Educause Security Discussion mailing list archives

Re: PGP WDE


From: "Beechey, Jim" <beechey () NORTHWOOD EDU>
Date: Thu, 26 Feb 2009 15:45:23 -0500

Jeff

We did a PGP rollout to around 600 machines, both laptops and desktops, in December. Overall we have been very happy with 
the product.  We really like the performance of PGP and the fact that there is no Windows GINA modification. Here are a 
few thoughts that may help.

1. Make sure your PC/Help Desk folks are involved and engaged as early as possible.  PGP, or any product, will be 
blamed for EVERY single hardware or application problem for at least a month :-)  Focus effort on determining what they 
need to change regarding data recovery, imaging (Ghost) processes and PC deployments.  PGP has a supported boot disk, 
WinPE support, and can access a drive from another computer natively in Windows once credentials are provided.

2. If you do any forensic work, there will be changes here too.  Vendors are catching up, but are not there yet.  EnCase, 
for instance, supports a couple of vendors but does not yet have support for decryption of PGP drives during acquisition 
(with password, of course).

3. People don't like the length of the recovery tokens in Universal.  Not sure much can be done about that, though.  

4. We did not have a single drive fail during deployment; however, we did see dramatic time differences in the initial 
encryption process on drives which were not performing well.  We deployed using SMS and forced auto-enrollment, which 
generally worked well.  We tried to communicate with user groups to say that the deployment will begin at 4:30pm, 
please log in to PGP before you leave so the encryption process will run at night.  

5. Make sure you have a good physical inventory to compare with the Universal server to catch machines that did not get 
encrypted or where users just hit Cancel at the PGP login every day.  

6. Think about your strategy for getting IT folks access to users' drives for support purposes.  Recovery tokens will do 
the trick, but can be a pain for the technician.  We ended up creating local accounts on machines for PC support 
personnel.  We script these additions using SMS and the pgpwde command-line utility.  

7. For our monthly patch deployment process, we now include the PGP bypass capability (part of pgpwde.exe) so the 
computer will reboot once after patches without going to the BootGuard screen.  This allows the patching process to 
complete and the machine not to be stuck at the BootGuard screen in case the user wanted to RDP in via SSL VPN.

8. If users have their local My Documents folder redirected to a server share, they will get "PGP key ring" errors.  
PGP stores a few files in the user's profile in the My Documents folder.  

Sorry for the long email; hope it's helpful.  Feel free to give me a shout directly if you'd like to talk more.

Jim


Jim Beechey
Associate Director, Networks and Information Security
Northwood University
4000 Whiting Drive
Midland, MI 48640
 
989-837-4169
beechey () northwood edu
www.northwood.edu
 
"Developing the future leaders of a global, free-enterprise society."



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of jeff 
murphy
Sent: Thursday, February 26, 2009 11:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PGP WDE

Related to the topic from earlier this week.

I'd like to hear from anyone who has deployed PGP Whole Disk Encryption and/or NetShare along with Universal Server.
We're looking at a few options, one of which is PGP, and I'm looking for real-world war stories regarding how your
rollout and support went.  We're looking at WDE for several hundred users, so the trial we did of a few desktops
doesn't really give us enough information to get a feel for what the product will be like once deployed en masse.

thanks,

jeff
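
An added example, not code from either post or from PGP Corporation, for Jim's points 6 and 7 above: a script the
patch job (SMS in his case) can call before and after the reboot to arm the one-boot BootGuard bypass and then make
sure it is no longer armed, plus a third mode that adds a local support user to the disk. The pgpwde switch names
(--add-bypass, --remove-bypass, --status, --add-user, --disk, -u, -p, --admin-passphrase) are recalled from the PGP
Desktop command-line reference and are not confirmed by the thread; check them against `pgpwde --help` for the
version you deploy. The install path, log path and the PGP_WDE_* environment variable names are assumptions made
for this example.

```powershell
<#
Added example, not from the original post or from PGP Corporation.
Wraps pgpwde.exe for two of the steps in Jim's message: arming the one-reboot
BootGuard bypass before a patch reboot (and cleaning up afterwards), and adding
a local support user to the disk.

ASSUMPTIONS (verify against `pgpwde --help` for your version before use):
  * the switch names below are recalled from the PGP Desktop command-line
    reference and are not confirmed by the thread;
  * the install path, log path and PGP_WDE_* variable names are made up for
    this example; the deployment job supplies passphrases via environment
    variables so they are never written into the script or the SMS package.
#>
param(
    [Parameter(Mandatory)][ValidateSet('PrePatch', 'PostPatch', 'AddSupportUser')]
    [string]$Phase,
    [int]$Disk = 0
)

$PgpWde = Join-Path ${env:ProgramFiles} 'PGP Corporation\PGP Desktop\pgpwde.exe'  # assumed path
$Log    = Join-Path $env:windir 'Temp\pgpwde-patch.log'                            # assumed path

function Invoke-PgpWde {
    param([string[]]$Arguments)
    $output = & $PgpWde @Arguments 2>&1 | Out-String
    $rc = $LASTEXITCODE
    # Log the command line with every passphrase argument masked (work on a copy).
    $shown = [string[]]$Arguments.Clone()
    foreach ($flag in '--admin-passphrase', '-p') {
        $i = [array]::IndexOf($shown, $flag)
        if ($i -ge 0 -and $i + 1 -lt $shown.Count) { $shown[$i + 1] = '***' }
    }
    "$(Get-Date -Format s) pgpwde $($shown -join ' ') exit=$rc" | Add-Content -Path $Log
    if ($rc -ne 0) { throw "pgpwde $($shown[0]) failed (exit $rc): $output" }
    return $output
}

if (-not (Test-Path $PgpWde)) {
    Write-Warning "$PgpWde not found; PGP WDE is not installed on this machine, nothing to do."
    exit 0
}
$admin = $env:PGP_WDE_ADMIN_PASSPHRASE   # assumed variable, set by the deployment job
if (-not $admin) { throw 'PGP_WDE_ADMIN_PASSPHRASE is not set' }

switch ($Phase) {
    'PrePatch' {
        # Arm a single bypass: the one reboot the patch job triggers consumes it,
        # and the boot after that goes back to the BootGuard screen.
        Invoke-PgpWde @('--add-bypass', '--disk', "$Disk", '--admin-passphrase', $admin) | Out-Null
    }
    'PostPatch' {
        # If the patch job failed before rebooting, the bypass is still armed and
        # the next power-on skips BootGuard entirely. Remove it explicitly; a
        # non-zero exit here normally just means the reboot already consumed it.
        try   { Invoke-PgpWde @('--remove-bypass', '--disk', "$Disk", '--admin-passphrase', $admin) | Out-Null }
        catch { "$(Get-Date -Format s) remove-bypass: $($_.Exception.Message)" | Add-Content -Path $Log }
        Invoke-PgpWde @('--status', '--disk', "$Disk") | Add-Content -Path $Log
    }
    'AddSupportUser' {
        # Local support account for technicians instead of handing out recovery tokens.
        $user = $env:PGP_WDE_SUPPORT_USER          # assumed variable
        $pass = $env:PGP_WDE_SUPPORT_PASSPHRASE    # assumed variable
        if (-not ($user -and $pass)) { throw 'PGP_WDE_SUPPORT_USER / PGP_WDE_SUPPORT_PASSPHRASE are not set' }
        Invoke-PgpWde @('--add-user', '--disk', "$Disk", '-u', $user, '-p', $pass, '--admin-passphrase', $admin) | Out-Null
    }
}
```

Run it as `.\pgpwde-patch.ps1 -Phase PrePatch` immediately before the patch reboot and `-Phase PostPatch` from the
job's post-reboot step. The PostPatch cleanup is the part worth keeping even if the rest is rewritten: a bypass
that was armed for a reboot that never happened leaves the machine bootable without the BootGuard passphrase until
someone notices, which defeats the point of the encryption.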

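An added example, not from either post, for Jim's point 5: reconciling the physical inventory against a device
export from the Universal server so that machines which never enrolled, enrolled but never encrypted (the user
hitting Cancel at the PGP login), or stalled mid-encryption show up on one list. The column names, status strings
and both sample tables are constructed for this example and will need to be matched to your own exports.

```powershell
<#
Added example, not from the original post: reconcile a physical inventory
against a device export from the Universal server and list every machine that
has not reached "Encrypted". Column names, status strings and the two sample
tables are constructed for this example; adjust them to your own exports.
#>

# Constructed sample: what the asset register says should exist.
$inventory = @'
Hostname,Owner,Location
LAB-101,jdoe,Library
LAB-102,asmith,Library
LAB-103,bjones,Library
FIN-201,cwhite,Finance
'@ | ConvertFrom-Csv

# Constructed sample: what the Universal server has heard from the clients.
$universal = @'
Hostname,DiskStatus,LastContact
lab-101,Encrypted,2009-02-25
LAB-102,Not Encrypted,2009-02-25
LAB-103,Encrypting (37%),2009-02-10
OLD-009,Encrypted,2009-01-30
'@ | ConvertFrom-Csv

function Get-WdeExceptions {
    param(
        $Inventory,
        $Universal,
        [datetime]$AsOf = (Get-Date),
        [int]$StaleDays = 7
    )
    # Index the server export by hostname, case-insensitively.
    $byHost = @{}
    foreach ($row in $Universal) { $byHost[$row.Hostname.ToUpperInvariant()] = $row }

    foreach ($pc in $Inventory) {
        $key = $pc.Hostname.ToUpperInvariant()
        $u = $byHost[$key]
        $byHost.Remove($key)     # whatever is left afterwards is unknown to the inventory
        $reason =
            if (-not $u)                           { 'never enrolled (client missing or install failed)' }
            elseif ($u.DiskStatus -eq 'Encrypted') { $null }
            elseif ($u.DiskStatus -like 'Encrypting*') {
                # Still encrypting but silent for a week: the slow-drive case from point 4.
                if (([datetime]$u.LastContact) -lt $AsOf.AddDays(-$StaleDays)) { 'encryption stalled (check the drive)' }
                else { 'encryption in progress' }
            }
            else { 'enrolled but not encrypted (user cancelling the PGP login?)' }
        if ($reason) {
            [pscustomobject]@{
                Hostname = $pc.Hostname
                Owner    = $pc.Owner
                Status   = $(if ($u) { $u.DiskStatus } else { '-' })
                Reason   = $reason
            }
        }
    }
    # Devices the server knows about that are not on the asset register.
    foreach ($u in $byHost.Values) {
        [pscustomobject]@{ Hostname = $u.Hostname; Owner = '?'; Status = $u.DiskStatus; Reason = 'in Universal but not in inventory' }
    }
}

Get-WdeExceptions -Inventory $inventory -Universal $universal -AsOf '2009-02-26' |
    Sort-Object Reason, Hostname | Format-Table -AutoSize
```

With the sample data above the report lists FIN-201 as never enrolled, LAB-102 as enrolled but not encrypted,
LAB-103 as stalled (last contact sixteen days before the as-of date) and OLD-009 as known to Universal but missing
from the inventory; LAB-101 is the only machine that drops off the list. Feeding it real exports from Universal and
the asset system turns point 5 into a weekly check rather than a one-off audit.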