PGP PRODUCTS
PGP Whole Disk Encryption
High-performance full disk encryption for desktops, laptops, and USB devices
Overview
Protecting sensitive data, personally identifiable information (PII) and personal health information (PHI) on laptops, desktops and removable devices from theft or loss is critical for enterprises and the public sector. Exposure of sensitive data can result in financial loss, legal penalties and fines, loss in reputation, brand damage, loss in intellectual property and loss in customer trust. PGP Whole Disk Encryption provides organizations with comprehensive, platform-independent, and high-performance full disk encryption for all data (user files, swap files, system files, hidden files, etc.) on desktops, laptops, and removable media. The encrypted data is protected from unauthorized access, providing strong security for intellectual property, customer data, partner data and brand.

Key Features
- Rapid deployment–Automated deployments, platform independent, includes USB encryption.
- Centralized management–Automatic, centralized policy enforcement with single web-based management console for all clients.
- Easy passphrase and machine recovery–Local self-recovery, one-time-use token and other recovery options.
- Built PGP® strong–High performance, optimized, and strong encryption, built with PGP® Hybrid Cryptographic Optimizer (HCO) technology. FIPS 140-2 validated, CAPS-approved, DIPCOG-approved, CC EAL 4+ pending.
- User-friendly–Background encryption with throttle capabilities. Fewer passwords to remember with support for Windows® Single sign-on.
Choose the PGP Whole Disk Encryption solution that fits your business needs.
Technical Specifications
Supported Operating Systems
Windows®
- Windows 7 (all 32- and 64-bit editions)
- Windows Vista (all 32- and 64-bit editions, including Service Pack 1 and 2)
- Microsoft Windows XP Tablet PC Edition 2005 (requires attached keyboard)
- Windows XP Home Edition (Service Pack 2 or 3)
- Windows XP Professional 64-bit (Service Pack 2)
- Windows XP Professional 32-bit (Service Pack 2 or 3)
- Microsoft Windows 2000 (Service Pack 4)
Note: The above operating systems are supported only when all of the latest hot fixes and security patches from Microsoft have been applied.
Windows® Server
- Windows Server 2008 SP 1 and 2 (32- and 64-bit editions)
- Windows Server 2008 R2 (32- and 64-bit editions)
- Windows Server 2003 (Service Pack 1 and 2)
- Windows Server 2003 SP 2 (32- and 64-bit editions)
PGP WDE supports internal system RAID-1 and RAID-5
Mac OS® X
- Apple Mac OS X 10.5.x or 10.6.x (Intel-based Macs only)
Linux®
- Ubuntu 8.04 and 9.04 (32-bit versions) and Red Hat Enterprise Linux/CentOS 5.2 and 5.3 (32-bit versions), Ubuntu 8.04 and 9.04 (64-bit versions), Red Hat Enterprise Linux 5.2 and 5.3 (64-bit versions)**
** PGP Whole Disk Encryption for Linux is command line only
Supported Keyboard Languages
PGP Whole Disk Encryption for Windows and Linux
- English (United States, United Kingdom, US-International)
- Belgian (Belgium; Comma), Belgian (Belgium; Period)
- Bosnian (Bosnia), Bosnian (Bosnia; Cyrillic)
- Bulgarian (Bulgaria), Bulgarian (Bulgaria; Latin), Bulgarian (Bulgaria; Typewriter)
- Canadian Multilingual Standard (Canada)
- Chinese Simplified (China, Singapore), Chinese Traditional (Hong Kong, Taiwan)
- Croatian (Croatia)
- Czech (Czechoslovakia; QWERTY)
- Danish (Denmark)
- Dutch (The Netherlands)
- Estonian (Estonia)
- Finnish (Finland)
- French (Belgium), French (Canada), French (France), French (Switzerland)
- German (Germany/Austria), German (IBM), German (Switzerland)
- Hebrew (Israel)
- Hungarian (Hungary), Hungarian (Hungary; 101 keys)
- Icelandic (Iceland)
- Irish (Ireland)
- Italian (Italy), Italian (Italy; 142 keys)
- Japanese (Japan)
- Korean (Korea)
- Norwegian (Norway)
- Polish (Poland; Programmers), Polish (Poland; 214 keyboard)
- Portuguese (Brazil; ABNT keyboards), Portuguese (Brazil; ABNT2 keyboards)
- Portuguese (Portugal)
- Romanian (Romania)
- Russian (Russia; Cyrillic)
- Serbian (Serbia and Montenegro; Cyrillic), Serbian (Serbia and Montenegro; Latin)
- Slovak (Slovakia)
- Slovenian (Slovenia)
- Spanish (Spain), Spanish (Latin America), Spanish Variation
- Swedish (Sweden)
- Turkish (Turkey; F), Turkish (Turkey; Q)
- Ukrainian (Ukraine)
PGP Whole Disk Encryption for Mac OS X
- English (US-International)
- Japanese (Japan)
- German (Germany)
- French (France)
- Spanish (Latin America), Spanish (Spain; ISO)
Supported Disks
- Desktop or laptop disks (partitions in the case of Windows, or the entire disk for Windows and Mac OS X)
- External disks, excluding music devices and digital cameras
- USB flash disks
- Solid-state drives
- Dynamic disks
- Diskettes and CD-RW/DVD-RWs
Authentication Options
- OpenPGP RFC 4880 keys
- X.509 keys
Symmetric Key Algorithms-PGP® Whole Disk Encryption
- AES 256-bit keys
- AES 128-bit keys (enabled on PGP Universal Server)
Centralized Management Requirements
PGP Whole Disk Encryption is centrally managed by PGP Universal Server which requires a dedicated hardware server. For supported hardware and other information, please refer to the PGP Universal™ Server technical specifications.
