This article details how to install and use the RSA SID800 Token with Symantec Encryption Desktop. The RSA SID800 Token is supported only for credential (key) storage; its SecurID one-time-password function is not supported.
You can use a token with Symantec Drive Encryption for an extra layer of security. Symantec Encryption Desktop can be utilized to create a PGP keypair on a smart card or token, or to copy a PGP keypair to a smart card or token. Both options give you an extra layer of security in that you can keep your PGP keypair with you, on your smart card or token, instead of leaving it on your system.
Some RSA Smart Card installations may require you to install an update to the Microsoft Base Smart Card Cryptographic Service Provider before installing the software for your RSA Smart Card. For more information on installing this software, see the following article on the Microsoft Support site.
Generate a PGP Key on an RSA SID800 Token
- Download and install the RSA SID800 Token software (RSA Authentication Client.msi).
- After installing the software, you must reboot for the system to update the new settings.
- Following the reboot of the system, insert the RSA SID800 Token and change the PIN for the token using the RSA Token Program.
The default PIN for the token is PIN_CODE (with the underscore).
Symantec Encryption Desktop optional setting:
Before adding keys to the token, update the smart card synchronization setting. To do this, open the PGP Options by clicking the Symantec Encryption Desktop Tray icon, and then select the Keys tab. Place a checkmark next to the option Synchronize keyring with tokens and smart cards, and change the drop-down menu from Automatically to from RSA.
- Open Symantec Encryption Desktop.
- Click File>New>PGP Key.
- Confirm that Generate Key on Token is checked and click Next.
- Enter a Name and Email address for the key and then click Next.
- When prompted, enter the security code (PIN) for your RSA Token. The PGP Key Generation Assistant displays the Key Generation Process.
- Click Next.
- Click the Skip button to bypass the Global Directory Assistant or click Next.
- Click Next to complete the Key Generation Assistant.
Encrypt Using a Key on an RSA SID800 Token
- Open Symantec Encryption Desktop.
- Select PGP Disk from the Control Box and then click Encrypt Disk or Partition.
- Select the desired disk/partition.
- In the User Access section, click the Add User Key... button.
- Highlight the key you created in the Key source list and click the Add button. The key is then displayed in the Keys to add list.
- Click OK to continue.
- Select the key from the User Access list and then click the Encryption button.
- Click Yes to confirm the disk encryption process.
- Symantec Encryption Desktop displays the encryption progress of the disk. The Symantec Encryption Desktop Tray icon also indicates that the disk is being encrypted, with a spinning black and yellow wheel.
After encryption is complete, the token can be used for pre-boot authentication. You can plug in the token before turning on the system or when the PGP BootGuard screen displays. At the PGP BootGuard authentication screen, enter the token's PIN and press CTRL + ENTER. This verifies the token and proceeds to boot the system into Windows.
- When using a token for pre-boot authentication, the Single Sign-On feature is not available and therefore the Windows password is required to complete the boot process.
- You cannot add an existing user key to the token of a system that is already encrypted; a key added that way will not authenticate properly at PGP BootGuard. If you want to add another key, you must decrypt the disk first and then create the key on the token.
Warning: Using a keypair on a token to authenticate to a disk or partition encrypted using Symantec Drive Encryption increases your security, but if you lose the token you can no longer authenticate to the PGP BootGuard login screen, and all the data on the disk or partition is lost.
For this reason, consider adding other users (passphrase, token, or both) to a disk or partition encrypted using Symantec Drive Encryption. If your token is lost or stolen, those additional users can authenticate and unlock the disk or partition for you.
Once booted, stop (safely eject) the device and remove the token. If you later want to remove keys in Encryption Desktop, plug the token back in, open Encryption Desktop, and choose the smart card keys.