
PGP Universal server authentication

Created: 24 Jan 2013 • Updated: 29 Jan 2013 | 3 comments

Why is there no AD integration with the PGP Universal Server administrator authentication? This goes back to my rant in a previous post regarding having only one Disk Administrative passphrase for PGP WDE. We have many administrators worldwide as well as regional help desk personnel; do we now have to change passphrases every time an admin leaves the company? This becomes a management nightmare.

Is there anything Symantec is doing to code a change so that we can start using AD accounts instead of one hard coded passphrase?


Alex_CST:

The hardcoded passphrase will remain as far as I can see; it's your skeleton key to all machines.

There is an AD group, WDE-ADMIN, in which you can place help desk personnel, and it will bypass the BootGuard. Will this not work?

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

3L3M3NT:

Thanks for responding, Alex.

The bypass command works well within Windows. I'm more concerned about the recovery of the data when a hard drive goes kaput. We use a Bart-PE type boot disk that has the PGP WDE recovery utility files built into it. When I use the pgpwde --disk 0 --auth -p (passphrase) command, I can only use the PGP WDE user's account passphrase or the built-in skeleton key passphrase. I was hoping that there would be a WDE-ADMIN group key built in so that we could use the accounts and passphrases of all the Administrator / Help Desk people in that AD group in order to manage WDE offline. This is not working, and I'm sure there is no design for this yet. It would be nice to have.

There is also a bug with PGP WDE. When I log in to the Windows system with an account that is not on the PGP WDE encryption policy, then reboot the machine and continue to boot to the PGP WDE recovery CD, I can no longer unlock the drive using the built-in skeleton key or the original PGP user's key. The funny thing is that when I use the pgpwde --list-user --disk 0 --aa command, it lists the ADK, the PGP user and the PGP administrator account. Nothing works until I reboot, boot up to Windows with the PGP user's credentials and then reboot again and continue booting to the recovery CD. Only then can I unlock the drive with all built-in accounts. This might be a major recovery issue down the road because not all admins using this bypass command will be on the PGP WDE policy, only in the WDE-ADMIN AD group. Any chance of fixing this problem? Can someone else test this and see if they have the same issue? I'm using the 10.3 version. Had the same issue on 10.2.1 as well. Thanks

Alex_CST:

I guess that is feasible; I don't see why that isn't doable in future releases, as it isn't a feature now. There is an "Ideas" section on these forums where you add feature requests for future releases, and if it's deemed a good and plausible function, it would get added. Perhaps a WDE-RECOVERY AD group that you add your required personnel into in the event of requiring access in an offline scenario.

Security Ideas Group: https://www-secure.symantec.com/connect/security/ideas

There are of course lots of security concerns behind this, and it would have to be fully logged and documented as soon as that machine gains access to the PGP Universal Server again; otherwise it would be a very big security hole if it doesn't get logged.

As for this bug, wait until a Tech Support person looks at this thread; they will be able to investigate the bug and report it if it's reproducible in their environments.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

SOLUTION