Disable User-initiated Decryption of Disks in Managed PGP Desktop Clients

Article ID: 153343


Products

Symantec Products

Issue/Introduction


This article describes how to use a PGP Whole Disk Encryption policy feature, available in PGP Universal Server versions 2.9.0 through 2.12.0, to disable user-initiated disk decryption on managed PGP Desktop clients.

Resolution


User-Initiated Whole Disk Encryption Permissions

PGP Universal Server versions 2.9.0 through 2.12.0 allow administrators to apply more granular PGP Whole Disk Encryption policies to managed PGP Desktop clients. Administrators can configure separate permissions for user-initiated PGP Whole Disk Encryption operations on internal and removable disks.

The permission options for internal and removable disks include:
  • Allow User Management - Selecting this option means a user can add or remove other passphrase users on the user's device.

  • Allow Encryption - Selecting this option means users can initiate encryption of internal and/or removable disks. Automatic disk encryption during setup is not affected by this policy.

  • Allow Decryption - Selecting this option means users can initiate decryption of internal and/or removable disks. If you do not enable this option, users will not be able to decrypt disks. Decryption after license expiration is not affected by this policy.

  • Store Decryption policy on fixed disks - When selected, the policy that specifies whether users can initiate decryption of the disk is stored on the encrypted disk itself. When the policy is stored on the disk, current and future versions of PGP Whole Disk Encryption, as well as Windows PE tools and other recovery methods, are all prevented from decrypting the disk. This information is not stored on removable disks.

When user-initiated decryption is disabled and a user attempts to decrypt the disk, the user receives a pop-up PGP Error stating "Your administrator has disabled user controlled whole disk decryption".

To disable user-initiated decryption of disks:

  1. Log in to the PGP Universal Server administrative interface.
  2. Click Policy > Internal User Policy.
  3. Select the desired policy to edit from the Internal User Policy card.
  4. From the Policy Options, click the Edit button next to PGP Desktop Settings.
  5. Select the WDE tab.
  6. Under User-initiated Whole Disk Encryption Permissions, remove the checkmark next to Allow Decryption for the desired disk type.

    Note: Selecting the option Store decryption policy on fixed disks also prevents user-initiated decryption using a PGP Whole Disk Encryption recovery disk.

  7. Click Save twice to apply the updated setting for the policy.