FAQ - PGP Desktop Whole Disk Encryption

While the PGP Desktop product includes many security functions, including encrypting email, the UIC license for PGP Desktop only covers PGP Whole Disk Encryption -- PGP WDE -- and its related products. When you install PGP Desktop, PGP WDE will automatically begin to encrypt your computer's root hard drive.

• About PGP Desktop and Whole Disk Encryption
• Installing and Upgrading PGP Desktop
• Passwords and Security Questions
• PGP Whole Disk Encryption and PGP Universal Server for Departments

Question 1.1 I want to use PGP Desktop to encrypt my computer. What do I need?

Both you and your computer need to have a license:

• One PGP Whole Disk Encryption license for each computer:
  For each computer that will be encrypted with PGP WDE, you need to buy a PGP Whole Disk Encryption License -- one per computer. It doesn't matter who buys the license, just so long as each computer has a license.
• One PGP Universal Server License for each person who will boot the computer:
  Each person who will be booting any computer that has PGP WDE installed on it must have his or her own Universal Server Licence. This will authorize them to use the ACCC's Universal Server. One PGP Univeral Server License will allow the person to boot any computer -- any number of computers -- that he or she is enrolled with PGP on.
• The UIC netid of the person who buys a PGP Universal Server License from the Webstore is automatically associated with that license. If the license should be associated with someone else, the purchaser should send email to encryption@uic.edu giving us the name and netid of the person(s) who should be associated with the licenses they bought. See PGP Whole Disk Encryption and PGP Universal Server for Departments for more information.
• We will distribute PGP products through the online Webstore.

Question 1.2 I want to use PGP Desktop on two computers. What do I need?

You need a license (only one, for any number of computers) and each of your computers need to have their own licenses, so at least you need:

• Two PGP Whole Disk Encryption licenses, one for each computer.
• One PGP Universal Server License for yourself (and also one for each other person who will boot the computer.)
• We will sell PGP products through the online Webstore.

Question 1.3 Do you use a 3rd-Party defragger on your Windows machine? Then you need to read this.

• PGP Desktop writes its local copy of your password (encrypted, of course) in a specific spot on your disk. If your defragging software moves it, you will not be able to login to your Windows computer. This, I'm pretty sure, happened to me, while I was testing PGP Desktop.
• So, please see 3rd Party Defragmenter improperly moves PGP WDE file causing boot failure.
• You can prevent by opening your defragmentation software and telling it to never defrag the file: C:\PGPWDE01
  The PGPWDE01 file is a hidden systems file in the root directory of your boot disk, so this assumes that your boot disk is your C:\ disk.

Question 1.4 What is PGP Universal Server? Is it a separate product from PGP Whole Disk Encryption?

Answer from PGP, Inc:

PGP Whole Disk Encryption is a full disk encryption solution for Windows, Mac OS X and Linux systems. PGP Whole Disk Encryption can be centrally managed by PGP Universal Server, which is Cent OS (Linux)-based software that can run on most servers. PGP Universal Server provides organizations with a single console to manage multiple encryption applications. IT organizations can manage users, automate administrative activities and establish policies to defend sensitive data and avoid the financial loss, legal ramifications, and brand damage from a data breach.

For more information on PGP Universal Server including technical specifications, please visit http://www.pgp.com/products/universal_server/index.html

• The ACCC runs a campus-wide PGP Universal server that is associated with the ACCC Active Directory. Anyone using PGP Whole Disk Encryption on campus can use the ACCC PGP Universal server, unless departmental policy says otherwise.
• Everyone who boots a computer with PGP Desktop installed must have his or her own PGP Universal server license.
• Each person only needs one PGP Univeral Server License. One license will allow the person to boot any computer -- any number of computers -- that he or she is enrolled with PGP on.
• Note that people do not need a PGP Universal server license to just use a computer protected by PGP Desktop, so long as someone with a PGP Universal Server license boots it.
• Departments and units wishing to run their own PGP Universal server can purchase licenses and software from the ACCC.
• If you buy a PGP Universal Server License from the Webstore, your UIC netid will automatically be associated with that license. If the license(s) should be associated with someone else, please send email to encryption@uic.edu and give us the name and netid of the person(s) who should be associated with the licenses you bought. See PGP Whole Disk Encryption and PGP Universal Server for Departments for more information.

