K-State PGP Whole Disk Encryption: An Install Guide for Mac OSX
This guide will walk you through the steps needed to install and use PGP Whole Disk Encryption software (now
Symantec Drive Encryption). The first section will give you what you need to know about PGP before you install it and a list of system
requirements. The second section will walk you through the installation and encryption processes. The final section will outline some of the
tools that will come with PGP Whole Disk Encryption.
Information You Need to Know Before You Begin
Installing PGP Whole Disk Encryption software is a relatively easy process but requires a fair amount of time. You can start the process by
executing the install package provided for your particular operating system (OS). Before you start, be sure the computer you are installing
the software on meets the requirements below.
System Requirements
PGP Desktop Operating Systems:
Apple Mac OS X 10.4.x, 10.5.x (Intel or PowerPC)
PGP WDE Operating Systems:
Mac OS X 10.4.10 or later on Intel-based systems only
Memory (RAM):
512 MB RAM
64 MB hard drive space
Incompatible Software
Certain other software products are incompatible with PGP and can cause serious problems, including data loss.
Please make sure that you do not have the following products installed before installing PGP. For an updated list,
please visit Symantec's website.
Software that is not compatible:
- CompuTrace in MBR mode: PGP Whole Disk Encryption (now Symantec Drive Encryption) is compatible only with the BIOS
  configuration of Absolute Software's CompuTrace laptop security and tracking product. Using CompuTrace in MBR mode
  is not compatible.
- Utimaco Safeguard Easy 3.x: Do not install it on a system with PGP Desktop and do not install PGP Desktop
  on a system with Utimaco Safeguard Easy 3.x.
- Hard disk encryption products from GuardianEdge Technologies: Encryption Anywhere Hard Disk and Encryption
  Plus Hard Disk products, formerly known as PC Guardian products, are not compatible with PGP Whole Disk Encryption
  (now Symantec Drive Encryption).
The following programs will co-exist with PGP Desktop on the same system, but will block the PGP Whole Disk
Encryption feature:
- Safeboot Solo
- SecureStar SCPP
- Pointsec
Installation and Encryption
Before You Encrypt
PGP recommends the following in order to prepare your computer for whole disk encryption with their software. To help ensure
the security and integrity of your data during and after encryption, it is highly recommended you take the following steps.
Ensure That Your Disk Is Supported
The PGP WDE feature protects desktop or laptop disks (either partitions, or the entire disk), external disks, and USB flash disks.
Writable CDs and DVDs are NOT supported.
Back Up the Disk
Before you encrypt your disk, be sure to back up the disk and securely store the backup so that you won’t lose any data if your laptop
or computer is lost or stolen, or if you are unable to decrypt the disk.
Ensure the Health of the Disk
If PGP WDE encounters disk errors during encryption, it will pause the encryption process so you can repair the disk errors.
However, it is more efficient to repair errors before you initiate encryption.
To prevent data loss, the encryption process automatically stops if it encounters any errors, such as Cyclic Redundancy Check (CRC) errors
or bad sectors. This allows you to correct the errors before the encryption process resumes, which will avoid potential disk corruption
or loss of data. The easiest way to avoid these issues is to make sure your disk is healthy before you begin the encryption process.
Before you attempt to use PGP WDE, use a third-party scan disk utility that has the ability to perform a low-level integrity check and
repair any inconsistencies with the drive that could lead to CRC errors. These software applications can correct errors that would otherwise
disrupt encryption.
*As a best practice, highly fragmented disks should be defragmented before you attempt to encrypt them.
Maintain Power Throughout Encryption
Because encryption is a CPU-intensive process, encryption cannot begin on a laptop computer that is running on battery power.
The computer must be on AC power. If a laptop computer goes on battery power during the initial encryption process
(or a later decryption or re-encryption process) PGP WDE pauses its activity. When you restore AC power, the encryption or
decryption process resumes automatically. Regardless of the type of computer you are working with, your system must not lose
power, or otherwise shut down unexpectedly, during the encryption process.
Do not remove the power cord from the system before the encryption process is over.
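The system requirements and the power and disk-health steps above can be checked from Terminal before the installer is started. The script below is an added example, not part of the original guide or of PGP's tooling; its function names are hypothetical, and it assumes the stock `uname`, `sw_vers`, `pmset` and `diskutil` commands. `diskutil verifyVolume` checks file-system consistency only and does not replace the low-level scan recommended above.

```sh
#!/bin/sh
# Added example: pre-encryption checks for the "Before You Encrypt" steps.
# Parsing functions take command output as arguments (hypothetical names).

# True if dotted version $1 >= $2, compared numerically field by field
# (a plain string compare would rank 10.4.9 above 10.4.10).
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        split(have, h, "."); split(want, w, ".")
        for (i = 1; i <= 3; i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# True if `uname -m` output ($1) names an Intel CPU; PowerPC Macs
# report "Power Macintosh".
is_intel() {
    case "$1" in
        i386|x86_64) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the first line of `pmset -g batt` output ($1) names AC power.
# Assumes the power source is quoted on that line, e.g. 'AC Power'.
on_ac_power() {
    printf '%s\n' "$1" | head -n 1 | grep -q "'AC Power'"
}

run_preflight() {
    rc=0
    is_intel "$(uname -m)" ||
        { echo "FAIL: PGP WDE requires an Intel-based Mac"; rc=1; }
    version_at_least "$(sw_vers -productVersion)" 10.4.10 ||
        { echo "FAIL: Mac OS X 10.4.10 or later is required"; rc=1; }
    on_ac_power "$(pmset -g batt)" ||
        { echo "FAIL: connect AC power before encrypting"; rc=1; }
    # File-system consistency only; not a bad-sector or CRC surface scan.
    diskutil verifyVolume / >/dev/null 2>&1 ||
        { echo "FAIL: errors found on /; repair before encrypting"; rc=1; }
    echo "REMINDER: confirm a current backup exists and is stored securely"
    return $rc
}

# Run the checks only on macOS; elsewhere this file just defines functions.
if [ "$(uname -s)" = "Darwin" ]; then run_preflight; fi
```

A non-zero exit status from `run_preflight` means at least one requirement from this section is not met; the backup itself still has to be confirmed by hand.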
The following sections show the installation process step by step, with written notes and the actions to perform during each step.
Installing PGP Desktop
Double-click the PGP.pkg icon to start the installer.

Click "Continue" to continue.

Click "Continue" to continue.

You can read the Release Notes at this time; they are also available from the application menu after
the installation is complete. Click "Continue" to continue.

Select "Continue" on the License Agreement screen to continue.

Select "Agree" to continue the installation process.

You must now select a destination to install the application. This does not necessarily need to be the
same disk that will be encrypted. For most people there will only be one Volume displayed. Select "Continue"
to continue the installation.

Click "Install" to continue. No modifications or changes should be made to the installation on this screen.

You must type your computer login password on this screen. The account must have the ability to
install software. This process is the same as any other OSX application installation.
Click "OK" to continue after typing your password.

The actual installation of files will now proceed. When all files are installed, a dialog box will
appear indicating that the machine needs to be rebooted. Click "Continue Installation" to proceed.

The screen should display the installation progress.

If you get this “Invalid Authentication Certificate” warning, click “Always Allow.”

Save any open documents, close any open programs, and then click the "Restart" button to reboot your
machine. When the machine comes back up, log in to the machine as normal.
Enrolling on the PGP Universal Server
These steps are done the first time that a user logs into a machine after PGP Desktop has been installed. If there
are several users on the machine, this process will be performed
as each user logs in to the machine.
This process must be done while connected to the K-State network.
After you have logged back into the machine, navigate to your "Applications" folder.
You will notice "PGP Shredder" and "PGP" icons. Double-click the "PGP" icon to start PGP Desktop.

The PGP Enrollment Assistant will now be displayed.
Enter your K-State eID and password and click "Continue."
Note that the “domain authentication credentials” as used at K-State for this screen are
the user’s K-State eID credentials and not any department-specific Windows, AD, or Novell domain
credentials.

This window is the start of the assistant which creates a PGP key. This key is used for email, virtual
disks, and PGP Zip files only. Click "Continue."
Note: If you have run the Enrollment Assistant in the past with the same PGP user name, the Enrollment
Assistant will copy your existing key from the Universal Server onto the machine and will not run the Key
Generation assistant at all.

You need to enter a passphrase to use to protect your private key. The passphrase must be at least seven
characters long and can consist of letters (either case), numbers, and punctuation. The "Passphrase Quality"
indicates the quality (difficulty of guessing) of the passphrase. Once you have entered the passphrase in
each of the boxes, click "Create" to continue.
The "Passphrase Quality" must be at least 80% before it will be accepted.

A Quick Note on Passphrase Quality
Passphrases are the passwords that PGP uses to protect the keys that protect emails and other forms of data.
Treat the passphrase like you would any user password. Try to make it simple to remember but hard for others
to guess. Here are a few tips on making good passwords and passphrases:
- Do use a minimum of 7 characters.
- Do use a mix of upper and lowercase letters, punctuation and numbers.
- Don't use words found in any dictionary or proper names of any kind.
- Don't use personal information such as birthdates, names of family members or pets, and address information,
  unless you modify them considerably.

This screen is displayed if the Enrollment Assistant cannot locate a PGP key ring. Unless you have created
PGP keys in the past and stored them someplace other than the normal location (~/Documents/PGP/), simply keep
the default selection and click "Continue" to continue.

The key is generated and an encrypted copy is sent to the Universal Server for safekeeping.
If you use multiple machines, the Enrollment Assistant will copy this key from the Universal Server
when you run the Enrollment Assistant so that all machines you use will have the same PGP key installed.
This screen is for informational purposes only in telling you where your keys will be stored. Click "Finish"
to end the set-up of PGP Desktop. The next step is to encrypt the hard drive. Your hard drive should begin
encrypting automatically at this point.
Encryption Status
Expand the “PGP Disk” section on the menu on the left and select your Hard Disk underneath it.

The lower part of the screen shows a progress bar as the disk is encrypted. The window can be closed,
if desired, without affecting the encryption process.
If you need to pause the encryption process, click the "Stop" button. The options to "Cancel," "Pause,"
or "Decrypt" will then be displayed.
The user you have added who can access the encrypted disk is shown below.

Once the encryption process has finished, the Status will read "Encrypted-AES 256 bits" to show that the disk is encrypted.

Your disk is now encrypted and you may exit the PGP Desktop application.
PGP Tools
The PGP Desktop product contains a suite of encryption tools. Here is a quick list of the features added after the PGP product is installed.
PGP Whole Disk Encryption (WDE)
You can use this feature to protect the entire contents of your system and/or an external hard drive or USB flash drive that you specify.
Boot sectors, system files, and swap files are all encrypted. Encrypting your entire drive(s) means you do not have to worry if your
computer is lost or stolen: to access your data, an attacker would need the appropriate passphrase.
PGP Virtual Disk
This feature uses part of your hard drive space as an encrypted virtual disk volume with its own drive letter. You can create
additional users for a volume so that people you authorize can also access the volume. A PGP Virtual Disk is the perfect place
for storing your sensitive files; it is as if you have stored them in a safe. When the door of the safe is open (when the volume
is mounted), you can change files stored in it, take files out of it, and move files into it. When the door of the safe is closed
(when the volume is unmounted), all the data on the volume is protected.
PGP Zip
This feature allows you to create and manipulate encrypted Zip files. These archives can be constructed so that only the intended
recipients can access the contents, so that anyone who knows the passphrase can access the contents (optionally on a system that
does not have PGP Desktop installed), or the contents can simply be “signed” to permit the recipients to validate that
the contents have not been changed.
PGP Shredder
Completely destroys files and folders so that even file recovery software cannot recover them. Deleting a file using the Apple
Trash Bin does not actually delete it; rather, the file remains on your drive and eventually gets overwritten. Until the file is
overwritten, an attacker can easily recover the file sitting in the trash bin. PGP Shredder, in contrast, immediately overwrites
files multiple times. This is so effective that even sophisticated disk recovery software cannot recover these files. This feature
can also completely wipe free space on your drives so your deleted data is truly unrecoverable.
Originally adapted by the University of Kansas from "OSU Windows User Guide for PGP Desktop" (v1.2),
with permission from The Ohio State University, Columbus, Ohio 43210