Symantec PGP Encryption

Windows WDE won't recognize token

  • 1.  Windows WDE won't recognize token

    Posted Feb 04, 2012 12:27 AM

    Recently purchased an Aladdin (now owned by SafeNet) eToken which isn't being recognized by PGP WDE v10.2. However, Windows Vista does recognize the Aladdin eToken, but I think I need to install the eToken-specific USB drivers for my token dongle to be recognized by PGP. The site where I purchased the eToken didn't mention anything about additional software drivers. Help...



  • 2.  RE: Windows WDE won't recognize token

    Posted Feb 04, 2012 08:28 AM

    The drivers need to be obtained from the company.  This Knowledge Base Article is a little old, but may be of help. For my personal 64 bit Windows 7 machine, I use PKIClient-x64-5.1-SP1



  • 3.  RE: Windows WDE won't recognize token

    Posted Feb 04, 2012 10:49 AM

    Tom, thank you for your speedy response!

    Setting this up is such an Enigma, but the pieces of the puzzle are beginning to come together. Every time I think that I have all of the pieces in place, I'm presented with another hurdle to jump over.

    Did they charge you for the PKIclient software, if so, how much? Will the PKIclient sw work as middleware for smartcards?



  • 4.  RE: Windows WDE won't recognize token

    Posted Feb 04, 2012 11:36 AM

    I believe this was over a year ago when I found some reference suggesting the use of this, and I just don't recall where that came from. I could also not find the file at the site; as I recall, I searched the Internet and found it available from wherever that was. I just did a Google search and found the following. It looks familiar, but I'm not able to vouch for it: http://www.aladdin-rd.ru/support/faq/etoken/category3/faq1000512/



  • 5.  RE: Windows WDE won't recognize token

    Posted Feb 04, 2012 06:18 PM

    I found the driver-free. Thanks again! I can communicate with the devices.

    Another problem has confounded me. I have already encrypted my drive, but I want to add the dual verification capability to it, now that I can communicate with the token.

    For some reason, PGP WDE won't let me add the token to the bootloader, which is only pw protected. In fact, the Trusted Platform Module capability is greyed out. I'm allowed to only keep the single verification pw in place.

    Do I need to decrypt the drive, then select the dual verification method before I reencrypt the drive?

    btw: the virtual drive option works fine with the token. It is only the WDE boot drive that won't allow me to select a token. I hope that this isn't a system board level incompatibility. Could you shed some light on this perplexity?



  • 6.  RE: Windows WDE won't recognize token

    Posted Feb 04, 2012 07:19 PM

    Was it Add User Key that you tried?  If so, what actually happened?  My laptop is using Single Sign On.  When I originally tried to see if I could add my eToken key, which was showing in PGP Desktop as an eToken key, Add User Key was grayed out.  I closed PGP Desktop and re-opened it, and it was then available.  I was then able to select it for adding, but did not hit OK, since I don't actually want it added.



  • 7.  RE: Windows WDE won't recognize token

    Posted Feb 06, 2012 12:24 AM

    Hello Tom,

    Yes, it happens when I attempt to "Add User Key" to my existing single password entry. I click Add User Key, then I'm prompted for the current non-token password. Then, after entering the password for the existing single password entry, I get a pop up error box, which states: PGP Error, Unable to add the user to the disk group.  

    I have administrator privileges, and I've tried creating various email/passwords combos on the eToken. Perhaps it's a hardware driver incompatibility, or the same user can't have more than one boot verification type. When I tried to delete the original single password verification key, pgp responded with a message stating that the original verification key can't be deleted. I could create another user account and try it from that process.

    Also, the TPM is greyed out on my system.



  • 8.  RE: Windows WDE won't recognize token

    Posted Feb 06, 2012 01:06 AM

    Please see this Knowledge Base Article



  • 9.  RE: Windows WDE won't recognize token

    Posted Feb 06, 2012 09:53 AM

    Hello Tom,

    I searched on articles concerning authentication in pre-boot phase with the USB token. Quite a few users have run into the same problem. It sounds as though you can't use a token during pre-boot authentication. That is too bad. It was one of the reasons I wanted PGP WDE. Please, let me know if you can shed some more light on this problem.

    thank you!