Question 1.5 Will my computer be different after I install PGP Desktop and the PGP Whole Disk Encryption runs?

Yes, but much less than you might think.

• When you boot your computer, you will have to login using the PGP Bootguard screen.
  • On Windows, the Bootguard login will take you directly to your Windows account, bypassing the Windows login screen. You will have to login with the Bootguard screen when the computer wakes up from hibernation also.
  • On Mac OS, the Bootguard login will take you to the Mac OS login screen, where you will have to login to your Mac OS account with your Mac login password.
• The following questions have information on other changes.

Question 1.6 Will I be able to use my computer if I am not connected to the UIC network? How about to the Internet?

• Yes to both.
• But you don't want to do that too often. The major point in using PGP Whole Disk Encryption as it is set up at UIC is:
  • that the ACCC (or your department) can set encryption policies remotely and
  • that PGP WDE checks in with the server periodically so there is a record to confirm that you are actually using encryption. This will be useful if your laptop is every lost or stolen.

Question 1.7 Does PGP Whole Disk Encryption affect how I my programs will run? My ADSM backups?

• No. After you have logged with the PGP Bootguard screen, all your files and applications, including email, ADSM backups, and network connections are unaffected.

Question 1.8 Will my computer be slower once it's encrypted?

• There may be a (3% or less) reduction in computer speed. This should be unnoticable in newer computers.
• Deleting files on your computer may be a bit slower because the PGP Shredder will make sure the files are completely removed by actually writing over the space on disk that the files were stored.

Question 1.9 What can I use PGP Whole Disk Encryption to do? How?

The PGP Corp Quick Start for PGP Whole Disk Encryption PDFs have a really good introduction to using the parts of PGP Desktop that are included in the UIC PGP Desktop license.

• pgpWholeDiskMac_100_quickstart_en.pdf: PGP Whole Disk Encryption Mac Quick Start
  
  
• pgpWholeDiskWin_100_quickstart_en.pdf: PGP Whole Disk Encryption Windows Quick Start

Question 1.10 If my hard drive is encrypted, will others have to decrypt files I send to them?

• No. After you log in, PGP Desktop automatically decrypts your files as you use them. Any files that you use or send or backup will not be encrypted. (For good or bad.)
• See a Quick Start Guide for more information.

Question 1.11 Can I use PGP Desktop to encrypt files I send to the other people?

• Yes. You can use PGP Desktop to create encrypted PGP Zipfiles. But note that there is no way to recover the data in a PGP Zip file if you forget its password.
• You can also encrypt files on removable disk drives, such as USB flash drives. However, PGP Desktop-encrypted external drives can only be used on machines with PGP Desktop installed.
• See a Quick Start Guide for more information.

Question 1.12 Can I encrypt extermal drives such as USB thumb drive or external hard drive using PGP?

• Yes you can use PGP to encrypt most types of external hard drives and thumb drives.
• The only caveat is that PGP Desktop-encrypted external drives can only be used on machines with PGP Desktop installed.
• PGP WDE should not be used for floppies, CDs, and DVDs.
• See a Quick Start Guide for more information.

Question 1.13 Is there some way to protect files on my computer while I'm using it?

• Yes, you can use PGP Virtual Disk volumes to protect the sensitive data on your computer, and only mount the virtual disk when you actually need to use that data.
• PGP Virtual Disk volumes will continue to protect your data even after you boot your computer if you only mount them when you are actually using the data.
• See a Quick Start Guide for more information.

Question 1.14 Is PGP compatible with my antivirus software?

