Endpoint Encryption

  • 1.  Problems with authentication when trying to automate PGP Command Line tasks

    Posted Jun 15, 2016 10:27 AM

    I have a number of projects that I am working on that require me to automate some encryption but I'm having a considerable amount of difficulty getting it working correctly. 

    I have a service account set up with a keychain with all the keys I need. 

    The desire is
    SSIS or other package on a remote server A needs to remotely launch the following command
    pgp.exe --decrypt "\\Remote Server B\*.asc" --passphrase "mypass" --output "\\RemoteServerC"

    The problem I'm running into here is with authentication. The authentication seems to be breaking between all of the servers when I try to run the command. If I run the same command from the PGP server itself while logged into that account it will run just fine; it only fails to authenticate to the remote servers when I try to run it from a server other than PGP.

    I have gotten around this by writing PowerShell scripts that are located on the PGP server and launching them, but this is not a sustainable approach. Also, I really don't like having my password in cleartext. That means I have to provide passwords to my developers. I could set it up as an env variable, but PGP will only accept the one variable and I'm going to have multiple passphrases being used for multiple keys on this server.

    Is anyone doing anything like this that can give me some pointers on what I can do?




  • 2.  RE: Problems with authentication when trying to automate PGP Command Line tasks

    Posted Jun 15, 2016 10:51 AM

    The most common permissions issue comes from the keyrings being in the user's My Documents directory.  You should set the PGP Home directory outside of the user profiles:
    https://support.symantec.com/en_US/article.TECH149020.html




  • 3.  RE: Problems with authentication when trying to automate PGP Command Line tasks

    Posted Jun 15, 2016 11:00 AM

    Forgot to mention, I'm using PowerShell for these tasks.

    The full PowerShell command run from a remote computer would be:

    Invoke-command -ComputerName PGPSERVER  -Credential $mycredential -ScriptBlock {Invoke-Expression "c:\windows\system32\cmd.exe /c pgp.exe --decrypt '\\Remote Server B\*.asc' --passphrase 'mypass' --output '\\RemoteServerC' -overwrite -remove"}




  • 4.  RE: Problems with authentication when trying to automate PGP Command Line tasks

    Posted Jun 15, 2016 11:05 AM

    Mike, I've got tasks currently running in production using this account/keyring. Other than the required reboot, will there be any issues with my current scripts by moving the keyring?




  • 5.  RE: Problems with authentication when trying to automate PGP Command Line tasks

    Posted Jun 22, 2016 02:10 PM

    I implemented this change this weekend but it didn't solve the issue.
    The issue I am having is a Kerberos double-hop authentication issue.

    I am trying to Invoke-Command but the auth isn't passing. I can open the keyring just fine, I just can't use the credentials to pass it through to the next path further along.
    This isn't really a PGP problem as much as it is a PowerShell/Kerberos problem.

    I was hoping someone here might have some experience in automating PGP tasks across a domain.
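One way to sidestep both problems raised in this thread (the double hop and the cleartext passphrase), as an added example that is not code from the thread or from PGP Command Line: run pgp.exe on the PGP server itself under the service account (a scheduled task or SSIS job on server A only triggers it, so the service account makes a single hop to servers B and C), keep one DPAPI-protected passphrase file per key, and hand the passphrase to pgp.exe through the environment for that single call rather than on the command line. The variable name PGP_PASSPHRASE, the pgp.exe location, the secrets directory and all UNC paths are assumptions, not taken from the thread.

```powershell
# Added example; not from the original thread or the PGP product.
# Assumptions: PGP Command Line reads the passphrase from PGP_PASSPHRASE (the thread
# mentions "the one variable" but does not name it); pgp.exe is on PATH; paths are placeholders.

# One-time setup, run interactively AS the service account on the PGP server.
# ConvertFrom-SecureString with no key uses DPAPI, so the blob is bound to that
# user and machine; developers who can read the file still cannot recover the passphrase.
function Save-PgpPassphrase {
    param([Parameter(Mandatory)][string]$KeyId,
          [string]$Store = 'C:\PGPAutomation\secrets')   # assumed location
    New-Item -ItemType Directory -Force -Path $Store | Out-Null
    $cred = Get-Credential -UserName $KeyId -Message "Passphrase for key $KeyId"
    $cred.Password | ConvertFrom-SecureString |
        Set-Content -Path (Join-Path $Store "$KeyId.dpapi")
}

# Job entry point, run on the PGP server as the same service account.
# Because this process is the only hop, the service account's own Kerberos ticket
# is used for the UNC paths; no credential delegation is needed.
function Invoke-PgpDecrypt {
    param([Parameter(Mandatory)][string]$KeyId,
          [Parameter(Mandatory)][string]$InputPath,    # e.g. \\ServerB\inbox\*.asc
          [Parameter(Mandatory)][string]$OutputDir,    # e.g. \\ServerC\decrypted
          [string]$Store  = 'C:\PGPAutomation\secrets',
          [string]$PgpExe = 'pgp.exe')
    $secure = Get-Content (Join-Path $Store "$KeyId.dpapi") | ConvertTo-SecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    try {
        # Set per call, so several keys with different passphrases can share one
        # service account; the value never appears in the command line or task history.
        $env:PGP_PASSPHRASE = $plain
        & $PgpExe --decrypt $InputPath --output $OutputDir
        if ($LASTEXITCODE -ne 0) { throw "pgp.exe failed for key $KeyId (exit $LASTEXITCODE)" }
    } finally {
        Remove-Item Env:\PGP_PASSPHRASE -ErrorAction SilentlyContinue
        $plain = $null
    }
}
```

The remote side on server A then reduces to starting the scheduled task (for example with Start-ScheduledTask over a PSSession), which needs no second hop because the task already runs as the service account on the PGP server.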