Accessing an encrypted computer (Symantec Encryption Desktop) if normal login fails

Mar 31, 2016 12:27 PM

At some point it may happen that a computer encrypted with Symantec Encryption Desktop (SED) cannot be accessed. There are many possible reasons for this, and here are some tips for finding a way to authenticate or decrypt the drive:
1. First of all, if the machine is not locked, ensure the correct passphrase is entered. In the BootGuard window, the Tab key can be pressed to show the passphrase characters.
Here is the sample passphrase "MyP@ssphras3" entered with hidden characters (the default):
[Screenshot: passphrase entered without pressing Tab]

And here it is revealed once Tab was pressed:
[Screenshot: passphrase shown after pressing Tab]

2. If that fails, authentication can be done with another user's passphrase (if another user was added to the disk) or with the Admin passphrase.

3. Usually, after a few unsuccessful attempts the disk is locked. This is how it looks when the disk is already locked:
[Screenshot: disk locked]

If this is the case, the next attempt would be to use Local Self Recovery (LSR), if it was configured beforehand. This is a set of 5 questions to be answered; at least 3 of the answers need to be correct to authenticate. To use it, select "Forgot Passphrase" in the bottom-right corner:
[Screenshot: LSR "Forgot Passphrase" option]

and answer the questions (the answers are visible by default):
[Screenshot: LSR questions]

A failed attempt returns you to the first question with the message "Incorrect authentication, please try again":
[Screenshot: LSR incorrect answers]

4. If LSR was not configured, or the answers were incorrect, the Whole Disk Recovery Token (WDRT) can be used. This is a 28-character token (it looks like "ECYH0-BY95Y-YCDPH-UKB29-3A2F5-6MJ", without the quotes). In managed environments it is one-time use only (a new one is generated after each use), so the Helpdesk or Administrator should be asked for the current WDRT. If SED is standalone, the WDRT is generated on first encryption and shown in the following pop-up:
[Screenshot: unmanaged WDRT pop-up]

and it can be used multiple times until it is manually regenerated, or until the disk is decrypted and then encrypted again. Since it is displayed only once, it must be kept in a secure place, as the pop-up shown on first encryption advises.
The WDRT is entered in the same place as the passphrase. Press the Tab key so all characters can be seen. The token is not case sensitive, so it can be written in lower or upper case and with or without dashes between the groups:
[Screenshot: entering the WDRT]

[Screenshot: entering the WDRT, alternative format]

5. In some rare cases the WDRT is not accepted. One of the reasons is that an old WDRT was used. In that case, in managed environments, the list of all generated tokens can be taken directly from the database; for this, a formal case with Technical Support should be opened.

6. If there is still no solution, the disk should be slaved to another machine with PGP installed and the following pgpwde commands executed from the command line. Be aware that all command options after pgpwde are prefixed with a double hyphen (--):
- Navigate to the “PGP Desktop” with:
cd "C:\Program Files (x86)\PGP Corporation\PGP Desktop"

- To check which disk number the encrypted boot drive has, run:
pgpwde --enum

- Assuming the affected drive is "1", run this to see the status of the disk (whether it is encrypted or only instrumented):
pgpwde --disk-status --disk 1

- Check whether there are users assigned to this disk; the passphrase of any assigned user can be used for the decryption. The command is:
pgpwde --list-users --disk 1

- The next command to run is the decryption command:
pgpwde --decrypt --disk 1 --passphrase <user-passphrase>

where "<user-passphrase>" is the passphrase of any user found in previous step.

- If, for some reason, this does not work, the following command can be used to check whether any of the known passphrases is correct:
pgpwde --auth --disk 1 --passphrase <user-passphrase>

Again, once a working passphrase is found, it can be used for the decryption described in the previous step.

- Decryption can also be done with the Admin passphrase (if the Drive Encryption policy has Admin added for disk decryption). The syntax for decrypting is the same.

7. If still unsuccessful, there is also a chance to decrypt the disk if an Additional Decryption Key (ADK) was created before the disk was encrypted. The key ID of the ADK and its passphrase need to be known, as both are used in the command. Once they are known, the following command decrypts the drive:
pgpwde --decrypt --keyid <ADK-keyID> --disk <disk-number> --passphrase <ADK-passphrase>
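The slaved-disk recovery steps 6 and 7 above, driven from one PowerShell script on the recovery machine. This is an added example, not Symantec's own tooling: it runs the page's pgpwde commands in order, confirms the passphrase with --auth before starting a decryption, and switches to the ADK form when a key ID is supplied. It assumes pgpwde.exe sets a non-zero exit code on failure; the install path is the one given in step 6.

```powershell
# Added example (not part of the original article). Assumption: pgpwde.exe returns
# a non-zero exit code when an operation fails.
param(
    [int]$Disk = 1,                                   # disk number reported by "pgpwde --enum"
    [string]$AdkKeyId = "",                           # optional: ADK key ID for step 7
    [string]$PgpDir = "C:\Program Files (x86)\PGP Corporation\PGP Desktop"
)
$pgpwde = Join-Path $PgpDir "pgpwde.exe"
if (-not (Test-Path $pgpwde)) { throw "pgpwde.exe not found in $PgpDir" }

function Invoke-Pgpwde {
    param([string[]]$CliArgs)
    & $pgpwde @CliArgs | Out-Host                     # show pgpwde's own status text
    return ($LASTEXITCODE -eq 0)                      # assumption: 0 means success
}

# Steps 6a-6d: enumerate disks, show status and list users before touching anything
$null = Invoke-Pgpwde @("--enum")
$null = Invoke-Pgpwde @("--disk-status", "--disk", "$Disk")
$null = Invoke-Pgpwde @("--list-users", "--disk", "$Disk")

# Read the passphrase without echoing it so it does not land in the console history
$secure = Read-Host -AsSecureString "Passphrase (user, Admin, or ADK passphrase)"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$pass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

if ($AdkKeyId -ne "") {
    # Step 7: decrypt with the Additional Decryption Key
    $ok = Invoke-Pgpwde @("--decrypt", "--keyid", $AdkKeyId, "--disk", "$Disk", "--passphrase", $pass)
} else {
    # Steps 6e/6f: confirm the passphrase with --auth first, then decrypt
    if (-not (Invoke-Pgpwde @("--auth", "--disk", "$Disk", "--passphrase", $pass))) {
        $pass = $null
        throw "Passphrase not accepted for disk $Disk; try another user, the Admin passphrase, or the ADK"
    }
    $ok = Invoke-Pgpwde @("--decrypt", "--disk", "$Disk", "--passphrase", $pass)
}
$pass = $null
if (-not $ok) { throw "Decryption of disk $Disk did not start; open a case with Technical Support" }
Write-Host "Decryption of disk $Disk started; check progress with: pgpwde --disk-status --disk $Disk"
```

Note that, exactly as in the page's commands, the passphrase is passed on the pgpwde command line and is therefore visible in the process list while the command runs; run the script on a recovery machine that nobody else is logged on to.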

Comments

Jun 06, 2016 09:18 AM

I have PGP on my workstation. On Friday, I changed my pw and it did not get synched with PGP, so when I went to restart my machine, I could not get past the PGP logon screen. I received a token from the IBM Help desk and downloaded the Encryption Desktop 10.3.2 from the Symantec website and created a bootable CD.

After booting, I entered the received token into the passphrase box. I started at 9:45 on Saturday morning. It is still decrypting the hard drive at 9:00 Monday morning and it is still at 38% encrypted.

I have a few questions:

  1. Is this a normal time to decrypt the drive in a standalone environment?
  2. Can I stop the decryption process without losing my data?