• Yes, if you are using the ACCC's Symantec Endpoint Protection (Version 11+). And using PGP WDE does not make antivirus software unnecessary!
• And most likely still yes, if you use another antivirus software.

Question 1.15 Does the ADSM backup service work with PGP?

• Yes. However, the backed-up files on the ADSM server are not encrypted.
• Note: You should run a full backup before you install PGP Desktop.

Question 1.16 Can I upgrade my operating system after I install PGP Desktop?

• Absolutely, before you install PGP Desktop: The PGP install instructions for both Macs and Windows say to fully update your operating system before you install PGP Desktop.
• After you install PGP Desktop, major OS upgrades require special handling. The MacOS readme file says this: "Upgrading the Mac OS X software: If you are upgrading your computer to a new major release of Mac OS X (such as from 10.5.x to 10.6.x), be sure to uninstall any previous versions of PGP Desktop before upgrading to the new version of Mac OS X. Be sure to back up your keys and keyrings before uninstalling. Note that if you have used PGP Whole Disk Encryption, [which here at UIC, you will have,] you will need to decrypt your disk before you can uninstall PGP Desktop. Once you have upgraded your version of Mac OS X, you can then reinstall PGP Desktop." I wouldn't doubt that you need to uninstall before you do an OS upgrade for any operating system.
• You can, however, and should, install incremental operating system upgrades and patches on your computer running PGP Desktop and PGP WDE. I have done this on both my Macs and Windows machines with PGP WDE running without any problems.

Question 1.17 Can I still put my PGP WDE-encrypted machine into hibernation or standby?

• The best/easiest solution to protect your laptop that is running PGP WDE when you are transporting it or it is out of your control is to shut it down.
• However, for Windows, if you use Hibernate rather than Sleep when you turn your computer off, PGP WDE will protect your computer when it wakes. Not all Windows computers support or are set up so that they can Hibernate. To tell whether yours is, check to see whether Hibernate is a Shutdown option in the Start menu. Even if it isn't, you might be able to turn it on. Search in Windows' Help and Support for "hibernate" for more information. My Windows 7 machine has a lot of good information in the topic: Hibernation: frequently asked questions.

Question 1.18 Can I create backup images of Whole Disk Encrypted Drives?

• Yes, but it's complicated. See HOW TO: Create backup images of Whole Disk Encrypted Drives or Files

Question 1.19 What happens if my computer or Bootguard fails? Can I still access the data on the disk?

• Yes. You can remove the disk from a failed machine and connect it to another machine that has PGP Desktop installed. You will prompted to enter the disk's passphrase to unlock it, then after it's unlocked you can access the data.
• It the problem is that Bootguard has failed, rather than the entire computer, you can use a PGP Whole Disk Encryption Recovery Disk Image disk to boot the computer.

Question 1.20 Do RDP (Remote Desktop Protocol) remote logins work with PGP Whole Disk Encryption?

• Yes.
• But, if the computer is off, or if it's locked and at the bootguard screen, you can't log in. Someone has to be physically present at the computer to enter the PGP Bootguard passphrase.
• Or you can have a remote console server attached to the computer to use to enter the passphrase.
• The point is that you cannot enter the passphrase remotely.
• But continue reading....

Question 1.21 I'm remotely installing new software on a computer using PGP WDE and it requires a reboot. Is there some way to do that?

• Normally, someone has to be at the computer to enter the PGP Bootguard passphrase.
• But, there is an option to be used with extreme caution: There is a way to tell a machine to reboot and bypass the bootguard screen when it comes back up.
  • See Feature Clarification: Whole Disk Encryption (WDE) Bypass Feature for a discussion of the use of this feature.
  • The PGP documentation on the Whole Disk Encryption Bypass Feature: https://supportimg.pgp.com/guides/PGPWDEBypass.pdf (PDF)
  • "This feature can be useful for system maintenance when a reboot is necessary and bypassing the normal PGP Bootguard screen is desired such as performing remote maintenance on a system so that the system automatically reboots without the need for entering the passphrase at PGP Bootguard.
    
