Whole Disk Encryption (WDE) Frequently Asked Questions
All Harvard University owned laptops must be protected with whole disk encryption (WDE). The University considers any laptop purchased with a grant or those purchased through normal procurement methods to be University-owned. HMS IT staff will be available to assist in encrypting laptops and will soon make available free downloadable software as a self-install option.
What is Whole Disk Encryption (WDE)?
What if I don't want to install PGP?
How do I create a secure PGP passphrase?
I forgot my PGP passphrase! What do I do?
PGP can't find my keyring files. How do I locate them?
Can I change my PGP passphrase?
My department has a shared laptop. How do I create additional passphrases so that more than one person can access the computer?
How do I decrypt my computer?
Is PGP a per user license or per machine license?
What is the process for a lost laptop?
What happens when I leave Harvard and take my laptop with me?
Can't find an answer to your question?
What is Whole Disk Encryption (WDE)?
Whole (or Full) Disk Encryption is a process which, by using hardware or software, encodes the information on a computer. Decoding the information requires a password, which prevents unauthorized access to the data on your computer.
How much does PGP cost?
HMS Information Technology has licensed PGP for use on Harvard owned laptops. It is available for free to HMS/HSDM paid faculty and staff.
What if I don't want to install PGP?
HMS Information Technology encourages you to protect any sensitive information you may have stored on your computer. If you choose not to do so, you will need to submit an Encryption Waiver Form. Encryption waiver exceptions include:
- Linux OS installation
- Intel Mac with Bootcamp; FileVault enabled
- PowerPC Mac; FileVault is enabled
- BitLocker or other WDE software installed
Please contact the HMS Information Security Officer for additional information.
How do I create a secure PGP passphrase?
Your PGP passphrase needs to conform to eCommons password rules which, in effect, require a strong password.
eCommons password requirements are:
- The Password must be 8 characters or longer in length.
- The Password must contain at least one number.
- The Password must contain at least one upper case letter.
- The Password must contain at least one lower case letter.
- The Password cannot contain your first, middle or last name.
- The Password cannot contain your eCommons ID.
- The Password cannot contain the special characters ' " & < > / \ : ;
Additional information on password safety and safe computing can be found in the Security and Privacy section of the HMS IT web site.
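The eCommons rules listed above can be checked mechanically before a passphrase is set. The following Python code is an added example, not HMS IT or PGP code; the function name, the sample user, and the case-insensitive matching of names and IDs are assumptions.

```python
"""Check a candidate passphrase against the eCommons rules listed above."""

FORBIDDEN_CHARS = set("'\"&<>/\\:;")  # special characters the rules disallow


def ecommons_violations(passphrase, first="", middle="", last="", ecommons_id=""):
    """Return the list of rules the passphrase breaks (empty list = acceptable).

    Assumption: name and ID checks are case-insensitive substring matches;
    the page does not say how the real system compares them.
    """
    problems = []
    if len(passphrase) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no number")
    if not any(c.isupper() for c in passphrase):
        problems.append("no upper case letter")
    if not any(c.islower() for c in passphrase):
        problems.append("no lower case letter")

    lowered = passphrase.lower()
    for label, value in (("first name", first), ("middle name", middle),
                         ("last name", last), ("eCommons ID", ecommons_id)):
        value = value.strip().lower()
        if value and value in lowered:  # skip blank fields (e.g. no middle name)
            problems.append("contains " + label)

    bad = sorted(FORBIDDEN_CHARS.intersection(passphrase))
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


if __name__ == "__main__":
    # Constructed sample user and candidates, not real accounts.
    user = dict(first="Jane", middle="", last="Rivera", ecommons_id="jr123")
    for candidate in ("Tr4verse-Glacier", "janeRIVERA2011", "Sh0rt", "Open:Sesame9"):
        print(candidate, "->", ecommons_violations(candidate, **user) or "ok")
```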
I forgot my PGP passphrase! What do I do?
Contact the HMS IT Help Desk at 617-432-2000 or your Client Services Representative to have a temporary recovery token issued to log into your encrypted device.
PGP can't find my keyring files. How do I locate them?
If you are getting an error on startup where PGP can't find your keyring files, follow the steps below:

- Click the browse button next to the Public path and navigate to \\home.files.med.harvard.edu\PGP\ and select pubring.pkr.
- Click the browse button next to the Private path and navigate to \\home.files.med.harvard.edu\PGP\ and select pubring.pkr.
- Click Try Again.
What is a recovery token?
A recovery token is a one-time password which allows access to your encrypted device in the event that the owner has forgotten their PGP encryption passphrase.
Can I change my PGP passphrase?
You can change your PGP passphrase, with the understanding that if you are using a Windows computer, your PGP passphrase is initially set up to coincide with your eCommons password. If you change your PGP passphrase, you will need to remember two separate passwords to access your computer. For simplicity, it is recommended that you keep your PGP passphrase in sync with your eCommons password.
Change PGP Passphrase in Windows
Once the PGP Desktop application is installed on your computer, and the encryption process is completed, you can change your PGP passphrase as follows:
- From the Start menu select Programs > PGP > PGP Desktop.
- On the right side of the window, click Encrypt Whole Disk or Partition.
- Click Change Passphrase...
- Enter your current passphrase when prompted. Click OK.
- Enter your new passphrase, then enter it again to confirm the spelling. You can click the check box next to "Show Keystrokes" to display the passphrase if you wish.
- Click OK.
Change PGP Passphrase on a Macintosh Computer
Once the PGP Desktop application is installed on your computer, and the encryption process is completed, you can change your PGP passphrase as follows:
- Click the PGPDesktop icon in the menu bar.
- Choose Change Passphrase... from the menu.
- Enter your current passphrase when prompted. Click OK.
- Enter your new passphrase, then enter it again to confirm the spelling. You can click the check box next to "Show keystrokes" to display the passphrase if you wish.
- Click OK.
My department has a shared laptop. How do I create additional passphrases so that more than one person can access the computer?
Creating additional passphrases enables more than one user to access the same encrypted computer.
Creating Additional Passphrase Users on a Macintosh
Before proceeding, make sure PGP is installed on your computer and the encryption process is complete.
- Click the PGPDesktop icon in the menu bar:

- Choose Open PGP Desktop from the menu.
- Click the disk name on the left under PGP Disk. (If you don't see any disks listed, click the triangle to the right of PGP Disk.) Once the disk is selected you will see Disk Properties display on the right.
- Click the plus sign (+) under the user list and select Add Passphrase User....
- Enter a Username and a passphrase for the user. You'll need to enter the passphrase twice to ensure there are no typographical errors.
Tip: Follow eCommons password rules to ensure a secure passphrase.
- Click OK.
Creating Additional Passphrase in Windows
Before proceeding, make sure PGP is installed on your computer and the encryption process is complete.
- From the Start menu select Programs > PGP > PGP Desktop.
- Click the disk name (typically C:(Boot)) on the left under PGP Disk. Once the disk is selected you will see Disk Properties display on the right.
- Click New Passphrase User... on the bottom right under User Access.
- Select Create New Passphrase and click Next >.
- Select Proceed with passphrase authentication only and click Next >.
- Enter a Username and a passphrase for the user. You'll need to enter the passphrase twice to ensure there are no typographical errors.
Tip: Follow eCommons password rules to ensure a secure passphrase.
- Click Next >.
- Click Finish.
How do I decrypt my computer?
Once your laptop has been encrypted, you will need approval to decrypt it. Fill out a Decryption Request Form to request authorization for decryption from the HMS Security Officer.
Is PGP a per user license or per machine license?
PGP is licensed per user and can therefore be applied to multiple machines.
What is the process for a lost laptop?
If you discover or are dealing with a security breach, you should contact the Office of the General Counsel by calling 617-496-3006 or by emailing Scott_Fields@harvard.edu. The OGC will help coordinate the response to the breach.
What happens when I leave Harvard and take my laptop with me?
PGP is licensed for on-quad use on Harvard owned computers. If you are taking a computer that was purchased with Harvard funds with you when you leave, you should:
- Delete any documents not personally needed by you;
- Decrypt your hard drive. You will need to contact HMS IT to request authorization to do so.
- Remove any software purchased with Harvard funds, including PGP software. You will need to decrypt your hard drive prior to uninstalling PGP software.
Can't find an Answer to Your Question?
If you have any questions regarding PGP software or Whole Disk Encryption security policies, please contact the HMS Information Technology Help Desk at (617) 432-2000 or your Client Services Representative.
Last Updated July 12, 2011
Copyright 2013 by the President and Fellows of Harvard College.
Site Updated: 5/17/2013


