Channel: Symantec Connect - Products - Discussions

Smartcard usage with PGP WDE

I do not need a solution (just sharing information)

We have been using PGP Desktop and WDE for a while now in the enterprise and are working on integrating smart cards for physical and system access. As part of this, of course, we would like to use the smartcard to get past the PGP Bootguard screen.

I am testing with (2) Win7 x64 and (1) Win10 x64 and three different USB readers. I have verified that the boot mode is BIOS and not UEFI.

I am using SED 10.3.2 MP11 on all three.

SCM SCR3310 (roundish black and grey with wire)
SCM SCR3500 (foldable usb stick format)
Identive CLOUD 2700 R (white square with wire)

The first thing I notice is that there seems to be a bug where SED will crash when a USB reader is pulled. This happens every time on the three machines I am testing with.

In my testing the first question I see is: "Why does my 'smartcard keys' section in SED not always contain a key?" This prevents me from being able to "Add User Key" on the PGP Disk screen. The second question is: "When I do have a key, why can't I add it to the WDE?"

So to start off with, when I plug in a smartcard, SED comes up with the "Import Certificate Assistant" asking for the card passphrase (pin).

__________________________________________________

If I click cancel it will ask me a total of three times (on Win10) before giving up. It will ask once on Win7. Either way, it generates three keys which appear to be the same three IDs even on different machines. The three keys are in the "All keys" and "smartcard keys" sections.

When the card is unplugged, two of those keys will immediately become italicized visually (but the green check "unverified" only happens sometimes?). The third key remains verified, and this is the key that is available on the PGP WDE when "Add User Key" is clicked.

__________________________________________________

If I use the "Import Certificate Assistant" instead of cancelling, I enter my pin twice (once for SED and once for the card) and it generates a key on the keyring. On Win7, the certificate imports in about 4 seconds.

On Win10 it gets stuck on "generating." I waited 5 minutes and cancelled. The "cancelling" status stayed. Again, I waited for 5 minutes and then pulled the card. Another minute later the cancel button is "un-greyed" or I see a popup message "An error has occurred: bad parameters." At this point the "All keys" section may or may not contain an imported key from the smartcard. But when I plug the card back in, SED often hangs and becomes unresponsive. If there is an imported key in "All keys" it will not be in the "smartcard keys" section, so I assume that adding it to the smartcard keys is the step that fails, or is supposed to occur after whatever is failing.

That at least partially answers the question. If there is no key in "smartcard keys" then the "Add User Key" button will not be enabled on the PGP WDE screen.

In testing I have deleted the keys it adds in order to try it again. Without the card plugged in, it warns me that either a public or a private key is being deleted. I am not sure why it would be one or the other. If the card is still plugged in, I have seen a message indicating that the private key will be deleted *from the card itself* and so I unplugged the card before deleting the key because I don't know if it will really do it. I can tell visually which keys are generated from my card because the last name is always in caps.

Referencing these links shared by Mike Ankeny (Thank you) I tried to generate a new key on the smartcard. The checkbox is there and is populated by the smartcard manufacturer and model (NXP JCOP31 80K) but the box is greyed out. That shows me that SED recognizes the card (and the fact that the personal cert from it has already been imported.) This could be simply my lack of knowledge about it; maybe a smartcard is not a valid token type to generate a key on.

Moving toward adding a key to the WDE:

On a machine that has a smartcard key and WDE, I select the PGP Disk tab and the disk. The "Add User Key" button is greyed out unless the smartcard is plugged in AND the "smartcard keys" section contains the key. If I have those two items it allows me to click the button and select the key in the list. There is only #3 (of 3 created) in the list. The "Smartcard keys" tab at the top of the key selection box is the only one I can choose. But once I choose the key and enter the disk passphrase, I see the message "Unable to add the user to the disk group" and the user is not added. There is nothing in the SED log about why it does not work.

I was able to add the user once by unplugging the card while on the PGP Disk screen and using the dropdown above the WDE user list and choosing the key (again it was the only one available, but the ID is #1 of 3 created). Then it added the user. I deleted the user from the WDE, played with it a bit, and have not been able to repeat that process successfully with the card in the reader. I was able to pull the card while on the PGP Disk screen (the button didn't disable), and when I added the key at that time there was no complaint. The key stuck with the WDE through a boot; however, none of my USB readers would light up at the bootguard screen and the bootguard F7 token entry didn't take. According to the helpfile:

Note: Token authentication in PGP BootGuard requires pressing Ctrl+Enter instead of just Enter. You may also experience some delay during the authentication of tokens in PGP BootGuard. For Windows systems booting in UEFI mode, token-based authentication is not available.

But the "Ctrl + Enter" option does nothing but type an extra invalid character (shown if characters are displayed).

Occasionally when testing, while unplugging and re-plugging the card, SED would fail to update the key status on the keys screen. The card would be plugged in and yet the keys would remain unverified and the smartcard keys section would show nothing. When this happened I would have to stop and restart SED and the PGP services.

I would love to know what I'm missing if anyone has insight.

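The post hinges on two prerequisites the helpfile note spells out: token authentication at BootGuard only works when Windows boots in legacy BIOS mode, and Windows must actually enumerate the USB reader. The following PowerShell pre-flight check is an added example, not part of the original post and not Symantec's code. It assumes an elevated prompt (bcdedit needs it), uses the fixed Windows setup-class GUID for smart card readers so it also works on Windows 7 where `$env:firmware_type` does not exist, and treats the `pgpwde` command and its `--list-user --disk 0` options as an assumption to confirm against `pgpwde --help`.

```powershell
# Added example (not from the original post or from Symantec): pre-flight
# checks for the prerequisites the thread turns on. Run from an elevated
# PowerShell prompt because bcdedit requires administrator rights.

function Get-FirmwareType {
    # Windows 8 and later expose the boot mode directly as 'Legacy' or 'UEFI'.
    if ($env:firmware_type) { return $env:firmware_type }

    # Windows 7 fallback: the boot loader path in the current BCD entry
    # reveals the mode (winload.efi = UEFI, winload.exe = legacy BIOS).
    $bcd = & bcdedit /enum '{current}' 2>$null
    $pathLine = $bcd | Where-Object { $_ -match '^\s*path\s+' }
    if ($pathLine -match 'winload\.efi') { return 'UEFI' }
    if ($pathLine -match 'winload\.exe') { return 'Legacy' }
    return 'Unknown'
}

function Get-SmartCardReaders {
    # {50DD5230-...} is the setup-class GUID Windows assigns to smart card
    # readers; filtering Win32_PnPEntity on it works on Windows 7 and 10.
    $readerClass = '{50DD5230-BA8A-11D1-BF5D-0000F805F530}'
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $readerClass } |
        Select-Object Name, Status, DeviceID
}

function Test-PgpTokenPrereqs {
    $result = New-Object PSObject -Property @{
        FirmwareType     = Get-FirmwareType
        # SCardSvr is the Windows Smart Card service; readers are useless without it.
        SmartCardService = (Get-Service -Name SCardSvr).Status
        Readers          = @(Get-SmartCardReaders)
    }
    # Per the PGP helpfile, token auth at BootGuard needs a legacy BIOS boot;
    # it also obviously needs at least one reader that Windows can see.
    $possible = ($result.FirmwareType -eq 'Legacy') -and ($result.Readers.Count -gt 0)
    $result | Add-Member -MemberType NoteProperty -Name TokenAuthPossible -Value $possible
    return $result
}

$check = Test-PgpTokenPrereqs
$check | Format-List FirmwareType, SmartCardService, TokenAuthPossible
$check.Readers | Format-Table -AutoSize

# Assumption, not verified here: the PGP WDE command-line tool is pgpwde and
# supports '--list-user --disk 0'. Confirm the option names with 'pgpwde --help'.
if (Get-Command pgpwde -ErrorAction SilentlyContinue) {
    & pgpwde --list-user --disk 0
}
```

If `TokenAuthPossible` comes back `$false` with the card in the reader, the problem is below PGP (boot mode or reader enumeration) rather than in the keyring; if it is `$true` and the readers show `Status = OK`, the remaining suspects are the SED key-import and disk-group steps described in the post.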