    Use the Bypass option only when necessary. When the bypass option is used, the machine can be rebooted directly to the Windows logon prompt without requiring a passphrase to be typed at the Bootguard screen. This works well when performing windows maintenance, such as applying patches, and so on. Aside from system maintenance or testing, this option is a security risk and should not be used."

Question 1.22 I'm having trouble. Where do I go for more help?

The PGP Corp Quick Start for PGP Whole Disk Encryption PDFs have a really good introduction to using the parts of PGP Desktop that are included in the UIC PGP Desktop license.

• pgpWholeDiskMac_100_quickstart_en.pdf: PGP Whole Disk Encryption Mac Quick Start
  
  
• pgpWholeDiskWin_100_quickstart_en.pdf: PGP Whole Disk Encryption Windows Quick Start
  
  
• If they don't help, send email to encryption@uic.edu.

Question 2.1 I use Windows 64-bit; can I use PGP Whole Disk Encryption?

• Yes. PGP WDE supports the 64-bit versions of Windows XP, Vista, and Windows 7.

Question 2.2 I use Macintosh OS X, can I use PGP Whole Disk Encryption?

• Yes, but only on Intel Macintosh computers.

Question 2.3 Can I use the built-in Macintosh or Windows encryption instead?

• No, but it is not because they don't work.
• But the major point reason to use PGP Whole Disk Encryption as it is set up at UIC is:
  • PGP allows the ACCC (or your department) to set encryption policies remotely, ensuring that your machine is secure, and
  • that your PGP WDE checks in with the server periodically so there is a record to confirm that you are actually using encryption. This will be useful if your laptop is every lost or stolen.

Question 2.4 What do I need to do before I install PGP Desktop?

• The PGP install instructions for both Macs and Windows say to fully update your operating system before you install PGP Desktop.
• Also, PGP Corporation recommends, as a best practice, that you back up your data before encrypting your disk.
• See also best practices to use prior to performing PGP Whole Disk Encryption.

Question 2.5 Can I change PGP Desktop's Options?

• No, it apparently is a feature of the UIC PGP Desktop installations that you can't change the Options (Windows) or Preferences (Macs) of PGP Desktop.

Question 2.6 How long will it take for PGP Desktop to encrypt my hard disk?

• I'm sorry, but this takes a long time. I have encrypted machines with 300 GB hard drives that took upwards of 12 hours to encrypt. Your time will vary, of course, depending on the size of your hard drive and the speed of your computer.
• While PGP says that you can use the computer while the encryption process is taking place, it does make the computer slower, so my advise is to start the process in the afternoon and let it run overnight.
• It would be counterproductive for your computer or hard drive to go to sleep or hibernate while PGP is encrypting your disk. Change your power settings so this doesn't happen.

Question 2.7 I installed PGP Desktop on one account on my computer. What if there are other accounts on the computer that are being used?

• Any additional accounts on the computer whose owners should be able to boot the computer should be enrolled in PGP. (Or if any PGP Desktop features are to be used on those accounts.)
• The owner of each of accounts that will boot or use PGP Desktop must have his or her own Universal Server license and must login through the PGP enrollment software while the machine is online so that they can be registered (enrolled) with the PGP Universal Server.
• Everyone who boots a computer with PGP Desktop installed must have his or her own PGP Universal server license
• See Adding Additional Users on Shared Machines for more information.

Question 2.8 What if there are multiple people who can use a computer who are not authorized to boot the computer? Will these additional users need a PGP license even if they never boot the computer?

• No, they don't.
• People only need a PGP Universal Server license if they're going to enroll with the PGP server, and if they don't need to boot any machine or use any PGP Desktop features, they don't really need to enroll.
• People using accounts like this should just ignore the PGP prompt that pops up when they log in.

