PGP Desktop Storage
Flexible storage encryption for distributed professionals
Overview
Mobile computers and file servers have quickly emerged as industry-standard tools for enabling user productivity and collaboration. Unfortunately, unprotected mobile devices and data pose a critical risk to an enterprise's most sensitive data. Exposure of this data can result in financial loss, legal ramifications, and brand damage.

PGP® Desktop Storage provides flexible, multilayered encryption using PGP® Whole Disk Encryption to protect confidential files stored on local desktop or laptop systems and using PGP® NetShare to securely share files with selected colleagues. This approach ensures that only authorized users can access sensitive data, fulfilling partner and regulatory requirements for information partitioning and security.
- Easy, automatic operation: Protects files and disks without changing the user experience.
- Enforced security policies: Automatically enforce data protection with centrally managed policies.
- Accelerated deployment: Achieves disk and network encryption using the existing infrastructure.
- Reduced operation costs: Result from centrally automating encryption policies.
As a PGP® Encryption Platform-enabled application, PGP Desktop Storage can be used with PGP Universal™ Server to manage existing policies, users, keys, and configurations, expediting deployment and policy enforcement. PGP Desktop Storage can also be used in combination with other PGP® encryption applications to provide multiple layers of security.
Technical Specifications
Supported Operating Systems
Windows®
- Windows 7 (all 32- and 64-bit editions)
- Windows Vista (all 32- and 64-bit editions, including Service Pack 1 and 2)
- Microsoft Windows XP Tablet PC Edition 2005 (requires attached keyboard)
- Windows XP Home Edition (Service Pack 2 or 3)
- Windows XP Professional 64-bit (Service Pack 2)
- Windows XP Professional 32-bit (Service Pack 2 or 3)
- Microsoft Windows 2000 (Service Pack 4)
Note: The above operating systems are supported only when all of the latest hot fixes and security patches from Microsoft have been applied.
Windows® Server
- Windows Server 2008 SP 1 and 2 (32- and 64-bit editions)
- Windows Server 2008 R2 (32- and 64-bit editions)
- Windows Server 2003 (Service Pack 1 and 2)
- Windows Server 2003 SP 2 (32- and 64-bit editions)
Localization
- English
- German
- Japanese
- French (France)
- Spanish (Latin America)
Authentication Options
- OpenPGP RFC 4880 keys
- X.509 keys
Messaging Security Standards
- PGP/MIME RFC 3156
- OpenPGP RFC 4880
- S/MIME v3 RFC 2633
- X.509 v3
Symmetric Key Algorithms
- AES (up to 256-bit keys)
- CAST
- TripleDES
- IDEA
- Twofish
Symmetric Key Algorithms: PGP® Whole Disk Encryption
- AES 256-bit keys
- AES 128-bit keys (enabled on PGP Universal Server)
Symmetric Key Algorithms: PGP® NetShare
- AES 256-bit keys in EME mode
Hashes
- SHA-2 (up to 512-bit hashes)
- SHA-1
- MD5
- RIPEMD-160
Public Key Algorithms
- Diffie-Hellman
- DSA (1024-bit keys only)
- RSA (up to 4096-bit keys)
Centralized Management Requirements
PGP Whole Disk Encryption is centrally managed by PGP Universal Server, which requires a dedicated hardware server. For supported hardware and other information, please refer to the PGP Universal™ Server technical specifications.
Two-Factor Authentication (Windows Only)
Compatible Smart Card Readers for PGP WDE Authentication
The following smart card readers are compatible when communicating with a smart card at pre-boot time. These readers can be used with any compatible removable smart card (it is not necessary to use the same brand of smart card and reader).
Generic smart card readers
Most CCID smart card readers are compatible. The following readers have been tested by PGP Corporation:
- OMNIKEY CardMan 3121 USB for desktop systems (076b:3021)
- OMNIKEY CardMan 6121 USB for mobile systems (076b:6622)
- ActiveIdentity USB 2.0 reader (09c3:0008)
- SCM Microsystem Smart Card Reader model SCR3311
CyberJack smart card readers
- Reiner SCT CyberJack pinpad (0c4b:0100)
ASE smart card readers
- Athena ASEDrive IIIe USB reader (0dc3:0802)
Embedded smart card readers
- Dell D430 embedded reader
- Dell D630 embedded reader
- Dell D830 embedded reader
Compatible Smart Cards or Tokens for PGP WDE Authentication (Windows Only)
PGP Whole Disk Encryption is compatible with the following smart cards for pre-boot authentication:
- ActiveIdentity ActivClientCAC cards, 2005 model
- Aladdin eToken PRO 64K, 2048 bit RSA capable
- Aladdin eToken PRO USB Key 32K, 2048 bit RSA capable
- Aladdin eToken PRO without 2048 bit capability (older smart cards)
- Aladdin eToken PRO Java 72K
- Aladdin eToken NG-OTP 32K
Note: Other Aladdin eTokens, such as tokens with flash, should work provided they are APDU compatible with the compatible tokens. OEM versions of Aladdin eTokens, such as those issued by VeriSign, should work provided they are APDU compatible with the compatible tokens.
