it.ucsf.edu

Windows Symantec Encryption Desktop (PGP) Install Guide

Symantec Encryption Desktop (PGP) Windows system requirements

This section covers Symantec Encryption Desktop (PGP) version 10.3.1 [Build 13100]

System Requirements

  • Windows 8 Enterprise and Pro (32 and 64 bit versions)
  • Windows 7 (all 32 and 64 bit versions)
  • Windows Vista (all 32- and 64-bit editions)
  • Windows XP (32-bit Service Pack 2 or 3, 64-bit Service Pack 2) *END OF LIFE APRIL 2014*
  • Microsoft Windows XP Tablet PC Edition 2005 (requires attached keyboard)
  • Windows Server 2003 (Service Pack 1 and 2)

For additional system requirements and best practices information on using PGP WDE on Windows non-server systems, see Symantec KB Article 149543 http://www.symantec.com/business/support/index?page=content&id=TECH149543

PGP WDE supports all the client operating systems above as well as the following server versions:

  • Windows Server 2008 SP 1 and 2  (64-bit edition)
  • Windows Server 2008 R2 (64-bit edition)

For additional system requirements and best practices information on using PGP WDE on Windows Server systems, see Symantec KB Article 149613. http://www.symantec.com/business/support/index?page=content&id=TECH149613

Additional Requirements for Microsoft Windows 8 UEFI Systems

For systems running Windows 8 in UEFI mode, the following additional requirements must be met:

  • System must be certified for Microsoft Windows 8 64-bit
  • UEFI firmware must allow other programs or UEFI applications to execute while booting
  • Boot drive must be partitioned in GPT with only one EFI system partition on the same physical disk
  • Boot drive must not be configured with RAID or Logical Volume Managers (LVM)
  • Tablets and any systems without a wired or OEM-supplied attachable keyboard are not supported

PGP WDE Supported Disk Types

The PGP WDE feature protects the contents of the following types of disks:

  • Desktop or laptop disks, including solid-state drives (either partitions, or the entire disk).
  • External disks, excluding music devices and digital cameras.
  • USB flash disks.
  • GPT partitioned Windows drives on systems that use UEFI and Windows 8 64-bit.

PGP WDE Unsupported Disk Types

  • Dynamic disks
  • Diskettes and CD-RW/DVD-RWs.
  • Advanced Format disks that do not emulate 512e
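
The disk requirements listed above can be checked before encryption is started. The PowerShell below is an added example, not code from Symantec or UCSF: the function name Test-WdeDiskReadiness and the sample disk objects are constructed for illustration, and the live usage assumes the Storage module cmdlets (Get-Disk, Get-Partition) available on Windows 8 and later.

```powershell
# Added example, not Symantec or UCSF code. Test-WdeDiskReadiness is a hypothetical name.
$EspGuid  = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'      # EFI system partition type
$LdmGuids = @(
    '{5808c8aa-7e8f-42e0-85d2-e1e90434cfb3}'              # LDM metadata (dynamic disk)
    '{af9b60a0-1431-4f62-bc68-3311714a69ad}'              # LDM data (dynamic disk)
)

function Test-WdeDiskReadiness {
    param(
        [Parameter(Mandatory)] $Disk,        # shaped like one Get-Disk object
        [Parameter(Mandatory)] $Partitions,  # shaped like Get-Partition output for that disk
        [switch] $Uefi                       # set when the machine boots in UEFI mode
    )
    $findings = @()
    if ($Uefi -and $Disk.PartitionStyle -ne 'GPT') {
        $findings += 'UEFI boot drive must be GPT partitioned'
    }
    if ($Disk.PartitionStyle -eq 'GPT') {
        $esp = @($Partitions | Where-Object { $_.GptType -eq $EspGuid }).Count
        if ($esp -ne 1) { $findings += "Expected exactly one EFI system partition, found $esp" }
    }
    # Dynamic disks carry LDM partitions: GPT LDM type GUIDs, or MBR type 0x42.
    $ldm = @($Partitions | Where-Object { $_.GptType -in $LdmGuids -or $_.MbrType -eq 0x42 })
    if ($ldm.Count -gt 0) { $findings += 'Dynamic disk (LDM partitions present)' }
    # 512e drives report 512-byte logical sectors; 4K-native drives report 4096.
    if ($Disk.LogicalSectorSize -ne 512) {
        $findings += "Logical sector size is $($Disk.LogicalSectorSize), not 512"
    }
    # Heuristic only: the bus type hints at RAID or Storage Spaces and needs manual review.
    if ($Disk.BusType -in 'RAID', 'Spaces') {
        $findings += "Bus type $($Disk.BusType): confirm the drive is not a RAID or pooled volume"
    }
    [pscustomobject]@{ Disk = $Disk.Number; Ready = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample input (not from a real machine): GPT boot disk with two ESPs.
$sampleDisk  = [pscustomobject]@{ Number = 0; PartitionStyle = 'GPT'; LogicalSectorSize = 512; BusType = 'SATA' }
$sampleParts = @(
    [pscustomobject]@{ GptType = $EspGuid }
    [pscustomobject]@{ GptType = $EspGuid }
    [pscustomobject]@{ GptType = '{ebd0a0a2-b9e5-4433-87c0-68b6b72699c7}' }   # basic data partition
)
Test-WdeDiskReadiness -Disk $sampleDisk -Partitions $sampleParts -Uefi

# On a live Windows 8 or later system (Storage module cmdlets):
# Get-Disk | Where-Object IsBoot | ForEach-Object {
#     Test-WdeDiskReadiness -Disk $_ -Partitions (Get-Partition -DiskNumber $_.Number) -Uefi }
```

For the constructed sample the result has Ready set to False with one finding about the EFI system partition count. The bus-type check is a hint for manual review, not proof of a RAID configuration.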

Installation Instructions

  1. Download Symantec Encryption Desktop (PGP) client installer (http://software.ucsf.edu/applications/pgp.html) and double click installation package
  2. Follow on-screen prompts to install
  3. Reboot the machine when prompted
  4. After rebooting, Symantec Encryption Desktop (PGP) will display the PGP Setup Assistant. Follow the on-screen prompts to set up your PGP key and passphrase

 

PGP Setup Assistant – Enrollment

 
When Symantec Encryption Desktop (PGP) first contacts the Symantec Encryption Management server, you may receive a certificate error. If prompted, select “Always Allow for This Site”. If no certificate error screen appears, skip to step #1.
After installation, PGP Setup Assistant will auto-launch to begin the enrollment process.
  1. Enrollment will ask for a user name and password. These are your UCSF email address and email password
    [email protected] email address:
    e.g. [email protected]


  2. Select User Type “I am a new user” and press Next
  3. Assistant to help configure your PGP key screen – select "Next"
  4. Key Source Selection screen – select the "New Key" radio button and then select the Next button
  5. Key Generation Progress screen - Status will process and go to "done". Select Next to continue
  6. Completing screen - Select Next
  7. Congratulations Screen - Click Finish
  8. Installation is now complete. Open up Symantec Encryption Desktop (PGP) to enable encryption features such as WDE, Volume, and Email encryption

Setting up Whole Disk Encryption - Windows

PGP WDE Warnings and Precautions

Before encrypting, review Whole Disk Encryption Best Practices

 

  • A Symantec (PGP) encrypted disk must be decrypted before performing the following tasks:
      • Major operating system upgrades, example: Windows 7 to Windows 8
      • Repartitioning encrypted hard drives
  • Use caution when using 3rd party disk defragmentation programs. See Symantec's website for more information http://www.symantec.com/docs/TECH148921
  • Do not use fixboot or fixmbr on a PGP WDE encrypted disk

 

Before encrypting, ensure that your system meets the system requirements, that a full backup has been made, and that the system has a network connection.

 

  1. After installing Symantec Encryption Desktop (PGP), open Symantec Encryption Desktop
  2. Click on PGP Disk then "Encrypt Disk or Partition"
  3. Click on "New Passphrase User"

    Go through the PGP disk assistant to set up your WDE passphrase. Select "Use Windows Password" to have Symantec Encryption Desktop (PGP) copy your existing Windows login password for use by whole disk encryption. With "Use Windows Password" selected, PGP will automatically log your user account into Windows; this is called Single Sign On (SSO)

  4. New User for whole disk encryption - Select "Use Windows Password" and then select Next
  5. Two-Factor Authentication screen - Simply click Next to continue
  6. Confirm your current Windows Password - Type in your Username, Password and check the box "Enable Windows SSO".  Select Next to continue
  7. New User Created screen should appear.  Simply click Finish to continue
  8. The newly created passphrase user will now appear in the lower part of the screen. Click the plus sign to expand the boot disk and ensure that the entire section is highlighted.  Finally click the "Encrypt" button on the upper right part of the screen to begin encryption
  9. Optional Step - Once the Encryption has completed, select the user that was added and create LOCAL Recovery Questions - Select "Add Security Questions..."

Encryption will take 4-12 hours to complete; you must verify that the system is fully encrypted at 100% before it is considered encrypted by the central logging server.  After encryption is enabled and a reboot occurs, the system will boot up to a Pre-Boot authentication screen.  Only the passphrase user that was created at the beginning of this process will be able to authenticate.  Additional passphrase users can be configured but the original passphrase user account must be used to make any adds or changes.