Troubleshooting issues with PGP Desktop and PIV cards
Failed to create a PGP key on a smartcard.
A PIV card is a read-only card, and generating a new PGP key on it is not possible. On a PIV card, only a bundle key or wrapper key can be created, using X.509 certificates. By default, the option to generate a key on a token is greyed out for PIV cards if PGP Desktop recognizes the card as a read-only card.
When a PIV card is plugged in, PGP Desktop prompts for PIN authentication. After the PIN is entered, bundle key creation fails.
Make sure the PGP Universal Server policy is set to import X.509 certificates as PGP bundle keys.
The PIV card is not detected by PGP Desktop.
1. Ensure that the PIV smartcard drivers are properly installed.
2. Verify that the PIV card is detected by the smartcard middleware.
3. If the PIV card is still not detected with a built-in smartcard reader, try to access the card with an external smartcard reader. Verify whether PGP Desktop is able to detect the PIV card with the external reader.
PGP Whole Disk Encryption
Disk failed to encrypt from PGP Desktop.
· Make sure the PIV card is supported for PGP Whole Disk Encryption.
· From the PGP WDE command line, add the smartcard key, as follows:
pgpwde --add-user --disk 0 --token --keyid <smartcard keyid> --a <admin passphrase>
If the smartcard is not supported for PGP Whole Disk Encryption, the command returns Token not supported.
· Ensure that the key properties for the smartcard key have the PGP Whole Disk Encryption flag enabled.
· Verify that PGP Desktop is licensed for PGP Whole Disk Encryption.
Auto-encryption with a PIV card fails after enrollment.
· Make sure that the PIV card is supported for PGP Whole Disk Encryption.
· On PGP Universal Server, be sure to select the option to auto encrypt with a supported smartcard.
PGP BootGuard authentication fails with a supported PIV card.
· If you are using a built-in smartcard reader, switch to an external card reader and try again.
· If you are using an external card reader, use a different USB port. USB 3.0 is not supported for preboot with PGP Desktop.
Single Sign-on (SSO) fails with a PIV card.
- Verify whether the PIV card can be used to authenticate to Windows.
- If the PIV card can be used to log in to Windows, then do one of the following:
1. Use certificate enrollment. On PGP Universal Server, set policy to automatically encrypt using supported smartcards.
2. Use the PGP WDE command line. Add the PIV card user as an SSO user as follows:
pgpwde --add-user --disk 0 --token --keyid <keyid of smartcard key> --sso --a <admin passphrase>
File/folder encryption fails with a PIV smartcard bundle key.
· Verify the following:
  · The PIV card contains the Key Management Certificate, whose X.509 key usage includes key encipherment.
  · Subkeys are created in the key properties of the smartcard key in PGP Desktop.
  · The subkeys include an encryption key.
  · Key usage in the smartcard key properties has the PGP NetShare flag enabled.
  · PGP Desktop is licensed for PGP NetShare.
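The first check above, that the Key Management certificate actually carries key encipherment usage, can be confirmed offline from the certificate's DER bytes. The following is an added example, not code from the PGP Desktop documentation; it walks the X.509 keyUsage extension with plain Python (no third-party library) and assumes the certificate bytes were exported from the card's Key Management slot. Locating the extension by scanning for its OID is a shortcut that assumes the OID bytes do not occur elsewhere in the certificate.

```python
# Added example: decode the X.509 keyUsage extension (OID 2.5.29.15) of a
# PIV Key Management certificate and confirm keyEncipherment is set, the
# usage the PGP bundle key needs for file/folder encryption.

KEY_USAGE_OID = bytes.fromhex("0603551d0f")  # TLV-encoded OID 2.5.29.15
KEY_USAGE_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                   "dataEncipherment", "keyAgreement", "keyCertSign",
                   "cRLSign", "encipherOnly", "decipherOnly"]

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def key_usage(cert_der):
    """Return the set of keyUsage names in cert_der, or None if absent.
    Assumption: the OID byte pattern occurs only in the keyUsage extension."""
    idx = cert_der.find(KEY_USAGE_OID)
    if idx < 0:
        return None
    tag, value, pos = _tlv(cert_der, idx + len(KEY_USAGE_OID))
    if tag == 0x01:                        # optional 'critical' BOOLEAN
        tag, value, pos = _tlv(cert_der, pos)
    if tag != 0x04:                        # extnValue must be an OCTET STRING
        raise ValueError("malformed keyUsage extension")
    bit_tag, bits, _ = _tlv(value, 0)     # BIT STRING inside the OCTET STRING
    if bit_tag != 0x03:
        raise ValueError("keyUsage value is not a BIT STRING")
    unused, payload = bits[0], bits[1:]
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_NAMES))):
        if payload[i // 8] & (0x80 >> (i % 8)):   # bit 0 is the MSB
            names.add(KEY_USAGE_NAMES[i])
    return names

def has_key_encipherment(cert_der):
    """True when the certificate's keyUsage includes keyEncipherment."""
    usage = key_usage(cert_der)
    return usage is not None and "keyEncipherment" in usage

# Constructed samples: just the Extension SEQUENCE, not a whole certificate.
KM_EXT = bytes.fromhex("300e0603551d0f0101ff040403020520")   # critical, keyEncipherment
SIG_EXT = bytes.fromhex("300e0603551d0f0101ff040403020780")  # critical, digitalSignature only
```

A certificate that reports only digitalSignature (typical of the PIV Authentication or Digital Signature slots) will not serve as the encryption subkey of the bundle key, which is the failure the checklist above describes.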