File Share Encryption

  • 1.  Which Key mode should I use

    Posted Oct 01, 2011 01:06 PM

    I am using Universal Server 3.2. All I will be using is PGP Desktop Whole Disk Encryption - nothing else.

    This will be in a Windows 2008r2 Domain.

    I have about 300 laptops to encrypt. I am using LDAP for authentication, but about 20% of the time the laptops will be used off site (out of the Domain).

    Which Key mode would be best to use?

    Any special steps or configurations I should use since 20% of the time the laptops will not connect to the Server? The users will be logging in locally to the computer instead of the Domain.

    Also, can I disable the Web Messenger Service?



  • 2.  RE: Which Key mode should I use
    Best Answer

    Posted Oct 01, 2011 02:14 PM

    I would think you want to use either of these (unless you are in a location where SCKM is required):

    Client Key Mode (CKM): Keys are generated on and managed by the computer on which you are running PGP Desktop; private keys are not shared with the PGP Universal Server. All cryptographic operations (encrypt, decrypt, sign, verify) are also handled by the computer on which you are running PGP Desktop. On Windows systems, this key mode is compatible with smart cards.

    Guarded Key Mode (GKM): Very similar to CKM, except that an encrypted copy of the private key is stored on the PGP Universal Server, which you can access if you change computers. As the key is encrypted, the PGP Universal administrator cannot access this private key, only you can. This key mode is compatible with smart cards (on Windows systems only) as long as the key is not generated directly on the smart card; that is, as long as the key is copied to the smart card.

    It doesn't sound like you need to use the Web Messenger Service.



  • 3.  RE: Which Key mode should I use

    Posted Oct 04, 2011 09:38 AM

    Hi. I more or less always recommend the GKM mode as Tom pasted the info about. Why?

    Due to the "sloppiness" of SKM/SCKM regarding security, and the limitations of CKM.

    The combination:

    GKM and Key Reconstruction. Make sure to allow WDRT.



  • 4.  RE: Which Key mode should I use

    Posted Oct 05, 2011 10:58 AM

    Sloppiness of SKM? (I'm thinking of switching from GKM to SKM because of the extra end user confusion regarding WDE passphrase and Key passphrase; SKM supports NetShare now, so that got rid of my reason why I used GKM.)

    I would think in a WDE only environment that SKM would be preferred over GKM; generally in a WDE only environment users will never use their PGP key. It's an unneeded component and confusing to the end user.



  • 5.  RE: Which Key mode should I use

    Posted Oct 07, 2011 02:52 PM

    I would have to agree with Sarah Mays. Many SKM issues have been resolved in our latest releases of the product (including NetShare support). It does make things less complex for the end user to use an SKM key where the passphrase is managed by the server, so that the user isn't confused between a PGP WDE passphrase and the PGP key passphrase. In WDE only environments, it oftentimes makes sense to use SKM now (if you have a PGP Universal Server to manage those clients). The only thing that might come to mind as considered "sloppiness" is that if you export the SKM key from a PGP Universal Server (because it uses a random passphrase) you will have no way of figuring out what that passphrase is when prompted for it (if you import it) on PGP Desktop. But as long as the client is always managed by the PGP Universal Server and is updating policy and managed by the server, then there is NO NEED to know the passphrase.



  • 6.  RE: Which Key mode should I use

    Posted Oct 11, 2011 06:45 AM

    I cannot see how "Many SKM issues have been resolved in our latest release..." can be connected to the different setups for the different key-modes.

    There is _no_ limitation that a SSO scenario could not take place with a GKM key, thus enabling the user to stop having to remember different passphrases, or even a passphrase at all.

    I am sorry, but it does not make more sense to use a SKM in any kind of scenario except when a Universal is a centralized machine within the mailflow and is the _only_ point that should have the rights to execute actions as the user - even if PGP started to add support that is morphing the SKM into something else.

    When I say security, I mean actions that can be performed by someone else in this case. A CKM environment has its flaws when it comes to recovery - or not a network-saved profile, therefore a GKM setup is a better choice - we still don't save enough data that _we_ can take actions that the user him/herself only should be able to perform.

    And like I just said Ben - there's no need to know the passphrase even for a GKM setup.



  • 7.  RE: Which Key mode should I use

    Posted Oct 12, 2011 01:08 PM

    I am sorry; while I agree with you that GKM key mode is the way to go in most scenarios, I am going to have to correct you on a few points, because I believe that you may be misinformed.

