How to Retrieve a Whole Disk Recovery Token from the Symantec Encryption Management Server Database

Article:TECH185688  |  Created: 2012-04-03  |  Updated: 2013-10-28  |  Article URL
Article Type
Technical Solution



If an Encryption Desktop or PGP Desktop user forgets their passphrase and does not have Local Self Recovery (LSR) enabled, they will need to obtain a Whole Disk Recovery Token (WDRT) from a server administrator.

If the WDRT cannot easily be found in the server's administrative interface, you can use the steps below to find the WDRT for a user in the Encryption Management Server (previously PGP Universal Server) database.


Accessing the Symantec Encryption Management Server (SEMS) command line for read-only purposes (such as to view settings, services, logs, processes, disk space, query the database, etc) is supported. However, performing configuration modifications or customizations via the command line may void your Symantec Support agreement unless the following procedures are followed.

Any changes made to SEMS via the command line must be:

  • Authorized in writing by Symantec Support.
  • Implemented by a Symantec Partner, reseller or Symantec Technical Support.
  • Summarized and documented in a text file in /var/lib/ovid/customization on the Encryption Management Server itself.

Changes made through the command line may not persist through reboots and may be incompatible with future releases. Symantec Technical Support may also require reverting any custom configurations on SEMS back to a default state when troubleshooting new issues.

To search for the WDRT in the SEMS database, do the following:

  1. On the client computer, with the PGP BootGuard screen displayed, ask the user to go to the Advanced screen.
    1. Press the TAB key.
    2. Press the cursor down key to select Advanced.
    3. Press the Enter key.
  2. The Advanced screen shows the boot partition selected by default.  There are 2 fields displayed:
    1. Computer
    2. Computer ID
  3. If you feel the user can accurately write down the Computer ID then you can use this query, replacing ComputerID with the "Computer ID" shown at the PGP BootGuard. The last row should show the correct WDRT.

    psql oviddb ovidr -c "select device_id, recovery_token, synchronized_date, last_accessed_date from whole_disk_recovery_token where device_id = 'ComputerID' order by last_accessed_date asc;"
  4. If you feel it is easier for the user to tell you the Computer name (usually much shorter) then this query can be used, replacing Computer with the "Computer" shown at PGP BootGuard. The last row should display the correct WDRT.

    Note: The last_accessed_date column is the important one here even though this date may be considerably older than desktop_lastseen date. If the computer has multiple users then there will be multiple rows showing the same WDRT, one for each user.

    psql oviddb ovidr -c "SELECT primary_email_address, desktop_lastseen, cm.machine_id, cm.domain, cm.hostname, pgp_desktop_version, ad.uuid as device_id, as device_name, wdrt.recovery_token, wdrt.synchronized_date, wdrt.last_accessed_date FROM internal_user iu LEFT JOIN internal_user_client_machine iucm on iucm.internal_user_uuid = iu.uuid LEFT JOIN client_machine cm on iucm.client_machine_uuid = cm.uuid LEFT JOIN all_devices ad on cm.machine_id = ad.machine_id LEFT JOIN whole_disk_recovery_token wdrt on wdrt.device_id = ad.machine_id WHERE cm.hostname = 'Computer' order by wdrt.last_accessed_date asc;"

Article URL

Terms of use for this information are found in Legal Notices