Symantec PGP Command Line Encryption Evaluation Guide

Symantec PGP Command Line
Encryption Evaluation Guide
Covers version 10.3 of PGP Command Line
Getting Started
Installing PGP Command Line is the first step for a Proof-of-Concept, so this document details
system requirements and deployment considerations for PGP Command Line.
Make sure that you complete the "Steps to Do before Starting Evaluation" checklist on the next page
in advance of the evaluation. If you will be purchasing hardware, consult the Technical
Requirements before completing any other steps so you have time to order and receive the
hardware. Keep in mind that the Technical Requirements listed in this document are scaled
down for an evaluation.
Contents
PGP Command Line Encryption Checklist .......................................................................................... 3
Notes .................................................................................................................................................. 4
PGP Command Line Encryption Evaluation Architecture .................................................................. 5
Technical Requirements..................................................................................................................... 6
Reference material............................................................................................................................. 13
Test Plan ............................................................................................................................................. 14
Command Line Encryption Checklist
Use the following checklists as an overview of the steps that need to be accomplished for the
evaluation.
Steps To Do Before Starting Evaluation
 Use the sample test plan at the end of this document to help you create your own test
criteria and plan.
 Prepare a compatible environment. This will include:
o Creating a virtual machine (or a physical host) for PGP Command Line. Specific
system requirements are located in the Technical Requirements section of this
document.
o Alternatively, because PGP Command Line is a small application that does not change
system settings or alter system behavior, you can install it on any compatible
system for testing. Avoid systems that hold production data or that already have
other encryption software installed.
 Download the 10.3 version from the PGP Command Line trialware page.
Evaluation Steps
 Install PGP Command Line
 Complete post-installation steps for PGP Command Line:
o License PGP Command Line
o Generate a cryptographic keypair
o Export a public key
o Import a public key
o Encrypt and decrypt a file
o Sign and verify a file
 Perform desired tests
Symantec PGP Command Line Evaluation Guide
3
Notes
 This document has been written for customers, Symantec Sales Engineers, and partner
Technical Pre-Sales Engineers.
 This document assumes the reader is knowledgeable about PGP products (has done practice or
production installations, has read the documentation, and is familiar with the Knowledgebase).
 This document assumes the reader has access to Symantec technical publications.
 This evaluation guide assumes the use of a lab environment, which is recommended for testing. If
production equipment will be used, take a current backup of all related systems first and check
the current release notes for potential incompatibilities. Do not encrypt production data
during this testing.
Technical Requirements
All systems that are part of the evaluation should meet or exceed the minimum system requirements
defined below.
PGP Command Line Requirements
Component: Specifications
Processor: 1 GHz or faster processor recommended
Memory: 1 GB required
Hard Disk: 2 GB of available hard-disk space
Operating System (one of):
Windows Server 2012
Windows 8 Enterprise
Windows 8 Pro
Windows Server 2008
Windows Server 2008 R2
Windows 7
Windows Vista
Windows Server 2003
Windows XP Pro
HP-UX 11i and above (Itanium 2 and similar processors, 64-bit)
IBM AIX 5.3 (TL11+) and 6.1 (TL4+, PowerPC)
Red Hat Enterprise Linux 5.4, 5.5, 5.8, 6.0 (x86 and x86_64), 6.4 (x86_64)
SUSE Linux Enterprise Server 10 SP2 (x86), 11 (x86 and x86_64)
Oracle Solaris 9, 10 (SPARC, 32-bit), 11 (SPARC, 64-bit)
Oracle Solaris 10 (x86)
Oracle Solaris 10, 11 (x86_64)
Apple Mac OS X 10.5, 10.6, 10.8.2, 10.8.3 (x86)
Other requirements
Virtual environments are commonly used for testing PGP Command Line.
Sandbox Environment:
An internal file server:
 If you are able to choose your test domain name, use "acme.com" for the internal domain.
 Create at least one user account for the users on your server.
Installation and Configuration Steps – Command Line
In this section we will briefly discuss the tasks that must be performed to prepare PGP Command Line
for the test environment. Other documentation covers this in more detail, including the PGP Command
Line User’s Guide, chapter 2. This document will give only the steps necessary to prepare for this
evaluation.
Please download the most current PGP Command Line User’s Guide to help you complete the tasks
referenced here. A chart of PGP Command Line commands can be found here. Other Symantec PGP
documentation can be found here.
Important information for our environment
PGP Command Line hostname:
IP Address:
Administrator credentials:
Server installation
1) Use the Installing on Windows section of the PGP Command Line User’s Guide on pages 19-21 to
complete a Default installation. The installation process typically takes 5-10 minutes.
Licensing PGP Command Line
1) Log on to the system where PGP Command Line is installed.
2) Open a command prompt.
3) Run this command (on a single line):
pgp --license-authorize --license-name "Authorized User" --license-organization "Authorized Company" --license-number "D4LVN-LH6UG-CUNWP-YLMBP-GDR59-PVA"
Generate a cryptographic keypair
1) Run the command (on a single line, with straight double quotes):
pgp --gen-key "MYORGANIZATION response@example.com" --key-type rsa --bits 2048 --passphrase "passphrases are better than passwords"
Note: you will need to choose your own name (MYORGANIZATION), email address
(response@example.com), key type (rsa), key size (2048), and passphrase ("passphrases are better
than passwords"). The same passphrase is needed later to sign keys, sign files, and decrypt files.
Be aware that a passphrase given on the command line is visible to other users of the system in
process listings and is saved in the shell's command history, so use this form only in the lab.
Sending your public key
1) Run the command, using the name you gave to --gen-key:
pgp --export MYORGANIZATION
2) A new file called "MYORGANIZATION.asc" is created, containing only your public key. Send this
file to the business partner that needs to send you encrypted files. Never send your private key.
Receiving a public key
Receiving a public key has several important security steps:
a) Save the received public key to a file
b) Import the public key
c) Fingerprint the public key
d) Validate the public key
e) Set trust on the public key
Improper handling here invalidates the security and potentially allows an attacker (man-in-the-middle)
who substituted their own key to intercept and read the communications. This is a VITAL security step.
It must be done for each recipient and repeated whenever the recipient changes keys.
Save the received public key to a file
For this section, assume the file is called “consultant.asc”
Import the public key
1) Run the command:
pgp --import consultant.asc
Verifying the public key
1) Find the key by running this command:
pgp --list-keys consultant
2) Provided just one key is listed, run this command to generate a human-readable "fingerprint" of
the key as a list of words:
pgp --fingerprint consultant --biometric
The result is the key's fingerprint rendered as a unique sequence of words. Record it.
3) Now contact the owner of that key out of band. If you received the email from
"fred@gmail.com", use a phone number obtained separately (not from the signature line, not
from the site that also provided the email address, etc.). Ideally this is a person you
already know, have met face-to-face, and trust.
4) Ask them to read you the fingerprint words of their key (do not read yours to them, or an
attacker could simply agree). If the words match what you recorded, you have confirmed that the
key you received is theirs and not an attacker's. If they differ, do not trust or use the key.
Trust the public key
1) In order to trust a key, you first sign it (recording that you verified its fingerprint) and
then set the trust on it. Do this only after the fingerprint check above has succeeded.
2) Sign the key (on a single line):
pgp --sign-key consultant --signer MYORGANIZATION --passphrase "passphrases are better than passwords"
3) Trust the key:
pgp --set-trust consultant --trust complete
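The import, fingerprint, sign and trust steps above are easy to get wrong when repeated for many partners, because nothing stops an operator from signing a key whose fingerprint was never compared. The following script is an added example, not part of the Symantec guide and not Symantec code: it gates --sign-key and --set-trust on a fingerprint obtained out of band. It assumes the pgp binary is on PATH and that "pgp --fingerprint" prints the fingerprint in hexadecimal somewhere in its output; it does not assume the exact layout of that output. The function names and the way the expected fingerprint is passed in are this example's own.

```shell
#!/bin/sh
# Added example (not from the Symantec guide): only sign and trust an imported
# key when its fingerprint matches the one read to us out of band.
# Assumption: "pgp" is on PATH and "pgp --fingerprint USER" prints the
# fingerprint in hex (layout of the rest of the output is not assumed).

# Normalize a fingerprint for comparison: drop whitespace and colons and
# uppercase the hex digits, so "ab:cd 12" and "ABCD12" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ' \t\r\n:' | tr 'a-f' 'A-F'
}

# fingerprints_match EXPECTED ACTUAL_OUTPUT
# Returns 0 when the expected fingerprint (hex, as obtained out of band) occurs
# in the fingerprint output, 1 otherwise. Rejects an expected value that is not
# pure hex or is shorter than 32 hex digits, so a partial or garbled value
# cannot match by accident.
fingerprints_match() {
    expected=$(normalize_fp "$1")
    actual=$(normalize_fp "$2")
    case "$expected" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ "${#expected}" -ge 32 ] || return 1
    case "$actual" in
        *"$expected"*) return 0 ;;
        *) return 1 ;;
    esac
}

# import_and_trust KEYFILE USERID EXPECTED_FP SIGNER PASSPHRASE
# Imports the key, compares its fingerprint with EXPECTED_FP and, only on a
# match, signs it with SIGNER's key and sets complete trust. On a mismatch the
# key stays imported but unsigned and untrusted, and the function returns 1 so
# a calling script stops before encrypting anything to it.
import_and_trust() {
    keyfile=$1; userid=$2; expected_fp=$3; signer=$4; passphrase=$5
    pgp --import "$keyfile" || return 1
    fp_out=$(pgp --fingerprint "$userid") || return 1
    if ! fingerprints_match "$expected_fp" "$fp_out"; then
        echo "fingerprint mismatch for $userid; NOT signing or trusting the key" >&2
        return 1
    fi
    pgp --sign-key "$userid" --signer "$signer" --passphrase "$passphrase" || return 1
    pgp --set-trust "$userid" --trust complete
}

# Usage with pgp installed (the fingerprint value is a placeholder for the one
# the key owner reads to you over the phone):
# import_and_trust consultant.asc consultant "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" \
#     MYORGANIZATION "passphrases are better than passwords"
```

The comparison is done on the hexadecimal fingerprint rather than on the biometric word list, because hex is what most partners will send or read back and it can be compared mechanically; the word list shown in the guide is meant for reading aloud. As in the guide's own commands, the passphrase is passed on the command line, which exposes it in process listings; keep that to the lab.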
Encrypting a file
Assume, for this section, that the file that needs to be encrypted is called “file.txt” and that it needs to
go to “consultant”, as previously configured.
1) Run this command:
pgp --encrypt file.txt --recipient consultant
2) A file called “file.txt.pgp” should be created – send this to “consultant”.
Decrypting a file
Assume, for this section, that the file that needs to be decrypted is called "results.txt.pgp" and
was encrypted to your key.
1) Run this command, using the passphrase you chose when generating your keypair:
pgp --decrypt results.txt.pgp --passphrase "passphrases are better than passwords"
2) A file called "results.txt" should be created.
Signing a file
Assume, for this section, that the file that needs to be signed is called "autograph.txt".
1) Run this command, using the passphrase you chose when generating your keypair:
pgp --sign autograph.txt --passphrase "passphrases are better than passwords"
2) A file called "autograph.txt.pgp" should be created, containing the file and its signature.
Verifying the signature on a file
Assume, for this section, that the file that needs to be verified is called "autograph.txt.pgp".
1) Run this command:
pgp --verify autograph.txt.pgp
2) PGP Command Line reports whether the signature is good and which key made it; --verify checks
the signature only and does not write out the signed content. To check the signature and also
recover "autograph.txt", run "pgp --decrypt autograph.txt.pgp" instead. Treat anything other
than a good signature from the expected, trusted key as a failed verification.
Congratulations! You have just deployed PGP Command Line Encryption!
If you need to test other features please consult with your Symantec representative.
Helpful links and reference material
1) For the Support KB landing page for PGP Command Line, go here.
2) If you want more information about a command in PGP Command Line use the “pgp --help”
command.
Test Plan & Policy Adjustment
A thorough and effective test plan is defined below. Before starting it, you might consider what will
make a successful test in your environment. There are most likely compliance and other concerns that
are driving your desire to test this software. You might consider defining the following before starting:
1. What are the most important features of this software to our company?
a) Business concerns?
b) Security concerns?
c) Compliance requirements?
2. During testing, what are the results that I must have in order for this to be a success?
3. What is my one to two paragraph written test plan (mission statement for the Evaluation)? This is
probably a summary of the answers to questions 1 and 2.
4. What additional Symantec features would I like to see, either as part of this test or as a separate
undertaking?
5. What additional encryption features besides file encryption will my company use? Do I need to test
these features now?
Symantec PGP Command Line - Test Plan
The following test criteria are not intended to represent all requirements for an enterprise file
encryption solution, but rather to provide some guidance as to commonly tested features. To address
specific requirements in your environment, please consult with your Symantec Technical Sales
Representative to assist in documenting these additional requirements.
Some of these tests require subjective grading as to pass or fail.
Test process for Command Line:
1. Send an unencrypted file to an “incoming” folder on a server.
2. Move the file to a “processing” folder on a server.
3. Encrypt the file in that folder.
4. Move the encrypted file to a “pickup” folder.
5. Repeat this process for several files and several different encryption types (key, passphrase, self-decrypting archive).
6. Optionally, create a script to execute these commands more easily.
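Step 6 suggests scripting the process. The script below is an added example, not part of the Symantec guide and not Symantec code: it runs the incoming, processing and pickup steps for every file in the incoming folder and enforces the property the test is really about, that plaintext never lands in the pickup folder. It assumes the pgp binary is on PATH, that the recipient's key has already been imported, verified and trusted as described earlier, and that "pgp --encrypt FILE --recipient NAME" writes FILE.pgp beside the input, as the guide's own example shows. The folder and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Symantec guide): the incoming -> processing ->
# pickup test process as a script. Assumptions: "pgp" is on PATH, the recipient
# key is already imported/verified/trusted, and "pgp --encrypt FILE --recipient R"
# writes FILE.pgp next to FILE (as in the guide's encrypt step).

# process_incoming INCOMING PROCESSING PICKUP RECIPIENT
# Moves each file out of INCOMING, encrypts it in PROCESSING, and moves only the
# resulting .pgp file to PICKUP. If pgp fails (non-zero exit, or no output
# written) the plaintext stays in PROCESSING for inspection, nothing is placed
# in PICKUP for that file, and the function returns 1 after finishing the rest.
process_incoming() {
    incoming=$1; processing=$2; pickup=$3; recipient=$4
    status=0
    mkdir -p "$processing" "$pickup"
    for src in "$incoming"/*; do
        [ -f "$src" ] || continue          # glob matched nothing, or not a file
        name=$(basename "$src")
        work="$processing/$name"
        mv "$src" "$work"
        # Trust pgp's exit status: a missing or untrusted recipient key, a bad
        # input file, etc. all mean the plaintext must not be shipped.
        if pgp --encrypt "$work" --recipient "$recipient" && [ -s "$work.pgp" ]; then
            mv "$work.pgp" "$pickup/$name.pgp"
            rm -f "$work"  # plain delete only after success; use a secure wipe if policy requires
        else
            echo "encryption failed for $name; plaintext left in $processing" >&2
            status=1
        fi
    done
    return $status
}

# count_pickup PICKUP
# Prints "<encrypted> <plain>": how many .pgp files and how many other files are
# waiting in PICKUP. The second number must always be 0; anything else means
# plaintext leaked past the encryption step.
count_pickup() {
    pickup=$1
    encrypted=0; plain=0
    for f in "$pickup"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pgp) encrypted=$((encrypted + 1)) ;;
            *)     plain=$((plain + 1)) ;;
        esac
    done
    echo "$encrypted $plain"
}

# Usage with pgp installed and the guide's folder names:
# process_incoming /srv/incoming /srv/processing /srv/pickup consultant
# count_pickup /srv/pickup
```

Moving the file into the processing folder before encrypting it matters in the real workflow because a partner collecting from the pickup folder (or a second copy of this script) must never see a half-written or unencrypted file; the only rename into pickup happens after pgp has reported success and produced output. Run the script a second time after deliberately breaking the recipient name to confirm the plaintext is held back rather than delivered.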
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo,
Symantec Network Access Control, Symantec Sygate Enterprise Protection are trademarks or
registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.
Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be reproduced in
any form by any means without prior written authorization of Symantec Corporation and its licensors,
if any.
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE
EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION
SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE
FURNISHING PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN
THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com