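After a password change, the BootGuard password is still the old one

This depends on how the password was changed.
See the page below: change the password through Ctrl + Alt + Del so that it synchronizes immediately.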
Symantec – Changing Your Windows Password with PGP WDE With Single Sign-On
https://support.symantec.com/en_US/article.HOWTO79569.html

Description
To synchronize your Windows password changes with PGP Whole Disk Encryption (PGP WDE), you must change your password for Single Sign-On using the Change Password feature in the Windows Security dialog box, which you access by pressing Ctrl+Alt+Del.
Note: You may also change your password when prompted by Windows that your password will expire during logging in.
To change your passphrase
1. Press Ctrl+Alt+Delete.
2. Type your old password.
3. Type and confirm your new password.
4. Click OK.
Single Sign-On automatically and transparently synchronizes this new password with your PGP WDE passphrase. You can use the new password immediately, in your next login attempt.

Caution: If you change your password in any other manner—via Domain Controller, the Windows Control Panel, via the system administrator, or from another system—your next login attempt on the PGP BootGuard screen will fail. You must then supply your old Windows password. Successful login on the PGP BootGuard screen using your old Windows password then brings up the Windows Login username/password screen. You must then log in successfully using

P.S.

Symantec – How to change-update the SSO passphrase over the PGP WDE command line, if it has not synched with the PGP Bootguard.

https://support.symantec.com/en_US/article.TECH149263.html

If your Windows password has not synchronized with your PGP BootGuard passphrase, you can synchronize your new Windows password with the PGP BootGuard passphrase using the pgpwde tool.

To use the pgpwde tool:

Windows XP

  1. Click Start>Run.
  2. Type cmd in the Open field and click OK.
  3. Change to the Program Files\PGP Corporation\PGP Desktop directory.
    • Type the following at the command prompt (non-domain):
      pgpwde --change-passphrase --disk 0 --user username --passphrase "yourpassphrase" --new-passphrase "yournewpassphrase"
    • Type the following at the command prompt (domain):
      pgpwde --change-passphrase --disk 0 --user username --domain "domainname" --passphrase "yourpassphrase" --new-passphrase "yournewpassphrase"
  4. Press Enter.

Windows Vista & Windows 7 32-bit

  1. Click Start>Run.
  2. Type cmd in the Start Search field.
  3. Click cmd from the list of Programs.
  4. Change to the Program Files\PGP Corporation\PGP Desktop directory.
    • Type the following at the command prompt (non-domain):
      pgpwde --change-passphrase --disk 0 --user username --passphrase "yourpassphrase" --new-passphrase "yournewpassphrase"
    • Type the following at the command prompt (domain):
      pgpwde --change-passphrase --disk 0 --user username --domain "domainname" --passphrase "yourpassphrase" --new-passphrase "yournewpassphrase"
  5. Press Enter.

Windows Vista & Windows 7 64-bit

  1. Click Start>Run.
  2. Type cmd in the Start Search field.
  3. Click cmd from the list of Programs.
  4. Change to the Program Files (x86)\PGP Corporation\PGP Desktop directory.
    • Type the following at the command prompt (non-domain):
      pgpwde --change-passphrase --disk 0 --user username --passphrase "yourpassphrase" --new-passphrase "yournewpassphrase"
    • Type the following at the command prompt (domain):
      pgpwde --change-passphrase --disk 0 --user username --domain "domainname" --passphrase "yourpassphrase" --new-passphrase "yournewpassphrase"
  5. Press Enter.

Your PGP WDE passphrase is synchronized with your new Windows password.

Symantec Drive Encryption (Managed by SMES) upgrade to 3.3.2 MP10 issue

Our company used Symantec Drive Encryption (managed by Symantec Encryption Management Server (SEMS) and integrated with AD authentication and single sign-on).

We always upgrade the Symantec Encryption Management Server (SEMS) to the latest version and it almost works normally.

This time we upgraded the Symantec Encryption Management Server (SEMS) to the (3.3.2 MP10) version.

We found that if we install a new PC and use a user account (existing in SEMS) to enroll to the SEMS, the Encryption Desktop Setup Assistant wizard asks for the passphrase.

But we cannot enter the current domain password (it displays “The passprase did not match of the key”).

We must enter the old domain password (from when the user account enrolled to the SEMS the first time).

If we didn’t enter the matching passphrase we cannot press the next button.

We referred to the URL below.

It says:

If using Silent Enrollment, we recommend using SKM mode only. Otherwise, a GKM key will be created, using their current Windows passphrase when they first enroll, but the passphrase on that key will not change, so after several Windows passphrase changes, the user will likely not remember the GKM key passphrase.

So we unchecked the Guarded Key Mode (GKM) in the key mode setting under the LAB and the issue was solved.

http://www.symantec.com/connect/forums/single-user-issue-multiple-machines

The key mode changed to CKM.

1. We want to know why the (3.3.2 MP10) version has this issue?

Our company used Symantec Drive Encryption (managed by Symantec Encryption Management Server (SEMS) and integrated with AD authentication and single sign-on).

【We use the GKM mode】

If we install a new PC and use a user account (existing in SEMS) to enroll to the SEMS, the Encryption Desktop Setup Assistant wizard asks for the passphrase.

The passphrase must be the original one, not the current domain password.

(1) In (3.3.2 MP10)

It displays “The passprase did not match of the key”.

And we cannot press 【next】 to ignore it, and we cannot do any configuration on the PGP client.

(2) In (3.3.2 MP7 and earlier versions)

It displays “The passprase did not match of the key”.

But we can press 【next】 to ignore it, so we can encrypt the disk.

(3) If we uncheck GKM, the user key changes to CKM.

We install a new PC and use the user account (existing in SEMS) to enroll to the SEMS.

It doesn’t ask for the passphrase.

We did not uncheck GKM in the production environment because we are not sure what effects would occur.

2. What is the difference between checking and unchecking the Guarded Key Mode (GKM)?

3. Are there any effects if we uncheck the Guarded Key Mode (GKM) in the production environment?

4. What is the correct setting for our environment?

【Information from Symantec Connect】

https://www-secure.symantec.com/connect/forums/symantec-drive-encryption-managed-smes-upgrade-332-mp10-issue#comment-form

1. During initial enrollment the user's domain password is not used in GKM key mode. The PGP key and passphrase do not have the ability to use SSO (single sign-on); the passphrase is assigned to the key in GKM mode when the user manually types their passphrase in the key generation wizard box. This passphrase for the PGP key does not sync with users' Windows passwords. If you want to change the passphrase you must do so manually by selecting Symantec Encryption Desktop > PGP Key > Select the key > Change passphrase. It will ask for the old passphrase if it’s not cached and then it will let you update the passphrase.

2. If you are only using Symantec Drive Encryption for your environment, then I would suggest using SKM key mode as this keymode requires that the users don’t need to maintain and remember their passphrase. The Server manages the key and never asks for a passphrase to use these keys. PGP keys have nothing to do with Symantec Drive Encryption unless you manually put them on a Smart Card or Token and then use that for authentication. By default Symantec Drive Encryption uses passphrase user for access and doesn’t require a PGP key to do the initial encryption.

I would recommend you open a support ticket so they can help you figure out a solution to get the users off of GKM key mode. GKM keymode will be problematic since the users don’t use the PGP key. They will forget the passphrase and you will run into an issue attempting to re-enroll or enroll on new machines. I always recommend SKM keymode for Drive Encryption only environments. 

I would not recommend you just select CKM keymode since it’s not fixing the issue. It will just add to the confusion in the future. The user will have a keypair that they don’t know or remember the passphrase. There are certain operations that require the users know the passphrase to function properly. I’m very surprised that the enrollment wizard allows you to bypass this section without knowing the passphrase to the key even in CKM mode. That seems like a defect to me since the users will have broken keys if they don’t know the passphrase.

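PGP certificate expired

1. Log in to the PGP console and go to 【System】→【Network】→【Certificates】

2. Click 【Add Certificates】

3. Enter the certificate details (for Expiration, select 5 years from the drop-down list) and click 【Generate Self-signed】

4. The newly added certificate is now listed

5. Go back to 【System】→【Network】→【Assigned Certificate】, select the certificate with the latest expiry date from the drop-down list, and click 【Save】

6. PGP restarts to apply the change

7. Log in again

8. Clients will afterwards see a prompt; click 【Always Allow for This Site】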

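SEPM servers at every site fill up without anyone noticing; disk space is about 100 GB. Besides editing the database properties, which other settings can keep disk usage from growing too large?

In addition, the SEPM servers at every site currently fill up without anyone noticing; disk space is about 100 GB.
Besides editing the database properties, which other settings can keep disk usage from growing too large?

Ans: In most cases this is because the version in use is 12.1.4 or earlier. If the number of retained content revisions shown in the figure below is set to 3, it takes up about 10 GB; in your environment it is probably set to 30, which takes up 80 to 90 GB. It may also be caused by the log-related settings.

You can also refer to the following page to free up space:
Enterprise Support – Symantec Corp. – How to free up disk space on a Symantec Endpoint Protection Manager server
http://www.symantec.com/business/support/index?page=content&id=TECH163063

We recommend upgrading SEPM to 12.1.5 and setting the number of retained revisions as shown in the figure below; 12.1.5 can reduce content space by 60%.

Enterprise Support – Symantec Corp. – Disk space management for Endpoint Protection Manager
http://www.symantec.com/business/support/index?page=content&id=TECH96214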

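Decrypting a disk with the PGP command line

When a PGP-encrypted disk can no longer boot for some reason and has been attached to another machine with PGP installed, proceed as follows:

After logging in you are asked for a passphrase. If nothing you enter is accepted,

log out of the computer and log in again with the account and password of the user whose machine cannot boot. You are asked for the passphrase again, and entering the password now works.

If the problem persists, try the following commands to decrypt the disk.

1. Open a command prompt and change to the following path

Windows XP: C:\Program Files\PGP Corporation\PGP Desktop

Windows Vista/Windows 7: C:\Program Files\PGP Corporation\PGP Desktop

Windows Vista/Windows 7 (64-bit): C:\Program Files (x86)\PGP Corporation\PGP Desktop

2. Run pgpwde --enum to list the disks on the machine; the disk attached later is usually Disk 1 (the option starts with two hyphens)

3. Run pgpwde --list-user --disk 1 to list the users of the encrypted disk (the disk attached later is usually Disk 1) (options start with two hyphens; there is a single hyphen before user)

4. Run pgpwde --status --disk 1 to check the encryption status of the disk (the disk attached later is usually Disk 1) (options start with two hyphens)

※ pgpwde --status --disk 1 shows the encryption status of the disk (in this example Disk 1 has not yet passed passphrase authentication) (options start with two hyphens)

5. If the status shows that the disk is being encrypted or is only partly encrypted, stop the encryption process with pgpwde --stop -p passw0rd --disk 1 (two hyphens before stop and disk; a single hyphen before p) (only then can the command in the next step decrypt the disk)

6. If passphrase authentication keeps failing in the UI, decrypt with pgpwde --decrypt -p p@ssw0rd --disk 1 (two hyphens before decrypt and disk; a single hyphen before p). p@ssw0rd is the password (any user's password works; if you have the WDE admin password, use that first)

After the command above succeeds, you will see that decryption is in progress.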

The 12.5 Language Pack cannot be installed directly on DLP 12.5.1

Hotfix download: 【The 12.5 Language Pack cannot be installed directly on DLP 12.5.1】

You can download following files from URL

https://fileshare.symantec.com/index.html

Hotfix_12.5.1301.01001.zip

README_Hotfix_12.5.1301.txt

Your login credentials are

User ID: Allen_Chung

Password: Welc0meAC!

Instruction about how to apply this Hotfix is given in Readme_Hotfix_12.5.1301.txt file. This Hotfix is required to apply on Enforce server.

If in case you have any query or concern about steps to apply Hotfix please let me know.

The 12.5 Language Pack cannot be installed directly on DLP 12.5.1; the installer reports an error.

You must first obtain 【Hotfix_12.5.1301.01001.zip】 from Symantec Support, extract it to get 【internationalization.jar】 and 【LanguagePackUtility.exe】, and then follow 【README_Hotfix_12_5_1301.txt】 to carry out the steps below.

Constraints:
------------
The hotfix can be applied to DLP v12.5.1

To Install:
-----------

On a Windows system:
--------------------
On the Manager:
---------------
1. Unzip the hotfix binaries
2. Shutdown all Vontu services in following order.
  1. Vontu Monitor Controller (if applicable)
  2. Vontu Incident Persister
  3. Vontu Manager
  4. Vontu Notifier
  5. Vontu Update (if necessary)
3. Backup existing LanguagePackUtility.exe located in the directory %SYMANTEC_HOME%\Protect\bin
4. Backup existing internationalization.jar located in the directory %SYMANTEC_HOME%\Protect\lib\jar
5. Copy LanguagePackUtility.exe from the unzipped Hotfix folder to %SYMANTEC_HOME%\Protect\bin (overwrite existing file)
6. Copy internationalization.jar to %SYMANTEC_HOME%\Protect\lib\jar (overwrite existing file)
7. Start all Vontu services.
   1. Vontu Notifier
   2. Vontu Manager
   3. Vontu Incident Persister
   4. Vontu Monitor Controller (if applicable)
   5. Vontu Update (if necessary)

On a Linux System:
------------------
On the Manager:
---------------
1. Unzip the Hotfix binaries
2. Shutdown all the Vontu Services.
3. Backup existing LanguagePackUtility located in the directory %SYMANTEC_HOME%\Protect\bin
4. Backup existing internationalization.jar located in the directory %SYMANTEC_HOME%\Protect\lib\jar
5. Copy LanguagePackUtility from the unzipped Hotfix folder to %SYMANTEC_HOME%\Protect\bin (overwrite existing file)
6. Copy internationalization.jar to %SYMANTEC_HOME%\Protect\lib\jar (overwrite existing file)
7. Start all Vontu services.

PGP for Mac client: items to confirm before installation

1. Boot Camp check
Check whether the Mac client uses Boot Camp dual boot; otherwise it may fail to boot.

2. Check Mac FileVault
Check whether the Mac client uses FileVault encryption; otherwise PGP will not see any disk that it can encrypt. (Error 69749 or 69700)

3. Disable CoreStorage if the Mac is 10.10.x
CoreStorage must be disabled on Mac 10.10; otherwise the Mac client cannot be recovered. (Error -12000)
http://www.wellife.com.tw/symantec/?p=7864

4. Run the command (sudo chown 0:wheel /Library/PrivilegedHelperTools/) to change the permission to group wheel instead of Admin
Attempting to encrypt a Mac OS X 10.10.x Yosemite system with Symantec Drive Encryption 10.3 when Microsoft Office 2011 has been installed prior to Symantec Drive Encryption produces an error. (Error :116385)
http://www.symantec.com/business/support/index?page=content&id=TECH229178

【How to receive the PGP Universal Server backup log by mail】

Edit /etc/crontab

and add the following entry to the crontab.

With this entry, administrator@elite2003.intra receives that day's backup log every day at 19:05.

5 19 * * * root mail -s "PGP Backup jobs" administrator@elite2003.intra < $(find "/var/log/ovid" -type f -name "backup-*" | sort -r | head -n1)
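A more defensive form of the cron job above, as an added example that is not part of the original post: it mails the newest backup log only if that file is non-empty and less than a day old, and otherwise mails an alert so that a backup which silently stopped running is noticed. The script path, the `--run` switch, the function names and the alert subject are assumptions; the log directory, file pattern, subject and recipient are the page's.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed install path:
#   /usr/local/sbin/mail-backup-log.sh
# Assumed /etc/crontab entry replacing the one-liner:
#   5 19 * * * root /usr/local/sbin/mail-backup-log.sh --run
LOG_DIR="${LOG_DIR:-/var/log/ovid}"             # log directory from the page
RCPT="${RCPT:-administrator@elite2003.intra}"   # recipient from the page
MAILER="${MAILER:-mail}"                        # overridable, e.g. for a dry run

# Print the newest backup-* file if it is non-empty and was modified within
# the last 24 hours; return 1 otherwise. Like the page's one-liner, this
# assumes the file names sort chronologically.
newest_backup_log() {
    [ -d "$1" ] || return 1
    f=$(find "$1" -type f -name 'backup-*' -mtime -1 | sort -r | head -n 1)
    [ -n "$f" ] && [ -s "$f" ] || return 1
    printf '%s\n' "$f"
}

# Mail the log, or mail an alert (and return 1) when no fresh log exists.
send_backup_report() {
    if log=$(newest_backup_log "$LOG_DIR"); then
        "$MAILER" -s "PGP Backup jobs" "$RCPT" < "$log"
    else
        echo "No non-empty backup-* log newer than 24h in $LOG_DIR" |
            "$MAILER" -s "PGP Backup jobs: NO RECENT LOG" "$RCPT"
        return 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    send_backup_report
fi
```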

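1. 【How to confirm whether PGP disk encryption currently uses DES-128 or DES-256】 2. 【If the PGP disk encryption policy is changed from the current DES-256 to DES-128, must the disk be decrypted first and then encrypted again?】

【How to confirm whether PGP disk encryption currently uses DES-128 or DES-256】

【If the PGP disk encryption policy is changed from the current DES-256 to DES-128, must the disk be decrypted first and then encrypted again?】

For both questions, see the vendor page https://support.symantec.com/en_US/article.TECH224377.html

【How to confirm whether PGP disk encryption currently uses DES-128 or DES-256】

Run the following commands on the client:

【On a 64-bit computer, change to this directory】

C:\Program Files (x86)\PGP Corporation\PGP Desktop

【On a 32-bit computer, change to this directory】

C:\Program Files\PGP Corporation\PGP Desktop

Then run

pgpwde --status --disk 0 --xml | find "alg"

※ On a Mac, run pgpwde --status --disk 0 --xml

In the output, look for the following value: if alg="9" the disk is encrypted with DES-256; if alg="7" the disk is encrypted with DES-128.

<currentkey valid="true" alg="9">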
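For the Mac case above, where the Windows `find "alg"` filter does not apply, or for auditing status output collected from many clients, the check can be scripted. This is an added example, not part of the original post: the function names, return codes and the sample XML around `<currentkey>` are assumptions, and only the `alg` values 9 and 7 come from the page.

```shell
#!/bin/sh
# Added example, not from the original post. Feed it the XML printed by
#   pgpwde --status --disk 0 --xml
# The page maps alg="9" to the 256-bit and alg="7" to the 128-bit cipher.
# (In the OpenPGP registry, RFC 4880, IDs 9 and 7 are AES-256 and AES-128.)

# Read XML on stdin; print the key size in bits of the current key.
# Return codes: 0 ok, 2 no <currentkey>, 3 key not valid, 4 unknown alg.
wde_key_bits() {
    tag=$(grep -o '<currentkey[^>]*>' | head -n 1)
    [ -n "$tag" ] || { echo "no-currentkey"; return 2; }
    valid=$(printf '%s\n' "$tag" | sed -n 's/.*[[:space:]]valid="\([^"]*\)".*/\1/p')
    alg=$(printf '%s\n' "$tag" | sed -n 's/.*[[:space:]]alg="\([^"]*\)".*/\1/p')
    [ "$valid" = "true" ] || { echo "key-not-valid"; return 3; }
    case $alg in
        9) echo 256 ;;
        7) echo 128 ;;
        *) echo "unknown-alg:$alg"; return 4 ;;
    esac
}

# Succeed only if the disk's key size is at least $1 bits (XML on stdin).
wde_meets_minimum() {
    bits=$(wde_key_bits) || return $?
    [ "$bits" -ge "$1" ]
}

# Constructed sample: only the <currentkey> element is taken from the page,
# the surrounding elements are placeholders.
SAMPLE='<status><disk id="0"><currentkey valid="true" alg="9"></currentkey></disk></status>'
printf '%s\n' "$SAMPLE" | wde_key_bits    # prints 256
```

On a client this would be used as `pgpwde --status --disk 0 --xml | wde_meets_minimum 256`, with a non-zero exit status marking a disk that falls below the policy or whose status could not be read.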

【If the PGP disk encryption policy is changed from the current DES-256 to DES-128, must the disk be decrypted first and then encrypted again?】

Yes; see the procedure below.

Unable to Encrypt Mac Systems on MAC Yosemite with Symantec Encryption Desktop 10.3.2 with error 116385 when Microsoft Office 2011 has been installed prior to Symantec Drive Encryption

http://www.symantec.com/business/support/index?page=content&id=TECH229178

Issue

In attempting to encrypt a Mac OS X 10.10 Yosemite system with Symantec Drive Encryption 10.3., the following error occurs:【PGPError :116385】

Error

“An error occurred while encrypting your disk:
PGPError :116385”


In addition to receiving the above error, a prompt will continuously pop up indicating changes are needed.  When Symantec Drive Encryption has been installed properly, this pop up should never be displayed:


Cause

The reason this happens is that the permissions for the /Library/PrivilegedHelperTools directory are not set according to what is needed for Symantec Drive Encryption 10.3.2. This condition typically happens when Microsoft Office 2011 has been installed prior to Symantec Drive Encryption, but only on Yosemite. Previous versions of Mac OS X (such as Mavericks), Office 2011 and Symantec Drive Encryption are unaffected by this issue.

Solution

The workaround for this is to run the following command via Terminal and then install Symantec Drive Encryption:

sudo chown 0:wheel /Library/PrivilegedHelperTools/

Once the above command is run, type in the Mac Admin password to allow the permission change to occur.  Once the command is completed successfully, the permissions for the group “wheel” will be assigned, instead of “Admin”.

To confirm the appropriate permissions have been set, run the following command:

ls -al /Library/PrivilegedHelperTools/

The following permissions will be displayed to confirm the correct permissions have been set:

Running the following command can also confirm proper permissions have been set:

stat /Library/PrivilegedHelperTools/

The permission of “root wheel” should be displayed as seen in the example.

If this entry still says “root admin”, the command did not work.  Check the syntax and retry the command.

Alternatively, checking the properties of the /Library/PrivilegedHelperTools/ properties via Finder will show the following correct permissions:


Once the permissions have been set properly, uninstall Symantec Drive Encryption if installed, and then install the application.  This time, Drive Encryption should succeed.

Symantec Development is currently working into this for a final resolution.  Subscribe to this article for any future updates with this issue.