Set-up and Installation for PGP Server Administrators
Table of Contents
How to get the software
The client software should be configured and an installation package generated by the server. Server software is made available as a zip file
which contains bootable cd images as well as documentation. To comply with licensing restrictions, we're not publishing the link to download the
software on this page. Administrators who have purchased licenses should contact
and we will provide you with instructions on how to download the software and get the appropriate license keys.
How to install the client
What operating system are you?
You can find a full list of required server configurations at the Server Requirements page.
Running your own PGP server
If you are trying to decide whether you want to run your own PGP server or allow users to authenticate through the
central server, here are a list of pros and cons that may help you to make that decision.
Controlling your own PGP server allows you tighter control over who has access to recovery keys
You will need to provide your own method for users to recover lost passwords (Central server users can call the IT Helpdesk)
Running your own PGP server gives you the flexibility to purchase and activate additional PGP features
Hardware requirements are restrictive and potentially expensive to purchase or deploy(see above)
You would have the option to integrate with different authentication methods (Central server uses eID)
Users may find it easier to remember their eID password leading to fewer calls for reset
Default client configuration
Client configuration will be up to the department, but the default internal user policy used on the central server
is provided below for reference. If a setting is not mentioned, it can be assumed that the default settings were used.
- Key Settings
- Default settings were deemed to be sufficiently secure by SIRT.
- Guarded Key Mode is the only option available on the central server. This option will allow the users to manage their
own keys, but keeps a backup on the PGP Universal Server.
- Initial passphrase is set the the userís eID password at the time of enrollment. Once the hard drive is encrypted,
the user has the option to change their passphrase with a minimum of 7 characters on the central server.
- PGP Desktop Settings
- Permissions -- all boxes checked.
- Always encrypt to userís key is checked
- Automatically synchronize keys with servers is checked
- Automatically set up Key Reconstruction is unchecked
- Note: Key Reconstruction allows a user to reconstruct
their private key using a series of questions and answers without
intervention from a server administrator. It was decided that users
of the central server will need to contact the IT Helpdesk upon loss
of their password.
- Enable silent enrollment is checked on the central server. This simplifies the installation process.
- This information should be provided to you by the PGP License Administrator for the K-State campus.
When you get your licensing information, you will have a server key and a WDE key. The WDE information
- Messaging & Keys
- The messaging features are not licensed and are not being used on the central server, so the only
thing that should be checked on this page is the Key Management box that allows the user to locally
- File & Disk
- PGP Zip, PGP Virtual Disk, and PGP Shredder are all made available on the default client configuration.
- Netshare features are not licensed and are not being used on the central server.
- User-initiated Whole Disk Encryption Permissions
- The default configuration on the central server allows users to encrypt and
decrypt both internal and removable disks, so all boxes are checked in this section.
- Note: Any removable disk thatís encrypted in this manner
can only be accessed on a computer with PGP Desktop installed.
- Windows Single Sign-On is allowed and enabled be default on the default configuration.
- The default configuration automatically encrypts the Boot disk at installation.
- Force power failure safety is enabled on the default configuration and is highly recommended.
It takes a little bit longer to encrypt the drive with this option, but if itís not checked and the
computer loses power during encryption, all data is effectively lost.
- Enable Whole Disk Recovery Tokens is checked for all central server configurations and is highly
recommended. This is the method through which data can be recovered when passwords are lost.
- WDE BootGuard Customization
- Itís recommended that you provide users with customized text that informs them how to
gain access if they forget their password.
- The central server text reads... ďForgot your password? Please contact the
K-State IT Helpdesk at (785) 532-7722.Ē
- The central server is utilizing a customized boot screen to help identify the encrypted
resource as belonging to K-State.
- Note: Customized backgrounds are not displayed on the Mac OS client
- Audio cues are disabled by default, but can be enabled manually on the client if necessary
- Directory Synchronization (button below Internal User Policy page)
- Itís recommended that you use some directory synchronization option for your users. Any system
that supports LDAP should be able to integrate with PGP. The central server is using the Microsoft
Active Directory provided by K-State Central Computing, which is synchronized with the KEAS eID
system. Active Directory is being used rather than authenticating directly to KEAS so that
we could take advantage of groups available in Active Directory. Groups will allow you to chose
which internal user policy is applied to an installation based on group membership. The alternative
to LDAP authentication is email enrollment. This method is documented in the PGP Universal Server
- Download Client (button below Internal User Policy page)
- This is where you will go to download a customized client installer that points back to your universal
server. Here you have the option to embed a policy into the installer so that installation can be performed
offline. Mail server binding should be left as default since we are not using PGPís email services.
(which ports need to be open for the client to talk to the server)
- Clients must be able to access the management server via HTTPS on port 443; allow traffic in both directions.
- The management server must be able to make LDAP and LDAPS queries on ports 389 and 636, respectively, to the
LDAP server you are using for directory synchronization.
- If you are using email enrollment, no LDAP connectivity is required internally, but external LDAP access may be
required to support other PGP WDE functionality; key lookups or file/folder encryption, for example.
- The management server needs Internet access on port 80 for updates and licensing. Only outbound access on port 80 is
required. Licensing can be done manually without Internet connectivity, but requires use of authorization file provided to
you when you get your license keys.
- The management server needs FTP or SCP access on ports 21 or 22, respectively, for delivery of backups to an appropriate
location. Regular backups are important to support the ability to recover from unexpected failure of the PGP Universal Server.
We strongly recommend you set up regular schedule of backups of the data on your PGP Universal Server.
- You will be configuring the PGP Universal Server you are using as a management server via its web-based administrative
interface using HTTPS on port 9000, so this port needs to be open only to those individuals allowed to administer your Universal Server.
- Notification emails from the management server to administrators of the PGP Universal Server are sent via SMTP on port 25, so
that port should be open between the PGP Universal Server and the mail server that will accept email from administrators.
How to get technical support from PGP
An extensive knowledge base and community forum are available
There are also manuals online to assist with:
Phone support is only available to 2 contacts on campus.
If you'd like to schedule a call, coordinate with either: