PGP Whole Disk Encryption
Training
Agenda
• WDE Overview
• Licensing
• Universal Server & Client Basics
• Installation
• Password Recovery
• OS Maintenance
Whole Disk Encryption
• Protects against: personal computer loss / theft / compromise / improper disposal
• Reduces risk of data loss and exposure of PII (personally identifiable information)
• Protects against loss of reputation
• Encrypts desktops, laptops, and removable media
• Enables business continuity without disrupting user productivity
• Demonstrates compliance with regulatory standards
Full Disk vs. File Encryption
• Unsecured
• File Encryption
– Encrypts individual files / folders
– Requires authentication to decrypt and access files
• Full Disk Encryption
– Encrypts entire hard drive
Notebook with Sensitive Info
• Threat addressed: theft or loss
• Whole disk encryption
– Best guarantee of protecting data at rest
– Only protects data on that drive (encryption doesn’t follow a file when it is copied elsewhere)
– New login prompt on boot
How it Works
• Encrypts entire drive
– Block by block (including unused space)
– Passphrase (or token) unlocks the key
• Boot sector replaced with a pre-boot authentication process
• Drive decrypts and encrypts on read/write
– Key is in memory while running, wiped on sleep
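The mechanics above, as an added illustrative model in PowerShell. This is not PGP’s code and does not reproduce PGP’s algorithms or on-disk format: it uses AES-256-CBC with a per-sector IV (ESSIV style) because .NET exposes CBC directly, whereas shipping products use tweakable sector modes such as XTS; neither mode authenticates sector contents, so a thief who cannot read the drive can still corrupt it. The sector size, PBKDF2 iteration count and passphrases are assumptions for the demo.

```powershell
# Added illustrative model of whole-disk encryption; not PGP's code, algorithms or on-disk format.
# Needs PowerShell 5.1 or later (uses .NET AES, PBKDF2 and HMAC).
using namespace System.Security.Cryptography

$SectorSize = 512   # bytes per block as presented by the drive (assumption)

function New-RandomBytes([int]$Count) {
    $buf = [byte[]]::new($Count)
    $rng = [RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    return ,$buf
}
function Get-Kek([string]$Passphrase, [byte[]]$Salt) {
    # Passphrase -> key-encryption key. PBKDF2-HMAC-SHA256; the iteration count is an assumption.
    $kdf = [Rfc2898DeriveBytes]::new($Passphrase, $Salt, 200000, [HashAlgorithmName]::SHA256)
    try { return ,$kdf.GetBytes(32) } finally { $kdf.Dispose() }
}
function Get-Hmac([byte[]]$Key, [byte[]]$Data) {
    $h = [HMACSHA256]::new($Key)
    try { return ,$h.ComputeHash($Data) } finally { $h.Dispose() }
}
function Test-SameBytes([byte[]]$A, [byte[]]$B) {
    # Constant-time comparison for the key-wrap tag.
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}
function Invoke-AesCbc([byte[]]$Key, [byte[]]$IV, [byte[]]$Data, [switch]$Decrypt) {
    $aes = [Aes]::Create()
    $aes.Mode = [CipherMode]::CBC
    $aes.Padding = [PaddingMode]::None   # sectors and keys are already multiples of 16 bytes
    $aes.Key = $Key; $aes.IV = $IV
    $xf = if ($Decrypt) { $aes.CreateDecryptor() } else { $aes.CreateEncryptor() }
    try { return ,$xf.TransformFinalBlock($Data, 0, $Data.Length) } finally { $xf.Dispose(); $aes.Dispose() }
}
function Get-SectorIV([byte[]]$Dek, [long]$Sector) {
    # The IV is a keyed function of the sector number, so two sectors holding the same
    # plaintext (e.g. all-zero unused space) do not produce the same ciphertext.
    $iv = [byte[]]::new(16)
    [Array]::Copy((Get-Hmac $Dek ([BitConverter]::GetBytes($Sector))), $iv, 16)
    return ,$iv
}
function Protect-Dek([byte[]]$Kek, [byte[]]$Dek) {
    # IV + AES-CBC(KEK, DEK) + HMAC tag: a wrong passphrase fails the tag check instead of
    # silently yielding a garbage disk key.
    $iv   = New-RandomBytes 16
    $body = [byte[]]($iv + (Invoke-AesCbc $Kek $iv $Dek))
    return ,[byte[]]($body + (Get-Hmac $Kek $body))
}
function Unprotect-Dek([byte[]]$Kek, [byte[]]$Blob) {
    $body = [byte[]]$Blob[0..47]
    if (-not (Test-SameBytes ([byte[]]$Blob[48..79]) (Get-Hmac $Kek $body))) { return $null }
    return ,(Invoke-AesCbc $Kek ([byte[]]$body[0..15]) ([byte[]]$body[16..47]) -Decrypt)
}
function New-EncryptedDisk([int]$Sectors, [string]$Passphrase) {
    $salt = New-RandomBytes 16
    $dek  = New-RandomBytes 32   # disk encryption key; the passphrase never touches sector data
    $disk = @{ Salt = $salt; Dek = $dek; Header = (Protect-Dek (Get-Kek $Passphrase $salt) $dek)
               Blocks = [System.Collections.ArrayList]::new() }
    # Initial encryption pass: every sector, used or not, is stored as ciphertext.
    for ($n = 0; $n -lt $Sectors; $n++) {
        [void]$disk.Blocks.Add((Invoke-AesCbc $dek (Get-SectorIV $dek $n) ([byte[]]::new($SectorSize))))
    }
    return $disk
}
function Unlock-Disk($Disk, [string]$Passphrase) {
    # Pre-boot authentication: the passphrase only unwraps the disk key into memory.
    $dek = Unprotect-Dek (Get-Kek $Passphrase $Disk.Salt) $Disk.Header
    if ($null -eq $dek) { return $false }
    $Disk.Dek = $dek
    return $true
}
function Lock-Disk($Disk) { $Disk.Dek = $null }   # sleep/power-off: key wiped, data stays encrypted
function Write-Sector($Disk, [int]$Sector, [byte[]]$Data) {
    if ($null -eq $Disk.Dek) { throw 'disk is locked' }
    $buf = [byte[]]::new($SectorSize)
    [Array]::Copy($Data, $buf, $Data.Length)
    $Disk.Blocks[$Sector] = Invoke-AesCbc $Disk.Dek (Get-SectorIV $Disk.Dek $Sector) $buf
}
function Read-Sector($Disk, [int]$Sector) {
    if ($null -eq $Disk.Dek) { throw 'disk is locked' }
    return ,(Invoke-AesCbc $Disk.Dek (Get-SectorIV $Disk.Dek $Sector) $Disk.Blocks[$Sector] -Decrypt)
}

# Demo: write a secret, lose the laptop (Lock-Disk), then try to get back in.
$disk   = New-EncryptedDisk -Sectors 8 -Passphrase 'correct horse battery'
$secret = [Text.Encoding]::UTF8.GetBytes('SSN 123-45-6789')
Write-Sector $disk 3 $secret
Lock-Disk $disk
'Unused sector 0 on the raw drive: ' + [Convert]::ToBase64String($disk.Blocks[0], 0, 16)
'Wrong passphrase accepted:  ' + (Unlock-Disk $disk 'guess')
'Right passphrase accepted:  ' + (Unlock-Disk $disk 'correct horse battery')
'Sector 3 after unlock:      ' + [Text.Encoding]::UTF8.GetString((Read-Sector $disk 3), 0, $secret.Length)
```

Two things to take from the model. The passphrase never encrypts data; it only unwraps the disk key, so changing it would rewrite Header and not a single sector, and in a design like this a server-held recovery token is simply a second wrapping of the same disk key. And once Lock-Disk has cleared Dek, Read-Sector fails and the raw blocks, unused ones included, are indistinguishable from random, which is the “wiped on sleep” property the slide describes.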
Doesn’t protect from
• Hacking
• Malware
• Social engineering
• Users leaving computer unlocked
• Mishandling of sensitive information
Disk Encryption Policy
• Restricted
– SSN, CCN, ePHI, PII, legally/contractually protected
• Required
– Portable with restricted data
– Desktop with >500 restricted records
• Confidential
– Access limited to a select group of employees, but not meeting the restricted definition
• Recommended
– Portable with confidential data
– Desktop with <500 restricted records
Licensing Details
• Emory currently owns 1,501 PGP licenses.
• Many units have already committed to an initial license purchase.
• Each license is $45.50. Licensed per computer, not per user.
• Additional licenses may be purchased by sending a Remedy ticket or an email to [email protected] containing the following information:
– School/Division/Business Unit name.
– Requestor’s contact information.
Server & Client Basics
• Server
– Linux based soft appliance provided by PGP.
– Maintains copies of any user keys.
– Provides encryption verification and auditing.
– Assigns user policies based on AD group membership.
• Client
– Most users will never interact with the client except to enroll.
– Client communicates with the server to report encryption status, synchronize any keys, reset recovery tokens, etc.
– Features can be enabled or disabled by policy.
Architecture
(Diagram; components shown: F5 Load Balancer VIP, LDAP Proxy, EHC Domain, Emoryunivad Domain.)
Available Features
• WDE
• PGP Shredder – securely erases files.
• PGP Zip – create encrypted zip files and self-extracting executables.
• PGP Virtual Disk – create virtual encrypted volumes (similar to TrueCrypt).
PGP Policies
• Assigned using LDAP attributes
– We will focus on AD groups
• Per user, not per computer
• Client configuration
– Available features
– Automatic or manual disk encryption
– Can end users create keys
Administrative Access
• Aladdin USB eTokens
– Windows only
– ~$40 each from CDW
• Add local user manually
• Whole disk recovery tokens
– Retrieved from server
– One-time use
Supported OSes
• Windows
– 2000, XP, Vista, 7 (both 32 and 64 bit)
– Use of PGP on Windows Server is not recommended
• Mac OS X
– 10.4-10.6
• Linux
Installation Overview
• Create policies on PGP server, associated with (emoryunivad, EHC) AD groups
• Installed via simple Windows MSI or Mac pkg installer
• Run chkdsk.exe /R on Windows clients
• Install on client, let end user “enroll”
• Client grabs policy associated with end user (based on AD group membership)
• Disk encryption starts automatically (if configured by policy)
• Additional users can be added to the system as necessary by adding a new “passphrase user”
Installation Caveats
• Active Directory groups must be created and associated with a policy prior to deployment. Do you need a delegated OU?
• The initial encryption process will find bad sectors if they exist and may also uncover failing disks. Run chkdsk.exe /R first.
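The client-side steps above (chkdsk /R, then install, then let the user enrol) as one unattended run. This is an added example, not taken from the deck or from PGP’s documentation. The MSI path, log path and volume letter are assumptions; the msiexec switches are standard Windows Installer options rather than PGP-specific ones, and the chkdsk result is read back from the Wininit event Windows writes after a boot-time check.

```powershell
# Added deployment helper; not part of the deck or of PGP. Run elevated, twice:
# the first run schedules chkdsk /R and asks for a reboot, the second checks the
# result and installs the client.
param(
    [string]$Msi    = 'C:\Deploy\PGPDesktop.msi',     # assumption: MSI from your Universal Server
    [string]$Volume = 'C:',                           # boot volume to be encrypted
    [string]$Log    = "$env:TEMP\pgp-install.log"     # assumption
)
$ErrorActionPreference = 'Stop'

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated PowerShell session.'
}

# Step 1: has chkdsk already run on the boot volume during this boot? A boot-time
# chkdsk logs its output as Wininit event 1001 in the Application log.
$result = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1001 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
if (-not $result -or $result.TimeCreated -lt $lastBoot) {
    # Not yet: answer the "schedule at next restart?" prompt, then ask for a reboot.
    'Y' | chkdsk $Volume /R
    Write-Warning "chkdsk $Volume /R scheduled for the next boot; reboot, then re-run this script."
    return
}
# Bad sectors found by the surface scan are the disks the initial encryption pass will
# choke on; stop here rather than encrypt a failing drive.
if ($result.Message -match '(\d+) KB in bad sectors' -and [int]$Matches[1] -gt 0) {
    throw "chkdsk reported $($Matches[1]) KB in bad sectors on $Volume; replace the disk before encrypting it."
}

# Step 2: unattended install with a verbose log. Exit code 3010 means a reboot is
# required, which the client needs before the user can enrol and encryption can start.
$msiArgs = "/i `"$Msi`" /qn /norestart /l*v `"$Log`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { 'Installed. Have the end user log in so the client can enrol and fetch its policy.' }
    3010    { 'Installed; reboot required before enrolment.' }
    default { throw "msiexec exited with $($proc.ExitCode); see $Log" }
}
```

Enrolment itself is still done by the user at first logon, as the slides describe; the script only gets the disk and the installer into the state the client expects.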
A Word on Groups
• Be careful not to place users into multiple groups that control PGP policy enrollment.
• If you’re creating a new group, please include PGP, your unit, and a descriptive item in the group name. E.g. EC-PGP-WDE Only, SOM-DOM-PGP-All Features.
• Be careful with users that you think might be using PGP in other schools (think faculty with dual appointments).
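A check for the first point above, added here as an example rather than taken from the deck: list every user who is a direct member of more than one PGP policy group across the two domains. It assumes the RSAT ActiveDirectory module, the naming convention suggested above (group names containing -PGP-), and that the two domains are reachable by the names given; all three are assumptions to adjust.

```powershell
# Added check, not part of the deck: find users enrolled in more than one PGP policy group.
Import-Module ActiveDirectory

$Pattern = '*-PGP-*'                # assumption: the naming convention suggested above
$Domains = @('emoryunivad', 'ehc')  # assumption: replace with the DNS names of the two domains

$members = foreach ($domain in $Domains) {
    foreach ($group in Get-ADGroup -Server $domain -Filter "Name -like '$Pattern'") {
        # Direct membership only; add -Recursive if your policy groups nest other groups.
        Get-ADGroupMember -Server $domain -Identity $group.DistinguishedName |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ User = $_.SamAccountName; Group = "$domain\$($group.Name)" } }
    }
}

# A user in two policy groups gets an ambiguous policy; fix these before enrolling anyone.
$conflicts = $members | Group-Object User | Where-Object Count -gt 1 | ForEach-Object {
    [pscustomobject]@{ User = $_.Name; Groups = ($_.Group.Group -join ', ') }
}
if ($conflicts) { $conflicts | Format-Table -AutoSize } else { 'No user is in more than one PGP policy group.' }
```

The report keys on SamAccountName, so a person with separate accounts in each domain shows up as two users; for the dual-appointment case in the last bullet, group on an attribute both accounts share (mail, for instance) instead.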
Password Recovery
• Unique, one-time-use recovery token for forgotten passphrases (Whole Disk Recovery Tokens)
• See documentation for full WDRT and forgotten passphrase steps.
OS Repair/Upgrades
• Special steps are required to upgrade the OS on systems encrypted with PGP.
– Decrypt boot drive.
– Uninstall PGP.
– Perform upgrade.
– Reinstall PGP and re-encrypt the boot drive.
• Any operation that makes a change to the MBR will require special planning.
Dual Booting
• OK as long as both OSes support PGP and both have PGP Desktop installed (e.g. Windows XP & Windows 7 on the same box).
• If dual booting Windows & Linux, the Linux partition must remain unencrypted (as of version 9).
Getting the Software
• Email [email protected], or submit a Remedy ticket with the following information:
– Full path of the AD group(s) that you will use to manage PGP policy enrollment.
– Which policy features you want enabled.
• You will receive a reply confirming that your policy has been configured, along
Where to go for Help
• Submit a Remedy ticket to the UTS Security Team to:
– Gain access to client installation software
– Request PGP policy changes
– Associate AD groups with policies
– Tier II troubleshooting
– Request WDRT administrator privileges
• Submit a Remedy ticket to the UTS Identity