Endpoint Encryption

One of the many requirements of PCI is that users should not share a login to any PC / software etc - they should all have their own login details.

We have PGP Desktop on one PC which is used daily to encrypt several files and send them to clients - however this role can be undertaken by any one person in a team of 3.

Currently we just have a single 'Admin' logon on the PC which all users use, and of course all of the clients keys, the settings etc are all set up under this one user.

When I log on with a different username, PGP still loads but it is a 'blank' version - ie no keys, the settings are standard etc.

Is there any way to use the current 'Admin' login as just that - an 'administration only' account where all the  - and have these settings 'pushed' to any user who logs on to this PC

Thanks

Mike

Any other user who starts using PGP will not have access to admin´s keys nor passphrases. So technically , any other user than admin can encrypt/decrypt files or emails.

Just make sure Administrators documents are not accesible for the rest of the users; keyrings are stored there.

Please tell me if you need anything else, otherwise mark this post as solution.

... and have copies of the public keyrings under their profile.

The best way to do this with moderate assurance is to use PGP Universal server to manage keys for these users in Guarded Key Mode - and while this can achieve this for you  there is no way to do this in standalone without setting the profiles up first.

If you need to use PGP Desktop in a multi user env without Universal Server you should consider the following(this is not exhaustive and can be added to quite a bit):

1. Let each user have their own Private Key protected by a strong passphrase - back this up - if these users share a private key* ensure each user has a copy protected by a different passphrase - protect the logs copying them out to another location using syslog agents to send to an external server!

2. Copy the correct public keyrings for each user;

3. Have each user set up with their own profile - even if the admin accesses their profile as long as their are no keyloggers and the machine isn't compromised and the users don't share the passphrase for each key should remain secure;

4. securley store and backup the private key(ideally keys);

5. Sign th eusers keys with the admin key and use this for trusting their keys externally;

6. You can use msconfig to disable PGP Desktop for all but these users - window dressing sure -  but if these users have a feeling that only they should access the app it will seem to be be more secure in thier minds- a lot of the security offered from a control comes from th emindset of those using it;

7. Have a cleary defined set of processes for doing things - i.e. always clear the cache on th eprivate key passphrase if away from the system.

So , long story short  - you must set up users in advance - you can share/copy public keyrings and this is fine, you can share private keys - but you really shouldn't.

So, hopefully some food for thought PCI likes you to have reasonably assured technical controls in place - but process can bridge the gap - after all we all have to trust something.

*This is usually a bad idea - but it happens - dealing with this in the most secure way with the least operational impact is the art - best bet is to put it on a smartcard and lock it in a safe controlled by someone else who doesn't have the PIN toi the smartcard.