PGP 主控台安裝、升級與設定

[PGP] Encryption Server 3.3.2 安裝

1. 解壓縮「SymantecEncryptionWeb3.3.2MP11Full.zip」。

2. 打開「Symantec Encryption Server」，可看到一個 ISO 檔案。

3. 掛載之後，進行安裝，輸入鍵盤「Enter」。

4. 選擇「Continue」，接著輸入鍵盤「Enter」。

5. 輸入「IP Address」、「Netmask」，接著選取「OK」，接著輸入鍵盤「Enter」。

6. 輸入「Gateway」、「Primary DNS」、「Secondary DNS」，接著輸入鍵盤「Enter」。

7. 輸入「Hostname」，必須為FQDN，接著輸入鍵盤「Enter」。

8. 安裝中。

9. 安裝完成，請登入下列網址。

10. 點選畫面中間下面「箭頭」。

11. 將「License Agreement」拉至最底，點選「I Agree」。

12. 點選「New Installation」，接著點選畫面右下角箭頭。

13. 輸入時區相關資訊，接著點選畫面右下角箭頭。

14. 確認資料無誤後，接著點選畫面右下角箭頭。

15. 確認上述資訊無誤，接著點選「Done」。

16. Server 重新啟動中，並且使用新的 URL 登入系統。

17. 輸入「License Number」，勾選「Enable Mail Proxies」（若僅使用全硬碟加密可不勾選）接著點選畫面右下角箭頭。

18. 輸入密碼（需符合複雜度原則），輸入Email，接著點選畫面右下角箭頭。

19. 選取模式，接著點選畫面右下角箭頭。（若啟用 Enable Mail Proxies 需設定）

20. 輸入「Mail Server」、「Primary Domain」，接著點選畫面右下角箭頭。（若啟用 Enable Mail Proxies 需設定）

21. 設定「Primary Domain」，接著點選畫面右下角箭頭。（若無啟用 Enable Mail Proxies 需設定）

22. 點選「Skip」。（啟用 Enable Mail Proxies 才需設定）

23. 點選「Backup Key」。

24. 儲存 Key。

25. 備份 Key 完成後，接著點選畫面右下角箭頭。

26. 安裝完成，點選「Done」。

27. 重新啟動中。

28. 輸入剛剛安裝時所設定的帳號密碼、接著點選「Login」。

29. 登入系統。

Symantec Drive Encryption (Managed by SMES) upgrade to 3.3.2 MP10 issue

Our company used the Symantec Drive Encryption (managed by Symantec Encryption Management Server (SEMS) and integrate with AD authentication and single sign on).

We always upgrad the Symantec Encryption Management Server (SEMS) to the latest version and it almost works normally.

This time we upgrad the Symantec Encryption Management Server (SEMS) to the (3.3.2 MP10) version.

We found if we install a new PC and use the user account (existed in SEMS) to enroll to the SEMS and the Encryption Deaktop Setup Assistant wizard asked to enter the passphrase.

But we can not enter the current domain password (it display “The passprase did not match of the key” ).

It must enter the old domain password (when the user account enrolled to the SEMS first time).

If we didn’t enter the match passphrase we can not press next button.

We refered to the URL below.

It says:

If using Silent Enrollment, we recommend using SKM mode only. Otherwise, a GKM key will be created, using their current Windows passphrase when they first enroll, but the passphrase on that key will not change, so after several Windows passphrase changes, the user will likely not remember the GKM key passphrase.

So we unchecked the Guarded Key Mode (GKM) in the key mode setting Under the LAB and the issue solved.

http://www.symantec.com/connect/forums/single-user-issue-multiple-machines

The key mode change to CKM.

1.We want to know why the (3.3.2 MP10) version has this issue?

Our company used the Symantec Drive Encryption (managed by Symantec Encryption Management Server (SEMS) and integrate with AD authentication and single sign on).

【We use the GKM mode】

If we install a new PC and use the user account (existed in SEMS) to enroll to the SEMS and the Encryption Deaktop Setup Assistant wizard asked to enter the passphrase.

The passphrase must be the original one,not the current domain password.

(1) In ( 3.3.2 MP10 )

It display “The passprase did not match of the key”.

And we can not press 【next】 to ignore it,and we can not do any configuration on PGP client.

(2) In ( 3.3.2 MP7 and earlier version )

It display “The passprase did not match of the key”.

But we can press 【next】 to ignore it,so we can encrypt th disk.

(3) If we unchecked the GKM then the user key change to CKM.

We install a new PC and use the user account (existed in SEMS) to enroll to the SEMS .

It doesn’t ask to enter the passphrase.

We don’t unchecked the GKM in the production environment because we are not sure what effects will be occured.

2.What different between check and uncheck the Guarded Key Mode (GKM)?

3.Any effects if we uncheck the Guarded Key Mode (GKM) in the production environment?

4.What is the correct setting for our environment?

【Information form Symantec Connect】

https://www-secure.symantec.com/connect/forums/symantec-drive-encryption-managed-smes-upgrade-332-mp10-issue#comment-form

1. During initial enrollment the users domain password is not used in GKM key mode. The PGP key and passphrase do not have the ability to use SSO(single sign on), the passphrase is assigned to the key in GKM mode when the user manually types their passphrase in the key generation wizard box. This passphrase for the PGP key does not sync with users Windows passwords. If you want to change the passphrase you must do so manually by selecting Symantec Encryption Desktop>PGP Key> Select the key>Change passphrase. It will ask for the old passphrase if it’s not cached and then it will let you update the passphrase.

