PGP Whole Disk Encryption (now Symantec Drive Encryption) was chosen by SIRT to be the standard encryption software for K-State. It was evaluated extensively as a part of the data classification policy, which requires encryption of all confidential university data when stored on mobile devices such as laptops. Use of this encryption software ensures that data on a stolen or misplaced laptop can't be accessed by unauthorized individuals.
PGP Whole Disk Encryption protects the entire hard drive by using public-key encryption and makes it unreadable to anyone who does not have the proper key. The drive can be configured to open with multiple keys, which allows for use by multiple people. Each person can have their own unique key which is encrypted using a password of their choosing. An additional key is stored on the PGP management server so the server administrator can recover the data in case all the other keys are lost.
If your computer or mobile device contains necessary confidential data, the data classification policy requires that you encrypt it. If the data is unnecessary, then you should remove it.
There are actually three different answers to this question, depending on which of the following groups you belong to. If you're not sure which of these applies to you, contact your department's security contact.
Group 1 - Departments using the central PGP server and having iTAC install clients:
The central server is online and available for production use. Installation can occur whenever arrangements can be made with iTAC and the Technology Service Center.
Group 2 - Departments using the central PGP server and installing clients internally:
The central server is online and available for production use. Client installations can be scheduled through your department security contact or IT support personnel.
Group 3 - Departments running their own PGP server and installing clients internally:
You should be contacted by your department's PGP contact to set up the client install once your department's PGP server is operational.
Because this software operates at a low level and encrypts all data on the hard drive, we suggest that everyone take the following steps to ensure that their system continues to operate after the install. If the iTAC Technology Service Center is performing your install, they will take care of all of these for you.
Any assistance needed with the product after installation should be requested from departmental support personnel or the iTAC Help Desk (532-7722).
Users of the central server can call the iTAC Help Desk (532-7722) to obtain a recovery token upon verification of identity. The recovery token (28 alphanumeric characters) can be used to decrypt the hard drive and boot the OS. Once the OS is loaded, your password can be reset using the PGP Desktop user interface. After a recovery token has been used, a new recovery token will be generated and stored on the server for future use as soon as the computer is able to communicate with the server. If you use a departmental or college PGP server instead of the central one, check with your departmental IT support personnel for recovery procedures.
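As an added illustration (not K-State's or Symantec's code), the key layout described in the second paragraph and the recovery token above, modelled in Python: one random disk key is wrapped separately for each user's passphrase and once more for the server-held recovery token, so any one slot unlocks the disk, a password change re-wraps only that slot, and losing every slot loses the data. The slot names, the toy key-wrap construction and the sample recovery token are constructed for the example and are not PGP's real on-disk format.

```python
import hashlib, hmac, os, secrets

# Constructed model of the key layout described above: one random disk key, wrapped once per
# user passphrase and once for a server-held recovery token. Not PGP's real format or algorithms.
KEY_LEN = 32

def derive_kek(secret: str, salt: bytes) -> bytes:
    # passphrase or recovery token -> key-encrypting key (iteration count kept low for the demo)
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000, KEY_LEN)

def wrap(kek: bytes, disk_key: bytes) -> bytes:
    # toy authenticated wrap: XOR with an HMAC-derived pad, then an HMAC tag (stand-in for AES key wrap)
    pad = hmac.new(kek, b"pad", "sha256").digest()
    body = bytes(a ^ b for a, b in zip(disk_key, pad))
    return body + hmac.new(kek, body, "sha256").digest()

def unwrap(kek: bytes, blob: bytes):
    body, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    if not hmac.compare_digest(hmac.new(kek, body, "sha256").digest(), tag):
        return None  # wrong passphrase or token: the tag does not verify
    pad = hmac.new(kek, b"pad", "sha256").digest()
    return bytes(a ^ b for a, b in zip(body, pad))

class DiskHeader:
    # stores only wrapped copies of the disk key; the plaintext key is never written down
    def __init__(self):
        self.slots = {}  # slot name -> (salt, wrapped disk key)
    def add_slot(self, name: str, secret: str, disk_key: bytes) -> None:
        salt = os.urandom(16)
        self.slots[name] = (salt, wrap(derive_kek(secret, salt), disk_key))
    def unlock(self, name: str, secret: str):
        salt, blob = self.slots[name]
        return unwrap(derive_kek(secret, salt), blob)
    def change_secret(self, name: str, old: str, new: str) -> bool:
        # re-wrap one slot only; the disk key and every other slot are untouched
        disk_key = self.unlock(name, old)
        if disk_key is None:
            return False
        self.add_slot(name, new, disk_key)
        return True

def provision(users: dict, recovery_token: str):
    # one slot per user passphrase plus a "wdrt" slot for the server-held recovery token
    disk_key = secrets.token_bytes(KEY_LEN)
    header = DiskHeader()
    for user, passphrase in users.items():
        header.add_slot(user, passphrase, disk_key)
    header.add_slot("wdrt", recovery_token, disk_key)
    return header, disk_key
```

The recovery path is just another slot: the Help Desk's 28-character token unwraps the same disk key, after which a user can set a new passphrase without the old one.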
During setup, the system must have access to the Internet or the campus network in order to authenticate to the PGP key server (the address is embedded in the installer and is later added to the Windows Registry or Mac user preferences). When you reach the point in the installation where you enter your K-State eID as enrollment credentials, they are sent to the key server, which checks them against LDAP. Once you have successfully authenticated, the server will send some configuration information to the client and also create an entry under your eID that includes information about the computer you are encrypting.
Unless your eID credentials are used to log in to the system, they are only used to create a Whole Disk Recovery Token (WDRT) with the server; the user name and password for the local user are separate and aren't sent to the server. Instead, an encrypted hash of the local password is cached in the PGP client once it's used to log in to Windows. So if you change a password, the cache is updated only after the new password is used, not when the password is changed. This means that if the user restarts immediately after changing their password, the old password must be used on the PGP Bootguard screen, and the single sign-on feature (Windows) won't log them in because Windows is expecting the new password. To prevent this situation, the user should log out and log back in after a password change. The cached password should update immediately and the new password will work with the PGP Bootguard screen.
If multiple users plan to use a Windows system with PGP, ensure that all of the users set unique passwords. If multiple users have the same password, PGP will assume that the last user to log in is the one authenticating.
Installation of the PGP Desktop Whole Disk Encryption software will also enable you to create encrypted volumes on any disk attached to the computer. Such volumes can exist on local drives or externally attached storage (flash drives, USB hard drives, etc.) regardless of whether whole disk encryption is used on the device. This allows you to store encrypted data on an external device without having to encrypt the entire device.
You will also have access to the PGP shredder, which will prevent recovery of deleted files by overwriting the area where they were stored multiple times with random data.
Using PGP Desktop, you can also create PGP-encrypted zip files that are encrypted to particular users' public keys so that only they can decrypt them, using their own private key and password.
If you are using a computer with a PGP-encrypted drive, you will need to take special steps to recover.
You have two options in this case:
Remove the drive and connect it as an external drive to a computer that has PGP Desktop installed. You should be prompted for the passphrase to access that drive, after which you will be able to access the files on it.
Create a WinPE boot disk by going to this customer help page. This will allow you to boot into the Windows PE environment, which provides console-based tools to decrypt a PGP-encrypted drive.
PGP Whole Disk Encryption has no impact on your ability to boot into single-user or verbose mode, so you may be able to do troubleshooting there. You can also boot in target disk mode and attach the machine to a computer with PGP Desktop installed.
Many helpful commands can be issued to PGP from the command line, which provides many opportunities for scripting and remote modification.