Recently, there was a blog entry claiming that PGP Corporation's PGP® Whole Disk Encryption product contained an undocumented feature that created a security exposure.
What follows are the facts.
Full documentation for this feature is located at: http://support.pgp.com/?faq=750
An excerpt from the PGP Technical Documentation explains the feature:
“The PGP Whole Disk Encryption Authenticated Bypass option was designed so that a user who is able to authenticate the passphrase for PGP Whole Disk Encryption can boot the machine one time without entering a passphrase at PGP BootGuard. This feature can be useful for system maintenance when a reboot is necessary and bypassing the normal PGP BootGuard screen is desired, such as when performing remote maintenance on a system so that the system automatically reboots without the need for entering the passphrase at PGP BootGuard.
“The Bypass user can only be added by someone who is already on the PGP Whole Disk Encryption User Access list with an existing username and passphrase, and who can already unlock the decryption keys to boot the machine at the BootGuard screen.
“Once the machine has been rebooted, the PGP Whole Disk Encryption boot system will remove the bypass user immediately, making it impossible for anyone to authenticate without the original BootGuard passphrase.”
Enterprises that want to disallow access to this feature can do so with Windows ACLs, centrally controlled through Windows Active Directory. The process is straightforward and documented at http://support.pgp.com/?faq=791.
The documentation goes on to discuss security considerations of the feature and its use as well as specific syntax and feature constraints.
The WDE Authenticated Bypass feature is not a “backdoor”. Period. It is a documented, optional feature, developed in response to demand from our enterprise customers to facilitate remote system maintenance. Administrators must enter a valid passphrase to access this feature, even if the drive was already unlocked by the end user. We take offense when statements such as “backdoor” are used with reference to PGP Corporation and its products. There is probably no other company that can credibly stand on a history as strong as PGP Corporation’s in this area. Nothing here has changed, nor will it. (For more on this specific topic, please see: http://www.pgp.com/about_pgp_corporation/why_pgp_corporation/trusted_pgp_products.html)
Best Practices and Options
There is risk inherent in using WDE Authenticated Bypass. If someone enables the bypass and the volume is immediately stolen, then the volume is open until the next boot consumes the bypass. However, this window is usually very small. The people who use the Bypass feature understand the risk. Of course, anyone with access to a running, already-authenticated system could simply copy the data. For this reason, PGP Corporation has always included full disk, virtual disk, and file encryption together. These can be used as a layered defense or individually, where appropriate. System maintenance requirements have no bearing on the use of virtual disk or file encryption.
We believe that our solution, which only allows a single reboot, is a good compromise. It doesn't endanger people who don't use the feature, but it allows people to administer their systems remotely if they do use it. Note that you can’t enable the feature without cryptographic access to the volume. It’s a feature designed for manageability, and that's often as important as security because without manageability, you can't use a security feature.
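To make the lifecycle in the documentation excerpt above and the risk window just described concrete, here is a toy model written for this page. It is not PGP Corporation's code and says nothing about how PGP BootGuard actually stores its user records: the PBKDF2-based key wrap, the decision to keep the volume key directly in the bypass slot, the class and function names (Volume, add_bypass, boot, disk_is_open) and the sample passphrase are all this example's own assumptions. What it does show is the three properties the excerpt describes: arming the bypass requires a passphrase that already unlocks the volume, the next boot consumes it, and while it is armed whoever holds the disk holds the volume key.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_LEN = 32


def _derive(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Passphrase -> (wrap key, MAC key). PBKDF2-HMAC-SHA256 is this model's choice."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              100_000, dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Volume:
    """Disk header of one encrypted volume: a user access list holding
    passphrase-wrapped copies of the single volume key, plus a bypass slot."""

    def __init__(self) -> None:
        self._volume_key = secrets.token_bytes(KEY_LEN)  # key the data is encrypted under
        self.users: dict[str, dict] = {}                  # analogue of the User Access list
        self.bypass: bytes | None = None                  # one-shot bypass slot, empty by default

    def add_user(self, name: str, passphrase: str) -> None:
        salt = secrets.token_bytes(16)
        wrap_key, mac_key = _derive(passphrase, salt)
        wrapped = _xor(self._volume_key, wrap_key)           # wrap under the derived key
        tag = hmac.new(mac_key, wrapped, "sha256").digest()  # lets boot detect a wrong passphrase
        self.users[name] = {"salt": salt, "wrapped": wrapped, "tag": tag}

    def _unwrap(self, name: str, passphrase: str) -> bytes:
        rec = self.users.get(name)
        if rec is None:
            raise PermissionError("unknown user")
        wrap_key, mac_key = _derive(passphrase, rec["salt"])
        expected = hmac.new(mac_key, rec["wrapped"], "sha256").digest()
        if not hmac.compare_digest(expected, rec["tag"]):
            raise PermissionError("bad passphrase")
        return _xor(rec["wrapped"], wrap_key)

    def add_bypass(self, name: str, passphrase: str) -> None:
        """Arm a one-time bypass. Requires a passphrase that unlocks the volume,
        so nobody without cryptographic access to the volume can arm it."""
        volume_key = self._unwrap(name, passphrase)
        # BootGuard must be able to unlock with no secret from the user, so
        # anything protecting this slot would also have to live on the disk.
        # Storing the key directly makes the exposure explicit (model assumption).
        self.bypass = volume_key

    def boot(self, name: str | None = None, passphrase: str | None = None) -> bytes:
        """BootGuard: consume an armed bypass, otherwise demand a passphrase."""
        if self.bypass is not None:
            key, self.bypass = self.bypass, None    # removed immediately: single use
            return key
        if name is None or passphrase is None:
            raise PermissionError("passphrase required")
        return self._unwrap(name, passphrase)


def disk_is_open(vol: Volume) -> bool:
    """An offline attacker holding the disk but no passphrase recovers the key
    exactly when a bypass is armed and not yet consumed."""
    return vol.bypass is not None


def demo() -> dict[str, object]:
    """Walk through the lifecycle the documentation describes."""
    vol = Volume()
    passphrase = "correct horse battery staple"   # constructed for this example
    vol.add_user("admin", passphrase)
    results: dict[str, object] = {}

    try:                                           # arming needs a valid passphrase
        vol.add_bypass("admin", "wrong passphrase")
        results["arm_with_bad_passphrase"] = "allowed"
    except PermissionError:
        results["arm_with_bad_passphrase"] = "denied"

    vol.add_bypass("admin", passphrase)
    results["open_while_armed"] = disk_is_open(vol)             # the risk window
    results["unattended_boot_ok"] = vol.boot() == vol._volume_key
    results["open_after_boot"] = disk_is_open(vol)              # window closed

    try:                                           # a second unattended boot must fail
        vol.boot()
        results["second_unattended_boot"] = "allowed"
    except PermissionError:
        results["second_unattended_boot"] = "denied"

    results["passphrase_boot_ok"] = vol.boot("admin", passphrase) == vol._volume_key
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Running the module prints one line per step: arming with a bad passphrase is denied, the disk is open only between arming and the first boot, the second unattended boot is denied, and a passphrase boot still works afterwards. The point of keeping the volume key in the bypass slot, rather than hiding it behind another on-disk secret, is that the two are equivalent against someone who has the disk; the window is bounded by consumption on boot, not by secrecy.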
We are not the only manufacturer to have such a feature: all the major vendors do because our customers require it. Although we don’t recommend individual users employ this feature, larger, managed populations find it invaluable. If you run a business where you manage computers remotely, you need to reboot them remotely.
A number of questions in the discussion asked what kind of customers request such a feature. Large ones. For more information on customers using PGP Whole Disk Encryption, please see: http://www.pgp.com/insight/customers/customers_solution.html#filedisk.
In summary, there is no “backdoor”. Customers may use the feature as they see fit. The feature documentation is available. We would have been happy to provide it, had we been asked.
Threats are inherent in the setup and management of systems, and PGP Corporation delivers an array of solutions to mitigate them. Our products allow customers to decide which security attributes are reflected in the solutions they deploy.
We appreciate and are thankful for open dialog between us, our customers, and even our critics. This discourse always helps us improve our process, our products, and the standards on which they’re based.
John Dasher
Director, Product Management
PGP Corporation