PGP Whole Disk Encryption Training

Agenda
• WDE Overview
• Licensing
• Universal Server & Client Basics
• Installation
• Password Recovery
• OS Maintenance
• Support
• Questions
Whole Disk Encryption
• Protects against personal computer loss, theft, compromise, or improper disposal
• Reduces the risk of data loss and of exposing PII (personally identifiable information)
• Protects against loss of reputation
• Encrypts desktops, laptops, and removable media
• Enables business continuity without disrupting user productivity
• Demonstrates compliance with regulatory standards
Full Disk vs. File Encryption
• Unsecured
• File Encryption
– Encrypts individual files / folders
– Requires authentication to decrypt and access files
• Full Disk Encryption
– Encrypts the entire hard drive
– Replaces the Master Boot Record with a pre-boot environment
– Decrypts automatically as files are accessed
Notebook with Sensitive Info
• Threat addressed: theft or loss of the machine
• Whole disk encryption
– Best guarantee of protecting the data stored on the drive
– Only protects data on that drive (the encryption doesn't follow a file when it is copied elsewhere)
– New login prompt on boot
How it Works
• Encrypts the entire drive
– Block by block (including unused space)
– The disk key is unlocked with a passphrase (or a token)
• Boot sector replaced with the pre-boot authentication process (PGP BootGuard)
• Drive decrypts and encrypts transparently on read/write
– Key is in memory while running, wiped on sleep
PGP BootGuard
[Screenshot of the PGP BootGuard pre-boot authentication screen]
Doesn't protect from
• Hacking
• Malware
• Social engineering
• Users leaving computer unlocked
• Mishandling of sensitive information
WDE protects the data at rest on a lost or stolen drive. Once a user has authenticated and the OS is running, reads are decrypted transparently for whatever is running on the machine, so none of the above is prevented by encrypting the disk.
Disk Encryption Policy
• Restricted
– SSN, CCN, ePHI, PII, legally/contractually protected
• Confidential
– Access limited to a select group of employees, but not meeting the restricted definition
• Required
– Portable with restricted data
– Desktop with more than 500 restricted records
• Recommended
– Portable with confidential data
– Desktop with fewer than 500 restricted records
http://policies.emory.edu/5.12
Licensing Details
• Emory currently owns 1,501 PGP licenses.
• Many units have already committed to an initial license purchase.
• Each license is $45.50. Licensed per computer, not per user.
• Additional licenses may be purchased by sending a Remedy ticket or an email to securityteaml@listserv.emory.edu containing the following information:
– School/Division/Business Unit name.
– Requestor's contact information.
– Number of licenses being purchased.
– Smart Key number.
Server & Client Basics
• Server
– Linux-based soft appliance provided by PGP.
– Maintains copies of any user keys.
– Provides encryption verification and auditing.
– Assigns user policies based on AD group membership.
• Client
– Most users will never interact with the client except to enroll.
– Client communicates with the server to report encryption status, synchronize any keys, reset recovery tokens, etc.
– Features can be enabled or disabled by policy.
Architecture
[Diagram: clients, an F5 load balancer VIP, PGP Server 1 and PGP Server 2, an LDAP proxy, and the EHC and Emoryunivad AD domains]
Available Features
• WDE
• PGP Shredder – securely erases files.
• PGP Zip – create encrypted zip files and
self-extracting executables.
• PGP Virtual Disk – create virtual encrypted
volumes (similar to TrueCrypt).
PGP Policies
• Assigned using LDAP attributes
– We will focus on AD groups
• Per user, not per computer
• Client configuration
– Available features
– Automatic or manual disk encryption
– Whether end users can create keys
– Whether end users can encrypt/decrypt other things
Administrative Access
• Aladdin USB eTokens
– Windows only
– ~$40 each from CDW
• Add local user manually
• Whole disk recovery tokens
– Retrieved from server
– One-time use
• Admin password (future version)
Supported OSes
• Windows
– 2000, XP, Vista, 7 – both 32 and 64 bit
– Use of PGP on Windows Server is not recommended
• Mac OS X
– 10.4-10.6
• Linux
– PGP v10 supports some variants of Linux, but this has not been tested at Emory
Installation Overview
• Create policies on the PGP server, associated with (emoryunivad, EHC) AD groups
• Installed via a simple Windows MSI or Mac pkg installer
• Run chkdsk.exe /R on Windows clients before installing
• Install on the client, then let the end user "enroll"
• Client grabs the policy associated with the end user (based on AD group membership)
• Disk encryption starts automatically (if configured by policy)
• Additional users can be added to the system as necessary by adding a new "passphrase user"
Installation Caveats
• Active Directory groups must be created and associated with a policy prior to deployment. Do you need a delegated OU?
• The initial encryption process will find bad sectors if they exist, and may also uncover failing disks. Run chkdsk.exe /R first.
• Make sure that the end user enrolls their system with the server - don't use your credentials. Policy is assigned per user, so a system enrolled with your account picks up your policy instead of theirs.
A Word on Groups
• Be careful not to place users into multiple groups that control PGP policy enrollment.
• If you're creating a new group, please include PGP, your unit, and a descriptive item in the group name. E.g. EC-PGP-WDE Only, SOMDOM-PGP-All Features.
• Be careful with users that you think might be using PGP in other schools (think faculty with dual appointments).
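The overlap the first bullet warns about can be checked mechanically before a group goes live. The following is an added example written for this page, not code from the original deck or from PGP: it takes a constructed snapshot of AD group membership (the shape of data a Get-ADGroupMember export gives you), flattens nested groups the way AD resolves them, and lists every user who lands in more than one PGP policy group, separately flagging the cross-unit cases that dual appointments produce. The group and user names are invented and follow the naming convention above.

```python
"""Find users who fall into more than one PGP policy group (added illustration)."""
from collections import defaultdict

# Constructed sample, not real Emory data: group name -> direct members.
# "group:" entries are nested groups, which AD resolves recursively when the
# PGP server reads a user's memberships, so the check must flatten them too.
SAMPLE_MEMBERSHIP = {
    "EC-PGP-WDE Only":         ["alice", "bob", "group:EC-Staff"],
    "EC-PGP-All Features":     ["bob"],
    "EC-Staff":                ["carol", "dave"],
    "SOMDOM-PGP-All Features": ["dave", "erin"],
    "SOMDOM-Faculty":          ["frank", "group:EC-Staff"],
    "SOMDOM-PGP-WDE Only":     ["group:SOMDOM-Faculty"],
    "Print-Users":             ["alice", "bob", "carol"],   # not a PGP group
}


def is_pgp_policy_group(name: str) -> bool:
    """Policy-enrollment groups carry PGP as a name component (EC-PGP-..., SOMDOM-PGP-...)."""
    return any(part.upper() == "PGP" for part in name.replace(" ", "-").split("-"))


def unit_of(group: str) -> str:
    """The unit prefix before '-PGP-' (EC, SOMDOM, ...)."""
    return group.split("-PGP-", 1)[0]


def flatten(membership: dict, group: str, _seen=None) -> set:
    """Resolve nested groups down to user accounts, guarding against membership cycles."""
    _seen = _seen if _seen is not None else set()
    if group in _seen:
        return set()
    _seen.add(group)
    users = set()
    for member in membership.get(group, []):
        if member.startswith("group:"):
            users |= flatten(membership, member[len("group:"):], _seen)
        else:
            users.add(member.lower())
    return users


def pgp_group_conflicts(membership: dict) -> dict:
    """Map each user in more than one PGP policy group to the sorted list of those groups."""
    groups_of = defaultdict(set)
    for group in membership:
        if is_pgp_policy_group(group):
            for user in flatten(membership, group):
                groups_of[user].add(group)
    return {u: sorted(g) for u, g in groups_of.items() if len(g) > 1}


def cross_unit_conflicts(membership: dict) -> dict:
    """The subset of conflicts that span units, e.g. faculty with dual appointments."""
    return {u: g for u, g in pgp_group_conflicts(membership).items()
            if len({unit_of(x) for x in g}) > 1}


if __name__ == "__main__":
    cross = cross_unit_conflicts(SAMPLE_MEMBERSHIP)
    for user, groups in sorted(pgp_group_conflicts(SAMPLE_MEMBERSHIP).items()):
        print(f"{user}: {', '.join(groups)}{' (cross-unit)' if user in cross else ''}")
```

In the sample, bob is in two EC policy groups directly, while carol and dave reach a SOMDOM policy group only through the nested EC-Staff group; that indirect path is the case that is easy to miss when membership is reviewed by eye.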
Password Recovery
• Unique, one-time-use recovery token for forgotten passphrases (Whole Disk Recovery Tokens, WDRT)
• See documentation for full WDRT and forgotten passphrase steps.
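The mechanics described under How it Works, the "passphrase user" step of the installation overview, and the one-time recovery token above all come down to one piece of key management: a single disk key encrypts every sector, and that key is itself wrapped separately under each passphrase user's passphrase and under the current recovery token, so a passphrase can be added, a token consumed and replaced, or the key dropped from memory without touching the encrypted media. The model below is an added illustration written for this page, not PGP's code or its on-disk format. HMAC-SHA256 in counter mode stands in for the real sector cipher so it runs with only the Python standard library, and the PBKDF2 round count, the token format and the wrapping construction are assumptions made for the toy.

```python
"""Toy model of the key handling behind whole-disk encryption (added illustration)."""
import hashlib
import hmac
import secrets

SECTOR = 512
PBKDF2_ROUNDS = 100_000   # assumed for this toy; not PGP's parameter
WRAP_DOMAIN = 2**64 - 1   # "sector number" reserved for key wrapping, never used for data


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Stretch a passphrase or recovery token into a 256-bit key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS, 32)


def keystream(key: bytes, sector: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode keyed by sector number (stand-in for the real sector
    cipher): identical plaintext in two sectors must not produce identical ciphertext."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, sector.to_bytes(8, "big") + ctr.to_bytes(4, "big"), "sha256").digest()
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC the disk key under a KEK; the tag is what rejects a wrong passphrase."""
    ct = xor(keystream(kek, WRAP_DOMAIN, len(dek)), dek)
    return ct + hmac.new(kek, ct, "sha256").digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kek, ct, "sha256").digest(), tag):
        raise ValueError("wrong passphrase or recovery token")
    return xor(keystream(kek, WRAP_DOMAIN, len(ct)), ct)


class EncryptedDisk:
    def __init__(self, n_sectors: int, user: str, passphrase: str):
        self.media = bytearray(n_sectors * SECTOR)  # the platters; all zeros = unused space
        self.users = {}                             # user -> (salt, DEK wrapped under passphrase)
        self.recovery = None                        # (salt, DEK wrapped under outstanding token)
        self._dek = secrets.token_bytes(32)         # data-encryption key: in RAM only while unlocked
        self.add_passphrase_user(user, passphrase)
        for s in range(n_sectors):                  # initial encryption: every sector, used or not
            self.write(s, self.raw_sector(s))

    def _require_unlocked(self) -> None:
        if self._dek is None:
            raise PermissionError("locked: authenticate at pre-boot first")

    def raw_sector(self, s: int) -> bytes:
        """What someone reading the drive directly (e.g. after a theft) sees."""
        return bytes(self.media[s * SECTOR:(s + 1) * SECTOR])

    def read(self, s: int) -> bytes:
        self._require_unlocked()
        return xor(keystream(self._dek, s, SECTOR), self.raw_sector(s))

    def write(self, s: int, data: bytes) -> None:
        self._require_unlocked()
        if len(data) > SECTOR:
            raise ValueError("write larger than one sector")
        self.media[s * SECTOR:(s + 1) * SECTOR] = xor(
            keystream(self._dek, s, SECTOR), data.ljust(SECTOR, b"\0"))

    def lock(self) -> None:
        """Sleep or shutdown: the DEK is dropped; only ciphertext remains on the media."""
        self._dek = None

    def unlock(self, user: str, passphrase: str) -> None:
        salt, blob = self.users[user]
        self._dek = unwrap(derive_kek(passphrase, salt), blob)

    def add_passphrase_user(self, user: str, passphrase: str) -> None:
        """An unlocked session enrolls another passphrase user; the DEK itself never changes."""
        self._require_unlocked()
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, wrap(derive_kek(passphrase, salt), self._dek))

    def issue_recovery_token(self) -> str:
        """Mint a one-time token wrapping the DEK (the client would escrow it with the server)."""
        self._require_unlocked()
        token, salt = secrets.token_hex(16), secrets.token_bytes(16)
        self.recovery = (salt, wrap(derive_kek(token, salt), self._dek))
        return token

    def unlock_with_token(self, token: str) -> str:
        """Forgotten passphrase: consume the outstanding token and return its replacement."""
        if self.recovery is None:
            raise ValueError("no recovery token outstanding")
        salt, blob = self.recovery
        self._dek = unwrap(derive_kek(token, salt), blob)  # raises before the token is consumed
        self.recovery = None
        return self.issue_recovery_token()


if __name__ == "__main__":
    disk = EncryptedDisk(8, "alice", "correct horse battery staple")  # constructed sample
    disk.write(3, b"SSN 000-00-0000")
    print("on-disk bytes of sector 3:", disk.raw_sector(3)[:16].hex())
    token = disk.issue_recovery_token()
    disk.lock()
    new_token = disk.unlock_with_token(token)       # the old token is now useless
    print("recovered plaintext:", disk.read(3)[:15], "replacement token:", new_token)
```

Three properties from the slides fall out of this structure: unused sectors on the media are ciphertext like everything else; after lock() there is no key in memory, so the only way back in is a passphrase or the current token; and a used token cannot be replayed, because the wrapped copy it protected is discarded and a fresh one is wrapped under a new token. The MAC in wrap() is also why a wrong passphrase is refused outright instead of silently producing garbage sectors.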
OS Repair/Upgrades
• Special steps are required to upgrade the OS on systems encrypted with PGP:
– Decrypt the boot drive.
– Uninstall PGP.
– Perform the upgrade.
– Reinstall PGP and re-encrypt the boot drive.
• Any operation that makes a change to the MBR (where the pre-boot environment lives) will require special planning.
Dual Booting
• OK as long as both OSes support PGP and both have PGP Desktop installed (e.g. Windows XP and Windows 7 on the same box).
• If dual booting Windows and Linux, the Linux partition must remain unencrypted (as of version 9).
• Neither of these scenarios has been tested and should probably be avoided if possible.
Getting the Software
• E-mail securityteaml@listserv.cc.emory.edu, or submit a Remedy ticket with the following information:
– Full path of the AD group(s) that you will use to manage PGP policy enrollment.
– Which policy features you want enabled.
• You will receive a reply confirming that your policy has been configured, along with a link to download the client software.
Where to go for Help
• Submit a Remedy ticket to the UTS Security Team to:
– Gain access to client installation software
– Request PGP policy changes
– Associate AD groups with policies
– Tier II troubleshooting
– Request WDRT administrator privileges
• Submit a Remedy ticket to the UTS Identity Management Team to:
– Request a delegated Active Directory OU
• In Health Care, contact Mike Chilcott or Mickey McKinney.
Questions?