PGP WDE Administrator Key Usage - PGP Universal Server 3.0

Article:TECH149646  |  Created: 2009-11-25  |  Updated: 2011-02-05  |  Article URL http://www.symantec.com/docs/TECH149646
Article Type
Technical Solution


Issue




This article details PGP WDE Administrator Key usage.

The PGP WDE Administrator Key provides access for administrators to user's systems which are PGP Whole Disk Encrypted.

If you need to perform maintenance or other tasks on a user's system, the PGP Whole Disk Encryption administrator key allows an administrator to login without having to request the user's passphrase. Use the PGP Whole Disk Encryption administrator key to log in to a user's system at the PGP WDE BootGuard screen using two-factor authentication (with a smart card or token).


Solution




The benefits of using two-factor authentication to access a user's system are:

  • Each administrator has a unique token that allows access to systems encrypted with PGP Whole Disk Encryption.
  • Because both the smart card or token and a PIN are required to access the system, security is maintained if the smart card or token is lost or stolen.
  • If an administrator leaves the company, the PGP Universal Server administrator can change the key in PGP Universal Server for that group, and all clients are updated automatically. Clients are updated at PGP Desktop tray startup and every 24 hours.
Note: If you have systems that have been encrypted with PGP WDE, you do not need to re-encrypt those disks in order to add the PGP WDE Administrator key. The key will be pushed down to the clients during the next policy update.

To Create a PGP WDE Administrator Key

  1. Create a key using PGP Desktop. Do not specify a preferred keyserver for this key. If you do specify a keyserver on the key, you will need to upload and publish the key to the specified keyserver.
  2. Configure the key in a PGP Universal Server internal user group policy.

    Note: If you want all PGP Whole Disk Encryption installations to be accessible through the same key, upload the same key to all internal user groups. Refer to the WDE section of Configuring PGP Desktop Settings in the PGP Universal Server Administrator Guide for details on adding the key to an internal user group policy.

  3. Log into the PGP Universal Server administrative interface.
  4. Select Consumers > Consumer Policy then click the desired policy.
  5. Click the Desktop button next to PGP Desktop.
  6. Select the Disk Encryption tab and place a check mark in the box next to Encrypt Windows WDE disks and PGP Virtual Disks to a Disk Administrator Key.
  7. Click Import to add the public key for administrator key.
  8. Click Save.
  9. Copy the key to a smart card or token using PGP Desktop. The same key can be copied to multiple tokens. Each token should have its own unique PIN.

To Use a PGP WDE Administrator Key

  1. Start the system to be accessed.
  2. At the PGP BootGuard screen, insert the smart card or token containing the PGP WDE Administrator's Key and type in the PIN.
  3. Press Enter or CTRL+ENTER. The PGP BootGuard login is authenticated and the system begins to load Windows.
  4. At the Windows login dialog box, type your Windows administrator user name and password to access the system.


Legacy ID



1794


Article URL http://www.symantec.com/docs/TECH149646


Terms of use for this information are found in Legal Notices