Kansas State University

PGP Whole Disk Encryption Frequently Asked Questions

What is PGP?

PGP Whole Disk Encryption (now Symantec Drive Encryption) was chosen by SIRT to be the standard encryption software for K-State. It was evaluated extensively as a part of the data classification policy that requires encryption of all confidential university data when stored on mobile devices, such as laptops. Use of this encryption software ensures that data on a stolen or misplaced laptop can't be accessed by unauthorized individuals.

PGP Whole Disk Encryption protects the entire hard drive by using public-key encryption and makes it unreadable to anyone who does not have the proper key. The drive can be configured to open with multiple keys, which allows for use by multiple people. Each person can have their own unique key which is encrypted using a password of their choosing. An additional key is stored on the PGP management server so the server administrator can recover the data in case all the other keys are lost.

Do I need it?

If your computer or mobile device contains necessary confidential data, the data classification policy requires that you encrypt it. If the data is unnecessary, then you should remove it.

When will I get it?

There are actually three different answers to this question, depending on which of the following groups you belong to. If you're not sure which of these applies to you, contact your department's security contact.

Group 1 - Departments using the central PGP server and having iTAC install clients:
The central server is online and available for production use and installation can occur whenever arrangements can be made with iTAC and the Technology Service Center.

Group 2 - Departments using the central PGP server and installing clients internally:
The central server is online and available for production use. Client installations can be scheduled through your department security contact or IT support personnel.

Group 3 - Departments running their own PGP server and installing clients internally:
You should be contacted by your department's PGP contact in order to set up the client install when your department's PGP server is operational.

What do I need to do before installation?

Because this software operates at a low level and encrypts all data on the hard drive, we suggest that everyone take the following steps to ensure that their system continues to operate after the install. If the iTAC Technology Service Center is performing your install, they will take care of all of these for you.

  1. Back up all of the data on the computer. Even if iTAC is performing the install, it is still recommended that you keep recent backups of all of your data in a secure location. Keep in mind that if you back up any confidential K-State data, you will need to encrypt the backup as well.

  2. Test your hard drive by running scan disk if you are using Windows:
    • Open "My Computer"
    • Right-click the local disk that you want to check and select "Properties"
    • Click the "Tools" tab
    • Under Error-checking, click "Check Now"
    • Select the "Scan for and attempt recovery of bad sectors" check box
    • Click "Start"
  3. Run disk defragmentation if you are using Windows:
    • Click on the "Start Menu"
    • Select "All Programs"
    • Open the "Accessories" folder
    • Open the "System Tools" Folder
    • Click on "Disk Defragmenter"
    • Click "Defragment Disk"

How do I get help after the installation?

Any assistance needed with the product after installation should be requested from departmental support personnel or the iTAC Help Desk (532-7722).

What do I do if I forget my password?

Users of the central server can call the iTAC Help Desk (532-7722) to obtain a recovery token upon verification of identity. The recovery token (28 alphanumeric characters) can be used to decrypt the hard drive and boot the OS. Once the OS is loaded, your password can be reset using the PGP Desktop user interface. After a recovery token has been used, a new recovery token will be generated and stored on the server for future use as soon as the computer is able to communicate with the server. If you use a departmental or college PGP server instead of the central one, check with your departmental IT support personnel for recovery procedures.

How do I change my PGP password?

During setup, the system must have access to the Internet or the campus network in order to authenticate to the PGP key-server (the address is embedded in the installer and is later added to the Windows Registry or Mac User Preferences). When you reach the point in the installation where you enter your K-State eID as enrollment credentials, they are sent to the key-server, which checks them against LDAP. Once you have successfully authenticated, the server will send some configuration information to the client and also create an entry under your eID that will include information about the computer you are encrypting.

Unless your eID credentials are used to log in to the system, they are only used to create a Whole Disk Recovery Token (WDRT) with the server; the user name and password for the local user are separate and aren't sent to the server. Instead, an encrypted hash of the local password is cached in the PGP client once it is used to log in to Windows. So if you change a password, the cached copy is updated only after the new password is used, not when the password is changed. This means that if the user chooses to restart immediately after changing their password, the old password must be used on the PGP Bootguard screen, and the single sign-on feature (Windows) won't log them in because Windows is expecting the new password. To prevent this situation, the user should log out and then log in again after a password change. The cached password should update immediately and the new password will work with the PGP Bootguard screen.

If multiple users plan to use a Windows system with PGP, ensure that all of the users set unique passwords. If multiple users have the same password, PGP will assume that the last user to log in is the one authenticating.

  • Windows
    On a PC installation of PGP, single sign-on is used and accounts are verified. When you add a user to PGP, it will require that a strong password is used and that it matches the account password on the machine. If the user doesn’t exist or it has a blank password, you will receive an error message and the user will not be added. The relationship between PGP and Windows accounts is limited to those that exist and adding or removing a user in one location does not change the state of the other location. So if you remove a Windows user account, the entry will still exist and work in PGP but single sign-on will not be possible.

  • Mac
    On a Mac installation of PGP, single sign-on is not used and the passphrase users in PGP are not tied to any operating system accounts. This is because PGP writes to a preference file under the profile that installs PGP and does not add any important configuration info to the main preferences folder or user folders. Because the preferences are different for every user, when a user other than the one that installed PGP attempts to load the software, they are treated as if they are not licensed and there is no known key-server. This is now corrected by an application and documentation that is added to the installer file under “PGP-User”. So when you consider the behavior of PGP for Macs version 9.9, you could view each passphrase user as nothing more than a password that will get you past the PGP Bootguard screen.

What else is included with the PGP software?

Installation of the PGP Desktop Whole Disk Encryption software will also enable you to create encrypted volumes on any disk attached to the computer. Such volumes can exist on local drives or externally attached storage (flash drives, USB hard drives, etc.) regardless of whether whole disk encryption is used on the device. This allows you to store encrypted data on an external device without having to encrypt the entire device.

You will also have access to the PGP shredder, which will prevent recovery of deleted files by overwriting the area where they were stored multiple times with random data.

Using PGP Desktop, you can also create PGP encrypted zip files that can be encrypted to particular users' public keys so that they can decrypt them with their own private key and password.

What do I do if my computer no longer boots?

If you are using a computer with a PGP-encrypted drive, you will need to take special steps to recover.

  • Windows

    You have two options in this case:

    1. Remove the drive and connect it as an external drive to a computer that has PGP Desktop installed. You should be prompted for the passphrase to access that drive, and you will then be able to access the files on it.

    2. Create a WinPE boot disk by going to this customer help page. This will allow you to boot to the Windows PE environment, providing you with console based tools to decrypt a PGP encrypted drive.

  • Mac

    PGP Whole Disk Encryption has no impact on your ability to boot into single-user or verbose mode, so you may be able to do troubleshooting there. You can also boot the computer in target disk mode and attach it to a computer with PGP Desktop installed.

How do I reach the Command Line for PGP WDE?

Many helpful commands can be issued to PGP from a command line, which provides many opportunities for scripting and remote modification.

  • Windows
    The PGP WDE command line utility is installed at C:\Program Files\PGP Corporation\PGP Desktop\pgpwde.exe on Windows machines and "pgpwde --help" will produce a basic listing of commands. For a more complete listing of commands and explanation see the PGP Windows Command Line Guide.

  • Mac
    The PGP WDE command line utility on a Mac can be accessed by opening a terminal window and typing "pgpwde <commands>". Issuing "pgpwde --help" will produce a basic listing of commands. For a more complete listing of commands and explanation see the Mac Command Line Guide.
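The following script is an added example (not K-State's or Symantec's code) of the kind of scripting the command line makes possible: it locates the pgpwde utility described above and collects a read-only encryption status report, which is what an administrator would want when checking that laptops are actually encrypted. Only "pgpwde --help" appears on this page; the PGPWDE environment-variable override, the report file name, and the --enum, --status and --disk options are assumptions (the options are taken from the vendor command line guides referenced above and should be confirmed there). It runs in a POSIX shell, such as the Mac Terminal, and makes no changes to users or keys.

```shell
#!/bin/sh
# Added example: locate pgpwde and gather a read-only whole-disk encryption
# status report for audit/inventory purposes. Not part of the K-State FAQ or
# the PGP product; the PGPWDE override variable and the --enum/--status/--disk
# options are assumptions taken from the vendor CLI guide (only --help is on
# the page). No users, keys or disks are modified.

# Resolve the pgpwde binary: an explicit PGPWDE override (e.g. the Windows
# install path from the FAQ when run from a POSIX shell), then the PATH.
find_pgpwde() {
  if [ -n "${PGPWDE:-}" ] && [ -x "$PGPWDE" ]; then
    printf '%s\n' "$PGPWDE"
    return 0
  fi
  if command -v pgpwde >/dev/null 2>&1; then
    command -v pgpwde
    return 0
  fi
  return 1
}

# Write a status report to the given file (default: timestamped file in the
# current directory) and print the report path. Status is collected for disk
# numbers 0-3; a disk that does not exist simply produces the tool's error text.
wde_report() {
  bin=$(find_pgpwde) || {
    echo "pgpwde not found; set PGPWDE to its full path" >&2
    return 1
  }
  out=${1:-./pgpwde-status-$(date +%Y%m%d-%H%M%S).txt}
  {
    echo "host: $(uname -n)"
    echo "date: $(date)"
    echo "tool: $bin"
    echo "--- usage check (pgpwde --help) ---"
    "$bin" --help 2>&1 || true
    echo "--- disks (pgpwde --enum, assumed option) ---"
    "$bin" --enum 2>&1 || true
    d=0
    while [ "$d" -le 3 ]; do
      echo "--- status of disk $d (pgpwde --status --disk $d, assumed options) ---"
      "$bin" --status --disk "$d" 2>&1 || true
      d=$((d + 1))
    done
  } > "$out"
  printf '%s\n' "$out"
}

# Usage: wde_report            (report in the current directory)
#        wde_report /tmp/r.txt (report at the given path)
```

The report is plain text so it can be collected from many machines and compared; an unencrypted or partially encrypted disk shows up in the per-disk status section, and a missing tool is reported as an error rather than silently producing an empty file.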

Additional resources: