Best Practices - PGP Whole Disk Encryption for Linux
Article: TECH149694 | Created: 2010-01-07 | Updated: 2011-06-30 | Article URL: http://www.symantec.com/docs/TECH149694
Beginning with PGP Desktop 10.0, PGP Whole Disk Encryption is supported on Linux. PGP Whole Disk Encryption for Linux locks down the entire contents of your Linux system using PGP Whole Disk Encryption (WDE) technology.
When you encrypt an entire disk using PGP Whole Disk Encryption for Linux, every sector is encrypted using a symmetric key. This covers everything on the disk, including operating system files, application files, data files, swap files, free space, and temp files.
Before encrypting your disk with PGP Whole Disk Encryption for Linux, there are some important things to do:
- Ensure the health of the hard disk.
- Choose the encryption options to use.
- Make sure to maintain power throughout encryption.
Ensure Disk Health
PGP Corporation deliberately takes a conservative stance when encrypting drives, to prevent loss of data. It is not uncommon to encounter Cyclic Redundancy Check (CRC) errors while encrypting a hard disk.
If PGP Whole Disk Encryption for Linux encounters a hard drive or partition with bad sectors, it will, by default, pause the encryption process. This pause allows you to remedy the problem before continuing with the encryption process, thus avoiding potential disk corruption and lost data.
To avoid disruption during encryption, PGP Corporation recommends that you start with a healthy disk by correcting any disk errors prior to encrypting.
As a best practice, before you attempt to encrypt your drive, use a third-party scan disk utility that has the ability to perform a low-level integrity check and repair any inconsistencies with the drive that could lead to CRC errors.
Choose Encryption Options
The following options are available during the encryption process:
- --dedicated-mode: Uses maximum computer power to encrypt faster; your system is less responsive during encryption.
- --fast-mode: Skips unused sectors, so encryption of the disk is faster.
- --safe-mode: Allows encryption to be resumed without loss of data if power is lost during encryption; encryption takes longer.
Maintain Power Throughout Encryption
Because encryption is a CPU-intensive process, encryption cannot begin on a laptop computer that is running on battery power. The computer must be on AC power. Do not remove the power cord from the system before the encryption process is over.
Regardless of the type of computer you are working with, your system must not lose power, or otherwise shut down unexpectedly, during the encryption process, unless you use the --safe-mode option. Even if you are using the --safe-mode option, it is still better not to lose power during the encryption process.
If loss of power during encryption is a possibility, or if you do not have an uninterruptible power supply for your computer, be sure to use the --safe-mode option.
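The power rules above can be checked with a short preflight script before encryption is started. This is an added example, not part of PGP Whole Disk Encryption or the original article; it assumes the Linux kernel's /sys/class/power_supply interface, and the function names and the PS_ROOT variable are hypothetical. A UPS is only detected when the kernel reports a supply of type UPS, which units managed from user space usually do not, so those systems are treated as having no UPS.

```shell
#!/bin/sh
# Added example: power preflight before starting disk encryption.
# Assumption: power supplies are exposed under /sys/class/power_supply;
# PS_ROOT can point at a constructed tree for testing.
PS_ROOT="${PS_ROOT:-/sys/class/power_supply}"

# Prints one of: on-battery | ac-with-ups | ac-no-ups
power_state() {
    root="${1:-$PS_ROOT}"
    ac_online=0; has_battery=0; has_ups=0
    for dev in "$root"/*; do
        [ -r "$dev/type" ] || continue          # also skips an unmatched glob
        kind=$(cat "$dev/type")
        case "$kind" in
            Mains|USB*)                          # USB covers USB-C chargers
                if [ "$(cat "$dev/online" 2>/dev/null)" = "1" ]; then ac_online=1; fi ;;
            Battery)
                # scope=Device is a peripheral battery (mouse, headset), not the system's
                if [ "$(cat "$dev/scope" 2>/dev/null)" != "Device" ]; then has_battery=1; fi ;;
            UPS)
                has_ups=1 ;;
        esac
    done
    if [ "$has_battery" = 1 ] && [ "$ac_online" = 0 ]; then
        echo on-battery
    elif [ "$has_ups" = 1 ]; then
        echo ac-with-ups
    else
        echo ac-no-ups                           # desktop or laptop on AC, no UPS seen
    fi
}

# Maps the state to the article's guidance; non-zero exit means "do not start".
recommend() {
    case "$(power_state "${1:-$PS_ROOT}")" in
        on-battery)  echo "refuse: connect AC power before encrypting"; return 1 ;;
        ac-with-ups) echo "ok: UPS present, --safe-mode optional" ;;
        *)           echo "ok: no UPS detected, use --safe-mode" ;;
    esac
}

if [ "${1:-}" = "--check" ]; then recommend; fi
```

Run it with `--check` to print the recommendation for the local machine; the exit status is non-zero when the system is on battery.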