Question 2.9 I was setting PGP Desktop for another person and accidentally registered (enrolled) their computer into PGP with my netid and password. Can this be changed to the actual owner of the account?

• Yes. What you did is enroll the computer account into the ACCC's PGP Universal Server using your Universal Server license.
• So what you need to do to rerun the enrollment process in that Windows account that you've already run the enrollment process in. To do this, you need to delete the "PGP Corporation" folder from the following locations:
  • In Windows XP:
    C:\Documents and Settings\username\Application Data
    C:\Documents and Settings\username\Local Settings\Application Data
  • In Windows Vista and Windows 7:
    C:\Users\username\AppData\Roaming
    C:\Users\username\AppData\Local
• The next time you log in with the username account, you will be prompted to enroll again.

Question 2.10 I just got a prompt asking me to upgrade PGP Desktop. What should I do?

• Go ahead and upgrade it. Please.

Question 3.1 What userid and password do I use to Enroll in PGP?

• When you install PGP Desktop, the userid is yournetid (try ad\yournetid on Windows if just your netid doesn't work), and the password is your ACCC common password. For example, Ada Byron, whose netid is adabyron, would use adabyron along with her ACCC password.
• After you install PGP Desktop, you will only need your PGP Desktop "Passphrase" to boot your computer or to use PGP Desktop.

Question 3.2 What is my PGP passphrase?

This depends on what type of computer you are using and on how your computer is set up.

• If you have a Windows computer that is not on the ACCC Active Directory -- that is, you don't use an ACCC Active Directory account to log into it -- then after you install PGP Desktop and encrypt your hard drive, you will have a Single Signon Login, and your PGP passphrase will be your Windows account login password.
  
  
• If you have a Windows computer that is in the ACCC Active Directory, then your PGP passphrase is your ACCC Common password, which is also your ACCC Active Directory password.
  
  
• If you have a Mac, then your PGP passphrase is your ACCC Common password, which is also your ACCC Active Directory password.

Question 3.3 I think I may have answered one of my security questions incorrectly. Is there a way to change these questions/answers after the initial setup?

• You will need permission from the ACCC's PGP management team to do this. Send email to encryption@uic.edu.
• Note that there isn't any way to enter security questions for PGP Desktop on Macs the way the UIC licensing is set up.

Question 3.4 How do I enter Security Questions on Macs?

• Security Questions are five questions that you can answer to reboot your Windows computer if you've forgotten your PGP Desktop passphrase.
• Sorry, PGP WDE at UIC on Macs does not have Security Questions.

Question 3.5 My PGP Passphrase is my Windows account password. Can I change my Windows account password while I'm using PGP Whole Disk Encryption? My ACCC Password?

• Yes, you can change your Windows password. But the first time you reboot your computer after you change your Windows account password, you will still need to use your old Windows account password to login to the PGP WDE Bootguard screen.
• After you reboot and login with your old password, you will get a standard Windows login screen.
• Login with your new Windows password on this screen, and your PGP passwords will be synchronized. PGP syncs its password with the Windows account's password, and the Windows logon triggers the password update.
• And yes, you can also change your ACCC password; it will not affect your PGP WDE at all. This is because PGP only uses your ACCC password once or twice, when and perhaps one again after your initial enrollment with the PGP Universal Server.

Question 3.6 My PGP Passphrase is my ACCC Common password. Can I change my ACCC Common password while I'm using PGP Whole Disk Encryption?

• Yes. But the first time you reboot your computer after you change your ACCC Common password, you will still need to use your old Common password to login to the PGP WDE Bootguard screen.
• After you reboot and login with your old password, you will get a standard Windows login screen.
• Login with your new Common password on this screen, and your PGP passwords will be synchronized. PGP syncs its password with the Windows account's password, and the Windows logon triggers the password update.

Question 3.7 Do I have to connected to the Internet when I enter my PGP Passphrase?

• No. But see Will I be able to use my computer if I am not connected to the UIC network? How about to the Internet? for reasons why you should be when you are using PGP WDE.

