Solution 1 - PGP Encryption Solutions
PGP Encryption Server (also known as Symantec Encryption Management Server)
This is the management server piece that will manage the PGP Encryption Desktop clients on the PGP side.
It can also perform automatic email encryption when deployed in "Gateway Mode", which has many additional features for secure email delivery.
The PGP Encryption Server manages the PGP Encryption Desktop client, and a managed deployment exposes a much larger set of configuration options than a standalone install.
As a result, using the PGP Encryption Desktop client in a managed setting is typically the preferred option for enterprises.
When the client is installed, a user is enrolled (either by the end user themselves, or invisibly depending on which option is chosen) and once enrollment is completed, the drive encryption process will start.
All PGP Encryption products interoperate with any other encryption solution that implements the OpenPGP standard.
PGP is where the OpenPGP standard (RFC 4880) originated, so as long as the other solution follows the standard rather than vendor-specific extensions, PGP can exchange keys and encrypted messages with it.
PGP Encryption Desktop can run as a "standalone" product: all of its features can be used as a standalone client and no server needs to be configured to use it. Although it is possible to manage the PGP client (PGP Encryption Desktop) from the server, that is not necessary in order to obtain the installer and get started with encryption. If you need to encrypt only a few machines and do not need to manage any of the components with a server, PGP is likely the best choice. The standalone MSI file can be downloaded directly from the Broadcom Support Portal.
With Symantec Endpoint Encryption, the client is managed on a "per machine" basis. This means that when the client is installed, the machine itself can automatically start encrypting without any user intervention: once the SEE Client is installed, upon reboot, even if no user logs in to the system, encryption will start. Once a user logs in, that user is registered to the drive encryption component and associated with the machine. When a Drive Encryption recovery key is needed, the Encryption Administrator searches for the machine (rather than the user) and displays the recovery key for the machine. The SEE Client will always have a recovery key even if it never connects to the server. All policy is applied to the machine itself, not the user.
Symantec Endpoint Encryption requires the SEE Management Server as the SEE Client must be generated by the server itself. The reason for this is SEE embeds encryption keys into the client and is a completely unique installer for each deployment. Due to this unique client creation, SEE enjoys "Connectionless Recovery". Connectionless Recovery allows a system to be encrypted and even if the client never contacts the server, a recovery key can be generated for the clients. This makes the SEE client a very attractive option when it comes to Drive Encryption, something few encryption solutions offer.
Both of the above encryption solutions that Symantec Enterprise Division offers will allow client management, but the management functionality is different here.
The table below displays the major feature differences at a glance between the two encryption solutions, and we will explain in more detail the different features for each solution:
Your data deserves protection. The UIC license for Symantec Encryption Desktop provides easy to use and secure encryption to protect sensitive data on your laptop or desktop computers. Laptops are easily lost, and even desktop computers can be stolen. Symantec Encryption Desktop also includes a secure shredder, to really delete files you want to delete. A major motivation for using Symantec Encryption Desktop is to fulfill HIPAA requirements.
You may have heard of PGP -- Pretty Good Privacy -- in the context of encrypting electronic mail and email attachments, and digitally signing email messages. That is not what the UIC license for Symantec Encryption Desktop/PGP Desktop is for. Symantec Encryption Desktop provides easy to use and secure encryption to protect sensitive data on your laptop, PC, or removable media. Laptops and flash drives are easily lost, and even desktop computers can be stolen. Symantec Encryption Desktop also includes a secure shredder, to really delete files you want to delete.
The UIC license for Symantec Encryption Desktop centers on Symantec Drive Encryption (formerly known as PGP Whole Disk Encryption / WDE), which encrypts the entire contents of your laptop or desktop, including boot sectors, system files, and swap files. After you install Symantec Encryption Desktop on your computer, the disk encryption process runs automatically on its hard drive. After your hard disk is encrypted, you must log in to Symantec Encryption Desktop before the computer can boot, so operating system login bypass tricks won't work.
After you authenticate and your computer boots, encryption is always on, automatically protecting your data. But it is also transparent. This "transparency" means that your computer works exactly as it always did after you boot, but it also means that the files you use are not protected when your computer is on, after you authenticate with Symantec Encryption Desktop. So there are three additional things you need to do to protect your computer:
Technology Solutions runs a Symantec Encryption Management Server in which your PGP key is protected with your UIC Active Directory ID and password, that is, your UIC NetID and your Technology Solutions common password.
The software that you install is called Symantec Encryption Desktop, but the UIC license for Symantec Encryption Desktop includes only the Symantec Drive Encryption features. Symantec's Quick Start Guides:
Symantec Drive Encryption You can use Symantec Drive Encryption to lock down the entire contents of your system or an external or USB flash drive. Boot sectors, system files, and swap files are all encrypted. Whole disk encrypting your boot drive means you do not have to worry if your computer is lost or stolen: to access your data, an attacker would need your encrypted drive's "passphrase", provided that the computer is not already booted.
PGP Zip allows you to create an encrypted, compressed, portable archive from any combination of files and folders. Symantec Encryption Desktop must be installed on a system to create or open a PGP Zip archive. You can use a PGP Zip archive to send data to other people securely or to back it up securely.
PGP Shredder destroys files and folders that you delete so that even file recovery software cannot recover them. When you delete a file using the Recycle Bin (on Windows systems) or Trash (on Mac OS X systems), it is not actually deleted; only the directory information pointing to it is removed, and the data blocks stay on disk until something else overwrites them. PGP Shredder instead overwrites the file's data multiple times before removing it. Note that overwriting only helps where the new writes land on the same physical blocks as the old data: on SSDs with wear levelling, and on journaling or snapshotting file systems, copies of the old data can survive, which is one more reason to rely on whole-disk encryption rather than shredding alone.
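The overwrite-before-unlink idea behind PGP Shredder, as an added example rather than Symantec's code: it overwrites the file a fixed number of times with random data (the real shredder's pass pattern is not described on this page and is not reproduced), forces the writes to disk, truncates the file so its size no longer leaks, renames it to a random name so the original file name is gone from the directory entry, and only then unlinks it. The `demo` helper and its "patient-record" sample content are constructed for the example. The same caveat applies as above: on SSDs and on copy-on-write or snapshotting file systems the old blocks may still exist.

```python
import os
import secrets
import tempfile

CHUNK_SIZE = 64 * 1024  # overwrite in 64 KiB chunks so large files never sit in memory


def shred(path, passes=3):
    """Overwrite every byte of `path` `passes` times with random data, then unlink it.

    Returns the total number of bytes written. Refuses symlinks so that the
    target of a link is never overwritten by mistake.
    """
    if os.path.islink(path):
        raise ValueError(f"refusing to shred symlink: {path}")
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK_SIZE, remaining)
                f.write(secrets.token_bytes(n))
                written += n
                remaining -= n
            # flush() pushes Python's buffer to the OS; fsync() forces it to the device
            f.flush()
            os.fsync(f.fileno())
        # Shrink to zero so the directory entry no longer reveals how big the file was
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    # Rename to a random name before unlinking so the original name is not left behind
    directory = os.path.dirname(path) or "."
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, anonymous)
    os.remove(anonymous)
    return written


def demo(passes=2):
    """Create a temp file with constructed sample content, shred it, and report
    (bytes written, original size, whether the file still exists)."""
    fd, path = tempfile.mkstemp(prefix="shred-demo-")
    with os.fdopen(fd, "wb") as f:
        # constructed sample data: 50 lines of 40 bytes each = 2000 bytes
        f.write(b"patient-record: constructed sample data\n" * 50)
    size = os.path.getsize(path)
    written = shred(path, passes=passes)
    return written, size, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

`shred` deliberately opens the file in `r+b` mode rather than `wb`: opening for write would truncate the file first, and many file systems would then allocate fresh blocks for the new data, leaving the original blocks untouched.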
Technology Solutions runs a Symantec Encryption Management Server for UIC. The Symantec Encryption Management Server provides central administration of encryption applications, creation and delivery of configuration policy, reporting and logging, and management of PGP private and public keys.
Because the Technology Solutions Symantec Encryption Management Server manages the campus's public and private keys, our Symantec Encryption Desktop does not come with PGP Key Management.
The biggest limitation of Symantec Drive Encryption is that once you have logged in and unlocked the encrypted disk, your data is freely accessible to anyone at the keyboard. Requiring every user to have a login password, and requiring that password when the computer wakes from sleep or from the screensaver, reduces that exposure.
On Windows, if you use Hibernate rather than Sleep, the computer powers off completely, and Symantec Encryption Desktop will require the drive passphrase again when it wakes. Not all Windows computers support Hibernate or are set up to use it. To tell whether yours is, check whether Hibernate is a Shutdown option in the Start menu. Even if it isn't, you might be able to turn it on; search in Windows Help and Support for "hibernate" for more information.
Then a major problem developed. It appears that all of the laptops were encrypted using a Single Sign On, rather than having users log on to the domain at any point. So once the encryption password is entered, the computer immediately boots into Windows and is logged in as a particular user. The choice for SSO was made when the software was installed, if I understand it correctly.
Is there any way to undo this and have a dual sign on, with one to get past the encryption and a second to log in to the domain (or locally)? Do I have to uninstall the software and then reinstall it? Or is there another way to do it?
In that case I will have to decrypt the entire drive, uninstall the software, then reinstall the software and re-encrypt the drive. When I tried decrypting one of these drives, I had to leave the laptop plugged in (with sleep functions turned off) in the server room, where it would be secure overnight while the drive was decrypting, because it took many hours. So doing all of them is going to take some time. I may do one tomorrow as an experiment. If it works I will go ahead and do it with the rest of them. Still really annoyed that the Single Sign On was chosen when it was installed.
Are you trying to remove the SSO Auto Login feature altogether? You can do this permanently by using GPO or deploying a new framework or temporarily by using the autologon utility. You should not need to uninstall and decrypt the drive.