
Best practice for PGP WDE policies.

Created: 12 Mar 2014 • Updated: 31 Mar 2014 | 11 comments
This issue has been solved. See solution.

Hi,

I have to give a demo of Symantec PGP Universal Server for Whole Disk Encryption to my client, so can anyone help me with the policies part, i.e. how I can implement the best policies to do the POC successfully?



dcats

Hi Rupinder_Sran,

I believe this article will be useful and will give you some guidance: https://www-secure.symantec.com/connect/articles/h...
Please note that it contains only references about data access/recovery.

There are other aspects you need to consider like permissions to encrypt/decrypt, single sign-on (SSO), etc.

HTH,
dcats

R_Sran

Hi Dcats,

It is a nice article, but I need an article on the policies configuration part, so if you have any then please share.

Reg,

Rupinder

Alex_CST

There are no articles on "How to deliver a POC", but when I do demos to clients I demonstrate the following:

  • SSO sign-on.
  • Adding/removing users
  • Displaying rights a user can have (unable to encrypt or decrypt)
  • Bootguard authentication including self recovery and WDRT
  • Disk Administrator passphrase

Coupled with a quick overview of the WDE section of the Universal Server and demo complete.

You obviously need to know the product well in order to deliver a POC :)

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

R_Sran

Yeah, you are right, but I am aware of the product, though only Universal Server version 3.2, and I am looking for some more tips so that I can make the POC better.

R_Sran

Hey, I have one query.

Suppose there are two users, A and B, using the same machine and enrolled on it. The machine is encrypted.

Is user A able to access the personal files of user B that are stored on the C: or D: drive of the machine?

Aeschylus

Hello,

Once the user has already logged in on the machine, the machine is already decrypted. Accessing the personal files of the other user is possible if he/she has authority on the files/folder. WDE only encrypts the disk, not the files.

Best Regards,

Aeschylus

On the POC part of the WDE, here are some scenarios I've been doing when I'm conducting a POC:

  • Whole disk encryption process
  • Client configuration and installation
  • Encryption Administration
  • User Enrolment
  • Single Sign On
  • Bootguard logon
  • Creating test policies for different scenarios
  • Creation of users with limited privileges
  • Using WDRT

Best Regards,

R_Sran

Aeschylus

Thanks for giving some points for the POC. And if a user wants to encrypt his files so that another user won't be able to access them, would he have to use the Virtual Disk feature for doing that, or is there some other option available?

Reg,

Rupinder

Aeschylus

Hello,

Most probably your best option is Virtual Disk. It is a perfect place for storing your sensitive files, as it uses part of your hard drive space as an encrypted virtual disk volume with its own drive letter.

You can also check the Symantec white paper on Drive Encryption for Windows as your reference.

http://www.google.com.ph/url?sa=t&rct=j&q=&esrc=s&...

Best Regards,

Alex_CST

Either virtual disk or just encrypting files/folders the normal way will both work.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

SOLUTION
Mike Ankeny

Best security practices dictate that if you want sensitive data to only be accessible to one user, that user should not be sharing his system with other users.

That being said, if it is a standalone installation on a non-enterprise-managed system, protection of specific files between two local admin users on a shared system will only be as strong as the passphrase selected for the PGP encryption key or PGP virtual disk.

If the system is managed, permissions should be assigned to prevent each user from accessing the other user's files, even if PGP Virtual Disk is still used. 

The sensitive documents could also be stored on a PGP Virtual Disk on a removable device.  If there is no other way around sharing the system, that would be my recommendation.
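A concrete way to carry out the permissions step described above on a managed Windows system, as an added example that is not part of this thread and not Symantec's own tooling: a PowerShell function that stops ACL inheritance on a folder, discards the inherited entries (such as the default read access for BUILTIN\Users), and grants access only to the owning user, SYSTEM and Administrators. The folder path and the account name used at the bottom are assumptions; adjust them for the machine you demo on.

```powershell
# Added example (not from the thread or from Symantec). Restricts a folder to
# one user with NTFS ACLs, then prints the resulting access list for review.
function Protect-PrivateFolder {
    param(
        [Parameter(Mandatory)] [string] $Path,      # folder to lock down
        [Parameter(Mandatory)] [string] $Principal  # e.g. 'MACHINE\UserB' or 'DOMAIN\UserB'
    )

    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    $acl = Get-Acl -Path $Path

    # Protect the DACL from inheritance and do NOT keep copies of the inherited
    # entries; after this, only entries we add explicitly remain.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit entries that were already present.
    foreach ($existing in @($acl.Access)) {
        if (-not $existing.IsInherited) { $acl.RemoveAccessRule($existing) | Out-Null }
    }

    # Apply to this folder, subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    foreach ($who in @($Principal, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $who, 'FullControl', $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }

    Set-Acl -Path $Path -AclObject $acl

    # Verification: the output should list exactly the three principals above,
    # all with IsInherited = False. Anything else means the lockdown failed.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType |
        Format-Table -AutoSize
}

# Assumed values for the demo machine: a local account 'UserB' and a folder under C:\Data.
Protect-PrivateFolder -Path 'C:\Data\UserB-Private' -Principal "$env:COMPUTERNAME\UserB"
```

Run it from an elevated prompt. After it completes, sign in as the other user and confirm that opening the folder is denied. This is the check that matches the post's point that WDE protects the disk at rest, not files between logged-in users. Note the limit the post also states: if both users are local administrators, the other administrator can take ownership (takeown or icacls /setowner) and rewrite the ACL, so in that case the only protection left is the passphrase on the PGP key or PGP Virtual Disk.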