
What certificate is used for PGP Desktop disk encryption

Created: 10 Oct 2012 • Updated: 11 Oct 2012 | 5 comments
This issue has been solved. See solution.

In PGP Desktop 10.1, I have the ability to import keys, and view keys, under the "PGP Keys" area of the interface. However, I am trying to view the key that is in use for the whole disk encryption. I don't think it's related to the keys that are showing under "PGP Keys", as those were imported from Windows certificates during installation. Does anyone know how to view the properties of the key that has encrypted the disk? Please help.

5 Comments

Tom Mc:

If this is a boot disk, you cannot do the WDE encryption to a public key unless you have it on a smart card/token. You have probably encrypted the disk to a passphrase instead of to a public key. If this is the case, the symmetric key is not saved to your disk, but is instead produced by hashing your passphrase when you enter it. It is then stored in protected memory to prevent it from being captured.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


SOLUTION
stevec883:

Thanks Tom, that is helpful, and that makes sense, since there are no keys installed on some of the laptops that we're encrypting. So, how do I get key information (for my documentation), things such as key size, algorithm, key type, etc.? It must be taking my passphrase that I enter (like you said) and generating keys with default settings of some sort(?)

Tom Mc:

By default, the WDE encryption is to a 256 bit AES symmetric encryption key. If you are in a PGP Universal managed setting, you have the option of changing the key type and size, but unless you do so, it will use 256 bit AES.


stevec883:

Thanks again Tom. If the same passphrase is used then, for each laptop, would the key created be identical on each machine? Also, was this in the documentation for PGP Desktop?

Tom Mc:

This has sometimes been in the User's Guide. I'm not sure if it is still there. This Knowledge Base Article covers the default WDE algorithm.

The hashing of a passphrase to produce a symmetric key is how secure symmetric encryption is done and is standard practice. There may be some discussion of this in the User's Guide.

PGP, as is the general practice, actually encrypts all data symmetrically. Hashing the passphrase to produce the symmetric key for access is done when the public key is not being used. When you are using public key encryption, the data is encrypted to a randomly generated symmetric key (still defaulting to 256 bit AES), and this key is then encrypted to your public key. Encrypting the actual data symmetrically is much faster than asymmetric encryption (which public key encryption uses).

I believe that the same symmetric key would be generated and used for each machine for the same passphrase. This would be consistent with symmetrically encrypting a file and the file then being able to be decrypted on another machine with use of the passphrase, which you can test and find to be true.

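The thread above describes a passphrase being stretched into a 256-bit symmetric key that is never written to disk, and asks whether the same passphrase yields the same key on every machine. The following is an added illustration written for this page, not PGP Desktop's code, and it does not claim to reproduce how PGP WDE derives or verifies its key. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the 16-byte salt, the iteration count, the `wde-verifier` tag and the `DiskHeader` layout are all assumptions made for the example. It shows that the derivation is deterministic for a fixed passphrase and salt, that only a verifier (not the key) needs to be stored to check a passphrase, and that a per-disk salt makes the derived key differ between disks even when the passphrase is identical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

KEY_LEN = 32          # 256-bit key, matching the AES-256 default stated in the thread
ITERATIONS = 200_000  # assumed PBKDF2 work factor (not a PGP value)
VERIFIER_TAG = b"wde-verifier"  # assumed constant used only to check a passphrase


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a passphrase into a 256-bit symmetric key.

    The key is a pure function of (passphrase, salt, iterations): the same
    inputs always give the same key, which is why it never has to be stored.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


@dataclass(frozen=True)
class DiskHeader:
    """What could be stored unencrypted on the disk (constructed layout).

    Note that the symmetric key itself is absent; only a salt, the work
    factor and an HMAC-based verifier are kept.
    """
    salt: bytes
    iterations: int
    verifier: bytes


def _verifier_for(key: bytes) -> bytes:
    # An HMAC over a fixed tag lets us confirm a passphrase without
    # revealing or storing the key material.
    return hmac.new(key, VERIFIER_TAG, "sha256").digest()


def enroll(passphrase: str, salt: Optional[bytes] = None) -> Tuple[DiskHeader, bytes]:
    """Set up a new disk: pick a salt, derive the key, record only a verifier."""
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(passphrase, salt)
    header = DiskHeader(salt=salt, iterations=ITERATIONS, verifier=_verifier_for(key))
    return header, key


def unlock(header: DiskHeader, passphrase: str) -> Optional[bytes]:
    """Re-derive the key at boot; return it only if the passphrase checks out."""
    key = derive_key(passphrase, header.salt, header.iterations)
    if not hmac.compare_digest(_verifier_for(key), header.verifier):
        return None  # wrong passphrase: no key is released
    return key


if __name__ == "__main__":
    # Constructed demo values: two disks enrolled with the same passphrase.
    hdr_a, key_a = enroll("correct horse battery staple")
    hdr_b, key_b = enroll("correct horse battery staple")
    print("key length (bits):", len(key_a) * 8)
    print("same passphrase, different per-disk salt, keys equal:", key_a == key_b)
    print("unlock with right passphrase:", unlock(hdr_a, "correct horse battery staple") == key_a)
    print("unlock with wrong passphrase:", unlock(hdr_a, "wrong passphrase"))
```

If two machines share both the passphrase and the salt (for instance, a product that derives the key with a fixed or absent salt), `derive_key` returns byte-identical keys on both, which is the behaviour the thread describes. With a fresh random salt per disk the keys differ, so recovering one disk's key does not hand over another's; the page does not state which of these PGP WDE does, so check the product documentation before relying on either assumption.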