PGP BootGuard Screen Remains after Decrypting Disk

Article:TECH148944  |  Created: 2006-09-01  |  Updated: 2013-06-10  |  Article URL
Article Type
Technical Solution


After decrypting a PGP Whole Disk Encrypted hard disk, upon reboot you are still prompted to enter your passphrase.

Although the hard drive was decrypted, the hard drive is still booting using the PGPMBR or is instrumented by the PGP BootGuard and requires a passphrase to boot.




Uninstrument the drive in question to remove PGP BootGuard instrumentation from the specified disk.

Use the following steps to determine if the hard drive is still encrypted or instrumented by PGP BootGuard:

1. Click Start > Run and type: cmd and press the Enter.
2. Type cd\, enter.
3. Type cd Program Files, enter.
4. Type cd PGP Corporation, enter.
5. Type cd PGP Desktop, enter.
6. Next, type pgpwde --enum and press the enter key. This command will show you the current drives detected by PGP Desktop. The disks will be labeled Disk 0, Disk 1, Disk 2 etc.  Disk 0 is typically the boot volume or drive.
7. On the disk you believe was Whole Disk encrypted, type pgpwde --status --disk 0 (or the disk number in question) and press Enter.

This will show the status of the disk. If the drive is still encrypted or partially encrypted, it will list a highwatermark value for the disk. The highwatermark is how many sectors are encrypted. If no highwatermark listed, but says "Disk 0 is instrumented by bootguard", then you need to uninstrument the disk.

If the disk still displays a highwatermark, you will still need to decrypt the drive. If the PGP Desktop graphical interface does not allow you to decrypt, you may also decrypt from a command line. Only use the command line interface if the PGP Desktop interface does not allow you to enter a passphrase and decrypt normally.


Caution: If any fixed disks are encrypted, decrypt them before you uninstrument disk 0. PGP BootGuard does not know if required system files exist on other fixed disks, therefore, when any fixed disk is encrypted, the main boot disk is instrumented as well. Before you uninstrument the boot disk, other disks should be decrypted.

Decrypting from a Command Line

1. From the command line, type pgpwde --decrypt --disk 0 (or the disk in question) --passphrase "enter passphrase here within double quotes" and press the Enter key. The disk will then decrypt and the PGP Tray icon displays in the system tray to show you decryption is in progress.

2. Once decryption is complete, see if the disk is still instrumented by typing pgpwde --status --disk 0. If the drive is not encrypted, the hard drive should boot normally. If the drive is still instrumented, but no highwatermark is displayed, proceed to the next step.

Uninstrumenting PGP BootGuard

1. From the command line, type pgpwde --uninstrument --disk 0 (or for the disk in question) and press Enter. You will then be returned to the command prompt with no further message.
2. This should uninstrument the drive and allow you to boot normally. Type pgpwde --status --disk 0 to verify success.
3. Reboot the computer and you should no longer be prompted for a passphrase.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices