PGP Desktop

Your data deserves protection. The UIC license for PGP Desktop provides easy to use and secure encryption to protect sensitive data on your laptop or desktop computers. Laptops are easily lost, and even desktop computers can be stolen. PGP Desktop also includes a secure shredder, to really delete files you want to delete. A major motivation for using PGP WDE is to fulfill HIPAA requirements. PGP Endpoint, which offered additional encryption of data on removable storage and portable devices, is no longer available. We are testing its replacement and will make it available as soon as possible.

• Why You Want to Use PGP Desktop
• -- A Bit about PGP, Public and Private Keys, and How PGP Encryption Works
• What Am I Installing?
• --Added Security is Necessary When the Computer is Running
• --How to Support Computers Running PGP WDE
• Licensing and Cost
• PGP and Email
• Supported Operating Systems for PGP Whole Disk Encryption (PGP WDE)
• PGP Corp's User Documentation (PDF Files)
• Some General Notes
• Installing
• --Before You Install

You may have heard of PGP -- Pretty Good Privacy -- in the context of encrypting electronic mail and email attachments, and digitally signing email messages. That is not what the UIC license for PGP Desktop is for. PGP Desktop provides easy to use and secure encryption to protect sensitive data on your laptop, PC, or removable media. Laptops and flash drives are easily lost, and even desktop computers can be stolen. PGP Desktop also includes a secure shredder, to really delete files you want to delete.

The UIC license for PGP centers on PGP Whole Disk Encryption, PGP WDE, which securely encrypts the entire contents of your laptop or desktop, including boot sectors, system, and swap files. After you install PGP Desktop on your computer, PGP Whole Disk Encryption will automatically run on its hard drive. After your hard disk is encrypted, you must login to PGP before you can boot the computer. Operating system login bypass tricks won't work.

After you authenticate and your computer boots, PGP's encryption is always on, automatically protecting your data. But it is also transparent. This "transparency" means that your computer works exactly as it always did after you boot, but it also means that the files you use are not protected when your computer is on, after you authenticate with PGP. So there are three additional things you need to do to protect your computer:

1. Turn your computer off when you are transporting it, so that it will be protected from booting without logging into PGP.
   
   
2. Make sure you turn password protection on for when your computer goes to sleep. This does not provide the protection that PGP Bootguard does, but it will keep casual intruders from accessing your computer while it is asleep. (Note that if you use Hibernate on Windows machines rather than Sleep, PGP WDE will protect your computer when it wakes. However, not all Windows computers support or are set up so that they can Hibernate. (You can tell see whether Hibernate is a Shutdown option in the Start menu; Search in Help and Support on Windows for "hibernate" for more information.)
   
   
3. Use PGP Virtual Volumes to protect sensitive date on your disk. Use PGP Desktop to create PGP Virtual Volumes, and store your data these PGP-encrypted virtual volumes on your hard disk. These volumes will provide an added layer of security to protect sensitive data while your system is powered on.

The ACCC is running a PGP Universal Key Server, in which your PGP key is protected with your UIC Active Directory ID and password, which is your UIC netid and your ACCC common password.

PGP, Pretty Good Privacy, is a "public key cryptosystem." (Also known as PKC.) In PGP, each person has two "keys": a "public key" that you give to other people, and a "private key" that only you know. You use public keys to encrypt messages and files for others or to add users to PGP Virtual Disk volumes. You use your private key to decrypt files and messages that are encrypted with your public key. We have a newsletter article, Pretty Good Privacy, that explains how encryption with keys works and introduces the PGP PKC. The article was written ten years ago; the "The Answers Are..." section is out of date, but the way things work is the same.

The good news is that you don't have to know anything about how PGP, PGP Keys, or even PGP Whole Disk Encryption works to use PGP Desktop. The ACCC's PGP Universal Server will even keep your PGP Universal keys for you.

You might need to have other people's PGP public keys, though, if you want to encrypt a PGP Zip archive for someone else or use PGP Viewer to encrypt or decrypt files. Using PGP Whole Disk Encryption explains how to search for and save other people's public keys.

The software that you install is called PGP Desktop, but the UIC license for PGP Desktop includes only the PGP Whole Disk Encryption (PGP WDE) parts of PGP Desktop. The PGP Corporation's PGP Whole Disk Encryption Quick Start Guides:

• PGP Whole Disk Encryption Mac Quick Start
  
• PGP Whole Disk Encryption Windows Quick Start

have instructions on how to use these parts of PGP Desktop:

PGP Whole Disk Encryption (PGP WDE) You can use PGP WDE to lock down the entire contents of your system or an external or USB flash drive. Boot sectors, system files, and swap files are all encrypted. Whole disk encrypting your boot drive means you do not have to worry if your computer is lost or stolen: to access your data, an attacker would need your PGP WDE "passphrase", provided that the computer is not already booted.

