HSU has licensed Symatec's PGP Desktop/Netshare security software to protect Level 1 and Level 2 data as required by the HSU IT Procedure on Encryption so that it can be safely accessed, stored, and shared with others without risking that data falling into the wrong hands. The software can be used to: 

• Share files in a protected space (file server, shared folder, or USB drive) amongst authorized users
• Encrypt hard drive space to create a virtual disk volume with its own drive letter
• Create secure, encrypted Zip archives as a single encrypted, compressed package that can be opened on Windows or Mac OS X systems
• Secure destruction (shredding) of files and folders so that even file recovery software cannot recover them
• Secure erasure of  free drive space, rendering deleted data unrecoverable

Getting Started 

PGP is available to and has been installed for those individuals who require encrypted network shares. Departments must consult with ITC support to determine configuration settings and encryption policies using the ITC PGP Encryption Worksheet. A typical policy includes a list of shared folders and the users entitled to access those folders. Note that, if the administrator makes any configuration changes, all authorized department users will automatically receive the updated settings through the department's customized policy.

Supported Operating Systems

PGP Desktop/Netshare works with the following operating systems:

• Windows 7
• Windows Vista
• Windows Server 2003
• Windows XP
• Windows 2000
• Mac OS X 

The encryption strength, cipher type, and key sizes have been pre-configured in the policy server according to HSU recommended standards and include the use of Advanced Encryption Standard (AES) 256-bit encryption.

Installation and Use

The software must be installed by your ITC, and every authorized user is required to go through the enrollment process in order to gain access to the resources. As part of the iinstallation, users will be provided with a “key pair”. These keys are required to encrypt/decrypt the data and will be automaticallyused by the software to provide seamless access to the shared data. After the initial setup and configuration, users' interaction with the encrypted data should be transparent.

Folder Access

Folder access can be configured to designate specific permissions to decrypt information after file system access has been granted. The key pairs described above are used to determine which individual users are allowed to access the contents of the shared folders.Typically, two levels of access exist: administrator (admin) and normal users (users); these roles are described below:

Administrators have the following privileges:

• Full read/write capabilities on files and folders
• Ability to add and remove users
• Ability to assign roles and change user permission levels

Users have the following privileges:

• Read/write capabilities on the contents of a protected folder (depending on their permissions as assigned by an  administrator)

Note: At least one Admin is assigned to each protected folder in order to reduce the potential for inadvertent encryption of file shares. HSU Information Security recommends assigning a specialized admin whose responsibility it is to encrypt folders and assign users to each folder. This can be achieved by creating different administrator roles based on separate policies. 

Any files using encryption remain encrypted, even if copied locally to the desktop or saved to a USB stick. However, administrators should be aware that users with rights to decrypt the file have the potential to purposefully or accidentally decrypt the file in one of the following scenarios:

• Depending on the application, accessing a file and then saving it under a new name may remove the file’s encryption and reveal its contents, even if it was previously encrypted. If this is a concern, consider using the PGP Whole Disk Encryption option.
• Attaching an encrypted file to an email message may cause the attachment to become unencrypted when the message is sent, unless the mail client also uses a form of encryption. It is possible to prevent an application such as Microsoft Outlook from sending an encrypted file as an attachment “in the clear,” by including the name of the application process in the PGP Desktop/Netshare policy. Doing so causes the file to remain encrypted.

Other examples of applications that may affect encrypted files and folders are Secure File Transfer Protocol (SFTP) and backup client software. 

Questions?

Contact your ITC support or the Information Security Information Office for assistance, key recovery, or any questions you may have concerning Symantec PGP Desktop/Netshare.