Symantec PGP Command Line Encryption Evaluation Guide
Covers version 10.3 of PGP Command Line

Getting Started

Installing PGP Command Line is the first step of a Proof-of-Concept, so this document details system requirements and deployment considerations for PGP Command Line. Complete the "Steps To Do Before Starting Evaluation" checklist on the next page before the evaluation begins. If you will be purchasing hardware, consult the Technical Requirements before completing any other step so you have time to order and receive it. Keep in mind that the Technical Requirements listed in this document are scaled down for an evaluation.

Contents

PGP Command Line Encryption Checklist ........ 3
Notes ........ 4
PGP Command Line Encryption Evaluation Architecture ........ 5
Technical Requirements ........ 6
Reference material ........ 13
Test Plan ........ 14

Command Line Encryption Checklist

Use the following checklists as an overview of the steps that need to be accomplished for the evaluation.

Steps To Do Before Starting Evaluation

Use the sample test plan at the end of this document to help you create your own test criteria and plan.
Prepare a compatible environment. This will include:
o Creating a virtual machine for PGP Command Line (or physical hardware).
  Specific system requirements are located in the Technical Requirements section of this document.
o Alternatively, because PGP Command Line is a small application that does not change system settings or alter system behavior, you can install it on any compatible system for testing. However, avoid using production data, or systems that already have other encryption software installed, for this testing.
Download the 10.3 version of PGP Command Line from the trialware page.

Evaluation Steps

Install PGP Command Line
Complete post-installation steps for PGP Command Line:
o License PGP Command Line
o Generate a cryptographic keypair
o Export a public key
o Import a public key
o Encrypt and decrypt a file
o Sign and verify a file
Perform desired tests

Symantec PGP Command Line Evaluation Guide 3

Notes

This document has been written for customers, Symantec Sales Engineers, and partner Technical Pre-Sales Engineers.
This document assumes the reader is knowledgeable about PGP products (has done practice or production installations, has read the documentation, is familiar with the Knowledgebase, etc.).
This document assumes the reader has access to Symantec technical publications.
This evaluation guide assumes the use of a lab environment, which is recommended for testing. If production equipment will be used, make sure that a current backup of all related systems is taken and that the current release notes are checked for potential incompatibilities. It is also recommended that no production data is encrypted during this testing.

Technical Requirements

All systems that are part of the evaluation should meet or exceed the minimum system requirements defined below.
PGP Command Line Requirements

Component           Specifications
Processor           1 GHz or faster processor recommended
Memory              1 GB required
Hard Disk           2 GB of available hard-disk space
Operating System    Windows Server 2012; Windows 8 Enterprise; Windows 8 Pro; Windows Server 2008; Windows Server 2008 R2; Windows 7; Windows Vista; Windows Server 2003; Windows XP Pro
                    HP-UX 11i and above (Itanium 2 and similar processors, 64-bit)
                    IBM AIX 5.3 (TL11+) and 6.1 (TL4+, PowerPC)
                    Red Hat Enterprise Linux 5.4, 5.5, 5.8, 6.0 (x86 and x86_64), 6.4 (x86_64)
                    SUSE Linux Enterprise Server 10 SP2 (x86), 11 (x86 and x86_64)
                    Oracle Solaris 9, 10 (SPARC, 32-bit), 11 (SPARC, 64-bit)
                    Oracle Solaris 10 (x86)
                    Oracle Solaris 10, 11 (x86_64)
                    Apple Mac OS X 10.5, 10.6, 10.8.2, 10.8.3 (x86)
Other requirements  Virtual environments are commonly used for testing PGP Command Line.

Sandbox Environment: an internal file server. If you are able to choose your test domain name, use "acme.com" for the internal domain. Create at least one user account for the users on your server.

Installation and Configuration Steps – Command Line

In this section we briefly discuss the tasks that must be performed to prepare PGP Command Line for the test environment. Other documentation covers this in more detail, including the PGP Command Line User's Guide, chapter 2. This document gives only the steps necessary to prepare for this evaluation. Please download the most current PGP Command Line User's Guide to help you complete the tasks referenced here. A chart of PGP Command Line commands is available from Symantec, as is other Symantec PGP documentation.

Important information for our environment
PGP Command Line hostname: ____________
IP Address: ____________
Administrator credentials: ____________

Server installation

1) Use the Installing on Windows section of the PGP Command Line User's Guide (pages 19-21) to complete a Default installation.
The installation process typically takes 5-10 minutes.

Licensing PGP Command Line

1) Log on to the system where PGP Command Line is installed.
2) Open a command prompt.
3) Run this command:
pgp --license-authorize --license-name "Authorized User" --license-organization "Authorized Company" --license-number "D4LVN-LH6UG-CUNWP-YLMBP-GDR59-PVA"

Generate a cryptographic keypair

1) Run the command:
pgp --gen-key "MYORGANIZATION response@example.com" --key-type rsa --bits 2048 --passphrase "passphrases are better than passwords"
Note: substitute your own name (MYORGANIZATION), email address (response@example.com), key type (rsa), key size (2048), and passphrase ("passphrases are better than passwords"). The same passphrase is used by every signing and decryption command later in this guide.

Sending your public key

1) Run the command, where MYPUBLICKEY is the user ID of the key you generated above:
pgp --export MYPUBLICKEY
2) A new file called "MYPUBLICKEY.asc" is created. Send this file to the business partner that needs to send you encrypted files. The file contains only the public key, so the channel it travels over need not be confidential; what protects the partner against a substituted key is the fingerprint check described below, which they should perform on your key just as you do on theirs.

Receiving a public key

Receiving a public key has several important security steps:
a) Save the received public key to a file
b) Import the public key
c) Fingerprint the public key
d) Validate the public key
e) Set trust on the public key
Improper handling here defeats the encryption: an attacker who can substitute their own public key for the recipient's (a man-in-the-middle) can intercept communications meant for the recipient and read them. This is a VITAL security step. It must be done for each recipient and repeated whenever a recipient changes keys.

Save the received public key to a file
For this section, assume the file is called "consultant.asc".

Import the public key
1) Run the command:
pgp --import consultant.asc

Verifying the public key
1) Find the key by running this command:
pgp --list-keys consultant
2) Provided just one key is listed, run this command to generate a human-readable "fingerprint" of the key as a list of words:
pgp --fingerprint consultant --biometric
The result is a list of words unique to that key; write them down. If more than one key was listed in step 1, narrow the selection (for example by using the full email address) before continuing, so that the fingerprint, signature and trust setting all apply to the same key.
3) Now contact the owner of that key out of band.
If you received the email from "fred@gmail.com", use a phone number obtained separately (not from the signature line, not from the site that also provided the email address, etc.). This might be a separate person who you already know, have met face-to-face, and trust.
4) Ask them to read their key's words to you (do not read yours to them!!!). If the words they read match what you recorded, you can be sure you received their key and not an attacker's. If any word differs, do not proceed to the trust steps; remove the imported key and obtain it again.

Trust the public key
1) In order to trust a key, you first sign it and then set the trust on it.
2) Sign the key:
pgp --sign-key consultant --signer MYORGANIZATION --passphrase "passphrases are better than passwords"
3) Trust the key:
pgp --set-trust consultant --trust complete

Encrypting a file
Assume, for this section, that the file that needs to be encrypted is called "file.txt" and that it needs to go to "consultant", as previously configured.
1) Run this command:
pgp --encrypt file.txt --recipient consultant
2) A file called "file.txt.pgp" should be created; send this to "consultant".

Decrypting a file
Assume, for this section, that the file that needs to be decrypted is called "results.txt.pgp".
1) Run this command (the passphrase is the one chosen when the keypair was generated):
pgp --decrypt results.txt.pgp --passphrase "passphrases are better than passwords"
2) A file called "results.txt" should be created.
Note: passing --passphrase on the command line is convenient in the lab but exposes the passphrase in shell history and, on shared systems, in process listings. Production scripts should use the file-descriptor passphrase options (--passphrase-fd) described in the User's Guide instead.

Signing a file
Assume, for this section, that the file that needs to be signed is called "autograph.txt".
1) Run this command:
pgp --sign autograph.txt --passphrase "passphrases are better than passwords"
2) A file called "autograph.txt.pgp" should be created.

Verifying the signature on a file
Assume, for this section, that the file that needs to be verified is called "autograph.txt.pgp".
1) Run this command:
pgp --verify autograph.txt.pgp
2) A file called "autograph.txt" should be created, with a message that the signature is good. If pgp instead reports the signature as bad, or the signing key as one you do not have, the file was altered in transit or was not signed by a key you have imported and verified; do not trust its contents.

Congratulations! You have just deployed PGP Command Line Encryption!
If you need to test other features, please consult your Symantec representative.

Helpful links and reference material

1) Symantec's Support Knowledge Base has a landing page for PGP Command Line.
2) For more information about a command in PGP Command Line, use "pgp --help".

Test Plan & Policy Adjustment

A thorough and effective test plan is defined below. Before starting it, consider what will make a successful test in your environment. There are most likely compliance and other concerns driving your desire to test this software. You might consider defining the following before starting:
1. What are the most important features of this software to our company?
a) Business concerns?
b) Security concerns?
c) Compliance requirements?
2. During testing, what results must I have for this to be a success?
3. What is my one- to two-paragraph written test plan (mission statement for the evaluation)? This is probably a summary of the answers to questions 1 and 2.
4. What additional Symantec features would I like to see, either as part of this test or as a separate undertaking?
5. What additional encryption features besides file encryption will my company use? Do I need to test these features now?

Symantec PGP Command Line - Test Plan

The following test criteria are not intended to represent all requirements for an enterprise file encryption solution, but rather to provide some guidance on commonly tested features. To address specific requirements in your environment, please consult your Symantec Technical Sales Representative for help documenting these additional requirements. Some of these tests require subjective grading as to pass or fail.

Test process for Command Line:
1. Send an unencrypted file to an "incoming" folder on a server.
2. Move the file to a "processing" folder on the server.
3. Encrypt the file in that folder.
4. Move the encrypted file to a "pickup" folder.
5. Repeat this process for several files and several different encryption types (key, passphrase, self-decrypting archive).
6. Optionally, create a script to execute these commands more easily.

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, Symantec Network Access Control, Symantec Sygate Enterprise Protection are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com
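Step 6 of the test process above asks for a script, and the "Encrypting a file" section earlier gives the command it should run. The script below is an added example written for this page; it is not part of the original guide or of PGP Command Line. It carries steps 1 through 4 out for every file waiting in incoming/, using the guide's --encrypt --recipient command (mode "key") or conventional passphrase encryption with --symmetric (mode "passphrase"), and refuses to discard a plaintext until a non-empty encrypted file exists. Assumptions: pgp is on PATH (override with PGP_BIN), pgp writes its output beside the input with a .pgp suffix as the guide's examples show, and the folder names are those of the test process. The self-decrypting-archive case from step 5 is left out because its output name depends on the target-platform option; add it as a third case once you have checked that option in the User's Guide.

```shell
#!/bin/sh
# Added example (not from the Symantec guide): script for the test process
# incoming/ -> processing/ -> encrypt -> pickup/, for key and passphrase modes.
set -eu

# Assumption: the pgp binary is on PATH; override with PGP_BIN=/path/to/pgp.
PGP_BIN=${PGP_BIN:-pgp}

# Create the three folders the test process uses under one base directory.
setup_dirs() {
    mkdir -p "$1/incoming" "$1/processing" "$1/pickup"
}

# Encrypt one file in place and print the path of the encrypted output.
#   key        -> public-key encryption to the recipient named in $3 (guide's --encrypt)
#   passphrase -> conventional encryption with the passphrase in $3 (--symmetric)
# Assumption: pgp writes the output next to the input with a .pgp suffix, as the
# guide's examples show. pgp's own status text is discarded so only the path is printed.
encrypt_file() {
    local mode=$1 path=$2 secret=$3
    case "$mode" in
        key)        "$PGP_BIN" --encrypt "$path" --recipient "$secret" >/dev/null ;;
        passphrase) "$PGP_BIN" --symmetric "$path" --passphrase "$secret" >/dev/null ;;
        *)          echo "unknown encryption mode: $mode" >&2; return 1 ;;
    esac
    printf '%s.pgp\n' "$path"
}

# Steps 1-4 for every file waiting in incoming/. The plaintext is removed from
# processing/ only after a non-empty encrypted file has been moved to pickup/;
# on failure it stays in processing/ so the run can be inspected.
process_incoming() {
    local base=$1 mode=$2 secret=$3 f name out
    for f in "$base"/incoming/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        mv "$f" "$base/processing/$name"
        out=$(encrypt_file "$mode" "$base/processing/$name" "$secret")
        if [ ! -s "$out" ]; then
            echo "no encrypted output for $name; leaving plaintext in processing/" >&2
            return 1
        fi
        mv "$out" "$base/pickup/"
        rm -f "$base/processing/$name"
        echo "$name -> pickup/$(basename "$out")"
    done
}

# Files ready in pickup/, as a quick pass/fail count after a run.
pickup_count() {
    find "$1/pickup" -type f | wc -l | tr -d ' '
}

# Usage: ./pipeline.sh /srv/pgptest key consultant
#        ./pipeline.sh /srv/pgptest passphrase 'passphrases are better than passwords'
if [ $# -eq 3 ]; then
    setup_dirs "$1"
    process_incoming "$1" "$2" "$3"
    echo "$(pickup_count "$1") file(s) ready in $1/pickup"
fi
```

Two caveats for anyone turning this into more than a lab script: rm only unlinks the plaintext, so on a server that is not disposable use PGP Command Line's --wipe command (see the User's Guide) or a throwaway volume; and the passphrase mode puts the secret on pgp's command line exactly as the guide does, which the --passphrase-fd option avoids.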