Unable to write to PGP Whole Disk Encrypted Disks with PGP Endpoint WDE Detection Enabled

Article:TECH183033  |  Created: 2012-03-05  |  Updated: 2012-03-05  |  Article URL http://www.symantec.com/docs/TECH183033
Article Type: Technical Solution


Problem



PGP Endpoint has the ability to block writing to a device if the device is not encrypted with PGP Whole Disk Encryption. This setting is toggled in the Permissions settings of the PGP Endpoint policy, under the option called “PGP Whole Disk Encryption (WDE)”.

With this setting checked and with the Permissions for the device set to Read Write, if the device is encrypted with PGP Whole Disk Encryption, the user will be able to write to the disk. If the disk is not encrypted with PGP Whole Disk Encryption, then this parameter will block writing to the disk and the user will receive an error:
 
Cannot copy: Access is Denied.
Make sure the disk is not full or write-protected and that the file is not currently in use.

Cause



 

The drive in question is not encrypted with PGP Whole Disk Encryption, or Partition Encryption was used.


Solution



Make sure the disks are in fact encrypted with PGP Whole Disk Encryption.

If the disks are encrypted with PGP Whole Disk Encryption, another scenario exists in which PGP Endpoint will prevent writing to the disks if the disks were encrypted using Partition Encryption.
 
Check to see if the entire device was encrypted, or if partition encryption was used.
 
To determine whether the drive was encrypted with partition encryption, check the result of the following command.
 
1. Go to the command prompt.
2. Type: cd\
3. This should take you to the root drive C:\ in most cases.
4. For 32-bit operating systems, type: cd program files <enter>
5. For 64-bit operating systems, type: cd program files (x86) <enter>
6. Next, type: cd pgp corporation <enter>
7. Type: cd pgp desktop <enter>
8. You should now be at the C:\program files [(x86)]\PGP Corporation\PGP Desktop> prompt.
9. Type: pgpwde --disk-status --disk X where X is the disk number
 
If the following result is displayed for disk 0, the entire disk is encrypted:
 
Disk 0 is instrumented by bootguard.
 Current key is valid.
Whole disk encrypted
 
If the following result is displayed, the disk was encrypted with partition encryption:
 
Disk 0 is instrumented by bootguard.
 Current key is valid.
volume X is encrypted
 
If the disk was encrypted using the partition disk encryption method, decrypt the disk and re-encrypt the entire disk to allow writing to the disk.
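The check above can be scripted so that an administrator can classify many machines consistently instead of reading the pgpwde output by eye. The following Python script is an added example and is not part of the Symantec article or the PGP Desktop product. It assumes pgpwde.exe sits in one of the two PGP Desktop folders the article lists, that its output contains the phrases the article shows ("Whole disk encrypted" or "volume X is encrypted"), and that any output matching neither phrase means the disk is not whole-disk encrypted. The sample outputs embedded at the bottom are constructed from the shapes shown in the article so the classification logic can be exercised offline.

```python
"""Classify a disk's PGP WDE state from the output of
``pgpwde --disk-status --disk X`` (the command in step 9 of the article).

Added example, not code from the Symantec article or from PGP Desktop.
"""
import os
import re
import subprocess
from typing import Optional

# Candidate install paths for pgpwde.exe, taken from steps 4-8 of the article
# (32-bit and 64-bit Windows respectively).
PGPWDE_CANDIDATES = [
    r"C:\Program Files\PGP Corporation\PGP Desktop\pgpwde.exe",
    r"C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpwde.exe",
]

WHOLE_DISK = "whole-disk"        # PGP Endpoint permits writes
PARTITION = "partition"          # blocked: decrypt, then re-encrypt the entire disk
NOT_ENCRYPTED = "not-encrypted"  # blocked: encrypt the disk with PGP WDE first

# Phrases shown in the article; matched case-insensitively, one per line.
_WHOLE_RE = re.compile(r"^\s*whole disk encrypted\s*$", re.IGNORECASE | re.MULTILINE)
_VOLUME_RE = re.compile(r"^\s*volume\s+\S+\s+is\s+encrypted\s*$", re.IGNORECASE | re.MULTILINE)


def classify_disk_status(output: str) -> str:
    """Map pgpwde --disk-status text to one of the three states above.

    Anything that matches neither phrase is treated as not whole-disk
    encrypted (assumption: the article shows no output for that case).
    """
    if _WHOLE_RE.search(output):
        return WHOLE_DISK
    if _VOLUME_RE.search(output):
        return PARTITION
    return NOT_ENCRYPTED


def find_pgpwde() -> Optional[str]:
    """Return the first candidate path that exists, or None."""
    for path in PGPWDE_CANDIDATES:
        if os.path.isfile(path):
            return path
    return None


def query_disk(disk_number: int) -> str:
    """Run the article's command for one disk and classify the result."""
    exe = find_pgpwde()
    if exe is None:
        raise FileNotFoundError("pgpwde.exe not found in the expected PGP Desktop folders")
    result = subprocess.run(
        [exe, "--disk-status", "--disk", str(disk_number)],
        capture_output=True, text=True, check=False,
    )
    return classify_disk_status(result.stdout + result.stderr)


# Constructed sample outputs, modelled on the shapes the article shows.
SAMPLE_WHOLE = "Disk 0 is instrumented by bootguard.\n Current key is valid.\nWhole disk encrypted\n"
SAMPLE_PARTITION = "Disk 0 is instrumented by bootguard.\n Current key is valid.\nvolume C: is encrypted\n"
SAMPLE_PLAIN = "Disk 1 is not instrumented by bootguard.\n"  # constructed; not shown in the article

if __name__ == "__main__":
    for label, text in (("whole", SAMPLE_WHOLE), ("partition", SAMPLE_PARTITION), ("plain", SAMPLE_PLAIN)):
        print(label, "->", classify_disk_status(text))
```

Run `query_disk(0)` on the affected machine to check disk 0; a result of "partition" corresponds to the case the article describes, where the disk must be decrypted and re-encrypted in full before PGP Endpoint will permit writes.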
 
***NOTE***
A good test to confirm that this is the cause is to disable the option that requires Whole Disk Encryption in order to write to the disk. If writing to the disk is still blocked with this option disabled, then the disk needs to be added to the allowed device group.
 
The reasoning behind this logic is that although certain partitions are encrypted, and data written to those partitions would be secured, there is no method to determine which partition the data is being written to, what type of data is being written to a specific partition, or whether that partition is encrypted.
 
In other words, PGP Endpoint checks to see if the disk is fully encrypted, and if it is not, then it will not allow writing to the disk. Partition encryption does not constitute the entire drive being encrypted and we cannot guarantee the data will be secured in this case.
 
In order for PGP Endpoint to guarantee it is safe to use, the entire device must be encrypted, which would mean data written to the disk would be secured via PGP Whole Disk Encryption.


