Information Technology Unit

Encryption

Understanding Encryption

As data security needs expand, encryption is increasingly becoming a primary solution for securing high-risk data.  Encryption is just what it sounds like: scrambling data into a code that can only be unlocked by authorized users.  There are many ways to encrypt data, but UIC and the College of Pharmacy recommend PGP Encryption.

 

Who needs encryption?

Anyone with Sensitive or High Risk data:

“Sensitive information is defined as information that if disclosed or modified without authorization would have severe or serious adverse effect on the operations, assets, or reputation of the University, or the University’s obligations concerning information privacy.” (Source: Office for the Protection of Research Subjects)

Anything covered by federal and state legislation, such as:

HIPAA (Health Insurance Portability and Accountability Act)

FERPA (Family Educational Rights and Privacy Act)

PHI: Protected Health Information

Payroll, personnel, and financial information

 

PGP: What is it and how does it work?

Pretty Good Privacy (PGP) provides secure encryption to protect sensitive data on laptops, PCs, or removable media.  The UIC license for PGP centers on PGP Whole Disk Encryption (PGP WDE), which securely encrypts the entire contents of laptops, desktops, external drives, or USB flash drives, including boot sectors, system files, and swap files.  After PGP Desktop is installed on a computer, PGP Whole Disk Encryption will automatically encrypt its hard drive.  After the hard disk is encrypted, the licensed user must log in to PGP before the computer loads the operating system.  Once the user has authenticated and the computer has booted, PGP's encryption is always on, automatically protecting data.

User Experience:

As a product suite, PGP Desktop and PGP encryption are mostly transparent to the user, depending upon usage.  Some users will not notice an appreciable difference in their experience; others will have to adopt new practices and learn new features.

The most immediate change users will notice is the PGP Bootguard screen, which they will encounter each time they boot their computer.  On Windows, the Bootguard login will take users directly to their Windows account, bypassing the Windows login screen.  On Mac OS, the Bootguard login takes users to the Mac OS login screen, where they will have to log in to their Mac OS account with their Mac login password.

Performance:

Because PGP encrypts and decrypts files as the user accesses them, performance is slightly affected.  Generally this is a three percent or less reduction in computer speed, which should be unnoticeable on newer computers.  Systems should be evaluated against PGP’s recommended system specs before PGP is installed.  Deleting files will be slightly slower as well, because the PGP Shredder component re-writes the space where the deleted files were stored.

 

PGP Components

PGP Whole Disk Encryption (PGP WDE):

You can use PGP WDE to lock down the contents of your system or an external or USB flash drive. Boot sectors, system files, and swap files are all encrypted. Whole disk encrypting your boot drive means you do not have to worry if your computer is lost or stolen: to access your data, an attacker would need your PGP WDE "passphrase", provided that the computer is not already booted.

PGP Zip:

Allows you to create an encrypted, compressed, portable archive from any combination of files and folders. PGP Desktop must be installed on a system to create or open a PGP Zip archive. You can use a PGP Zip archive to send data to other people securely or to back it up securely.  Users receiving the encrypted archive do not necessarily need PGP installed on their system depending upon the options you choose at the time you create the file.  Unlike Virtual Disks (below) there is no way to recover a PGP Zip passphrase if it is lost or forgotten.

PGP Virtual Disk:

Allows you to define part of a hard drive's space as an encrypted virtual disk volume that you mount with its own drive letter. When a PGP Virtual Disk is mounted (open), you can use it and the data in it like you would use any other drive. But when the volume is not mounted, all the data on the volume is protected.  Currently this is the best way to store data on external drives.  As opposed to PGP Zip archives, passphrases are fully recoverable.

PGP Shredder:

Completely destroys files and folders that you delete so that even file recovery software cannot recover them. When you delete a file using the Recycle Bin (on Windows systems) or Trash (on Mac OS X systems), it is not actually deleted; just the directory information pointing to it is deleted. PGP Shredder, however, immediately overwrites the file's data multiple times.

 

Questions to ask before you encrypt:

-          Is the computer a Mac or running Linux?  Proceed carefully.  Macs and Linux require special considerations and setup.

-          Does the computer have a RAID array?  RAID arrays require special considerations and setup.

-          Does the computer feature any non-standard disks, dynamic disks, etc.?  It’s likely these will not be supported.

-          Is the computer running multiple operating systems or set for dual boot?  Dual-boot systems require special considerations.

-          Does the computer meet minimum system requirements?  Windows 2000 (SP4) or greater is required.

-          Is my disk supported?  Refer to the table below.

 

Supported Disk Types:

-          Desktop or laptop disks, including solid-state drives (either partitions, or the entire disk).

Note: Beginning with version 10 of PGP Desktop, PGP Whole Disk Encryption is supported on Windows Server 2003 SP2, Windows Server 2008 SP1 & SP2, and Windows Server 2008 R2. PGP WDE supports internal system RAID-1 and RAID-5. Software RAID is not supported.

Unsupported Disk Types:

-          Server hardware using software RAID.

-          Dynamic disks.

-          Diskettes and CD-RW/DVD-RWs.

-          Music devices and digital cameras.

-          External disks.*

-          USB flash disks.*

Warning: Windows XP allows basic disks to be converted to dynamic disks, which support some features that basic disks do not. Never perform this conversion on the boot drive of a system that has already been protected using PGP Whole Disk Encryption. This conversion, from a basic-type disk to a dynamic one, renders the drive unusable.

* Currently the best way to store data on USB flash and external drives is to create a PGP Virtual Disk.

 

 

PGP Licensing:

Licenses are available free from the University of Illinois WebStore.  There are two required licenses:

-          Each computer requires "PGP Whole Disk Encryption License": It doesn't matter who buys the license, just so long as each computer has a license.

-          Each user requires "Universal Server License": Each person who will boot any computer that has PGP WDE installed must have a Universal Server License. This will authorize them to use the ACCC's Universal Server. One PGP Universal Server License will allow the person to boot any computer (any number of computers) on which he or she is enrolled with PGP.

The UIC NetID of the person who buys a PGP Universal Server License from the WebStore is automatically associated with that license. If the license should be associated with someone else, the purchaser should send email to encryption@uic.edu.

 

Pre-installation checkup and tune:

PGP Corporation recommends the following best practices for preparing to encrypt your disk with PGP WDE.  Please follow the recommendations below to protect your data during and after encryption.  Before you encrypt your disk, there are a few tasks you must perform to ensure successful initial encryption of the disk.

 

-          Back up the disk before you encrypt it.

o   Before you encrypt your disk, be sure to back it up so that you won’t lose any data if your laptop or computer is lost or stolen, or if you are unable to decrypt the disk.

-          Ensure the health of the disk before you encrypt.

o   Before you attempt to use PGP WDE, use a third-party scan disk utility that has the ability to perform a low-level integrity check and repair any inconsistencies with the drive that could lead to CRC errors. Third-party software such as SpinRite or Norton Disk Doctor can correct errors that would disrupt the encryption of the disk.  Windows’ CHKDSK (Check Disk) utility is not sufficient for this type of test.

-          Defragment hard drives

o   As a best practice, highly fragmented disks should be defragmented before you attempt to encrypt the disk.  WARNING: Third party disk defragmenters (such as Defraggler) should not be used on encrypted computers.

-          Create a recovery disk.

o   While the chances are extremely low that a master boot record could become corrupt on a boot disk or partition protected by PGP Whole Disk Encryption, it is possible. Before you encrypt a boot disk or partition using PGP Whole Disk Encryption, create a recovery disk.

-          Keep system powered.

o   Keep it on AC power.  Disable sleep and hibernate.

o   Be certain that you will have AC power for the duration of the encryption process.  Because encryption is a CPU-intensive process, encryption cannot begin on a laptop computer that is running on battery power.  Do not remove the power cord from the system before the encryption process is over.

-          Uninstall any third party disk defragmenters!

o   Uninstall Defraggler.  Defragment PGP encrypted drives with Windows defrag.
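
The machine-checkable items from "Questions to ask before you encrypt" and the pre-installation list above can be gathered with a read-only script. This is an added example, not PGP or UIC code: the function name Test-WdeReadiness is hypothetical, PowerShell 3.0 or later is assumed, and matching the WMI partition type string is a heuristic. Backups, the low-level disk scan, the recovery disk and dual-boot review remain manual steps.

```powershell
# Added example: read-only readiness check before starting PGP WDE encryption.
# Assumes PowerShell 3.0+; Test-WdeReadiness is a hypothetical helper name.
function Test-WdeReadiness {
    $findings = @()

    # Dynamic disks are unsupported. WMI labels their partitions with a
    # "Logical Disk Manager" type string (heuristic match).
    $dynamic = @(Get-CimInstance Win32_DiskPartition |
        Where-Object { $_.Type -match 'Logical Disk Manager' })
    if ($dynamic.Count -gt 0) {
        $findings += 'Dynamic disk partition(s): ' + ($dynamic.DeviceID -join ', ')
    }

    # A drive that already reports a fault needs the scan and repair step first.
    # An OK status does not replace the low-level integrity check.
    foreach ($disk in Get-CimInstance Win32_DiskDrive) {
        if ($disk.Status -ne 'OK') {
            $findings += "Disk '$($disk.Model)' reports status '$($disk.Status)'"
        }
    }

    # BatteryStatus 1 means the battery is discharging (not on AC power).
    # Desktops return no Win32_Battery instance and pass this check.
    $onBattery = Get-CimInstance Win32_Battery |
        Where-Object { $_.BatteryStatus -eq 1 }
    if ($onBattery) { $findings += 'Running on battery: connect AC power' }

    # Hibernate should be off for the duration of the initial encryption.
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
        -ErrorAction SilentlyContinue
    if ($power.HibernateEnabled -eq 1) {
        $findings += 'Hibernate is enabled: disable it while the disk encrypts'
    }

    # Third-party defragmenters such as Defraggler must be uninstalled.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $defrag = @(Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Defraggler' })
    if ($defrag.Count -gt 0) {
        $findings += 'Uninstall before encrypting: ' + ($defrag.DisplayName -join ', ')
    }

    $findings
}

$result = @(Test-WdeReadiness)
if ($result.Count -eq 0) { 'No blocking findings from the automated checks.' }
else { $result }
```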

 

Installing PGP

There are essentially three steps to the PGP installation process:

-          Purchase license(s) for each person and computer and download client

-          Install the client & reboot

-          Enroll with PGP server and begin hard drive encryption

 

Download and Install:

-          Download the PGP client from WebStore

-          Double click the install file.  This installs PGP Desktop.

-          When prompted, reboot the PC.

After the reboot, the user will log in to Windows as normal.

 

Enroll with PGP Server:

If the system is connected to the network, the user will then be prompted with the PGP Enrollment dialog.  At the "PGP Enrollment" dialog, the user will enter their ACCC NetID and common password.

 

The PGP Setup Assistant will then prompt for five customizable security questions (Windows only).  These questions will be used to grant access to the computer in the event you lose or forget your passphrase.  After you create all five questions, drive encryption begins automatically.

 

Encrypting Hard Drive:

Encryption may take as long as 12 to 24 hours. The computer may be usable during this time, depending on overall performance.  Encryption can be paused temporarily from the PGP Desktop client and will stop automatically if the computer is turned off.

 

Entering PGP passphrase:

Once the drive has finished encrypting, you will see the PGP passphrase screen the next time the system reboots.  On Windows computers, this screen replaces the Windows login screen.  You will always enter your ACCC common password if the computer is on Active Directory.  If the computer is not on AD, the system will first require your common password, but on subsequent restarts will require your local Windows password.  The passphrase will only ever be either your UIC common password or your local Windows password.

 

Living with encryption

A few guidelines to keep in mind for encrypted computers:

-          Systems are most secure when off or hibernating.  Laptops should have “sleep” mode turned off.

-          For systems accessed via Remote Desktop, be aware that if the system restarts, you will be unable to connect remotely to the system until a local user enters the PGP passphrase.  To avoid automatic restarts, it’s recommended that you disable Windows Automatic Updates.

-          Troubleshooting disk and OS errors usually requires disk decryption.