Using Smartcards, PIV Cards, CACs with Symantec Encryption Desktop PGP Desktop

Article ID: 156452


Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Symantec Encryption Desktop (PGP Desktop) can encrypt to PGP keys stored locally, as well as to keys on smartcards, tokens, and PIV cards.

Personal Identity Verification (PIV) cards are commonly used by many government agencies and hold a lot of information specific to the individual user, such as Digital Certificates, PIV Authentication Certificate, Biometric Information, etc.

A PIV Authentication Certificate is a mandatory certificate that is used for Windows authentication.

Key Management, Signature, and Card Authentication certificates are optional certificates.

The Key Management certificate has key encipherment usage, which was required for encryption operations in previous versions of PGP Desktop.

Disks can be encrypted if the card contains only a PIV Authentication Certificate. However, other operations, such as PGP NetShare file encryption, cannot be performed without key encipherment usage.

 

This article will cover many scenarios that will offer basic troubleshooting and provide some ideas to get the PIV cards (or tokens/smartcards) to work with PGP Desktop.

For information on Enrollment using Certificates and Tokens/Smartcards and PIV cards, see the following article:

181070 - Enrollment with Certificate and Smartcards, PIV Cards, CACs with Symantec Encryption Desktop (PGP Desktop)

Resolution

Troubleshooting issues with PGP Desktop and PIV cards
 
Key Creation
Scenario 1: Failed to create a PGP key on a smartcard.
 
Solution: A PIV card is a read-only card, and generating a new PGP key on it is not possible. On a PIV card, only a bundle key or wrapper key can be created, using X.509 certificates. By default, the option to generate a key on a token is greyed out for PIV cards if PGP Desktop recognizes the card as a read-only card.
Also, make sure that the PGP Desktop client is pointing to the proper token/smartcard vendor or driver. To do this, click the PGP padlock icon in the Windows taskbar at the lower right corner, then click Options, then the "Keys" tab:
Under "Synchronize keyring with tokens and smartcards", click the drop down:
 
 
If you do not see your vendor from this list, choose "Other..." and then you can browse to your own smartcard software driver.
Note: Typically any token driver will work as long as it contains the proper PKCS7 libraries.  Work with your token vendor to ensure this is something that their software includes.
 
In this example, a folder named PIV may contain this driver; browse to this folder and see if this will work:
 
If the driver is not valid, you will likely see an error similar to the following:
 
 
Scenario 2: When a PIV card is plugged in, PGP Desktop prompts for PIN authentication. After the PIN is entered, bundle key creation fails.
Solution
Make sure the PGP Server policy is set to import X.509 certificates as PGP bundle keys.
 

 

 

Scenario 3: The PIV card is not detected by PGP Desktop.

Solution
1. Ensure that the PIV smartcard drivers are properly installed.
2. Verify that the PIV card is detected by the smartcard middleware.
3. If the PIV card is still not detected by a built-in smartcard reader, try to access the card with an external smartcard reader. Verify whether PGP Desktop is able to detect the PIV card with the external reader.
 
PGP Whole Disk Encryption
Scenario 4: Disk failed to encrypt from PGP Desktop.
Solution
· Make sure the PIV card is supported for PGP Whole Disk Encryption.
· From the PGP WDE command line, add the smartcard key, as follows:
  Pgpwde --add-user --disk 0 --token --keyid <smartcard keyid> --a <admin passphrase>
  If the smartcard is not supported for PGP Whole Disk Encryption, the result will be "Token not supported".
· Ensure that the key properties for the smartcard key have the PGP Whole Disk Encryption flag enabled.
· Verify that PGP Desktop is licensed for PGP Whole Disk Encryption.
 
Additionally, encryption of the entire disk requires the token or smartcard to be certified.  Before you add a token/smartcard/PIV card for Drive Encryption, try on a test machine to ensure it works.
 
Scenario 5: Auto-encryption with a PIV card fails after enrollment.
Solution
· Make sure that the PIV card is supported for PGP Whole Disk Encryption.
· On PGP Server, be sure to select the option to auto encrypt with a supported smartcard.

 

 

Additionally, see Scenario 4 as the token needs to be compatible with Drive Encryption in order for this to work.

Scenario 6: PGP BootGuard authentication fails with a supported PIV card.

Solution
· If you are using a built-in smartcard reader, switch to an external card reader and try again.
· If you are using an external card reader, use a different USB port. USB 3.0 is not supported for preboot with PGP Desktop.


Scenario 7: Single Sign-on (SSO) fails with a PIV card.
Solution
1. Verify if the PIV card can be used to authenticate to Windows.
2. If the PIV card can be used to log in to Windows, then do one of the following:
   1. Use certificate enrollment. On PGP Universal Server, set policy to automatically encrypt using supported smartcards.
   2. Use the PGP WDE command line. Add the PIV card user as an SSO user as follows:
      Pgpwde --add-user --disk 0 --token --keyid <keyid of smartcard key> --sso --a <admin passphrase>
 



PGP NetShare
Scenario 8:  File/folder encryption fails with a PIV smartcard bundle key.
Solution
Verify the following:
· The PIV card contains the Key Management Certificate, which has encipherment key usage.
· Subkeys are created in the key properties of the smartcard key in PGP Desktop.
· Subkeys have encryption keys.
· Key usage in the smartcard key properties has the PGP Netshare flag enabled on the key itself.
· PGP Desktop is licensed for PGP File Share Encryption, which is a separate SKU that is purchased separately.
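
The key usage check from Scenario 8, as an added PowerShell example (not part of the original article and not Symantec tooling): it lists the certificates in the current user's Personal store and reports whether each one carries key encipherment usage. It assumes Windows has already propagated the card's certificates to Cert:\CurrentUser\My; the function name Get-CertKeyUsageReport is hypothetical.

```powershell
# Added example: report X.509 Key Usage for certificates visible to the user.
# Assumption: the PIV card is inserted and Windows has copied its certificates
# into Cert:\CurrentUser\My (the default smartcard certificate propagation).

function Get-CertKeyUsageReport {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Key Usage is extension OID 2.5.29.15; a certificate may lack it.
        $kuExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.15' } |
            Select-Object -First 1

        $flags = if ($kuExt) { $kuExt.KeyUsages } else { $KU::None }

        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            KeyUsages        = $flags
            # Needed for operations such as PGP NetShare file encryption.
            KeyEncipherment  = $flags.HasFlag($KU::KeyEncipherment)
            # Typical of authentication and signature certificates.
            DigitalSignature = $flags.HasFlag($KU::DigitalSignature)
        }
    }
}

$report = @(Get-CertKeyUsageReport)
$report | Format-Table Subject, NotAfter, KeyUsages, KeyEncipherment -AutoSize

if ($report.Count -eq 0) {
    Write-Warning 'No certificates found in the store; check that the card is detected.'
}
elseif (-not ($report | Where-Object { $_.KeyEncipherment })) {
    # Matches the case described above: no certificate with key encipherment usage.
    Write-Warning 'No certificate has key encipherment usage; file/folder encryption with the bundle key is expected to fail.'
}
```

The Personal store can also hold certificates that are not from the card, so match the Subject and Thumbprint against the card's certificates before drawing a conclusion.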
 
Certificate Enrollment
Please refer to the following KB article:

 



Additional Information

181070 - Enrollment with Certificate and Smartcards, PIV Cards, CACs with Symantec Encryption Desktop (PGP Desktop)