Disk instrumented but not encrypted; PGP doesn't see disk

Created: 02 Apr 2012 | 12 comments

Here's the sequence that led to the problem in the title (MacBook Pro 10.7.3 + PGP 10.2MP4 Universal Server):

  1. Wipe, install Snow Leopard, Upgrade to Lion.
  2. FileVault2 encrypted, as PGP was not ready.
  3. Decrypt FileVault2 boot volume.
  4. Install PGP 10.2.MP4 & restart.
  5. On next login, domain enrollment w/ username + passphrase in wizard.
  6. Start WDE encryption - "instrumenting disk" & reboot.
  7. Prompts for passphrase from #5 OK
  8. Return to PGP WDE - disk not encrypting & not visible either
  9. Check on CLI - enum command does not show anything but DVD-R, which was empty.
  10. Universal server shows the drive - unencrypted and machine does not have a name.
  11. Uninstall PGP & reboot.
  12. Prompted for Passphrase - OK
  13. Reinstall PGP - disk cannot be seen in PGP Desktop.

So, the disk is still instrumented, but not encrypted - we can't deinstrument, since it won't enum.

What do we have to do to get this working like the other Lion Macs that we have in the system?

isopepper's picture

The disk works, but claims it can't be encrypted.

In fact, pgp --enum doesn't even see the disk.

However, the disk requires (and works!) with passphrase when booted! The disk operates fine and the system runs from it!

PGP GUI does not see the disk. pgpwde does not see the disk.

PGP_Ben's picture

Filevault is not compatible with PGP WDE. Our WDE driver detects the presence of filevault being enabled on the machine (encrypted or not) and disables the WDE encryption driver.

I would try disabling the filevault service and see if that solves your problem.

 

These two articles may help:

http://www.symantec.com/docs/TECH173502

http://www.symantec.com/docs/TECH185289

 

 

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

Sarah Mays's picture

How is your disk formatted? Its partition table?

Anything fun in console.app logs - specifically pgpwded?

Have you tried using a PGP recovery disk to 'decrypt' the volume? I know it has the ability to uninstrument.

isopepper's picture

Thanks to all for the replies!

Here's the end game on this - I didn't tell my analyst not to have any FileVault disks connected and I believe that is where he had problems.

In contrast, when I converted from FV2 back to PGP (I went to FV2 as a stopgap while waiting for Lion compatibility) I had read the KB articles and posts here and disconnected my FV2 encrypted backup volume before installing PGP. I had no issues.

He left that volume attached after decrypting his boot disk. I believe that is the only difference. Perhaps the disabling of the encryption driver on detection of FV2 would explain the issue he had where the disk became instrumented but wouldn't encrypt.

I had him disconnect the attached FV2 encrypted volume, reinstall PGP and it then showed that it was encrypting his boot drive.

 

Strange note, just before we did the reinstall, we couldn't use the pgpwde CLI tools. They didn't seem to be present on the disk. 

Sarah Mays's picture

There is a new undocumented 'feature' in PGP Desktop 10.2 MP4 that will detect an FV2 encrypted disk (internal or external), and pgpwded will immediately disable pgpwde.kext. This doesn't take effect until after reboot.

pgpwded log

 

Mar 28 15:28:30: CoreStorage detected at '' for disk2s2, checking if WDE needs to be disabled.

Mar 28 15:28:30: Disabling WDE Driver. This will take affect on the next boot.

What's strange is that you got pgpwde to work at all. When I run pgpwde after the kext has been removed (after a reboot) I get this error.

 

smays$ pgpwde

Operation no operation failed:

Error code -11984: item not found
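
As an added example (not part of the original thread and not Symantec code): a small Python scanner for the two pgpwded messages quoted above, to flag machines where the WDE driver has been scheduled for disabling and which CoreStorage volume preceded it. The log is passed in as lines because the thread does not give the log file's path; the regexes assume the exact message wording shown in the post, and the filler line in the sample is constructed.

```python
import re

# Message formats copied from the pgpwded log lines quoted in the post above.
TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
DETECT_RE = re.compile(
    r"^" + TS + r": CoreStorage detected at '(?P<mount>[^']*)' "
    r"for (?P<dev>disk\d+s\d+)"
)
DISABLE_RE = re.compile(r"^" + TS + r": Disabling WDE Driver\.")


def find_wde_disable_events(lines):
    """Return one dict per 'Disabling WDE Driver' line.

    'triggers' lists the CoreStorage (FileVault 2) slices detected since the
    previous disable event, i.e. the volumes most likely to have caused it.
    """
    events, pending = [], []
    for raw in lines:
        line = raw.strip()
        m = DETECT_RE.match(line)
        if m:
            pending.append(m.group("dev"))
            continue
        m = DISABLE_RE.match(line)
        if m:
            events.append({"time": m.group("ts"), "triggers": pending})
            pending = []
    return events


def whole_disk(slice_name):
    """Map a slice such as disk2s2 to its parent disk (disk2)."""
    return re.sub(r"s\d+$", "", slice_name)


# First line is constructed filler; the other two are the lines quoted above.
SAMPLE_LOG = """\
Mar 28 15:28:29: (constructed filler line, not real pgpwded output)
Mar 28 15:28:30: CoreStorage detected at '' for disk2s2, checking if WDE needs to be disabled.
Mar 28 15:28:30: Disabling WDE Driver. This will take affect on the next boot.
"""

if __name__ == "__main__":
    for ev in find_wde_disable_events(SAMPLE_LOG.splitlines()):
        disks = ", ".join(whole_disk(d) for d in ev["triggers"]) or "unknown"
        print(f"{ev['time']}: WDE driver disabled at next boot; "
              f"CoreStorage volume on: {disks}")
```
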

isopepper's picture

Wow, Sarah, that is very interesting!

To point out the solution to the mystery in our case, the sequence was:

  1. Remove FV2 from boot disk > install PGP WDE > 'encrypt boot' > nothing happens (no error)
  2. Reboot & give passphrase. GUI doesn't recognize disk. Drop to terminal pgpwde doesn't recognize disk.
  3. Reboot & give passphrase. Drop to terminal > "What no pgpwde? This installation is defective!"
  4. Disconnect FV2 external drive with TimeMachine™ backup on it & reboot & give passphrase.
  5. Reinstall PGP Desktop (no uninstall) & reboot & give passphrase.
  6. Open PGP Desktop GUI > "What?! The previously unrecognized drive is encrypting? Good."

So, this undocumented feature is not cool, mostly because it's not documented.

Julian_M's picture

what about pgpwde --uninstrument --disk 0 -p PASSWORD ?

When you consider the issue resolved, please click Mark As Solution on the post that best provided the solution.
 

isopepper's picture

Julian_M when this is done and a FileVault2 external drive is attached you get one of two things, depending on whether you've rebooted after installing PGP Desktop 10.2 MP4:

  1. No reboot. Disk 0 is not present according to pgpwde.
  2. Reboot. pgpwde is 'not present', i.e. disabled, can't be called. 

See Sarah's post above.

Julian_M's picture

Just to make sure we are not dealing with other kind of issue...

Unsupported Disk Types
The following disk types are not supported:
 

  • Software RAID
  • Dynamic disks.
  • Diskettes and CD-RW/DVD-RWs.
  • Hardware RAID if formatted with GPT partitioning style.
  • External or Internal Drives over 2TB in size "These drives use GPT partition due to limitation of MBR partition is 2TB"

 

Sarah Mays's picture

Julian, doesn't PGP desktop know when there is an unsupported disk and then doesn't show that unsupported disk when trying to encrypt? 

 

This issue is that the disk WAS available to encrypt, bootguard WAS installed, and between the process of bootguard reboot and actual reboot an FV2 encrypted disk was connected, which disabled the PGPWDE.kext.

It's irresponsible that PGP added this feature without telling anyone (support didn't know, release notes do not indicate this change). Logic behind this feature is horribly flawed because it will disable pgpwde.kext on a system that has an encrypted boot disk. I hope PGP is fixing this.

 

Julian_M's picture

Sarah,

I understand your concern and I totally agree.

This bug has already been reported and it's being worked. Hopefully, this fix will be released in next version.

Internal bug Reference number: 2731438 and 2607086

 

Meanwhile, I hope this article explains the issue and can provide a workaround for you as well.

http://www.symantec.com/docs/TECH173502

 

Regards

 
