Using Personal Identity Verification Cards with PGP Desktop


Article ID: 156452

Products

Symantec Products

Issue/Introduction

Personal Identity Verification (PIV) cards are commonly used by US government agencies. These cards can contain the following information:

Personal Information
    Name, Address, Agency, and so on
Digital Certificates
    PIV Authentication Certificate
    Key Management Certificate
    Signature Certificate
    Card Authentication Certificate
Biometric Information
    Fingerprint
    Retinal Image
    Facial Image
 
A PIV Authentication Certificate is a mandatory certificate that is used for Windows authentication. Key Management, Signature, and Card Authentication certificates are optional certificates. The Key Management certificate has the key encipherment key usage, which was required for encryption operations in previous versions of PGP Desktop. As of version 10.2.1, PGP Whole Disk Encryption does not require this certificate for disk encryption: disks can be encrypted if the card contains only a PIV Authentication Certificate. However, other operations, such as PGP NetShare file encryption, cannot be performed without a certificate that has key encipherment usage.

 

Resolution

Troubleshooting issues with PGP Desktop and PIV cards
 
Key Creation
Problem
Failed to create a PGP key on a smartcard.
Solution
A PIV card is a read-only card, and generating a new PGP key on it is not possible. On a PIV card, only a bundle key or wrapper key can be created, using X.509 certificates. By default, the option to generate a key on a token is greyed out for PIV cards if PGP Desktop recognizes the card as a read-only card.
 
Problem
When a PIV card is plugged-in, PGP Desktop prompts for PIN authentication. After the PIN is entered, bundle key creation fails.
Solution
Make sure the PGP Universal Server policy is set to import X.509 certificates as PGP bundle keys.
 
Problem
The PIV card is not detected by PGP Desktop.
Solution
1. Ensure that the PIV smartcard drivers are properly installed.
2. Verify that the PIV card is detected by the smartcard middleware.
3. If the PIV card is still not detected through a built-in smartcard reader, try to access the card with an external smartcard reader, and verify whether PGP Desktop can detect the PIV card with the external reader.
 
PGP Whole Disk Encryption
Problem
Disk failed to encrypt from PGP Desktop.
Solution
· Make sure the PIV card is supported for PGP Whole Disk Encryption.
· From the PGP WDE command line, add the smartcard key, as follows:
  pgpwde --add-user --disk 0 --token --keyid <smartcard keyid> --admin-passphrase <admin passphrase>
  If the smartcard is not supported for PGP Whole Disk Encryption, the result will be "Token not supported".
· Ensure that the key properties for the smartcard key have the PGP Whole Disk Encryption flag enabled.
· Verify that PGP Desktop is licensed for PGP Whole Disk Encryption.
Problem
Auto-encryption with a PIV card fails after enrollment.
Solution
· Make sure that the PIV card is supported for PGP Whole Disk Encryption.
· On PGP Universal Server, be sure to select the option to auto-encrypt with a supported smartcard.

Problem
PGP BootGuard authentication fails with a supported PIV card.
Solution
· If you are using a built-in smartcard reader, switch to an external card reader and try again.
· If you are using an external card reader, use a different USB port. USB 3.0 is not supported for preboot authentication with PGP Desktop.
 
Problem
Single Sign-on (SSO) fails with a PIV card.
Solution
1. Verify that the PIV card can be used to authenticate to Windows.
2. If the PIV card can be used to log in to Windows, do one of the following:
   a. Use certificate enrollment. On PGP Universal Server, set the policy to automatically encrypt using supported smartcards.
   b. Use the PGP WDE command line to add the PIV card user as an SSO user, as follows:
      pgpwde --add-user --disk 0 --token --keyid <keyid of smartcard key> --sso --admin-passphrase <admin passphrase>
 
PGP NetShare
Problem
File/folder encryption fails with a PIV smartcard bundle key.
Solution
· Verify the following:
  · The PIV card contains the Key Management Certificate, which has key encipherment usage.
  · Subkeys are created in the key properties of the smartcard key in PGP Desktop.
  · Subkeys have encryption keys.
  · Key usage in the smartcard key properties has the PGP NetShare flag enabled.
  · PGP Desktop is licensed for PGP NetShare.
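The first check above, and the key usage discussion in the introduction, both come down to whether the card carries a certificate with the keyEncipherment key usage. The following PowerShell script is an added example, not part of this article or of PGP Desktop; it assumes the PIV middleware has propagated the card's certificates into the user's personal store (Cert:\CurrentUser\My) and reports, for each certificate, its key usage, whether it carries the Smart Card Logon EKU (the PIV Authentication certificate) and whether it has keyEncipherment (a Key Management certificate candidate).

```powershell
# Added example (not from the Symantec article): inspect certificates propagated
# from an inserted PIV card and report which of them carry keyEncipherment.
# Assumption: the smartcard middleware propagates the card's certificates into
# Cert:\CurrentUser\My, which is the default behaviour on Windows.

function Get-PivCertificateUsage {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $kuType  = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $keyEncipherment = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    # Microsoft Smart Card Logon EKU; present on the PIV Authentication certificate
    $smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $ku  = $cert.Extensions | Where-Object { $_ -is $kuType }  | Select-Object -First 1
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType } | Select-Object -First 1

        $hasKeyEncipherment = $false
        if ($ku) { $hasKeyEncipherment = ($ku.KeyUsages -band $keyEncipherment) -ne 0 }

        $isSmartCardLogon = $false
        if ($eku) {
            $isSmartCardLogon = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $smartCardLogonOid })
        }

        [pscustomobject]@{
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            NotAfter          = $cert.NotAfter
            HasPrivateKey     = $cert.HasPrivateKey
            KeyUsage          = if ($ku) { $ku.KeyUsages.ToString() } else { '(none)' }
            SmartCardLogonEku = $isSmartCardLogon
            KeyEncipherment   = $hasKeyEncipherment
        }
    }
}

# A card with no certificate showing KeyEncipherment = True has no Key Management
# certificate, so a bundle key built from it cannot be used for PGP NetShare.
Get-PivCertificateUsage | Format-Table Subject, HasPrivateKey, KeyUsage, SmartCardLogonEku, KeyEncipherment -AutoSize
```

If only the PIV Authentication certificate appears (Smart Card Logon EKU, no keyEncipherment), disk encryption can still proceed on 10.2.1 and later, but the NetShare failure in this section is expected.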
 
Certificate Enrollment
Please refer to the Certificate Enrollment KB article: www.symantec.com/docs/HOWTO77022
