PGP Desktop 9.0 Windows Operating instructions

Version 9.0.6 | April 2006

PGP

®

Desktop 9.0

for Windows

User’s Guide

Version Information

PGP Desktop 9.0.5 for Windows User’s Guide. Released

April 2006.

Copyright Information

reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose,

without the express written permission of PGP Corporation.

Trademark Information

“PGP”, “Pretty Good Privacy”, and the PGP logo are registered trademarks of PGP Corporation in

the U.S. and other countries. “IDEA” is a trademark of Ascom Tech AG. “Windows” is a registered

trademark of Microsoft Corporation. “AOL” is a registered trademark, and “AOL Instant

Messenger” is a trademark, of America Online, Inc. All other registered and unregistered trade-

marks in this document are the sole property of their respective owners.

Licensing and Patent Information

The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom

Tech AG. The CAST encryption algorithm is licensed from Northern Telecom, Ltd. PGP Corporation

may have patents and/or pending patent applications covering subject matter in this software or its

documentation; the furnishing of this software or documentation does not give you any license to

these patents.

Acknowledgments

The Zip and ZLib compression code in PGP Desktop was created by Mark Adler and Jean-Loup

Gailly; the Zip code is used with permission from the free Info-ZIP implementation. The BZip2

compression code in PGP Desktop was created by Julian Seward.

Export Information

Export of this software and documentation may be subject to compliance with the rules and regu-

lations promulgated from time to time by the Bureau of Export Administration, United States

Department of Commerce, which restricts the export and re-export of certain products and techni-

cal data.

Limitations

The software provided with this documentation is licensed to you for your individual use under the

terms of the End User License Agreement provided with the software. The information in this doc-

ument is subject to change without notice. PGP Corporation does not warrant that the information

meets your requirements or that the information is free of errors. The information may include

technical inaccuracies or typographical errors. Changes may be made to the information and incor-

porated in new editions of this document, if and when made available by PGP Corporation.

About PGP Corporation

Recognized worldwide as a leader in enterprise encryption technology, PGP Corporation develops,

markets, and supports products used by more than 30,000 enterprises, businesses, and govern-

ments worldwide, including 90% of the Fortune® 100 and 75% of the Forbes® International 100.

PGP products are also used by thousands of individuals and cryptography experts to secure propri-

etary and confidential information. During the past 15 years, PGP technology has earned a global

reputation for standards-based, trusted security products. It is the only commercial security vendor

to publish source code for peer review. The unique PGP encryption product suite includes PGP Uni-

versal—an automatic, self-managing, network-based solution for enterprises—as well as desktop,

mobile, FTP/batch transfer, and SDK solutions. Contact PGP Corporation at www.pgp.com or

+1 650 319 9000.

Table of Contents iii

Table of Contents

Foreward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Creating “Automagical” Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Who Should Read This User’s Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Improvements in This Version of PGP Desktop . . . . . . . . . . . . . . . . . . . . . . . . 15

This User’s Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Recommended Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 1: PGP Desktop Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Basic Steps for Using PGP Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Chapter 2: Installation and Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Installing PGP Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Running the Setup Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Uninstalling PGP Desktop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Chapter 3: The PGP Desktop User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

PGP Desktop Main Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

The PGP Tray Icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Context Menus in Windows Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

The Start Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Chapter 4: Securing Email Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Services and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Creating a Service and Editing Account Properties . . . . . . . . . . . . . . . . . . . . . 44

PGP Desktop User’s Guide

iv Table of Contents

Disabling, Enabling, and Deleting a Service. . . . . . . . . . . . . . . . . . . . . . . . . . . 47

PGP Desktop and SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Multiple Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Troubleshooting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Creating a New Security Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Wildcards and Regular Expressions in Policies. . . . . . . . . . . . . . . . . . . . . . . . . 56

Security Policy Information and Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Working with the Security Policy List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Viewing the PGP Messaging Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Chapter 5: Securing Instant Messaging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Encrypting your IM Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Chapter 6: Whole Disk Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Preparing to Whole Disk Encrypt a Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Creating Recovery Disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Whole Disk Encrypting a Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Adding Other Users to an Encrypted Disk. . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Using the PGP Whole Disk Encryption Login Screen . . . . . . . . . . . . . . . . . . . . 80

Deleting Users From an Encrypted Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Changing a User’s Passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Re-Encrypting a Whole Disk Encrypted Drive . . . . . . . . . . . . . . . . . . . . . . . . . 86

PGP Whole Disk Encryption FAQ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Special Security Precautions Taken by PGP Desktop . . . . . . . . . . . . . . . . . . . . 90

Chapter 7: PGP Virtual Disk Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Creating a New PGP Virtual Disk Volume . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Finding PGP Virtual Disk Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Mounting a PGP Virtual Disk Volume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Using a Mounted PGP Virtual Disk Volume. . . . . . . . . . . . . . . . . . . . . . . . . . . 98

User’s Guide PGP Desktop

Table of Contents v

Unmounting a PGP Virtual Disk Volume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Adding Alternate Users to a PGP Virtual Disk Volume . . . . . . . . . . . . . . . . . . 100

Deleting Alternate Users From a PGP Virtual Disk Volume . . . . . . . . . . . . . . . 101

Disabling Alternate Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Toggling Read/Write Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Making an Alternate User an Administrator . . . . . . . . . . . . . . . . . . . . . . . . . 102

Changing a User’s Passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Editing Advanced Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Re-Encrypting a PGP Virtual Disk Volume. . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Specifying Properties for a PGP Virtual Disk Volume . . . . . . . . . . . . . . . . . . . 105

Deleting a PGP Virtual Disk Volume. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Maintaining PGP Virtual Disk Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

About PGP Virtual Disk Volumes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

The PGP Virtual Disk Encryption Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 110

Special Security Precautions Taken by PGP Virtual Disk. . . . . . . . . . . . . . . . . 111

Chapter 8: PGP Zip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Creating PGP Zip Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Creating PGP Zip SDAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Opening a PGP Zip SDA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Verifying Signed PGP Zip Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Opening and Editing a PGP Zip Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Chapter 9: PGP Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Viewing Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Creating a Keypair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Distributing Your Public Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Getting the Public Keys of Others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Working with Keyservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Chapter 10: Managing PGP Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Examining and Setting Key Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

PGP Desktop User’s Guide

vi Table of Contents

Adding and Removing Photographic IDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Adding a New User Name and Email Address to a Key . . . . . . . . . . . . . . . . . 148

Importing Keys and X.509 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Changing Your Passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Deleting Keys, User IDs, and Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Disabling and Enabling Public Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Verifying a Public Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Signing a Public Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Granting Trust for Key Validations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Working with Subkeys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Working with ADKs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Working with Revokers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Splitting and Rejoining Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

PGP Key Reconstruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Protecting Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Chapter 11: PGP Desktop and Windows Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Encrypt, Sign, or Encrypt and Sign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Shred . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Wipe Free Space. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Create an SDA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Decrypt/Verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Mount, Edit, or Unmount a PGP Virtual Disk Volume . . . . . . . . . . . . . . . . . . . 178

Import a PGP Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Add PGP Keys to Your Keyring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

View the Contents of a PGP Zip Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Chapter 12: Shredding and Wiping Free Space . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Using PGP Shred to Permanently Delete Files and Folders . . . . . . . . . . . . . . . 184

Using the PGP Free Space Wipe Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Scheduling Free Space Wiping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

User’s Guide PGP Desktop

Table of Contents vii

Chapter 13: Smart Cards and Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Supported Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Recognizing Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Examining Smart Card Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Generating a PGP Keypair on a Smart Card . . . . . . . . . . . . . . . . . . . . . . . . . 196

Copying your Public Key from a Smart Card to a Keyring . . . . . . . . . . . . . . . . 198

Wiping Keys from Your Smart Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Copying a Keypair from Your Keyring to a Smart Card . . . . . . . . . . . . . . . . . . 199

Using Multiple Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Special-Use Tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Appendix A: Setting PGP Desktop Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Shredding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

HotKeys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Appendix B: Biometric Word Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Appendix C: Passwords and Passphrases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Passwords and Passphrases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

The Passphrase Quality Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Creating Strong Passphrases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Appendix D: PGP Desktop and PGP Universal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

For PGP Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Appendix E: Messaging with Lotus Notes and MAPI . . . . . . . . . . . . . . . . . . . . . . . . 235

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

PGP Desktop User’s Guide

viii Table of Contents

Notes IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

Notes Client Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Foreward 9

Foreward

This Foreward was authored by Jon Callas, PGP Corporation’s Chief Technol-

ogy Officer; it describes PGP Corporation’s vision for security and how new

products and services fit into that vision.

More of Jon’s writings are available on the PGP website in the CTO Corner.

Creating “Automagical” Encryption

We started the new PGP Corporation in 1992 because we have a vision about

computer security, information security, and encryption. That vision is rela-

tively simple to express: We think everything you do should be secure—no

matter where you are. Whether you are at home, work, the coffee shop, an

airport, or the beach, you shouldn’t have to think about your location. Every-

thing you do should be secure “automagically.”

The first paper I published on that vision, “Improving Message Security With a

Self-Assembling PKI,” was presented at the second Annual PKI Research

Workshop in April 2003. In that paper, I described how we are re-thinking the

way encryption and security works. I described this change in thinking as a

change in metaphor from the “telephone” metaphor to the “messenger” met-

aphor. This change is as profound to the way security works as the change in

basic computing to the “desktop” metaphor brought about by a change in the

way we view and use computers.

The first product we made that fulfilled that vision was PGP

®

Universal. It’s a

server-based system that is the “secure robot messenger” I described in the

PKI paper. Best of all, it works. It’s so simple that the CTO can use it. Heck,

it’s so simple that even the CTO’s retired parents can use it.

We are now introducing our next-generation products, PGP Desktop 9.0 and

PGP Universal 2.0, as well as the new PGP Global Directory service hosted by

PGP Corporation. The combination of these new products and services is a

refinement of our use of servers and introduces our new way of thinking

across our product suite. These products solve real-world problems you deal

with every day, and here’s why you should care.

Vision and Goals

We are working on solving the problem of getting people to use more secure

email. This is a big problem that we can’t solve alone or overnight, but we

have decided that we must take the lead in designing a solution.

PGP Desktop User’s Guide

10 Foreward

The old way of doing secure email still works and is very secure. It is also rea-

sonably easy to set up and use. It even scales fairly well: The global OpenPGP

public key system is the largest PKI in the world and contains several million

keys. There are close to 2 million of them on the legacy public PGP Keyserver

and many more on other keyservers and websites.

Because we want everyone to use it, however, we need that system to scale

to billions, not millions of keys and users. We believe that the more people

there are using secure email, the more secure the overall system will become.

Consequently, we must make security completely automatic, open in design,

and usable by people who don’t know or care about the workings of secure

email any more than they do about the workings of telephones.

If you’re used to the OpenPGP way of secure email, it's still there and still

provides good security. What we're building is an extension to it, not a

replacement for it.

We are coming up with new mechanisms for security that satisfy the need for

automatic operation, seamless integration with existing security solutions,

and user transparency. Our new designs don’t require plugins, even though

you may still use one of ours or someone else’s. Our approach is to move

from requiring plugins and applications to software that works directly in the

network stack by proxying protocols for email, instant messaging, and more.

The new designs also work with other people’s software and even with other

messaging protocols, including S/MIME for the first time throughout our prod-

uct suite. Finally, we’ve added flexibility in how people find keys, publish

them, and do so reliably with “enough” security.

Interoperability

The most important thing we’ve done is to use interoperable pieces. In other

words, we didn’t throw the baby out with the bath water.

We make use of open, interoperable, distributed, scalable systems. Every PGP

Universal Server is a keyserver. We use the same well-publicized LDAP

schema that we’ve used since 1997. If you’re technically inclined, all you

have to do to play in this new game is set up an LDAP keyserver at the DNS

host of “keys.domain” (for example, keys.pgp.com) and you’re part of the

system.

We also have declared peace in the certificate and message format debates.

We don’t care whether you use X.509, OpenPGP, or S/MIME. We’ll use what-

ever format you want because we now support them all. And if we don’t do

something, please let us know. We may add an XML-based message format

in the future, for example. After all, one size doesn’t fit all.

We believe this strategy is paying off for the general good. One of the main

reasons most email is still unencrypted is the balkanization of formats. I’ve

been saying for years that just as there are multiple formats for displaying pic-

tures in a Web page, there are multiple formats for security. The reason we

have different formats is that they serve slightly different purposes. We’re

tickled pink that Entrust announced in February it will be supporting Open-

User’s Guide PGP Desktop

Foreward 11

PGP, too. This support will make security better for everyone and make it eas-

ier for us to interoperate with traditional PKIs. It also verifies that we’re right

about new models of security when one of the leaders of traditional PKIs joins

our parade.

