Educause Security Discussion mailing list archives
Re: PGP WDE
From: "Beechey, Jim" <beechey () NORTHWOOD EDU>
Date: Thu, 26 Feb 2009 15:45:23 -0500
Jeff,

We did a PGP rollout to around 600 machines, both laptops and desktops, in December. Overall we have been very happy with the product. We really like the performance of PGP and the fact that there is no Windows GINA modification. Here's a few thoughts that may help.

1. Make sure your PC/Help Desk folks are involved and engaged as early as possible. PGP, or any product, will be blamed for EVERY single hardware or application problem for at least a month :-) Focus effort on determining what they need to change regarding data recovery, imaging (Ghost) processes and PC deployments. PGP has a supported boot disk, WinPE support and can access a drive from another computer natively in Windows once credentials are provided.

2. If you do any forensic work, there will be changes here too. Vendors are catching up, but not there yet. EnCase, for instance, supports a couple vendors but does not yet have support for decryption of PGP drives during acquisition (with password of course).

3. People don't like the length of the recovery tokens in Universal. Not sure much can be done about that though.

4. We did not have a single drive fail during deployment, however did see dramatic time differences in the initial encryption process on drives which were not performing well. We deployed using SMS and forcing auto-enrollment, which generally worked well. We tried to communicate with user groups to say that the deployment will begin at 4:30pm, please log in to PGP before you leave so the encryption process will run at night.

5. Make sure you have a good physical inventory to compare with Universal server to catch machines that did not get encrypted or where users just hit cancel to the PGP login every day.

6. Think about your strategy for getting IT folks access to users' drives for support purposes. Recovery tokens will do the trick, but can be a pain for the technician. We ended up creating local accounts on machines for PC support personnel. We script these additions using SMS and the pgpwde command line utility.

7. For our monthly patch deployment process, we now include the PGP bypass capability (part of pgpwde.exe) so the computer will reboot once after patches without going to the boot guard screen. This allows the patching process to complete and the machine to not be stuck at the boot guard screen in case the user wanted to RDP in via SSLVPN.

8. If users have their local My Documents folder redirected to a server share they will get "pgp key ring" errors. PGP stores a few files in the user's profile in the My Documents folder.

Sorry for the long email, hope it's helpful. Feel free to give me a shout directly if you'd like to talk more.

Jim

Jim Beechey
Associate Director, Networks and Information Security
Northwood University
4000 Whiting Drive
Midland, MI 48640
989-837-4169
beechey () northwood edu
www.northwood.edu
"Developing the future leaders of a global, free-enterprise society."

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of jeff murphy
Sent: Thursday, February 26, 2009 11:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PGP WDE

Related to the topic from earlier this week. I'd like to hear from anyone who has deployed PGP Whole Disk Encryption and/or NetShare along with Universal Server. We're looking at a few options, one of which is PGP, and I'm looking for real-world war stories regarding how your rollout and support went.

We're looking at WDE for several hundred users, so the trial we did of a few desktops doesn't really give us enough information to get a feel for what the product will be like once deployed en masse.

thanks,
jeff