Educause Security Discussion mailing list archives

Re: PGP WDE


From: "Tonkin, Derek K." <Derek_Tonkin () BAYLOR EDU>
Date: Fri, 27 Feb 2009 08:41:22 -0600

We've been rolling out PGP over the last two years and we are approaching 1000 users on campus.  In our rollout I (or 
our installs group in the case of new computers) have actually personally installed PGP on each of those machines.  
This has a variety of scheduling challenges associated with it but it has the advantage of getting 20-30 minutes of 
one-on-one face time with users which we as the security group would not otherwise be afforded.  During this time I have 
found out about a variety of unrelated issues users are dealing (or not dealing) with and we have found this time to be 
a worthwhile benefit.

Our primary issues have been:

*       Expect to get a call at least every other day asking for a passphrase reset.  This problem will be exacerbated 
if you install on a lot of desktops where users do not shut down regularly.  Typically after MS patches roll out I get 
an increase in calls.  We could alleviate this with some of the new PGP tools for administrative bypass but we'd rather 
force the users to remember their passphrase.

*       I've had one or two users complain that the passphrase requirement is too great and/or that having to remember 
another "password" is a major pain (we opted not to use Single Sign-On).

*       The logging capabilities have been greatly improved in recent releases making it easier to tell which machines 
are encrypted and if machines have had drive fault issues during encryption.

*       We have had a number of drive failures during disk encryption.  We found that having users defragment their 
hard drives prior to encryption reduces failures and/or spots them before installation begins.  PGP now does a better 
job of continuing to encrypt good blocks and skipping over bad blocks rather than hanging the encryption process as it 
had in the past.

One last thing, remember that the PGP bootloader, at least last time I tried, does not support Bluetooth so Bluetooth 
keyboards will not work.

Sorry for the long e-mail; please feel free to contact me with any other questions you might have,

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin () baylor edu        254-710-7061
---------------Sic 'em Bears---------------


_____________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of jeff 
murphy
Sent: Thursday, February 26, 2009 10:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PGP WDE


* PGP Signed by an unverified key: 02/26/09 at 10:52:52

Related to the topic from earlier this week.

I'd like to hear from anyone who has deployed PGP Whole Disk
Encryption and/or NetShare along with Universal Server. We're looking
at a few options, one of which is PGP, and I'm looking for real-world
war stories regarding how your rollout and support went.  We're
looking at WDE for several hundred users, so the trial we did of a few
desktops doesn't really give us enough information to get a feel for
what the product will be like once deployed en masse.

thanks,

jeff

* Jeffrey Murphy <jcmurphy () buffalo edu>
* Issuer: The USERTRUST Network - Unverified