PGP Desktop 9.0

The first thing you’ll see when you start using PGP Desktop 9.0 is that the

user interface (UI) has changed. We’ve changed things to more closely follow

the native UI of the operating system. The Windows version looks like the

rest of the Windows interface, and the Mac OS X version looks like an OS X

native program. We believe there has to be tight integration with the operat-

ing system to make the product usable to people.

When you look at keys and certificates in the windows, you’ll find that we’ve

streamlined the display and now let you edit all sorts of things in keys you

couldn’t edit before. You can now change what algorithms you use, set a

default keyserver, and so on. We’ve also added smart keyrings, allowing you

to create virtual keyrings that show you, for example, all the keys you have

for people in xyz.com.

When you start using PGP Desktop for email, you will see that something is

missing: the Encrypt button. This button has disappeared because we have

integrated the PGP Universal concept of policy-driven encryption into PGP

Desktop. Plugins have always been a pain: They are hard to write, hard to

maintain, and often work differently for the same email client on different

operating systems. We have kept the PGP SDK interfaces, and other plugins

such as those for Mailsmith and Pegasus continue to work just fine. On the

other hand, the new way of using proxies and policies means we now also

support Thunderbird, The Bat, or any other email client you care to use. We

do this by using a network proxy, the same proxy we use in PGP Universal

Servers, but with tweaks for desktop use. Think of it as a desktop firewall

that does “automagic” encryption for you.

Instead of having an Encrypt button, you can simply set the “Confidential”

flag on your message. Or perhaps you’d like to have a trigger in the subject

line such as the word “secret” or perhaps an “*” to be your Encrypt button.

You can even have PGP Desktop scan the body of the message for text or

patterns to trigger encryption or signing. You can also set it up so that when-

ever you send messages to certain people or domains, it will encrypt or sign

them automatically. Best of all, you can set strategies for searching for keys

and enforcing encryption so there is no danger of accidentally sending a mes-

sage in the clear. As I mentioned earlier, we also now support S/MIME in PGP

Desktop, so if you send a message to one person who has a PGP key and

another with an X.509 certificate, PGP Desktop will send the right format to

the right person.

This is a huge improvement over what’s gone before. With PGP Desktop 9.0,

you now have fine control over how encryption happens, yet when you’re

actually sending email, you don’t have to think about it because the right

thing just happens—automagically.

PGP Desktop User’s Guide

12 Foreward

Our new way of thinking about encryption also extends to instant messaging.

PGP Desktop 9.0 includes automatic AOL

®

Instant Messenger

™

(AIM) traffic

encryption. Because this is also a proxy, it doesn’t matter which AIM client

you use—AOL’s, Trillian, or Apple iChat. If you start a conversation with

someone else who has PGP Desktop 9.0, your conversation is encrypted

without your doing anything.

The last major improvement in PGP Desktop 9.0 is full disk encryption, which

is currently available for Windows XP and 2000 only. As the name suggests,

PGP Whole Disk encrypts the entirety of the disk. It works on the boot vol-

ume as well as other disks, including removables such as flash drives. PGP

Whole Disk is not a replacement for the traditional PGP Disk (which we now

call PGP Virtual Disk). Virtual disks are like data safes. They are places to put

things such as your financial data that you don’t use every day, but you want

kept secure. In comparison, PGP Whole Disk encryption shines at making the

computer itself more secure. It protects the whole machine, making it unboot-

able without a passphrase or crypto token. It protects your data when you

upgrade your machine or if it is lost or stolen. This new option extends the

way PGP encryption protects your data at rest from individual files, to collec-

tions of files, all the way to entire volumes.

PGP Universal 2.0

PGP Universal 2.0 is the next release of our server-based encryption system,

which includes new fine-grained system management improvements and bet-

ter support for Exchange and Notes servers. There are also improvements in

system security. For example, we’ve introduced an “ignition key” for the

server, which offers a way to use a smart card as an inexpensive hardware

security module, allowing the security database to be encrypted on disk,

decrypted at boot time, and stored in secure memory on the server. You can

also have multiple administrators, each with one of the five different security

levels, ranging from read-only admins to super users.

Most important, PGP Universal now integrates with all PGP client systems.

There are two types of clients: PGP Universal Satellite, the basic client with a

minimal UI, and PGP Desktop 9.0. In previous versions of PGP Desktop, we

had tools for managing groups of PGP Desktop users. These tools coordinated

with the PGP Keyserver. Now, all of those functions are rolled into PGP Uni-

versal, which is the management system for groups of people using PGP solu-

tions. PGP Universal works not only as a mail and policy processing system,

but also as a keyserver and deployment tool. You can have a cluster of PGP

Universal Servers, too, each with a different role in the integrated system.