Question 3.8 What if I forget my PGP Passphrase and the answers to my security questions? Can I still get into my computer?

• Yes. The ACCC's PGP management team can generate a special passphrase that can be used in this circumstance. Send email to encryption@uic.edu/

Question 4.1 What do I need to buy to use PGP WDE on my computer?

• One PGP Whole Disk Encryption license for each computer:
  For each computer that will be encrypted with PGP WDE, you need to buy a PGP Whole Disk Encryption License -- one per computer. It doesn't matter who buys the license, just so long as each computer has a license.
• One PGP Universal Server License for each person:
  Each person who will be booting any computer that has PGP WDE installed on it must have his or her own Universal Server Licence. This will authorize them to use the ACCC's Universal Server. One PGP Univeral Server License will allow the person to boot any computer -- any number of computers -- that he or she is enrolled with PGP on.
• Note that people who (1) will not be booting the computer that has PGP Desktop installed and (2) will not be using any of its features do not need to have a PGP Universal Server license. They should just close the PGP Desktop enrollment utility when they log into their account.

Question 4.2 I have purchased multiple PGP licenses for my department, using my netid and password. How to I get these assigned to the people who are actually going to be using them? I don't want to have to login for everyone!

• When you purchase multiple PGP Universal Server licenses at once, send an email message to encryption@uic.edu with a list of the names and UIC netids of the people that you want them assigned to. (One person per license.)
• We will enroll these people in our PGP Universal Server and they will be able to enroll their own computers into PGP. (See also below, about administrator accounts.)

Question 4.3 We are installing PGP WDE on a number of computers in our department. We want to have a common administrator helpdesk account authorized to boot each of these computers, in addition to the person who will actually be using the computer. How should we do this?

• Do you actually want to have two different Windows accounts on the computer, one for the admin account and one for the user? In this case, it is a good idea to install PGP on each machine under the administrator account, and then enroll the computer's user as an additional account.
• Or there is another option available for administrative access to a group of encrypted machines. The ACCC can set up a PGP group on the server for your group of users, Then we apply a custom policy to that group. We can associate a WDE Administrator password with this policy, and you will be able to use that password to unlock any machine that was encrypted by anyone in your PGP group. This would mean that you wouldn't have to actually set up and enroll an administrator account on each machine. Send an email message to encryption@uic.edu if you are interested in doing this.

Question 4.4 If we have a PGP WDE Administrator group defined on the ACCC Universal server, what if we want to change our administrator password sometime in future? How would the new password be synced with the computers in our group?

• If the administrator password for a group is changed, it will be updated on the individual computers in the group when the that computer's PGP Desktop client downloads policy updates. This is scheduled to happen every 24 hours.
• If a machine is powered off or disconnected from the network for an extended period of time, it won't receive the policy update. Policy updates only occur when the user is logged in to a Windows account that they've enrolled with PGP on; it doesn't run in the background if a machine is sitting at the Windows login screen.

Question 4.5 My installation of PGP involves six computers but only four users. (Three of the users are responsible for two computers each.) Is this an problem? Can netids be tied to more than one computer with PGP installed on it? ?

• Yes, this is fine. Each person who boots a computer using PGP WDE must be enrolled in the PGP Universal Server, but one PGP Universal Server license is good to boot any computer that the person is enrolled on.
• Also, multiple users can be enrolled on the same machine, each with their own Windows/Mac account.

Question 4.6 We have graduate students using PGP WDE-encrypted computers. Can we switch their PGP Universal Server License to someone else when they leave?

• Yes, just send email to encryption@uic.edu giving us the name and netids of the person who is leaving and the one the license should be transferred to.
• Multiple users can enroll on the same machine, so if the new person is using a different account on the computer, all they would have to do is enroll in PGP from that account. If the person who initially encrypted the machine isn't available to unlock it for the new user, we have other means available to unlock the disks.

Need Additional Help?