  • 10.  RE: Windows WDE won't recognize token

    Posted Feb 06, 2012 10:09 AM

    Yes, some people have problems with this.  The following is from the current Release Notes:

    Compatible Smart Cards and Tokens for PGP WDE BootGuard Authentication

    This section describes the system requirements (compatible smart cards/tokens and readers).

    Compatible Smart Card Readers for PGP WDE Authentication

    The following smart card readers are compatible when communicating to a smart card at pre-boot time. These readers can be used with any compatible removable smart card (it is not necessary to use the same brand of smart card and reader).

    Generic smart card readers

    Most CCID smart card readers are compatible. The following readers have been tested by Symantec Corporation:

    • OMNIKEY CardMan 3121 USB for desktop systems (076b:3021)
    • OMNIKEY CardMan 6121 USB for mobile systems (076b:6622)
    • ActivIdentity USB 2.0 reader (09c3:0008)
    • SCM Microsystem Smart Card Reader model SCR3311

    CyberJack smart card readers

    • Reiner SCT CyberJack pinpad (0c4b:0100).

    ASE smart card readers

    • Athena ASEDrive IIIe USB reader (0dc3:0802)

    Embedded smart card readers

    • Dell D430 embedded reader
    • Dell D630 embedded reader
    • Dell D830 embedded reader
    • Dell E6410 embedded reader (Broadcom)
    • Dell E6510 embedded reader (Broadcom)

    Compatible Smart Cards or Tokens for PGP WDE Authentication

    PGP Whole Disk Encryption is compatible with the following smart cards for pre-boot authentication:

    • ActiveIdentity ActivClientCAC cards, 2005 model
    • Aladdin eToken PRO 64K, 2048 bit RSA capable
    • Aladdin eToken PRO USB Key 32K, 2048 bit RSA capable
    • Aladdin eToken PRO without 2048 bit capability (older smart cards)
    • Aladdin eToken PRO Java 72K
    • Aladdin eToken NG-OTP 32K

      Note: Other Aladdin eTokens, such as tokens with flash, should work provided they are APDU compatible with the compatible tokens. OEM versions of Aladdin eTokens, such as those issued by VeriSign, should work provided they are APDU compatible with the compatible tokens.

    • Athena ASEKey Crypto USB Token
    • Athena ASECard Crypto Smart Card

      Note: The Athena tokens are compatible only for credential storage.

    • Axalto Cyberflex Access 32K V2
    • Charismathics CryptoIdentity plug 'n' crypt Smart Card only stick
    • EMC RSA SecurID 800 Rev A, B, and D

      Note: This token is compatible only for key storage. SecurID is not compatible.

    • EMC RSA Smart Card 5200
    • Marx CrypToken USB token
    • Rainbow iKey 3000
    • S-Trust StarCOS smart card

      Note: S-Trust SECCOS cards are not compatible.

    • SafeNet iKey 2032 USB token
    • SafeNet 330 smart card
    • T-Systems Telesec NetKey 3.0 smart card
    • T-Systems TCOS 3.0 IEI smart card

    Personal Identity Verification (PIV) cards

    • Oberthur ID-One Cosmo V5.2D personal identity verification cards using ActivClient version 6.1 client software.
    • Giesecke and Devrient Sm@rtCafe Expert 3.2 personal identity verification cards using ActivClient version 6.1 client software.


  • 11.  RE: Windows WDE won't recognize token

    Posted Feb 08, 2012 12:14 AM

    Hello Tom,

    My eToken is listed in the PGP WDE compatibility list, which should be suitable for pre-boot authentication. Perhaps I will need to decrypt the drive, then re-encrypt with the token?



  • 12.  RE: Windows WDE won't recognize token

    Posted Feb 08, 2012 08:29 AM

    This might make a difference for you.