This new way of working has many benefits. PGP Desktop can work with

PGP Universal better than either could do alone. Policy-driven encryption

works best when coordinated between the user’s system and a server. For

example, many of the complex policies, such as searching a message for key-

word text, are better done on the desktop system than on the server, so we

do them there. Expert users can augment the server policies with their own

policies to upgrade (but never downgrade) message security. If you use PGP

User’s Guide PGP Desktop

Foreward 13

solutions in your organization, you’ll be delighted with the coherent coopera-

tion between PGP Desktop and PGP Universal Servers. Scaling PGP encryp-

tion throughout a large group is easy, as is configuring it for different groups

with different needs.

PGP Global Directory

The last part of our integrated system is the PGP Global Directory, our

replacement for the legacy public PGP Keyserver. Just as this legacy keyser-

ver was built on the old PGP Keyserver product, the new PGP Global Direc-

tory is built on a new feature of PGP Universal 2.0, the Verified Key Directory

(VKD). Every PGP Universal Server comes with a VKD, and the new PGP Glo-

bal Directory is a slightly modified version of the VKD. We are not yet produc-

tizing the PGP Global Directory enhancements to the base VKD, but we may

do so in the future.

One long-time barrier to widespread use of encryption has been finding the

right key or certificate for a recipient. PGP keyservers provide a good way to

search for keys; however, the previous generation of keyservers was com-

pletely trust-neutral, so keys tended to accumulate. There was no way for

you to retire an old key or to cope with bogus keys.

The new PGP Global Directory solves this problem by using an email

round-trip to verify that your key and your email address are associated—and

then re-verifies these connections every six months. It also protects against

spammers harvesting addresses by not allowing searches that yield more than

one response.

The PGP Global Directory uses the same LDAP directory structure that has

been used for years, and is therefore compatible with any OpenPGP-based

system that can use an LDAP keyserver; the additional management features

we’ve included are layered on top of that foundation.

What this all means is that there is now an open, integrated, distributed, and

verified key management system that anyone on the Internet can use to find

someone’s PGP key. The PGP Global Directory, every PGP Universal Server,

and even other servers such as Hushmail’s key directory are all parts of a uni-

fied security system that PGP Desktop 9.0 uses to transparently encrypt and

sign emails.

Conclusion

The new PGP product releases are significant because they finally bring to the

world what we’ve been thinking about for years. Ubiquitous security, starting

with email, going to instant messaging and then to other protocols, is finally

here. It’s simple, usable, and scalable.

Jon Callas

Chief Technology Officer and Chief Security Officer, PGP Corporation

May, 2005

PGP Desktop User’s Guide

14 Foreward

Introduction 15

Introduction

The PGP Desktop for Windows User’s Guide explains how to use PGP Desk-

top for Windows, a software product from PGP Corporation that uses encryp-

tion to protect data while it is on your system and while it is in transit.

Who Should Read This User’s Guide

The PGP Desktop for Windows User’s Guide is for anyone who is going to be

using the PGP Desktop for Windows software to protect their data.

Improvements in This Version of PGP Desktop

If you used a previous version of PGP Desktop, please be aware of the follow-

ing improvements in the current version:

• PGP Whole Disk Encryption is a new feature that lets you protect the

entire contents of desktop or laptop drives, external drives, and USB flash

drives with trusted, proven PGP encryption.

• PGP Zip is a new feature that lets you add any combination of files and

folders to an encrypted, compressed, portable archive. You can encrypt it

to specific PGP keys, so that only those persons can open it, or you can

encrypt it to a passphrase, so that only the passphrase is needed to open

it. You can use PGP Zip to distribute files and folders securely or back

them up.

• Integration with PGP Global Directory. PGP Desktop automatically

prompts you to publish your public keys to the PGP Global Directory, a

free, publicly available keyserver hosted by PGP Corporation that provides

quick and easy access to the universe of PGP keys. If you don’t have the

public key of someone you want to send an encrypted message to, PGP

Desktop will automatically search the PGP Global Directory to find that

public key. If you aren’t in an email domain protected by a PGP Universal

Server, the PGP Global Directory is your source for trusted keys.