PGP Bootguard is the name of the part of PGP Desktop that allows you to login to your computer after PGP WDE has encrypted your computer's hard drive.

PGP Virtual Disk volumes allows you to define part of your hard drive space as an encrypted virtual disk volume that you mount with its own drive letter. When a PGP Virtual Disk is mounted -- open-- you can use it and the data in it like you would use any other drive. But when the volume is not mounted, all the data on the volume is protected with PGP Bootguard.

PGP Zip allows you to create an encrypted, compressed, portable archive from any combination of files and folders. PGP Desktop must be installed on a system to create or open a PGP Zip archive. You can use a PGP Zip archive to send data to other people securely or to back it up securely.

PGP Shredder completely destroys files and folders that you delete so that even file recovery software cannot recover them. When you delete a file using the Recycle Bin (on Windows systems) or Trash (on Mac OS X systems), it is not actually deleted; just the directory information pointing to it is deleted. PGP Shredder, however, immediately overwrites file's data multiple times.

The ACCC runs a PGP Universal Server for UIC. The PGP Universal Server provides central administration of PGP encryption applications, creation and delivery of configuration policy, reporting and logging, and management of PGP private and public keys.

The UIC license for PGP Desktop does not include PGP Desktop Email (which encrypts, signs, decrypts, and verifies email and Instant Messages) or, for Windows, PGP NetShare (for sharing protected files). PGP Viewer and PGP Zip, respectively, which we do have, can help with these tasks.

Because the ACCC PGP Universal Server manages the campus's public and private keys, our PGP Desktop does not come with PGP Key Management.

PGP Endpoint, which offered additional encryption of data on removable storage and portable devices, is no longer available. We are testing its replacement and will make it available as soon as possible.

The biggest problem with PGP WDE is even though the data on your hard drive is encrypted, after you login with PGP Bootguard, your data is freely accessible. Making sure that everyone uses a login password and has that password activated when the computer wakes up from sleep or the screensaver can help with that problem.

However, on Windows, if you use Hibernate rather than Sleep, when your computer turns itself off, PGP WDE will protect your computer when it wakes. But not all Windows computers support or are set up so that they can Hibernate. To tell whether yours is, check to see whether Hibernate is a Shutdown option in the Start menu. Even if it isn't, you might be able to turn it on. Search in Window's Help and Support for "hibernate" for more information.

But the best/easiest solution to protect your laptop when you are transporting it or it is out of your control is to shut it down.

It is also a good idea to use PGP Virtual Disk volumes to protect the sensitive data on your computer, and only mount the virtual disk when you actually need to use that data. PGP Virtual Disk volumes will continue to protect your data even after you boot your computer if you only mount them when you are actually using the data.

A major motivation for using PGP WDE is to fulfill HIPPA requirements; there are many considerations in deploying it in a group environment. This article: Deploying PGP Whole Disk Encryption in Mac OS talks about the problems with remote servicing and installing OS updates and the like on a group of machines with PGP WDE installed on them. Not all of the article is applicable to departmental support people; some of it applies more to the ACCC. Also, don't worry about the Mac OS; there is a lot for people supporting other OSes also. It is about a project of installing PGP WDE in a medical center for HIPPA, which makes it of particular interest.

A typical computer using PGP will need two things that the ACCC sells (at no cost as of July 1, 2011) through the online Webstore:

• PGP Universal Server license, 1 per person
• PGP WDE, 1 per machine

Everyone who will boot a computer that uses PGP WDE must have his or her own PGP Universal Server license, but each person's license will allow them to boot any -- all -- computers that he or she uses that has PGP WDE installed on it. Which explains the "1 per person". The "1 per machine" is more obvious; you need a license for PGP WDE for each machine that you install it on.

At a glance this might seem clear, but when you get to machines with multiple users, or people buying multiple licenses at the same time, things can get confusing. Both of these questions, and more, are answered PGP Desktop Frequently Asked Questions page. If you have questions on how to license or install PGP Desktop and Whole Disk Encryption, please check it out.

PGP Endpoint, which offered additional encryption of data on removable storage and portable devices, is no longer available. We are testing its replacement and will make it available as soon as possible.

PGP Desktop does have integrated email functions, but our license doesn't include that. However, the PGP Viewer is installed with our PGP Desktop; it decrypts, verifies, and displays encrypted or signed files. So if you save an encrypted or signed email message as a file, you can decrypt or verify the saved file with PGP Viewer. PGP Viewer also has the option to copy the decrypted, plaintext version of the message back into your email inbox, provided it is an email program that PGP Desktop supports. (Go to PGP Corp's PGP Desktop Professional page, click on Technical Specifications on the gray bar in the center, then scroll down on the Technical Specifications page to see the list of supported email clients for Windows.)

The PGP Desktop Quick Start Guide has instructions; see PGP Corp's User Documentation (PDF Files). Note that is the PGP Desktop Quick Start Guide, not the quick start guide for PGP Whole Disk Encryption.

But, and this is a big but, it appears that PGP Desktop and PGP Viewer (as we have it, I think) will only work with PGP Universal Server keys. I have tried to use PGP Viewer with email that had been signed with PGP keys that are held on the MIT PGP public server, for example, and it couldn't find the keys. PGP Viewer did process email and PGP Zip files that were encrypted with PGP Desktop; even email from the support people at PGP Corp, who are not on our PGP Universal Server.

To fill in this gap, I installed GnuPG and Enigmail for the Mozilla Thunderbird email program on my Windows 7 machine, and this software worked along with PGP Viewer to allow me to use PGP signatures, encryption, and decryption on both types of PGP keys. GnuPG is Gnu freeware; see GPG / PGP modules and plug-ins for links to modules, add-ons, and plug-ins like Enigmail for various Windows, Mac, and Linux mail client. These add-ons make it easy the GnuPG. Most of them are freeware. (Note that GnuPG asked me to make another key pair when I installed it; it didn't see my Universal keys.)

Note: PGP states that these OSes "are supported only when all of the latest hot fixes and security patches ... have been applied."

Microsoft Windows

Windows 7 (all 32- and 64-bit editions)
Windows Vista (all 32- and 64-bit editions, including Service Pack 1 and 2)
Microsoft Windows XP Tablet PC Edition 2005 (requires attached keyboard)
Windows XP Home Edition (Service Pack 2 or 3)
Windows XP Professional 64-bit (Service Pack 2)
Windows XP Professional 32-bit (Service Pack 2 or 3)
Microsoft Windows 2000 (Service Pack 4)

512 MB of RAM and 64 MB hard disk space

Windows Server

Windows Server 2008 SP 1 and 2 (32- and 64-bit editions)
Windows Server 2008 R2 (32- and 64-bit editions)
Windows Server 2003 (Service Pack 1 and 2)
Windows Server 2003 SP 2 (32- and 64-bit editions)

512 MB of RAM and 64 MB hard disk space

Mac OS® X

Apple Mac OS X, 10.5.x or 10.6.x , on Intel-based Macs only

512 MB of RAM and 64 MB hard disk space

Linux

Ubuntu 8.04 and 9.04 (32-bit versions)
Red Hat Enterprise Linux/CentOS 5.2 and 5.3 (32-bit versions)

Note: PGP Whole Disk Encryption for Linux is command line only.

PGP Corp's documentation is really, really good. If you have any questions, take a look at these. In particular, if you want to know how PGP Desktop and PGP WDE works, take a look at the User's Guides below. The ACCC runs a PGP Universal Server to manage PGP Desktop on campus; you'll need to know that while you read the PGP manuals. Also note that the UIC license for PGP Desktop is only for the PGP Whole Disk Encryption parts.

• pgpWholeDiskMac_100_quickstart_en.pdf: PGP Whole Disk Encryption Mac Quick Start
  
  
• pgpDesktopMac_100_readme_en.pdf: PGP Desktop for Macs Readme
  
  
• pgpDesktopMac_100_usersguide_en.pdf: PGP Desktop for Macs User's Guide
  
  
• pgpDesktopMac_100_quickstart_en.pdf: PGP Desktop for Macs Quick Start
  
  
• pgpWholeDiskWin_100_quickstart_en.pdf: PGP Whole Disk Encryption Windows Quick Start
  
  
• pgpDesktopWin_100_readme_en.pdf: PGP Desktop for Windows Readme
  
  
• pgpDesktopWin_100_usersguide_en.pdf: PGP Desktop for Windows User's Guide
  
  
• pgpDesktopWin_100_quickstart_en.pdf: PGP Desktop for Windows Quick Start

• The ACCC runs a PGP Universal Server for PGP Desktop.
  • This is why you use your UIC netid when you register with the PGP server and your ACCC common password as your passphrase.
  • The ACCC PGP Whole Disk Encryption policy requires that PGP Desktop automatically start PGP Whole Disk Encryption on your hard drive after registration.
  • The Universal Server keeps recovery tokens for PGP WDE disks; if you forget your password, send email to ??? for information.
    
    
• Upgrading the OS after WDE: The Mac OS readme file says this: "Upgrading the Mac OS X software: If you are upgrading your computer to a new major release of Mac OS X (such as from 10.5.x to 10.6.x), be sure to uninstall any previous versions of PGP Desktop before upgrading to the new version of Mac OS X. Be sure to back up your keys and keyrings before uninstalling. Note that if you have used PGP Whole Disk Encryption, you will need to decrypt your disk before you can uninstall PGP Desktop. Once you have upgraded your version of Mac OS X, you can then reinstall PGP Desktop." I wouldn't doubt that you need to uninstall before you do an OS upgrade for all OSes.
  