    1)

    "I cannot see how 'Many SKM issues have been resolved in our latest release...' can be connected to the different setups for the different key-modes."

    The answer is simple: we don't recommend key modes that have known issues/bugs based on your setup. Since there have been several critical bugs having to do with using SKM mode related to WDE and messaging that are now fixed post-3.1.x releases, I would be more likely to recommend it as a technician. If there are bugs, I don't recommend it :)

    2)

    "And like I just said Ben - there's no need to know the passphrase even for a GKM setup."

    This is misinformation: a GKM key ALWAYS requires a passphrase. Even if that passphrase is "" (or blank), there is still a passphrase. Even when a managed environment has silent enrollment enabled on your PGP Universal Server, you are still creating a PGP key with a passphrase assigned to it. It uses the same password that you used to enroll on LDAP with. The rare, but very likely event to happen at this point is that the user never accesses said GKM mode PGP Key in their PGP Desktop for several years, until they do something that requires a PGP passphrase, such as opening an encrypted email message, or inserting a smart card, or re-enrolling the client. That user no longer remembers their passphrase, since it was generated back when they had that LDAP/AD password over a year ago and they no longer remember that password.

    Not only that, but as soon as you change your Windows/AD passphrase through Ctrl-Alt-Del, that updates your SSO password on the disk. But it DOES NOT update your GKM key passphrase. This causes TONS of confusion for end users as to which passphrase they are using (depending on whether they are putting in their GKM key passphrase or their SSO passphrase).

    -------------------

    As such, I ALWAYS recommend using SKM key mode for customers who are doing WDE ONLY (no need for the PGP Universal Server to be in the direct mailflow at that point) and since even with SKM mode you still have a key stored in your keypair it doesn't necessarily need to be DIRECTLY connected to the PGP Universal Server 24/7.

    I'm also not sure what you mean by the PGP Universal Server being the "only point to execute actions as the user". I think that you might be confused on what SKM mode does, because it's only the passphrase and the key actions that are managed by the server. You technically don't need any PGP Key for WDE (it is controlled through user records on the disk). But prior to 10.2, any time you enrolled with PGP Desktop, by design, it automatically created a PGP key, which is why I have recommended using SKM mode on the server (fewer passphrases to remember).

    I hope that this all makes sense and clears things up a bit. But let it be said, if you are post 3.2/10.2 release on PGP Universal Server and PGP Desktop and you are using WDE ONLY, you don't even need to create a PGP key anymore. At which point GKM, SKM, CKM, and SCKM are no longer something for the administrator to worry about for WDE only.



  • 8.  RE: Which Key mode should I use

    Posted Oct 13, 2011 03:56 AM

    Thanks for the clarification Ben, I also see my malformed response now regarding not needing to know the passphrase (regarding #2).

    Regarding bugs with SKM, I'm not sure I follow, do you mean that the keymode was supposed to support all the additional actions that the keymode was not able to perform?

    Regarding 'I think that you might be confused on what SKM mode does', I think we missed each other there - I'm not only talking about WDE now. What I am referring to is granting the Universal actions to perform encrypt/decrypt/sign with the SKM (Admin-guide, page 61). The rest I agree with.
    Sorry for any confusion due to my first response :).



  • 9.  RE: Which Key mode should I use

    Posted Oct 14, 2011 10:22 AM

    Very good, I can agree with you that in a non-WDE only environment SKM mode may not always be the best fit. I thought that the forum thread was about using WDE only though. That is why I was recommending it. But as I stated previously, it is probably less of an issue now with PGP Desktop 10.2 and Universal Server 3.2 since it doesn't require the user to create a key when they enroll, as it is not needed for WDE.

    As far as bugs for SKM key mode: yes, some have caused you not to be able to use all the functions that are available with SKM key mode. I have also seen problems with Lotus Notes and not being able to encrypt emails in SKM mode because it failed to use the signing key of the SKM keypair for that user. There was another bug where user IDs on the server SKM key were replaced with client key user IDs. Also, new user IDs were not saved to the SKM key. I could provide more examples, but I think that you get the idea. In the 3.0 and 3.1.1 or 3.1.2 releases we had these problems, but since 3.1.2 SP1 those issues have been resolved. I hope that clarifies things.