• Email proxy technology replaces plugins, providing automatic and trans-

parent encryption, signing, decryption, and verification with virtually any

email client. PGP Desktop’s plugins gave you PGP Desktop encryption for

If you are new to cryptography and would like an overview of the terminology

and concepts in PGP Desktop, please refer to An Introduction to Cryptography

(it was installed onto your computer when you installed PGP Desktop).

PGP Desktop User’s Guide

16 Introduction

specific email clients; PGP Desktop’s new proxy technology replaces plu-

gins, giving you PGP Desktop encryption with virtually any email client,

plus the ability to define policies for specific recipients, domains, and mes-

sage priority, among others. Sending and receiving protected messages

has never been easier or more powerful.

• PGP Desktop always on. To support the new email proxy technology, PGP

Desktop stays on all the time, protecting your data automatically and

transparently.

• Unified interface. There continues to be multiple ways to access PGP

Desktop features, but the easiest way is the new, unified PGP Desktop

application, where each of the four main product features has its own

control box area on the left pane and work area on the right pane.

• Built-in integration with PGP Universal, if you are using PGP Desktop in a

PGP Universal-protected domain. You can get messaging policies automat-

ically from the PGP Universal Server managing your messaging domain.

• Management of PGP Desktop by a PGP administrator in a PGP Univer-

sal-protected domain. Your PGP administrator can create custom installers

of PGP Desktop and update policies dynamically.

• Automatic, transparent protection for AOL instant messaging sessions.

Text messages and file transfers are automatically protected.

• Support for Windows NT, 98, and ME has been removed from PGP Desk-

top; you cannot install PGP Desktop on these platforms. The ICQ plugin,

which protected ICQ sessions, has been removed from PGP Desktop. The

ability to create new PGP keypairs in the older RSA Legacy format (also

known as v3 format) is no longer supported.

This User’s Guide

The chapters and appendices in this User’s Guide include:

• Chapter 1, "PGP Desktop Basics," provides an overview of PGP Desktop

and what it does.

• Chapter 2, "Installation and Startup," tells you how to install PGP Desktop

and how to get up and running using the Setup Assistant.

• Chapter 3, "The PGP Desktop User Interface," shows and describes the

PGP Desktop user interface.

• Chapter 4, "Securing Email Messages," tells you how PGP Desktop can

secure your email messages.

• Chapter 5, "Securing Instant Messaging," tells you how PGP Desktop can

secure your instant messaging sessions.

• Chapter 6, "Whole Disk Encryption," describes Whole Disk Encryption and

tells you how to configure it on your system.

User’s Guide PGP Desktop

Introduction 17

• Chapter 7, "PGP Virtual Disk Volumes," tells you about PGP Virtual Disk

volumes.

• Chapter 8, "PGP Zip," tells you about the PGP Zip feature, which lets you

create encrypted, compressed repositories for files and folders that can be

used for easy transport or backup.

• Chapter 9, "PGP Keys," tells you about creating and using PGP keys.

• Chapter 10, "Managing PGP Keys," describes how to manage PGP keys.

• Chapter 11, "PGP Desktop and Windows Explorer," tells you how to use

PGP Desktop to encrypt, decrypt, sign, and verify files either for email or

for secure storage on your computer.

• Chapter 12, "Shredding and Wiping Free Space," describes the PGP Shred

feature, which lets you securely wipe files from your system so that unau-

thorized persons cannot retrieve them.

• Chapter 13, "Smart Cards and Tokens," tells you how to use smart cards

and tokens with PGP Desktop.

• Appendix A, "Setting PGP Desktop Options," describes PGP Desktop’s

options.

• Appendix B, "Biometric Word Lists," tells you about PGP Desktop’s spe-

cial biometric word lists and what they are for.

• Appendix C, "Passwords and Passphrases," describes the differences

between passwords and passphrases, tells you about the Passphrase

Quality Bar in PGP Desktop, and provides some guidelines for creating

strong passphrases.

• Appendix D, "PGP Desktop and PGP Universal," describes how using PGP

Desktop in a PGP Universal-managed environment affects your usage of

PGP Desktop.

• Appendix E, "Messaging with Lotus Notes and MAPI," describes how to

configure PGP Desktop messaging policies to support Lotus Notes and

MAPI email clients in a PGP Universal-protected environment

There is also a Glossary and an Index.

PGP Desktop User’s Guide

18 Introduction

PGP Desktop 9.0 Windows Operating instructions

PGP Desktop 9.0 Windows Operating instructions

Related papers

Other documents