  
• You can and should apply incremental upgrades to your operating system after you run PGP WDE; the above caution is only for major OS releases. I've installed many, many upgrades on my Windows Vista machine, for example, and none have made any difference to PGP Desktop.
  
  
• Hibernation vs Standby In Windows, Hibernate mode writes an image of your computer’s entire main memory storage to a file on your hard drive, but not your PGP passphrase. PGP Corporation recommends that you always use Hibernate rather than Standby because Hibernate turns your computer off and you have to login again at the PGP Bootguard login window. But not all Windows computers support or are set up so that they can Hibernate. To tell whether yours is, check to see whether Hibernate is a Shutdown option in the Start menu. Even if it isn't, you might be able to turn it on. Search in Help and Support on Windows for "hibernate" for more information. (My Windows 7 machine has what you need to know in Hibernation: frequently asked questions.)
  
  
• In case of fried disks: You should keep track of exactly what version of PGP Desktop you have, in case your encrypted disk is damaged and will not boot. Don't do anything to the disk before you decrypt it! Here is how:
  • You can take the disk out of the computer that it is in and put it in another computer running the exact same version of PGP Desktop and use that computer's PGP Desktop to decrypt the disk.
  • Or, you can recover the files on the disk using a PGP recovery CD for the exact version of PGP Desktop you used to encrypt the disk: PGP Whole Disk Encryption Recovery Disk Image(s) - PGP Desktop 10
    
    
• Have a question? Got a problem? See the PGP Desktop's Whole Disk Encryption FAQ. If your answer isn't there, ask the folks at encryption@uic.edu.

Installing is easy, but it can go wrong, and fixing installation problems is not necessarily easy. Please read the notes on the install page before you install.

After you install PGP Desktop, PGP Whole Disk Encryption of your hard drive will begin automatically.

Warning: The actual whole disk encryption will take a long time -- 12, 24, or more hours, depending on how much you have on your hard drive. You can use the computer while PGP WDE is encrypting your disk, and you can pause the encryption to put your computer to sleep or to turn it off. But make sure you use proper OS methods to do turn it off or put it to sleep -- use the Start menu on Windows or the Apple menu on Macs. You do not want to mess with PGP Desktop's installation or whole disk encryption.

I have installed PGP Desktop on four actual machines: two Macs, a MacBook Pro running Snow Leopard and an iMac running Leopard, and two Windows machines: a Lenovo laptop running Vista and a Lenovo desktop running Windows XP. I have also installed PGP Desktop many times on two VMware Fusion virtual machines, one running Windows 7 and one running Windows XP. So I have installed PGP Desktop many times, and I have run into some trouble.

Here are some cautionary notes, some from PGP Corp and some from me:

• The PGP install instructions for both Macs and Windows say to fully update your operating system before you install PGP Desktop.
  
  
• Also, PGP Corporation recommends, as a best practice, that you back up your data before encrypting your disk.
  
  
• It apparently is a feature of the UIC PGP Desktop installations that you can't change the Options (Windows) or Preferences (Macs) of PGP Desktop.
  
  
• When you install PGP Desktop, the userid is yournetid (try ad\yournetid on Windows if just your netid doesn't work), and the password is your ACCC common password. For example, Ada Byron, whose netid is adabyron, would use adabyron along with her ACCC password.
  
  
• You can add additional users if you need to allow someone else to be able to boot your computer that has PGP Desktop and PGP WDE, but PGP Corp., and common sense, says to keep additional users to a minimum. See Adding Additional Users on Shared Machines for more information.
  
  
• After you install PGP Desktop, you will only need your PGP Desktop "Passphrase" to boot your computer or to use PGP Desktop. Your initial passphrase is your ACCC password.
  
  
• On Windows only, when the computer is not in Active Directory: On PGP Desktop installations on Windows, where your PGP login is a Single Signon User that will take you directly into your user account on Windows, your PGP login passphrase will change after your reboot your computer. When this happens, you will use your Windows user account password to login at the PGP Desktop login to boot your computer.
  
  
• If your Windows computer is in Active Directory or if you are using PGP Desktop on Mac OS, this change in PGP Passphrase does not happen. On Macs, I assume that this is because PGP logins are not associated with Mac OS accounts. The PGP WDE login doesn't take you directly into your account; when you restart using their passphrase, you will go to the main Mac OS login screen.
  
  
• The Mac and Windows versions of PGP Desktop are different. The Mac version was developed completely from scratch for Mac OS, and at this point it doesn't include all the features of the Windows versions. (PGP Desktop support of Macs is fairly new; it used to be Windows only.)
  
  
• Also see: Best Practices: PGP WDE - PGP Desktop 10 -- Best practices to use prior to performing PGP Whole Disk Encryption.