
IT@Cornell


PGP Frequently Asked Questions

Installation and Encryption Process

Passphrases

Compatibility with other Software and Services

Working with PGP

Using PGP at Cornell

General Information


Installation and Encryption Process

Are there disk types that cannot be encrypted?

  • Dynamic disks
  • Diskettes and CD-RW/DVD-RW

Windows XP allows basic disks to be converted to dynamic disks, which support some features that basic disks do not. Never perform this conversion on the boot drive of a system that has already been protected using PGP Whole Disk Encryption. This conversion, from a basic-type disk to a dynamic one, renders the drive unusable.

Should I do any preparation before encrypting a disk?

Yes. See the Before You Encrypt procedure.

To avoid disruption during encryption, start with a healthy disk by correcting any disk errors prior to encrypting. If you're not sure how to do this, contact your technical support provider.

It is not uncommon to encounter Cyclic Redundancy Check (CRC) errors while encrypting a hard disk. If PGP WDE encounters a hard drive or partition with bad sectors, it will pause the encryption process. This allows you to fix the problem before continuing with the encryption process, thus avoiding potential disk corruption and lost data.

For more information, see the Troubleshooting Tip.

How long does encryption take?

Encryption on most modern computers takes 4-6 hours. Older or slower computers will take longer.

The encryption process is faster if you avoid using your computer because PGP automatically slows the encryption process if you are using the system.

If you decide to run other applications during the encryption process, those applications will probably run slightly slower than normal until the encryption process is over. The computer returns to normal operation when the encryption process is complete.

Why do I need to plug my laptop in (use AC power) during encryption?

Encryption is a CPU-intensive process. It cannot begin on a laptop that is running on battery power. If a laptop goes on battery power during the initial encryption process (or a later decryption or re-encryption process) PGP pauses its activity. When you restore AC power, the encryption, decryption, or re-encryption process resumes automatically.

What changes will I see after my computer is encrypted?

On power-up, the first thing you see is the PGP BootGuard log-in screen asking for your PGP bootguard passphrase. Other than that, your computer looks and functions the same as it always did. For more information, see How to Start Your Computer after Encryption: Windows / Mac.

Can I uninstall PGP?

Disks or partitions that are protected by PGP Whole Disk Encryption become inaccessible once PGP Desktop is uninstalled. For that reason, a safety feature prevents you from uninstalling PGP Desktop if your system has any disks or partitions protected by PGP Whole Disk Encryption. In this instance you see an error message explaining that the uninstall process is being terminated to protect the encrypted disk or partition.

If you want to uninstall PGP Desktop, first decrypt any disks or partitions on your system that are protected using PGP Whole Disk Encryption.

Passphrases

What is a passphrase?

A passphrase is a password that is associated with a phrase, making it easier to remember. By virtue of its length, a passphrase is stronger than a password. For more information and examples of passphrases see the How to Choose a Strong NetID Password page.

You specify a passphrase to use when you reboot a computer with an encrypted boot disk or partition, or if you attempt to access any other encrypted disk or partition. This is your PGP bootguard passphrase. If you forget your bootguard passphrase, your technical support provider can assist you with resetting it. For more information, see the Support page.

If you encrypt a file, virtual disk, or USB drive, you'll set an additional passphrase. (This is called a key passphrase.) If you forget a key passphrase, it can't be reset.

Can I change my bootguard passphrase?

Yes. See How to Change a Passphrase: Windows / Mac.

If more than one person uses a computer, can they each have their own bootguard passphrase?

Yes. Additional users can access the encrypted disk or partition using their own unique bootguard passphrase. There can be up to 120 users per encrypted disk. For more information, see How to Add Additional Users to the Encrypted Disk: Windows / Mac.

What should I do if my bootguard passphrase has been compromised?

If you suspect your passphrase has been compromised, first notify your local technical support provider.

You should change your passphrase and then re-encrypt your computer. Changing your passphrase alone is not a secure enough solution. Re-encryption takes much less time than the initial encryption.

You may also want to re-encrypt if users who had access have been removed.

For more information, see How to Re-encrypt a Disk: Windows / Mac.

Compatibility with other Software and Services

What software is not compatible with PGP?

Installing new encryption software on a computer that has already been encrypted can cause problems. If you have used an encryption product, for example TrueCrypt, Cyber Angel, File Vault, or Windows EFS, on your computer, you should consult with your technical support provider or security liaison before installing PGP.

The following software products are known to be incompatible with PGP:

  • Faronics Deep Freeze (any edition)
  • Utimaco Safeguard Easy 3.x
  • Norton Save & Restore
  • Absolute Software's CompuTrace laptop security and tracking product. (PGP Whole Disk Encryption is compatible only with the BIOS configuration of CompuTrace. Using CompuTrace in MBR mode is not compatible.)
  • Hard disk encryption products from GuardianEdge Technologies: Encryption Anywhere Hard Disk and Encryption Plus Hard Disk products, formerly known as PC Guardian products.

The following programs co-exist with PGP Desktop on the same system, but will block the PGP Whole Disk Encryption feature.

  • Safeboot Solo
  • SecureStar SCPP

Can I use PGP in a dual-boot environment, for example with Bootcamp on a Mac?

CIT doesn't support this configuration; however, it is possible to use PGP in a dual-boot environment. For more information, see the PGP Documentation (on the PGP site).

Can I use EZ-Backup or other automatic back up systems with an encrypted computer?

You can automatically back up the disk or partition once protected with PGP WDE.

It is important to note that any files the software backs up are decrypted before being backed up.

Working with PGP

If my computer is encrypted, does that mean I'm the only one who can use the files stored on it?

No. The data on your computer is encrypted, but once you start the computer and enter the bootguard passphrase, its files are available to anyone who can log in to the computer. Your files are unlocked until you lock them again by shutting down your computer.

When you shut down a system with an encrypted boot disk or partition, or if you remove an encrypted removable disk from the system, all files on the disk or partition remain encrypted and fully protected—data is never written to the disk or partition in an unencrypted form. You'll need to enter the bootguard passphrase again before the files are accessible.

Is my data protected if my computer goes into Sleep or Hibernate mode?

The answer varies depending on which operating system you're using.

Windows

  • Sleep mode does not launch PGP protection.
  • PGP Whole Disk Encryption is fully supported with hibernation in Windows. If your computer has gone into hibernation, when you return to full power you'll be prompted for your bootguard passphrase. The disk is then decrypted and returned to the previous state.
  • If your computer is going to be unattended for a period of time, shut it down or put it into Hibernation mode to protect your data.

Mac OS X

  • Sleep mode does not launch PGP protection.
  • PGP Whole Disk Encryption is NOT supported with hibernation mode in Mac OS X. (A technical explanation of the reasons for this is available in the PGP documentation.) As a safeguard to prevent system issues and data loss, PGP Desktop disables hibernation mode on Mac OS X.
  • If your computer is going to be unattended for a period of time, shut it down to protect your data.

Using PGP at Cornell

Can I use PGP when I'm off-campus?

Yes. You can use your computer exactly the same way on campus or off.

If you plan to take PGP out of the country on a computer or plan to download it while abroad, be aware that the US Department of Commerce restricts the export of cryptographic software. Using PGP is illegal in: Cuba, Iran, Libya, North Korea, Sudan, and Syria.

Can students use PGP to encrypt their computers?

A limited number of licenses are available for PGP, and the product is only intended to protect university-owned equipment. If student employees have a university-owned system that needs to be encrypted, they should consult with their local technical support provider.

General Information

Where can I get more information about encryption?

Please see the Encryption pages in the Security section.

What are the best practices for keeping my encrypted computer safe?

When you are away from your desk, use a screen saver with a password to deter others from accessing your computer or viewing your screen.

Make sure that your encrypted disks or partitions (on Windows systems) are not available to other computers on a network.

Never write down your passphrase. Pick something you can remember. If you have trouble remembering your passphrase, use something to jog your memory, such as a poster, a song, a poem, or a joke—just do not write it down.

Additional notes about PGP safety features

When you enter a passphrase, PGP Desktop uses it only for a brief time, then erases it from memory. PGP Desktop also avoids making copies of the passphrase. The result is that your passphrase typically remains in memory for only a fraction of a second.

PGP Desktop never writes passphrases or encryption keys to disk. This feature prevents a potential intruder from scanning the virtual memory file looking for passphrases.

In Windows, Hibernate mode writes an image of your computer’s entire main memory storage to a file on your hard drive, but not your passphrase. PGP Corporation recommends that you always use Hibernate, rather than Standby, as Hibernate turns your computer off and then requires that you authenticate at the PGP BootGuard screen to log in again.

When you protect a disk or partition (on Windows systems) with PGP Whole Disk Encryption, your passphrase is turned into a key. This key is used to encrypt and decrypt the data on the encrypted disk or partition. While the passphrase is erased from memory immediately, the key (from which your passphrase cannot be derived) remains in memory.

This key is protected from virtual memory; however, if a certain section of memory stores the exact same data for extremely long periods of time without being turned off or reset, that memory tends to retain a static charge, which could be read by attackers. If your encrypted disk or partition (on Windows systems) is decrypted for long periods, over time, detectable traces of your key could be retained in memory. Devices exist that could recover the key. You won’t find such devices at your neighborhood electronics shop, but major governments are likely to have a few.

PGP Desktop protects against this by keeping two copies of the key in RAM, one normal copy and one bit-inverted copy, and inverting both copies every few seconds.
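The two safety features described above (wiping the passphrase as soon as the key has been derived, and holding the key as a plain copy plus a bit-inverted copy that are both flipped every few seconds) can be sketched in a few lines of C. This is an added illustration, not PGP Desktop's own code; it assumes the 32-byte key has already been derived from the passphrase by some key-derivation step not shown here, and the timer that would call the flip routine is left to the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define KEY_LEN 32

/* Two copies of the disk key live in RAM: one plain, one bit-inverted.
 * 'inverted' is 0 while buf[0] is plain; after each flip the roles swap. */
typedef struct {
    uint8_t buf[2][KEY_LEN];
    int inverted;
} guarded_key_t;

/* Zero a buffer through a volatile pointer so the wipe is not optimised away. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Take ownership of the (assumed already derived) key and wipe the caller's copy. */
void guarded_key_init(guarded_key_t *g, uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++) {
        g->buf[0][i] = key[i];
        g->buf[1][i] = (uint8_t)~key[i];
    }
    g->inverted = 0;
    secure_wipe(key, KEY_LEN);
}

/* Run from a timer every few seconds: invert every bit of both copies so
 * no memory cell holds the same value for long. */
void guarded_key_flip(guarded_key_t *g) {
    for (size_t i = 0; i < KEY_LEN; i++) {
        g->buf[0][i] = (uint8_t)~g->buf[0][i];
        g->buf[1][i] = (uint8_t)~g->buf[1][i];
    }
    g->inverted ^= 1;
}

/* The two copies must always differ in every bit; a mismatch means the key
 * bytes were corrupted or tampered with in memory. Returns 1 if consistent. */
int guarded_key_check(const guarded_key_t *g) {
    for (size_t i = 0; i < KEY_LEN; i++)
        if ((uint8_t)(g->buf[0][i] ^ g->buf[1][i]) != 0xFF) return 0;
    return 1;
}

/* Reconstruct the plain key into out, whichever state the last flip left it in. */
void guarded_key_get(const guarded_key_t *g, uint8_t out[KEY_LEN]) {
    memcpy(out, g->buf[g->inverted], KEY_LEN);
}
```

Keeping a second, inverted copy also gives the consistency check for free: any single-bit change to either copy is detected before the key is used.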