Using Personal Identity Verification Cards with PGP Desktop
Updated On: 29-04-2013 17:26
Personal Identity Verification cards are commonly used by US government agencies. These cards can contain the following information:
– Name, Address, Agency, and so on
– PIV Authentication Certificate
– Key Management Certificate
– Card Authentication Certificate
A PIV Authentication Certificate is a mandatory certificate that is used for Windows authentication. Key Management, Signature, and Card Authentication certificates are optional certificates. The Key Management certificate has key encipherment usage, which was required for encryption operations in previous versions of PGP Desktop. As of version 10.2.1, PGP Whole Disk Encryption does not require this certificate for disk encryption. Disks can be encrypted if the card contains only a PIV Authentication Certificate. However, other operations, such as PGP NetShare file encryption, cannot be performed without key encipherment usage.
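To check which certificates actually carry key encipherment usage before troubleshooting, the following PowerShell sketch reports the Key Usage flags of each certificate in the current user's store. It is an added example, not part of the original article or of PGP Desktop; it assumes the smartcard middleware has already copied the PIV card's certificates into `Cert:\CurrentUser\My`, and the function name `Get-CertKeyUsageReport` is hypothetical.

```powershell
# Added example: list certificates and whether they have key encipherment usage.
# Assumption: the PIV card's certificates are visible in Cert:\CurrentUser\My.
function Get-CertKeyUsageReport {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Key Usage is an optional X.509 extension, so it may be absent.
        $ku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1

        $usages = if ($ku) { $ku.KeyUsages } else { $flags::None }

        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            KeyUsages        = if ($ku) { $usages.ToString() } else { '(no Key Usage extension)' }
            KeyEncipherment  = $usages.HasFlag($flags::KeyEncipherment)
            DigitalSignature = $usages.HasFlag($flags::DigitalSignature)
        }
    }
}

$report = @(Get-CertKeyUsageReport)
$report | Format-Table Subject, KeyUsages, KeyEncipherment, DigitalSignature, NotAfter -AutoSize

# Flag the case the article describes: no certificate usable for key encipherment.
if (-not ($report | Where-Object { $_.KeyEncipherment })) {
    Write-Warning 'No certificate with key encipherment usage was found in the store.'
}
```

A card that shows only a certificate with `DigitalSignature` and no `KeyEncipherment` entry matches the case above where disk encryption works but PGP NetShare file encryption does not.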
Troubleshooting issues with PGP Desktop and PIV cards
Failed to create a PGP key on a smartcard.
A PIV card is a read-only card, and generating a new PGP key on it is not possible. On a PIV card, only a bundle key or wrapper key can be created, using X.509 certificates. By default, the option to generate a key on a token is greyed out for PIV cards if PGP Desktop recognizes the card as a read-only card.
When a PIV card is plugged in, PGP Desktop prompts for PIN authentication. After the PIN is entered, bundle key creation fails.
Make sure the PGP Universal Server policy is set to import X.509 certificates as PGP bundle keys.
The PIV card is not detected by PGP Desktop.
1. Ensure that the PIV smartcard drivers are properly installed.
2. Verify that the PIV card is detected by the smartcard middleware.
3. If the PIV card is still not detected by a built-in smartcard reader, try to access the card with an external smartcard reader. Verify whether PGP Desktop is able to detect the PIV card with the external reader.
PGP Whole Disk Encryption
Disk failed to encrypt from PGP Desktop.
· Make sure the PIV card is supported for PGP Whole Disk Encryption.
· From the PGP WDE command line, add the smartcard key, as follows: