Best Practices: PGP Whole Disk Encryption for Windows (PGP WDE) - PGP Desktop 9

Article:TECH149216  |  Created: 2008-10-22  |  Updated: 2011-03-18  |  Article URL http://www.symantec.com/docs/TECH149216
Article Type
Technical Solution


Issue




This article details some of the best practices when performing PGP Whole Disk Encryption with PGP Desktop 9.x.



Solution




PGP Corporation recommends the following best practices for preparing to encrypt your disk with PGP WDE. Please follow the recommendations below to protect your data during and after encryption. Before you encrypt your disk, there are a few tasks you must perform to ensure successful initial encryption of the disk.

1. Determine whether your target disk is supported.
The PGP WDE feature protects desktop or laptop disks (either partitions or the entire disk), external disks, and USB flash disks. CD-RW/DVD-RWs and servers are not supported.

Supported Disk Types

  • Desktop or laptop disks (either partitions, or the entire disk).
  • External disks, excluding music devices and digital cameras.
  • USB flash disks.
Warning: Do not use PGP Whole Disk Encryption to encrypt server hardware. PGP WDE is not supported on Windows 2000 Server or Windows 2003 Server.


Unsupported Disk Types

  • Many types of server hardware, including RAID disk drives.
  • Dynamic disks.
  • Diskettes and CD-RW/DVD-RWs.

2. Back up the disk before you encrypt it.
Before you encrypt your disk, be sure to back it up so that you won't lose any data if your laptop or computer is lost or stolen, or if you are unable to decrypt the disk.

3. Ensure the health of the disk before you encrypt it.
It is not uncommon to encounter Cyclic Redundancy Check (CRC) errors while encrypting a hard disk. In stand-alone installations of PGP Desktop, if PGP WDE encounters a hard drive or partition with bad sectors, PGP WDE will, by default, pause the encryption process. This pause allows you to remedy the problem before continuing with the encryption process, thus avoiding potential disk corruption and lost data.

In PGP Universal Server managed environments, if PGP WDE encounters a hard drive or partition with bad sectors, PGP WDE will log an event in the server logs and continue disk encryption.

Before you attempt to use PGP WDE, use a third-party scan disk utility that has the ability to perform a low-level integrity check and repair any inconsistencies with the drive that could lead to CRC errors. Third-party software such as SpinRite or Norton Disk Doctor can correct errors that would disrupt the encryption of the disk.


Note: As a best practice, highly fragmented disks should be defragmented before you attempt to encrypt the disk.


4. Create a recovery disk.
While the chances are extremely low that a master boot record could become corrupt on a boot disk or partition protected by PGP Whole Disk Encryption, it is possible. Before you encrypt a boot disk or partition using PGP Whole Disk Encryption, create a recovery disk.

For more information on how to create a recovery disk for PGP WDE, see this article.

5. Be certain that you will have AC power for the duration of the encryption process.
Because encryption is a CPU-intensive process, it cannot begin on a laptop computer that is running on battery power.

Do not remove the power cord from the system before the encryption process is over. If loss of power during encryption is a possibility, or if you do not have an uninterruptible power supply for your computer, consider choosing the Power Failure Safety option.

6. Run a pilot test to ensure software compatibility.
As a good security practice, PGP Corporation recommends testing PGP WDE on a small group of computers to ensure that PGP WDE is not in conflict with any software on the computer before rolling it out to a large number of computers. This is particularly useful in environments that use a standardized Corporate Operating Environment (COE) image.

The following software is not compatible with PGP WDE:


  • Faronics Deep Freeze (any edition)
  • Utimaco Safeguard Easy 3.x
  • Absolute Software's CompuTrace laptop security and tracking product. PGP Whole Disk Encryption is compatible only with the BIOS configuration of CompuTrace. Using CompuTrace in MBR mode is not compatible.
  • Hard disk encryption products from GuardianEdge Technologies: Encryption Anywhere Hard Disk and Encryption Plus Hard Disk products, formerly known as PC Guardian products.

The following programs co-exist with PGP Whole Disk Encryption on the same system, but will block the PGP Whole Disk Encryption feature:


  • Safeboot Solo
  • SecureStar SCPP
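The checks in steps 1, 3, 5 and 6 above can be scripted as a pre-flight pass before encryption is started on a machine. The script below is an added example written for this article; it is not PGP Corporation's or Symantec's code and is not part of PGP Desktop. It assumes Windows PowerShell 2.0 or later on an elevated prompt, that the system drive is the target, and that the product name patterns (drawn from the two software lists above) match the DisplayName each vendor's installer writes to the Uninstall registry key; those patterns, the use of Win32_DiskPartition's "Logical Disk Manager" type string to spot dynamic disks, and the .NET PowerLineStatus check are assumptions, not behaviour the article documents. Steps 2 and 4 (backup and recovery disk) are deliberately left to the administrator.

```powershell
# Added pre-flight script for PGP WDE readiness checks (example, not PGP Corporation's code).
# Assumptions: Windows PowerShell 2.0+, elevated prompt, system drive is the target.
# Product name patterns are assumptions drawn from the article's lists; adjust them to the
# exact DisplayName used by each vendor's installer in your environment.

$IncompatiblePatterns = @(
    'Deep Freeze',            # Faronics Deep Freeze (any edition)
    'SafeGuard Easy',         # Utimaco Safeguard Easy 3.x
    'Computrace',             # Absolute CompuTrace (only the BIOS configuration is compatible)
    'Encryption Anywhere',    # GuardianEdge / PC Guardian hard disk products
    'Encryption Plus',
    'PC Guardian',
    'SafeBoot',               # Safeboot Solo blocks the WDE feature
    'SCPP'                    # SecureStar SCPP blocks the WDE feature
)

function New-Finding ($Check, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Get-InstalledProductNames {
    # Read the Uninstall keys (32- and 64-bit views) rather than Win32_Product,
    # which is slow and triggers MSI repair actions on every query.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { $_.DisplayName }
}

function Test-WdePreflight {
    param([string]$Drive = $env:SystemDrive)   # e.g. "C:"
    $findings = @()

    # Step 1: supported disk type. ProductType 1 = workstation (2 = DC, 3 = server);
    # a partition typed "Logical Disk Manager" indicates a dynamic disk (assumption).
    $os = Get-WmiObject Win32_OperatingSystem
    $findings += New-Finding 'Workstation OS' ($os.ProductType -eq 1) "ProductType=$($os.ProductType) ($($os.Caption))"

    $ldm = Get-WmiObject Win32_DiskPartition | Where-Object { $_.Type -match 'Logical Disk Manager|LDM' }
    $findings += New-Finding 'No dynamic disks' (-not $ldm) $(if ($ldm) { ($ldm | ForEach-Object { $_.Name }) -join ', ' } else { 'Only basic partitions found' })

    # Step 3: disk health. WMI reports the drive's SMART-derived Status, and chkdsk
    # without /F performs a read-only check (exit code 0 = no errors). A clean result
    # here does not replace the low-level surface scan the article recommends.
    $drives = Get-WmiObject Win32_DiskDrive
    $bad = $drives | Where-Object { $_.Status -ne 'OK' }
    $findings += New-Finding 'Disk status OK' (-not $bad) (($drives | ForEach-Object { "$($_.Model): $($_.Status)" }) -join '; ')

    $null = & chkdsk.exe $Drive 2>&1
    $findings += New-Finding 'chkdsk read-only clean' ($LASTEXITCODE -eq 0) "chkdsk $Drive exit code $LASTEXITCODE"

    # Step 5: AC power. Encryption will not start on battery and must not lose power.
    # Desktops without a battery report Online.
    Add-Type -AssemblyName System.Windows.Forms
    $line = [System.Windows.Forms.SystemInformation]::PowerStatus.PowerLineStatus
    $findings += New-Finding 'On AC power' ($line -eq 'Online') "PowerLineStatus=$line"

    # Step 6: software compatibility. Flag any product from the article's two lists.
    $installed = Get-InstalledProductNames
    $hits = foreach ($p in $IncompatiblePatterns) { $installed | Where-Object { $_ -match [regex]::Escape($p) } }
    $findings += New-Finding 'No incompatible software' (-not $hits) $(if ($hits) { $hits -join ', ' } else { 'None of the listed products found' })

    $findings
}

$results = Test-WdePreflight
$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more pre-flight checks failed; resolve them before starting PGP WDE encryption.'
}
```

Run it on each pilot machine (step 6) before the rollout image is finalised; a failing 'Workstation OS' or 'No dynamic disks' row means the target is outside the supported disk types in step 1, and a failing 'chkdsk read-only clean' or 'Disk status OK' row is the cue to run the third-party repair tools from step 3 before encryption is attempted.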

7. Perform Disk Recovery on Decrypted Disks.
Where possible, as a best practice, if you need to perform any disk recovery activities on a disk protected with PGP Whole Disk Encryption (WDE), PGP Corporation recommends that you first decrypt the disk. Do this by selecting Disk > Decrypt in PGP Whole Disk Encryption, by using your prepared PGP WDE Recovery Disk, or by connecting the hard disk via a USB cable to a second system and decrypting it from that system's PGP Whole Disk Encryption software. Once the disk is decrypted, proceed with your recovery activities.




Legacy ID: 1068