PGP Whole Disk Encryption Frequently Asked Questions

Below are answers to common configuration and usage questions relating to the PGP Whole Disk Encryption product used here at The Ohio State University

  1. What is a PGP Pass Phrase?
  2. How many boot pass phrases do I need?
  3. Should I Synchronize the PGP Boot Pass Phrases with Windows?
  4. Why would I not want to use Windows Single Sign On with PGP?
  5. Can I use PGP Whole Disk Encryption to Encrypt Removable Media?
  6. I have a network home directory or use Novell, how do I make PGP WDE work properly when logging in?
  7. How do I get my PGP Whole Disk Encryption Software?
  8. Where can I get a copy of the PGP Whole Disk Encryption Installation or User Guides?
  9. Can I use PGP WDE when creating computer images with Ghost?
  10. Can I back up my Windows computers with PGP Whole Disk Encryption Installed?
  11. I'm a Windows 64-bit user, can I use PGP Whole Disk Encryption?
  12. I'm a Macintosh OS X user, can I use PGP Whole Disk Encryption?
  13. I'm a Unix/Linux user, can I use PGP Whole Disk Encryption?
  14. I want to add or change the appointed recovery agents for my department. How do I do this?
  15. Does PGP support SCSI hard drives?

Further Questions?

If you do not see your question answered here or in the user guide, send an email to the PGP Support team.


What is a PGP Pass Phrase?

In the process of installing and encrypting the entire PC disk, one or more pass phrases need to be set up to allow the machine to be booted. These phrases are set by the user during the encryption process. This is not the same thing as a Windows password when you use single sign on mode with PGP.

How Many Boot Pass Phrases Do I Need?

This software allows multiple pass phrases to be used to boot the machine, so a decision needs to be made regarding the number of boot phrases that should be configured for the machine:

  • If the machine is used by a single person, then the software should be configured with a single boot pass phrase for that user.

  • If the machine is shared between a few people, it will likely be easiest to have a boot pass phrase for each user so that each user can maintain their pass phrase independent of the other users.
  • If the machine is in a lab setting or is loaned out, all of the machines in that setting should be configured with the same boot pass phrase to allow the machines to be interchangeable.
  • If the machine is only used occasionally, it might be good for the support staff in that area to create a second administrative user on the machine which also has a boot pass phrase.

Should I Synchronize the PGP Boot Pass Phrases With Windows?

It is possible for the boot pass phrase to be synchronized with the user’s Windows password. Doing this has a few advantages:

  • When the user enters their password to boot the machine, the PGP software proceeds to automatically log them in to Windows.
  • When the user changes their Windows password, their boot password is automatically updated as well (depending on how the change occurs, the next boot may still require the old password to boot but the password will be updated when the user logs in to Windows).

  • If there are controls to force password expiration, these controls automatically extend to the boot password.

Why would I not want to use Windows Single Signon for PGP?

In most cases, synchronizing the boot pass phrase and the Windows password is a good thing. The only times that this may not be desired are:

  • When the boot pass phrase should not automatically log the user in to Windows and for system support staff boot pass phrases (since, in this case, the pass phrase is likely to be used very infrequently so it may not stay in sync with the Windows password).
  • When using a biometric reader like a thumbprint scanner. Often these devices do not work with PGP's boot level security. Users should not use single sign on with these devices; instead, use the PGP Passphrase, and then the biometric device can control the Windows login process as expected.

PGP WDE users need to enter the PGP passphrase before the biometric scanner software can execute and protect their system. Most biometric systems, like fingerprint scanners, do not operate on the hardware level.

I have a network home directory or use Novell, how do I make PGP WDE work properly when logging in?

Some users and administrators do not use the default location of the keyring for your users who have their home directories located on a Novell network share. For the users that get a dialog, I'm assuming it is the one stating that PGP cannot open the keyring files at the specified locations. If so, they should have an option to point to a location on their local machines that PGP will have access to, before looking for the home folder on a network share that hasn't mounted yet. The users will need to manually move their keys from the network share to a local path, then tell PGP to look in this new location when it starts up pgptray.exe.

For users that haven't installed PGP Desktop yet, you can create a "PGPprefs.txt" file and place it in their directory. Inside this text file, place the following text:

    PublicKeyringFile="xxxxxx"
    PrivateKeyringFile="xxxxxx"

where "xxxxxx" is the absolute path to where you want the keys to be stored (e.g. PublicKeyringFile="C:\PGP\pubkey.pkr").

Now when PGP installs and the system reboots, it will look for a PGPprefs.xml file, and not find one (which is the default behavior). It will then look for an old PGPprefs.txt file in case the current install is an upgrade from PGP 8.x. It will find the PGPprefs.txt file you created and during the enrollment it will place the newly created keys in the directory you specified, instead of the home directory by default.
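The following check is an added example, not part of the original FAQ or of any PGP tooling. It reads the text of a PGPprefs.txt file and reports keyring paths that would still fail at boot because they are missing, relative, or on a network location. It assumes the key="value" format shown above; the local_drives parameter and the sample paths are constructed for illustration.

```python
import ntpath
import re

# Keys named in the FAQ; the key="value" format is taken from its example.
REQUIRED_KEYS = ("PublicKeyringFile", "PrivateKeyringFile")
ENTRY = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def parse_prefs(text):
    """Return {key: path} for every key="value" pair in the file text."""
    return dict(ENTRY.findall(text))

def check_keyring_paths(text, local_drives=("C",)):
    """Return a list of problems; an empty list means both paths look local.

    local_drives is an assumption: the drive letters that are fixed disks
    on the target machine. Mapped network drives must not be listed.
    """
    prefs = parse_prefs(text)
    problems = []
    for key in REQUIRED_KEYS:
        raw = prefs.get(key)
        if not raw:
            problems.append(f"{key}: missing")
            continue
        path = ntpath.normpath(raw)          # normalise / to \ first
        drive, rest = ntpath.splitdrive(path)
        if drive.startswith("\\\\"):         # \\server\share\...
            problems.append(f"{key}: UNC network path {raw}")
        elif not (len(drive) == 2 and rest.startswith("\\")):
            problems.append(f"{key}: not an absolute path: {raw}")
        elif drive[0].upper() not in local_drives:
            problems.append(f"{key}: drive {drive} is not a local disk")
    return problems

# Constructed sample files (paths are illustrative only).
GOOD = 'PublicKeyringFile="C:\\PGP\\pubkey.pkr"\nPrivateKeyringFile="C:\\PGP\\seckey.skr"\n'
BAD = ('PublicKeyringFile="\\\\server\\home\\user\\pubkey.pkr"\n'
       'PrivateKeyringFile="H:\\keys\\seckey.skr"\n')

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_keyring_paths(text) or "ok")
```

A path alone cannot reveal whether a drive letter is a mapped network share, which is why the set of local drive letters has to be supplied for the machine being checked.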

Can I use PGP Whole Disk Encryption to Encrypt Removable Media?

According to PGP, Whole Disk Encryption should not be used for floppies, CDs, and DVDs. Whole Disk Encryption can be used on USB drives, and policy can be set to require that USB drives be encrypted. This policy option must be used with care since devices such as MP3 players appear to the system as a USB drive; if the PGP software encrypts the MP3 player, the player won’t be able to play anything.

How do I get my PGP Whole Disk Encryption Software?

We are using the PGP Management web server as our primary method of distribution. There is no stand-alone media; users are encouraged to download the software from the PGP registration site, as that is updated when PGP releases new software versions and allows for a single point of distribution for these updates.

Where can I get a copy of the PGP Whole Disk Encryption Installation or User Guides?

Departments that purchased the university licensed PGP Whole Disk Encryption product can download the customized PGP Whole Disk Encryption Install Guide (PDF) or the PGP Whole Disk Encryption Administrator Guide (PDF) to assist in implementing this technology.

Can I use PGP WDE when creating computer images with Ghost?

Based on PGP testing, software such as Norton Ghost can be used to replicate a machine that already has PGP Desktop installed on it. The main requirement for this is that the disk must not be encrypted when the image is made.

Performing Backups

Backup software that does not bypass the Windows drivers should work with the disk encrypted. The backups that are created are not encrypted (unless the backup software encrypts them) and should be handled in an appropriate manner.

I'm a Windows 64-bit user, can I use PGP Whole Disk Encryption?

Currently PGP does not support 64-bit Windows clients in its Whole Disk Encryption product. 64-bit support is reportedly on the horizon in a future version.

I'm a Macintosh OS X user, can I use PGP Whole Disk Encryption?

Currently the PGP WDE product has limited Macintosh OS X support. Unfortunately it does not encrypt a complete Macintosh file system or hard drive. Macintosh users are encouraged to use Virtual Drive encryption instead.

Virtual Drive encryption is covered in the PGP Whole Disk Encryption User Guide. This form of encryption is not foolproof as it requires users to save files to be encrypted in a specific place or image. PGP has assured us that Whole Disk Encryption support for Macintosh systems is coming in the near future.

I'm a Unix/Linux user, can I use PGP Whole Disk Encryption?

Currently there is no Unix/Linux support for PGP Whole Disk Encryption. Unix/Linux users are encouraged to investigate TrueCrypt and similar software to secure their systems.

I want to add or change the appointed recovery agents for my department. How do I do this?

The list of Key recovery agents is maintained by the Data Security group. To add or change account information send an email to access@osu.edu requesting the change and the Data Security group will address it promptly.

I do not see my question answered here or in the user guide.

While we have documented many of the common questions it is possible you might encounter something uncommon or unusual. To send a direct question to the PGP support team, complete the form below and hit submit. Someone will respond to your question promptly.

Does PGP Whole Disk Encryption support SCSI hard drives?

Currently PGP Whole Disk Encryption does not support SCSI hard drives, despite the claim in the software documentation.
