HOW TO: Use TPM Authentication with PGP WDE - PGP Desktop 10


Article ID: 180230



This article describes how to use TPM with PGP Whole Disk Encryption.

PGP Desktop supports using the Trusted Platform Module as an additional authentication device for PGP Whole Disk Encryption if available on your hardware.

Note: TPM authentication is supported on PGP Desktop 10.0.0 through 10.2.1 MP5. Authentication through a TPM chip is supported only on Windows XP and only on the supported hardware listed below. Additionally, the feature to encrypt to a TPM has been discontinued and will not be developed further.

PGP Whole Disk Encryption is compatible with TPM version 1.1 or 1.2.

Computers that support TPM and are compatible with PGP WDE include the following:

  • Hewlett-Packard Compaq nx6325 (Infineon TPM with HP BIOS)
  • Dell D630 (Broadcom TPM)
  • Lenovo ThinkPad T60 (Atmel TPM)
  • Fujitsu LifeBook T2010 (Infineon TPM with Phoenix BIOS)
  • Panasonic Toughbook T5, W5, or Y5 (Infineon TPM with Matsushita BIOS)


Your TPM vendor may implement security features that affect usage of the TPM. Please consult the documentation for your system for information.

Note: If you clear your TPM by resetting it to factory settings, or if the system board containing the TPM is replaced, you will no longer be able to access your encrypted disk with the TPM user, because the credentials stored on the TPM are no longer accessible. Ensure that you have an alternate method of accessing your encrypted disk.


Special considerations when using TPM

  • Before you encrypt your disk, establish ownership of the TPM on your system, configure the TPM, and then reboot your system before starting the encryption process. When you take ownership, you set up a passphrase for the TPM (separate from your PGP Desktop or Windows passphrase) that is used to edit the TPM. Establishing ownership allows you to configure and use products with the TPM.
  • Ensure that you have an alternate method of authenticating to your encrypted disk. If you are using PGP WDE in a PGP Universal Server-managed environment, you can use your Whole Disk Recovery Token. If you are using PGP WDE in a standalone environment, create a passphrase user as a backup, or create a passphrase user with a USB flash device for two-factor authentication.


To use TPM with PGP Whole Disk Encryption

  1. Open PGP Desktop, then select the PGP Disk control box.
  2. Click Encrypt Whole Disk or Partition.
  3. In the User Access section, select New Passphrase User.

    Note: TPM authentication is available using a Windows Password (Single Sign-On) or as a Passphrase user.
  4. Select Use Windows Password or Create New Passphrase and click Next.
  5. Select the radio button next to Use TPM available with your hardware.
  6. Click Next, and then enter a password or passphrase for your user.
  7. Click Next.
  8. After the user is created, click the Encrypt button.
  9. Click Yes to confirm.