Penn Computing

Penn Computing

Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

Symantec Drive Encryption (previously known as PGP Whole Disk Encryption) and File Share Encryption (previously known as NetShare)

TSS is offering Symantec Drive Encryption accounts to departments that are not interested in running their own Symantec Encryption Server. In order to participate in this service, the Symantec Drive Encryption desktop client must be acquired from TSS and not from the vendor Symantec. The annual cost is $70 for a Symantec Drive Encryption account and $100 for a Symantec Drive Encryption and File Share Encryption account. For more information please contact lan@isc.

Update: The Symanec Encryption Server (Previously known as PGP Universal Server) was upgraded to 3.3.0 February 2013, and the latest version of the PGP client is 10.1.2

System Requirements - Supported Operating Systems

Windows

  • Windows 7 (all 32- and 64-bit editions, including Service Pack 1)
  • Windows Vista (all 32- and 64-bit editions, including Service Pack 2)
  • Microsoft Windows XP Tablet PC Edition 2005 (Service Pack 2, requires attached keyboard)
  • Windows XP Home Edition (Service Pack 2 or 3)
  • Windows XP Professional 64-bit (Service Pack 2)
  • Windows XP Professional 32-bit (Service Pack 2 or 3)

Mac OS X

  • Apple Mac OS X, 10.7.x, and 10.8x (Intel) - For early versions of Mac OS please refer to TECH174563

Linux

  • Ubuntu 10.04 LTS (32- and 64-bit versions), Red Hat Enterprise Linux 5.4 - 6.2 (32- and 64-bit versions)

Note: Symantec Drive Encryption for Linux is command line only.

Note: The above operating systems are supported by Symantec only when all of the latest hot fixes and security patches from Microsoft have been applied. LTS will only support Symantec running on Operating Systems listed under the current supported OS - For additional information please refer to Symantec Encryption 3.3.0 and 10.3.0 Documentation

What is Symantec Drive Encryption -

Symantec Drive Encryption (previously known as PGP Whole Disk Encryption) is Penn's supported and recommended for Whole Disk Encryption. The application is used to provide full disk encryption for all data (user files, swap files, system files, hidden files,..) on desktops, and laptops, and removable media.

Why do I need to use Whole Disk encryption -

Please refer to Penn' Computer Security Policy # 20100308 which states -

Additional Requirements for Portable Computing Devices, Storage Devices, and Media with Confidential Data

Encryption of Stored Data - Certain types of confidential University data stored on such devices must be protected at rest using strong encryption, with a key recovery component. Such data includes data that (1) by law, requires notifying individuals in the event of a breach - specifically, Social Security numbers, credit or debit card numbers, bank account numbers, and as required under HIPAA and the HITECH Act or (2) sensitive health information (e.g., treatment, diagnosis, test results, and certain care settings that are more sensitive than others).

Recommendations and Best Practices - Mobile Device Security For mobile devices with a high replacement cost, such as laptops, or where the ability to prevent theft of data is extremely important, consider using whole disk encryption and software that permits location of the device and secure deletion of the data remotely, should the device be lost or stolen. See Computrace Best Practices, Operation Theft Awareness, and Whole Disk Encryption

How Whole Disk Encryption Works

What is Symantec File Share Encryption?

File Share Encryption (previously known as PGP NetShare) is available as part of the Symantec Encryption Desktop client; Symantec File Share Encryption is used to encrypt data document on file servers, only authorized users can read or modify encrypted files (documents, spreadsheet, presentations, video and audio files) on a shared network drive. With File Share Encryption, authorized users can save and share encrypted files to a File Share protected folder easily with no change to applications or user behavior. The File Share Encrypted Folder content remains encrypted if copied to another drive or archived to backup media. File Share Encrypted Folder performs the encryption operations on the desktop client and does not require installation of any software on the file share server. As a result, there is no performance impact to the file server.

What is Virtual Disk?

This feature is also available as part of the Symanec Encryption Desktop available to the ISC service subscribers. Symantec Virtual Disk (previously known as PGP Virtual Disk) is an area of space (folder on your drive) which is set aside and encrypted. Virtual Disks are much like a bank vault, and are very useful for protecting sensitive files while the rest of your device is unlocked for work. Virtual Disks are unlocked and locked by mounting and unmounting them from your device. When Virtual Disk is unmounted, it does not appear within the File Explorer, and it is inaccessible to anyone without the appropriate credentials.

Service Terms

Domain account credentials - Those are the credentials (account name and password) provided to a user by the TSS Symantec Drive Encryption Server administrator. The credentials are used to start the enrollment process.  

Key Passphrase - During the enrollment process a user is prompted to create a unique key pair and assign a passphrase to that key pair. The passphrase for this key is going to remain constant when a user enrolls on different machines. After setting a Key Passphrase a user is prompted to choose 5 security questions and answers. Those questions will help reconstruct or reset the Key Passphrase if a user forgets it.  

Symantec Drive Encryption Passphrase (Previously known as PGP Whole Disk Encryption (WDE) Passphrase)- This passphrase is unique to a device and not tied to any other drive encrypted drive for the same user. If a user chooses Single Sign On, the Drive encryption Passphrase is synchronized with their Windows account credentials.  If a user forgets their Drive Encryption Passphrase or their Windows account credentials, a Drive Encryption Recovery Token can be used to gain access to the encrypted drive.

Windows Single Sign-On – This feature gives a user the option to synchronize the windows account credentials (domain or local) with Symantec Drive Encryption Passphrase.  When a user enters their Windows password at the Symantec Drive Encryption Login screen, the client proceeds to automatically log them in to windows. The machine effective local Windows password security policies (complexity, length, password expiration…) will over ride the Symantec security settings.  If a user is using Single Sign-On, using CTRL ALT DEL to change the users Windows password will also change the Symantec Drive Encryption passphrase.

Drive Encryption Recovery Token (Previously known as Whole Disk Encryption (WDRT) – The token can be used if a user is unavailable or forgot their Drive Encryption Recovery Token passphrase or their Windows logon credentials.  The Drive Encryption Recovery Token is used at the Drive Encryption Login Screen; .  Drive Encryption Recovery Tokens are associated with encrypted devices, not single computers or single users. A single computer can be associated with multiple encrypted devices. Only the administrator is able to provide a user with a Drive Encryption Recovery Token .

Local Self Recovery for Drive Encryption- This features enables users to answer pre-defined security questions at the Drive Encryption DesktopLogin screen to gain access to an encrypted system and reset the Symantec Drive Encryption passphrase without having to call an LSP. After drive encryption is completed, a user can initiate Local Self Recovery security questions.

 

top

Information Systems and Computing
University of Pennsylvania
Comments & Questions


Penn Computing University of Pennsylvania
Information Systems and Computing, University of Pennsylvania