2. If you are only using Symantec Drive Encryption for your environment, then I would suggest using SKM key mode as this keymode requires that the users don’t need to maintain and remember their passphrase. The Server manages the key and never asks for a passphrase to use these keys. PGP keys have nothing to do with Symantec Drive Encryption unless you manually put them on a Smart Card or Token and then use that for authentication. By default Symantec Drive Encryption uses passphrase user for access and doesn’t require a PGP key to do the intial encryption.

I would recommend you open a support ticket so they can help you figure out a solution to get the users off of GKM key mode. GKM keymode will be problematic since the users don’t use the PGP key. They will forget the passphrase and you will run into an issue attempting to re-enroll or enroll on new machines. I always recommend SKM keymode for Drive Encryption only environments.

I would not recommend you just select CKM keymode since it’s not fixing the issue. It will just add to the confusion in the future. The user will have a keypair that they don’t know or remember the passphrase. There are certain operations that require the users know the passphrase to function properly. I’m very suprised that the enrollment wizard allows you to bypass this section without knowing the passphrase to the key even in CKM mode. That seems like a defect to me since the users will have broken keys if they don’t know the passphrase.

PGP 憑證過期

1.登入 PGP 主控台，【System】→【Network】→【Certificates】

2.【Add Certificates】

3.輸入憑證相關資訊 ( Expiration 請下拉選擇 5 年 ) 並按下【Generate Self-signed】

4.這是新增的憑證

5.回到【System】→【Network】→【Assigned Certificate】，下拉選擇到期日最久的憑證，並按下【Save】

6.PGP 正重啟以套用變更

7.重新登入即可

8.之後用戶端會出現以下畫面，請按下【Always Allow for This Site】

【如何收到 PGP Universal Server Backup log 的 mail 通知】

請編輯 /etc/crontab

在 crontab 加入以下命令

這樣每天 19:05 administrator@elite2003.intra 會收到當日的 Backup log

5 19 * * 0 root mail -s “PGP Backup jobs" administrator@elite2003.intra < $(find “/var/log/ovid" -type f -name “backup-*"|sort -r|head -n1)

5 19 * * 1 root mail -s “PGP Backup jobs" administrator@elite2003.intra < $(find “/var/log/ovid" -type f -name “backup-*"|sort -r|head -n1)

5 19 * * 2 root mail -s “PGP Backup jobs" administrator@elite2003.intra < $(find “/var/log/ovid" -type f -name “backup-*"|sort -r|head -n1)

5 19 * * 3 root mail -s “PGP Backup jobs" administrator@elite2003.intra < $(find “/var/log/ovid" -type f -name “backup-*"|sort -r|head -n1)

5 19 * * 4 root mail -s “PGP Backup jobs" administrator@elite2003.intra < $(find “/var/log/ovid" -type f -name “backup-*"|sort -r|head -n1)

5 19 * * 5 root mail -s “PGP Backup jobs" administrator@elite2003.intra < $(find “/var/log/ovid" -type f -name “backup-*"|sort -r|head -n1)

5 19 * * 6 root mail -s “PGP Backup jobs" administrator@elite2003.intra < $(find “/var/log/ovid" -type f -name “backup-*"|sort -r|head -n1)

1.【如何確認 PGP 硬碟加密目前是採用 DES-128 或 DES-256】2. 【若將 PGP 硬碟加密政策由目前的 DES-256 改為 DES-128，該硬碟是否需先行解密後再進行加密】

【如何確認 PGP 硬碟加密目前是採用 DES-128 或 DES-256】

【若將 PGP 硬碟加密政策由目前的 DES-256 改為 DES-128，該硬碟是否需先行解密後再進行加密】

以上問題可參考官網 https://support.symantec.com/en_US/article.TECH224377.html

【如何確認 PGP 硬碟加密目前是採用 DES-128 或 DES-256】

請參考下圖於用戶端執行以下指令：

【64 位元電腦請切換至以下目錄】

C:\Program Files (x86)\PGP Corporation\PGP Desktop

【32 位元電腦請切換至以下目錄】

C:\Program Files\PGP Corporation\PGP Desktop

再執行

pgpwde –status –disk 0 –xml |find “alg”

※ for Mac → 執行 pgpwde –status –disk 0 –xml

在輸出的結果中，找到以下數值，若 alg=”9” 則該硬碟採用 DES-256 加密，若 alg=”7” 則該硬碟採用 DES-128 加密

【若將 PGP 硬碟加密政策由目前的 DES-256 改為 DES-128，該硬碟是否需先行解密後再進行加密】

是的，請參考下方程序

有關 PGP logs 的 purge

1. How long will the Symantec Encryption Management Server purge the logs?
The SEMS purge the logs in 1months time.

2. Where can I set the purge interval and find the logs percentage of hard disk usage?
You can set the purge time of the logs in the crontab.

In /etc/crontab edit the line

0 0 * * * root /usr/bin/pgpdellog.pl —days=30 /var/log/ovid >& /dev/null

and either change it to the desired value (–days=XX)

or comment the entry completely if the logs may not be deleted.
(by adding a # in front)

Depending on the requirements another solution might be to retain regular backups (which also contain the logfiles).

3. Location of the logs are available at 2 places1

(1) /var/log/ – General system logs
(2) /var/log/ovid/ – pgp process logs

4.If you want to list the size of the folder size please use
du -sh* or du -sh /var/log/ovid

You can use winscp to copy the logs from the linux machine to the windows and then delete the logs manually from the specifc location as mentioned above.
Please do not delete the parent location but only the logs inside the parent folder.