User able to decrypt disk using Recovery CD despite being prohibited by server policy

Article:TECH149198  |  Created: 2008-08-06  |  Updated: 2012-01-31
Article Type
Technical Solution


PGP Universal Server versions 2.9.0 to 2.12 allow administrators to apply a more granular PGP Whole Disk Encryption policy to managed PGP Desktop clients. Administrators can configure various permissions for user-initiated PGP Whole Disk Encryption for internal and removable disks.





In a PGP Universal Server managed environment, users are still able to decrypt a disk using the WDE Recovery CD even though the policy is configured not to allow decryption of internal disks. This happens because the option Store decryption policy on fixed disks is not selected for the policy.

When the policy for WDE is configured to not allow user-initiated decryption, this only prevents users from decrypting the internal disk from the PGP Desktop interface. Selecting the option Store decryption policy on fixed disks for a policy allows administrators to enforce the user-initiated decryption policy for internal disks whether decryption is attempted from the PGP Desktop interface or the Recovery CD.

To enable the Store decryption policy on fixed disks option:


  1. Log in to the PGP Universal Server administrative interface.
  2. Click Policy > Internal User Policy.
  3. Select the desired policy to edit from the Internal User Policy card.
  4. From the Policy Options, click the Edit... button next to PGP Desktop Settings.
  5. Select the WDE tab.
  6. Confirm that the checkmark next to Allow Decryption for the desired disk type is removed.
  7. Under User-initiated Whole Disk Encryption Permissions, place a checkmark next to Store decryption policy on fixed disks for the desired disk type.
