File Share Encryption

  • 1.  Symantec Drive Encryption Best Practice

    Posted Sep 27, 2014 06:09 AM

    I plan to install Symantec Drive Encryption 10.3 (Previously PGP Whole Disk Encryption). What is the best practice for setting up the software?

    (1) I see in Article TECH202665 that Elcomsoft could read the encryption key if the hibernate file is not encrypted. Does this mean the Windows 7 operating system partition must be encrypted? If possible, I would like to avoid encrypting the Windows 7 system partition because that makes recovery difficult if the partition cannot boot up. My data is stored in a separate partition which will be encrypted.

    (2) Does Symantec Drive Encryption (SDE) 10.3 make use of the TPM module in the laptop? How to enable it to use TPM?

    (3) I read that using the SDE 10.3 recovery disk to decrypt the hard drive takes substantially longer because it is a 16-bit program. Is there a 32-bit recovery program to decrypt the hard drive?

    (4) What is the recommended hard drive cloning program for image copy of an encrypted hard drive? I plan to clone the hard drive for backup purpose.

    (5) I read that the single user license for SDE 10.3 includes one year essential support. Is this license perpetual even though I do not plan to renew the support after one year? Where can I renew the support service online?

    Thank you.




  • 2.  RE: Symantec Drive Encryption Best Practice

    Posted Sep 29, 2014 05:39 PM

    1)  If the system partition is not encrypted, it would be vulnerable to anything that a normal Windows installation would be vulnerable to.  That may include, but is not limited to, simply booting from a Linux Live disk, and copying the key data from your documents folder.  There are a multitude of methods to try to circumvent the Windows authentication.  

    That being said, there should not be a way to obtain the passphrase for the private key unless that passphrase is cached, and you can set the passphrase to only be cached for a limited time, or for your Windows session.  If you have a sufficiently hard-to-guess passphrase, it should still offer decent security even if the key data was compromised.

    You can also look at using a token or smart card for key storage.  If you store the private key on the token, then encrypt the drive to that keypair, you would need the token as well as the passphrase (or PIN) to unlock the partition.  Since the private key is on the token, it must be physically present to authenticate.
    List of compatible tokens: http://www.symantec.com/docs/TECH148839

    2)  We do not currently support TPM.  It was only offered for Windows XP on a limited number of systems, and has since been discontinued.

    3)  The standard drive encryption recovery iso will operate in 16-bit mode.  See the following for more information:
    http://www.symantec.com/docs/HOWTO92296

    Faster options include building a WinPE disk (http://www.symantec.com/docs/TECH200751) or slaving the drive to another system that also runs Symantec Encryption Desktop.

    4)  Imaging of an encrypted drive is not supported.  We recommend running incremental backups while Windows is running and the drive is unlocked, which should yield unencrypted backup data.  While it is unsupported, I have seen cases of backup solutions that have been successful if they can do a bit-by-bit copy and restore.  If you run into issues with the backup or restore process, however, Symantec will not be able to help.

    5)  The license is perpetual.  The support contract has to be renewed to either get help with the product for any reason, or obtain the latest maintenance packs/bug fixes.  Renewals can be handled here:
    http://www.symantec.com/products-solutions/licensing/renewals/
    or you can call Customer Care at 1-800-721-3934 and they can help get you pointed in the right direction.

    I hope this helps, and let me know if you have any additional questions.
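The first point of the reply above (keys, hibernation file and page file all sitting on an unencrypted system partition) is easy to audit before deciding whether to encrypt that partition. The PowerShell script below is an added example for this thread, not code from the thread or from Symantec, and it rests on assumptions the page does not state: that the HibernateEnabled registry value mirrors the powercfg hibernation setting, that the keyrings live in Documents\PGP as pubring.pkr and secring.skr (the default, unless changed in PGP Options), and that pgpwde.exe is the Drive Encryption command-line tool whose --enum switch lists instrumented disks (check HOWTO92296 for the current syntax). It reads state only and changes nothing.

```powershell
# Added example (not from the thread or Symantec). Audits what an attacker with
# a Linux live disk could reach on an UNencrypted Windows 7 system partition.
$systemDrive = $env:SystemDrive        # e.g. "C:"
$report = @{}

# 1. Hibernation: an unencrypted hiberfil.sys is a RAM image, which is the
#    exposure the question cites from TECH202665.
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$hib = Get-ItemProperty -Path $powerKey -Name HibernateEnabled -ErrorAction SilentlyContinue
$report['HibernateEnabled']      = ($hib -ne $null) -and ($hib.HibernateEnabled -eq 1)   # assumed value semantics
$report['HiberfilOnSystemDrive'] = Test-Path -LiteralPath "$systemDrive\hiberfil.sys"

# 2. Page file on the same unencrypted volume.
$report['PagefileOnSystemDrive'] = Test-Path -LiteralPath "$systemDrive\pagefile.sys"

# 3. Keyring files: the "key data from your documents folder" in reply 2.
$keyringDir = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'PGP'   # assumed default location
$secring    = Join-Path $keyringDir 'secring.skr'
$report['KeyringDir']            = $keyringDir
$report['SecringOnSystemDrive']  = (Test-Path -LiteralPath $secring) -and
    $keyringDir.StartsWith($systemDrive, [StringComparison]::OrdinalIgnoreCase)

# 4. Which disks Drive Encryption has instrumented (assumed CLI and install path).
$pgpwde = (Get-Command pgpwde.exe -ErrorAction SilentlyContinue | Select-Object -First 1).Path
if (-not $pgpwde) {
    $pf = ${env:ProgramFiles(x86)}
    if (-not $pf) { $pf = $env:ProgramFiles }
    $pgpwde = Join-Path $pf 'PGP Corporation\PGP Desktop\pgpwde.exe'   # assumed default path
}
if (Test-Path -LiteralPath $pgpwde) {
    $report['pgpwde --enum'] = (& $pgpwde --enum 2>&1) -join ' | '
} else {
    $report['pgpwde --enum'] = 'pgpwde.exe not found'
}

$report.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

If HiberfilOnSystemDrive comes back True and the system partition is going to stay unencrypted, the choices are to encrypt that partition after all or to turn hibernation off (powercfg /hibernate off removes hiberfil.sys); a True SecringOnSystemDrive means the private keyring is readable offline and is only as strong as its passphrase, which is exactly the case the reply describes.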



  • 3.  RE: Symantec Drive Encryption Best Practice

    Posted Sep 29, 2014 11:09 PM

    Thank you for your comments.

    The following are further queries on your reply.

    (1) I have Partition Wizard, which can image a live running disk after I log in to Windows 7. Will this image work, since I run it after I have logged in to Windows?

    (2) I could not find the renewal for Symantec Drive Encryption in the renewal website you provided.

    (3) Future upgrades of Symantec Drive Encryption. Let's say if there is a new version 10.5. Do I need to decrypt the hard drive and uninstall version 10.3 before installing the new version 10.5? If not, what is the procedure for upgrade?

    Thank you.




  • 4.  RE: Symantec Drive Encryption Best Practice

    Posted Sep 30, 2014 12:26 PM

    1)  I haven't seen the tool used on an encrypted drive, so it would most likely be a trial-and-error test.  If it uses volume shadow copy, it will probably not work.  If it is making a backup image with delta updates, it will also probably not work.  If it is doing a full file-based backup or cloning the drive bit-for-bit, it might work.

    I would also advise against using any of the partition tools that software has when you have an encrypted disk or partition.  Changing any partition information may damage the PGP information and access list for the drive/partition, resulting in data loss.

    2)  From the link I gave above, there is a Renewals phone number.  I believe to renew online, you must do so through your MySymantec account (if you have one), and it will redirect you there if you click "Licensing Portal" on the right.  You can also click FileConnect to enter your current serial number and see what downloads you currently have available.

    3)  Future upgrades are performed simply by installing the new version over the top of the old version.  There should be no need to decrypt.  As always, you should back up your keyring files and make sure you have backups of your data before an upgrade as a precaution.
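The keyring backup that point 3 recommends before an in-place upgrade is worth scripting so it is done the same way every time and the copy is verified. The function below is an added example for this thread, not code from the thread or from Symantec. It assumes the default keyring location (Documents\PGP) and file names (pubring.pkr, secring.skr); both paths are parameters, and the backup root should point at the encrypted data partition or removable media, since secring.skr is the private keyring. It uses .NET for SHA-256 rather than Get-FileHash so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread or Symantec): copy and verify the PGP
# keyring files before an upgrade. Paths below are assumed defaults.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally { $sha.Clear() }
}

function Backup-PgpKeyrings {
    param(
        [string]$KeyringDir = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'PGP'),  # assumed default
        [string]$BackupRoot = 'D:\PGP-backups'   # assumption: D: is the encrypted data partition
    )
    $files   = 'pubring.pkr', 'secring.skr'      # assumed default keyring file names
    $missing = $files | Where-Object { -not (Test-Path -LiteralPath (Join-Path $KeyringDir $_)) }
    if ($missing) { throw "Keyring file(s) not found in ${KeyringDir}: $($missing -join ', ')" }

    # One timestamped folder per run, so an older backup is never overwritten.
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    foreach ($f in $files) {
        $src = Join-Path $KeyringDir $f
        $dst = Join-Path $dest $f
        Copy-Item -LiteralPath $src -Destination $dst
        # Compare hashes so a short or corrupt copy is caught now, not after the upgrade.
        $srcHash = Get-Sha256Hex $src
        $dstHash = Get-Sha256Hex $dst
        if ($srcHash -ne $dstHash) { throw "Hash mismatch while copying $f to $dst" }
        New-Object PSObject -Property @{ File = $f; Backup = $dst; SHA256 = $dstHash }
    }
}

Backup-PgpKeyrings | Format-Table File, SHA256, Backup -AutoSize
```

Run it while logged in (the keyring files are ordinary files, so no unlocked-disk tricks are needed), keep the printed hashes with the backup, and restore by copying the two files back into the keyring folder with Symantec Encryption Desktop closed.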