PGP Installation

Note: As of 12/8/2009 these directions assume you are working with a non-domain member machine.  We will provide additional details for domain-member machines.

(document revised 12-24-2013)

Summary of PGP process:

(See full instructions below)

1. Before you can Encrypt any Machines:

  • Request a shared AD account for your LSP Group for PGP enrollment purposes

2. Before you Start Encrypting Someone's Machine:

  • Check that the user has an AD account -- have them fill out the form if they need one
  • Request PGP group membership for the user's AD account
  • Give the user a copy of the SAS Pre-Encryption Infosheet
  • ** Find out if the user has done PGP enrollment in the past.  If they have, ask them whether they know (or wrote down) the PGP passphrase that they created.  If they don't know their passphrase, talk to DCS about Security Question recovery or "resetting" the user's PGP info on the PGP server.

3. Preparing the Computer for Installation

  • Back up data!!
  • Add the local user account & lspadmin to the local file and print sharing group
  • Check the netbios name
  • Make sure the filesystem is ok by running "chkdsk /f" on all local drives (e.g. C: and D:)
  • Check the laptop's screensaver lock policy
  • Ensure that the user's local windows account password is sufficiently strong

4. Installing PGP

  • You don't need the user for this step

5. Enrolling the LSP with PGP

  • You don't need the user for this step
  • You need your group's AD PGP account login info

6. Encrypting

  • You don't need the user for this step
  • After encrypting, test logging in at the grey PGP boot screen as the lspadmin.

7. Enrolling the User with PGP

  • You *will* need the user for this step
  • ** If they had enrolled in PGP in the past, they will be prompted for their passphrase instead of being asked to enroll.
  • Have the user test logging in at the grey PGP boot screen

8. Security Question recovery

  • this section needs to be added

1. Before you can Encrypt any Machines

To encrypt a machine, you will be taken through a PGP "enrollment" process, which requires creating or using a pre-existing PGP key associated with an AD account.

For a non-domain member machine it is best that you use a shared AD account for your LSP Group for this enrollment process (This account will only be used for enrolling PGP machines).

If your LSP group does not yet have a shared Active Directory account for PGP, request one now using this form: http://www.sas.upenn.edu/computing/help/faculty_staff/forms/ad_request

Please note in the comments field that this is for use in PGP enrollment and note the OU(s) in which this account is intended to be used. These accounts will be named yourOU-PGP (e.g. physics-PGP or ssc-PGP).

2. Before you Start Encrypting Someone's Machine

a)  If the user does not yet have an Active Directory account, please have them request an account using the survey.

  • In the comments field, please have the user indicate that the account is for use with PGP.

b)  ? If the user already has an AD account, request PGP group membership by doing xx

  • (fill out web form; submit a Footprints task using the "Quick Request" template xx)

c)  Give the user a copy of the SAS Pre-Encryption Infosheet (see below)

3. Preparing the Computer for Installation

a)  If the user does not yet have a local account on the machine that will be encrypted, create one now (make sure to use their PennKey as the account name).

b)  Add the user's local account to the local file and print sharing group.

c)  Also add the lspadmin account (or whatever local lsp admin account you use) to the local file and print sharing group.

d)  If a temporary netbios/computer name is in place, establish the permanent netbios/computer name.  (Changing the netbios name after encryption can make PGP sad.)

e)  Before starting the installation process, make sure that all data is backed up! You should take a complete image of the machine using Ghost or something equivalent. Please validate this backup and test a small restore (e.g. retrieve some files via Ghost Explorer).

In addition to this whole-machine backup, the user should specifically back up their most critical documents.  If they have just received an Active Directory account, you may want to let them know that they could use the U: drive for this purpose (under 3 GB by default).

You should also discuss with the user how ongoing backups will be done after encryption.

f)  After everything is backed up, make sure the filesystem is ok by running "chkdsk /f" on all local drives (e.g. C: and D:).

g)  Set the following local security policies:

* Set the screen to lock after 10 minutes.

* Make sure that "on resume, password protect" is set.

* Ensure that the user's local Windows account password is sufficiently strong (more than 8 characters, using at least three of the four character classes: lower case letters, upper case letters, numbers, and symbols) and isn't written anywhere on the laptop.
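The following PowerShell script is an added example, not part of the SAS procedure, that audits the step 3 checklist in read-only fashion before you start encrypting: it confirms the user's and LSP admin local accounts exist and are members of the sharing group, shows the computer name so it can be confirmed as permanent, reports the NTFS dirty bit on each fixed drive, checks the screen-lock settings, and includes a function that tests a candidate password against the policy stated in step 3g. It assumes the LSP admin account is named "lspadmin", that the "file and print sharing group" in the procedure is the local group whose name you pass in $SharingGroup (substitute the real group name used on your machines), and it uses the WinNT ADSI provider and chkntfs so that it also runs on the XP/Vista/7-era PowerShell 2.0 this procedure targets.

```powershell
# Added example, not part of the SAS procedure: read-only audit of the step 3
# checklist. Assumptions: LSP admin account is "lspadmin"; the sharing group
# is the local group named in $SharingGroup (replace with your real group).
param(
    [string]$UserName     = 'pennkey',    # placeholder: the user's PennKey
    [string]$AdminAccount = 'lspadmin',
    [string]$SharingGroup = 'Users'       # assumption; replace with your group
)

function Test-StrongPassword {
    # Policy from step 3g: more than 8 characters and at least three of the
    # four classes (lower case, upper case, digits, symbols).
    param([Parameter(Mandatory=$true)][string]$Password)
    if ($Password.Length -le 8) { return $false }
    $classes = 0
    foreach ($pattern in '[a-z]', '[A-Z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $pattern) { $classes++ }   # -cmatch: case-sensitive
    }
    return ($classes -ge 3)
}

function New-Check {
    # One row of the report (New-Object keeps this PowerShell 2.0 compatible).
    param([string]$Name, [bool]$Ok)
    New-Object PSObject -Property @{ Check = $Name; OK = $Ok }
}

function Get-LocalAccountNames {
    # WinNT provider works on XP/Vista/7, where Get-LocalUser does not exist.
    ([ADSI]"WinNT://$env:COMPUTERNAME").Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        ForEach-Object { $_.Name }
}

function Get-LocalGroupMemberNames {
    param([string]$Group)
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $adsi.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$checks   = @()
$accounts = @(Get-LocalAccountNames)
$members  = @(Get-LocalGroupMemberNames -Group $SharingGroup)

# Steps 3a-3c: both accounts exist locally and sit in the sharing group.
foreach ($acct in $UserName, $AdminAccount) {
    $checks += New-Check "local account '$acct' exists"        ($accounts -contains $acct)
    $checks += New-Check "'$acct' is in group '$SharingGroup'" ($members -contains $acct)
}

# Step 3d: show the NetBIOS name so it is confirmed as permanent before encrypting.
$checks += New-Check "computer name is '$env:COMPUTERNAME' (confirm it is the permanent name)" $true

# Step 3f: chkdsk /f needs a reboot for the system drive, so only report the
# NTFS dirty bit here; run chkdsk /f on each drive separately afterwards.
foreach ($disk in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3') {
    $clean = [bool]((& chkntfs $disk.DeviceID) -match 'is not dirty')
    $checks += New-Check "drive $($disk.DeviceID) has no dirty bit" $clean
}

# Step 3g: screen-lock settings for the account running this script
# (run it as the user, or read their HKU hive, to check the user's profile).
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$checks += New-Check 'screensaver enabled'               ($desk.ScreenSaveActive -eq '1')
$checks += New-Check 'password required on resume'       ($desk.ScreenSaverIsSecure -eq '1')
$checks += New-Check 'screensaver timeout <= 10 minutes' ([int]$desk.ScreenSaveTimeOut -le 600)

$checks | Select-Object Check, OK | Format-Table -AutoSize

# Password policy spot check on a constructed sample (never paste the user's
# real password into a script): 13 characters, all four classes -> True.
Test-StrongPassword -Password 'Sample-Pass42'
```

Run it from the LSP admin session for the account checks, then once more as the user (or after loading their hive) for the screen-lock rows, since those live under HKEY_CURRENT_USER. Any row showing False is a step 3 item still to be done before step 4.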

4. Installing PGP

** You will need to have the user of the laptop with you when you enroll them with the PGP server, and if the user has already been using the laptop you may want to have them with you when you prepare for the encryption process.

a)  Log in to the computer using the local LSP admin account. 

b)  Download the PGP installer from the DistStaff share (32 bit for Windows XP & Vista; 64 bit for Windows 7):

\\sas.upenn.edu\sasc\shares\diststaff\software\pgp

 

c)  Install the PGP software by following the prompts.

[Screenshot: Install the PGP Software]

d)  After the installation process has completed, you will be prompted to restart the computer. Select yes to restart the computer.

5. Enrolling the LSP with PGP

a)  Log back in as LSPadmin.

b)  About 30-60 seconds after logging in, a window entitled PGP Enrollment will pop up. It may seem like it is not doing anything, but give it some time.

c)  Enter the Active Directory username and password for your group's PGP account here.

[Screenshot: PGP Enrollment Window]

d)  Select new user and click next.

If this is the first time your Group's PGP Active Directory account has been used for enrollment, you will be prompted to create a new key and key passphrase. 

(This passphrase must be complex, and will need to be securely shared with the other members of your LSP group).

If the group account has been used previously, enter the associated passphrase.

Click Next, Next, Finish.

[Screenshot: Select New User]

e)  At this point, you may have to re-open PGP.

(All Programs > PGP > PGP Desktop)

6. Encrypting

a)  Once PGP has been opened, Click on whole disk encryption (PGP Disk -> Encrypt Whole Disk or Partition).

b)  When on the whole disk encryption screen, select "new passphrase user."

c)  Keep the "use Windows password" option selected and click next.

d)  Enter the LSPadmin local account name and password when prompted (leave the domain name field alone; it will show the netbios name).

Click Next, Click Finish.

[Screenshot: Add a Single Sign On User]

e)  Start encryption whenever it is convenient, as it could take several hours (click "maximize CPU usage" if you want).

If using a laptop, make sure that it is not running on battery power alone.

Select Encrypt in the whole disk encryption menu (upper right button; on the left click "PGP Disk", then click "Encrypt Whole Disk").

When the encryption process starts, PGP can be minimized to the tray.

f) When encryption is finished, restart the computer.

g) Test logging in at the PGP Desktop boot screen:

You will see a screen that prompts you for either your PGP passphrase or your Windows password.

As the screen below indicates, there are two acceptable ways to get past this screen:

- You can provide your PGP passphrase, in which case you will then have to log in to Windows separately.

- Or, if you've set up single sign-on properly, you can provide your LSPadmin local account password, and you should get past this screen and be logged into Windows automatically.

** Please test each of these mechanisms.  (You will need to reboot in between tests.)

[Screenshot: PGP Login Screen]

7. Enrolling the User with PGP

a)  Have the user log in to Windows using their local Windows account at this point.

b)  After they log in, they will be prompted to enroll with PGP (there might be a 30-60 second delay before the window pops up).

Have the user use their Active Directory credentials to do this.

c)  You will now have to create keys and a passphrase for the user. This is similar to step 5.

  • Select new user and click next.

  • This passphrase must be complex.  The user should write it down somewhere safe; in day-to-day use they will log in with their Windows password instead, so the passphrase is rarely needed.

Click Next, Next, Finish.

** They will also be prompted to create security questions.

d)  Once the keys have been created you will be prompted to create a single sign on user. Use the user's local login information for this.

e)  You may be prompted to enter the passphrase used for encryption.

Since the LSP has already been added as a single sign-on user, you will actually need to enter the Windows password for the local LSP account.

[Screenshot: Local User Single Sign On]

g)  PGP will recognize that the drive is already encrypted.

[Screenshot: Setup Finished]

h) To confirm that everything is working properly, have the user log in at the grey PGP boot screen with their local Windows password:

Reboot the laptop.

At the grey PGP boot screen, have the user log in with their local Windows password (they could also use their PGP passphrase, but the Windows password is easier to remember).

They should then see the normal Windows login screen, where they can log in with their local Windows password.


i) If the laptop tries to auto-login to the lspadmin Windows account, you may see a login error.

Click "OK" / "Switch User" / "Other User", and the user can then log in normally.

One possible fix is to disable PGP's auto-login feature.  The following may or may not work:

http://www.symantec.com/business/support/index?page=content&id=HOWTO42010

(basically, under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\PGP Corporation\PGP, create a value named DISABLEWDESSO and set it to 1)
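As an added example (not from the SAS procedure or from Symantec's article), the function below writes the DISABLEWDESSO value at the registry path given above and reads it back, so the change is confirmed before the reboot that applies it. It assumes the value is a REG_DWORD (the procedure does not state the type) and that the key path is exactly as written above; it must be run from an elevated PowerShell prompt on the encrypted machine.

```powershell
# Added example, not part of the SAS procedure: toggle PGP's WDE auto-login via
# the DISABLEWDESSO value described above and return the value read back.
# Assumption: REG_DWORD type; key path as given in the procedure. Run elevated.
function Set-PgpAutoLogin {
    param([switch]$Disable)   # -Disable writes 1; omit it to restore auto-login (0)
    $key = 'HKLM:\SOFTWARE\PGP Corporation\PGP'
    if (-not (Test-Path $key)) {
        throw "PGP registry key not found at $key; is PGP Desktop installed?"
    }
    $value = if ($Disable) { 1 } else { 0 }
    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $key -Name 'DISABLEWDESSO' -Value $value -Type DWord
    # Read back so the change is confirmed before rebooting.
    return (Get-ItemProperty -Path $key -Name 'DISABLEWDESSO').DISABLEWDESSO
}

# Usage (from an elevated prompt): returns 1 when auto-login is now disabled.
Set-PgpAutoLogin -Disable
# Reboot afterwards and repeat the boot-screen test from step 7h.
```

If the user later wants single sign-on back, call Set-PgpAutoLogin without -Disable, which writes 0; either way the behaviour only changes after a reboot.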


SAS Pre-Encryption Infosheet (User Agreement)

Introduction

PGP® Whole Disk Encryption (WDE) service is for SAS Faculty and Staff who need to store sensitive data on their computers. WDE is used to protect that data in the event a computer is lost or stolen. It does not protect the data once a user logs in to the computer. At that point, other technical controls such as firewalls are required to protect the data. Please be aware that, due to the complexity of adding encryption to your computer, turnaround times for support issues will be longer.

SAS Computing Responsibilities

1. SAS Computing is responsible for ensuring a valid backup of the user's computer exists before
encryption takes place.
2. SAS Computing will ensure that the user's encryption key is backed up and stored for safekeeping.
3. SAS Computing will provide a means for accessing data if the user has forgotten their password.

User Responsibilities

1. Backups: Data backup is always important, but encryption makes it even more crucial. Data lost due to hard drive failure or human error will not be recoverable via standard data recovery methods. You are responsible for ensuring that you have a recent, valid and secure backup of your data.

2. Strong Passwords: Once the PGP password is entered, the data on the computer is no longer protected by the encryption. If the computer's screen is locked or goes to sleep, only the Windows password will be required to obtain access. A strong Windows password will provide additional protection for your data. Additionally, your computer should be turned off and/or restarted when you will be away from it, to ensure that the machine is in an encrypted state.

3. Forgotten Passwords: If you forget your password to log in to your computer, you will need to follow standard procedures in order to get past the PGP password screen:

   On Campus: Contact your LSP, and they will be able to get on to your computer and facilitate a password reset for you.

   Off Campus: Contact your LSP, and provide the requested information to verify your identity. Your LSP will then work with the PGP Server administrators to generate a password token to allow you access to your computer. Tokens are good for a single use, and you will need to work with your LSP to reset your password once you are able to get in to your machine.

4. Travel Restrictions: Users intending to travel to Cuba, Libya, North Korea, Syria, Sudan, Iran or Iraq must contact the Office of Research Services for assistance in determining whether an export license is required for computers with PGP installed, and, if so, assistance in applying for an export license.

5. Export Controls: Any release of the PGP encryption technology or source code to a foreign national from Cuba, Libya, North Korea, Syria, Sudan, Iran or Iraq, or an individual on the denied parties list even while in the United States, may be prohibited under the “deemed export” rules. Again, you are responsible for contacting Penn’s Office of Research Services for assistance.

6. Other Restrictions: PGP products may not be used directly or indirectly in the design, development, fabrication, or use of nuclear, chemical, or biological weapons or missile technology without US government authorization. Contact the Office of Research Services for more information.

End-User Acknowledgment

I certify that it is necessary for me to store sensitive data locally on my computer. I agree to the terms and conditions outlined above and fully understand the implications of having PGP Whole Disk Encryption installed on my computer.