- Athena ASEKey Crypto USB Token
- Athena ASECard Crypto Smart Card
Note: The Athena tokens are compatible only for credential storage.
- Axalto Cyberflex Access 32K V2
- Charismathics CryptoIdentity plug 'n' crypt Smart Card only stick
- EMC RSA SecurID SID800 Token (v1 and 2)
Note: This token is compatible only for key storage. SecurID is not compatible.
- EMC RSA Smart Card 5200
- Marx CrypToken USB token
- Rainbow iKey 3000
- S-Trust StarCOS smart card
Note: S-Trust SECCOS cards are not compatible.
- SafeNet iKey 2032 USB token
- T-Systems Telesec NetKey 3.0 smart card
- T-Systems TCOS 3.0 IEI smart card
- Personal Identity Verification (PIV) cards
- Oberthur ID-One Cosmo V5.2D PIV cards using ActivClient version 6.1 client software.
- Giesecke and Devrient Sm@rtCafe Expert 3.2 PIV cards using ActivClient version 6.1 client software.
PGP Whole Disk Encryption for Windows operating systems also recognizes and works with smart cards from other vendors if the vendor includes a standards-based PKCS #11 library in its software drivers.
FAQ
For additional FAQ related to PGP Desktop Storage package functionality, see:
For network file encryption: PGP® NetShare FAQ
For full disk encryption: PGP® Whole Disk Encryption FAQ
General
What is PGP Desktop Storage and why is it important?
PGP Desktop Storage combines the network storage encryption of PGP NetShare with the transparent full disk encryption of PGP Whole Disk Encryption, securing the entire contents of a disk, including system and temporary files. PGP Desktop Storage provides secure, shared file encryption without requiring changes to end-user applications, processes, and workflow or to an organization's storage infrastructure. IT backup and archiving applications remain as is. PGP Desktop Storage enables complete role separation between those authorized to create, change, and view content and systems administration personnel. PGP Desktop Storage whole disk encryption capability provides worry-free protection against unauthorized access of private and confidential data.
What business problem does PGP Desktop Storage solve?
Network file servers can contain the most sensitive customer, patient, financial, or intellectual property data. Likewise, data stored on systems or removable media can be easily exposed due to system loss or theft. PGP Desktop Storage allows organizations to meet audit and compliance requirements while securing sensitive data stored on file servers, desktop and laptop systems, and removable media.
What are the key benefits of PGP Desktop Storage?
PGP Desktop Storage provides the following benefits:
- Enforces data security policies: Used in combination with PGP Universal™ Server, PGP Desktop Storage automatically secures protected directories based on policy while locking down the entire contents of a system drive.
- Reduces operational costs, accelerates deployment: By operating in the background, PGP Desktop Storage can be quickly deployed without the need for special user training or increased help desk calls. As a PGP Encryption Platform–enabled application, PGP Desktop Storage can share policies across groups and quickly tailor them, allowing administrators to deploy PGP Desktop Storage and focus on other projects.
How does PGP Desktop Storage work?
Using PGP NetShare technology, PGP Desktop Storage operates as a Windows file filter, enabling transparent encryption and decryption of files, including those stored over the network. PGP NetShare uses public key cryptography to protect folders and files, allowing access only to specific authorized users. The PGP Whole Disk Encryption engine operates at a system level between the operating system and the disk drive, providing user-transparent, sector-by-sector disk encryption and decryption. A successful pre-boot authentication unlocks the decryption key, enabling users to work without any additional changes to their experience. When centrally managed, PGP Desktop Storage key management, policy, and software updates are managed by PGP Universal Server.
What is the end-user experience?
For end users, PGP Desktop Storage operates in the background, securing protected directories (local or networked) and the entire contents of disk drives. If allowed by policy (or if not managed by PGP Universal Server), changes to encryption policies and configuration can be made through the PGP Desktop Storage application interface. When encryption operations are performed, the PGP Desktop Storage notifier window alerts users that an encryption operation is in progress and shows its status.
Is the source code available for download?
Yes. To validate the integrity of its products, PGP Corporation releases all product source code, including PGP Desktop Storage, for peer review. For more information, see PGP® Source Code.
How does PGP Desktop Storage fit into the PGP Encryption Platform architecture?
PGP Desktop Storage is a PGP Encryption Platform–enabled application managed by PGP Universal Server. PGP Desktop Storage account management, key management, and policy and software update distribution are automated for all PGP Encryption Platform–enabled applications.
Success Story
Sony Computer Entertainment Europe, a leading video game console and game distributor in Europe, uses PGP Whole Disk Encryption to secure confidential financial and customer data that employees carry on mobile devices such as laptops.