point on, the PGP Bootguard screen appears at every boot and a valid passphrase must be provided before the drive can be accessed. If the drive is removed or the machine is booted some other way, the data cannot be read unless the drive is attached to a machine with PGP and a valid passphrase is used to unlock it.
If you or a user is ever locked out of a machine for any reason, call AskIT and they can give you the recovery token for your username on that system. The recovery token is a string of 28 characters (dashes are optional) that gets you past the PGP Bootguard screen; it does not log you in to the operating system. If you have no password that grants administrator access to the system, consider decrypting the drive with the matching PGP boot disk or from an encrypted workstation and then following your normal recovery procedures. Once a recovery token is issued, an entry is logged on the server and the system is flagged as needing a new WDRT; the next time someone successfully logs in to the account the WDRT was issued for, the client negotiates a new WDRT with the server (which requires a network connection to the server).
Update the System Time
If the system clock is wrong, PGP may not install correctly. If you installed PGP before correcting the clock (and before setting it to synchronize automatically), you may see errors such as "This configured PGP install requires an enterprise license," or find that PGP is not working properly. To resolve this, correct the system time and then completely reinstall PGP. To set the time on a Windows machine:
- Open "Date and Time Properties" by double-clicking the clock in the task bar, or by clicking "Start", selecting "Control Panel" and choosing "Date and Time" (it may be under "Date, Time, Language and Regional Options").
- Correct the date and time information, then click "OK" to save changes.
Correcting Networking Issues Caused by PGP
- With PGP installed, browse to C:\Windows\system32\PGPIspRollback.reg
- Right-click the file and choose Merge
- Restart the PC
Completely Resetting PGP (Windows)
CAUTION: DO NOT RESTART THE PC BETWEEN ANY STEPS
- Be sure that the computer is online and can connect to the Internet.
- Exit any running instance of PGP or PGP Services.
- Open regedit, go to HKLM\SOFTWARE\PGP Corporation\PGP and change the PGPSTAMP value to ovid=keys.it.uab.edu&admin=1
- Delete the following folders:
C:\Documents and Settings\All Users\Application Data\PGP Corporation
C:\Documents and Settings\<username>\Application Data\PGP Corporation
C:\Documents and Settings\<username>\Local Settings\Application Data\PGP Corporation
C:\Documents and Settings\<username>\My Documents\PGP
(replace <username> with the profile folder of the user being reset; on Vista/7 the equivalent folders are under C:\ProgramData and C:\Users\<username>\AppData)
- Start PGP again via Start->PGP->PGP Desktop. On the enrollment screen, enter your BlazerID credentials and select "New User".
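Because the reset only works if every step is done and nothing reboots in between, it is safer to run the whole sequence as one script. The PowerShell below is an added example for this page, not UAB or PGP code. Everything it needs that the page does not state is an assumption: the PGP service and tray process names (PGPserv, PGPtray), the main executable name (PGPdesk.exe), the 32-bit registry path under Wow6432Node on 64-bit Windows, and the key-server listening on TCP 443. Profile paths are taken from environment variables so the same script covers XP (Documents and Settings) and Vista/7 (Users, ProgramData). Run it elevated, with the machine online.

```powershell
# Added example, not from the original page. Scripts "Completely Resetting PGP
# (Windows)" end to end. CAUTION: does not reboot, and you must not either.
$ErrorActionPreference = 'Stop'
$stamp = 'ovid=keys.it.uab.edu&admin=1'    # PGPSTAMP value given on the page

# Step 1: confirm the key-server is reachable (assumes TCP 443) before wiping config
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect('keys.it.uab.edu', 443) }
catch   { throw 'Cannot reach keys.it.uab.edu:443; re-enrollment would fail. Fix networking first.' }
finally { $tcp.Close() }

# Step 2: stop the PGP service and tray (assumed names) so nothing is in use
Get-Service -Name PGPserv -ErrorAction SilentlyContinue | Stop-Service -Force
Get-Process -Name PGPtray -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 3: re-stamp the installation so the client re-enrolls with the UAB key-server
$found = $false
foreach ($k in 'HKLM:\SOFTWARE\PGP Corporation\PGP',
               'HKLM:\SOFTWARE\Wow6432Node\PGP Corporation\PGP') {   # second path is an assumption for x64
    if (Test-Path $k) {
        Set-ItemProperty -Path $k -Name PGPSTAMP -Value $stamp
        Write-Host "PGPSTAMP set under $k"
        $found = $true
    }
}
if (-not $found) { throw 'PGP registry key not found; is PGP Desktop installed?' }

# Step 4: back up, then delete, the cached configuration folders listed on the
# page. My Documents\PGP holds the user's keyrings; the backup under %TEMP%
# is the only copy left afterwards, so move it somewhere safe.
$backup  = Join-Path $env:TEMP ('pgp-reset-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$targets = @()
if ($env:ALLUSERSPROFILE) { $targets += Join-Path $env:ALLUSERSPROFILE 'Application Data\PGP Corporation' }  # XP
if ($env:ProgramData)     { $targets += Join-Path $env:ProgramData     'PGP Corporation' }                   # Vista/7
if ($env:APPDATA)         { $targets += Join-Path $env:APPDATA         'PGP Corporation' }
if ($env:LOCALAPPDATA)    { $targets += Join-Path $env:LOCALAPPDATA    'PGP Corporation' }
$targets += Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'PGP'

foreach ($t in $targets) {
    if (Test-Path $t) {
        $dest = Join-Path $backup ($t -replace '[:\\]', '_')
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -Path $t -Destination $dest -Recurse -Force
        Remove-Item -Path $t -Recurse -Force
        Write-Host "removed $t (copy in $dest)"
    }
}

# Step 5: relaunch PGP Desktop (assumed executable name) and enroll as "New User"
$desk = Join-Path $env:ProgramFiles 'PGP Corporation\PGP Desktop\PGPdesk.exe'
if (Test-Path $desk) { Start-Process $desk } else { Write-Warning 'Launch Start->PGP->PGP Desktop manually' }
Write-Host 'On the enrollment screen enter your BlazerID credentials and choose "New User". Do not reboot.'
```

The connectivity check comes first on purpose: if the machine cannot reach the key-server, deleting the cached configuration leaves PGP unable to re-enroll, which is worse than the state you started in.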
Hard Drive Recovery
If the drive is attached as a secondary (non-boot) drive to a working machine with the same version of PGP Desktop, try the following:
- Open a CMD prompt.
- Change to c:\Program Files\PGP Corporation\PGP Desktop\
- Run pgpwde --enum to list the drives on the machine and find the number of the encrypted drive: disk 0 is the boot drive, then disk 1, disk 2 and so on.
- With that number, run pgpwde --recover --disk <n> (for disk 1: pgpwde --recover --disk 1). pgpwde searches the disk for a backup boot sector and restores it if one is found.
- If the sector is restored, run: pgpwde --decrypt --disk <n> --passphrase "passphrase in double quotes"
- To check whether the drive is still instrumented (MBR swapped), run: pgpwde --status --disk <n>
- If the disk is still instrumented, run: pgpwde --uninstrument --disk <n>
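The sequence above is easy to get wrong under pressure (the worst case being running it against disk 0 of the recovery workstation), so here it is as a PowerShell wrapper. This is an added example for this page, not part of the UAB documentation or the PGP product, and it uses only the pgpwde options listed above (--enum, --status, --recover, --decrypt, --passphrase, --uninstrument, --disk). Assumptions not stated on the page: pgpwde returns a non-zero exit code on failure, and --decrypt may return before decryption finishes, so the script re-checks --status and asks before uninstrumenting.

```powershell
# Added example, not from the original page. Run elevated on the recovery
# workstation with the damaged drive attached as a non-boot disk.
$pgpwde = Join-Path $env:ProgramFiles 'PGP Corporation\PGP Desktop\pgpwde.exe'
if (-not (Test-Path $pgpwde)) { throw "pgpwde.exe not found at $pgpwde" }

function Invoke-Pgpwde {
    # Runs one pgpwde command, shows its output, returns $true on exit code 0
    # (assumption: pgpwde uses a non-zero exit code to signal failure)
    param([string[]]$Arguments)
    Write-Host ">> pgpwde $($Arguments -join ' ')" -ForegroundColor Cyan
    & $pgpwde @Arguments | Out-Host
    return ($LASTEXITCODE -eq 0)
}

# Step 1: enumerate disks and let the operator choose; refuse disk 0 outright
Invoke-Pgpwde @('--enum') | Out-Null
$disk = [int](Read-Host 'Disk number of the ENCRYPTED (non-boot) drive')
if ($disk -eq 0) { throw 'Refusing to operate on disk 0, the boot drive of this workstation' }

# Step 2: show whether the disk is instrumented before changing anything
Invoke-Pgpwde @('--status', '--disk', $disk) | Out-Null

# Step 3: restore the backup boot sector; without it there is nothing to decrypt from
if (-not (Invoke-Pgpwde @('--recover', '--disk', $disk))) {
    throw "No backup sector restored on disk $disk; use the version-matched recovery CD instead"
}

# Step 4: decrypt. The passphrase is prompted for, never stored in the script,
# but pgpwde still receives it on its command line, where anyone who can list
# processes on this workstation can read it for as long as decryption runs.
$secure = Read-Host 'Passphrase of a user on the encrypted disk' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

if (-not (Invoke-Pgpwde @('--decrypt', '--disk', $disk, '--passphrase', $plain))) {
    throw "Decryption of disk $disk failed (wrong passphrase or damaged volume)"
}
$plain = $null

# Step 5: --decrypt may return before the disk is fully decrypted (assumption);
# re-check status and let the operator confirm before removing the PGP MBR.
Invoke-Pgpwde @('--status', '--disk', $disk) | Out-Null
if ((Read-Host 'Status shows the disk fully decrypted? Uninstrument now (y/N)') -ieq 'y') {
    if (Invoke-Pgpwde @('--uninstrument', '--disk', $disk)) {
        Write-Host "Disk $disk decrypted and uninstrumented; it can now be read without PGP"
    }
}
```

Decryption of a full drive takes hours; leave the workstation powered and attached for the whole run, exactly as with the recovery CD.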
Verbose Logging on PGP
- Open the registry with regedit
- Browse to HKEY_CURRENT_USER\SOFTWARE\PGP Corporation\Universal
- Create a new key here called "Debug"
- Inside HKEY_CURRENT_USER\SOFTWARE\PGP Corporation\Universal\Debug, create a DWORD value called "LoggingLevel"
- Set "LoggingLevel" to the hexadecimal value 3FFFF
- Right click your pgptray icon and choose Exit PGP Services.
- Click Start->Programs->StartUp->pgptray.exe
- Open PGP Desktop and select Tools>View Log. Set “View Level” to Verbose.
- If the application is crashing prior to launch, click Start->Run and type "%appdata%"
- Once you have your Application Data folder up, open "PGP Corporation", then open "PGP".
- You should see "PGPlog.txt" with debug logging data in it.
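The same switch, scripted, with a way to turn it off again once you have the log. This is an added example for this page, not UAB or PGP code. The one assumption beyond what the page states is that the tray program is PGPtray.exe in the PGP Desktop install folder (the page starts it from the Startup folder); the LoggingLevel value 0x3FFFF and the log location are the ones given above.

```powershell
# Added example, not from the original page.
#   .\pgp-verbose.ps1        # enable verbose logging and restart the tray
#   .\pgp-verbose.ps1 -Off   # remove the Debug key again when you are done
param([switch]$Off)

$key  = 'HKCU:\SOFTWARE\PGP Corporation\Universal\Debug'
$log  = Join-Path $env:APPDATA 'PGP Corporation\PGP\PGPlog.txt'
$tray = Join-Path $env:ProgramFiles 'PGP Corporation\PGP Desktop\PGPtray.exe'   # assumed location

if ($Off) {
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    Write-Host 'Verbose logging disabled (Debug key removed)'
} else {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name LoggingLevel -Value 0x3FFFF -Type DWord
    Write-Host ('LoggingLevel = 0x{0:X} under {1}' -f (Get-ItemProperty $key).LoggingLevel, $key)
}

# Restart the tray so it re-reads the logging level (the scripted equivalent of
# "Exit PGP Services" followed by Start->Programs->StartUp->pgptray.exe)
Get-Process -Name PGPtray -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 2
if (Test-Path $tray) { Start-Process $tray } else { Write-Warning "PGPtray.exe not at $tray; start it from the Startup folder" }

# Show where the verbose log lands and its most recent lines, if it exists yet
Write-Host "Log file: $log"
if (Test-Path $log) { Get-Content $log | Select-Object -Last 20 }
```

Leave verbose logging on only while reproducing the problem and run it with -Off afterwards: the log grows quickly and records user names and key-server details that do not belong on a laptop indefinitely.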
PGPWDE Command Line
Many helpful commands can be issued to PGP from a command line, which makes scripting and remote modification possible.
On Windows, the PGP WDE command line utility is installed at C:\Program Files\PGP Corporation\PGP Desktop\pgpwde.exe, and "pgpwde --help" produces a basic listing of commands. For a more complete listing and explanation of commands, see the PGP Windows Command Line Guide at: https://supportimg.pgp.com/guides/PGPwdeWinCmdline_991_usersguide_en.pdf
On a Mac, the PGP WDE command line utility can be accessed by opening a terminal window and typing "pgpwde".
NOTE: If your system is dual-boot or has a utility partition (recovery or Dell Media Direct), it is not compatible with PGP Whole Disk Encryption. If you have a Dell Inspiron M1210, Dell E5400 or Dell XPS, please call AskIT at 205-996-5555 before attempting to encrypt your machine with PGP.
Please review the list of devices that are incompatible with PGP.
To successfully install and configure PGP, you will need the following:
- Administrative privileges
- An active connection to the Internet
- A physical keyboard - tablets without keyboards are unable to use the software
- One of the following operating systems: Windows 7, Windows Vista, XP Home or Professional 32-bit (SP2/SP3), XP Pro 64-bit (SP2), XP Tablet 2005, Windows 2000 (SP4)
- 512MB RAM
- 64MB hard disk space
Prepare Your Computer
- Back up your data - Before downloading or installing any encryption software such as PGP, back up your data to a trusted location. External drives, CDs, DVDs and network drives are recommended for storing important documents. It is also a good idea to make sure you can reinstall any important software should data loss actually occur.
- Defragment - Prior to encryption, you may wish to defragment your computer to speed up the encryption process. To do so, click the Start menu. Point to Programs>Accessories>System Tools, and then click Disk Defragmenter. Click the Analyze button; a report will appear telling you whether or not defragmentation is recommended. If it is, click the Defragment button to begin; if not, close Disk Defragmenter and proceed to the next step.
- Check the disk for disk errors - Under normal operation, many hard drives do not exhibit any signs of corruption or flaws, but when the data on the drive is encrypted, those issues can present a greater problem leading to file corruption, and in some cases complete loss of the operating system. In order to identify and correct these issues before any loss is incurred, SpinRite was purchased for the campus and is available on the IT Software Library site for faculty and staff. The software will assist you in creating a bootable CD that will scan and correct any disk errors. This step is optional, but is also highly recommended.
- Check power and network connections - Before installing, be sure your computer is plugged into a wall outlet and has an active network connection.
Download and Install PGP Software
- Go to the UAB Software Library, located at www.uab.edu/it/software. Locate the appropriate PGP software and click to begin downloading.
- Prior to installation, be sure to close all running programs and save anything you are working on.
- Navigate to where you saved the software and launch the PGP installer. In the PGP Desktop window, select English.
- Read the licensing agreement, select "I Accept" the licensing agreement, and click Next.
- Click Next again.
- The installer will start copying files into place.
- Click Yes to reboot. When the computer has rebooted and you log in, the PGP Setup Assistant should automatically appear.
- When prompted for domain credentials, enter your BlazerID and password.
- Select "I am a new user", and click Next.
- Click Next.
- The next box to pop up will be a prompt to create a passphrase user. Enter the username and password you use to log into your system. In many areas of campus, this is also your BlazerID and password with a domain of UAB.
- The program should begin to automatically encrypt the disk in the background while you go about your normal work. Note: Encryption may take up to eight hours. If necessary, you can shut down the computer (Start>Shutdown>Turn off computer), but DO NOT abruptly power off the system.
- When the encryption of the boot drive is complete, the lower icon will become a solid padlock.
- From this point on, prior to booting Windows, you will receive a gray PGP boot screen in which you are prompted to enter the passphrase that you entered during setup. Entering a correct passphrase permits access to the machine and will log you into the Windows operating system through the single sign-on feature.
Although rare, situations have occurred where a hard drive encrypted with PGP does not boot. To assist in recovery of these drives, the creation and use of a PGP Boot Disk is highly recommended.
Please note that each version of PGP requires a boot disk unique to the particular version in use on the client. For example, if you attempt to use a 9.6 recovery disk to decrypt a disk protected with PGP Whole Disk Encryption 9.9 software, any data on the PGP Whole Disk Encrypted 9.9 disk will be unrecoverable.
Note: If you do not remember the recovery passphrase, please contact the help desk, AskIT, by email AskIT@uab.edu, or by phone, 205-996-5555.
Create a Recovery Boot Disk
- Download the appropriate ISO file from the Symantec archives:
a) Version 10.x: http://www.symantec.com/business/support/index?page=content&id=TECH152604
b) Version 9.X: http://www.symantec.com/business/support/index?page=content&id=TECH148915
- Burn the ISO to a CD, label it appropriately and store it in a safe place.
Using a Recovery Boot Disk
- Insert your Recovery CD into the computer's CD drive.
- Reboot the computer and boot to the CD.
- When the login screen appears, enter the recovery passphrase for the encrypted drive and press Enter to begin decryption. This operation can take many hours and the system should not be powered off.
- Once the process is complete, the system should start as normal. If the operating system still does not boot, proceed with your operating system repair or data migration process.
Using a Recovery Workstation
If you have the resources or equipment available, the hard drive from the system that will not boot can be accessed by a workstation that has PGP installed on it. Simply connect the device using a USB hard drive bay or adapter, and enter a passphrase associated with the drive. Once the hard drive is mounted to the recovery system, files can be recovered by moving them or by decrypting the hard drive.
If you experience any issues with PGP, please report them to the help desk, AskIT, by email at AskIT@uab.edu, or by phone at 205-996-5555. Please be sure to provide the following information:
- Error messages
- Computer make and model
- Internet connection type
- PGP installer version
- Estimated time of occurrence (if possible)
Common Solutions to Installation Issues
- Verify that you are an administrator of the system on which you are attempting to install PGP.
- Open your web browser and ensure that you have Internet connectivity by opening a website.
- Be sure that you have a current installation package for PGP Desktop. Visit www.uab.edu/it/software for the latest installation files.
- Ensure that you are using your BlazerID and strong password for the PGP Enrollment credentials.
Common Solutions to Password Related Issues
- Verify that Caps Lock is not on while authenticating.
- If you recently changed your account password, you may have to provide the old password until you log in to the system with your new password.
- If the previously mentioned steps do not resolve your issue, you should call the AskIT Help Desk to request a PGP recovery token for the system or portable device. A recovery token is a one-time password that will allow you to bypass PGP, but it will not bypass the operating system password; you are still required to log in.
Common Solutions to Boot/Startup Related Issues
- Ensure that a keyboard is connected to the system. Systems such as tablets without physical keyboards will not be able to authenticate on the PGP boot screen.
- Remove any CDs, DVDs or USB drives from the system. Many of these devices have features that allow them to start before the system hard drive.
- Does the system have multiple operating systems or Dell Media Direct? If so, then you will need to contact your support personnel to assist you with the recovery of your hard drive. Please note that PGP should never be installed on systems with multiple operating systems, as it will render the system inoperable.
- See the PGP Recovery documentation for further support.