Drive Encryption Diagnosis and Recovery - Symantec Drive Encryption & PGP Whole Disk Encryption

Article:TECH149679  |  Created: 2010-01-04  |  Updated: 2014-02-03  |  Article URL http://www.symantec.com/docs/TECH149679
Article Type: Technical Solution


Issue



This article provides tools and steps to diagnose and recover disks that are encrypted with Symantec Drive Encryption (previously PGP Whole Disk Encryption). 


 


Solution



Section 1 describes some symptoms that users with encrypted disk problems may encounter. Section 2 provides procedures for using the PGPWDE command line interface. Section 3 details use of the Recovery Disk.

Note: If a system hard disk has been "fully" decrypted and will not boot, first attach the disk as a slave (secondary) drive and back up all your data, or make a bit-by-bit copy of the disk. Then connect the hard disk back to the system and run the fixmbr command from the Windows Recovery Console on a Windows XP installation CD.

 

SECTION 1 - Symptoms

On rare occasions internal or external disks that are encrypted may experience the following issues:

  • Inability to decrypt or read the contents of a secondary or non-system disk.
  • System displays "Error loading operating system_" after entering the passphrase at the PGP BootGuard screen.
  • Master Boot Record (MBR) corruption causing the system to no longer boot.
  • After starting the system with the hard disk encrypted to a passphrase and an eToken, valid passphrases are not accepted.
     

1. Users able to access their encrypted disk from Windows should proceed to Section 2.

2. Users unable to access their disk from Windows or who are unable to boot should proceed to Section 3.

 

SECTION 2 - PGPWDE Command Line 

The following commands will help diagnose and decrypt the disk. Other commands can be listed by typing pgpwde --help.

1. To begin working with the PGPWDE command line tool, open a command prompt and change to the PGP installation directory (default: C:\Program Files\PGP Corporation\PGP desktop).

2. To list all installed hard disks in the system type: pgpwde --enum. Entering this command displays a list of disks which the following steps reference.

3. Type pgpwde --status --disk 1. In the command, substitute the PGP WDE disk number listed in the previous step for the number 1 if it is different. The output of this command tells you whether the disk is still encrypted. 
 

  • If the disk is not encrypted, "Disk <number> is not instrumented by bootguard" will be the output.
  • If the disk is encrypted, the output will display:

    "Disk <number> is instrumented by Bootguard."
    The total number of sectors.
    A Highwater value (number of sectors encrypted).
    Whether the current key is valid.

4. Type pgpwde --list-user --disk 1. This provides the user information contained on the disk. This will help in multi-user environments to determine which user passphrase was used for Drive Encryption.

5. Type pgpwde --decrypt --disk 1 --passphrase {MYPASSWORDHERE}. This will start the decryption process. To view progress, type the status command listed in step 3 and note the Highwater number. This number will get smaller and smaller as the number of sectors encrypted decreases. 
 

6. If your primary partition was formatted and your secondary partition is still encrypted, you may try to recover it by following TECH170574.
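The status check in step 3 and the progress check in step 5 can be scripted over captured pgpwde --status output. The following is an added example, not Symantec code: the two "instrumented by bootguard" sentences are quoted from this article, while the sector and key field labels in the constructed samples are assumptions and may need adjusting to the output of your version.

```python
import re

# Constructed sample outputs. The two "instrumented by bootguard" sentences are
# quoted in the article; the sector and key field labels are assumed.
SAMPLE_ENCRYPTED = """Disk 1 is instrumented by Bootguard.
  Current key is valid.
  Total sectors: 1000000 highwater: 1000000
"""
SAMPLE_DECRYPTING = SAMPLE_ENCRYPTED.replace("highwater: 1000000", "highwater: 250000")
SAMPLE_PLAIN = "Disk 1 is not instrumented by bootguard.\n"


def parse_status(text):
    """Parse one captured `pgpwde --status --disk N` output into a dict."""
    m = re.search(r"Disk\s+(\d+)\s+is\s+(not\s+)?instrumented\s+by\s+bootguard", text, re.I)
    if not m:
        raise ValueError("unrecognised status output")
    info = {"disk": int(m.group(1)), "instrumented": m.group(2) is None}
    if not info["instrumented"]:
        return info
    total = re.search(r"total\s+sectors\D*(\d+)", text, re.I)
    high = re.search(r"highwater\D*(\d+)", text, re.I)
    key = re.search(r"current\s+key\s+is\s+(not\s+|in)?valid", text, re.I)
    if not (total and high):
        raise ValueError("sector counts missing from status output")
    info["total"] = int(total.group(1))
    info["highwater"] = int(high.group(1))
    info["key_valid"] = None if key is None else key.group(1) is None
    return info


def percent_encrypted(info):
    """Share of the disk still encrypted (Highwater / total sectors)."""
    if not info["instrumented"] or not info["total"]:
        return 0.0
    return 100.0 * info["highwater"] / info["total"]


def classify_run(outputs):
    """Classify a decryption from successive status outputs, oldest first."""
    infos = [parse_status(o) for o in outputs]
    if not infos[-1]["instrumented"]:
        return "decrypted"
    marks = [i["highwater"] for i in infos if i["instrumented"]]
    if len(marks) < 2:
        return "unknown"
    if marks[-1] < marks[-2]:
        return "progressing"
    return "stalled" if marks[-1] == marks[-2] else "unexpected"
```

A "stalled" or "unexpected" result between two polls is a cue to stop and re-check the disk with the status and list-user commands before doing anything else to it.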

 

SECTION 3 - Using Recovery Disk Images (bootg.iso or bootg.img)

Warning: The recovery disks should be used only as the last step when attempting recovery. Should there be a power loss while decrypting with the recovery disk, the damage to the disk could be fatal and non-recoverable. It is also highly recommended to use the latest recovery disk available for the version you are running.

Recovery Images can be obtained by following the links below:

Windows

 

Mac OS X

 

Caution: Users whose encrypted hard disks contain extended partitions should ONLY use the latest available Recovery disk for their version. Prior versions could cause these partitions to no longer be visible to Windows after fully decrypting the disk.

Once you have started to decrypt a disk or partition using a recovery CD, do not stop the decryption process. Depending on the size of the disk being decrypted, this process can take a long time. A faster way to decrypt the drive is to use another system that has the same version of Encryption Desktop/PGP Desktop installed on it.

 

Use the Recovery Disk with the following instructions if experiencing blue screen failures at boot up:

1. Boot the system with the recovery disk.

2. Do not continue with the normal sequence of entering a passphrase.

3. Go to the "advanced" panel.

4. This message "PGPWDE record inconsistency on 1 disk(s) was found and fixed" might be displayed. If this message is seen, the BSOD (blue screen failure) will be fixed.

5. Return to the previous screen and continue to boot from the recovery CD. Rebooting without the Recovery Disk in the drive also works.

 

Use the Recovery Disk with the following instructions should the system not boot into Windows for any other reason:

The Symantec Encryption Desktop for Windows User's Guide provides instructions for creating recovery disks. 

  1. Boot the system with the recovery disk.
  2. When prompted, press any key to continue. Drive Encryption Recovery searches for user records and prompts to press any key when the records are found.
  3. Press any key to continue.
  4. On the PGP BootGuard screen, enter the passphrase and user name, if required.
  5. Press D to decrypt the drive. Drive Encryption Recovery starts decrypting your disk.
     

Note: Decrypting using a Recovery disk might take considerably more time than it does from within Windows.

 



Legacy ID: 1850