Two-Factor Authentication (Windows Only)
Compatible Smart Card Readers for PGP WDE Authentication
The following smart card readers are compatible when communicating to a smart card at pre-boot time. These readers can be used with any compatible removable smart card (it is not necessary to use the same brand of smart card and reader).
Generic smart card readers
Most CCID smart card readers are compatible. The following readers have been tested by PGP Corporation:
- OMNIKEY CardMan 3121 USB for desktop systems (076b:3021)
- OMNIKEY CardMan 6121 USB for mobile systems (076b:6622)
- ActiveIdentity USB 2.0 reader (09c3:0008)
- SCM Microsystem Smart Card Reader model SCR3311
CyberJack smart card readers
- Reiner SCT CyberJack pinpad (0c4b:0100)
ASE smart card readers
- Athena ASEDrive IIIe USB reader (0dc3:0802)
Embedded smart card readers
- Dell D430 embedded reader
- Dell D630 embedded reader
- Dell D830 embedded reader
Compatible Smart Cards or Tokens for PGP WDE Authentication (Windows Only)
PGP Whole Disk Encryption is compatible with the following smart cards for pre-boot authentication:
- ActiveIdentity ActivClientCAC cards, 2005 model
- Aladdin eToken PRO 64K, 2048 bit RSA capable
- Aladdin eToken PRO USB Key 32K, 2048 bit RSA capable
- Aladdin eToken PRO without 2048 bit capability (older smart cards)
- Aladdin eToken PRO Java 72K
- Aladdin eToken NG-OTP 32K
Note: Other Aladdin eTokens, such as tokens with flash, should work provided they are APDU compatible with the compatible tokens. OEM versions of Aladdin eTokens, such as those issued by VeriSign, should work provided they are APDU compatible with the compatible tokens.
- Athena ASEKey Crypto USB Token
- Athena ASECard Crypto Smart Card
Note: The Athena tokens are compatible only for credential storage.
- Axalto Cyberflex Access 32K V2
- Charismathics CryptoIdentity plug 'n' crypt Smart Card only stick
- EMC RSA SecurID SID800 Token (v1 and 2)
Note: This token is compatible only for key storage. SecurID is not compatible.
- EMC RSA Smart Card 5200
- Marx CrypToken USB token
- Rainbow iKey 3000
- S-Trust StarCOS smart card
Note: S-Trust SECCOS cards are not compatible.
- SafeNet iKey 2032 USB token
- T-Systems Telesec NetKey 3.0 smart card
- T-Systems TCOS 3.0 IEI smart card
- Personal Identity Verification (PIV) cards
- Oberthur ID-One Cosmo V5.2D PIV cards using ActivClient version 6.1 client software.
- Giesecke and Devrient Sm@rtCafe Expert 3.2 PIV cards using ActivClient version 6.1 client software.
PGP Whole Disk Encryption for Windows Operating Systems also recognizes and works with smart cards from other vendors if the vendor includes a standards-based PKCS-11 library in its software drivers.
FAQ
General
What is PGP Whole Disk Encryption and why is it important?
PGP Whole Disk Encryption is a solution for protecting all data on an entire desktop, laptop, or removable disk drive. PGP Whole Disk Encryption transparently secures disk contents, including system and temporary files, automatically safeguarding sensitive data from unauthorized access. PGP Whole Disk Encryption provides worry-free protection against unauthorized access of private and confidential data.
What business problem does PGP Whole Disk Encryption solve?
PGP Whole Disk Encryption enables individuals and organizations to secure sensitive data stored on systems or removable media, thereby meeting federal security mandates, partner requirements, and industry best practices for data protection.
How does PGP Whole Disk Encryption work?
