Interaction Issue with FileVault 2 on Mac OS X and Symantec PGP Desktop: Avoidance and Remediation

Article:TECH173502  |  Created: 2011-11-02  |  Updated: 2014-11-06  |  Article URL http://www.symantec.com/docs/TECH173502
Article Type: Technical Solution

Issue

This article describes an interaction issue between Apple’s FileVault 2 technology and Symantec PGP Desktop as of the Mac OS X 10.7.2 update. Prior versions of FileVault 2 in Mac OS X 10.7.1 and 10.7.0 do not exhibit this behavior.

This article provides steps to avoid this behavior, and remediation steps to fix a machine which has encountered the problem.
Note: Because it is not possible to use Symantec PGP Desktop’s Whole Disk Encryption functionality at the same time as FileVault 2, this does not affect users who are using Symantec PGP Desktop’s encryption functionality.

Problem Description

The problem occurs as soon as FileVault 2 is used to encrypt a drive on a machine that has Symantec PGP Desktop installed. As soon as the machine is rebooted after initiating encryption, the machine is left in an unbootable state.
The root cause appears to be an interaction between Symantec PGP Desktop’s disk filter driver and the FileVault functionality. The disk filter driver is in a “pass through” state, that is, it allows disk operations to be performed unaltered. Even so, once FileVault 2 is enabled, the driver triggers an error that interrupts the boot process.

Solution



Avoidance
For users who wish to continue to use Symantec PGP Desktop in conjunction with FileVault 2, the following manual steps need to be performed to disable Symantec PGP Desktop’s disk filter driver:
 
1. On the system where you intend to use Symantec PGP Desktop together with FileVault 2, open Terminal and type:
                $ cd /System/Library/Extensions
                $ sudo mv PGPwde.kext /Users/Shared/
                  (after this command, enter your OS X password at the password prompt)
                $ cd /System/Library/Caches/com.apple.bootstamps/<tab>
                  (press the Tab key to complete the directory name, then press Enter)
                $ pwd
 
2. You should now be in a directory named like this:
                 /System/Library/Caches/com.apple.bootstamps/D7887679-6DFD-3C78-8846-0360E6DD2CC1
               
3. Continue typing in Terminal:
                $ sudo rm \:System\:Library\:Caches\:com.apple.kext.caches\:Startup\:kernelcache
                $ cd /System/Library/Caches/com.apple.kext.caches/Startup
                $ sudo rm kernelcache
 
4. Quit Terminal and reboot OS X. 
 
Remediation
For users who have encountered this issue, the following instructions describe how to recover access to their machines.
 
For machines with Thunderbolt ports, the machines will need to be reimaged. We have not yet determined a better recovery path for these machines. It is possible to back up data from the machines’ hard drives using target disk mode. Please refer to Apple’s support website or contact Apple support for more detailed information on how to perform this procedure.
 
For machines with FireWire ports, the following steps allow recovery of the machine without loss of data or reimaging:
 
1. You will need a second Lion host system to connect to the affected machine and repair its disk using target disk mode. Turn off the affected system. Connect the FireWire cable between the affected system and the second system.

   Now press and hold the 'T' key on the keyboard of the affected system as you press the power button. Continue to hold the T key until you see the Target Mode icon on the screen. On the other system you should see a prompt asking you to authenticate to the drive. Enter the password for your user on the target system. Now determine the name of the mounted volume. You can see this from the icon that appears on your Desktop or by looking in Finder.

2. Open Terminal. At the prompt type:
   $ sudo chroot /Volumes/<name of the mounted disk>

   For example, "sudo chroot /Volumes/Macintosh\ HD". Because of the chroot command, all of the following commands affect the mounted volume and _NOT_ your host system. Do not skip this step!

3. Type the following:
   # cd /System/Library/Extensions
   # mv PGPwde.kext /Users/Shared/
   # cd /System/Library/Caches/com.apple.bootstamps/<tab>
     (press the Tab key to complete the directory name, then press Enter)
   # pwd

   You should now be in a directory named as follows:
   /System/Library/Caches/com.apple.bootstamps/D7887679-6DFD-3C78-8846-0360E6DD2CC1

   Continue typing:
   # rm \:System\:Library\:Caches\:com.apple.kext.caches\:Startup\:kernelcache
   # cd /System/Library/Caches/com.apple.kext.caches/Startup
   # rm kernelcache
   # exit
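
The Avoidance and Remediation procedures above perform the same file operations, so both can be captured in one script. The following is an added example, not Symantec's code: the function name disable_pgpwde and its volume-root argument are assumptions, and it works on a path prefix instead of chroot and loops over every com.apple.bootstamps subdirectory instead of relying on tab completion.

```shell
#!/bin/sh
# Added example, not from the Symantec article. disable_pgpwde is a hypothetical
# helper. Its argument is an assumption of this example: "/" for the running
# system, or the mount point of the affected disk ("/Volumes/Macintosh HD").
# On a real system it must run as root.
disable_pgpwde() (
    [ -n "${1:-}" ] || { echo "usage: disable_pgpwde <volume root>" >&2; exit 64; }
    root=${1%/}    # "/" becomes "", so the paths below stay absolute
    ext="$root/System/Library/Extensions"
    caches="$root/System/Library/Caches"
    stamp=':System:Library:Caches:com.apple.kext.caches:Startup:kernelcache'

    # Refuse to touch a tree that does not look like an OS X system volume.
    [ -d "$ext" ] || { echo "not a system volume: $1" >&2; exit 2; }

    # Move the disk filter driver out of the Extensions directory.
    if [ -d "$ext/PGPwde.kext" ]; then
        mv "$ext/PGPwde.kext" "$root/Users/Shared/" || exit 1
        echo "moved PGPwde.kext to $root/Users/Shared/"
    else
        echo "PGPwde.kext not found in $ext, nothing to move"
    fi

    # Remove the kernelcache bootstamp from every subdirectory of
    # com.apple.bootstamps (replaces the <tab> completion of the manual steps).
    for dir in "$caches"/com.apple.bootstamps/*/; do
        [ -d "$dir" ] || continue    # the glob matched nothing
        rm -f "$dir$stamp" || exit 1
    done

    # Remove the kernel cache file itself, as in the last manual step.
    rm -f "$caches/com.apple.kext.caches/Startup/kernelcache" || exit 1
)

# Run only when a volume root is given on the command line.
[ "$#" -eq 0 ] || disable_pgpwde "$1"
```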


