HOW TO: Regenerate Whole Disk Recovery Tokens
|Article:HOWTO42118|||||Created: 2009-12-30|||||Updated: 2011-02-10|||||Article URL http://www.symantec.com/docs/HOWTO42118|
This article details how to regenerate/update a Whole Disk Recovery Token.
In certain instances, PGP Desktop clients may need to regenerate/update a Whole Disk Recovery Token (WDRT).
A Whole Disk Recovery Token for a user can be regenerated/updated by re-enrolling the client (manual or automatic) or by using the pgpwde command line (manual or automatic).
|Note: Manually re-enrolling PGP Desktop clients will only regenerate WDRTs if the user policy is configured to Automatically encrypt (Boot Disk/Windows partitions) at installation.
If this policy option is disabled, you must regenerate the WDRT via the pgpwde command line using the directions below.
For information on re-enrolling PGP Desktop for Windows clients, click here
For PGP Desktop for Mac clients prior to version 10.x, you must decrypt your system and re-encrypt your system to regenerate the WDRT. For versions of PGP Desktop 10.0 and above, use the steps in the following article.
For information on re-enrolling PGP Desktop for Mac OS X clients, click here
PGP Universal Server administrators can download a batch or executable to automate the PGP Enrollment Assistant for clients to update Whole Disk Recovery Tokens.
The batch file and executable perform the following actions:
- Stops the PGP Services.
- Deletes the PGPprefs file in the Application Data\PGP Corporation\PGP folder for the user.
- Restarts PGP Services.
After PGP Services are restarted, the PGP Enrollment Assistant displays and the user is prompted to re-enroll.
This batch file can be downloaded below.
An executable for re-enrolling the client which will then generate a WDRT can be downloaded below.
- Deploy the batch/executable file to your clients.
- Execute the batch/executable file on the client user's computer to regenerate the WDRT.
Regenerate Whole Disk Recovery Tokens using the pgpwde command line
Client Whole Disk Recovery Tokens (WDRT) can be regenerated by using a pgpwde command line tool on the client computer or by using a script on the client computers.
Use the following syntax to regenerate the WDRT from the command line using the pgpwde. The following commands can be created as a script to regenerate WDRTs for PGP Desktop clients.
When using PGP Desktop 9.9 and above, use the following command:
pgpwde --new-wdrt --disk 0 --admin-passphrase $passphrase
This will prompt the user to enter their passphrase.
When using PGP Desktop 9.8 and below, use the following command:
pgpwde --list-user --disk 0
This lists the PGP Whole Disk Encryption users.
pgpwde --new-wdrt --disk 0 --user $username --passphrase $passphrase
This will prompt the user to enter their user name from the list and their passphrase.
You can also use the command pgpwde --disk-status --disk 0 to confirm the disk is encrypted.
PGP Universal Server administrators can deploy this script to automate regeneration of Whole Disk Recovery Tokens.
This script file can be downloaded below.
This script determines the client version of PGP Desktop, lists the user for versions prioir to 9.8 and then prompts for the user passphrase.
To use a script
- Deploy the script to the client users computer Startup folder.
- After the user logs on to the computer, the users are prompted to type the PGP Whole Disk Encryption passphrase.
- Click OK
A new WDRT is regenerated for the user and sent to the PGP Universal Server.
Article URL http://www.symantec.com/docs/HOWTO42118