The PGP Whole Disk Encryption engine operates at a system level between the operating system and the disk drive, providing user-transparent, sector-by-sector disk encryption and decryption. A successful pre-boot authentication unlocks the decryption key, enabling users to work without any other changes to their experience.
What is the end-user experience?
The only change in the end-user experience with PGP Whole Disk Encryption is the addition of a pre-boot authentication screen. The pre-boot authentication screen protects the system from being accessed by unauthorized users by disabling their ability to attack operating system–level authentication mechanisms. Once the end user provides valid authentication, encryption and decryption of the disk are transparent to both the user and the operating system. The pre-boot authentication passphrase can be synchronized with the Windows logon, enabling Windows users to be automatically logged into their system without requiring additional passphrases or user actions.
Features
Does PGP Whole Disk Encryption provide automatic and transparent data encryption to the end user?
Yes. PGP Whole Disk Encryption automatically encrypts the entire contents of the hard disk in the background and is transparent to the end user.
Does PGP Whole Disk Encryption provide complete disk and removable media encryption?
Yes. PGP Whole Disk Encryption provides complete disk and removable media encryption.
Does PGP Whole Disk Encryption provide encryption of individual partitions?
Yes. PGP Whole Disk Encryption for Windows provides encryption for individual partitions on fixed or removable drives. This feature enables users to encrypt the entire contents of a disk or encrypt only selected partitions. PGP Whole Disk Encryption for Mac OS X does not support encryption of individual partitions at this time. PGP Virtual Disk can be used to create encrypted virtual volumes, providing an additional layer of security for powered-on systems.
Can PGP Whole Disk Encryption and PGP Virtual Disk encryption be used at the same time?
Yes. PGP Virtual Disk can be used with PGP Whole Disk Encryption when encrypted files/folders are needed to protect data. For example, PGP Virtual Disk can be used to secure confidential data on multi-user shared systems protected with PGP Whole Disk Encryption, allowing individuals to ensure the privacy of their work on shared systems.
What performance impact should be expected when PGP Whole Disk Encryption is in use?
Once the hard drive is encrypted, the performance impact of PGP Whole Disk Encryption is negligible. Some users may notice a performance impact during the initial encryption process; however, this is a one-time-only event during which all current-generation PCs will perform normally, although disk-intensive computing processes may take slightly longer. The initial encryption process can be suspended at any time to complete time-sensitive or disk-intensive tasks.
Does PGP Whole Disk Encryption allow encrypted data to be recovered if the key or passphrase is lost?
Yes. In a managed deployment, PGP Whole Disk Encryption allows users to regain access to their systems in the event that the key stored on a USB token (such as the Aladdin eToken Pro USB token) or the passphrase used for authentication is lost or forgotten. In such cases, PGP Whole Disk Encryption administrators issue a one-time-use recovery passphrase that allows users to regain access. Once the recovery passphrase is used, it is no longer valid and a new recovery passphrase is created for future use.
Does PGP Whole Disk Encryption enable users to have separate accounts, regardless of the number of users?
Yes. PGP Whole Disk Encryption for Windows provides the capability to have multiple user accounts on a single system.
Does PGP Whole Disk Encryption require authentication for access to all encrypted data?
Yes. PGP Whole Disk Encryption requires authentication via either a passphrase or USB token prior to granting access to the encrypted disks.
Does PGP Whole Disk Encryption prevent unauthorized access to encrypted data?
Yes. Only users with the proper hardware token and/or passphrase can access encrypted data.
Technical
What operating systems are supported?
PGP Whole Disk Encryption supports Windows, Mac OS X, and Linux operating systems. For a detailed list of technical specifications please visit the Tech Specs page.
Does PGP Whole Disk Encryption store keys and passphrases in an encrypted format?
Yes. PGP Whole Disk Encryption stores all keys and passwords in an encrypted format.
Does PGP Whole Disk Encryption provide pre-boot authentication?
Yes. A PGP Whole Disk Encryption user will be prompted to enter either a passphrase or hardware token to unlock the encrypted disk.
Does PGP Whole Disk Encryption support screen saver functionality?
Yes. PGP Whole Disk Encryption is fully compatible with screen savers.
Does PGP Whole Disk Encryption support standby and hibernation modes?
Yes. At any time, even during initial hard drive encryption, a user may shut down the system or place it into standby or hibernation mode. When the system is shut down or placed in hibernation mode, a user must re-authenticate to PGP Whole Disk Encryption to access the system. If an initial drive encryption was in progress, it will be immediately resumed following successful authentication.
Does PGP Whole Disk Encryption provide the ability to use USB tokens for logon?
Yes. PGP Whole Disk Encryption for Windows Operating Systems provides the ability to use hardware-based tokens such as the Aladdin eToken Pro USB token.
