Universal Server 3.2 MP3 WDE and Desktop 10.2 migration

Created: 14 Dec 2011 | 3 comments

Hi Folks,

After seeing another post about using SKM and a Symantec employee asking for more info to help out, I thought I'd share my upgrade queries...

I rolled out PGP US 2.10 and Desktop 9.10 a few years ago, without the proper testing and time being put into properly knowing what I was doing. This being the case... the only feature we use PGP US/Desktop for is WDE, no email/NetShare etc.

When we originally rolled it out we soon discovered it seemed to be geared towards a single device per user set-up, which is not what we have. We have quite a few "hot desk" departments where people log into whatever device they can (you can imagine the headache when they were all set up as single sign-on users and changed password every month, having issues with which password is synched to the "grey screen"). To get round this we set up shared passphrases so a whole department has the same passphrase; not ideal, but the only option we could find. We then found out about key reconstruction and set that up, so when other users who were normally on one device had a device rebuilt or moved device, we could get them to answer the questions rather than having to delete and start again.

So we have finally got some time and have decided to upgrade to US 3.2 and Desktop 10.2 and hopefully get SKM working with Local Self Recovery passwords, to hopefully avoid the daily use of WDRTs left, right and centre. All the waffle above sets the scene, hopefully, for the question... All our users are currently set up as GKM; if I amend the policy for users to use SKM instead, would they automatically switch (without having to re-enroll etc.)? After a couple of years I predict 0% of them would know/remember their private key password, and I'm a bit dubious of what effects it could have.

Also, has anyone else got a workaround for the shared passphrase option we use?

Thanks for anyone's time!

3 Comments

Sarah Mays:

Switching keymodes requires the end user to re-enter their PGP key passphrase. It might be easier to delete individuals from the Universal Server and have them re-enroll. Disks don't need to be decrypted to re-enroll users in PGP Desktop.

There's a new feature in PGP Universal Server 3.x that allows you to set up a "WDE Admin" account via policy, so whenever a user using this policy has a disk encrypted it automatically adds a WDE Admin passphrase user to the disk. You could use different consumer policies to accomplish this shared passphrase scenario, then have LDAP/AD sync each user to the appropriate consumer policy.

One thing to keep in mind is that since consumer policies determine which WDE Admin user gets created and updated, these are user policies and not machine policies. If you frequently administer these systems (or other PGP users from different groups log into the system) and you were using a different consumer policy with a different WDE Admin password, PGP will automagically update this password each time a PGP Desktop user logs on.

Julian_M:

When a user is enrolled and keys are created, he is prompted which key mode to use (according to the allowed key modes specified in the Universal policy).

So you will need to re-create keys and re-enroll the user to move to SKM.

WDE passwords are set when encrypting the disk, when added manually, or when the password is changed by the user. Please note that, if not using a smart card, keys are not needed to boot the system, just the passphrase.

I'm pretty sure you can set the environment to your needs, combining LDAP authentication, group policy, and LDAP user matching to policies.

When you consider the issue resolved, please click Mark As Solution on the post that best provided the solution.

Sarah Mays:

If only one keymode is selected in the consumer policy, PGP Desktop will automatically convert the user's key to the new keymode. For GKM to SKM, the end user will need to know their key passphrase to convert it to SKM.