PGP Full Disk Encryption Training Manual
Client: Habib Bank Limited
Version 1.0
Dated: September 30, 2014

Document Control
Title: PGP Full Disk Encryption Training Manual
Version: 1.1
Date of Issue: Sept 30, 2014
Author: Syed Haider Hussain

TABLE OF CONTENTS
1. Introduction 4
2. Roll out plan 4
3. Prerequisite 4
4. Software Installation Guidelines 5
5. Enrollment 11
6. Recovery Options 11
7. Contingency Plan 14

PGP Full Disk Encryption Process (Auto Encryption)

1. Introduction

Full disk encryption significantly increases the security of information stored on a laptop and helps keep our critical data confidential. It effectively mitigates unauthorized access to laptops, data breach and theft, and provides strong protection for confidential and sensitive data. To achieve this objective, we have initiated an activity of installing an encryption agent on all HBL laptops to provide full disk encryption. This document provides the deployment strategy and the step-by-step process to install Symantec PGP software on laptops.

2. Roll out plan

As a good security practice, PGP Corporation recommends testing PGP WDE on a small group of computers to ensure that PGP WDE does not conflict with any software on the computer before rolling it out to a large number of computers. This is particularly useful in environments that use a standardized Corporate Operating Environment (COE) image.

3. Prerequisite

Prerequisites for installing the PGP Full Disk Encryption application and encrypting the drive. The following Windows operating systems are supported by the Symantec Desktop Client managed by EMS:
i. Microsoft Windows 8, 8.1 Enterprise (32- and 64-bit versions)
ii. Microsoft Windows 8, 8.1 Pro (32- and 64-bit editions)
iii. Microsoft Windows 7 (all 32- and 64-bit editions, including Service Pack 1)
iv. Microsoft Windows Vista (all 32- and 64-bit editions, including Service Pack 2)
v. Microsoft Windows XP Home Edition (Service Pack 2 or 3)
vi. Microsoft Windows XP Professional 64-bit (Service Pack 2)
vii. Microsoft Windows XP Professional 32-bit (Service Pack 2 or 3)

Note: The above operating systems are supported only when all of the latest hot fixes and security patches from Microsoft have been applied.

Further prerequisites:
The laptop/desktop should be registered on the domain and the user should log in through a domain ID (e.g. domestic\haider.hussain).
Take an operating system image backup on an external drive.
The system partition should be basic; PGP Full Disk Encryption Single Sign-On functionality does not support dynamic partitions.
The laptop/desktop being encrypted should have smooth communication with the Encryption Management Server and the Domain Controller.

4. Software Installation Guidelines

Before starting the installation, ensure that all the prerequisites are met by the laptop on which encryption is to be done. A checklist has been prepared which support staff will follow to initiate the installation and enrollment of the software. Please refer to 'Annexure 1', which must be filled in for each laptop.

Below is a detailed step-by-step guide to installing Symantec PGP software on laptops.

When we run the setup, the Symantec License Agreement screen appears. Accept the license agreement and click Next.

PGP Setup asks whether to display the Release Notes. Select "Do not display the Release Notes" and click "Next".

Setup will start the installation process as shown in the installation progress screenshot. After copying the software files, setup will make the required changes on the endpoint.

Once setup is complete, you will be asked to reboot the system. To have PGP policies applied, press "Yes" and the system will reboot.

PGP uses self-signed certificates by default; HBL can use its own certificates issued by the HBL PKI setup for this. The error shown indicates that the certificate cannot be validated by a CA. Press "Allow".

A new window will pop up asking for authentication credentials.
Use access credentials as per the policies configured on EMS.

After successful application installation and user enrollment, change the user group on the Encryption Management Server from "Everyone" to "HBL_Pro_AE" and restart the system.

After rebooting, the system will show the following window for drive encryption / single sign-on and ask for a passphrase; provide the domain user passphrase that was provided for user enrollment.

In this window, PGP Desktop will ask the security questions configured on EMS through policies. These questions can be used for self-recovery in case the passphrase is lost.

5. Enrollment

If you face any error during enrollment, click the Start menu and type "run", then type "%appdata%". Go to PGP Corporation > PGP and delete the PGPpolicy and PGPpref files; the enrollment process will then start again.

6. Recovery Options

If a user forgets the password, there are several options to get through the Boot Guard screen:
I. Use the Local Self Recovery Wizard
II. WDE administrator local user account
III. Whole Disk Recovery Token

Local Self Recovery
All users have to answer 5 security questions at the time of enrollment to the PGP Universal Server. Go to the "forgot password" option at the Boot Guard screen and answer all the questions to get through the Boot Guard screen.

PGPWDE Command Line
The following commands will help diagnose and decrypt the disk. Other commands can be listed by typing pgpwde --help.
1. To begin working with the PGPWDE command line tool, open a command prompt and change to the PGP installation directory (default directory shown): C:\Program Files\PGP Corporation\PGP Desktop.
2. To list all installed hard disks in the system, type: pgpwde --enum. This command displays a list of disks which the following steps reference.
3. Type pgpwde --status --disk 1. Substitute the PGP WDE disk number listed in the previous step for the number 1 if it is different. The output of this command tells you whether the disk is still encrypted.
If the disk is not encrypted, the output will be "Disk <number> is not instrumented by bootguard". If the disk is encrypted, the output will display:
"Disk <number> is instrumented by Bootguard."
The total number of sectors.
A Highwater value (number of sectors encrypted).
Whether the current key is valid.
4. Type pgpwde --list-user --disk 1. This provides the user information contained on the disk, which helps in multi-user environments to determine which user passphrase was used for Drive Encryption.
5. Type pgpwde --decrypt --disk 1 --passphrase {MYPASSWORDHERE}. This will start the decryption process. To view progress, type the status command listed in step 3 and note the Highwater number. This number will get smaller and smaller as the number of encrypted sectors decreases.

Using Recovery Disk Images (bootg.iso or bootg.img)
Warning: The recovery disks should be used only as the last step when attempting recovery. Should there be a power loss while decrypting with the recovery disk, the result to the disk could be fatal and non-recoverable. It is also highly recommended to use the latest recovery disk available for the version you are running.

Recovery images can be obtained by following the links below:

Windows
I. PGP Desktop 9.0.x - 9.7.x for Windows Recovery Disk Images: http://www.symantec.com/docs/TECH156339
II. PGP Desktop 9.8.x - 9.12.x for Windows Recovery Disk Images: http://www.symantec.com/docs/TECH148915
III. PGP Desktop 10.0.x and 10.1.x for Windows Recovery Disk Images: http://www.symantec.com/docs/TECH152604
IV. PGP Desktop 10.2.x for Windows Recovery Disk Images: http://www.symantec.com/docs/TECH176201
V. Symantec Drive Encryption 10.3 for Windows Recovery Disk Images: http://www.symantec.com/docs/TECH199905
VI. Symantec Drive Encryption 10.3.1 for Windows Recovery Disk Images: http://www.symantec.com/docs/TECH210465
VII. Symantec Drive Encryption 10.3.2 for Windows Recovery Disk Images: http://www.symantec.com/docs/TECH214378

Mac OS X
I. PGP Desktop 10.1.x for Mac OS X Recovery Disk Images: http://www.symantec.com/docs/TECH152610
II. PGP Desktop 10.2.0 for Mac OS X Recovery Disk Images: http://www.symantec.com/docs/TECH176187
III. PGP Desktop 10.2.1 for Mac OS X Recovery Disk Images: http://www.symantec.com/docs/TECH197687
IV. Symantec Drive Encryption for Mac OS X Recovery Disk Images 10.3.0: http://www.symantec.com/docs/TECH199906
V. Symantec Drive Encryption for Mac OS X Recovery Disk Images 10.3.1: http://www.symantec.com/docs/TECH210464
VI. Symantec Drive Encryption for Mac OS X Recovery Disk Images 10.3.2: http://www.symantec.com/docs/TECH214377

Caution: Users with extended partitions on their hard disks that were encrypted should ONLY use the latest available recovery disk for their version. Prior versions could cause these partitions to no longer be visible to Windows after fully decrypting the disk. Once you have started to decrypt a disk or partition using a recovery CD, do not stop the decryption process. Depending on the size of the disk being decrypted, this process can take a long time. A faster way to decrypt the drive is to use another system that has the same version of Encryption Desktop\PGP Desktop installed on it.

To create a recovery CD
I. Make sure Encryption Desktop\PGP Desktop for Windows and Roxio Easy Media Creator or Roxio Easy CD Creator (or other software that can create a CD from an ISO image) are installed on your system.
II. Open Roxio Easy Media Creator or Roxio Easy CD Creator and choose to create a Data CD Project.
III. Select File > Record CD from CD Image. The Record CD from Hard Disk Image screen appears.
IV. Select Files of Type > ISO Image Files (ISO).
V. Navigate to the PGP Desktop directory. The default directory is C:\Program Files\PGP Corporation\PGP Desktop\.
VI. Select bootg.iso and click Open. The Record CD Setup screen appears.
VII. Insert a blank, recordable CD into a CD-ROM drive on your system.
VIII. On the Record CD Setup screen, click Start Recording. The Record CD from CD Image Progress screen appears as the ISO file is burned to the CD-ROM.
IX. When the file is burned to the CD-ROM, click OK. The recovery disk is now ready for use.
X. Remove the recovery disk from the drive and label it appropriately.

Use the recovery disk with the following instructions if experiencing blue screen failures at boot up:
1. Boot the system with the recovery disk.
2. Do not continue with the normal sequence of entering a passphrase.
3. Go to the "advanced" panel.
4. The message "PGPWDE record inconsistency on 1 disk(s) was found and fixed" might be displayed. If this message is seen, the BSOD (blue screen failure) will be fixed.
5. Return to the previous screen and continue to boot from the recovery CD. Rebooting without the recovery disk in the drive also works.

Use the recovery disk with the following instructions should the system not boot into Windows for any other reason:
I. The Symantec Encryption Desktop for Windows User's Guide provides instructions for creating recovery disks.
II. Boot the system with the recovery disk.
III. When prompted, press any key to continue.
IV. Drive Encryption Recovery searches for user records and prompts you to press any key when the records are found. Press any key to continue.
V. On the PGP Boot Guard screen, enter the passphrase and user name, if required.
VI. Press D to decrypt the drive. Drive Encryption Recovery starts decrypting your disk.
Note: Decrypting using a recovery disk might take considerably more time than it does from within Windows.

7. Contingency Plan

It is strongly recommended that before encrypting a disk, you back it up on a secure machine. If users have any issues during the encryption process, data can then be easily restored from that machine.
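The section 3 prerequisites (domain membership, domain logon, supported Windows version, basic partitions, reachability of the EMS and domain controller) can be checked by support staff before installation with the following PowerShell script. It is an added example, not part of the HBL manual or of Symantec's software; the EMS host name is a placeholder, and the 'Logical Disk Manager' partition type used to spot dynamic disks and the ICMP echo used as the connectivity test are assumptions.

```powershell
# Added example, not part of the HBL manual or Symantec's software: automates
# the section 3 prerequisite checks before PGP Full Disk Encryption is installed.
# Written for Windows PowerShell 2.0 so it also runs on Windows 7 / Vista laptops.
# ASSUMPTION: $EmsHost is a placeholder; replace it with the real EMS host name.
$EmsHost = 'ems.placeholder.local'

function New-Check($check, $pass, $detail) {
    New-Object PSObject -Property @{ Check = $check; Pass = [bool]$pass; Detail = [string]$detail }
}

function Test-PgpPrerequisites {
    param([string]$EmsServer = $EmsHost)
    $results = @()

    # 1. Machine is joined to the domain (Win32_ComputerSystem.PartOfDomain)
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $results += New-Check 'Domain-joined' $cs.PartOfDomain $cs.Domain

    # 2. Current session is a domain logon (e.g. domestic\user), not a local account
    $results += New-Check 'Domain user logon' ($env:USERDOMAIN -ne $env:COMPUTERNAME) "$env:USERDOMAIN\$env:USERNAME"

    # 3. OS is one of the versions listed in section 3 (XP, Vista, 7, 8, 8.1)
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $results += New-Check 'Supported OS' ($os.Caption -match 'Windows (XP|Vista|7|8)') "$($os.Caption) $($os.CSDVersion)"

    # 4. Basic disks only: a partition of type 'Logical Disk Manager' means a dynamic
    #    disk, which PGP WDE Single Sign-On does not support (type name is an assumption)
    $ldm = @(Get-WmiObject -Class Win32_DiskPartition | Where-Object { $_.Type -like '*Logical Disk Manager*' })
    $results += New-Check 'Basic partitions only' ($ldm.Count -eq 0) "$($ldm.Count) dynamic partition(s)"

    # 5. EMS and the domain controller that served this logon answer an ICMP echo
    $dc = $env:LOGONSERVER -replace '^\\\\', ''
    foreach ($target in @($EmsServer, $dc)) {
        if (-not $target) { continue }
        $ok = Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue
        $results += New-Check "Reach $target" $ok 'ICMP echo'
    }
    return $results
}

$checks = Test-PgpPrerequisites
$checks | Select-Object Check, Pass, Detail | Format-Table -AutoSize
if (@($checks | Where-Object { -not $_.Pass }).Count -gt 0) {
    Write-Warning 'Do not start the PGP installation until every check passes.'
}
```

Run it in an elevated PowerShell on the laptop being prepared; a failed row corresponds to an unmet item on the Annexure 1 checklist.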
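The PGPWDE command line procedure in section 6 (enumerate disks, read the status, list users, start decryption and watch the Highwater value fall) can be wrapped as below. This is an added example, not part of the HBL manual or of Symantec's software; it assumes the default installation path given in the manual, and the pattern it uses to pick the Highwater number out of the status text is a guess based on the manual's description of that output.

```powershell
# Added example, not part of the HBL manual or Symantec's software: wraps the
# pgpwde.exe commands from section 6 to report whether a disk is instrumented by
# Boot Guard and to track the Highwater value while a decryption is running.
# ASSUMPTIONS: the default install path from the manual; the pattern used to pick
# the Highwater number out of the status text is a guess from the manual's description.
$PgpDir = 'C:\Program Files\PGP Corporation\PGP Desktop'
$Pgpwde = Join-Path $PgpDir 'pgpwde.exe'

function Get-PgpwdeDiskStatus {
    param([int]$Disk = 1)
    # Step 3 of the manual: pgpwde --status --disk <n>; stderr is merged so errors are kept
    $out = (& $Pgpwde --status --disk $Disk 2>&1 | ForEach-Object { "$_" }) -join "`n"
    # "is not instrumented by bootguard" does not contain this phrase, so the test is exact
    $instrumented = $out -match 'is instrumented by bootguard'
    $highwater = $null
    if ($out -match 'highwater\D*(\d+)') { $highwater = [int64]$matches[1] }
    New-Object PSObject -Property @{ Disk = $Disk; Instrumented = $instrumented; Highwater = $highwater; Raw = $out }
}

function Watch-PgpwdeDecryption {
    # Polls the status until the disk is no longer instrumented, i.e. fully decrypted
    param([int]$Disk = 1, [int]$IntervalSeconds = 60)
    $last = $null
    while ($true) {
        $s = Get-PgpwdeDiskStatus -Disk $Disk
        if (-not $s.Instrumented) { Write-Host "Disk $Disk is no longer instrumented by Boot Guard: decryption complete."; return }
        if ($last -ne $null -and $s.Highwater -ge $last) {
            Write-Warning "Highwater did not decrease ($last -> $($s.Highwater)); decryption may have stalled."
        }
        Write-Host "Disk $Disk highwater: $($s.Highwater) sectors still encrypted"
        $last = $s.Highwater
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Usage: steps 2 to 5 of the manual. The passphrase is prompted for rather than
# pasted into the script, but it still goes to pgpwde.exe on the command line.
& $Pgpwde --enum
$status = Get-PgpwdeDiskStatus -Disk 1
$status | Format-List Disk, Instrumented, Highwater
if ($status.Instrumented) {
    & $Pgpwde --list-user --disk 1
    $pw = Read-Host 'Passphrase of the enrolled user'
    & $Pgpwde --decrypt --disk 1 --passphrase $pw
    Watch-PgpwdeDecryption -Disk 1
}
```

Replace the disk number 1 with the one reported by pgpwde --enum, exactly as step 3 of the manual says.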