NOTE: If your system is dual-boot or features a utility partition (recovery or Dell Media Direct), it is not compatible with PGP Whole Disk Encryption. If you have a Dell Inspiron M1210, Dell E5400 or Dell XPS, please call AskIT at 205-996-5555 before attempting to encrypt your machine with PGP.
Please review the list of devices that are incompatible with PGP.
To successfully install and configure PGP, you will need the following:
- Administrative privileges
- An active connection to the Internet
- A physical keyboard - tablets without keyboards are unable to use the software
- One of the following operating systems: Windows 7, Windows Vista, XP Home or Professional 32-bit (SP2/SP3), XP Pro 64-bit (SP2), XP Tablet 2005, Windows 2000 (SP4)
- 512MB RAM
- 64MB hard disk space
Prepare Your Computer
- Back up your data - Prior to downloading or installing any encryption software such as PGP, be sure to back up your data to a trusted source. Devices such as external drives, CDs, DVDs and network drives are recommended for storage of important documents. It is also a good idea to ensure that you have the ability to reinstall any important software should data loss occur.
- Defragment - Prior to encryption, you may wish to defragment your computer to speed up the encryption process. To do so, click the Start menu. Point to Programs>Accessories>System Tools, and then click Disk Defragmenter. Click the Analyze button; a report will appear telling you whether or not defragmentation is recommended. If it is, click the Defragment button to begin; if not, close Disk Defragmenter and proceed to the next step.
- Check the disk for disk errors - Under normal operation, many hard drives do not exhibit any signs of corruption or flaws, but when the data on the drive is encrypted, those issues can present a greater problem leading to file corruption, and in some cases complete loss of the operating system. In order to identify and correct these issues before any loss is incurred, SpinRite was purchased for the campus and is available on the IT Software Library site for faculty and staff. The software will assist you in creating a bootable CD that will scan and correct any disk errors. This step is optional, but is also highly recommended.
- Check power and network connections - Before installing, be sure your computer is plugged into a wall outlet and has an active network connection.
Download and Install PGP Software
- Go to the UAB Software Library, located at www.uab.edu/it/software. Locate the appropriate PGP software and click to begin downloading.
- Prior to installation, be sure to close all running programs and save anything you are working on.
- Navigate to where you saved the software and launch the PGP installer. In the PGP Desktop window, select English.
- Read the licensing agreement, select "I Accept" the licensing agreement, and click Next.
- Click Next again.
- The installer will start copying files into place.
- Click Yes to reboot. When the computer has rebooted and you log in, the PGP Setup Assistant should automatically appear.
- When prompted for domain credentials, enter your BlazerID and password.
- Select "I am a new user", and click Next.
- Click Next.
- The next box to pop up will be a prompt to create a passphrase user. Enter the username and password you use to log into your system. In many areas of campus, this is also your BlazerID and password with a domain of UAB.
- The program should begin to automatically encrypt the disk in the background while you go about your normal work. Note: Encryption may take up to eight hours. If necessary, you can shut down the computer (Start>Shutdown>Turn off computer), but DO NOT abruptly power off the system.
- When the encryption of the boot drive is complete, the lower icon will become a solid padlock.
- From this point on, prior to booting Windows, you will receive a gray PGP boot screen in which you are prompted to enter the passphrase that you entered during setup. Entering a correct passphrase permits access to the machine and will log you into the Windows operating system through the single sign-on feature.
Although rare, situations have occurred where a hard drive encrypted with PGP does not boot. To assist in recovery of these drives, the creation and use of a PGP Boot Disk is highly recommended.
Please note that each version of PGP requires a boot disk unique to the particular version in use on the client. For example, if you attempt to use a 9.6 recovery disk to decrypt a disk protected with PGP Whole Disk Encryption 9.9 software, any data on the PGP Whole Disk Encrypted 9.9 disk will be unrecoverable.
Create a Recovery Boot Disk
- Download the appropriate ISO file from the Symantec archives:
a) Version 10.x: http://www.symantec.com/business/support/index?page=content&id=TECH152604
b) Version 9.X: http://www.symantec.com/business/support/index?page=content&id=TECH148915
- Burn the ISO to a CD, label it appropriately and store it in a safe place.
Using a Recovery Boot Disk
- Insert your Recovery CD into the computer's CD drive.
- Reboot the computer and boot to the CD.
- When the login screen appears, enter the recovery passphrase for the encrypted drive and press Enter to begin decryption. This operation can take many hours and the system should not be powered off.
- Once the process is complete, the system should start as normal. If the operating system still does not boot, proceed with your operating system repair or data migration process.
Using a Recovery Workstation
If you have the resources or equipment available, the hard drive from the system that will not boot can be accessed by a workstation that has PGP installed on it. Simply connect the device using a USB hard drive bay or adapter, and enter a passphrase associated with the drive. Once the hard drive is mounted to the recovery system, files can be recovered by moving them or by decrypting the hard drive.
- Error messages
- Computer make and model
- Internet connection type
- PGP installer version
- Estimated time of occurrence (if possible)
Common Solutions to Installation Issues
- Verify that you are an administrator of the system on which you are attempting to install PGP.
- Open your web browser and ensure that you have Internet connectivity by opening a website.
- Be sure that you have a current installation package for PGP Desktop. Visit www.uab.edu/it/software for the latest installation files.
- Ensure that you are using your BlazerID and strong password for the PGP Enrollment credentials.
Common Solutions to Password Related Issues
- Verify that Caps Lock is not on while authenticating.
- If you recently changed your account password, you may have to provide the old password until you log in to the system with your new password.
- If the previously mentioned steps do not resolve your issue, you should call the AskIT Help Desk to request a PGP recovery token for the system or portable device. A recovery token is a one-time password that will allow you to bypass PGP, but it will not bypass the operating system password; you are still required to log in.
Common Solutions to Boot/Startup Related Issues
- Ensure that a keyboard is connected to the system. Systems such as tablets without physical keyboards will not be able to authenticate on the PGP boot screen.
- Remove any CDs, DVDs or USB drives from the system. Many of these devices have features that allow them to start before the system hard drive.
- Does the system have multiple operating systems or Dell Media Direct? If so, then you will need to contact your support personnel to assist you with the recovery of your hard drive. Please note that PGP should never be installed on systems with multiple operating systems, as it will render the system inoperable.
- See the PGP Recovery documentation for further support.
- Download the following image from Microsoft and mount or burn the ISO to install the Windows Automatic Install Kit (AIK) [6001.18000.080118-1840-kb3aikl_en.iso]
- Download and extract the latest PGP PE from: https://support.pgp.com/?faq=807
- Download and install a PE Builder such as BartPE: http://www.nu2.nu/pebuilder/#download
- Create a new folder as c:\wde and copy the following files to it from a PGP install:
C:\Program Files\PGP Corporation\PGP Desktop\pgpbootb.bin
C:\Program Files\PGP Corporation\PGP Desktop\pgpbootg.bin
C:\Program Files\PGP Corporation\PGP Desktop\PGPwde.exe
C:\Program Files\PGP Corporation\PGP Desktop\Stage1
- Copy etfsboot.com from “C:\Program Files\Windows AIK\Tools\PETools\x86\boot” to “C:\pebuilder3110a”.
- Open PE Builder, insert a Windows XP SP2/3 CD, set the Media Output to “None,” and build a basic PE. For the purposes of this documentation the default path of “c:\pebuilder3110a\BartPE” is used.
- Open a command prompt and navigate to where you extracted the PGP PE. Type the following: pgppe.exe /winpe c:\pebuilder3110a\BartPE c:\wde
- Navigate to “C:\Program Files\Windows AIK\Tools\x86” via command prompt and type the following: oscdimg -bc:\pebuilder3110a\BartPE\bootsect.bin -n c:\pebuilder3110a\BartPE c:\bartpe.iso
- Burn the bartpe.iso to CD and you can now boot to it and use the pgpwde.exe application from the command prompt.
- Drive Info: pgpwde --enum
- Drive Status: pgpwde --status
- Show users: pgpwde --list-users -d
- Decrypt: pgpwde --decrypt -d
or: pgpwde --decrypt --all -p
- Unlock disk to access files: pgpwde --auth -d
- PGP Technical Note regarding Customizing the Windows Preinstallation Environment for PGP Whole Disk Encryption
- More commands can be found in the command line documentation:
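The PE build steps above (copying the PGP files, running pgppe, then oscdimg) collected into one batch file that stops at the first missing input or failed step. This is an added example, not part of the original instructions; it assumes PE Builder has already produced c:\pebuilder3110a\BartPE, and PGPPE_DIR is a hypothetical folder standing in for wherever you extracted the PGP PE download.

```bat
@echo off
rem Added example (not from the original page): PE build steps in one file.
rem Paths are the ones listed above, except PGPPE_DIR, which is a hypothetical
rem location for the extracted PGP PE download. Run after PE Builder finishes.
setlocal
set "PGP_DIR=C:\Program Files\PGP Corporation\PGP Desktop"
set "AIK_DIR=C:\Program Files\Windows AIK\Tools"
set "PEB_DIR=c:\pebuilder3110a"
set "WDE_DIR=c:\wde"
set "PGPPE_DIR=c:\pgppe"
set "ISO=c:\bartpe.iso"

rem Stop before changing anything if a required input is missing.
for %%F in (
  "%PGP_DIR%\pgpbootb.bin" "%PGP_DIR%\pgpbootg.bin"
  "%PGP_DIR%\PGPwde.exe" "%PGP_DIR%\Stage1"
  "%AIK_DIR%\PETools\x86\boot\etfsboot.com" "%AIK_DIR%\x86\oscdimg.exe"
  "%PGPPE_DIR%\pgppe.exe" "%PEB_DIR%\BartPE\bootsect.bin"
) do if not exist "%%~F" (echo Missing: %%~F & exit /b 1)

rem Copy the PGP files to c:\wde and etfsboot.com to the PE Builder folder.
if not exist "%WDE_DIR%" mkdir "%WDE_DIR%" || exit /b 1
for %%F in (pgpbootb.bin pgpbootg.bin PGPwde.exe Stage1) do (
  copy /y "%PGP_DIR%\%%F" "%WDE_DIR%\" >nul || (echo Copy failed: %%F & exit /b 1)
)
copy /y "%AIK_DIR%\PETools\x86\boot\etfsboot.com" "%PEB_DIR%\" >nul || exit /b 1

rem Add the PGP files to the PE image (run from the pgppe folder, as above).
pushd "%PGPPE_DIR%"
pgppe.exe /winpe %PEB_DIR%\BartPE %WDE_DIR%
if errorlevel 1 (popd & echo pgppe reported an error & exit /b 1)
popd

rem Remove any stale ISO so a leftover file cannot pass for a new build.
if exist "%ISO%" del "%ISO%"
pushd "%AIK_DIR%\x86"
oscdimg -b%PEB_DIR%\BartPE\bootsect.bin -n %PEB_DIR%\BartPE %ISO%
if errorlevel 1 (popd & echo oscdimg reported an error & exit /b 1)
popd
if not exist "%ISO%" (echo %ISO% was not created & exit /b 1)
echo Built %ISO%; burn it to CD.
```

Build the disk from the same PGP version that encrypted the drive, since the recovery disk must match the version in use on the client.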
Mac OS X Lion – FileVault (Whole Disk)
The official Apple support article can be found at: http://support.apple.com/kb/HT4790
When Lion is first installed, the hard drive is separated into a utility partition and an OS partition. Because of the way that PGP works, it is expected to break when partitions are manipulated and therefore users are discouraged from upgrading to Lion if PGP is installed or if the disk is encrypted with any other software.
In the Lion operating system Apple’s FileVault has been upgraded to a full disk encryption solution, as opposed to the protected Home directory that was used in previous versions of the operating system. To enable FileVault, open the System Preferences application and click on the Security & Privacy menu.
If you decide to turn on FileVault, you will first receive a recovery token that can unlock the drive in the event that your password doesn’t work. The recovery key should either be stored in a safe place, or sent to Apple for safe keeping.
If you choose to send the whole disk recovery key to Apple, you must create three security questions that are used by Apple to encrypt your recovery key. The answers are case sensitive so be sure to type them just as you would remember them.
Immediately after the recovery token options are set, the system will reboot and a valid passphrase will be required in order to unlock the drive and start the operating system. When you sign back in to Mac OS, you will receive a dialog like the one below that attempts to estimate the time remaining on the drive encryption.
Retrieving your recovery key from Apple
If you forget your login password for an OS X Lion FileVault-encrypted drive, and you had chosen to store your recovery key with Apple, you may contact AppleCare and request retrieval of your recovery key. Typing in the wrong login password three times will produce a note under the password field which states, "If you forgot your password, you can… …reset it using your recovery key."
Click the triangle-button next to that message to reveal the Recovery Key text field (which replaces the password text field) and AppleCare contact information, along with your computer's Serial Number and a Record Number. You will need to provide these two pieces of information in order for AppleCare to retrieve your recovery key.
Upon successful retrieval and entry of your recovery key, you will be prompted to change your login password. After changing your login password, it is also recommended that you change your FileVault recovery key and upload the new one to Apple.
Changing your recovery key
In the Security & Privacy system preference, under the FileVault tab, click "Turn Off FileVault…" to disable FileVault. After FileVault is off, FileVault will begin to decrypt your drive. Once decryption is complete, you'll be able to click the "Turn On FileVault…" button. Doing so will allow you to enable unlock-capable users, will show you a new recovery key and will give you the option of sending this new key to Apple. The old key sent to Apple will not be able to unlock your newly-encrypted disk. If you need to retrieve your recovery key from Apple, only the new one will be retrieved based on the Serial Number and Record Number displayed to you in the login window.
Migrating a FileVault-protected Home from an earlier version of Mac OS X
If you are using FileVault in Mac OS X v10.6 Snow Leopard, you can install OS X Lion and continue to use your FileVault-encrypted home directory in the same way you did in Snow Leopard. OS X Lion considers your earlier version of FileVault encryption to be "Legacy FileVault". With a Legacy FileVault encrypted home directory, opening the Security & Privacy preference pane will cause the following dialog to appear, alerting you that "You're using an old version of FileVault":
You may continue to use OS X Lion with Legacy FileVault, but you cannot enable Legacy FileVault for other user accounts in OS X Lion. If you turn off Legacy FileVault, the Legacy FileVault tab will disappear and you can then choose to enable OS X Lion's FileVault 2 (disk encryption).
Encrypting Time Machine
Time Machine works properly on Lion, but more importantly it allows you to encrypt the backup. Once a drive has been prepared and encrypted in Lion, it can’t be mounted on any operating system that’s older than Lion because of the encryption.
PGP Whole Disk Encryption software (or FileVault for Macs) is designed to provide an additional layer of security for your data. Encryption is required for laptops used for UAB Business, and it is highly recommended for desktops in theft-prone areas. PGP software essentially "locks down" your hard drive, making the data accessible only to you and those you authorize. The disk encryption, in conjunction with logon and screensaver passwords, protects UAB data if the computer is lost or stolen.
- Encrypting with Mac OS X FileVault 10.7 (Lion)
- Encrypting with Mac OS X FileVault 10.6 or Below
- PGP Whole Disk Encryption: Windows Installation Instructions
- PGP Whole Disk Encryption: Mac OS Installation Instructions
- Linux Encrypted File System: Fedora
- Linux Encrypted File System: Ubuntu
- Linux Encrypted File System: Ubuntu (advanced configuration)
- Microsoft BitLocker on Windows 8
Additional PGP Documentation:
- PGP Client License Troubleshooting
- Adding and Removing Users in PGP Desktop
- Portable Drives
- Virtual Disks
- Zip Encrypted Archives
- Reporting Issues
- Drive Recovery
- PGP Guide for Campus Administrators
- Windows XP Preinstallation Environment (PE) for PGP Whole Disk Encryption
- Devices Incompatible with PGP