Skip to the content

Kansas State University

K-State PGP Whole Disk Encryption: An install Guide for Mac OSX

This guide contains information related to the installation and usage of the PGP Desktop product at The University of Kansas. PGP Desktop is the foundation application for the PGP Whole Disk Encryption product as well as various complementary utilities. The first section contains information that should be read and understood before any installation is attempted. The next section walks the user through the process of installing the software and encrypting the hard drive. The final section describes how to use the other portions of the software package. Parts of this document are taken in whole or in part from the PGP Desktop 9.9 Quick Start Guide and PGP Desktop 9.9 User’s Guide; these parts have been customized for the basic environment within the University.

Table of Contents

Information You Need to Know Before You Begin

Installing the PGP Desktop product is a simple process. Users can initiate the process by executing the install package for their operating system. This package can be stored locally, on removable media or even via a network share. Be sure the computer you are attempting to install the software on meets the following requirements.

System Requirements


PGP Desktop Operating Systems:

Apple Mac OS X 10.4.x, 10.5.x (Intel or PowerPC)


PGP WDE Operating Systems:

Mac OS X 10.4.10 or later on Intel-based systems only


Memory (RAM):

512 MB RAM 64 MB hard drive space

Incompatible Software


Certain other disk protection software products are incompatible with PGP WDE and can cause serious disk problems, up to and including loss of data. Please note the following known interoperability issues, and please review the PGP Desktop Release Notes for the latest updates to this list.

Software that is not compatible:

  • CompuTrace in MBR mode: PGP Whole Disk Encryption is compatible only with the BIOS configuration of Absolute Software's CompuTrace laptop security and tracking product. Using CompuTrace in MBR mode is not compatible.
  • Utimaco Safeguard Easy 3.x:Do not install it on a system with PGP Desktop and do not install PGP Desktop on a system with Utimaco Safeguard Easy 3.x.
  • Hard disk encryption products from GuardianEdge Technologies: Encryption Anywhere Hard Disk and Encryption Plus Hard Disk products, formerly known as PC Guardian products, are not compatible with PGP Whole Disk Encryption.

The following programs will co-exist with PGP Desktop on the same system, but will block the PGP Whole Disk Encryption feature:

  • Safeboot Solo
  • SecureStar SCPP
  • Pointsec

What is Installed?


The PGP Desktop product contains a suite of encryption tools. Here is a quick list of the features added after the PGP product is installed.

PGP Whole Disk Encryption (WDE)

You can use this feature to protect the entire contents of your system and/or an external hard drive or USB flash drive that you specify. Boot sectors, system files, and swap files are all encrypted. Encrypting your entire drive(s) means you do not have to worry if your computer is lost or stolen: to access your data, an attacker would need the appropriate passphrase to gain access to the data.

PGP Virtual Disk

This feature uses part of your hard drive space as an encrypted virtual disk volume with its own drive letter. You can create additional users for a volume so that people you authorize can also access the volume. A PGP Virtual Disk is the perfect place for storing your sensitive files; it is as if you have stored them in a safe. When the door of the safe is open (when the volume is mounted), you can change files stored in it, take files out of it, and move files into it. When the door of the safe is closed (when the volume is unmounted), all the data on the volume is protected.

PGP Zip

This feature allows you to create and manipulate encrypted Zip files. These archives can be constructed so that only the intended recipients can access the contents, so that anyone who knows the pass phrase can access the contents (optionally on a system that does not have PGP Desktop installed), or the contents can simply be “signed” to permit the recipients to validate that the contents have not been changed.

PGP Shredder

Completely destroys files and folders so that even file recovery software cannot recover them. Deleting a file using the Apple Trash Bin does not actually delete it; rather, the file remains on your drive and eventually gets overwritten. Until the file is overwritten, an attacker can easily recover the file sitting in the trash bin. PGP Shredder, in contrast, immediately overwrites files multiple times. This is so effective that even sophisticated disk recovery software cannot recover these files. This feature can also completely wipe free space on your drives so your deleted data is truly unrecoverable.

Before You Encrypt


PGP Corporation recommends the following best practices for preparing to encrypt your disk with PGP WDE. Please follow the recommendations below to protect your data during and after encryption.

Ensure That Your Disk Is Supported

PGP WDE feature protects desktop or laptop disks (either partitions, or the entire disk), external disks, and USB flash disks. Writable CDs and DVDs are NOT supported.

Backup the Disk

Before you encrypt your disk, be sure to backup the disk and securely store it so that you won’t lose any data if your laptop or computer is lost, stolen, or you are unable to decrypt the disk.

Ensure the Health of the Disk

If PGP WDE encounters disk errors during encryption, it will pause the encryption process so you can repair the disk errors. However, it is more efficient to repair errors before you initiate encryption.

PGP Corporation deliberately takes a conservative stance when encrypting drives, to prevent loss of data. It is not uncommon to encounter Cyclic Redundancy Check (CRC) errors while encrypting a hard disk. If PGP WDE encounters a hard drive or partition with bad sectors, PGP WDE will, by default, pause the encryption process. This pause allows you to remedy the problem before continuing with the encryption process, thus avoiding potential disk corruption and lost data. To avoid disruption during encryption, PGP Corporation recommends that you start with a healthy disk by correcting any disk errors prior to encrypting.

Before you attempt to use PGP WDE, use a third-party scan disk utility that has the ability to perform a low-level integrity check and repair any inconsistencies with the drive that could lead to CRC errors. These software applications can correct errors that would otherwise disrupt encryption.

