PGP CAPS Activation Package




PGP CAPS Activation Package Administrator's Guide 9.12/10.0

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Version 9.12.0/10.0.0. Last updated: May 2011.

Legal Notice

Copyright (c) 2011 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. Commercial Computer Software and Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
Symantec Home Page (http://www.symantec.com)

Printed in the United States of America.

Contents

About PGP CAPS Activation Package
    Overview
    What is the Session Key and DAK?
    Getting product information
    Technical Support
    Contacting Technical Support
    Licensing and registration
    Customer service
    Support agreement resources
Installing PGP CAPS Activation Package
    System Requirements
    PGP CAPS Activation Package Prerequisites
    Installing PGP CAPS Activation Package for PGP Whole Disk Encryption in a PGP Universal Server-managed Environment
    Important Notes for PGP Universal Server Administrators
    Installing PGP CAPS Activation Package for PGP Whole Disk Encryption in a Standalone Environment
    Important Notes for Administrators in a Standalone Environment
Using PGP CAPS Activation Package
    For Security Administrators
    Changing a User's Passphrase
    Troubleshooting Problems with Passphrase Generation
    Changing a User's Passphrase using a Recovery Token

1 About PGP CAPS Activation Package

Note: To view the most recent version of this document, please go to the Documentation (https://pgp.custhelp.com/app/docs) section on the PGP Support Portal.

In This Chapter
- Overview
- Getting product information
- Technical Support

Overview

PGP CAPS Activation Package provides support for CESG (Communications-Electronics Security Group) "Baseline" certification, which allows PGP Whole Disk Encryption to be used for information classified up to RESTRICTED (Impact Level 3).

Why CAPS?

CAPS (CESG Assisted Products Service) enables products to be cryptographically verified by CESG to Her Majesty's Government (HMG) cryptographic standards and formally approved for use by HMG and other appropriate organizations. For HMG customers, CAPS provides assured solutions.

What is the Session Key and DAK?

The session key is the symmetric key used to encrypt the disk, whereas the Disk Access Key (DAK) is used to secure access to the disk. The DAK gives the product flexibility, such as when adding or removing users, without needing to change the session key. The way the DAK works with the session key is similar to an envelope: a key to the envelope provides access to the key within. You can change the key on the envelope without touching the key in the envelope.

Getting product information

Unless otherwise noted, online help is installed and is available within the PGP CAPS Activation Package product. Release notes are also available, which may have last-minute information not found in the product documentation. The user's guide and quick start guides, provided as Adobe Acrobat PDF files, are available on the Documentation (https://pgp.custhelp.com/app/docs) section on the Symantec Corporation Support Portal.

Once PGP CAPS Activation Package is released, additional information regarding the product is entered into the online Knowledge Base available on the PGP Support Portal Web Site (https://support.pgp.com).

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL: www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
    - Error messages and log files
    - Troubleshooting that was performed before contacting Symantec
    - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL: www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

Asia-Pacific and Japan: customercare_apac@symantec.com
Europe, Middle-East, and Africa: semea@symantec.com
North America and Latin America: supportsolutions@symantec.com

2 Installing PGP CAPS Activation Package

This section provides information on the system requirements and prerequisites required to install PGP CAPS Activation Package, as well as installation instructions.

In This Chapter
- System Requirements
- PGP CAPS Activation Package Prerequisites
- Installing PGP CAPS Activation Package for PGP Whole Disk Encryption in a PGP Universal Server-managed Environment
- Installing PGP CAPS Activation Package for PGP Whole Disk Encryption in a Standalone Environment

System Requirements

- Windows 7 (all 32- and 64-bit editions), Windows Vista (all 32-bit and 64-bit versions, including Service Pack 1 and 2), Microsoft Windows XP Professional 32-bit (Service Pack 1, 2, or 3), Windows XP Professional 64-bit (Service Pack 2), Windows XP Home Edition (Service Pack 1, 2 or 3), Microsoft Windows XP Tablet PC Edition 2005 (requires attached keyboard).
  Note: The above operating systems are supported only when all of the latest hot fixes and security patches from Microsoft have been applied.
- 512 MB of RAM
- 64 MB hard disk space

PGP CAPS Activation Package Prerequisites

The following are the items required before you can deploy with the PGP CAPS Activation Package:
- Obtain UK Key Material from CESG. To contact CESG:
    - Send an email to CESG (mailto: keymat@cesg.gsi.gov.uk).
    - Call the main phone number (see the CESG website (http://www.cesg.gov.uk/about_us/contacts.shtml) for the number).
  In addition, see PGP Knowledgebase article 1096 (https://support.pgp.com/?faq=1096) for the forms and instructions you may need after you have discussed your request for key material with CESG.

- In a PGP Universal Server-managed environment, ensure that the internal user policy for Whole Disk Encryption is not specified to automatically encrypt the system disk once the user has enrolled.
- Obtain the PGP CAPS Activation Package files from Symantec Corporation. Information on where to download these files was provided when you purchased PGP CAPS Activation Package. This file contains the PGP CAPS Activation Package program, the license agreement, and the Administrator's Guide (this document).
- Do one of the following:
    - In a PGP Universal Server-managed environment, ensure that the PGP Desktop installation program and the CAPS-approved PGP Desktop installation program have been downloaded from Symantec Corporation (this information was provided when you purchased PGP CAPS Activation Package). Also ensure you have downloaded the PGP CAPS Activation Package file.
    - In a standalone (unmanaged) environment, ensure that the PGP Desktop installation program and the CAPS-approved PGP Desktop installation program have been downloaded from Symantec Corporation (this information was provided when you purchased PGP CAPS Activation Package). Also ensure you have downloaded the PGP CAPS Activation Package file.

Installing PGP CAPS Activation Package for PGP Whole Disk Encryption in a PGP Universal Server-managed Environment

The following steps describe a typical installation process. The person who installs PGP Desktop on the user's computer could be the user or the security administrator. The security administrator, however, must install the CESG key with the PGP CAPS Activation Package.

When deploying with the PGP CAPS Activation Package, be sure that you have obtained the special software update package (.pup) and installed it on the PGP Universal Server. To do this, refer to the chapter in the PGP Universal Server Administrator's Guide called "Updating PGP Universal Server Software."

To install PGP Whole Disk Encryption on the user's Windows system

1 Locate the PGP Desktop installation program. Ensure that the correct PGP Desktop installation program that is CAPS-approved is being used.
  Note: Ensure that the correct .pup update file has been downloaded to the PGP Universal Server. This update should be the CESG-approved update.
2 Double-click the PGP Desktop installer.
3 Follow the on-screen instructions.
4 If prompted to do so, restart the system.
5 When the system has restarted, proceed with the PGP Desktop Setup Assistant. This assistant creates the user's keys and, in a managed environment, enrolls the user to the PGP Universal Server managing the system. Symantec Corporation recommends that the actual user of the system completes the enrollment process.
6 Once PGP Desktop has been installed and the user has been enrolled to the PGP Universal Server, proceed with the steps to activate PGP CAPS Activation Package on the user's system.
  Note: If you are in a domain protected by a PGP Universal Server, your PGP administrator may have preconfigured your PGP CAPS Activation Package installer with specific features and/or settings.

To activate PGP CAPS Activation Package on the user's system

1 Once the user has enrolled, the security administrator inserts PGP CAPS Activation Package (on compact disc or USB drive).
  Note: Do not copy the files in the PGP CAPS Activation Package to the user's system. Run the program directly from the media on which the files are located.
2 From the command line, run the program located on the disc or USB drive:

    pgpwde.exe --secure --disk 0 --user <username> --cesg-key-file <filename> --dak-index <keyindex> --session-key-index <keyindex> --passphrase-key-index <passphraseindex>

  where:
    - <username> specifies the user's name for PGP Whole Disk Encryption
    - <filename> specifies the path and file name to the file containing the CESG key material (AES keys)
    - <keyindex> for the dak-index specifies a value between 1 and x based on the number of keys included within the key file as a hex value (for example, 0x1, 0x1A, 0x3F32, 0xDA2, and so on), or a decimal value (for example 1, 10, 39 and so on)
    - <keyindex> for session-key-index specifies a value between 1 and x based on the number of keys included within the key file as a hex value (for example, 0x1, 0x1A, 0x3F32, 0xDA2, and so on), or a decimal value (for example 1, 10, 39 and so on)
    - <passphraseindex> for passphrase-key-index specifies a value between 1 and x based on the number of keys included within the key file as a hex value (for example, 0x1, 0x1A, 0x3F32, 0xDA2, and so on), or a decimal value (for example 1, 10, 39 and so on). This value dynamically generates a passphrase that can be used for subsequent command line operations where the passphrase is required. This passphrase is printed on the screen and must be noted for future reference.

  Care must be taken to assign distinct key index values to each system to avoid reusing keys. The DAK, session key, and passphrase key index values must not be 0 (zero).

  Note: If the index value is specified in hexadecimal (digits 0-9 and A-F), it must begin with 0x or 0X. If key index values are not prefixed with 0x or 0X, they will be treated as decimal values. Care must be taken to assign distinct key index values to each system to avoid reusing keys. Every system should be assigned three (3) keys: one key as the session key, one key specified as data access key, and another as the passphrase key.

  For example, to encrypt the system to user "alice" using index 1 as the DAK key, index 2 as the session key, and index 3 as the passphrase key from the file named CESG_keys.keys, run:

    pgpwde.exe --secure --disk 0 --user alice --cesg-key-file d:\cesg_keys.keys --dak-index 0x1 --session-key-index 0x2 --passphrase-key-index 0x3

  This program locates the CESG key, obtains this key, and then inserts the key into the PGP Desktop installation. It also returns the passphrase, which has been dynamically created. Be sure to remember this passphrase as it is required when you boot your computer.
3 Once the key has been located and inserted, the script then initiates the system disk encryption. As soon as encryption begins, verify that no errors have been received. If encryption has begun, the security administrator can then exit the command line and eject the disc or USB drive containing the PGP CAPS Activation Package.

Important Notes for PGP Universal Server Administrators

Symantec Corporation recommends that the automatic update of PGP Desktop be disabled in the PGP Universal Server, or that automatic updates be used carefully. This ensures that the next update users install is a CAPS-certified release of PGP Desktop.

You will need to determine what update packages (PUP) you want to accept when they are offered by Symantec Corporation. When a CAPS-certified update is available, you can upload it to the PGP Universal Server, enable automatic updates for managed clients, and then inform your users to install the update when notified.

Installing PGP CAPS Activation Package for PGP Whole Disk Encryption in a Standalone Environment

The following steps describe a typical installation process. The person who installs PGP Desktop on the user's computer could be the user or the security administrator. The security administrator, however, must install the CESG key with the PGP CAPS Activation Package.

To install PGP Whole Disk Encryption on the user's Windows system

1 Locate the PGP Desktop installation program. Ensure that the correct PGP Desktop installation program that is CAPS-approved is being used.
2 Double-click the PGP Desktop installer.
3 Follow the on-screen instructions.

4 If prompted to do so, restart the system.
5 When the system has restarted, proceed with the PGP Desktop Setup Assistant. This assistant creates the user's keys, if required. Symantec Corporation recommends that the actual user of the system completes the enrollment process.
6 Once PGP Desktop has been installed and the user's PGP key has been created, proceed with the steps to activate PGP CAPS Activation Package on the user's system.

To activate PGP CAPS Activation Package on the user's system

1 Once the user has enrolled, the security administrator inserts PGP CAPS Activation Package (on compact disc or USB drive).
  Note: Do not copy the files in the PGP CAPS Activation Package to the user's system. Run the program directly from the media on which the files are located.
2 From the command line, run the program located on the disc or USB drive:

    pgpwde.exe --secure --disk 0 --user <username> --cesg-key-file <filename> --dak-index <keyindex> --session-key-index <keyindex> --passphrase-key-index <passphraseindex>

  where:
    - <username> specifies the user's name for PGP Whole Disk Encryption
    - <filename> specifies the path and file name to the file containing the CESG key material (AES keys)
    - <keyindex> for the dak-index specifies a value between 1 and x based on the number of keys included within the key file as a hex value (for example, 0x1, 0x1A, 0x3F32, 0xDA2, and so on), or a decimal value (for example 1, 10, 39 and so on)
    - <keyindex> for session-key-index specifies a value between 1 and x based on the number of keys included within the key file as a hex value (for example, 0x1, 0x1A, 0x3F32, 0xDA2, and so on), or a decimal value (for example 1, 10, 39 and so on)
    - <passphraseindex> for passphrase-key-index specifies a value between 1 and x based on the number of keys included within the key file as a hex value (for example, 0x1, 0x1A, 0x3F32, 0xDA2, and so on), or a decimal value (for example 1, 10, 39 and so on). This value dynamically generates a passphrase that can be used for subsequent command line operations where the passphrase is required. This passphrase is printed on the screen and must be noted for future reference.

  Care must be taken to assign distinct key index values to each system to avoid reusing keys. The DAK, session key, and passphrase key index values must not be 0 (zero).

  Note: If the index value is specified in hexadecimal (digits 0-9 and A-F), it must begin with 0x or 0X. If key index values are not prefixed with 0x or 0X, they will be treated as decimal values. Care must be taken to assign distinct key index values to each system to avoid reusing keys. Every system should be assigned three (3) keys: one key as the session key, one key specified as data access key, and another as the passphrase key.

  For example, to encrypt the system to user "alice" using index 1 as the DAK key, index 2 as the session key, and index 3 as the passphrase key from the file named CESG_keys.keys, run:

    pgpwde.exe --secure --disk 0 --user alice --cesg-key-file d:\cesg_keys.keys --dak-index 0x1 --session-key-index 0x2 --passphrase-key-index 0x3

  This program locates the CESG key, obtains this key, and then inserts the key into the PGP Desktop installation. It also returns the passphrase, which has been dynamically created. Be sure to remember this passphrase as it is required when you boot your computer.
3 Once the key has been located and inserted, the script then initiates the system disk encryption. As soon as encryption begins, verify that no errors have been received. If encryption has begun, the security administrator can then exit the command line and eject the disc or USB drive containing the PGP CAPS Activation Package.

Important Notes for Administrators in a Standalone Environment

Symantec Corporation recommends that you disable the automatic updating feature of PGP Desktop. This ensures that the next update you install is a CAPS-certified release of PGP Desktop.

To disable automatic updates

1 In PGP Desktop, choose Tools > Options.
2 On the General tab, deselect the option to Check for Updates Every.
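The key index rules stated in both activation procedures above (0x or 0X prefix for hexadecimal, decimal otherwise, never 0, three distinct keys for every system) can be checked against an allocation ledger before any machine is activated. The following Python check is an added example, not part of this guide or of pgpwde; the ledger layout, the host names, and the key count of 64 are constructed assumptions, and the parser mirrors the rule as this guide words it rather than pgpwde's own parsing.

```python
import re

# The three index options every system needs, as named in the pgpwde command.
ROLES = ("dak-index", "session-key-index", "passphrase-key-index")

_HEX = re.compile(r"0[xX][0-9A-Fa-f]+")
_DEC = re.compile(r"[0-9]+")


def parse_key_index(text, key_count):
    """Return the integer key number for an index string, or raise ValueError.

    Rule taken from the guide: a 0x/0X prefix means hexadecimal, anything
    else is read as decimal, and the value must lie between 1 and the number
    of keys in the key file (key_count is supplied by the caller).
    """
    text = text.strip()
    if _HEX.fullmatch(text):
        value = int(text, 16)
    elif _DEC.fullmatch(text):
        value = int(text, 10)
    else:
        raise ValueError(f"{text!r} is neither decimal nor 0x-prefixed hex")
    if value == 0:
        raise ValueError("index must not be 0")
    if value > key_count:
        raise ValueError(f"index {value} exceeds the {key_count} keys in the file")
    return value


def check_ledger(ledger, key_count):
    """Return (system, role, problem) tuples; an empty list means a clean plan.

    Indices are compared after conversion to integers, so a key written once
    in hex and once in decimal is still detected as reuse.
    """
    problems = []
    owner = {}  # key number -> (system, role) that claimed it first
    for system, indices in ledger:
        for role in ROLES:
            raw = indices.get(role)
            if raw is None:
                problems.append((system, role, "no index assigned"))
                continue
            try:
                value = parse_key_index(raw, key_count)
            except ValueError as exc:
                problems.append((system, role, str(exc)))
                continue
            if value in owner:
                first_system, first_role = owner[value]
                problems.append(
                    (system, role,
                     f"key {value} already assigned to {first_system} {first_role}")
                )
            else:
                owner[value] = (system, role)
    return problems


# Constructed sample ledger: host names and index values are illustrative only.
SAMPLE_KEY_COUNT = 64
SAMPLE_LEDGER = [
    ("LAPTOP-01", {"dak-index": "0x1", "session-key-index": "0x2",
                   "passphrase-key-index": "0x3"}),
    ("LAPTOP-02", {"dak-index": "4", "session-key-index": "5",
                   "passphrase-key-index": "0x6"}),
    # 0x1A and 26 are the same key; 0 is forbidden.
    ("LAPTOP-03", {"dak-index": "0x1A", "session-key-index": "26",
                   "passphrase-key-index": "0"}),
    # "1A" lacks the 0x prefix, so it is not a valid decimal; 3 repeats LAPTOP-01.
    ("LAPTOP-04", {"dak-index": "1A", "session-key-index": "3",
                   "passphrase-key-index": "0x7"}),
]

if __name__ == "__main__":
    for system, role, problem in check_ledger(SAMPLE_LEDGER, SAMPLE_KEY_COUNT):
        print(f"{system}: --{role}: {problem}")
```

The ledger holds only index numbers, never key material, so it can be kept and reviewed separately from the CESG key file.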

3 Using PGP CAPS Activation Package

Your users should refer to the PGP Desktop for Windows User's Guide or Online Help for more information on how to use the features of PGP Whole Disk Encryption.

In This Chapter
- For Security Administrators
- Changing a User's Passphrase
- Changing a User's Passphrase using a Recovery Token

For Security Administrators

In an environment that is managed by a PGP Universal Server, the user's system sends information back to the server to be logged. The log entries indicate that the CAPS session key and the CAPS DAK were used when the disk was encrypted.

Changing a User's Passphrase

It may be necessary to change a user's passphrase.

To change a user's passphrase

From the installation directory, run the following command:

    pgpwde --change-passphrase --user <username> -p <passphrase>

where:
- <username> specifies the user's name for PGP Whole Disk Encryption
- <passphrase> specifies the passphrase associated with the user (this is the passphrase that was generated dynamically when PGP CAPS Activation Package was installed)

The program outputs a new, dynamically generated passphrase. Be sure to remember this passphrase as it is required when you boot your computer.

Troubleshooting Problems with Passphrase Generation

PGP generates passphrases dynamically in combination with a seed file. The file must be available to the software in the location given below, or passphrase generation will fail.

If the seed file cannot be located or is corrupt, an error message displays. In this case a new passphrase cannot be automatically generated until the seed file is restored. The seed file can be restored by manually copying CESG-approved key material into a text file named PGPSeed.dat, located in the following folder:

- On Windows XP systems: C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGPData\PGPSeed.dat
- On Windows Vista/7 systems: C:\ProgramData\PGP Corporation\PGPData\PGPSeed.dat

To restore the local seed file using the CESG key file, type the following command:

    pgpwde --change-passphrase --disk <disknum> -u <username> --cesg-key-file <cesg-keyfile> --passphrase-key-index <keyindex> -p <current passphrase>

Changing a User's Passphrase using a Recovery Token

If a user forgets his passphrase, he can log in to the system using a Whole Disk Recovery Token (WDRT). A recovery token is generated when a disk is initially encrypted, and is sent to the PGP Universal Server. To recover from a lost passphrase, the user types the WDRT during the pre-boot process and then provides a new passphrase.

A WDRT can be used only once. After it is used successfully, and if network connectivity to the PGP Universal Server is available, a new WDRT is created and sent to the server. If the PGP Universal Server cannot be contacted during login, a new WDRT is not issued immediately, but is instead created later when connectivity is restored.

To use a recovery token on a boot disk

1 Obtain the recovery token from your PGP Universal Administrator.

2 At the PGP BootGuard screen, enter the recovery token in the passphrase field. When you enter a recovery token, you do not need to match the case (all uppercase) or dashes that you received from your PGP Universal Administrator. You can enter all lowercase characters without the dashes if you want.

To change a user's passphrase using a WDRT

From the installation directory, run the following command:

    pgpwde --change-passphrase --disk <disk number> -u <username> --recovery-token <WDRT>

where:
- <username> specifies the user's name for PGP Whole Disk Encryption
- <WDRT> specifies the WDRT string, with or without dashes

The program outputs a new, dynamically generated passphrase. Be sure to remember this passphrase as it is required when you boot your computer.

Note: If the PGP Universal Server can be contacted, the change passphrase command is successful and a new WDRT is created. If the PGP Universal Server cannot be contacted, the change passphrase command fails.