Using Trusted Platform Module (TPM) Authentication with PGP WDE - PGP Desktop 9.x

Article:TECH149444  |  Created: 2009-05-29  |  Updated: 2012-09-25  |  Article URL http://www.symantec.com/docs/TECH149444
Article Type
Technical Solution

Issue

This article describes how to use TPM with PGP Desktop.

Solution

PGP Desktop supports using the Trusted Platform Module (TPM) as an additional authentication device for PGP Whole Disk Encryption (WDE), provided the TPM is present on the motherboard and enabled through the proper driver installation for your hardware. When use of the TPM is specified before encryption, the user can authenticate to the disk only on that particular machine; this locks the disk to the machine hardware and thus deters attacks such as hard disk theft.

Note: Using the TPM is supported in PGP Desktop 9.7 and later.

This feature works with passphrase users only and is compatible with the PGP WDE Single Sign-On feature.

PGP Whole Disk Encryption is compatible with TPM version 1.1 or 1.2.

Computers that support TPM and are compatible with PGP WDE include the following:

  • Hewlett-Packard Compaq nx6325 (Infineon TPM with HP BIOS)
  • Dell D630 (Broadcom TPM)
  • Lenovo ThinkPad T60 (Atmel TPM)
  • Fujitsu LifeBook T2010 (Infineon TPM with Phoenix BIOS)
  • Panasonic Toughbook T5, W5, or Y5 (Infineon TPM with Matsushita BIOS)

Your TPM vendor may implement security features that affect usage of the TPM. Please consult the documentation for your system for information.

Caution: If you clear your TPM by resetting it to factory settings, or if the system board containing the TPM is replaced, you will no longer be able to access your encrypted disk as the TPM user, because the credentials stored on the TPM are no longer accessible. Ensure that you have an alternate method of accessing your encrypted disk (see the following section, "Special considerations when using TPM").

Special considerations when using TPM

  • Before you encrypt your disk, be sure that you establish ownership of the TPM on your system, configure the TPM, and then reboot your system before starting the encryption process. When you take ownership, you set up a passphrase for the TPM (separate from PGP Desktop or Windows) that is used to edit the TPM. Establishing ownership allows you to configure and use products with the TPM.

  • Ensure that you have an alternate method of authenticating to your encrypted disk. If you are using PGP WDE in a PGP Universal Server-managed environment, you can use your Whole Disk Recovery Token (for more information, see Creating a Recovery Token (on page 177)). If you are using PGP WDE in a standalone environment, create a passphrase user as a backup, or create a passphrase user with a USB flash device for two-factor authentication.

To use TPM with PGP Whole Disk Encryption

  1. Open PGP Desktop, then select the PGP Disk control box.
  2. Click Encrypt Whole Disk or Partition.
  3. In the User Access section, select New Passphrase User. TPM authentication is available using a Windows Password (Single Sign-On) or as a Passphrase user.
  4. Select a user type and then click Next.
  5. Select the radio button next to Use TPM available with your hardware.
  6. Click Next and then enter a password or passphrase for your user.
  7. Click Next.
  8. After the user is created, click the Encrypt button.
  9. Click Yes to confirm.

Note: Authentication through a TPM chip is supported only on Windows XP and the supported hardware listed above. Additionally, the feature to encrypt to a TPM has been discontinued and will not be developed further. The option to encrypt to a TPM will be removed in a future release.

Legacy ID
1448