Does PGP Whole Disk Encryption provide the ability to use smart cards for logon?
Yes. PGP Whole Disk Encryption for Windows supports smart cards and smart card readers for communicating to a smart card at pre-boot time. These readers can be used with any supported removable smart card (it is not necessary to use the same brand of smart card and reader). For a detailed list of supported smart cards and smart card readers, please refer to the Technical Specifications. PGP Whole Disk Encryption for Mac OS X does not support smart cards at this time.
Does PGP Whole Disk Encryption support certificates for pre-boot authentication?
Yes. PGP Whole Disk Encryption for Windows supports certificate-based pre-boot authentication as long as the certificate used is on a supported smart card or USB token. Any key or certificate can be used for non-boot volumes or flash drives. When not used for boot-level security, a token is not required to use a key or certificate.
Is PGP Whole Disk Encryption for Mac OS X available for Mac OS X Server?
PGP Whole Disk Encryption is not available for Mac OS X Server.
Interoperability
Does PGP Whole Disk Encryption interfere with other systems or application software?
No. Both PGP Whole Disk Encryption and PGP Virtual Disk encryption operate transparently and do not interfere with the operating system or other application software.
Is PGP Whole Disk Encryption compatible with dual-boot environments?
Yes. PGP Whole Disk Encryption provides partition-level encryption, making it compatible with dual-boot environments with multi-partition disks that use different operating systems on each partition.
Does PGP Whole Disk Encryption work in conjunction with single sign-on solutions?
Yes. PGP Whole Disk Encryption for Windows can automatically synchronize with existing Windows account passwords, providing the user with a single sign-on solution for logging into Windows. PGP Whole Disk Encryption for Mac OS X does not currently provide integration with Mac OS X login.
Does PGP Whole Disk Encryption support the Advanced Encryption Standard (AES) algorithm?
Yes. PGP Whole Disk Encryption supports AES 128-bit (requires configuration on PGP Universal Server) and 256-bit.
Does PGP Whole Disk Encryption integrate with LDAP directories?
Yes. PGP Whole Disk Encryption for Windows is compatible with Microsoft Active Directory 2000 and Microsoft Active Directory 2003.
Does PGP Whole Disk Encryption work with systems management tools?
Yes. PGP Whole Disk Encryption is compatible with system management tools such as Microsoft SMS that support Microsoft MSI installers.
How does PGP Whole Disk Encryption for Apple Mac OS X support or work with my iPod or iPhone?
PGP Whole Disk Encryption is designed to secure data on Mac OS X desktop and laptop computers in addition to attached disk drives. While other Apple devices such as the iPhone are based on variants of Apple Mac OS X, there are numerous differences between platforms and desktop/laptop systems. Users can continue to use their iPhone or iPod on Mac OS X or Windows systems secured with PGP Whole Disk Encryption.
Can I use a PGP Whole Disk encrypted USB device across both Windows and Mac OS X systems?
Yes. Removable drives encrypted with PGP Whole Disk Encryption are interoperable between Windows and Mac OS X platforms.
So for example, an individual can encrypt a removable drive using a passphrase or a public key on Mac OS X, and when this drive is inserted on a Windows system, the user would authenticate via a configured passphrase or key.
Management
How is PGP Whole Disk Encryption managed?
PGP Whole Disk Encryption is managed using PGP Universal Server. Once PGP Whole Disk Encryption is deployed, defined security policies are automatically enforced. User group management can be further automated by integrating PGP Whole Disk Encryption with Microsoft Active Directory. Please refer to the PGP Universal Server documentation for more information.
Can encryption of disks and removable media be enforced by policy?
Yes. When PGP Whole Disk Encryption is deployed with PGP Universal Server, administrators can force encryption of disks and removable media by policy.
Can a rollout of PGP Whole Disk Encryption be automated?
Yes. Distribution and installation of the PGP Whole Disk Encryption MSI installer can be performed using systems management tools such as Microsoft SMS. Initial enrollment of users into the system is automated using email or LDAP-based authentication. Once PGP Whole Disk Encryption is installed, policy updates are automatically distributed to installed end-user systems.
Can email encryption be added to PGP Whole Disk Encryption?
Yes. To add gateway-based or end-to-end email encryption, PGP Whole Disk Encryption customers can simply purchase the respective email encryption license. Please contact a PGP sales representative for more information.
Where can I find release notes and other product-related documentation?
Release Notes and Quick Start Guides are available at http://support.pgp.com/?faq=589. In addition, customers with a current support contract can download User, Administrator, and Programmer Guides from the same link.
Success Story
"We compared all the key features and could see that the PGP solution offered the most solid technology. We knew it would make our day-to-day lives easier."
- Jon Allen, Information Security Officer, Baylor University