****As a best practice, highly fragmented disks should be defragmented before you attempt to encrypt them.

Maintain Power Throughout Encryption

Because encryption is a CPU-intensive process, encryption cannot begin on a laptop computer that is running on battery power. The computer must be on AC power. If a laptop computer goes on battery power during the initial encryption process (or a later decryption or re-encryption process) PGP WDE pauses its activity. When you restore AC power, the encryption or decryption process resumes automatically. Regardless of the type of computer you are working with, your system must not lose power, or otherwise shut down unexpectedly, during the encryption process.

Do not remove the power cord from the system before the encryption process is over.

Installation Process


The following sections show the installation process step by step. The instructions are arranged in a side-by-side presentation, with an image of what you should see next to written notes and the actions to perform during each step. Clicking on most images will present a larger version.

Installing PGP Desktop

Double-click on the PGP.pkg icon this will start the installer.

PGP.pkg

Click "Continue" to continue...

PGP 1

Click "Continue" to continue...

PGP 2
PGP 3

You can read the Release Notes at this time; they are also available from the application menu after the installation is complete. Click "Continue" to continue.

PGP 4

Select "Continue" on the License Agreement screen to continue.

PGP 5

Select "Agree" to continue the installation process.

You must now select a destination to install the application. This does not necessarily need to be the same disk that will be encrypted. For most people there will only be one Volume displayed. Select "Continue" to continue the installation.

PGP 6

Click "Install" to continue. No modifications or changes should be done to the installation on this screen.

PGP 7
PGP 8

You must type your computer login password on this screen. The account must have the ability to install software. This process is the same as any other OSX application installation. Click "OK" to continue after typing your password.

The actual installation of files will now proceed. When all files are installed, a dialog box will appear indicating that the machine needs to be rebooted. Click "Continue Installation" to proceed.

PGP 9

This screen displays the installation progress... just watch it... and enjoy...

PGP 10
PGP 8

If you get this “Invalid Authentication Certificate” warning, click “Always Allow”

Save any open documents, close any open programs, and then click the "Restart" button to reboot your machine. When the machine comes back up, log in to the machine as normal.

PGP 11

Enrolling on the PGP Universal Server

These steps are done the first time that a user logs into a machine after PGP Desktop has been installed. If there are several users on the machine, this process will be performed as each user logs in to the machine.

This process must be done while connected to the K-State network.

After you have logged back into the machine, you will need to navigate to your "Applications" folder. You will notice a "PGP Shredder" and "PGP" icons. Double-click on the "PGP" icon to start PGP Desktop.

PGP 12
PGP 13

The PGP Enrollment Assistant will now be displayed....

Enter your K-State eID and password and click "Continue."

Note that the “domain authentication credentials” as used at K-State for this screen are the user’s K-State eID credentials and not any department-specific Windows, AD, or Novell domain credentials.

PGP 14

This window is the start of the assistant which creates a PGP key. This key is used for email, virtual disks, and PGP Zip files only. Click "Continue."

Note: If you have run the Enrollment Assistant in the past with the same PGP user name, the Enrollment Assistant will copy your existing key from the Universal Server onto the machine and will not run the Key Generation assistant at all.

You need to enter a passphrase to use to protect your private key. The passphrase must be at least seven characters long and can consist of letters (either case), numbers, and punctuation. The "Passphrase Quality" indicates the quality (difficulty of guessing) of the passphrase. Once you have entered the passphrase in each of the boxes, click "Create" to continue.

The "Passphrase Quality" must be at least 80% before it will be accepted.

PGP 15
A Quick Note on Passphrase Quality

Passphrases are the passwords that PGP uses to protect the keys that protect emails and other forms of data. Treat the passphrase like you would any user password. Try and make it simple to remember but hard for others to guess. Here are a few tips on making good passwords and passphrases:

  • Do use a minimum of 7 characters.
  • Do use a mix of upper and lowercase letters, punctuation and numbers.
  • Don't use words found in any dictionary or proper names of any kind.
  • Don't use personal information such as birthdates, names of family members or pets, and address information, unless you modify them considerably.

This screen is displayed if the Enrollment Assistant cannot locate a PGP key ring. Unless you have created PGP keys in the past and store them someplace other than the normal location (~/Documents/PGP/), simply keep the default selection and click "Continue" to continue.

PGP 18

The key is generated and an encrypted copy is sent to the Universal Server for safekeeping. If you use multiple machines, the Enrollment Assistant will copy this key from the Universal Server when you run the Enrollment Assistant so that all machines you use will have the same PGP key installed.

This screen is for informational purposes only in telling you where your keys will be stored. Click "Finish" to end the set-up of PGP Desktop. The next step is to encrypt the hard drive. Your hard drive should begin encrypting automatically at this point.

PGP 19

Encryption Status
PGP 20

Expand the “PGP Disk” section on the menu on the left and select your Hard Disk underneath it.

PGP 25

The lower part of the screen shows a progress bar as the disk is encrypted. The window can be closed, if desired, without affecting the encryption process.

If you need to pause the encryption process, click the "Stop" button. The options to "Cancel," "Pause," or "Decrypt" will then be displayed.

The user you have added that can access the encrypted disk shows below.

Once the encryption process has finished, the Status will say--"Encrypted-AES 256 bits" to show that the disk is encrypted.

PGP 26

Your Disk is now encrypted and you may exit the

PGP Desktop application.

Originally adapted by the University of Kansas from "OSU Windows User Guide for PGP Desktop"(v1.2), with permission from The Ohio State University, Columbus, Ohio 43210