This article details how to create and use a PGP WDE Administrator Key. The PGP WDE Administrator Key provides access for administrators to user's systems which are PGP Whole Disk Encrypted. This feature is available in versions of PGP Desktop 9.7 and above.
If you need to perform maintenance or other tasks on a user's system, the PGP Whole Disk Encryption administrator key allows an administrator to login without having to request the user's passphrase. Use the PGP Whole Disk Encryption administrator key to log in to a user's system at the PGP WDE BootGuard screen using two-factor authentication (with a smart card or token).
The benefits of using two-factor authentication to access a user's system are:
- Each administrator has a unique token that allows access to systems encrypted with PGP Whole Disk Encryption.
- Because both the smart card or token and a PIN are required to access the system, security is maintained if the smart card or token is lost or stolen.
- If an administrator leaves the company, the PGP Universal Server administrator can change the key in PGP Universal Server for that group, and all clients are updated automatically. Clients are updated at PGP Desktop tray startup and every 24 hours.
|Note: If you have systems that have been encrypted with PGP WDE, you do not need to re-encrypt those disks in order to add the PGP WDE Administrator key. The key will be pushed down to the clients during the next policy update.|
To Create a PGP WDE Administrator Key
- Create a key using PGP Desktop:
- Open up PGP Desktop, then select File - New PGP Key
- Enter a name for the Key, for example "CompanyName PGP WDE Admin Key"
- Do not specify an email address, or at least an email address that is not used by any other user
- Do not specify a preferred keyserver for this key. If you do specify a keyserver on the key, you will need to upload and publish the key to the specified keyserver.
- Specify a password, that you can keep with a backup of the key (in case the Token needs to be created again)
- After finishing, export the key (Right click - Export... - Include Private keys) and keep this file in a safe place
- Configure the key in a PGP Universal Server internal user group policy.
Note: If you want all PGP Whole Disk Encryption installations to be accessible through the same key, upload the same key to all internal user groups. Refer to the WDE section of Configuring PGP Desktop Settings in the PGP Universal Server Administrator Guide for details on adding the key to an internal user group policy.
- In the PGP Universal Server administrative interface, Select Policy > Internal User Policy (in 2.x) or Consumers > Consumer Policy (in 3.x) and click the desired policy to add a PGP WDE Administrator Key.
- Select the WDE / Disk tab and place a check mark in the box next to Encrypt disks to an administrator smart card key.
- Click Import to add the public key for administrator key.
- Copy the private key to a smart card or token using PGP Desktop.
- Plug in the Token/SmartCard to the System (Make sure you see SmartCard Keys under PGP Keys)
- Right click the private key, select Add to - SmartCard keys
- You will be asked for the key password and then the PIN of the SmartCard
- The PIN of the SmartCard will be used in the future for accessing the key on the SmartCard
- The same key can be copied to multiple tokens (in this case, answer No to delete the private key).
- Each token should have its own unique PIN.
To Use a PGP WDE Administrator Key
- Start the system to be accessed.
- At the PGP BootGuard screen, insert the smart card or token containing the PGP WDE Administrator's Key and type in the PIN.
- Press Enter or CTRL+ENTER. The PGP BootGuard login is authenticated and the system begins to load Windows.
- At the Windows login dialog box, type your Windows administrator user name and password to access the system.