Set-up and Installation for PGP Server Administrators
How to get the software
The client software is configured on the server, which then generates the client installation package. The server software is distributed as a zip file
which contains bootable CD images as well as documentation. To comply with licensing restrictions, we are not publishing the link to download the
software on this page. Administrators who have purchased licenses should contact
and we will provide you with instructions on how to download the software and get the appropriate license keys.
How to install the client
Server requirements
(For those considering running their own server)
You can find a full list of required server configurations at the Server Requirements page.
Running your own PGP server
If you are trying to decide whether to run your own PGP server or to let your users authenticate through the
central server, here is a list of pros and cons that may help you make that decision.
Pros
- Controlling your own PGP server gives you tighter control over who has access to recovery keys.
- Running your own PGP server gives you the flexibility to purchase and activate additional PGP features.
- You have the option to integrate with different authentication methods (the central server uses eID).
Cons
- You will need to provide your own method for users to recover lost passwords (central server users can call the IT Helpdesk).
- Hardware requirements are restrictive and potentially expensive to purchase or deploy (see Server requirements above).
- Users may find it easier to remember their eID password than a separate one, so the central server tends to generate fewer password reset calls.
Default client configuration
Client configuration is up to each department, but the default internal user policy used on the central server
is provided below for reference. If a setting is not mentioned, assume the default setting was kept.
- Key Settings
- Generation
- Default settings were deemed to be sufficiently secure by SIRT.
- Management
- Guarded Key Mode is the only option available on the central server. It lets users manage their
own keys while the PGP Universal Server keeps a backup copy of each key.
- Options
- The initial passphrase is set to the user's eID password at the time of enrollment. Once the hard drive is encrypted,
the user has the option to change the passphrase; the central server enforces a minimum of 7 characters.
- PGP Desktop Settings
- General
- Permissions -- all boxes checked.
- Keys
- Always encrypt to user’s key is checked
- Automatically synchronize keys with servers is checked
- Automatically set up Key Reconstruction is unchecked
- Note: Key Reconstruction allows a user to reconstruct
their private key using a series of questions and answers without
intervention from a server administrator. It was decided that users
of the central server will need to contact the IT Helpdesk upon loss
of their password.
- Enable silent enrollment is checked on the central server. This simplifies the installation process.
- Licensing
- This information should be provided to you by the PGP License Administrator for the K-State campus.
Your licensing information consists of a server key and a WDE key; the WDE license information
is entered on this page.
- Messaging & Keys
- The messaging features are not licensed and are not used on the central server, so the only
box that should be checked on this page is the Key Management box, which allows the user to manage
keys locally.
- File & Disk
- PGP Zip, PGP Virtual Disk, and PGP Shredder are all made available on the default client configuration.
- Netshare
- Netshare features are not licensed and are not being used on the central server.
- WDE
- User-initiated Whole Disk Encryption Permissions
- The default configuration on the central server allows users to encrypt and
decrypt both internal and removable disks, so all boxes are checked in this section.
- Note: Any removable disk that’s encrypted in this manner
can only be accessed on a computer with PGP Desktop installed.
- Windows Single Sign-On is allowed and enabled by default in the default configuration.
- The default configuration automatically encrypts the Boot disk at installation.
- Force power failure safety is enabled on the default configuration and is highly recommended.
It takes a little bit longer to encrypt the drive with this option, but if it’s not checked and the
computer loses power during encryption, all data is effectively lost.
- Enable Whole Disk Recovery Tokens is checked for all central server configurations and is highly
recommended. This is the method through which data can be recovered when passwords are lost. The tokens
are held on the PGP Universal Server, which is one more reason the server backups described under Firewall configuration matter.
- WDE BootGuard Customization
- It’s recommended that you provide users with customized text that informs them how to
gain access if they forget their password.
- The central server text reads... “Forgot your password? Please contact the
K-State IT Helpdesk at (785) 532-7722.”
- The central server is utilizing a customized boot screen to help identify the encrypted
resource as belonging to K-State.
- Note: Customized backgrounds are not displayed on the Mac OS client
- Audio cues are disabled by default, but can be enabled manually on the client if necessary
- Directory Synchronization (button below the Internal User Policy page)
- It is recommended that you use a directory synchronization option for your users. Any system
that supports LDAP should be able to integrate with PGP. The central server uses the Microsoft
Active Directory provided by K-State Central Computing, which is synchronized with the KEAS eID
system. Active Directory is used rather than authenticating directly to KEAS so that
we can take advantage of the groups available in Active Directory. Groups let you choose
which internal user policy is applied to an installation based on group membership. The alternative
to LDAP authentication is email enrollment. This method is documented in the PGP Universal Server
Administrator's Guide.
- Download Client (button below Internal User Policy page)
- This is where you will go to download a customized client installer that points back to your universal
server. Here you have the option to embed a policy into the installer so that installation can be performed
offline. Mail server binding should be left as default since we are not using PGP’s email services.
Firewall configuration
(which ports need to be open between the clients, the management server and the services the server depends on)
- Clients must be able to reach the management server via HTTPS on port 443. On a stateful firewall it is enough to allow
the inbound connection to the server; the return traffic belongs to the established session.
- The management server must be able to make LDAP and LDAPS queries on ports 389 and 636, respectively, to the
LDAP server you are using for directory synchronization.
- If you are using email enrollment, the management server needs no LDAP connectivity to an internal directory, but outbound LDAP
access may still be required for other PGP Desktop functionality, for example key lookups on external keyservers or file/folder encryption to other users' keys.
- The management server needs outbound Internet access on port 80 for updates and licensing; no inbound access on port 80 is
required. Licensing can be done manually without Internet connectivity, but this requires the authorization file provided to
you with your license keys.
- The management server needs FTP or SCP access, on port 21 or 22 respectively, to deliver backups to an appropriate
location. Prefer SCP: FTP sends the credentials and the backup archive in the clear. Regular backups are important to support recovery
from an unexpected failure of the PGP Universal Server (they are also where the recovery tokens and key backups live), so we strongly recommend a regular backup schedule.
- You will be configuring the PGP Universal Server you are using as a management server via its web-based administrative
interface using HTTPS on port 9000, so this port needs to be open only to those individuals allowed to administer your Universal Server.
- Notification emails from the management server to the PGP Universal Server administrators are sent via SMTP on port 25, so
that port should be open from the PGP Universal Server to the mail server that will accept mail from it for delivery to the administrators.
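To confirm the rules above from each side, here is an added Python reachability check (example code, not from the original page or from PGP). It probes each listed flow with a plain TCP connect, which is what a firewall rule permits or drops; it does not verify that the far end actually speaks HTTPS, LDAP or SMTP. The host names are placeholders (assumptions), and since the vendor's update and licensing hosts are not named on this page, that entry is a placeholder too.

```python
"""Reachability check for the PGP Universal Server port requirements listed above.

Added example; not code from the original page or from PGP. Host names are
placeholders. A TCP connect answers "does the firewall let this through", not
"is the right service listening".
"""
import socket

# (source role, destination host, TCP port, purpose) for every flow listed above.
REQUIRED_FLOWS = [
    ("client", "pgp.example.edu",     443,  "client to management server (HTTPS)"),
    ("server", "ad.example.edu",      389,  "LDAP directory synchronization"),
    ("server", "ad.example.edu",      636,  "LDAPS directory synchronization"),
    ("server", "updates.example.com",  80,  "outbound updates and licensing (HTTP); placeholder host"),
    ("server", "backup.example.edu",   22,  "SCP delivery of server backups"),
    ("admin",  "pgp.example.edu",    9000,  "administrative web interface (HTTPS)"),
    ("server", "mail.example.edu",     25,  "SMTP notifications to administrators"),
]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within `timeout` seconds.

    A refused connection, a timeout (what a firewall DROP looks like) and a DNS
    failure all come back as False; the caller only needs the verdict.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def flows_for_role(flows, role):
    """The (host, port, purpose) entries a machine acting as `role` must be able to reach."""
    return [(host, port, purpose) for src, host, port, purpose in flows if src == role]


def check_role(role, flows=REQUIRED_FLOWS, timeout=3.0):
    """Probe every flow for `role`; returns {"host:port": reachable} so results can be asserted on."""
    return {
        "%s:%d" % (host, port): tcp_reachable(host, port, timeout)
        for host, port, _purpose in flows_for_role(flows, role)
    }


def demo_loopback():
    """Offline demonstration of both verdicts: a listening loopback port is reported
    reachable, and the same port is reported unreachable once the listener is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print("loopback while open / after close:", demo_loopback())
    # Run on a workstation to check the client side; use "server" or "admin" on those hosts.
    for target, ok in check_role("client").items():
        print("%-26s %s" % (target, "reachable" if ok else "BLOCKED or down"))
```

Run it once from a client workstation, once from the management server and once from an administrator's machine, changing the role argument each time; a False on the server's port 9000 check from an ordinary client is the expected result, since that port is meant to be open only to administrators.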
How to get technical support from PGP
An extensive knowledge base and community forum are available at http://support.pgp.com or you can access the PGP documentation online.
There are also manuals online to assist with:
Phone support is only available to 2 contacts on campus.
If you'd like to schedule a call, coordinate with either Josh McCune (532-2598) or Anthony Cobb (532-4348).
Additional resources: